From 833ca463d41321aa315bd6f21a15e32af0037efe Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Wed, 22 Mar 2023 16:57:54 -0700 Subject: [PATCH] remove {root-}delegation-only complete the removal of the delegation-only and root-delegation-only options, and the delegation-only zone type. --- bin/check/named-checkconf.c | 3 +- bin/named/named.conf.rst | 1 - bin/named/server.c | 67 +----- bin/tests/system/addzone/tests.sh | 8 - bin/tests/system/checkconf/deprecated.conf | 12 - bin/tests/system/checkconf/tests.sh | 3 - bin/tests/system/resolver/ns4/named.conf.in | 2 - bin/tests/system/resolver/ns4/root.db | 2 - bin/tests/system/resolver/ns5/named.conf.in | 4 - bin/tests/system/resolver/ns6/named.conf.in | 10 - bin/tests/system/resolver/tests.sh | 96 -------- doc/arm/Makefile.am | 1 - doc/arm/logging-categories.inc.rst | 3 - doc/arm/reference.rst | 73 +----- doc/misc/Makefile.am | 4 - doc/misc/cfg_test.c | 2 - doc/misc/delegation-only.zoneopt | 3 - doc/misc/forward.zoneopt | 1 - doc/misc/hint.zoneopt | 1 - doc/misc/options | 2 - doc/misc/stub.zoneopt | 1 - lib/dns/include/dns/log.h | 32 +-- lib/dns/include/dns/view.h | 65 ------ lib/dns/log.c | 17 +- lib/dns/resolver.c | 245 -------------------- lib/dns/view.c | 144 ------------ lib/isccfg/check.c | 46 +--- lib/isccfg/include/isccfg/check.h | 4 +- lib/isccfg/namedconf.c | 17 +- 29 files changed, 44 insertions(+), 825 deletions(-) delete mode 100644 doc/misc/delegation-only.zoneopt diff --git a/bin/check/named-checkconf.c b/bin/check/named-checkconf.c index 798adca581..a24435f03e 100644 --- a/bin/check/named-checkconf.c +++ b/bin/check/named-checkconf.c @@ -733,8 +733,7 @@ main(int argc, char **argv) { exit(1); } - result = isccfg_check_namedconf(config, loadplugins, nodeprecate, logc, - mctx); + result = isccfg_check_namedconf(config, loadplugins, logc, mctx); if (result != ISC_R_SUCCESS) { exit_status = 1; } diff --git a/bin/named/named.conf.rst b/bin/named/named.conf.rst index 8e93f8b3fe..89e76bd99c 100644 
--- a/bin/named/named.conf.rst +++ b/bin/named/named.conf.rst @@ -52,7 +52,6 @@ Any of these zone statements can also be set inside the view statement. .. literalinclude:: ../../doc/misc/redirect.zoneopt .. literalinclude:: ../../doc/misc/static-stub.zoneopt .. literalinclude:: ../../doc/misc/stub.zoneopt -.. literalinclude:: ../../doc/misc/delegation-only.zoneopt .. literalinclude:: ../../doc/misc/in-view.zoneopt Files diff --git a/bin/named/server.c b/bin/named/server.c index 518f494eb2..67b8e1c4a9 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -5593,29 +5593,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, view->preferred_glue = 0; } - obj = NULL; - result = named_config_get(maps, "root-delegation-only", &obj); - if (result == ISC_R_SUCCESS) { - dns_view_setrootdelonly(view, true); - } - if (result == ISC_R_SUCCESS && !cfg_obj_isvoid(obj)) { - const cfg_obj_t *exclude; - dns_fixedname_t fixed; - dns_name_t *name; - - name = dns_fixedname_initname(&fixed); - for (element = cfg_list_first(obj); element != NULL; - element = cfg_list_next(element)) - { - exclude = cfg_listelt_value(element); - CHECK(dns_name_fromstring( - name, cfg_obj_asstring(exclude), 0, NULL)); - dns_view_excludedelegationonly(view, name); - } - } else { - dns_view_setrootdelonly(view, false); - } - /* * Load DynDB modules. */ @@ -6500,7 +6477,6 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, const cfg_obj_t *forwarders = NULL; const cfg_obj_t *forwardtype = NULL; const cfg_obj_t *ixfrfromdiffs = NULL; - const cfg_obj_t *only = NULL; const cfg_obj_t *viewobj = NULL; isc_result_t result = ISC_R_SUCCESS; isc_result_t tresult; 
@@ -6629,17 +6605,6 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, const char *hintsfile = cfg_obj_asstring(fileobj); CHECK(configure_hints(view, hintsfile)); - - /* - * Hint zones may also refer to delegation only points. - */ - only = NULL; - tresult = cfg_map_get(zoptions, "delegation-only", - &only); - if (tresult == ISC_R_SUCCESS && cfg_obj_asboolean(only)) - { - dns_view_adddelegationonly(view, origin); - } } else { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING, @@ -6663,23 +6628,6 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, (void)cfg_map_get(zoptions, "forwarders", &forwarders); CHECK(configure_forward(config, view, origin, forwarders, forwardtype)); - - /* - * Forward zones may also set delegation only. - */ - only = NULL; - tresult = cfg_map_get(zoptions, "delegation-only", &only); - if (tresult == ISC_R_SUCCESS && cfg_obj_asboolean(only)) { - dns_view_adddelegationonly(view, origin); - } - goto cleanup; - } - - /* - * "delegation-only zones" aren't zones either. - */ - if (strcasecmp(ztypestr, "delegation-only") == 0) { - dns_view_adddelegationonly(view, origin); goto cleanup; } @@ -6841,16 +6789,6 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, forwardtype)); } - /* - * Stub and forward zones may also refer to delegation only points. - */ - only = NULL; - if (cfg_map_get(zoptions, "delegation-only", &only) == ISC_R_SUCCESS) { - if (cfg_obj_asboolean(only)) { - dns_view_adddelegationonly(view, origin); - } - } - /* * Mark whether the zone was originally added at runtime or not */ @@ -8428,7 +8366,7 @@ load_configuration(const char *filename, named_server_t *server, * checked later when the modules are actually loaded and * registered.) */ - result = isccfg_check_namedconf(config, false, false, named_g_lctx, + result = isccfg_check_namedconf(config, false, named_g_lctx, named_g_mctx); if (result != ISC_R_SUCCESS) { goto cleanup_config; 
@@ -13337,8 +13275,7 @@ newzone_parse(named_server_t *server, char *command, dns_view_t **viewp, } if (strcasecmp(cfg_obj_asstring(obj), "hint") == 0 || - strcasecmp(cfg_obj_asstring(obj), "forward") == 0 || - strcasecmp(cfg_obj_asstring(obj), "delegation-only") == 0) + strcasecmp(cfg_obj_asstring(obj), "forward") == 0) { (void)putstr(text, "'"); (void)putstr(text, cfg_obj_asstring(obj)); diff --git a/bin/tests/system/addzone/tests.sh b/bin/tests/system/addzone/tests.sh index 0f81eb761b..e626c5cd9e 100755 --- a/bin/tests/system/addzone/tests.sh +++ b/bin/tests/system/addzone/tests.sh @@ -469,14 +469,6 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -echo_i "check that zone type 'delegation-only' is properly rejected ($n)" -ret=0 -$RNDCCMD 10.53.0.2 addzone 'delegation-only.example { type delegation-only; };' > rndc.out.ns2.$n 2>&1 && ret=1 -grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - echo_i "check that 'in-view' zones are properly rejected ($n)" ret=0 $RNDCCMD 10.53.0.2 addzone 'in-view.example { in-view "_default"; };' > rndc.out.ns2.$n 2>&1 && ret=1 diff --git a/bin/tests/system/checkconf/deprecated.conf b/bin/tests/system/checkconf/deprecated.conf index 55d0f79e0b..548b144d15 100644 --- a/bin/tests/system/checkconf/deprecated.conf +++ b/bin/tests/system/checkconf/deprecated.conf @@ -23,8 +23,6 @@ options { use-v6-udp-ports { range 1024 65535; }; avoid-v4-udp-ports { range 1 1023; }; avoid-v6-udp-ports { range 1 1023; }; - - root-delegation-only exclude { "them"; }; }; trusted-keys { @@ -54,13 +52,3 @@ zone example.com { file "maxttl-bad.db"; max-zone-ttl 120; }; - -zone "." { - type hint; - file "shared.example.db"; - delegation-only yes; -}; - -zone com { - type delegation-only; -}; 
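Review bot: In newzone_parse the type check now lists only `hint` and `forward`, so `rndc addzone` with `type delegation-only` is no longer refused here and must be refused by the configuration parser before this point. That parser change (lib/isccfg/namedconf.c in the diffstat) is not visible in this hunk. The addzone system test that covered this input is deleted in the same commit rather than rewritten, which leaves the new failure path unexercised. I would keep a case that submits `addzone 'delegation-only.example { type delegation-only; };'` and asserts that rndc fails, so a later grammar change cannot let the type through to configure_zone, which no longer has a branch for it. The body of newzone_parse starts and ends outside the hunk.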
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh index d67ab61ab9..f65d603314 100644 --- a/bin/tests/system/checkconf/tests.sh +++ b/bin/tests/system/checkconf/tests.sh @@ -169,9 +169,6 @@ grep "option 'use-v4-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null | grep "option 'use-v6-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 grep "option 'avoid-v4-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 grep "option 'avoid-v6-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "option 'delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "option 'root-delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "'type delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 grep "token 'port' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` diff --git a/bin/tests/system/resolver/ns4/named.conf.in b/bin/tests/system/resolver/ns4/named.conf.in index 281c2ca0c8..67cbee8870 100644 --- a/bin/tests/system/resolver/ns4/named.conf.in +++ b/bin/tests/system/resolver/ns4/named.conf.in @@ -23,8 +23,6 @@ options { listen-on-v6 { none; }; recursion no; dnssec-validation no; - /* test that named loads with root-delegation-only */ - root-delegation-only; }; zone "." { diff --git a/bin/tests/system/resolver/ns4/root.db b/bin/tests/system/resolver/ns4/root.db index df6c29b926..330b00e377 100644 --- a/bin/tests/system/resolver/ns4/root.db +++ b/bin/tests/system/resolver/ns4/root.db @@ -20,8 +20,6 @@ $TTL 300 . NS a.root-servers.nil. a.root-servers.nil. A 10.53.0.4 all-cnames NS cname.tld -delegation-only. NS ns.delegation-only. -ns.delegation-only. A 10.53.0.6 example.net. NS ns.example.net. ns.example.net. A 10.53.0.6 no-questions. NS ns.no-questions. 
diff --git a/bin/tests/system/resolver/ns5/named.conf.in b/bin/tests/system/resolver/ns5/named.conf.in index 6ad4e6aaaf..9856d8e5b1 100644 --- a/bin/tests/system/resolver/ns5/named.conf.in +++ b/bin/tests/system/resolver/ns5/named.conf.in @@ -46,10 +46,6 @@ zone "child.server" { file "child.server.db"; }; -zone "delegation-only" { - type delegation-only; -}; - key rndc_key { secret "1234abcd8765"; algorithm @DEFAULT_HMAC@; diff --git a/bin/tests/system/resolver/ns6/named.conf.in b/bin/tests/system/resolver/ns6/named.conf.in index 769b577069..c6ec72abc4 100644 --- a/bin/tests/system/resolver/ns6/named.conf.in +++ b/bin/tests/system/resolver/ns6/named.conf.in @@ -25,11 +25,6 @@ options { dnssec-validation no; querylog yes; statistics-file "named.stats"; - /* - * test that named loads with root-delegation-only that - * has a exclude list. - */ - root-delegation-only exclude { "a"; }; max-udp-size 4096; }; @@ -77,11 +72,6 @@ zone "no-edns-version.tld" { file "no-edns-version.tld.db"; }; -zone "delegation-only" { - type primary; - file "delegation-only.db"; -}; - zone "fetch.tld" { type primary; file "fetch.tld.db"; diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh index 33a72383f3..9bd258e8c1 100755 --- a/bin/tests/system/resolver/tests.sh +++ b/bin/tests/system/resolver/tests.sh 
@@ -546,102 +546,6 @@ grep "CLIENT-SUBNET: 255.255.254.0/23/0" dig.out.ns5.test${n} > /dev/null || ret if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) -echo_i "check that SOA query returns data for delegation-only apex (${n})" -ret=0 -dig_with_opts soa delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) -n=$((n+1)) - -n=$((n+1)) -echo_i "check that NS query returns data for delegation-only apex (${n})" -ret=0 -dig_with_opts ns delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -n=$((n+1)) -echo_i "check that A query returns data for delegation-only A apex (${n})" -ret=0 -dig_with_opts a delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -n=$((n+1)) -echo_i "check that CDS query returns data for delegation-only apex (${n})" -ret=0 -dig_with_opts cds delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -n=$((n+1)) -echo_i "check that AAAA query returns data for delegation-only AAAA apex (${n})" -ret=0 -dig_with_opts a delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1 -if [ $ret != 0 ]; then 
echo_i "failed"; fi -status=$((status + ret)) -n=$((n+1)) - -echo_i "check that DNSKEY query returns data for delegation-only apex (${n})" -ret=0 -dig_with_opts dnskey delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -n=$((n+1)) -echo_i "check that CDNSKEY query returns data for delegation-only apex (${n})" -ret=0 -dig_with_opts cdnskey delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -n=$((n+1)) -echo_i "check that NXDOMAIN is returned for delegation-only non-apex A data (${n})" -ret=0 -dig_with_opts a a.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 -grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -n=$((n+1)) -echo_i "check that NXDOMAIN is returned for delegation-only non-apex CDS data (${n})" -ret=0 -dig_with_opts cds cds.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 -grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -n=$((n+1)) -echo_i "check that NXDOMAIN is returned for delegation-only non-apex AAAA data (${n})" -ret=0 -dig_with_opts aaaa aaaa.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 -grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) -n=$((n+1)) - -echo_i "check that NXDOMAIN is returned for delegation-only non-apex CDNSKEY data (${n})" -ret=0 -dig_with_opts cdnskey cdnskey.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 -grep "status: 
NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - n=$((n+1)) echo_i "check zero ttl not returned for learnt non zero ttl records (${n})" ret=0 diff --git a/doc/arm/Makefile.am b/doc/arm/Makefile.am index 78c146c305..5c53d56634 100644 --- a/doc/arm/Makefile.am +++ b/doc/arm/Makefile.am @@ -68,7 +68,6 @@ EXTRA_DIST = \ ../dnssec-guide \ ../misc/options \ ../misc/rndc.grammar \ - ../misc/delegation-only.zoneopt \ ../misc/forward.zoneopt \ ../misc/hint.zoneopt \ ../misc/in-view.zoneopt \ diff --git a/doc/arm/logging-categories.inc.rst b/doc/arm/logging-categories.inc.rst index 69c14c23cf..2bee205894 100644 --- a/doc/arm/logging-categories.inc.rst +++ b/doc/arm/logging-categories.inc.rst @@ -24,9 +24,6 @@ ``default`` Logging options for those categories where no specific configuration has been defined. -``delegation-only`` - Queries that have been forced to NXDOMAIN as the result of a delegation-only zone or a :any:`delegation-only` in a forward, hint, or stub zone declaration. - ``dispatch`` Dispatching of incoming packets to the server modules where they are to be processed. diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 02c578bcbf..daaa04c283 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst 
@@ -1598,46 +1598,6 @@ default is used. is to prefer A records when responding to queries that arrived via IPv4 and AAAA when responding to queries that arrived via IPv6. -.. namedconf:statement:: root-delegation-only - :tags: deprecated - :short: Turns on enforcement of delegation-only in top-level domains (TLDs) and root zones with an optional exclude list. - - This turns on enforcement of delegation-only in top-level domains (TLDs) - and root zones with an - optional exclude list. - - DS queries are expected to be made to and be answered by delegation-only - zones. Such queries and responses are treated as an exception to - delegation-only processing and are not converted to NXDOMAIN - responses, provided a CNAME is not discovered at the query name. - - If a delegation-only zone server also serves a child zone, it is not - always possible to determine whether an answer comes from the - delegation-only zone or the child zone. SOA NS and DNSKEY records are - apex-only records and a matching response that contains these records - or DS is treated as coming from a child zone. RRSIG records are also - examined to see whether they are signed by a child zone, and the - authority section is examined to see if there is evidence that - the answer is from the child zone. Answers that are determined to be - from a child zone are not converted to NXDOMAIN responses. Despite - all these checks, there is still a possibility of false negatives when - a child zone is being served. - - Similarly, false positives can arise from empty nodes (no records at - the name) in the delegation-only zone when the query type is not ``ANY``. - - Note that some TLDs are not delegation-only; e.g., "DE", "LV", "US", and - "MUSEUM". This list is not exhaustive. - - :: - - options { - root-delegation-only exclude { "de"; "lv"; "us"; "museum"; }; - }; - - This option is deprecated, and will be rendered non-operational in a - future release. - .. 
namedconf:statement:: disable-algorithms :tags: dnssec :short: Disables DNSSEC algorithms from a specified zone. @@ -6646,8 +6606,7 @@ Zone Types :any:`primary ` (or ``master``), :any:`secondary ` (or ``slave``), :any:`mirror `, :any:`hint `, :any:`stub `, :any:`static-stub `, - :any:`forward `, :any:`redirect `, or - :any:`delegation-only `. + :any:`forward `, or :any:`redirect `. .. namedconf:statement:: type primary :tags: zone @@ -6872,23 +6831,6 @@ Zone Types When using :option:`rndc reload` without specifying a zone name, redirect zones are reloaded along with other zones. -.. namedconf:statement:: type delegation-only - :tags: deprecated - :short: Enforces the delegation-only status of infrastructure zones (COM, NET, ORG, etc.). - - This zone type is used to enforce the delegation-only status of - infrastructure zones (e.g., COM, NET, ORG). Any answer that is received - without an explicit or implicit delegation in the authority section is - treated as NXDOMAIN. This does not apply to the zone apex, and should - not be applied to leaf zones. - - :any:`delegation-only` has no effect on answers received from forwarders. - - See caveats in :any:`root-delegation-only`. - - This zone type is deprecated, and will be rendered non-operational in a - future release. - .. namedconf:statement:: in-view :tags: view, zone :short: Specifies the view in which a given zone is defined. 
@@ -7016,19 +6958,6 @@ Zone Options :any:`dialup` See the description of :any:`dialup` in :ref:`boolean_options`. -.. namedconf:statement:: delegation-only - :tags: deprecated - :short: Indicates that a forward, hint, or stub zone is to be treated as a delegation-only type zone. - - This flag only applies to forward, hint, and stub zones. If set to - ``yes``, then the zone is treated as if it is also a - delegation-only type zone. - - See caveats in :any:`root-delegation-only`. - - This option is deprecated, and will be rendered non-operational in a - future release. - .. namedconf:statement:: file :tags: zone :short: Specifies the zone's filename. diff --git a/doc/misc/Makefile.am b/doc/misc/Makefile.am index 8d7c80d9c4..d613981855 100644 --- a/doc/misc/Makefile.am +++ b/doc/misc/Makefile.am @@ -12,7 +12,6 @@ OPTIONS_FILES = \ stub.zoneopt \ static-stub.zoneopt \ redirect.zoneopt \ - delegation-only.zoneopt \ in-view.zoneopt EXTRA_DIST = \ @@ -71,9 +70,6 @@ static-stub.zoneopt: cfg_test redirect.zoneopt: cfg_test $(AM_V_CFG_TEST)$(builddir)/cfg_test --zonegrammar redirect > $@ -delegation-only.zoneopt: cfg_test - $(AM_V_CFG_TEST)$(builddir)/cfg_test --zonegrammar delegation-only > $@ - in-view.zoneopt: cfg_test $(AM_V_CFG_TEST)$(builddir)/cfg_test --zonegrammar in-view > $@ diff --git a/doc/misc/cfg_test.c b/doc/misc/cfg_test.c index 87b9884226..439c9cf1d5 100644 --- a/doc/misc/cfg_test.c +++ b/doc/misc/cfg_test.c @@ -128,8 +128,6 @@ main(int argc, char **argv) { zonetype = CFG_ZONE_FORWARD; } else if (strcmp(argv[1], "redirect") == 0) { zonetype = CFG_ZONE_REDIRECT; - } else if (strcmp(argv[1], "delegation-only") == 0) { - zonetype = CFG_ZONE_DELEGATION; } else if (strcmp(argv[1], "in-view") == 0) { zonetype = CFG_ZONE_INVIEW; } else { diff --git a/doc/misc/delegation-only.zoneopt b/doc/misc/delegation-only.zoneopt deleted file mode 100644 index ab86327cbd..0000000000 --- a/doc/misc/delegation-only.zoneopt +++ /dev/null 
@@ -1,3 +0,0 @@ -zone [ ] { - type delegation-only; -}; diff --git a/doc/misc/forward.zoneopt b/doc/misc/forward.zoneopt index a66d31e542..a0d26b12d8 100644 --- a/doc/misc/forward.zoneopt +++ b/doc/misc/forward.zoneopt @@ -1,6 +1,5 @@ zone [ ] { type forward; - delegation-only ; // deprecated forward ( first | only ); forwarders [ port ] [ tls ] { ( | ) [ port ] [ tls ]; ... }; }; diff --git a/doc/misc/hint.zoneopt b/doc/misc/hint.zoneopt index d14c3efec1..2d2c98de4d 100644 --- a/doc/misc/hint.zoneopt +++ b/doc/misc/hint.zoneopt @@ -1,6 +1,5 @@ zone [ ] { type hint; check-names ( fail | warn | ignore ); - delegation-only ; // deprecated file ; }; diff --git a/doc/misc/options b/doc/misc/options index 714e225214..58298adacb 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -250,7 +250,6 @@ options { response-padding { ; ... } block-size ; response-policy { zone [ add-soa ] [ log ] [ max-policy-ttl ] [ min-update-interval ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only ) ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ] [ ede ]; ... } [ add-soa ] [ break-dnssec ] [ max-policy-ttl ] [ min-update-interval ] [ min-ns-dots ] [ nsip-wait-recurse ] [ nsdname-wait-recurse ] [ qname-wait-recurse ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ] [ dnsrps-enable ] [ dnsrps-options { } ]; reuseport ; - root-delegation-only [ exclude { ; ... } ]; // deprecated root-key-sentinel ; rrset-order { [ class ] [ type ] [ name ] ; ... }; secroots-file ; 
@@ -524,7 +523,6 @@ view [ ] { resolver-retry-interval ; response-padding { ; ... } block-size ; response-policy { zone [ add-soa ] [ log ] [ max-policy-ttl ] [ min-update-interval ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only ) ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ] [ ede ]; ... } [ add-soa ] [ break-dnssec ] [ max-policy-ttl ] [ min-update-interval ] [ min-ns-dots ] [ nsip-wait-recurse ] [ nsdname-wait-recurse ] [ qname-wait-recurse ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ] [ dnsrps-enable ] [ dnsrps-options { } ]; - root-delegation-only [ exclude { ; ... } ]; // deprecated root-key-sentinel ; rrset-order { [ class ] [ type ] [ name ] ; ... }; send-cookie ; diff --git a/doc/misc/stub.zoneopt b/doc/misc/stub.zoneopt index 414fd901b8..c7ee0ed75c 100644 --- a/doc/misc/stub.zoneopt +++ b/doc/misc/stub.zoneopt @@ -4,7 +4,6 @@ zone [ ] { allow-query-on { ; ... }; check-names ( fail | warn | ignore ); database ; - delegation-only ; // deprecated dialup ( notify | notify-passive | passive | refresh | ); file ; forward ( first | only ); diff --git a/lib/dns/include/dns/log.h b/lib/dns/include/dns/log.h index 0b2f8eb508..e2cd959dc8 100644 --- a/lib/dns/include/dns/log.h +++ b/lib/dns/include/dns/log.h 
@@ -27,22 +27,22 @@ extern isc_logmodule_t dns_modules[]; #define DNS_LOGCATEGORY_DATABASE (&dns_categories[1]) #define DNS_LOGCATEGORY_SECURITY (&dns_categories[2]) /* DNS_LOGCATEGORY_CONFIG superseded by CFG_LOGCATEGORY_CONFIG */ -#define DNS_LOGCATEGORY_DNSSEC (&dns_categories[4]) -#define DNS_LOGCATEGORY_RESOLVER (&dns_categories[5]) -#define DNS_LOGCATEGORY_XFER_IN (&dns_categories[6]) -#define DNS_LOGCATEGORY_XFER_OUT (&dns_categories[7]) -#define DNS_LOGCATEGORY_DISPATCH (&dns_categories[8]) -#define DNS_LOGCATEGORY_LAME_SERVERS (&dns_categories[9]) -#define DNS_LOGCATEGORY_DELEGATION_ONLY (&dns_categories[10]) -#define DNS_LOGCATEGORY_EDNS_DISABLED (&dns_categories[11]) -#define DNS_LOGCATEGORY_RPZ (&dns_categories[12]) -#define DNS_LOGCATEGORY_RRL (&dns_categories[13]) -#define DNS_LOGCATEGORY_CNAME (&dns_categories[14]) -#define DNS_LOGCATEGORY_SPILL (&dns_categories[15]) -#define DNS_LOGCATEGORY_DNSTAP (&dns_categories[16]) -#define DNS_LOGCATEGORY_ZONELOAD (&dns_categories[17]) -#define DNS_LOGCATEGORY_NSID (&dns_categories[18]) -#define DNS_LOGCATEGORY_RPZ_PASSTHRU (&dns_categories[19]) +#define DNS_LOGCATEGORY_DNSSEC (&dns_categories[4]) +#define DNS_LOGCATEGORY_RESOLVER (&dns_categories[5]) +#define DNS_LOGCATEGORY_XFER_IN (&dns_categories[6]) +#define DNS_LOGCATEGORY_XFER_OUT (&dns_categories[7]) +#define DNS_LOGCATEGORY_DISPATCH (&dns_categories[8]) +#define DNS_LOGCATEGORY_LAME_SERVERS (&dns_categories[9]) +/* #define DNS_LOGCATEGORY_DELEGATION_ONLY removed */ +#define DNS_LOGCATEGORY_EDNS_DISABLED (&dns_categories[10]) +#define DNS_LOGCATEGORY_RPZ (&dns_categories[11]) +#define DNS_LOGCATEGORY_RRL (&dns_categories[12]) +#define DNS_LOGCATEGORY_CNAME (&dns_categories[13]) +#define DNS_LOGCATEGORY_SPILL (&dns_categories[14]) +#define DNS_LOGCATEGORY_DNSTAP (&dns_categories[15]) +#define DNS_LOGCATEGORY_ZONELOAD (&dns_categories[16]) +#define DNS_LOGCATEGORY_NSID (&dns_categories[17]) +#define DNS_LOGCATEGORY_RPZ_PASSTHRU (&dns_categories[18]) /* 
Backwards compatibility. */ #define DNS_LOGCATEGORY_GENERAL ISC_LOGCATEGORY_GENERAL diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h index 9cbdb935c7..0a697fc8c0 100644 --- a/lib/dns/include/dns/view.h +++ b/lib/dns/include/dns/view.h @@ -162,9 +162,6 @@ struct dns_view { dns_aclenv_t *aclenv; dns_rdatatype_t preferred_glue; bool flush; - dns_namelist_t *delonly; - bool rootdelonly; - dns_namelist_t *rootexclude; bool checknames; uint16_t maxudp; dns_ttl_t staleanswerttl; @@ -922,68 +919,6 @@ dns_view_flushname(dns_view_t *view, const dns_name_t *name); * other returns are failures. */ -void -dns_view_adddelegationonly(dns_view_t *view, const dns_name_t *name); -/*%< - * Add the given name to the delegation only table. - * - * Requires: - *\li 'view' is valid. - *\li 'name' is valid. - * - * Returns: - *\li #ISC_R_SUCCESS - *\li #ISC_R_NOMEMORY - */ - -void -dns_view_excludedelegationonly(dns_view_t *view, const dns_name_t *name); -/*%< - * Add the given name to be excluded from the root-delegation-only. - * - * - * Requires: - *\li 'view' is valid. - *\li 'name' is valid. - * - * Returns: - *\li #ISC_R_SUCCESS - *\li #ISC_R_NOMEMORY - */ - -bool -dns_view_isdelegationonly(dns_view_t *view, const dns_name_t *name); -/*%< - * Check if 'name' is in the delegation only table or if - * rootdelonly is set that name is not being excluded. - * - * Requires: - *\li 'view' is valid. - *\li 'name' is valid. - * - * Returns: - *\li #true if the name is the table. - *\li #false otherwise. - */ - -void -dns_view_setrootdelonly(dns_view_t *view, bool value); -/*%< - * Set the root delegation only flag. - * - * Requires: - *\li 'view' is valid. - */ - -bool -dns_view_getrootdelonly(dns_view_t *view); -/*%< - * Get the root delegation only flag. - * - * Requires: - *\li 'view' is valid. - */ - isc_result_t dns_view_freezezones(dns_view_t *view, bool freeze); /*%< diff --git a/lib/dns/log.c b/lib/dns/log.c index 6900a47374..6f583d763b 100644 --- a/lib/dns/log.c 
+++ b/lib/dns/log.c @@ -22,13 +22,16 @@ * \#define to . */ isc_logcategory_t dns_categories[] = { - { "notify", 0 }, { "database", 0 }, { "security", 0 }, - { "_placeholder", 0 }, { "dnssec", 0 }, { "resolver", 0 }, - { "xfer-in", 0 }, { "xfer-out", 0 }, { "dispatch", 0 }, - { "lame-servers", 0 }, { "delegation-only", 0 }, { "edns-disabled", 0 }, - { "rpz", 0 }, { "rate-limit", 0 }, { "cname", 0 }, - { "spill", 0 }, { "dnstap", 0 }, { "zoneload", 0 }, - { "nsid", 0 }, { "rpz-passthru", 0 }, { NULL, 0 } + { "notify", 0 }, { "database", 0 }, + { "security", 0 }, { "_placeholder", 0 }, + { "dnssec", 0 }, { "resolver", 0 }, + { "xfer-in", 0 }, { "xfer-out", 0 }, + { "dispatch", 0 }, { "lame-servers", 0 }, + { "edns-disabled", 0 }, { "rpz", 0 }, + { "rate-limit", 0 }, { "cname", 0 }, + { "spill", 0 }, { "dnstap", 0 }, + { "zoneload", 0 }, { "nsid", 0 }, + { "rpz-passthru", 0 }, { NULL, 0 } }; /*% diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 2ba79cd864..1299b9f480 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -728,7 +728,6 @@ release_fctx(fetchctx_t *fctx); * - Check the parsed response for an OPT record and handle * EDNS (rctx_opt(), rctx_edns()). * - Check for a bad or lame server (rctx_badserver(), rctx_lameserver()). - * - Handle delegation-only zones (rctx_delonly_zone()). * - If RCODE and ANCOUNT suggest this is a positive answer, and * if so, call rctx_answer(): go to step 2. * - If RCODE and NSCOUNT suggest this is a negative answer or a @@ -928,9 +927,6 @@ rctx_dispfail(respctx_t *rctx); static isc_result_t rctx_timedout(respctx_t *rctx); -static void -rctx_delonly_zone(respctx_t *rctx); - static void rctx_ncache(respctx_t *rctx); 
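Review bot: Dropping the `{ "delegation-only", 0 }` entry from dns_categories[] shifts every later slot down by one, and the DNS_LOGCATEGORY_* macros in lib/dns/include/dns/log.h are renumbered to match (EDNS_DISABLED 11 to 10, through RPZ_PASSTHRU 19 to 18). The two files agree in this commit, but they are coupled by position only. Any module compiled against the old header would presumably file `rpz` or `rate-limit` messages under a neighbouring category until it is rebuilt. Slot 3 already shows the alternative: putting `{ "_placeholder", 0 }` where the removed entry was would leave the existing indices and macros untouched. If renumbering is intended, the release note should say that plugins need a rebuild and that a `category delegation-only` clause in a logging statement no longer names a known category.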
@@ -992,208 +988,6 @@ valcreate(fetchctx_t *fctx, dns_message_t *message, dns_adbaddrinfo_t *addrinfo, return (ISC_R_SUCCESS); } -static bool -rrsig_fromchildzone(fetchctx_t *fctx, dns_rdataset_t *rdataset) { - dns_namereln_t namereln; - dns_rdata_rrsig_t rrsig; - dns_rdata_t rdata = DNS_RDATA_INIT; - int order; - isc_result_t result; - unsigned int labels; - - for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS; - result = dns_rdataset_next(rdataset)) - { - dns_rdataset_current(rdataset, &rdata); - result = dns_rdata_tostruct(&rdata, &rrsig, NULL); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - namereln = dns_name_fullcompare(&rrsig.signer, fctx->domain, - &order, &labels); - if (namereln == dns_namereln_subdomain) { - return (true); - } - dns_rdata_reset(&rdata); - } - return (false); -} - -static bool -fix_mustbedelegationornxdomain(dns_message_t *message, fetchctx_t *fctx) { - dns_name_t *name; - dns_name_t *domain = fctx->domain; - dns_rdataset_t *rdataset; - dns_rdatatype_t type; - isc_result_t result; - bool keep_auth = false; - - if (message->rcode == dns_rcode_nxdomain) { - return (false); - } - - /* - * A DS RRset can appear anywhere in a zone, even for a delegation-only - * zone. So a response to an explicit query for this type should be - * excluded from delegation-only fixup. - * - * SOA, NS, and DNSKEY can only exist at a zone apex, so a positive - * response to a query for these types can never violate the - * delegation-only assumption: if the query name is below a - * zone cut, the response should normally be a referral, which should - * be accepted; if the query name is below a zone cut but the server - * happens to have authority for the zone of the query name, the - * response is a (non-referral) answer. But this does not violate - * delegation-only because the query name must be in a different zone - * due to the "apex-only" nature of these types. 
Note that if the - * remote server happens to have authority for a child zone of a - * delegation-only zone, we may still incorrectly "fix" the response - * with NXDOMAIN for queries for other types. Unfortunately it's - * generally impossible to differentiate this case from violation of - * the delegation-only assumption. Once the resolver learns the - * correct zone cut, possibly via a separate query for an "apex-only" - * type, queries for other types will be resolved correctly. - * - * A query for type ANY will be accepted if it hits an exceptional - * type above in the answer section as it should be from a child - * zone. - * - * Also accept answers with RRSIG records from the child zone. - * Direct queries for RRSIG records should not be answered from - * the parent zone. - */ - - if (message->counts[DNS_SECTION_ANSWER] != 0 && - (fctx->type == dns_rdatatype_ns || fctx->type == dns_rdatatype_ds || - fctx->type == dns_rdatatype_soa || - fctx->type == dns_rdatatype_any || - fctx->type == dns_rdatatype_rrsig || - fctx->type == dns_rdatatype_dnskey)) - { - result = dns_message_firstname(message, DNS_SECTION_ANSWER); - while (result == ISC_R_SUCCESS) { - name = NULL; - dns_message_currentname(message, DNS_SECTION_ANSWER, - &name); - for (rdataset = ISC_LIST_HEAD(name->list); - rdataset != NULL; - rdataset = ISC_LIST_NEXT(rdataset, link)) - { - if (!dns_name_equal(name, fctx->name)) { - continue; - } - type = rdataset->type; - /* - * RRsig from child? - */ - if (type == dns_rdatatype_rrsig && - rrsig_fromchildzone(fctx, rdataset)) - { - return (false); - } - /* - * Direct query for apex records or DS. - */ - if (fctx->type == type && - (type == dns_rdatatype_ds || - type == dns_rdatatype_ns || - type == dns_rdatatype_soa || - type == dns_rdatatype_dnskey)) - { - return (false); - } - /* - * Indirect query for apex records or DS. 
- */ - if (fctx->type == dns_rdatatype_any && - (type == dns_rdatatype_ns || - type == dns_rdatatype_ds || - type == dns_rdatatype_soa || - type == dns_rdatatype_dnskey)) - { - return (false); - } - } - result = dns_message_nextname(message, - DNS_SECTION_ANSWER); - } - } - - /* - * A NODATA response to a DS query? - */ - if (fctx->type == dns_rdatatype_ds && - message->counts[DNS_SECTION_ANSWER] == 0) - { - return (false); - } - - /* Look for referral or indication of answer from child zone? */ - if (message->counts[DNS_SECTION_AUTHORITY] == 0) { - goto munge; - } - - result = dns_message_firstname(message, DNS_SECTION_AUTHORITY); - while (result == ISC_R_SUCCESS) { - name = NULL; - dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name); - for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; - rdataset = ISC_LIST_NEXT(rdataset, link)) - { - type = rdataset->type; - if (type == dns_rdatatype_soa && - dns_name_equal(name, domain)) - { - keep_auth = true; - } - - if (type != dns_rdatatype_ns && - type != dns_rdatatype_soa && - type != dns_rdatatype_rrsig) - { - continue; - } - - if (type == dns_rdatatype_rrsig) { - if (rrsig_fromchildzone(fctx, rdataset)) { - return (false); - } else { - continue; - } - } - - /* NS or SOA records. */ - if (dns_name_equal(name, domain)) { - /* - * If a query for ANY causes a negative - * response, we can be sure that this is - * an empty node. For other type of queries - * we cannot differentiate an empty node - * from a node that just doesn't have that - * type of record. We only accept the former - * case. - */ - if (message->counts[DNS_SECTION_ANSWER] == 0 && - fctx->type == dns_rdatatype_any) - { - return (false); - } - } else if (dns_name_issubdomain(name, domain)) { - /* Referral or answer from child zone. 
*/ - return (false); - } - } - result = dns_message_nextname(message, DNS_SECTION_AUTHORITY); - } - -munge: - message->rcode = dns_rcode_nxdomain; - message->counts[DNS_SECTION_ANSWER] = 0; - if (!keep_auth) { - message->counts[DNS_SECTION_AUTHORITY] = 0; - } - message->counts[DNS_SECTION_ADDITIONAL] = 0; - return (true); -} - static void resquery_destroy(resquery_t *query) { fetchctx_t *fctx = query->fctx; @@ -7799,11 +7593,6 @@ resquery_response(isc_result_t eresult, isc_region_t *region, void *arg) { return; } - /* - * Handle delegation-only zones like NET or COM. - */ - rctx_delonly_zone(&rctx); - /* * Optionally call dns_rdata_checkowner() and * dns_rdata_checknames() to validate the names in the response @@ -9996,40 +9785,6 @@ rctx_lameserver(respctx_t *rctx) { return (ISC_R_COMPLETE); } -/* - * rctx_delonly_zone(): - * Handle delegation-only zones like NET and COM. - */ -static void -rctx_delonly_zone(respctx_t *rctx) { - fetchctx_t *fctx = rctx->fctx; - char namebuf[DNS_NAME_FORMATSIZE]; - char domainbuf[DNS_NAME_FORMATSIZE]; - char addrbuf[ISC_SOCKADDR_FORMATSIZE]; - char classbuf[64]; - char typebuf[64]; - - if (ISFORWARDER(rctx->query->addrinfo) || - !dns_view_isdelegationonly(fctx->res->view, fctx->domain) || - dns_name_equal(fctx->domain, fctx->name) || - !fix_mustbedelegationornxdomain(rctx->query->rmessage, fctx)) - { - return; - } - - dns_name_format(fctx->name, namebuf, sizeof(namebuf)); - dns_name_format(fctx->domain, domainbuf, sizeof(domainbuf)); - dns_rdatatype_format(fctx->type, typebuf, sizeof(typebuf)); - dns_rdataclass_format(fctx->res->rdclass, classbuf, sizeof(classbuf)); - isc_sockaddr_format(&rctx->query->addrinfo->sockaddr, addrbuf, - sizeof(addrbuf)); - - isc_log_write(dns_lctx, DNS_LOGCATEGORY_DELEGATION_ONLY, - DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE, - "enforced delegation-only for '%s' (%s/%s/%s) from %s", - domainbuf, namebuf, typebuf, classbuf, addrbuf); -} - /*** *** Resolver Methods ***/ 
diff --git a/lib/dns/view.c b/lib/dns/view.c index 1aeb5a8588..551b1ebd4c 100644 --- a/lib/dns/view.c +++ b/lib/dns/view.c @@ -384,41 +384,6 @@ destroy(dns_view_t *view) { if (view->sfd != NULL) { dns_rbt_destroy(&view->sfd); } - if (view->delonly != NULL) { - dns_name_t *name; - int i; - - for (i = 0; i < DNS_VIEW_DELONLYHASH; i++) { - name = ISC_LIST_HEAD(view->delonly[i]); - while (name != NULL) { - ISC_LIST_UNLINK(view->delonly[i], name, link); - dns_name_free(name, view->mctx); - isc_mem_put(view->mctx, name, sizeof(*name)); - name = ISC_LIST_HEAD(view->delonly[i]); - } - } - isc_mem_put(view->mctx, view->delonly, - sizeof(dns_namelist_t) * DNS_VIEW_DELONLYHASH); - view->delonly = NULL; - } - if (view->rootexclude != NULL) { - dns_name_t *name; - int i; - - for (i = 0; i < DNS_VIEW_DELONLYHASH; i++) { - name = ISC_LIST_HEAD(view->rootexclude[i]); - while (name != NULL) { - ISC_LIST_UNLINK(view->rootexclude[i], name, - link); - dns_name_free(name, view->mctx); - isc_mem_put(view->mctx, name, sizeof(*name)); - name = ISC_LIST_HEAD(view->rootexclude[i]); - } - } - isc_mem_put(view->mctx, view->rootexclude, - sizeof(dns_namelist_t) * DNS_VIEW_DELONLYHASH); - view->rootexclude = NULL; - } if (view->secroots_priv != NULL) { dns_keytable_detach(&view->secroots_priv); } 
@@ -1572,115 +1537,6 @@ dns_view_flushnode(dns_view_t *view, const dns_name_t *name, bool tree) { return (result); } -void -dns_view_adddelegationonly(dns_view_t *view, const dns_name_t *name) { - dns_name_t *item; - unsigned int hash; - - REQUIRE(DNS_VIEW_VALID(view)); - - if (view->delonly == NULL) { - view->delonly = isc_mem_get(view->mctx, - sizeof(dns_namelist_t) * - DNS_VIEW_DELONLYHASH); - for (hash = 0; hash < DNS_VIEW_DELONLYHASH; hash++) { - ISC_LIST_INIT(view->delonly[hash]); - } - } - hash = dns_name_hash(name, false) % DNS_VIEW_DELONLYHASH; - item = ISC_LIST_HEAD(view->delonly[hash]); - while (item != NULL && !dns_name_equal(item, name)) { - item = ISC_LIST_NEXT(item, link); - } - if (item != NULL) { - return; - } - item = isc_mem_get(view->mctx, sizeof(*item)); - dns_name_init(item, NULL); - dns_name_dup(name, view->mctx, item); - ISC_LIST_APPEND(view->delonly[hash], item, link); -} - -void -dns_view_excludedelegationonly(dns_view_t *view, const dns_name_t *name) { - dns_name_t *item; - unsigned int hash; - - REQUIRE(DNS_VIEW_VALID(view)); - - if (view->rootexclude == NULL) { - view->rootexclude = isc_mem_get(view->mctx, - sizeof(dns_namelist_t) * - DNS_VIEW_DELONLYHASH); - for (hash = 0; hash < DNS_VIEW_DELONLYHASH; hash++) { - ISC_LIST_INIT(view->rootexclude[hash]); - } - } - hash = dns_name_hash(name, false) % DNS_VIEW_DELONLYHASH; - item = ISC_LIST_HEAD(view->rootexclude[hash]); - while (item != NULL && !dns_name_equal(item, name)) { - item = ISC_LIST_NEXT(item, link); - } - if (item != NULL) { - return; - } - item = isc_mem_get(view->mctx, sizeof(*item)); - dns_name_init(item, NULL); - dns_name_dup(name, view->mctx, item); - ISC_LIST_APPEND(view->rootexclude[hash], item, link); -} - -bool -dns_view_isdelegationonly(dns_view_t *view, const dns_name_t *name) { - dns_name_t *item; - unsigned int hash; - - REQUIRE(DNS_VIEW_VALID(view)); - - if (!view->rootdelonly && view->delonly == NULL) { - return (false); - } - - hash = dns_name_hash(name, false) 
% DNS_VIEW_DELONLYHASH; - if (view->rootdelonly && dns_name_countlabels(name) <= 2) { - if (view->rootexclude == NULL) { - return (true); - } - item = ISC_LIST_HEAD(view->rootexclude[hash]); - while (item != NULL && !dns_name_equal(item, name)) { - item = ISC_LIST_NEXT(item, link); - } - if (item == NULL) { - return (true); - } - } - - if (view->delonly == NULL) { - return (false); - } - - item = ISC_LIST_HEAD(view->delonly[hash]); - while (item != NULL && !dns_name_equal(item, name)) { - item = ISC_LIST_NEXT(item, link); - } - if (item == NULL) { - return (false); - } - return (true); -} - -void -dns_view_setrootdelonly(dns_view_t *view, bool value) { - REQUIRE(DNS_VIEW_VALID(view)); - view->rootdelonly = value; -} - -bool -dns_view_getrootdelonly(dns_view_t *view) { - REQUIRE(DNS_VIEW_VALID(view)); - return (view->rootdelonly); -} - isc_result_t dns_view_freezezones(dns_view_t *view, bool value) { REQUIRE(DNS_VIEW_VALID(view)); diff --git a/lib/isccfg/check.c b/lib/isccfg/check.c index 0469eaf969..4dc7172e26 100644 --- a/lib/isccfg/check.c +++ b/lib/isccfg/check.c @@ -1468,28 +1468,6 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config, } } - obj = NULL; - (void)cfg_map_get(options, "root-delegation-only", &obj); - if (obj != NULL) { - if (!cfg_obj_isvoid(obj)) { - for (element = cfg_list_first(obj); element != NULL; - element = cfg_list_next(element)) - { - const cfg_obj_t *exclude; - - exclude = cfg_listelt_value(element); - str = cfg_obj_asstring(exclude); - tresult = check_name(str); - if (tresult != ISC_R_SUCCESS) { - cfg_obj_log(obj, logctx, ISC_LOG_ERROR, - "bad domain name '%s'", - str); - result = tresult; - } - } - } - } - /* * Set supported DNSSEC algorithms. */ 
@@ -2886,8 +2864,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, const cfg_obj_t *config, isc_symtab_t *symtab, isc_symtab_t *files, isc_symtab_t *keydirs, isc_symtab_t *inview, const char *viewname, dns_rdataclass_t defclass, - bool nodeprecate, cfg_aclconfctx_t *actx, isc_log_t *logctx, - isc_mem_t *mctx) { + cfg_aclconfctx_t *actx, isc_log_t *logctx, isc_mem_t *mctx) { const char *znamestr; const char *typestr = NULL; const char *target = NULL; @@ -2971,13 +2948,6 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, ztype = CFG_ZONE_FORWARD; } else if (strcasecmp(typestr, "hint") == 0) { ztype = CFG_ZONE_HINT; - } else if (strcasecmp(typestr, "delegation-only") == 0) { - ztype = CFG_ZONE_DELEGATION; - if (!nodeprecate) { - cfg_obj_log(obj, logctx, ISC_LOG_WARNING, - "'type delegation-only' is " - "deprecated"); - } } else if (strcasecmp(typestr, "redirect") == 0) { ztype = CFG_ZONE_REDIRECT; } else { @@ -5236,8 +5206,7 @@ static isc_result_t check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, const char *viewname, dns_rdataclass_t vclass, isc_symtab_t *files, isc_symtab_t *keydirs, bool check_plugins, - bool nodeprecate, isc_symtab_t *inview, isc_log_t *logctx, - isc_mem_t *mctx) { + isc_symtab_t *inview, isc_log_t *logctx, isc_mem_t *mctx) { const cfg_obj_t *zones = NULL; const cfg_obj_t *view_tkeys = NULL, *global_tkeys = NULL; const cfg_obj_t *view_mkeys = NULL, *global_mkeys = NULL; @@ -5295,7 +5264,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, tresult = check_zoneconf(zone, voptions, config, symtab, files, keydirs, inview, viewname, vclass, - nodeprecate, actx, logctx, mctx); + actx, logctx, mctx); if (tresult != ISC_R_SUCCESS) { result = ISC_R_FAILURE; } 
@@ -5908,7 +5877,7 @@ check_controls(const cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) { isc_result_t isccfg_check_namedconf(const cfg_obj_t *config, bool check_plugins, - bool nodeprecate, isc_log_t *logctx, isc_mem_t *mctx) { + isc_log_t *logctx, isc_mem_t *mctx) { const cfg_obj_t *options = NULL; const cfg_obj_t *views = NULL; const cfg_obj_t *acls = NULL; @@ -5997,8 +5966,8 @@ isccfg_check_namedconf(const cfg_obj_t *config, bool check_plugins, if (views == NULL) { tresult = check_viewconf(config, NULL, NULL, dns_rdataclass_in, - files, keydirs, check_plugins, - nodeprecate, inview, logctx, mctx); + files, keydirs, check_plugins, inview, + logctx, mctx); if (result == ISC_R_SUCCESS && tresult != ISC_R_SUCCESS) { result = ISC_R_FAILURE; } @@ -6090,8 +6059,7 @@ isccfg_check_namedconf(const cfg_obj_t *config, bool check_plugins, if (tresult == ISC_R_SUCCESS) { tresult = check_viewconf(config, voptions, key, vclass, files, keydirs, check_plugins, - nodeprecate, inview, logctx, - mctx); + inview, logctx, mctx); } if (tresult != ISC_R_SUCCESS) { result = ISC_R_FAILURE; diff --git a/lib/isccfg/include/isccfg/check.h b/lib/isccfg/include/isccfg/check.h index c1cccfef3b..b96e9f50e5 100644 --- a/lib/isccfg/include/isccfg/check.h +++ b/lib/isccfg/include/isccfg/check.h @@ -36,7 +36,7 @@ ISC_LANG_BEGINDECLS isc_result_t isccfg_check_namedconf(const cfg_obj_t *config, bool check_plugins, - bool nodeprecate, isc_log_t *logctx, isc_mem_t *mctx); + isc_log_t *logctx, isc_mem_t *mctx); /*%< * Check the syntactic validity of a configuration parse tree generated from * a named.conf file. @@ -44,8 +44,6 @@ isccfg_check_namedconf(const cfg_obj_t *config, bool check_plugins, * If 'check_plugins' is true, load plugins and check the validity of their * parameters as well. * - * If 'nodeprecate' is true, do not warn about deprecated configuration. - * * Requires: *\li config is a valid parse tree * 
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index d1c1b4208c..a6accd8ffd 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -826,11 +826,10 @@ static cfg_type_t cfg_type_forwardtype = { cfg_doc_enum, &cfg_rep_string, &forwardtype_enums }; -static const char *zonetype_enums[] = { - "primary", "master", "secondary", "slave", - "mirror", "delegation-only", "forward", "hint", - "redirect", "static-stub", "stub", NULL -}; +static const char *zonetype_enums[] = { "primary", "master", "secondary", + "slave", "mirror", "forward", + "hint", "redirect", "static-stub", + "stub", NULL }; static cfg_type_t cfg_type_zonetype = { "zonetype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string, &zonetype_enums }; @@ -2127,7 +2126,7 @@ static cfg_clausedef_t view_clauses[] = { { "response-policy", &cfg_type_rpz, 0 }, { "rfc2308-type1", NULL, CFG_CLAUSEFLAG_ANCIENT }, { "root-delegation-only", &cfg_type_optional_exclude, - CFG_CLAUSEFLAG_DEPRECATED }, + CFG_CLAUSEFLAG_ANCIENT }, { "root-key-sentinel", &cfg_type_boolean, 0 }, { "rrset-order", &cfg_type_rrsetorder, 0 }, { "send-cookie", &cfg_type_boolean, 0 }, @@ -2376,7 +2375,7 @@ static cfg_clausedef_t zone_only_clauses[] = { CFG_ZONE_STUB }, { "delegation-only", &cfg_type_boolean, CFG_ZONE_HINT | CFG_ZONE_STUB | CFG_ZONE_FORWARD | - CFG_CLAUSEFLAG_DEPRECATED }, + CFG_CLAUSEFLAG_ANCIENT }, { "dlz", &cfg_type_astring, CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_REDIRECT }, { "file", &cfg_type_qstring, @@ -3878,10 +3877,6 @@ cfg_print_zonegrammar(const unsigned int zonetype, unsigned int flags, cfg_print_indent(&pctx); cfg_print_cstr(&pctx, "type redirect;\n"); break; - case CFG_ZONE_DELEGATION: - cfg_print_indent(&pctx); - cfg_print_cstr(&pctx, "type delegation-only;\n"); - break; case CFG_ZONE_INVIEW: /* no zone type is specified for these */ break;
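Review bot: The two clauses switched to `CFG_CLAUSEFLAG_ANCIENT` (`root-delegation-only` in `view_clauses` here, and `delegation-only` in `zone_only_clauses` in the next hunk) keep their value types, while the neighbouring ancient entry `rfc2308-type1` uses `NULL`. For consistency I would write `{ "root-delegation-only", NULL, CFG_CLAUSEFLAG_ANCIENT },` and do the same for the zone clause, provided the parser does not consult the type for ancient clauses (not visible in these hunks); that also avoids keeping `cfg_type_optional_exclude` referenced only by a dead option, if nothing else uses it. A short comment on both entries should also record the operational effect: as I understand the flag, ancient clauses are rejected rather than warned about, and `type delegation-only` is no longer in `zonetype_enums`, so a resolver whose named.conf still carries any of these will fail its configuration check after upgrade rather than silently lose the filtering.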