4437. [func] Minimal-responses now has two additional modes

no-auth and no-auth-recursive which suppress adding the NS records to the authority section as well as the associated address records for the nameservers. [RT #42005]
2026-05-28 04:34:54 -04:00 · 2016-08-12 10:48:51 +10:00 · 2016-08-12 10:48:51 +10:00 · 78e31dd187
commit 78e31dd187
parent aaeed646fe
13 changed files with 291 additions and 47 deletions
--- a/6
+++ b/6
@ -1,3 +1,9 @@
+4437.	[func]		Minimal-responses now has two additional modes
+			no-auth and no-auth-recursive which suppress
+			adding the NS records to the authority section
+			as well as the associated address records for the
+			nameservers. [RT #42005]
+
 4436.	[func]		Return TLSA records as additional data for MX and SRV
 			lookups. [RT #42894]

--- a/bin/named/named.conf.docbook
+++ b/bin/named/named.conf.docbook
@ -241,7 +241,7 @@ options {
 	topology { <replaceable>address_match_element</replaceable>; ... }; // not implemented
 	auth-nxdomain <replaceable>boolean</replaceable>; // default changed
 	minimal-any <replaceable>boolean</replaceable>;
-	minimal-responses <replaceable>boolean</replaceable>;
+	minimal-responses ( <replaceable>boolean</replaceable> | no-auth | no-auth-recursive );
 	recursion <replaceable>boolean</replaceable>;
 	rrset-order {
 		<optional> class <replaceable>string</replaceable> </optional> <optional> type <replaceable>string</replaceable> </optional>
--- a/bin/named/query.c
+++ b/bin/named/query.c
@ -9048,9 +9048,21 @@ ns_query_start(ns_client_t *client) {
 	if ((client->extflags & DNS_MESSAGEEXTFLAG_DO) != 0)
 		client->attributes |= NS_CLIENTATTR_WANTDNSSEC;

-	if (client->view->minimalresponses)
+	switch (client->view->minimalresponses) {
+	case dns_minimal_no:
+		break;
+	case dns_minimal_yes:
 		client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
 					     NS_QUERYATTR_NOADDITIONAL);
+		break;
+	case dns_minimal_noauth:
+		client->query.attributes |= NS_QUERYATTR_NOAUTHORITY;
+		break;
+	case dns_minimal_noauthrec:
+		if ((message->flags & DNS_MESSAGEFLAG_RD) != 0)
+			client->query.attributes |= NS_QUERYATTR_NOAUTHORITY;
+		break;
+	}

 	if ((client->view->cachedb == NULL)
 	    || (!client->view->additionalfromcache)) {
--- a/bin/named/server.c
+++ b/bin/named/server.c
@ -4090,7 +4090,20 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 	obj = NULL;
 	result = ns_config_get(maps, "minimal-responses", &obj);
 	INSIST(result == ISC_R_SUCCESS);
-	view->minimalresponses = cfg_obj_asboolean(obj);
+	if (cfg_obj_isboolean(obj)) {
+		if (cfg_obj_asboolean(obj))
+			view->minimalresponses = dns_minimal_yes;
+		else
+			view->minimalresponses = dns_minimal_no;
+	} else {
+		str = cfg_obj_asstring(obj);
+		if (strcasecmp(str, "no-auth") == 0) {
+			view->minimalresponses = dns_minimal_noauth;
+		} else if (strcasecmp(str, "no-auth-recursive") == 0) {
+			view->minimalresponses = dns_minimal_noauthrec;
+		} else
+			INSIST(0);
+	}

 	obj = NULL;
 	result = ns_config_get(maps, "transfer-format", &obj);
--- a/bin/tests/system/additional/ns1/named3.conf
+++ b/bin/tests/system/additional/ns1/named3.conf
@ -18,6 +18,7 @@ options {
 	listen-on-v6 { none; };
 	notify no;
 	minimal-any yes;
+	minimal-responses no-auth;
 };

