diff --git a/bin/tests/system/checkconf/deprecated.conf b/bin/tests/system/checkconf/deprecated.conf index bdda4c80c0..15d719d6a4 100644 --- a/bin/tests/system/checkconf/deprecated.conf +++ b/bin/tests/system/checkconf/deprecated.conf @@ -26,6 +26,8 @@ options { use-v6-udp-ports { range 1024 65535; }; avoid-v4-udp-ports { range 1 1023; }; avoid-v6-udp-ports { range 1 1023; }; + + dnssec-must-be-secure mustbesecure.example yes; }; trusted-keys { diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh index 94a1d3a7f3..464879c975 100644 --- a/bin/tests/system/checkconf/tests.sh +++ b/bin/tests/system/checkconf/tests.sh @@ -155,6 +155,7 @@ grep "option 'avoid-v4-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null grep "option 'avoid-v6-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 grep "option 'dialup' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 grep "option 'heartbeat-interval' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 +grep "option 'dnssec-must-be-secure' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 grep "token 'port' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 065f05ccce..1c2c3d4e10 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -1654,9 +1654,11 @@ default is used. :any:`disable-ds-digests` are treated as insecure. .. namedconf:statement:: dnssec-must-be-secure - :tags: dnssec + :tags: deprecated :short: Defines hierarchies that must or may not be secure (signed and validated). + This option is deprecated and will be removed in a future release. + This specifies hierarchies which must be or may not be secure (signed and validated). If ``yes``, then :iscman:`named` only accepts answers if they are secure. If ``no``, then normal DNSSEC validation applies, diff --git a/doc/misc/options b/doc/misc/options index edb8e86290..c01314b789 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -118,7 +118,7 @@ options { dnssec-accept-expired ; dnssec-dnskey-kskonly ; // obsolete dnssec-loadkeys-interval ; - dnssec-must-be-secure ; // may occur multiple times + dnssec-must-be-secure ; // may occur multiple times, deprecated dnssec-policy ; dnssec-secure-to-insecure ; // obsolete dnssec-update-mode ( maintain | no-resign ); // obsolete @@ -416,7 +416,7 @@ view [ ] { dnssec-accept-expired ; dnssec-dnskey-kskonly ; // obsolete dnssec-loadkeys-interval ; - dnssec-must-be-secure ; // may occur multiple times + dnssec-must-be-secure ; // may occur multiple times, deprecated dnssec-policy ; dnssec-secure-to-insecure ; // obsolete dnssec-update-mode ( maintain | no-resign ); // obsolete diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 97ed56c515..afe4f5fabd 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -2056,7 +2056,7 @@ static cfg_clausedef_t view_clauses[] = { { "dnssec-lookaside", NULL, CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_ANCIENT }, { "dnssec-must-be-secure", &cfg_type_mustbesecure, - CFG_CLAUSEFLAG_MULTI }, + CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_DEPRECATED }, { "dnssec-validation", &cfg_type_boolorauto, 0 }, #ifdef HAVE_DNSTAP { "dnstap", &cfg_type_dnstap, 0 },