From c8f43b9160c9255b76d84170d44b13895496395b Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Wed, 1 Nov 2023 17:09:16 +0100
Subject: [PATCH] remove some long-deprecated arguments from dig

certain dig options which were deprecated and became nonoperational
several releases ago still had documentation in the dig man page and
warnings printed when they were used: these included +mapped,
+sigchase, +topdown, +unexpected, +trusted-key, and the -i and -n
options. these are now all fatal errors.

another option was described as deprecated in the man page, but
the code to print a warning was never added. it has been added now.
---
 bin/dig/dig.c                  | 36 ++++++++++++----------------------
 bin/dig/dig.rst                | 34 +++++++++++---------------------
 bin/tests/system/idna/tests.sh |  3 +--
 bin/tools/mdig.c               |  3 +--
 4 files changed, 26 insertions(+), 50 deletions(-)

diff --git a/bin/dig/dig.c b/bin/dig/dig.c
index 54d1425ea5..5274a7a9c0 100644
--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
@@ -306,8 +306,7 @@ help(void) {
 	       "                 +[no]tls-keyfile=file (Load client TLS "
 	       "private key from file)\n"
 	       "                 +[no]trace          (Trace delegation down "
-	       "from root "
-	       "[+dnssec])\n"
+	       "from root [implies +dnssec])\n"
 	       "                 +tries=###          (Set number of UDP "
 	       "attempts) [3]\n"
 	       "                 +[no]ttlid          (Control display of ttls "
@@ -1670,6 +1669,8 @@ plus_option(char *option, bool is_batchfile, bool *need_clone,
 		switch (cmd[1]) {
 		case 'e': /* defname */
 			FULLCHECK("defname");
+			fprintf(stderr, ";; +[no]defname option is "
+					"deprecated; use +[no]search\n");
 			if (!lookup->trace) {
 				usesearch = state;
 			}
@@ -2044,12 +2045,11 @@ plus_option(char *option, bool is_batchfile, bool *need_clone,
 			goto invalid_option;
 		}
 		break;
-	case 'm': /* multiline */
+	case 'm':
 		switch (cmd[1]) {
 		case 'a':
 			FULLCHECK("mapped");
-			fprintf(stderr, ";; +mapped option is deprecated");
-			break;
+			fatal("+mapped option no longer supported");
 		case 'u':
 			FULLCHECK("multiline");
 			lookup->multiline = state;
@@ -2303,8 +2303,7 @@ plus_option(char *option, bool is_batchfile, bool *need_clone,
 			break;
 		case 'i': /* sigchase */
 			FULLCHECK("sigchase");
-			fprintf(stderr, ";; +sigchase option is deprecated");
-			break;
+			fatal("+sigchase option no longer supported");
 		case 'p': /* split */
 			FULLCHECK("split");
 			if (value != NULL && !state) {
@@ -2428,8 +2427,7 @@ plus_option(char *option, bool is_batchfile, bool *need_clone,
 			break;
 		case 'o':
 			FULLCHECK("topdown");
-			fprintf(stderr, ";; +topdown option is deprecated");
-			break;
+			fatal("+topdown option no longer supported");
 		case 'r':
 			switch (cmd[2]) {
 			case 'a': /* trace */
@@ -2470,9 +2468,8 @@ plus_option(char *option, bool is_batchfile, bool *need_clone,
 				break;
 			case 'u': /* trusted-key */
 				FULLCHECK("trusted-key");
-				fprintf(stderr, ";; +trusted-key option is "
-						"deprecated");
-				break;
+				fatal("+trusted-key option "
+				      "no longer supported");
 			default:
 				goto invalid_option;
 			}
@@ -2509,9 +2506,8 @@ plus_option(char *option, bool is_batchfile, bool *need_clone,
 			switch (cmd[2]) {
 			case 'e':
 				FULLCHECK("unexpected");
-				fprintf(stderr, ";; +unexpected option "
-						"is deprecated");
-				break;
+				fatal("+unexpected option "
+				      "no longer supported");
 			case 'k':
 				FULLCHECK("unknownformat");
 				lookup->print_unknown_format = state;
@@ -2519,11 +2515,7 @@ plus_option(char *option, bool is_batchfile, bool *need_clone,
 			default:
 				goto invalid_option;
 			}
-			break;
-		default:
-			goto invalid_option;
 		}
-
 		break;
 	case 'v':
 		FULLCHECK("vc");
@@ -2629,14 +2621,12 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 			exit(0);
 			break;
 		case 'i':
-			/* deprecated */
-			break;
+			fatal("-%c removed", option[0]);
 		case 'm': /* memdebug */
 			/* memdebug is handled in preparse_args() */
 			break;
 		case 'n':
-			/* deprecated */
-			break;
+			fatal("-%c removed", option[0]);
 		case 'r':
 			debug("digrc (late)");
 			digrc = false;
diff --git a/bin/dig/dig.rst b/bin/dig/dig.rst
index 71dce3ec36..83c0ab7acf 100644
--- a/bin/dig/dig.rst
+++ b/bin/dig/dig.rst
@@ -614,11 +614,6 @@ abbreviation is unambiguous; for example, :option:`+cd` is equivalent to
 