 include "../../common/rndc.key";
@ -30,3 +31,23 @@ zone "rt.example" {
 	type master;
 	file "rt.db";
 };
+
+zone "naptr.example" {
+	type master;
+	file "naptr.db";
+};
+
+zone "rt2.example" {
+	type master;
+	file "rt2.db";
+};
+
+zone "naptr2.example" {
+	type master;
+	file "naptr2.db";
+};
+
+zone "nid.example" {
+	type master;
+	file "nid.db";
+};
--- a/bin/tests/system/additional/ns1/named4.conf
+++ b/bin/tests/system/additional/ns1/named4.conf
@ -11,11 +11,13 @@ options {
 	notify-source 10.53.0.1;
 	transfer-source 10.53.0.1;
 	recursion no;
+	additional-from-auth no;
 	port 5300;
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
 	notify no;
+	minimal-responses no-auth-recursive;
 };

 include "../../common/rndc.key";
@ -33,3 +35,28 @@ zone "srv.example" {
 	type master;
 	file "srv.db";
 };
+
+zone "rt.example" {
+	type master;
+	file "rt.db";
+};
+
+zone "naptr.example" {
+	type master;
+	file "naptr.db";
+};
+
+zone "rt2.example" {
+	type master;
+	file "rt2.db";
+};
+
+zone "naptr2.example" {
+	type master;
+	file "naptr2.db";
+};
+
+zone "nid.example" {
+	type master;
+	file "nid.db";
+};
--- a/bin/tests/system/additional/tests.sh
+++ b/bin/tests/system/additional/tests.sh
@ -16,81 +16,192 @@ n=0

 dotests() {
    n=`expr $n + 1`
-    echo "I:test with RT, single zone ($n)"
+    echo "I:test with RT, single zone (+rec) ($n)"
    ret=0
-    $DIG -t RT rt.rt.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
+    $DIG +rec -t RT rt.rt.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
    if [ $ret -eq 1 ] ; then
            echo "I: failed"; status=1
    fi

    n=`expr $n + 1`
-    echo "I:test with RT, two zones ($n)"
+    echo "I:test with RT, two zones (+rec) ($n)"
    ret=0
-    $DIG -t RT rt.rt2.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
+    $DIG +rec -t RT rt.rt2.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
    if [ $ret -eq 1 ] ; then
            echo "I: failed"; status=1
    fi

    n=`expr $n + 1`
-    echo "I:test with NAPTR, single zone ($n)"
+    echo "I:test with NAPTR, single zone (+rec) ($n)"
    ret=0
-    $DIG -t NAPTR nap.naptr.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
+    $DIG +rec -t NAPTR nap.naptr.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
    if [ $ret -eq 1 ] ; then
            echo "I: failed"; status=1
    fi

    n=`expr $n + 1`
-    echo "I:test with NAPTR, two zones ($n)"
+    echo "I:test with NAPTR, two zones (+rec) ($n)"
    ret=0
-    $DIG -t NAPTR nap.hang3b.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
+    $DIG +rec -t NAPTR nap.hang3b.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
    if [ $ret -eq 1 ] ; then
            echo "I: failed"; status=1
    fi

    n=`expr $n + 1`
-    echo "I:test with LP ($n)"
+    echo "I:test with LP (+rec) ($n)"
    ret=0
-    $DIG -t LP nid2.nid.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
-    if [ $minimal = no ] ; then
-      grep "L64" dig.out.$n > /dev/null || ret=1
-      grep "L32" dig.out.$n > /dev/null || ret=1
-    else
-      grep "L64" dig.out.$n > /dev/null && ret=1
-      grep "L32" dig.out.$n > /dev/null && ret=1
-    fi
+    $DIG +rec -t LP nid2.nid.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
+    case $minimal in
+    no)
+      grep -w "NS" dig.out.$n > /dev/null || ret=1
+      grep -w "L64" dig.out.$n > /dev/null || ret=1
+      grep -w "L32" dig.out.$n > /dev/null || ret=1
+      ;;
+    yes)
+      grep -w "NS" dig.out.$n > /dev/null && ret=1
+      grep -w "L64" dig.out.$n > /dev/null && ret=1
+      grep -w "L32" dig.out.$n > /dev/null && ret=1
+      ;;
+    no-auth)
+      grep -w "NS" dig.out.$n > /dev/null && ret=1
+      grep -w "L64" dig.out.$n > /dev/null || ret=1
+      grep -w "L32" dig.out.$n > /dev/null || ret=1
+      ;;
+    no-auth-recursive)
+      grep -w "NS" dig.out.$n > /dev/null && ret=1
+      grep -w "L64" dig.out.$n > /dev/null || ret=1
+      grep -w "L32" dig.out.$n > /dev/null || ret=1
+      ;;
+    esac
    if [ $ret -eq 1 ] ; then
            echo "I: failed"; status=1
    fi

