From c9d6f0e400ea00de60e263aac294dfc848cc4f13 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Mon, 4 Sep 2023 13:08:48 +0200
Subject: [PATCH] Deprecate 'dnssec-must-be-secure' option

The dnssec-must-be-secure feature was added in the early days of BIND 9
and DNSSEC and it makes sense only as a debugging feature.

Remove the feature to simplify the code.

(cherry picked from commit 9e0b348a2b6a12da65d23ddb82fa0154a30f7111)
---
 bin/tests/system/checkconf/deprecated.conf | 6 ++++--
 bin/tests/system/checkconf/tests.sh        | 1 +
 doc/arm/reference.rst                      | 4 +++-
 doc/misc/options                           | 4 ++--
 lib/isccfg/namedconf.c                     | 2 +-
 5 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/bin/tests/system/checkconf/deprecated.conf b/bin/tests/system/checkconf/deprecated.conf
index e332f6e4dd..bd6e0c2f1c 100644
--- a/bin/tests/system/checkconf/deprecated.conf
+++ b/bin/tests/system/checkconf/deprecated.conf
@@ -18,8 +18,10 @@ server 1.2.3.4 {
 options {
 	dnssec-validation yes;
 
-        dialup yes;
-        heartbeat-interval 60;
+	dialup yes;
+	heartbeat-interval 60;
+
+	dnssec-must-be-secure mustbesecure.example yes;
 
 	use-v4-udp-ports { range 1024 65535; };
 	use-v6-udp-ports { range 1024 65535; };
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index b3aca64c09..8d82f92657 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -175,6 +175,7 @@ grep "option 'root-delegation-only' is deprecated" < checkconf.out$n.1 > /dev/nu
 grep "'type delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
 grep "option 'dialup' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
 grep "option 'heartbeat-interval' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
+grep "option 'dnssec-must-be-secure' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
 grep "token 'port' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 0f6758ec69..02f111e513 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -1722,9 +1722,11 @@ default is used.
    :any:`disable-ds-digests` are treated as insecure.
 
 .. namedconf:statement:: dnssec-must-be-secure
-   :tags: dnssec
+   :tags: deprecated
    :short: Defines hierarchies that must or may not be secure (signed and validated).
 
+   This option is deprecated and will be removed in a future release.
+
    This specifies hierarchies which must be or may not be secure (signed and
    validated). If ``yes``, then :iscman:`named` only accepts answers if
    they are secure. If ``no``, then normal DNSSEC validation applies,
diff --git a/doc/misc/options b/doc/misc/options
index 017f1a5c96..e19261f112 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -119,7 +119,7 @@ options {
 	dnssec-accept-expired <boolean>;
 	dnssec-dnskey-kskonly <boolean>;
 	dnssec-loadkeys-interval <integer>;
-	dnssec-must-be-secure <string> <boolean>; // may occur multiple times
+	dnssec-must-be-secure <string> <boolean>; // may occur multiple times, deprecated
 	dnssec-policy <string>;
 	dnssec-secure-to-insecure <boolean>;
 	dnssec-update-mode ( maintain | no-resign );
@@ -428,7 +428,7 @@ view <string> [ <class> ] {
 	dnssec-accept-expired <boolean>;
 	dnssec-dnskey-kskonly <boolean>;
 	dnssec-loadkeys-interval <integer>;
-	dnssec-must-be-secure <string> <boolean>; // may occur multiple times
+	dnssec-must-be-secure <string> <boolean>; // may occur multiple times, deprecated
 	dnssec-policy <string>;
 	dnssec-secure-to-insecure <boolean>;
 	dnssec-update-mode ( maintain | no-resign );
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 918d3c0a94..4e4c098073 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -2068,7 +2068,7 @@ static cfg_clausedef_t view_clauses[] = {
 	{ "dnssec-lookaside", NULL,
 	  CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_ANCIENT },
 	{ "dnssec-must-be-secure", &cfg_type_mustbesecure,
-	  CFG_CLAUSEFLAG_MULTI },
+	  CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_DEPRECATED },
 	{ "dnssec-validation", &cfg_type_boolorauto, 0 },
 #ifdef HAVE_DNSTAP
 	{ "dnstap", &cfg_type_dnstap, 0 },