From cae623fa690f9de0600d7d9a207e198be1920949 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Mon, 1 Sep 2025 21:35:33 +0200
Subject: [PATCH] Obsolete the "tkey-domain" statement

The "tkey-domain" statement has effectively been a no-op since commit bd4576b3cef88bcb78ae0dd7619019be4fdfb2ea, which removed the only bit of code using it: the logic implementing TKEY Mode 2 (Diffie-Hellman). A subsequent cleanup commit, 885c132f4ae6d895ee973648e15d9e61d01555a8, also missed the opportunity to remove the "tkey-domain" statement altogether. Mark the "tkey-domain" statement as obsolete and remove all code and documentation related to it.

(cherry picked from commit 805f1c0f6539dae29d11799af2de4f8ab2a02a98)
---
 bin/named/config.c | 1 -
 bin/named/tkeyconf.c | 13 -------------
 doc/arm/reference.rst | 19 +------------------
 doc/misc/options | 2 +-
 lib/dns/include/dns/tkey.h | 1 -
 lib/dns/tkey.c | 21 ---------------------
 lib/isccfg/namedconf.c | 2 +-
 7 files changed, 3 insertions(+), 56 deletions(-)

diff --git a/bin/named/config.c b/bin/named/config.c
index 15bfff512f..9f62ced2b3 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -123,7 +123,6 @@ options {\n\
 tcp-listen-queue 10;\n\
 tcp-receive-buffer 0;\n\
 tcp-send-buffer 0;\n\
-# tkey-domain \n\
 # tkey-gssapi-credential \n\
 transfer-message-size 20480;\n\
 transfers-in 10;\n\
diff --git a/bin/named/tkeyconf.c b/bin/named/tkeyconf.c
index a072fa4475..5777be2bd2 100644
--- a/bin/named/tkeyconf.c
+++ b/bin/named/tkeyconf.c
@@ -58,19 +58,6 @@ named_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
 return result;
 }
 
- obj = NULL;
- result = cfg_map_get(options, "tkey-domain", &obj);
- if (result == ISC_R_SUCCESS) {
- s = cfg_obj_asstring(obj);
- isc_buffer_constinit(&b, s, strlen(s));
- isc_buffer_add(&b, strlen(s));
- name = dns_fixedname_initname(&fname);
- RETERR(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
- tctx->domain = isc_mem_get(mctx, sizeof(dns_name_t));
- dns_name_init(tctx->domain, NULL);
- dns_name_dup(name, mctx, tctx->domain);
- }
-
 obj = NULL;
 result = cfg_map_get(options, "tkey-gssapi-credential", &obj);
 if (result == ISC_R_SUCCESS) {
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 277bd0655c..b2d69737d2 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
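Review bot: With the `tkey-domain` block gone, the locals it populated (`s`, `b`, `name`, `fname`) and the `RETERR` failure path are only still needed if the remaining `tkey-gssapi-credential` branch below uses them; that branch's body and the declarations at the top of named_tkeyctx_fromconfig are outside the hunk, so please confirm none of them became unused (a `-Werror=unused-variable` build would catch it). A named.conf that still carries `tkey-domain` is no longer read here at all, so whether it keeps loading and what the operator sees now rests solely on the `CFG_CLAUSEFLAG_OBSOLETE` entry in lib/isccfg/namedconf.c. The function starts before and continues after this hunk.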
@@ -1461,24 +1461,7 @@ default is used. principal which the server can acquire through the default system key file, normally ``/etc/krb5.keytab``. The location of the keytab file can be overridden using the :any:`tkey-gssapi-keytab` option. Normally this
- principal is of the form ``DNS/server.domain``. To use
- GSS-TSIG, :any:`tkey-domain` must also be set if a specific keytab is
- not set with :any:`tkey-gssapi-keytab`.
-
-.. namedconf:statement:: tkey-domain
- :tags: security
- :short: Sets the domain appended to the names of all shared keys generated with ``TKEY``.
-
- This domain is appended to the names of all shared keys generated with
- ``TKEY``. When a client requests a ``TKEY`` exchange, it may or may
- not specify the desired name for the key. If present, the name of the
- shared key is ``client-specified part`` + :any:`tkey-domain`.
- Otherwise, the name of the shared key is ``random hex digits``
- + :any:`tkey-domain`. In most cases, the ``domainname``
- should be the server's domain name, or an otherwise nonexistent
- subdomain like ``_tkey.domainname``. If using GSS-TSIG,
- this variable must be defined, unless a specific keytab
- is indicated using :any:`tkey-gssapi-keytab`.
+ principal is of the form ``DNS/server.domain``.
 
 .. namedconf:statement:: dump-file
 :tags: logging
diff --git a/doc/misc/options b/doc/misc/options
index 11e0f257cd..0f9d77e949 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -305,7 +305,7 @@ options {
 tcp-listen-queue ;
 tcp-receive-buffer ;
 tcp-send-buffer ;
- tkey-domain ;
+ tkey-domain ; // obsolete
 tkey-gssapi-credential ; // deprecated
 tkey-gssapi-keytab ;
 tls-port ;
diff --git a/lib/dns/include/dns/tkey.h b/lib/dns/include/dns/tkey.h
index f1998beb1c..f1588b93af 100644
--- a/lib/dns/include/dns/tkey.h
+++ b/lib/dns/include/dns/tkey.h
@@ -35,7 +35,6 @@ ISC_LANG_BEGINDECLS
 #define DNS_TKEYMODE_DELETE 5
 
 struct dns_tkeyctx {
- dns_name_t *domain;
 dns_gss_cred_id_t gsscred;
 isc_mem_t *mctx;
 char *gssapi_keytab;
diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
index 90cd9bb32d..56347fe812 100644
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -101,12 +101,6 @@ dns_tkeyctx_destroy(dns_tkeyctx_t **tctxp) {
 *tctxp = NULL;
 mctx = tctx->mctx;
 
- if (tctx->domain != NULL) {
- if (dns_name_dynamic(tctx->domain)) {
- dns_name_free(tctx->domain, mctx);
- }
- isc_mem_put(mctx, tctx->domain, sizeof(dns_name_t));
- }
 if (tctx->gssapi_keytab != NULL) {
 isc_mem_free(mctx, tctx->gssapi_keytab);
 }
@@ -441,21 +435,6 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
 ring));
 break;
 case DNS_TKEYMODE_GSSAPI:
- /*
- * For non-delete operations we do this:
- *
- * if (qname != ".")
- * keyname = qname + defaultdomain
- * else
- * keyname = + defaultdomain
- */
- if (tctx->domain == NULL && tkeyin.mode != DNS_TKEYMODE_GSSAPI)
- {
- tkey_log("dns_tkey_processquery: tkey-domain not set");
- result = DNS_R_REFUSED;
- goto failure;
- }
-
 keyname = dns_fixedname_initname(&fkeyname);
 
 if (!dns_name_equal(qname, dns_rootname)) {
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index ea2d7fb881..d09afdacb1 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1450,7 +1450,7 @@ static cfg_clausedef_t options_clauses[] = {
 { "tcp-receive-buffer", &cfg_type_uint32, 0 },
 { "tcp-send-buffer", &cfg_type_uint32, 0 },
 { "tkey-dhkey", NULL, CFG_CLAUSEFLAG_ANCIENT },
- { "tkey-domain", &cfg_type_qstring, 0 },
+ { "tkey-domain", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE },
 { "tkey-gssapi-credential", &cfg_type_qstring, CFG_CLAUSEFLAG_DEPRECATED },
 { "tkey-gssapi-keytab", &cfg_type_qstring, 0 },
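Review bot: The removed guard in dns_tkey_processquery was already unreachable — it sits under `case DNS_TKEYMODE_GSSAPI:` yet required `tkeyin.mode != DNS_TKEYMODE_GSSAPI` — so deleting it changes nothing about which requests are refused, assuming the enclosing switch is on `tkeyin.mode` (the switch statement itself is outside the hunk). What the hunk does lose is the only comment describing how `keyname` is derived in the GSSAPI case; since the remaining code still branches on `dns_name_equal(qname, dns_rootname)`, a replacement such as `/* GSSAPI: the client-supplied qname is the key name; a qname of "." means the server picks one. */` would keep that intent visible, with the second half to be checked against the else branch, which is outside the hunk. dns_tkey_processquery starts before and ends after this hunk.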
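Review bot: Marking `tkey-domain` with `CFG_CLAUSEFLAG_OBSOLETE` while keeping `&cfg_type_qstring` presumably lets an existing named.conf that still carries the statement keep loading with only an obsolete-option warning; please confirm that is the intended behaviour and matches how other OBSOLETE entries in this table are declared, since `tkey-dhkey` on the line above pairs `NULL` with `CFG_CLAUSEFLAG_ANCIENT` instead. The diffstat shows no release-notes change; if the tree keeps per-release notes, a one-line entry stating that `tkey-domain` is now obsolete and ignored would help operators who still have it configured for GSS-TSIG. The `options_clauses` table continues outside the hunk.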