    n=`expr $n + 1`
-    echo "I:test with NID ($n)"
+    echo "I:test with NID (+rec) ($n)"
    ret=0
-    $DIG -t NID ns1.nid.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
+    $DIG +rec -t NID ns1.nid.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
    if [ $minimal = no ] ; then
      # change && to || when we support NID additional processing
-      grep "L64" dig.out.$n > /dev/null && ret=1
-      grep "L32" dig.out.$n > /dev/null && ret=1
+      grep -w "L64" dig.out.$n > /dev/null && ret=1
+      grep -w "L32" dig.out.$n > /dev/null && ret=1
    else
-      grep "L64" dig.out.$n > /dev/null && ret=1
-      grep "L32" dig.out.$n > /dev/null && ret=1
+      grep -w "L64" dig.out.$n > /dev/null && ret=1
+      grep -w "L32" dig.out.$n > /dev/null && ret=1
    fi
    if [ $ret -eq 1 ] ; then
            echo "I: failed"; status=1
    fi

    n=`expr $n + 1`
-    echo "I:test with NID + LP ($n)"
+    echo "I:test with NID + LP (+rec) ($n)"
    ret=0
-    $DIG -t NID nid2.nid.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
+    $DIG +rec -t NID nid2.nid.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
    if [ $minimal = no ] ; then
      # change && to || when we support NID additional processing
-      grep "LP" dig.out.$n > /dev/null && ret=1
-      grep "L64" dig.out.$n > /dev/null && ret=1
-      grep "L32" dig.out.$n > /dev/null && ret=1
+      grep -w "LP" dig.out.$n > /dev/null && ret=1
+      grep -w "L64" dig.out.$n > /dev/null && ret=1
+      grep -w "L32" dig.out.$n > /dev/null && ret=1
    else
-      grep "LP" dig.out.$n > /dev/null && ret=1
-      grep "L64" dig.out.$n > /dev/null && ret=1
-      grep "L32" dig.out.$n > /dev/null && ret=1
+      grep -w "LP" dig.out.$n > /dev/null && ret=1
+      grep -w "L64" dig.out.$n > /dev/null && ret=1
+      grep -w "L32" dig.out.$n > /dev/null && ret=1
+    fi
+    if [ $ret -eq 1 ] ; then
+            echo "I: failed"; status=1
+    fi
+
+    n=`expr $n + 1`
+    echo "I:test with RT, single zone (+norec) ($n)"
+    ret=0
+    $DIG +norec -t RT rt.rt.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
+    if [ $ret -eq 1 ] ; then
+            echo "I: failed"; status=1
+    fi
+
+    n=`expr $n + 1`
+    echo "I:test with RT, two zones (+norec) ($n)"
+    ret=0
+    $DIG +norec -t RT rt.rt2.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
+    if [ $ret -eq 1 ] ; then
+            echo "I: failed"; status=1
+    fi
+
+    n=`expr $n + 1`
+    echo "I:test with NAPTR, single zone (+norec) ($n)"
+    ret=0
+    $DIG +norec -t NAPTR nap.naptr.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
+    if [ $ret -eq 1 ] ; then
+            echo "I: failed"; status=1
+    fi
+
+    n=`expr $n + 1`
+    echo "I:test with NAPTR, two zones (+norec) ($n)"
