Deprecate 'dnssec-must-be-secure' option

The dnssec-must-be-secure feature was added in the early days of BIND 9 and DNSSEC and it makes sense only as a debugging feature. Remove the feature to simplify the code. (cherry picked from commit 9e0b348a2b)
2026-06-10 10:19:59 -04:00 · 2023-09-04 13:08:48 +02:00 · 2023-09-04 13:08:48 +02:00 · c9d6f0e400
commit c9d6f0e400
parent 8f99ee3e13
5 changed files with 11 additions and 6 deletions
--- a/bin/tests/system/checkconf/deprecated.conf
+++ b/bin/tests/system/checkconf/deprecated.conf
@ -18,8 +18,10 @@ server 1.2.3.4 {
 options {
 	dnssec-validation yes;

-        dialup yes;
-        heartbeat-interval 60;
+	dialup yes;
+	heartbeat-interval 60;
+
+	dnssec-must-be-secure mustbesecure.example yes;

 	use-v4-udp-ports { range 1024 65535; };
 	use-v6-udp-ports { range 1024 65535; };
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@ -175,6 +175,7 @@ grep "option 'root-delegation-only' is deprecated" < checkconf.out$n.1 > /dev/nu
 grep "'type delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
 grep "option 'dialup' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
 grep "option 'heartbeat-interval' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
+grep "option 'dnssec-must-be-secure' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
 grep "token 'port' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@ -1722,9 +1722,11 @@ default is used.
   :any:`disable-ds-digests` are treated as insecure.

 .. namedconf:statement:: dnssec-must-be-secure
-   :tags: dnssec
+   :tags: deprecated
   :short: Defines hierarchies that must or may not be secure (signed and validated).

+   This option is deprecated and will be removed in a future release.
+
   This specifies hierarchies which must be or may not be secure (signed and
   validated). If ``yes``, then :iscman:`named` only accepts answers if
   they are secure. If ``no``, then normal DNSSEC validation applies,
--- a/doc/misc/options
+++ b/doc/misc/options
@ -119,7 +119,7 @@ options {
 	dnssec-accept-expired <boolean>;
 	dnssec-dnskey-kskonly <boolean>;
 	dnssec-loadkeys-interval <integer>;
-	dnssec-must-be-secure <string> <boolean>; // may occur multiple times
+	dnssec-must-be-secure <string> <boolean>; // may occur multiple times, deprecated
 	dnssec-policy <string>;
 	dnssec-secure-to-insecure <boolean>;
 	dnssec-update-mode ( maintain | no-resign );
@ -428,7 +428,7 @@ view <string> [ <class> ] {
 	dnssec-accept-expired <boolean>;
 	dnssec-dnskey-kskonly <boolean>;
 	dnssec-loadkeys-interval <integer>;
-	dnssec-must-be-secure <string> <boolean>; // may occur multiple times
+	dnssec-must-be-secure <string> <boolean>; // may occur multiple times, deprecated
 	dnssec-policy <string>;
 	dnssec-secure-to-insecure <boolean>;
 	dnssec-update-mode ( maintain | no-resign );
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@ -2068,7 +2068,7 @@ static cfg_clausedef_t view_clauses[] = {
 	{ "dnssec-lookaside", NULL,
 	  CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_ANCIENT },
 	{ "dnssec-must-be-secure", &cfg_type_mustbesecure,
-	  CFG_CLAUSEFLAG_MULTI },
+	  CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_DEPRECATED },
 	{ "dnssec-validation", &cfg_type_boolorauto, 0 },
 #ifdef HAVE_DNSTAP
 	{ "dnstap", &cfg_type_dnstap, 0 },