upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-28 04:34:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
bind9/doc/notes/notes-9.21.12.rst
Michał Kępień 84b96df153
Remove "tkey-gssapi-credential" and related code 
Since the "tkey-gssapi-credential" statement has been previously
deprecated, mark it as ancient and remove all code related to it:

  - The code processing the "tkey-gssapi-credential" statement in the
    configuration is the only user of the dst_gssapi_acquirecred() and
    dst_gssapi_releasecred() functions, so remove them along with their
    static helper functions and a backup definition of the
    GSS_KRB5_MECHANISM macro.

  - When calling gss_accept_sec_context(), pass GSS_C_NO_CREDENTIAL
    instead of the credential acquired by gss_acquire_cred().
    (Previously, NULL was passed when "tkey-gssapi-credential" was not
    specified.  Kerberos headers define GSS_C_NO_CREDENTIAL as
    (gss_cred_id_t) 0, so the logic was effectively the same, but using
    the GSS_C_NO_CREDENTIAL macro is more appropriate.)  This renders
    the 'cred' parameter for dst_gssapi_acceptctx() redundant, so remove
    it from the prototype of the latter.  (Contrary to what the
    documentation for dst_gssapi_acceptctx() claims,
    dst_gssapi_releasecred() does not need to subsequently be called to
    free the GSS-API context; a dst_gssapi_deletectx() call in
    gssapi_destroy() takes care of that when the dynamically generated
    TSIG key is destroyed.)

  - Remove the 'gsscred' member from struct dns_tkeyctx, along with its
    related dns_gss_cred_id_t typedef.

Update the relevant sections of the ARM and code comments accordingly.

This makes the "tkey-gssapi-keytab" statement the only way to set up
GSS-TSIG in named.

Remove redundant code from bin/named/tkeyconf.c while at it.
2025-10-06 13:19:50 +02:00

79 lines
2.8 KiB
ReStructuredText
Raw Permalink Blame History

.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.21.12
----------------------
New Features
~~~~~~~~~~~~
- Add a new option ``manual-mode`` to :any:`dnssec-policy`.
When enabled, :iscman:`named` will not modify DNSSEC keys or key states
automatically. The proposed change will be logged and only after manual
confirmation with ``rndc dnssec -step`` will the modification be made.
:gl:`#4606`
- Add a new option ``servfail-until-ready`` to :namedconf:ref:`response-policy`
zones.
By default, when :iscman:`named` is started, it starts answering
queries before all response policy zones are completely loaded and
processed. This new option instructs :iscman:`named` to respond with
SERVFAIL until all the response policy zones are processed and ready.
Note that if one or more response policy zones fail to load,
:iscman:`named` starts responding to queries according to those zones
that did load. :gl:`#5222`
- Support for parsing HHIT and BRID records has been added.
:gl:`#5444`
Removed Features
~~~~~~~~~~~~~~~~
- Deprecate the ``tkey-gssapi-credential`` statement.
The :any:`tkey-gssapi-keytab` statement allows GSS-TSIG to be set up
in a simpler and more reliable way than using the
``tkey-gssapi-credential`` statement and setting environment
variables (e.g. ``KRB5_KTNAME``). Therefore, the
``tkey-gssapi-credential`` statement has been deprecated;
:any:`tkey-gssapi-keytab` should be used instead.
For configurations currently using a combination of both
:any:`tkey-gssapi-keytab` *and* ``tkey-gssapi-credential``, the
latter should be dropped and the keytab pointed to by
:any:`tkey-gssapi-keytab` should now only contain the credential
previously specified by ``tkey-gssapi-credential``. :gl:`#4204`
- Obsolete the "tkey-domain" statement.
Mark the ``tkey-domain`` statement as obsolete because it has not had
any effect on server behavior since support for TKEY Mode 2
(Diffie-Hellman) was removed (in BIND 9.20.0). :gl:`#4204`
Bug Fixes
~~~~~~~~~
- Prevent spurious SERVFAILs for certain 0-TTL resource records.
Under certain circumstances, BIND 9 can return SERVFAIL when updating
existing entries in the cache with new NS, A, AAAA, or DS records that have a
TTL of zero. :gl:`#5294`
- Fix unexpected termination if :namedconf:ref:`catalog-zones` had undefined
``default-primaries``.
The issue manifested only if the server was reloaded or reconfigured twice.
:gl:`#5494`
Reference in a new issue View git blame Copy permalink