+    ret=0
+    $DIG +norec -t NAPTR nap.hang3b.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
+    if [ $ret -eq 1 ] ; then
+            echo "I: failed"; status=1
+    fi
+
+    n=`expr $n + 1`
+    echo "I:test with LP (+norec) ($n)"
+    ret=0
+    $DIG +norec -t LP nid2.nid.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
+    case $minimal in
+    no)
+      grep -w "NS" dig.out.$n > /dev/null || ret=1
+      grep -w "L64" dig.out.$n > /dev/null || ret=1
+      grep -w "L32" dig.out.$n > /dev/null || ret=1
+      ;;
+    yes)
+      grep -w "NS" dig.out.$n > /dev/null && ret=1
+      grep -w "L64" dig.out.$n > /dev/null && ret=1
+      grep -w "L32" dig.out.$n > /dev/null && ret=1
+      ;;
+    no-auth)
+      grep -w "NS" dig.out.$n > /dev/null && ret=1
+      grep -w "L64" dig.out.$n > /dev/null || ret=1
+      grep -w "L32" dig.out.$n > /dev/null || ret=1
+      ;;
+    no-auth-recursive)
+      grep -w "NS" dig.out.$n > /dev/null || ret=1
+      grep -w "L64" dig.out.$n > /dev/null || ret=1
+      grep -w "L32" dig.out.$n > /dev/null || ret=1
+      ;;
+    esac
+    if [ $ret -eq 1 ] ; then
+            echo "I: failed"; status=1
+    fi
+
+    n=`expr $n + 1`
+    echo "I:test with NID (+norec) ($n)"
+    ret=0
+    $DIG +norec -t NID ns1.nid.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
+    if [ $minimal = no ] ; then
+      # change && to || when we support NID additional processing
+      grep -w "L64" dig.out.$n > /dev/null && ret=1
+      grep -w "L32" dig.out.$n > /dev/null && ret=1
+    else
+      grep -w "L64" dig.out.$n > /dev/null && ret=1
+      grep -w "L32" dig.out.$n > /dev/null && ret=1
+    fi
+    if [ $ret -eq 1 ] ; then
+            echo "I: failed"; status=1
+    fi
+
+    n=`expr $n + 1`
+    echo "I:test with NID + LP (+norec) ($n)"
+    ret=0
+    $DIG +norec -t NID nid2.nid.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
+    if [ $minimal = no ] ; then
+      # change && to || when we support NID additional processing
+      grep -w "LP" dig.out.$n > /dev/null && ret=1
+      grep -w "L64" dig.out.$n > /dev/null && ret=1
+      grep -w "L32" dig.out.$n > /dev/null && ret=1
+    else
+      grep -w "LP" dig.out.$n > /dev/null && ret=1
+      grep -w "L64" dig.out.$n > /dev/null && ret=1
+      grep -w "L32" dig.out.$n > /dev/null && ret=1
    fi
    if [ $ret -eq 1 ] ; then
            echo "I: failed"; status=1
@ -133,11 +244,19 @@ if [ $ret -eq 1 ] ; then
    echo "I: failed"; status=1
 fi

+echo "I:testing with 'minimal-responses no-auth;'"
+minimal=no-auth
+dotests
+
 echo "I:reconfiguring server"
 cp ns1/named4.conf ns1/named.conf
 $RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 reconfig 2>&1 | sed 's/^/I:ns1 /'
 sleep 2

