Deprecate the "tkey-gssapi-credential" statement

The "tkey-gssapi-keytab" statement enables GSS-TSIG to be set up in a
simpler and more reliable way than using the "tkey-gssapi-credential"
statement and setting environment variables (e.g. KRB5_KTNAME).

Mark the "tkey-gssapi-credential" statement as deprecated to eventually
only have one method for setting up GSS-TSIG in named.  Do not mention
"tkey-gssapi-credential" in the section of the ARM on dynamic updates.
Michał Kępień 2025-09-01 21:23:30 +02:00
parent 3c0c66dc3e
commit 6de435c528
3 changed files with 7 additions and 7 deletions

@ -31,11 +31,10 @@ are permitted for the key ``local-ddns``, which is generated by
:iscman:`named` at startup. See :ref:`dynamic_update_policies` for more details.
Dynamic updates using Kerberos-signed requests can be made using the
TKEY/GSS protocol, either by setting the :any:`tkey-gssapi-keytab` option
or by setting both the :any:`tkey-gssapi-credential` and
:any:`tkey-domain` options. Once enabled, Kerberos-signed requests are
matched against the update policies for the zone, using the Kerberos
principal as the signer for the request.
TKEY/GSS protocol, by setting the :any:`tkey-gssapi-keytab` option.
Once enabled, Kerberos-signed requests are matched against the update
policies for the zone, using the Kerberos principal as the signer for
the request.
Updating of secure zones (zones using DNSSEC) follows :rfc:`3007`: RRSIG,
NSEC, and NSEC3 records affected by updates are automatically regenerated
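
Review bot: The rewritten sentence "by setting the :any:`tkey-gssapi-keytab` option" drops :any:`tkey-domain` from this section along with :any:`tkey-gssapi-credential`, but the commit message only covers the latter, and the other two hunks leave tkey-domain unmarked (no "// deprecated", flags still 0). Either say in the commit message that tkey-domain is not needed when a keytab is used, or keep a mention of it here. Also consider one sentence for operators who still have the old pair configured, pointing them to the keytab option, since this section no longer hints that another method exists.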

@ -303,7 +303,7 @@ options {
tcp-receive-buffer <integer>;
tcp-send-buffer <integer>;
tkey-domain <quoted_string>;
tkey-gssapi-credential <quoted_string>;
tkey-gssapi-credential <quoted_string>; // deprecated
tkey-gssapi-keytab <quoted_string>;
tls-port <integer>;
transfer-format ( many-answers | one-answer );
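
Review bot: The "// deprecated" marker on tkey-gssapi-credential tells the reader nothing about what to use instead, and none of the three hunks in this commit adds a release note or updates the statement's own reference entry. Please add both, each naming tkey-gssapi-keytab as the replacement, so that operators who see the marker or the resulting warning know how to migrate off the credential-plus-KRB5_KTNAME setup described in the commit message.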

@ -1349,7 +1349,8 @@ static cfg_clausedef_t options_clauses[] = {
{ "tcp-send-buffer", &cfg_type_uint32, 0 },
{ "tkey-dhkey", NULL, CFG_CLAUSEFLAG_ANCIENT },
{ "tkey-domain", &cfg_type_qstring, 0 },
{ "tkey-gssapi-credential", &cfg_type_qstring, 0 },
{ "tkey-gssapi-credential", &cfg_type_qstring,
CFG_CLAUSEFLAG_DEPRECATED },
{ "tkey-gssapi-keytab", &cfg_type_qstring, 0 },
{ "transfer-message-size", &cfg_type_uint32, 0 },
{ "transfers-in", &cfg_type_uint32, 0 },
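
Review bot: Missing test coverage for the new CFG_CLAUSEFLAG_DEPRECATED flag on "tkey-gssapi-credential": nothing in this commit checks that a configuration using the statement still loads and that the deprecation is reported. A small config-check case with tkey-gssapi-credential set would guard against the flag being dropped or the statement being turned into a hard error by accident. Minor style point: the wrapped continuation line holding the flag should be indented to match the other multi-line entries in options_clauses[].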