Merge branch '3953-deprecate-delegation-only-v9_18' into 'bind-9.18'

[9.18] Merge branch '3953-deprecate-delegation-only' into 'main'

See merge request isc-projects/bind9!7718

CHANGES

@@ -1,3 +1,7 @@
+6126.	[cleanup]	Deprecate zone type "delegation-only" and the
+			"delegation-only" and "root-delegation-only"
+			options. [GL #3953]
+
 6125.	[bug]		Hold a catz reference while the update process is
 			running, so that the catalog zone is not destroyed
 			during shutdown until the update process is finished or

bin/check/named-checkconf.c

@@ -726,7 +726,8 @@ main(int argc, char **argv) {
 		exit(1);
 	}
 
-	result = bind9_check_namedconf(config, loadplugins, logc, mctx);
+	result = bind9_check_namedconf(config, loadplugins, nodeprecate, logc,
+				       mctx);
 	if (result != ISC_R_SUCCESS) {
 		exit_status = 1;
 	}

bin/named/server.c

@@ -8552,7 +8552,8 @@ load_configuration(const char *filename, named_server_t *server,
 	 * checked later when the modules are actually loaded and
 	 * registered.)
 	 */
-	CHECK(bind9_check_namedconf(config, false, named_g_lctx, named_g_mctx));
+	CHECK(bind9_check_namedconf(config, false, false, named_g_lctx,
+				    named_g_mctx));
 
 	/* Let's recreate the TLS context cache */
 	if (server->tlsctx_server_cache != NULL) {

bin/tests/system/checkconf/deprecated.conf

@@ -22,6 +22,8 @@ options {
 	use-v6-udp-ports { range 1024 65535; };
 	avoid-v4-udp-ports { range 1 1023; };
 	avoid-v6-udp-ports { range 1 1023; };
+
+	root-delegation-only exclude { "them"; };
 };
 
 trusted-keys {
@@ -45,3 +47,13 @@ managed-keys {
 		RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
 		R1AkUTV74bU=";
 };
+
+zone "." {
+	type hint;
+	file "shared.example.db";
+	delegation-only yes;
+};
+
+zone com {
+	type delegation-only;
+};

bin/tests/system/checkconf/tests.sh

@@ -168,6 +168,9 @@ grep "option 'use-v4-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null |
 grep "option 'use-v6-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
 grep "option 'avoid-v4-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
 grep "option 'avoid-v6-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
+grep "option 'delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
+grep "option 'root-delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
+grep "'type delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
 grep "token 'port' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`

doc/arm/reference.rst

@@ -1624,7 +1624,7 @@ default is used.
    IPv4 and AAAA when responding to queries that arrived via IPv6.
 
 .. namedconf:statement:: root-delegation-only
-   :tags: query
+   :tags: deprecated
    :short: Turns on enforcement of delegation-only in top-level domains (TLDs) and root zones with an optional exclude list.
 
    This turns on enforcement of delegation-only in top-level domains (TLDs)
@@ -1660,6 +1660,9 @@ default is used.
           root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
       };
 
+   This option is deprecated, and will be rendered non-operational in a
+   future release.
+
 .. namedconf:statement:: disable-algorithms
    :tags: dnssec
    :short: Disables DNSSEC algorithms from a specified zone.
@@ -6953,19 +6956,22 @@ Zone Types
    zones are reloaded along with other zones.
 
 .. namedconf:statement:: type delegation-only
-   :tags: query
+   :tags: deprecated
    :short: Enforces the delegation-only status of infrastructure zones (COM, NET, ORG, etc.).
 
-   This zone type is used to enforce the delegation-only status of infrastructure
-   zones (e.g., COM, NET, ORG). Any answer that is received without an
-   explicit or implicit delegation in the authority section is treated
-   as NXDOMAIN. This does not apply to the zone apex, and should not be
-   applied to leaf zones.
+   This zone type is used to enforce the delegation-only status of
+   infrastructure zones (e.g., COM, NET, ORG). Any answer that is received
+   without an explicit or implicit delegation in the authority section is
+   treated as NXDOMAIN. This does not apply to the zone apex, and should
+   not be applied to leaf zones.
 
    :any:`delegation-only` has no effect on answers received from forwarders.
 
    See caveats in :any:`root-delegation-only`.
 
+   This zone type is deprecated, and will be rendered non-operational in a
+   future release.
+
 .. namedconf:statement:: in-view
    :tags: view, zone
    :short: Specifies the view in which a given zone is defined.
@@ -7094,7 +7100,7 @@ Zone Options
    See the description of :any:`dialup` in :ref:`boolean_options`.
 
