rem: usr: Deprecate the "tkey-gssapi-credential" statement

The :any:`tkey-gssapi-keytab` statement allows GSS-TSIG to be set up in
a simpler and more reliable way than using the
:any:`tkey-gssapi-credential` statement and setting environment
variables (e.g. ``KRB5_KTNAME``). Therefore, the
:any:`tkey-gssapi-credential` statement has been deprecated;
:any:`tkey-gssapi-keytab` should be used instead.

For configurations currently using a combination of both
:any:`tkey-gssapi-keytab` *and* :any:`tkey-gssapi-credential`, the
latter should be dropped and the keytab pointed to by
:any:`tkey-gssapi-keytab` should now only contain the credential
previously specified by :any:`tkey-gssapi-credential`.

See #4204

Merge branch '4204-deprecate-tkey-gssapi-credential' into 'main'

See merge request isc-projects/bind9!10782
Michał Kępień 2025-09-01 21:33:33 +02:00
commit c47e8edd09
3 changed files with 7 additions and 7 deletions


@ -31,11 +31,10 @@ are permitted for the key ``local-ddns``, which is generated by
:iscman:`named` at startup. See :ref:`dynamic_update_policies` for more details.
Dynamic updates using Kerberos-signed requests can be made using the
TKEY/GSS protocol, either by setting the :any:`tkey-gssapi-keytab` option
or by setting both the :any:`tkey-gssapi-credential` and
:any:`tkey-domain` options. Once enabled, Kerberos-signed requests are
matched against the update policies for the zone, using the Kerberos
principal as the signer for the request.
TKEY/GSS protocol, by setting the :any:`tkey-gssapi-keytab` option.
Once enabled, Kerberos-signed requests are matched against the update
policies for the zone, using the Kerberos principal as the signer for
the request.
Updating of secure zones (zones using DNSSEC) follows :rfc:`3007`: RRSIG,
NSEC, and NSEC3 records affected by updates are automatically regenerated
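Review bot: The rewritten sentence "TKEY/GSS protocol, by setting the :any:`tkey-gssapi-keytab` option." drops every mention of :any:`tkey-gssapi-credential` from this paragraph without saying that the statement is deprecated, and the migration caveat from the commit message is missing here: when both statements were in use, the keytab should now contain only the credential previously named by :any:`tkey-gssapi-credential`. That caveat decides which Kerberos credentials the server ends up holding, so I would add one sentence stating the deprecation and the keytab-content requirement, so that an operator reading the documentation rather than the commit log sees it.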


@ -303,7 +303,7 @@ options {
tcp-receive-buffer <integer>;
tcp-send-buffer <integer>;
tkey-domain <quoted_string>;
tkey-gssapi-credential <quoted_string>;
tkey-gssapi-credential <quoted_string>; // deprecated
tkey-gssapi-keytab <quoted_string>;
tls-port <integer>;
transfer-format ( many-answers | one-answer );
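Review bot: "tkey-domain <quoted_string>;" on the line above the change stays unmarked, while the documentation hunk in this commit removes the sentence that described setting :any:`tkey-domain` together with :any:`tkey-gssapi-credential`. Please confirm whether tkey-domain still has a role when only tkey-gssapi-keytab is configured; if it does, the documentation should say what it is for, and if it does not, it should get the same "// deprecated" marker here.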


@ -1349,7 +1349,8 @@ static cfg_clausedef_t options_clauses[] = {
{ "tcp-send-buffer", &cfg_type_uint32, 0 },
{ "tkey-dhkey", NULL, CFG_CLAUSEFLAG_ANCIENT },
{ "tkey-domain", &cfg_type_qstring, 0 },
{ "tkey-gssapi-credential", &cfg_type_qstring, 0 },
{ "tkey-gssapi-credential", &cfg_type_qstring,
CFG_CLAUSEFLAG_DEPRECATED },
{ "tkey-gssapi-keytab", &cfg_type_qstring, 0 },
{ "transfer-message-size", &cfg_type_uint32, 0 },
{ "transfers-in", &cfg_type_uint32, 0 },
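Review bot: Nothing in the three changed files exercises the new CFG_CLAUSEFLAG_DEPRECATED flag on "tkey-gssapi-credential"; the commit touches only the documentation paragraph, the grammar listing and this clause table. I would add a configuration-check test with a config that sets tkey-gssapi-credential and assert that it is still accepted and is reported as deprecated, so that existing GSS-TSIG setups are shown to keep loading and the later removal becomes a deliberate, tested step.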