+echo "I:testing with 'minimal-responses no-auth-recursive;'"
+minimal=no-auth-recursive
+dotests
+
 n=`expr $n + 1`
 echo "I:testing returning TLSA records with MX query ($n)"
 ret=0
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@ -4429,7 +4429,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
    <optional> host-statistics <replaceable>yes_or_no</replaceable>; </optional>
    <optional> host-statistics-max <replaceable>number</replaceable>; </optional>
    <optional> minimal-any <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> minimal-responses <replaceable>yes_or_no</replaceable>; </optional>
+    <optional> minimal-responses (<replaceable>yes_or_no</replaceable> | <constant>no-auth</constant> | <constant>no-auth-recursive</constant>); </optional>
    <optional> multiple-cnames <replaceable>yes_or_no</replaceable>; </optional>
    <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable>; </optional>
    <optional> recursion <replaceable>yes_or_no</replaceable>; </optional>
@ -6187,11 +6187,26 @@ options {
 	      <term><command>minimal-responses</command></term>
 	      <listitem>
 		<para>
-		  If <userinput>yes</userinput>, then when generating
+		  If set to <userinput>yes</userinput>, then when generating
 		  responses the server will only add records to the authority
 		  and additional data sections when they are required (e.g.
 		  delegations, negative responses).  This may improve the
 		  performance of the server.
+		</para>
+		<para>
+		  When set to <userinput>no-auth</userinput>, the
+		  server will omit records from the authority section
+		  unless they are required, but it may still add
+		  records to the additional section.  When set to
+		  <userinput>no-auth-recursive</userinput>, this
+		  is only done if the query is recursive.  These
+		  settings are useful when answering stub clients,
+		  which usually ignore the authority section.
+		  <userinput>no-auth-recursive</userinput> is
+		  designed for mixed-mode servers which handle
+		  both authoritative and recursive queries.
+		</para>
+		<para>
 		  The default is <userinput>no</userinput>.
 		</para>
 	      </listitem>
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@ -537,7 +537,7 @@
      <listitem>
 	<para>
 	  An <command>--enable-querytrace</command> configure switch is
-	  now available to enable very verbose query tracelogging. This
+	  now available to enable very verbose query trace logging. This
 	  option can only be set at compile time. This option has a
 	  negative performance impact and should be used only for
 	  debugging. [RT #37520]
@ -843,6 +843,15 @@
 	  block the server.
 	</para>
      </listitem>
+      <listitem>
+	<para>
+	  <command>minimal-responses</command> now takes two new
+	  arguments: <option>no-auth</option> suppresses
+	  populating the authority section but not the additional
+	  section; <option>no-auth-recursive</option>
+	  does the same but only when answering recursive queries.
+	</para>
+      </listitem>
    </itemizedlist>
  </section>

--- a/lib/dns/include/dns/types.h
+++ b/lib/dns/include/dns/types.h
@ -188,6 +188,13 @@ typedef enum {
 	dns_notifytype_masteronly = 3
 } dns_notifytype_t;