 .. namedconf:statement:: delegation-only
-   :tags: zone
+   :tags: deprecated
    :short: Indicates that a forward, hint, or stub zone is to be treated as a delegation-only type zone.
 
    This flag only applies to forward, hint, and stub zones. If set to
@@ -7103,6 +7109,9 @@ Zone Options
 
    See caveats in :any:`root-delegation-only`.
 
+   This option is deprecated, and will be rendered non-operational in a
+   future release.
+
 .. namedconf:statement:: file
    :tags: zone
    :short: Specifies the zone's filename.

doc/misc/forward.zoneopt

@@ -1,6 +1,6 @@
 zone <string> [ <class> ] {
 	type forward;
-	delegation-only <boolean>;
+	delegation-only <boolean>; // deprecated
 	forward ( first | only );
 	forwarders [ port <integer> ]  { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... };
 };

doc/misc/hint.zoneopt

@@ -1,6 +1,6 @@
 zone <string> [ <class> ] {
 	type hint;
 	check-names ( fail | warn | ignore );
-	delegation-only <boolean>;
+	delegation-only <boolean>; // deprecated
 	file <quoted_string>;
 };

doc/misc/options

@@ -258,7 +258,7 @@ options {
 	response-padding { <address_match_element>; ... } block-size <integer>;
 	response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
 	reuseport <boolean>;
-	root-delegation-only [ exclude { <string>; ... } ];
+	root-delegation-only [ exclude { <string>; ... } ]; // deprecated
 	root-key-sentinel <boolean>;
 	rrset-order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... };
 	secroots-file <quoted_string>;
@@ -537,7 +537,7 @@ view <string> [ <class> ] {
 	resolver-retry-interval <integer>;
 	response-padding { <address_match_element>; ... } block-size <integer>;
 	response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
-	root-delegation-only [ exclude { <string>; ... } ];
+	root-delegation-only [ exclude { <string>; ... } ]; // deprecated
 	root-key-sentinel <boolean>;
 	rrset-order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... };
 	send-cookie <boolean>;

doc/misc/stub.zoneopt

@@ -4,7 +4,7 @@ zone <string> [ <class> ] {
 	allow-query-on { <address_match_element>; ... };
 	check-names ( fail | warn | ignore );
 	database <string>;
-	delegation-only <boolean>;
+	delegation-only <boolean>; // deprecated
 	dialup ( notify | notify-passive | passive | refresh | <boolean> );
 	file <quoted_string>;
 	forward ( first | only );

doc/notes/notes-current.rst

@@ -27,6 +27,16 @@ Removed Features
 
 - None.
 
