From dc8595936c4408f0bdc33585762e8609f7b4a7f6 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 8 Dec 2021 18:02:28 +1100
Subject: [PATCH] remove broken-nsec and reject-000-label options
---
 CHANGES | 8 +--
 bin/named/config.c | 1 -
 bin/named/named.conf.rst | 4 --
 bin/named/server.c | 11 ----
 .../system/checkconf/good-broken-nsec.conf | 14 -----
 .../good-server-christmas-tree.conf.in | 2 -
 .../system/synthfromdnssec/ns7/named.conf.in | 49 -----------------
 .../system/synthfromdnssec/ns7/root.hints | 11 ----
 .../system/synthfromdnssec/ns8/named.conf.in | 46 ----------------
 .../system/synthfromdnssec/ns8/root.hints | 11 ----
 bin/tests/system/synthfromdnssec/setup.sh | 2 -
 bin/tests/system/synthfromdnssec/tests.sh | 53 ++++++++-----------
 doc/arm/reference.rst | 27 ----------
 doc/man/named.conf.5in | 4 --
 doc/misc/options | 4 --
 doc/misc/options.active | 4 --
 doc/misc/options.grammar.rst | 1 -
 doc/misc/server.grammar.rst | 1 -
 lib/bind9/check.c | 1 -
 lib/dns/include/dns/peer.h | 6 ---
 lib/dns/include/dns/view.h | 1 -
 lib/dns/peer.c | 29 ----------
 lib/dns/resolver.c | 21 +-------
 lib/dns/view.c | 1 -
 lib/isccfg/namedconf.c | 2 -
 25 files changed, 23 insertions(+), 291 deletions(-)
 delete mode 100644 bin/tests/system/checkconf/good-broken-nsec.conf
 delete mode 100644 bin/tests/system/synthfromdnssec/ns7/named.conf.in
 delete mode 100644 bin/tests/system/synthfromdnssec/ns7/root.hints
 delete mode 100644 bin/tests/system/synthfromdnssec/ns8/named.conf.in
 delete mode 100644 bin/tests/system/synthfromdnssec/ns8/root.hints
diff --git a/CHANGES b/CHANGES
index 9ca79b3cab..df26bf014c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -43,13 +43,7 @@ 5774. [func] Restore NSEC Aggressive Cache ("synth-from-dnssec") as active by default. It is limited to NSEC only and by default ignores NSEC records with next name - in form \000.domain. - - Added 'server { broken-nsec yes; };' to - identify servers from which NSEC records in negative - responses will not be cached. These records will - then not be available for synth-from-dnssec to use. - [GL #1265] + in form \000.domain. [GL #1265] 5773. [func] Change the message when accepting TCP connection has failed to say "Accepting TCP connection failed" and diff --git a/bin/named/config.c b/bin/named/config.c index e93ad273ed..6a8fc599fb 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -177,7 +177,6 @@ options {\n\ query-source address *;\n\ query-source-v6 address *;\n\ recursion true;\n\ - reject-000-label yes;\n\ request-expire true;\n\ request-ixfr true;\n\ require-server-cookie no;\n\ diff --git a/bin/named/named.conf.rst b/bin/named/named.conf.rst index 5957d38b18..644c70430a 100644 --- a/bin/named/named.conf.rst +++ b/bin/named/named.conf.rst @@ -388,7 +388,6 @@ OPTIONS recursing-file quoted_string; recursion boolean; recursive-clients integer; - reject-000-label boolean;// deprecated request-expire boolean; request-ixfr boolean; request-nsid boolean; @@ -514,7 +513,6 @@ SERVER server netprefix { bogus boolean; - broken-nsec boolean;// deprecated edns boolean; edns-udp-size integer; edns-version integer; @@ -794,7 +792,6 @@ VIEW window integer; }; recursion boolean; - reject-000-label boolean;// deprecated request-expire boolean; request-ixfr boolean; request-nsid boolean; @@ -825,7 +822,6 @@ VIEW serial-update-method ( date | increment | unixtime ); server netprefix { bogus boolean; - broken-nsec boolean;// deprecated edns boolean; edns-udp-size integer; edns-version integer; diff --git a/bin/named/server.c b/bin/named/server.c index 1467efa191..d4641516fc 100644 --- a/bin/named/server.c +++ b/bin/named/server.c 
@@ -1437,12 +1437,6 @@ configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
 CHECK(dns_peer_setbogus(peer, cfg_obj_asboolean(obj)));
 }
 
- obj = NULL;
- (void)cfg_map_get(cpeer, "broken-nsec", &obj);
- if (obj != NULL) {
- CHECK(dns_peer_setbrokennsec(peer, cfg_obj_asboolean(obj)));
- }
-
 obj = NULL;
 (void)cfg_map_get(cpeer, "provide-ixfr", &obj);
 if (obj != NULL) {
@@ -4456,11 +4450,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
 INSIST(result == ISC_R_SUCCESS);
 view->acceptexpired = cfg_obj_asboolean(obj);
 
- obj = NULL;
- result = named_config_get(maps, "reject-000-label", &obj);
- INSIST(result == ISC_R_SUCCESS);
- view->reject_000_label = cfg_obj_asboolean(obj);
-
 obj = NULL;
 /* 'optionmaps', not 'maps': don't check named_g_defaults yet */
 (void)named_config_get(optionmaps, "dnssec-validation", &obj);
diff --git a/bin/tests/system/checkconf/good-broken-nsec.conf b/bin/tests/system/checkconf/good-broken-nsec.conf
deleted file mode 100644
index f1057d3c84..0000000000
--- a/bin/tests/system/checkconf/good-broken-nsec.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-server 10.0.0/24 {
- broken-nsec yes;
-};
diff --git a/bin/tests/system/checkconf/good-server-christmas-tree.conf.in b/bin/tests/system/checkconf/good-server-christmas-tree.conf.in
index 467f750b4e..ce8bd87203 100644
--- a/bin/tests/system/checkconf/good-server-christmas-tree.conf.in
+++ b/bin/tests/system/checkconf/good-server-christmas-tree.conf.in
@@ -5,7 +5,6 @@ key example {
 
 server 0.0.0.0 {
 bogus no;
- broken-nsec no;
 edns no;
 edns-udp-size 512;
 edns-version 0;
@@ -28,7 +27,6 @@ server 0.0.0.0 { server :: { bogus no; - broken-nsec no; edns no; edns-udp-size 512; edns-version 0; diff --git a/bin/tests/system/synthfromdnssec/ns7/named.conf.in b/bin/tests/system/synthfromdnssec/ns7/named.conf.in deleted file mode 100644 index bd44c0330b..0000000000 --- a/bin/tests/system/synthfromdnssec/ns7/named.conf.in +++ /dev/null @@ -1,49 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -// NS2 - -options { - query-source address 10.53.0.7; - notify-source 10.53.0.7; - transfer-source 10.53.0.7; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.7; }; - listen-on-v6 { none; }; - recursion yes; - notify no; - dnssec-validation yes; -}; - -server 10.53.0.1 { - broken-nsec yes; -}; - -key rndc_key { - secret "1234abcd8765"; - algorithm hmac-sha256; -}; - -controls { - inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - -statistics-channels { - inet 10.53.0.7 port @EXTRAPORT1@ allow { any; }; -}; - -zone "." { - type hint; - file "root.hints"; -}; - -include "../ns1/trusted.conf"; diff --git a/bin/tests/system/synthfromdnssec/ns7/root.hints b/bin/tests/system/synthfromdnssec/ns7/root.hints deleted file mode 100644 index 63fc22d0e1..0000000000 --- a/bin/tests/system/synthfromdnssec/ns7/root.hints +++ /dev/null 
@@ -1,11 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -. NS ns1 -ns1 A 10.53.0.1 diff --git a/bin/tests/system/synthfromdnssec/ns8/named.conf.in b/bin/tests/system/synthfromdnssec/ns8/named.conf.in deleted file mode 100644 index 382be43887..0000000000 --- a/bin/tests/system/synthfromdnssec/ns8/named.conf.in +++ /dev/null @@ -1,46 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -// NS2 - -options { - query-source address 10.53.0.8; - notify-source 10.53.0.8; - transfer-source 10.53.0.8; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.8; }; - listen-on-v6 { none; }; - recursion yes; - notify no; - dnssec-validation yes; - reject-000-label no; -}; - -key rndc_key { - secret "1234abcd8765"; - algorithm hmac-sha256; -}; - -controls { - inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - -statistics-channels { - inet 10.53.0.8 port @EXTRAPORT1@ allow { any; }; -}; - -zone "." { - type hint; - file "root.hints"; -}; - -include "../ns1/trusted.conf"; diff --git a/bin/tests/system/synthfromdnssec/ns8/root.hints b/bin/tests/system/synthfromdnssec/ns8/root.hints deleted file mode 100644 index 63fc22d0e1..0000000000 --- a/bin/tests/system/synthfromdnssec/ns8/root.hints +++ /dev/null 
@@ -1,11 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -. NS ns1 -ns1 A 10.53.0.1 diff --git a/bin/tests/system/synthfromdnssec/setup.sh b/bin/tests/system/synthfromdnssec/setup.sh index d42715de99..067aa0e753 100644 --- a/bin/tests/system/synthfromdnssec/setup.sh +++ b/bin/tests/system/synthfromdnssec/setup.sh @@ -20,8 +20,6 @@ copy_setports ns3/named.conf.in ns3/named.conf copy_setports ns4/named.conf.in ns4/named.conf copy_setports ns5/named.conf.in ns5/named.conf copy_setports ns6/named.conf.in ns6/named.conf -copy_setports ns7/named.conf.in ns7/named.conf -copy_setports ns8/named.conf.in ns8/named.conf ( cd ns1 diff --git a/bin/tests/system/synthfromdnssec/tests.sh b/bin/tests/system/synthfromdnssec/tests.sh index b21262593a..564287e32e 100644 --- a/bin/tests/system/synthfromdnssec/tests.sh +++ b/bin/tests/system/synthfromdnssec/tests.sh @@ -19,7 +19,6 @@ set -e status=0 n=1 synth_default=yes -reject_default=yes rm -f dig.out.* @@ -99,15 +98,13 @@ check_auth_count() { return 0 } -for ns in 2 4 5 6 7 8 +for ns in 2 4 5 6 do case $ns in 2) ad=yes; description="";; 4) ad=yes; description="no";; 5) ad=yes; description="yes";; 6) ad=no; description="yes; dnssec-validation no";; - 7) ad=yes; description="yes; server 10.53.0.1 { broken-nsec yes; };";; - 8) ad=yes; description="yes; reject-000-label no;";; *) exit 1;; esac echo_i "prime negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)" 
@@ -333,15 +330,13 @@ status=$((status+ret)) # sleep 1 -for ns in 2 4 5 6 7 8 +for ns in 2 4 5 6 do case $ns in - 2) ad=yes synth=${synth_default} reject=${reject_default} description="";; - 4) ad=yes synth=no reject=${reject_default} description="no";; - 5) ad=yes synth=yes reject=${reject_default} description="yes";; - 6) ad=no synth=no reject=${reject_default} description="yes; dnssec-validation no";; - 7) ad=yes synth=no reject=${reject_default} description="yes; server 10.53.0.1 { broken-nsec yes; };";; - 8) ad=yes synth=yes reject=no description="yes; reject-000-label no;";; + 2) ad=yes synth=${synth_default} description="";; + 4) ad=yes synth=no description="no";; + 5) ad=yes synth=yes description="yes";; + 6) ad=no synth=no description="yes; dnssec-validation no";; *) exit 1;; esac echo_i "check synthesized NXDOMAIN response (synth-from-dnssec ${description};) ($n)" @@ -591,20 +586,14 @@ do if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) - echo_i "check back lie NODATA response (synth-from-dnssec ${description};) ($n)" + echo_i "check black lie NODATA response (synth-from-dnssec ${description};) ($n)" ret=0 nextpart ns1/named.run > /dev/null dig_with_opts black.minimal. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1 check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - if [ ${synth} = yes -a ${reject} = no ] - then - check_synth_soa minimal. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep black.minimal/AAAA > /dev/null && ret=1 - else - check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep black.minimal/AAAA > /dev/null || ret=1 - fi + check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep black.minimal/AAAA > /dev/null || ret=1 digcomp black.out dig.out.ns${ns}.test$n || ret=1 n=$((n+1)) if [ $ret != 0 ]; then echo_i "failed"; fi 
@@ -665,11 +654,11 @@ do count=$(grep "cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l) test $count = 2 || ret=1 zero=$(grep "0 cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l) - if [ ${ad} = no -o $ns = 7 ] + if [ ${ad} = yes ] then - test $zero = 2 || ret=1 - else test $zero = 1 || ret=1 + else + test $zero = 2 || ret=1 fi n=$((n+1)) if [ $ret != 0 ]; then echo_i "failed"; fi @@ -679,7 +668,7 @@ do do case $synthesized in NXDOMAIN) count=1;; - no-data) if [ ${reject} = yes ]; then count=4; else count=5; fi;; + no-data) count=4;; wildcard) count=2;; esac echo_i "check 'rndc stats' output for 'synthesized a ${synthesized} response' (synth-from-dnssec ${description};) ($n)" @@ -726,11 +715,11 @@ do count=$(echo "$counter" | grep CacheNSECNodes | wc -l) test $count = 1 || ret=1 zero=$(echo "$counter" | grep ">0<" | wc -l) - if [ ${ad} = no -o $ns = 7 ] + if [ ${ad} = yes ] then - test $zero = 1 || ret=1 - else test $zero = 0 || ret=1 + else + test $zero = 1 || ret=1 fi n=$((n+1)) if [ $ret != 0 ]; then echo_i "failed"; fi @@ -740,7 +729,7 @@ do do case $synthesized in SynthNXDOMAIN) count=1;; - SynthNODATA) if [ $reject = yes ]; then count=4; else count=5; fi;; + SynthNODATA) count=4;; SynthWILDCARD) count=2;; esac @@ -789,11 +778,11 @@ do count=$(grep '"CacheNSECNodes":' $json | wc -l) test $count = 2 || ret=1 zero=$(grep '"CacheNSECNodes":0' $json | wc -l) - if [ ${ad} = no -o $ns = 7 ] + if [ ${ad} = yes ] then - test $zero = 2 || ret=1 - else test $zero = 1 || ret=1 + else + test $zero = 2 || ret=1 fi n=$((n+1)) if [ $ret != 0 ]; then echo_i "failed"; fi @@ -803,7 +792,7 @@ do do case $synthesized in SynthNXDOMAIN) count=1;; - SynthNODATA) if [ $reject = yes ]; then count=4; else count=5; fi;; + SynthNODATA) count=4;; SynthWILDCARD) count=2;; esac diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 64d1fe8012..c7c180bf95 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst 
@@ -2100,17 +2100,6 @@ Boolean Options default is ``no``. Setting this option to ``yes`` leaves ``named`` vulnerable to replay attacks. -.. _reject_000_label: - -``reject-000-label`` - This controls whether NSEC records whose Next Owner Name field starts - with a ``\000`` label are cached for use by the ``synth-from-dnssec`` - feature. The default is ``yes``, which means these records are not - used for negative response synthesis. This is a temporary measure to - improve interoperability with authoritative servers that generate - incorrect NSEC records. The default value of this option may change - in a future release, or it may be removed altogether. - ``querylog`` Query logging provides a complete log of all incoming queries and all query errors. This provides more insight into the server's activity, but with a @@ -2257,12 +2246,6 @@ Boolean Options have been proved to be correct using DNSSEC. The default is ``yes``. - The ``reject-000-label`` :ref:`option ` and the - ``broken-nsec`` :ref:`server configuration clause - ` can be used to prevent broken NSEC records from - causing incorrect negative responses to be synthesized when - ``synth-from-dnssec`` is set to ``yes``. - .. note:: DNSSEC validation must be enabled for this option to be effective. This initial implementation only covers synthesis of answers from NSEC records; synthesis from NSEC3 is planned for the future. This 
@@ -4556,16 +4539,6 @@ If a remote server is giving out bad data, marking it as bogus prevents further queries to it. The default value of ``bogus`` is ``no``. -.. _server_broken_nsec: - -The ``broken-nsec`` clause determines whether the NSEC records found in -negative responses sent by the remote server are ignored for the purpose -of synthesizing negative responses or not. The default is ``no``. -Setting this to ``yes`` can be used to prevent broken NSEC records from -causing incorrect negative responses to be synthesized when -``synth-from-dnssec`` is set to ``yes``. This option may be removed in a -future release. - The ``provide-ixfr`` clause determines whether the local server, acting as primary, responds with an incremental zone transfer when the given remote server, a secondary, requests it. If set to ``yes``, incremental diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in index 6837e0d387..1e285a2d0e 100644 --- a/doc/man/named.conf.5in +++ b/doc/man/named.conf.5in @@ -455,7 +455,6 @@ options { recursing\-file quoted_string; recursion boolean; recursive\-clients integer; - reject\-000\-label boolean;// deprecated request\-expire boolean; request\-ixfr boolean; request\-nsid boolean; @@ -597,7 +596,6 @@ primaries string [ port integer ] [ dscp .ft C server netprefix { bogus boolean; - broken\-nsec boolean;// deprecated edns boolean; edns\-udp\-size integer; edns\-version integer; @@ -897,7 +895,6 @@ view string [ class ] { window integer; }; recursion boolean; - reject\-000\-label boolean;// deprecated request\-expire boolean; request\-ixfr boolean; request\-nsid boolean; @@ -928,7 +925,6 @@ view string [ class ] { serial\-update\-method ( date | increment | unixtime ); server netprefix { bogus boolean; - broken\-nsec boolean;// deprecated edns boolean; edns\-udp\-size integer; edns\-version integer; diff --git a/doc/misc/options b/doc/misc/options index 11e305a03b..b62967ef0c 100644 --- a/doc/misc/options +++ b/doc/misc/options 
@@ -313,7 +313,6 @@ options { recursing-file ; recursion ; recursive-clients ; - reject-000-label ; // deprecated request-expire ; request-ixfr ; request-nsid ; @@ -420,7 +419,6 @@ primaries [ port ] [ dscp server { bogus ; - broken-nsec ; // deprecated edns ; edns-udp-size ; edns-version ; @@ -674,7 +672,6 @@ view [ ] { window ; }; recursion ; - reject-000-label ; // deprecated request-expire ; request-ixfr ; request-nsid ; @@ -705,7 +702,6 @@ view [ ] { serial-update-method ( date | increment | unixtime ); server { bogus ; - broken-nsec ; // deprecated edns ; edns-udp-size ; edns-version ; diff --git a/doc/misc/options.active b/doc/misc/options.active index a8a915bda2..a3e2fbe3f0 100644 --- a/doc/misc/options.active +++ b/doc/misc/options.active @@ -311,7 +311,6 @@ options { recursing-file ; recursion ; recursive-clients ; - reject-000-label ; // deprecated request-expire ; request-ixfr ; request-nsid ; @@ -417,7 +416,6 @@ primaries [ port ] [ dscp server { bogus ; - broken-nsec ; // deprecated edns ; edns-udp-size ; edns-version ; @@ -670,7 +668,6 @@ view [ ] { window ; }; recursion ; - reject-000-label ; // deprecated request-expire ; request-ixfr ; request-nsid ; @@ -701,7 +698,6 @@ view [ ] { serial-update-method ( date | increment | unixtime ); server { bogus ; - broken-nsec ; // deprecated edns ; edns-udp-size ; edns-version ; diff --git a/doc/misc/options.grammar.rst b/doc/misc/options.grammar.rst index 862461f690..8e69a09686 100644 --- a/doc/misc/options.grammar.rst +++ b/doc/misc/options.grammar.rst @@ -231,7 +231,6 @@ recursing-file ; recursion ; recursive-clients ; - reject-000-label ; // deprecated request-expire ; request-ixfr ; request-nsid ; diff --git a/doc/misc/server.grammar.rst b/doc/misc/server.grammar.rst index 9e61ad1e84..4c461a0c12 100644 --- a/doc/misc/server.grammar.rst +++ b/doc/misc/server.grammar.rst @@ -2,7 +2,6 @@ server { bogus ; - broken-nsec ; // deprecated edns ; edns-udp-size ; edns-version ; 
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 3ff5803096..a582a0680b 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -4099,7 +4099,6 @@ static struct {
 isc_result_t (*set)(dns_peer_t *peer, bool newval);
 } bools[] = {
 { "bogus", dns_peer_setbogus },
- { "broken-nsec", dns_peer_setbrokennsec },
 { "edns", dns_peer_setsupportedns },
 { "provide-ixfr", dns_peer_setprovideixfr },
 { "request-expire", dns_peer_setrequestexpire },
diff --git a/lib/dns/include/dns/peer.h b/lib/dns/include/dns/peer.h
index 27b5e17ab0..facbf2dc23 100644
--- a/lib/dns/include/dns/peer.h
+++ b/lib/dns/include/dns/peer.h
@@ -86,12 +86,6 @@ dns_peer_attach(dns_peer_t *source, dns_peer_t **target);
 void
 dns_peer_detach(dns_peer_t **list);
 
-isc_result_t
-dns_peer_setbrokennsec(dns_peer_t *peer, bool newval);
-
-isc_result_t
-dns_peer_getbrokennsec(dns_peer_t *peer, bool *retval);
-
 isc_result_t
 dns_peer_setbogus(dns_peer_t *peer, bool newval);
 
diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h
index 43deee1039..f1ec93877f 100644
--- a/lib/dns/include/dns/view.h
+++ b/lib/dns/include/dns/view.h
@@ -130,7 +130,6 @@ struct dns_view {
 bool synthfromdnssec;
 bool trust_anchor_telemetry;
 bool root_key_sentinel;
- bool reject_000_label;
 dns_transfer_format_t transfer_format;
 dns_acl_t *cacheacl;
 dns_acl_t *cacheonacl;
diff --git a/lib/dns/peer.c b/lib/dns/peer.c
index 5d95cb9329..641574f827 100644
--- a/lib/dns/peer.c
+++ b/lib/dns/peer.c
@@ -58,7 +58,6 @@ struct dns_peer {
 bool force_tcp;
 bool tcp_keepalive;
 bool check_axfr_id;
- bool broken_nsec;
 dns_name_t *key;
 isc_sockaddr_t *transfer_source;
 isc_dscp_t transfer_dscp;
@@ -97,7 +96,6 @@ struct dns_peer {
 #define FORCE_TCP_BIT 15
 #define SERVER_PADDING_BIT 16
 #define REQUEST_TCP_KEEPALIVE_BIT 17
-#define BROKEN_NSEC 18
 
 static void
 peerlist_delete(dns_peerlist_t **list);
@@ -592,33 +590,6 @@ dns_peer_gettcpkeepalive(dns_peer_t *peer, bool *retval) {
 }
 }
 
-isc_result_t
-dns_peer_setbrokennsec(dns_peer_t *peer, bool newval) {
- bool existed;
-
- REQUIRE(DNS_PEER_VALID(peer));
-
- existed = DNS_BIT_CHECK(BROKEN_NSEC, &peer->bitflags);
-
- peer->broken_nsec = newval;
- DNS_BIT_SET(BROKEN_NSEC, &peer->bitflags);
-
- return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_getbrokennsec(dns_peer_t *peer, bool *retval) {
- REQUIRE(DNS_PEER_VALID(peer));
- REQUIRE(retval != NULL);
-
- if (DNS_BIT_CHECK(BROKEN_NSEC, &peer->bitflags)) {
- *retval = peer->broken_nsec;
- return (ISC_R_SUCCESS);
- } else {
- return (ISC_R_NOTFOUND);
- }
-}
-
 isc_result_t
 dns_peer_settransfers(dns_peer_t *peer, uint32_t newval) {
 bool existed;
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 5c78c410e2..71ed4b7cce 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -5343,7 +5343,6 @@ validated(isc_task_t *task, isc_event_t *event) {
 dns_valarg_t *valarg;
 dns_validatorevent_t *vevent;
 fetchctx_t *fctx = NULL;
- bool broken_nsec = false;
 bool chaining;
 bool negative;
 bool sentresponse;
@@ -5356,8 +5355,6 @@ validated(isc_task_t *task, isc_event_t *event) {
 dns_fixedname_t fwild;
 dns_name_t *wild = NULL;
 dns_message_t *message = NULL;
- dns_peer_t *peer = NULL;
- isc_netaddr_t ipaddr;
 
 UNUSED(task); /* for now */
 
@@ -5686,11 +5683,6 @@ validated(isc_task_t *task, isc_event_t *event) {
 
 answer_response:
 
- isc_netaddr_fromsockaddr(&ipaddr, &addrinfo->sockaddr);
- (void)dns_peerlist_peerbyaddr(fctx->res->view->peers, &ipaddr, &peer);
- if (peer != NULL) {
- (void)dns_peer_getbrokennsec(peer, &broken_nsec);
- }
 /*
 * Cache any SOA/NS/NSEC records that happened to be validated.
 */
@@ -5724,15 +5716,6 @@ answer_response:
 continue;
 }
 
- /*
- * If this peer has been marked as emitting broken
- * NSEC records do not cache it.
- */
- if (rdataset->type == dns_rdatatype_nsec && broken_nsec)
- {
- continue;
- }
-
 /*
 * Don't cache NSEC if missing NSEC or RRSIG types.
 */
@@ -5765,9 +5748,7 @@ answer_response:
 * Look for \000 label in next name.
 */
 if (rdataset->type == dns_rdatatype_nsec &&
- fctx->res->view->reject_000_label &&
- has_000_label(rdataset))
- {
+ has_000_label(rdataset)) {
 continue;
 }
 
diff --git a/lib/dns/view.c b/lib/dns/view.c
index 13679f3d3d..b27be5c512 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -240,7 +240,6 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, const char *name,
 view->synthfromdnssec = true;
 view->trust_anchor_telemetry = true;
 view->root_key_sentinel = true;
- view->reject_000_label = true;
 view->new_zone_dir = NULL;
 view->new_zone_file = NULL;
 view->new_zone_db = NULL;
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 5e62fb5795..5a1c19c253 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -2118,7 +2118,6 @@ static cfg_clausedef_t view_clauses[] = {
 { "queryport-pool-updateinterval", NULL, CFG_CLAUSEFLAG_ANCIENT },
 { "rate-limit", &cfg_type_rrl, 0 },
 { "recursion", &cfg_type_boolean, 0 },
- { "reject-000-label", &cfg_type_boolean, CFG_CLAUSEFLAG_DEPRECATED },
 { "request-nsid", &cfg_type_boolean, 0 },
 { "request-sit", NULL, CFG_CLAUSEFLAG_ANCIENT },
 { "require-server-cookie", &cfg_type_boolean, 0 },
@@ -2515,7 +2514,6 @@ static cfg_type_t cfg_type_key = { "key", cfg_parse_named_map,
 */
 static cfg_clausedef_t server_clauses[] = {
 { "bogus", &cfg_type_boolean, 0 },
- { "broken-nsec", &cfg_type_boolean, CFG_CLAUSEFLAG_DEPRECATED },
 { "edns", &cfg_type_boolean, 0 },
 { "edns-udp-size", &cfg_type_uint32, 0 },
 { "edns-version", &cfg_type_uint32, 0 },
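Review bot: The comment above the `has_000_label(rdataset)` test in the `@@ -5765` hunk still reads `Look for \000 label in next name.`, but now that the `reject_000_label` guard is gone it describes an unconditional cache-exclusion policy without saying why; suggest `/* NSEC records whose next name starts with a \000 label are never cached: they come from servers that generate incorrect NSEC and must not feed synth-from-dnssec. */`. The CHANGES hunk in the same patch still says named "by default ignores" such records, which no longer matches this hunk since there is no remaining way to turn the skip off, so "by default" should be dropped there. Separately, the `reject-000-label` and `broken-nsec` clauses are deleted from the namedconf.c tables rather than kept as `NULL, CFG_CLAUSEFLAG_ANCIENT` like `request-sit` in the same table, so a configuration that still sets them will presumably fail with a generic unknown-option error instead of the explicit obsolete-option message. The enclosing loop over validated rdatasets in validated() starts and ends outside this hunk.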