From 7c96bf3e7143a42c673c1944b8c89ecd6cc1ebb4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Fri, 1 Mar 2024 08:45:06 +0100 Subject: [PATCH 1/2] Deprecate sortlist option Mark the sortlist option deprecated, so we can remove it in the future. --- bin/tests/system/checkconf/deprecated.conf | 2 ++ bin/tests/system/checkconf/tests.sh | 1 + doc/arm/reference.rst | 4 +++- doc/misc/options | 4 ++-- lib/isccfg/namedconf.c | 2 +- 5 files changed, 9 insertions(+), 4 deletions(-) diff --git a/bin/tests/system/checkconf/deprecated.conf b/bin/tests/system/checkconf/deprecated.conf index 15d719d6a4..71ea50eb6c 100644 --- a/bin/tests/system/checkconf/deprecated.conf +++ b/bin/tests/system/checkconf/deprecated.conf @@ -28,6 +28,8 @@ options { avoid-v6-udp-ports { range 1 1023; }; dnssec-must-be-secure mustbesecure.example yes; + + sortlist { }; }; trusted-keys { diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh index 74361fa9cb..76b2986d8d 100644 --- a/bin/tests/system/checkconf/tests.sh +++ b/bin/tests/system/checkconf/tests.sh @@ -179,6 +179,7 @@ grep "option 'avoid-v6-udp-ports' is deprecated" /dev/null | grep "option 'dialup' is deprecated" /dev/null || ret=1 grep "option 'heartbeat-interval' is deprecated" /dev/null || ret=1 grep "option 'dnssec-must-be-secure' is deprecated" /dev/null || ret=1 +grep "option 'sortlist' is deprecated" /dev/null || ret=1 grep "token 'port' is deprecated" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index e4f1b1cc7a..dc11db525e 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst 
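Review bot: The added `sortlist { };` sits only in the `options` block of deprecated.conf, so the new warning is exercised for the global scope alone, while the doc/misc/options hunks in this same patch list `sortlist` under `view` as well. Because the flag is set once in `view_clauses[]`, the parser most likely warns in both scopes, but a view-level `sortlist { };` in a checkconf test config would pin that down. The tests.sh assertion `grep "option 'sortlist' is deprecated"` matches the message wherever it comes from, so it cannot tell the two placements apart. The `options` block starts and ends outside the hunk.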
@@ -4014,9 +4014,11 @@ client's address. This only requires configuring the name servers, not all the clients. .. namedconf:statement:: sortlist - :tags: query + :tags: query, deprecated :short: Controls the ordering of RRs returned to the client, based on the client's IP address. + This option is deprecated and will be removed in a future release. + The :any:`sortlist` statement (see below) takes an :term:`address_match_list` and interprets it in a special way. Each top-level statement in the :any:`sortlist` must itself be an explicit :term:`address_match_list` with one or two elements. The diff --git a/doc/misc/options b/doc/misc/options index 31efabbc15..1142bb6f18 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -274,7 +274,7 @@ options { sig-signing-signatures ; sig-signing-type ; sig-validity-interval [ ]; // obsolete - sortlist { ; ... }; + sortlist { ; ... }; // deprecated stale-answer-client-timeout ( disabled | off | ); stale-answer-enable ; stale-answer-ttl ; @@ -569,7 +569,7 @@ view [ ] { sig-signing-signatures ; sig-signing-type ; sig-validity-interval [ ]; // obsolete - sortlist { ; ... }; + sortlist { ; ... }; // deprecated stale-answer-client-timeout ( disabled | off | ); stale-answer-enable ; stale-answer-ttl ; diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index d5e09149e3..5c50c586f1 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -2199,7 +2199,7 @@ static cfg_clausedef_t view_clauses[] = { { "rrset-order", &cfg_type_rrsetorder, 0 }, { "send-cookie", &cfg_type_boolean, 0 }, { "servfail-ttl", &cfg_type_duration, 0 }, - { "sortlist", &cfg_type_bracketed_aml, 0 }, + { "sortlist", &cfg_type_bracketed_aml, CFG_CLAUSEFLAG_DEPRECATED }, { "stale-answer-enable", &cfg_type_boolean, 0 }, { "stale-answer-client-timeout", &cfg_type_staleanswerclienttimeout, 0 }, From dfefc89b7ef5bf3313a56e5c2269edfa34130d3e Mon Sep 17 00:00:00 2001 
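Review bot: The `sortlist` entry in `view_clauses[]` gains `CFG_CLAUSEFLAG_DEPRECATED`, but nothing in the table says why or where the removal is tracked. A short trailing comment such as `/* deprecated, removal tracked in GL #4593 */` would let whoever later deletes the clause find the context. The type stays `&cfg_type_bracketed_aml`, so the flag appears to add only a parse-time warning, and existing configurations presumably keep loading and behaving as before until the clause is actually removed. The array definition starts and ends outside the hunk.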
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Fri, 1 Mar 2024 08:49:53 +0100 Subject: [PATCH 2/2] Add CHANGES and release note for [GL #4593] --- CHANGES | 3 +++ doc/notes/notes-current.rst | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/CHANGES b/CHANGES index bd72ded702..2de7d25c5b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +6368. [func] The 'sortlist' option has been marked and documented + as deprecated. [GL #4593] + 6367. [bug] Since the dns_validator_destroy() function doesn't guarantee that it destroys the validator, rename it to dns_validator_shutdown() and require explicit diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index baf7840df2..e9effb3afe 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -32,6 +32,10 @@ Feature Changes - None. +- The ``sortlist`` option has been deprecated and will be removed + in a future BIND 9.21.x release. Please don't rely on a specific + order of resource records in the DNS messages. :gl:`#4593` + Bug Fixes ~~~~~~~~~