Obsolete the "tkey-domain" statement
The "tkey-domain" statement has effectively been a no-op since commit bd4576b3ce, which removed the only bit of code using it: the logic implementing TKEY Mode 2 (Diffie-Hellman). A subsequent cleanup commit, 885c132f4a, also missed the opportunity to remove the "tkey-domain" statement altogether. Mark the "tkey-domain" statement as obsolete and remove all code and documentation related to it. (cherry picked from commit 805f1c0f65)
parent
b239a70cac
commit
cae623fa69
7 changed files with 3 additions and 56 deletions
|
|
@ -123,7 +123,6 @@ options {\n\
|
|||
tcp-listen-queue 10;\n\
|
||||
tcp-receive-buffer 0;\n\
|
||||
tcp-send-buffer 0;\n\
|
||||
# tkey-domain <none>\n\
|
||||
# tkey-gssapi-credential <none>\n\
|
||||
transfer-message-size 20480;\n\
|
||||
transfers-in 10;\n\
|
||||
|
|
|
|||
|
|
@ -58,19 +58,6 @@ named_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
|
|||
return result;
|
||||
}
|
||||
|
||||
obj = NULL;
|
||||
result = cfg_map_get(options, "tkey-domain", &obj);
|
||||
if (result == ISC_R_SUCCESS) {
|
||||
s = cfg_obj_asstring(obj);
|
||||
isc_buffer_constinit(&b, s, strlen(s));
|
||||
isc_buffer_add(&b, strlen(s));
|
||||
name = dns_fixedname_initname(&fname);
|
||||
RETERR(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
|
||||
tctx->domain = isc_mem_get(mctx, sizeof(dns_name_t));
|
||||
dns_name_init(tctx->domain, NULL);
|
||||
dns_name_dup(name, mctx, tctx->domain);
|
||||
}
|
||||
|
||||
obj = NULL;
|
||||
result = cfg_map_get(options, "tkey-gssapi-credential", &obj);
|
||||
if (result == ISC_R_SUCCESS) {
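Review bot: The locals the removed block relied on — `s`, `b`, `fname`, `name` and the `RETERR` failure path — are declared at the top of named_tkeyctx_fromconfig, which starts outside this hunk, so the hunk alone does not show whether they are still referenced. The surviving `tkey-gssapi-credential` block that begins on the hunk's last line presumably reuses the same string-to-name conversion, in which case nothing becomes unused, but that is worth confirming with -Wunused before merging. If any of them was only used for tkey-domain, the declaration should be dropped in the same commit rather than left as a warning.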
|
||||
|
|
|
|||
|
|
@ -1461,24 +1461,7 @@ default is used.
|
|||
principal which the server can acquire through the default system key
|
||||
file, normally ``/etc/krb5.keytab``. The location of the keytab file can be
|
||||
overridden using the :any:`tkey-gssapi-keytab` option. Normally this
|
||||
principal is of the form ``DNS/server.domain``. To use
|
||||
GSS-TSIG, :any:`tkey-domain` must also be set if a specific keytab is
|
||||
not set with :any:`tkey-gssapi-keytab`.
|
||||
|
||||
.. namedconf:statement:: tkey-domain
|
||||
:tags: security
|
||||
:short: Sets the domain appended to the names of all shared keys generated with ``TKEY``.
|
||||
|
||||
This domain is appended to the names of all shared keys generated with
|
||||
``TKEY``. When a client requests a ``TKEY`` exchange, it may or may
|
||||
not specify the desired name for the key. If present, the name of the
|
||||
shared key is ``client-specified part`` + :any:`tkey-domain`.
|
||||
Otherwise, the name of the shared key is ``random hex digits``
|
||||
+ :any:`tkey-domain`. In most cases, the ``domainname``
|
||||
should be the server's domain name, or an otherwise nonexistent
|
||||
subdomain like ``_tkey.domainname``. If using GSS-TSIG,
|
||||
this variable must be defined, unless a specific keytab
|
||||
is indicated using :any:`tkey-gssapi-keytab`.
|
||||
principal is of the form ``DNS/server.domain``.
|
||||
|
||||
.. namedconf:statement:: dump-file
|
||||
:tags: logging
|
||||
|
|
|
|||
|
|
@ -305,7 +305,7 @@ options {
|
|||
tcp-listen-queue <integer>;
|
||||
tcp-receive-buffer <integer>;
|
||||
tcp-send-buffer <integer>;
|
||||
tkey-domain <quoted_string>;
|
||||
tkey-domain <quoted_string>; // obsolete
|
||||
tkey-gssapi-credential <quoted_string>; // deprecated
|
||||
tkey-gssapi-keytab <quoted_string>;
|
||||
tls-port <integer>;
|
||||
|
|
|
|||
|
|
@ -35,7 +35,6 @@ ISC_LANG_BEGINDECLS
|
|||
#define DNS_TKEYMODE_DELETE 5
|
||||
|
||||
struct dns_tkeyctx {
|
||||
dns_name_t *domain;
|
||||
dns_gss_cred_id_t gsscred;
|
||||
isc_mem_t *mctx;
|
||||
char *gssapi_keytab;
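Review bot: `struct dns_tkeyctx` is defined in a public header (inside `ISC_LANG_BEGINDECLS`), so dropping the `domain` member changes the struct's size and field layout; any code that allocates it with `sizeof` or embeds it must be rebuilt against the new header. The allocation and initialisation in `dns_tkeyctx_create` is not part of this diff, so it presumably does not assign the field by name (an explicit `tctx->domain = NULL;` there would no longer compile). A one-line note in the release notes that the context layout changed would help anyone linking against libdns out of tree.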
|
||||
|
|
|
|||
|
|
@ -101,12 +101,6 @@ dns_tkeyctx_destroy(dns_tkeyctx_t **tctxp) {
|
|||
*tctxp = NULL;
|
||||
mctx = tctx->mctx;
|
||||
|
||||
if (tctx->domain != NULL) {
|
||||
if (dns_name_dynamic(tctx->domain)) {
|
||||
dns_name_free(tctx->domain, mctx);
|
||||
}
|
||||
isc_mem_put(mctx, tctx->domain, sizeof(dns_name_t));
|
||||
}
|
||||
if (tctx->gssapi_keytab != NULL) {
|
||||
isc_mem_free(mctx, tctx->gssapi_keytab);
|
||||
}
|
||||
|
|
@ -441,21 +435,6 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
|
|||
ring));
|
||||
break;
|
||||
case DNS_TKEYMODE_GSSAPI:
|
||||
/*
|
||||
* For non-delete operations we do this:
|
||||
*
|
||||
* if (qname != ".")
|
||||
* keyname = qname + defaultdomain
|
||||
* else
|
||||
* keyname = <random hex> + defaultdomain
|
||||
*/
|
||||
if (tctx->domain == NULL && tkeyin.mode != DNS_TKEYMODE_GSSAPI)
|
||||
{
|
||||
tkey_log("dns_tkey_processquery: tkey-domain not set");
|
||||
result = DNS_R_REFUSED;
|
||||
goto failure;
|
||||
}
|
||||
|
||||
keyname = dns_fixedname_initname(&fkeyname);
|
||||
|
||||
if (!dns_name_equal(qname, dns_rootname)) {
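Review bot: Removing the comment block together with the `tctx->domain == NULL` check leaves the `DNS_TKEYMODE_GSSAPI` case with no statement of how the key name is chosen; the `if (!dns_name_equal(qname, dns_rootname))` on the hunk's last line and its `else` branch (outside the hunk) now decide that silently. A short comment above `keyname = dns_fixedname_initname(&fkeyname);` along the lines of `/* GSSAPI: key name is the client-supplied qname; a root qname gets a generated name */` should be restored, worded to match what the `else` branch actually does now that there is no default domain to append. The check itself looks unreachable inside `case DNS_TKEYMODE_GSSAPI:` if `tkeyin.mode` is the switch subject, so its removal presumably changes no behaviour; dns_tkey_processquery begins and ends outside the hunk.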
|
||||
|
|
|
|||
|
|
@ -1450,7 +1450,7 @@ static cfg_clausedef_t options_clauses[] = {
|
|||
{ "tcp-receive-buffer", &cfg_type_uint32, 0 },
|
||||
{ "tcp-send-buffer", &cfg_type_uint32, 0 },
|
||||
{ "tkey-dhkey", NULL, CFG_CLAUSEFLAG_ANCIENT },
|
||||
{ "tkey-domain", &cfg_type_qstring, 0 },
|
||||
{ "tkey-domain", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE },
|
||||
{ "tkey-gssapi-credential", &cfg_type_qstring,
|
||||
CFG_CLAUSEFLAG_DEPRECATED },
|
||||
{ "tkey-gssapi-keytab", &cfg_type_qstring, 0 },
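Review bot: The new `tkey-domain` entry keeps `&cfg_type_qstring` alongside `CFG_CLAUSEFLAG_OBSOLETE`, unlike the neighbouring `tkey-dhkey` entry that pairs `NULL` with `CFG_CLAUSEFLAG_ANCIENT`, so an existing named.conf that still contains `tkey-domain "..."` should continue to parse and only be flagged by whatever the parser does for OBSOLETE clauses — the same treatment the DEPRECATED `tkey-gssapi-credential` entry gets. Since the tkeyconf.c hunk in this commit removes the only reader of the value, the intent that the string is accepted but ignored deserves a comment on the entry, e.g. `/* obsolete: still parsed for config compatibility, value ignored */`, so a later cleanup knows it can move to ANCIENT.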
|
||||
|
|
|
|||