From b3ff3bf2e416a66560c2d94858791472e6b576e0 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Mon, 11 Mar 2019 18:34:08 -0700
Subject: [PATCH] remove configuration, syntax checking and implementation of dnssec-enable
---
 bin/named/config.c | 1 -
 bin/named/server.c | 18 +++---------------
 lib/bind9/check.c | 36 ------------------------------------
 lib/dns/include/dns/view.h | 1 -
 lib/dns/view.c | 1 -
 lib/ns/query.c | 8 --------
 6 files changed, 3 insertions(+), 62 deletions(-)
diff --git a/bin/named/config.c b/bin/named/config.c
index a1bec1e8ce..f9a8db2f0b 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -143,7 +143,6 @@ options {\n\
 cleaning-interval 0; /* now meaningless */\n\
 clients-per-query 10;\n\
 dnssec-accept-expired no;\n\
- dnssec-enable yes;\n\
 dnssec-validation " VALIDATION_DEFAULT "; \n"
 #ifdef HAVE_DNSTAP
 " dnstap-identity hostname;\n"
diff --git a/bin/named/server.c b/bin/named/server.c
index 807b0379dd..6857416a4d 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -4140,27 +4140,15 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 INSIST(result == ISC_R_SUCCESS);
 view->acceptexpired = cfg_obj_asboolean(obj);
- obj = NULL;
- result = named_config_get(maps, "dnssec-enable", &obj);
- INSIST(result == ISC_R_SUCCESS);
- view->enablednssec = cfg_obj_asboolean(obj);
-
 obj = NULL;
 /* 'optionmaps', not 'maps': don't check named_g_defaults yet */
 (void)named_config_get(optionmaps, "dnssec-validation", &obj);
 if (obj == NULL) {
 /*
- * If dnssec-enable is yes, then we default to
- * VALIDATION_DEFAULT as set in config.c. Otherwise
- * we default to "no".
+ * Default to VALIDATION_DEFAULT as set in config.c.
 */
- if (view->enablednssec) {
- (void)cfg_map_get(named_g_defaults,
- "dnssec-validation", &obj);
- INSIST(obj != NULL);
- } else {
- view->enablevalidation = false;
- }
+ (void)cfg_map_get(named_g_defaults, "dnssec-validation", &obj);
+ INSIST(obj != NULL);
 }
 if (obj != NULL) {
 if (cfg_obj_isboolean(obj)) {
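Review bot: In the bin/named/server.c hunk (configure_view), the `if (obj != NULL) {` guard after the new default lookup can no longer be false, because the block above it now always ends in `INSIST(obj != NULL);` and the old `else` branch that left `obj` NULL has been removed. I would drop the guard, or at least put `/* obj is always set here: configured value or named_g_defaults */` above it; its body continues past the end of the hunk, so the re-indent is outside what is shown. Separately, a configuration that relied on `dnssec-enable no;` without an explicit `dnssec-validation` now falls through to VALIDATION_DEFAULT, and the lib/ns/query.c hunk stops clearing the CD and DO bits for such a view. The diffstat lists no parser or documentation change, so whether that configuration still loads and whether operators are warned about the behaviour change cannot be seen from this patch; a release note and an "obsolete option" warning would cover it.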
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index b9ea978875..813cb7930b 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -3454,8 +3454,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 const cfg_obj_t *options = NULL;
 const cfg_obj_t *opts = NULL;
 const cfg_obj_t *plugin_list = NULL;
- bool enablednssec, enablevalidation;
- const char *valstr = "no";
 unsigned int tflags, mflags;
 /*
@@ -3606,40 +3604,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 isc_symtab_destroy(&symtab);
- /*
- * Check that dnssec-enable/dnssec-validation are sensible.
- */
- obj = NULL;
- if (voptions != NULL)
- (void)cfg_map_get(voptions, "dnssec-enable", &obj);
- if (obj == NULL && options != NULL)
- (void)cfg_map_get(options, "dnssec-enable", &obj);
- if (obj == NULL)
- enablednssec = true;
- else
- enablednssec = cfg_obj_asboolean(obj);
-
- obj = NULL;
- if (voptions != NULL)
- (void)cfg_map_get(voptions, "dnssec-validation", &obj);
- if (obj == NULL && options != NULL)
- (void)cfg_map_get(options, "dnssec-validation", &obj);
- if (obj == NULL) {
- enablevalidation = enablednssec;
- valstr = "yes";
- } else if (cfg_obj_isboolean(obj)) {
- enablevalidation = cfg_obj_asboolean(obj);
- valstr = enablevalidation ? "yes" : "no";
- } else {
- enablevalidation = true;
- valstr = "auto";
- }
-
- if (enablevalidation && !enablednssec)
- cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
- "'dnssec-validation %s;' and 'dnssec-enable no;'",
- valstr);
-
 /*
 * Check trusted-keys and managed-keys.
 */
diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h
index f17e9733d0..69e91fa716 100644
--- a/lib/dns/include/dns/view.h
+++ b/lib/dns/include/dns/view.h
@@ -123,7 +123,6 @@ struct dns_view {
 bool use_glue_cache;
 bool minimal_any;
 dns_minimaltype_t minimalresponses;
- bool enablednssec;
 bool enablevalidation;
 bool acceptexpired;
 bool requireservercookie;
diff --git a/lib/dns/view.c b/lib/dns/view.c
index 5b821d38db..cb89730c77 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -179,7 +179,6 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 view->qminimization = false;
 view->qmin_strict = false;
 view->auth_nxdomain = false; /* Was true in BIND 8 */
- view->enablednssec = true;
 view->enablevalidation = true;
 view->acceptexpired = false;
 view->use_glue_cache = false;
diff --git a/lib/ns/query.c b/lib/ns/query.c
index fda6246645..57d8b17ecd 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -10787,14 +10787,6 @@ ns_query_start(ns_client_t *client) {
 */
 client->next = query_next_callback;
- /*
- * Behave as if we don't support DNSSEC if not enabled.
- */
- if (!client->view->enablednssec) {
- message->flags &= ~DNS_MESSAGEFLAG_CD;
- client->extflags &= ~DNS_MESSAGEEXTFLAG_DO;
- }
-
 if ((message->flags & DNS_MESSAGEFLAG_RD) != 0)
 client->query.attributes |= NS_QUERYATTR_WANTRECURSION;