4801. [func] 'dnssec-lookaside auto;' and 'dnssec-lookaside .

trust-anchor dlv.isc.org;' now elicit warnings rather than being fatal configuration errors. [RT #46410]
2026-06-09 10:42:12 -04:00 · 2017-10-30 07:40:59 +11:00 · 2017-10-30 07:40:59 +11:00 · f5e1b555c5
commit f5e1b555c5
parent 4e2ba60f3c
8 changed files with 56 additions and 25 deletions
--- a/6
+++ b/6
@ -1,3 +1,7 @@
+4801.	[func]		'dnssec-lookaside auto;' and 'dnssec-lookaside .
+			trust-anchor dlv.isc.org;' now elicit warnings rather
+			than being fatal configuration errors. [RT #46410]
+
 4800.	[bug]		When processing delzone, write one zone config per
 			line to the NZF. [RT #46323]

@ -200,7 +204,7 @@
 			- Removed DLV key from bind.keys
 			- No longer use ISC DLV by default in delv
 			- "dnssec-lookaside auto" and configuration of
-			  "dnssec-lookaide" with dlv.isc.org as trust
+			  "dnssec-lookaide" with dlv.isc.org as the trust
 			  anchor are both now fatal errors.
 			[RT #46155]

--- a/bin/named/server.c
+++ b/bin/named/server.c
@ -4975,11 +4975,9 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 			if (!strcasecmp(dom, "no")) {
 				result = ISC_R_NOTFOUND;
 			} else if (!strcasecmp(dom, "auto")) {
-				cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
-					    "WARNING: the DLV server at "
-					    "'dlv.isc.org' is no longer "
-					    "in service; dnssec-lookaside "
-					    "ignored");
+				/*
+				 * Warning logged by libbind9.
+				 */
 				result = ISC_R_NOTFOUND;
 			}
 		}
@ -5005,11 +5003,9 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 			CHECK(dns_name_fromstring(dlv, cfg_obj_asstring(obj),
 						  DNS_NAME_DOWNCASE, NULL));
 			if (dns_name_equal(dlv, iscdlv)) {
-				cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
-					    "WARNING: the DLV server at "
-					    "'dlv.isc.org' is no longer "
-					    "in service; dnssec-lookaside "
-					    "ignored");
+				/*
+				 * Warning logged by libbind9.
+				 */
 				view->dlv = NULL;
 			} else {
 				view->dlv = dlv;
--- a/bin/tests/system/checkconf/good-dlv-dlv.example.com.conf
+++ b/bin/tests/system/checkconf/good-dlv-dlv.example.com.conf
@ -0,0 +1,11 @@
+/*
+ * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+options {
+	dnssec-lookaside . trust-anchor dlv.example.com;
+};
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@ -327,5 +327,29 @@ diff good.zonelist checkconf.out$n  > diff.out$n || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
 status=`expr $status + $ret`

+n=`expr $n + 1`
+echo "I: check that 'dnssec-lookaside auto;' generates a warning ($n)"
+ret=0
+$CHECKCONF warn-dlv-auto.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "dnssec-lookaside 'auto' is no longer supported" checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I: check that 'dnssec-lookaside . trust-anchor dlv.isc.org;' generates a warning ($n)"
+ret=0
+$CHECKCONF warn-dlv-dlv.isc.org.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "dlv.isc.org has been shut down" checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I: check that 'dnssec-lookaside . trust-anchor dlv.example.com;' doesn't generates a warning ($n)"
+ret=0
+$CHECKCONF good-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1
+[ -s checkconf.out$n ] && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 [ $status -eq 0 ] || exit 1
--- a/bin/tests/system/checkconf/warn-dlv-auto.conf
+++ b/bin/tests/system/checkconf/warn-dlv-auto.conf
--- a/bin/tests/system/checkconf/warn-dlv-dlv.isc.org.conf
+++ b/bin/tests/system/checkconf/warn-dlv-dlv.isc.org.conf
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@ -464,15 +464,15 @@
    <itemizedlist>
      <listitem>
 	<para>
-	  The ISC DNSSEC Lookaside Validation (DLV) service has been shut
-	  down; all DLV records in the dlv.isc.org zone have been removed.
-	  References to the service have been removed from BIND documentation.
-	  Lookaside validation is no longer used by default by
-	  <command>delv</command>. The DLV key has been removed from
-	  <filename>bind.keys</filename>. Setting
-	  <command>dnssec-lookaside</command> to
+	  The ISC DNSSEC Lookaside Validation (DLV) service has
+	  been shut down; all DLV records in the dlv.isc.org zone
+	  have been removed.  References to the service have been
+	  removed from BIND documentation.  Lookaside validation
+	  is no longer used by default by <command>delv</command>.
+	  The DLV key has been removed from <filename>bind.keys</filename>.
+	  Setting <command>dnssec-lookaside</command> to
 	  <command>auto</command> or to use dlv.isc.org as a trust
-	  anchor is now a fatal configuration error. [RT #46155]
+	  anchor results in a warning being issued.
 	</para>
      </listitem>
      <listitem>
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@ -1183,11 +1183,9 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
 					continue;
 				}
 				if (!strcasecmp(dlv, "auto")) {
-					cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
 						    "dnssec-lookaside 'auto' "
 						    "is no longer supported");
-					if (result == ISC_R_SUCCESS)
-						result = ISC_R_FAILURE;
 					continue;
 				}
 			}
@ -1242,10 +1240,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
 				continue;
 			}
 			if (dns_name_equal(&dlviscorg, name)) {
-				cfg_obj_log(anchor, logctx, ISC_LOG_ERROR,
+				cfg_obj_log(anchor, logctx, ISC_LOG_WARNING,
 					    "dlv.isc.org has been shut down");
-				if (result == ISC_R_SUCCESS)
-					result = ISC_R_FAILURE;
 				continue;
 			}
 		}