+- Zone type ``delegation-only``, and the ``delegation-only`` and
+  ``root-delegation-only`` options, have been deprecated; a warning will
+  be logged when they are used.
+
+  These options were created to address the SiteFinder controversy, in
+  which certain top-level domains redirected misspelled queries to other
+  sites instead of returning NXDOMAIN responses. Since top-level domains are
+  now DNSSEC signed, and DNSSEC validation is active by default, the
+  options are no longer needed. :gl:`#3953`
+
 Feature Changes
 ~~~~~~~~~~~~~~~
 

lib/bind9/check.c

@@ -2828,7 +2828,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	       const cfg_obj_t *config, isc_symtab_t *symtab,
 	       isc_symtab_t *files, isc_symtab_t *keydirs, isc_symtab_t *inview,
 	       const char *viewname, dns_rdataclass_t defclass,
-	       cfg_aclconfctx_t *actx, isc_log_t *logctx, isc_mem_t *mctx) {
+	       bool nodeprecate, cfg_aclconfctx_t *actx, isc_log_t *logctx,
+	       isc_mem_t *mctx) {
 	const char *znamestr;
 	const char *typestr = NULL;
 	const char *target = NULL;
@@ -2914,6 +2915,11 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 			ztype = CFG_ZONE_HINT;
 		} else if (strcasecmp(typestr, "delegation-only") == 0) {
 			ztype = CFG_ZONE_DELEGATION;
+			if (!nodeprecate) {
+				cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+					    "'type delegation-only' is "
+					    "deprecated");
+			}
 		} else if (strcasecmp(typestr, "redirect") == 0) {
 			ztype = CFG_ZONE_REDIRECT;
 		} else {
@@ -5136,7 +5142,8 @@ static isc_result_t
 check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	       const char *viewname, dns_rdataclass_t vclass,
 	       isc_symtab_t *files, isc_symtab_t *keydirs, bool check_plugins,
-	       isc_symtab_t *inview, isc_log_t *logctx, isc_mem_t *mctx) {
+	       bool nodeprecate, isc_symtab_t *inview, isc_log_t *logctx,
+	       isc_mem_t *mctx) {
 	const cfg_obj_t *zones = NULL;
 	const cfg_obj_t *view_tkeys = NULL, *global_tkeys = NULL;
 	const cfg_obj_t *view_mkeys = NULL, *global_mkeys = NULL;
@@ -5194,7 +5201,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 
 		tresult = check_zoneconf(zone, voptions, config, symtab, files,
 					 keydirs, inview, viewname, vclass,
-					 actx, logctx, mctx);
+					 nodeprecate, actx, logctx, mctx);
 		if (tresult != ISC_R_SUCCESS) {
 			result = ISC_R_FAILURE;
 		}
@@ -5797,7 +5804,7 @@ bind9_check_controls(const cfg_obj_t *config, isc_log_t *logctx,
 
 isc_result_t
 bind9_check_namedconf(const cfg_obj_t *config, bool check_plugins,
-		      isc_log_t *logctx, isc_mem_t *mctx) {
+		      bool nodeprecate, isc_log_t *logctx, isc_mem_t *mctx) {
 	const cfg_obj_t *options = NULL;
 	const cfg_obj_t *views = NULL;
 	const cfg_obj_t *acls = NULL;
@@ -5889,8 +5896,8 @@ bind9_check_namedconf(const cfg_obj_t *config, bool check_plugins,
 
 	if (views == NULL) {
 		tresult = check_viewconf(config, NULL, NULL, dns_rdataclass_in,
-					 files, keydirs, check_plugins, inview,
-					 logctx, mctx);
+					 files, keydirs, check_plugins,
+					 nodeprecate, inview, logctx, mctx);
 		if (result == ISC_R_SUCCESS && tresult != ISC_R_SUCCESS) {
 			result = ISC_R_FAILURE;
 		}
@@ -5982,7 +5989,8 @@ bind9_check_namedconf(const cfg_obj_t *config, bool check_plugins,
 		if (tresult == ISC_R_SUCCESS) {
 			tresult = check_viewconf(config, voptions, key, vclass,
 						 files, keydirs, check_plugins,
-						 inview, logctx, mctx);
+						 nodeprecate, inview, logctx,
+						 mctx);
 		}
 		if (tresult != ISC_R_SUCCESS) {
 			result = ISC_R_FAILURE;

lib/bind9/include/bind9/check.h

@@ -36,7 +36,7 @@ ISC_LANG_BEGINDECLS
 
 isc_result_t
 bind9_check_namedconf(const cfg_obj_t *config, bool check_plugins,
-		      isc_log_t *logctx, isc_mem_t *mctx);
+		      bool nodeprecate, isc_log_t *logctx, isc_mem_t *mctx);
 /*%<
  * Check the syntactic validity of a configuration parse tree generated from
  * a named.conf file.
@@ -44,6 +44,8 @@ bind9_check_namedconf(const cfg_obj_t *config, bool check_plugins,
  * If 'check_plugins' is true, load plugins and check the validity of their
  * parameters as well.
  *
+ * If 'nodeprecate' is true, do not warn about deprecated configuration.
+ *
  * Requires:
  *\li	config is a valid parse tree
  *

lib/isccfg/namedconf.c

@@ -2143,7 +2143,8 @@ static cfg_clausedef_t view_clauses[] = {
 	{ "response-padding", &cfg_type_resppadding, 0 },
 	{ "response-policy", &cfg_type_rpz, 0 },
 	{ "rfc2308-type1", NULL, CFG_CLAUSEFLAG_ANCIENT },
-	{ "root-delegation-only", &cfg_type_optional_exclude, 0 },
+	{ "root-delegation-only", &cfg_type_optional_exclude,
+	  CFG_CLAUSEFLAG_DEPRECATED },
 	{ "root-key-sentinel", &cfg_type_boolean, 0 },
 	{ "rrset-order", &cfg_type_rrsetorder, 0 },
 	{ "send-cookie", &cfg_type_boolean, 0 },
@@ -2388,7 +2389,8 @@ static cfg_clausedef_t zone_only_clauses[] = {
 	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR |
 		  CFG_ZONE_STUB },
 	{ "delegation-only", &cfg_type_boolean,
-	  CFG_ZONE_HINT | CFG_ZONE_STUB | CFG_ZONE_FORWARD },
+	  CFG_ZONE_HINT | CFG_ZONE_STUB | CFG_ZONE_FORWARD |
+		  CFG_CLAUSEFLAG_DEPRECATED },
 	{ "dlz", &cfg_type_astring,
 	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_REDIRECT },
 	{ "file", &cfg_type_qstring,