+typedef enum {
+	dns_minimal_no = 0,
+	dns_minimal_yes = 1,
+	dns_minimal_noauth = 2,
+	dns_minimal_noauthrec = 3
+} dns_minimaltype_t;
+
 typedef enum {
 	dns_dialuptype_no = 0,
 	dns_dialuptype_yes = 1,
--- a/lib/dns/include/dns/view.h
+++ b/lib/dns/include/dns/view.h
@ -117,7 +117,7 @@ struct dns_view {
 	isc_boolean_t			additionalfromcache;
 	isc_boolean_t			additionalfromauth;
 	isc_boolean_t			minimal_any;
-	isc_boolean_t			minimalresponses;
+	dns_minimaltype_t		minimalresponses;
 	isc_boolean_t			enablednssec;
 	isc_boolean_t			enablevalidation;
 	isc_boolean_t			acceptexpired;
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@ -186,7 +186,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	view->enablevalidation = ISC_TRUE;
 	view->acceptexpired = ISC_FALSE;
 	view->minimal_any = ISC_FALSE;
-	view->minimalresponses = ISC_FALSE;
+	view->minimalresponses = dns_minimal_no;
 	view->transfer_format = dns_one_answer;
 	view->cacheacl = NULL;
 	view->cacheonacl = NULL;
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@ -89,14 +89,19 @@ doc_geoip(cfg_printer_t *pctx, const cfg_type_t *type);
 static cfg_type_t cfg_type_acl;
 static cfg_type_t cfg_type_addrmatchelt;
 static cfg_type_t cfg_type_bracketed_aml;
-static cfg_type_t cfg_type_bracketed_namesockaddrkeylist;
 static cfg_type_t cfg_type_bracketed_dscpsockaddrlist;
+static cfg_type_t cfg_type_bracketed_namesockaddrkeylist;
 static cfg_type_t cfg_type_bracketed_sockaddrlist;
 static cfg_type_t cfg_type_bracketed_sockaddrnameportlist;
 static cfg_type_t cfg_type_controls;
 static cfg_type_t cfg_type_controls_sockaddr;
 static cfg_type_t cfg_type_destinationlist;
 static cfg_type_t cfg_type_dialuptype;
+static cfg_type_t cfg_type_dlz;
+static cfg_type_t cfg_type_dnstap;
+static cfg_type_t cfg_type_dnstapoutput;
+static cfg_type_t cfg_type_dyndb;
+static cfg_type_t cfg_type_filter_aaaa;
 static cfg_type_t cfg_type_ixfrdifftype;
 static cfg_type_t cfg_type_key;
 static cfg_type_t cfg_type_logfile;
@ -105,15 +110,16 @@ static cfg_type_t cfg_type_logseverity;
 static cfg_type_t cfg_type_lwres;
 static cfg_type_t cfg_type_masterselement;
 static cfg_type_t cfg_type_maxttl;
+static cfg_type_t cfg_type_minimal;
 static cfg_type_t cfg_type_nameportiplist;
 static cfg_type_t cfg_type_negated;
 static cfg_type_t cfg_type_notifytype;
 static cfg_type_t cfg_type_optional_allow;
 static cfg_type_t cfg_type_optional_class;
+static cfg_type_t cfg_type_optional_dscp;
 static cfg_type_t cfg_type_optional_facility;
 static cfg_type_t cfg_type_optional_keyref;
 static cfg_type_t cfg_type_optional_port;
-static cfg_type_t cfg_type_optional_dscp;
 static cfg_type_t cfg_type_optional_uint32;
 static cfg_type_t cfg_type_options;
 static cfg_type_t cfg_type_portiplist;
@ -133,11 +139,6 @@ static cfg_type_t cfg_type_view;
 static cfg_type_t cfg_type_viewopts;
 static cfg_type_t cfg_type_zone;
 static cfg_type_t cfg_type_zoneopts;
-static cfg_type_t cfg_type_filter_aaaa;
-static cfg_type_t cfg_type_dlz;
-static cfg_type_t cfg_type_dyndb;
-static cfg_type_t cfg_type_dnstap;
-static cfg_type_t cfg_type_dnstapoutput;

 /*% tkey-dhkey */

@ -1715,7 +1716,7 @@ view_clauses[] = {
 	{ "max-udp-size", &cfg_type_uint32, 0 },
 	{ "min-roots", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP },
 	{ "minimal-any", &cfg_type_boolean, 0 },
-	{ "minimal-responses", &cfg_type_boolean, 0 },
+	{ "minimal-responses", &cfg_type_minimal, 0 },
 	{ "nta-recheck", &cfg_type_ttlval, 0 },
 	{ "nta-lifetime", &cfg_type_ttlval, 0 },
 	{ "nxdomain-redirect", &cfg_type_astring, 0 },
@ -2465,6 +2466,20 @@ static cfg_type_t cfg_type_notifytype = {
 	&cfg_rep_string, notify_enums,
 };

+static const char *minimal_enums[] = { "no-auth", "no-auth-recursive", NULL };
+static isc_result_t
+parse_minimal(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
+}
+static void
+doc_minimal(cfg_printer_t *pctx, const cfg_type_t *type) {
+	return (doc_enum_or_other(pctx, type, &cfg_type_boolean));
+}
+static cfg_type_t cfg_type_minimal = {
+	"mimimal", parse_minimal, cfg_print_ustring, doc_minimal,
+	&cfg_rep_string, minimal_enums,
+};
+
 static const char *ixfrdiff_enums[] = { "master", "slave", NULL };
 static isc_result_t
 parse_ixfrdiff_type(cfg_parser_t *pctx, const cfg_type_t *type,