    This option performs [or does not perform] a search showing intermediate results.
 
-.. option:: +sigchase, +nosigchase
-
-   This feature is now obsolete and has been removed; use :iscman:`delv`
-   instead.
-
 .. option:: +split=W
 
    This option splits long hex- or base64-formatted fields in resource records into
@@ -688,25 +683,23 @@ abbreviation is unambiguous; for example, :option:`+cd` is equivalent to
    server TLS certificate verification. Otherwise, the DNS server name
    is used. This option has no effect if :option:`+tls-ca` is not specified.
 
-.. option:: +topdown, +notopdown
-
-   This feature is related to :option:`dig +sigchase`, which is obsolete and
-   has been removed. Use :iscman:`delv` instead.
-
 .. option:: +trace, +notrace
 
-   This option toggles tracing of the delegation path from the root name servers for
-   the name being looked up. Tracing is disabled by default. When
-   tracing is enabled, :program:`dig` makes iterative queries to resolve the
-   name being looked up. It follows referrals from the root servers,
-   showing the answer from each server that was used to resolve the
-   lookup.
+   This option toggles tracing of the delegation path from the root name
+   servers for the name being looked up. Tracing is disabled by default.
+   When tracing is enabled, :program:`dig` makes iterative queries to
+   resolve the name being looked up. It follows referrals from the root
+   servers, showing the answer from each server that was used to resolve
+   the lookup.
 
    If ``@server`` is also specified, it affects only the initial query for
    the root zone name servers.
 
-   :option:`+dnssec` is also set when :option:`+trace` is set, to better emulate the
-   default queries from a name server.
+   :option:`+dnssec` is set when :option:`+trace` is set, to better
+   emulate the default queries from a name server.
+
+   Note that the ``delv +ns`` option can also be used for tracing the
+   resolution of a name from the root (see :iscman:`delv`).
 
 .. option:: +tries=T
 
@@ -714,11 +707,6 @@ abbreviation is unambiguous; for example, :option:`+cd` is equivalent to
    instead of the default, 3. If ``T`` is less than or equal to zero,
    the number of tries is silently rounded up to 1.
 
-.. option:: +trusted-key=####
-
-   This option formerly specified trusted keys for use with :option:`dig +sigchase`. This
-   feature is now obsolete and has been removed; use :iscman:`delv` instead.
-
 .. option:: +ttlid, +nottlid
 
    This option displays [or does not display] the TTL when printing the record.
diff --git a/bin/tests/system/idna/tests.sh b/bin/tests/system/idna/tests.sh
index d83dae76be..4a8dc512b0 100644
--- a/bin/tests/system/idna/tests.sh
+++ b/bin/tests/system/idna/tests.sh
@@ -53,8 +53,7 @@ export LC_ALL
 # 1. http://www.unicode.org/reports/tr46/#Deviations
 # 2. http://www.unicode.org/reports/tr46/#IDNAComparison
 
-# Using dig insecure mode as we are not testing DNSSEC here
-DIGCMD="$DIG -i -p ${PORT} @10.53.0.1"
+DIGCMD="$DIG -p ${PORT} @10.53.0.1"
 
 # Initialize test count and status return
 n=0
diff --git a/bin/tools/mdig.c b/bin/tools/mdig.c
index 094c4e0dcd..1c36679403 100644
--- a/bin/tools/mdig.c
+++ b/bin/tools/mdig.c
@@ -1693,8 +1693,7 @@ dash_option(const char *option, char *next, struct query *query, bool global,
 			exit(0);
 			break;
 		case 'i':
-			/* deprecated */
-			break;
+			fatal("-%c removed", opt);
 		case 'm':
 			/*
 			 * handled by preparse_args()