Merge branch '4263-deprecate-dnssec-must-be-secure-feature-9.18' into 'bind-9.18'

Deprecate 'dnssec-must-be-secure' option

See merge request isc-projects/bind9!8268
Ondřej Surý 2023-09-04 16:54:46 +00:00
commit 445283a67b
7 changed files with 16 additions and 7 deletions


@ -1,3 +1,6 @@
6239. [func] Deprecate the 'dnssec-must-be-secure' option.
[GL #3700]
6237. [bug] Address memory leaks due to not clearing OpenSSL error
stack. [GL #4159]


@ -18,8 +18,10 @@ server 1.2.3.4 {
options {
dnssec-validation yes;
dialup yes;
heartbeat-interval 60;
dialup yes;
heartbeat-interval 60;
dnssec-must-be-secure mustbesecure.example yes;
use-v4-udp-ports { range 1024 65535; };
use-v6-udp-ports { range 1024 65535; };


@ -175,6 +175,7 @@ grep "option 'root-delegation-only' is deprecated" < checkconf.out$n.1 > /dev/nu
grep "'type delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'dialup' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'heartbeat-interval' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'dnssec-must-be-secure' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "token 'port' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))


@ -1722,9 +1722,11 @@ default is used.
:any:`disable-ds-digests` are treated as insecure.
.. namedconf:statement:: dnssec-must-be-secure
:tags: dnssec
:tags: deprecated
:short: Defines hierarchies that must or may not be secure (signed and validated).
This option is deprecated and will be removed in a future release.
This specifies hierarchies which must be or may not be secure (signed and
validated). If ``yes``, then :iscman:`named` only accepts answers if
they are secure. If ``no``, then normal DNSSEC validation applies,


@ -119,7 +119,7 @@ options {
dnssec-accept-expired <boolean>;
dnssec-dnskey-kskonly <boolean>;
dnssec-loadkeys-interval <integer>;
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
dnssec-must-be-secure <string> <boolean>; // may occur multiple times, deprecated
dnssec-policy <string>;
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
@ -428,7 +428,7 @@ view <string> [ <class> ] {
dnssec-accept-expired <boolean>;
dnssec-dnskey-kskonly <boolean>;
dnssec-loadkeys-interval <integer>;
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
dnssec-must-be-secure <string> <boolean>; // may occur multiple times, deprecated
dnssec-policy <string>;
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );


@ -25,7 +25,8 @@ New Features
Removed Features
~~~~~~~~~~~~~~~~
- None.
- The :any:`dnssec-must-be-secure` option has been deprecated and will be
removed in a future release. :gl:`#4263`
Feature Changes
~~~~~~~~~~~~~~~


@ -2068,7 +2068,7 @@ static cfg_clausedef_t view_clauses[] = {
{ "dnssec-lookaside", NULL,
CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_ANCIENT },
{ "dnssec-must-be-secure", &cfg_type_mustbesecure,
CFG_CLAUSEFLAG_MULTI },
CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_DEPRECATED },
{ "dnssec-validation", &cfg_type_boolorauto, 0 },
#ifdef HAVE_DNSTAP
{ "dnstap", &cfg_type_dnstap, 0 },
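Review bot: The `dnssec-must-be-secure` entry in `view_clauses` gains `CFG_CLAUSEFLAG_DEPRECATED` without any comment recording what happens to the hierarchies it protects, and this clause enforces validation policy rather than tuning behaviour. Per the reference text changed elsewhere in this commit, `yes` makes named accept only secure answers for the listed hierarchy, so an operator who silences the new warning by deleting the line presumably falls back to normal DNSSEC validation, where a provably unsigned delegation is accepted as insecure. I would add a comment above the entry such as `/* deprecated: hierarchies listed here fall back to normal DNSSEC validation once the option is removed */`, and have the option's documentation state that consequence so the generic "is deprecated" message is not the only guidance. The `view_clauses` array begins and continues outside this hunk.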