Commit d1503cbf authored by Matthijs Mekking's avatar Matthijs Mekking 🏡

Deprecate dnssec-lookaside option

Add the CFG_CLAUSEFLAG_DEPRECATED flag to the option so that people are
discouraged from using DLV.
parent 4cacdcc1
......@@ -254,7 +254,7 @@ options {
dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
dnssec-loadkeys-interval <replaceable>integer</replaceable>;
dnssec-lookaside ( <replaceable>string</replaceable> trust-anchor
<replaceable>string</replaceable> | auto | no );
<replaceable>string</replaceable> | auto | no );, deprecated
dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
dnssec-update-mode ( maintain | no-resign );
......@@ -615,7 +615,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
<replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... };
dnssec-loadkeys-interval <replaceable>integer</replaceable>;
dnssec-lookaside ( <replaceable>string</replaceable> trust-anchor
<replaceable>string</replaceable> | auto | no );
<replaceable>string</replaceable> | auto | no );, deprecated
dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
dnssec-update-mode ( maintain | no-resign );
......
......@@ -11,6 +11,7 @@
options {
dnssec-validation yes;
dnssec-lookaside . trust-anchor dlv.example.com;
};
trusted-keys {
......
......@@ -24,7 +24,6 @@ view view3 {
view view4 {
match-clients { none; };
dnssec-lookaside no;
};
view view5 {
......
......@@ -107,7 +107,6 @@ view "second" {
1.2.3.4;
};
};
dnssec-lookaside "." trust-anchor "example.org.";
dnssec-validation auto;
zone-statistics full;
};
......
......@@ -130,6 +130,7 @@ n=`expr $n + 1`
echo_i "checking named-checkconf deprecate warnings ($n)"
ret=0
$CHECKCONF deprecated.conf > checkconf.out$n.1 2>&1
grep "option 'dnssec-lookaside' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'managed-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'trusted-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
......@@ -401,10 +402,12 @@ if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' does not generate a warning ($n)"
echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' generates only a deprecate warning ($n)"
ret=0
$CHECKCONF good-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] && ret=1
lines=$(wc -l < checkconf.out$n)
if [ $lines != 1 ]; then ret=1; fi
grep "option 'dnssec-lookaside' is deprecated" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
......
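Review bot: The rewritten `good-dlv-dlv.example.com.conf` check still sends stderr to `/dev/null`, so the "generates only a deprecate warning" claim is verified only for what lands in `checkconf.out$n`; any extra diagnostic written to stderr would go unnoticed. The deprecation check earlier in this file captures both streams, and doing the same here, `$CHECKCONF good-dlv-dlv.example.com.conf > checkconf.out$n 2>&1 || ret=1`, would make the one-line count cover everything the tool prints. The count is also compared as a string; `if [ "$lines" -ne 1 ]; then ret=1; fi` states the numeric intent and does not depend on how `wc -l` pads its output.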
......@@ -5103,6 +5103,9 @@ options {
<userinput>no</userinput>, then dnssec-lookaside
is not used.
</para>
<para>
This option is deprecated and its use is discouraged.
</para>
<para>
NOTE: The ISC-provided DLV service at
<literal>dlv.isc.org</literal>, has been shut down.
......
......@@ -195,7 +195,7 @@
<itemizedlist>
<listitem>
<para>
The <command>dnssec-enable</command> option has been deprecated and
The <command>dnssec-enable</command> option has been obsoleted and
no longer has any effect. DNSSEC responses are always enabled
if signatures and other DNSSEC data are present. [GL #866]
</para>
......@@ -206,6 +206,12 @@
removed. [GL !1731]
</para>
</listitem>
<listitem>
<para>
The <command>dnssec-lookaside</command> option has been deprecated.
The feature still works, but it is discouraged to use it. [GL #7]
</para>
</listitem>
</itemizedlist>
</section>
......
......@@ -91,7 +91,7 @@
<command>dnssec-dnskey-kskonly</command> <replaceable>boolean</replaceable>;
<command>dnssec-loadkeys-interval</command> <replaceable>integer</replaceable>;
<command>dnssec-lookaside</command> ( <replaceable>string</replaceable> trust-anchor
<replaceable>string</replaceable> | auto | no );
<replaceable>string</replaceable> | auto | no );, deprecated
<command>dnssec-must-be-secure</command> <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
<command>dnssec-secure-to-insecure</command> <replaceable>boolean</replaceable>;
<command>dnssec-update-mode</command> ( maintain | no-resign );
......
......@@ -147,7 +147,7 @@ options {
dnssec-enable <boolean>; // obsolete
dnssec-loadkeys-interval <integer>;
dnssec-lookaside ( <string> trust-anchor
<string> | auto | no ); // may occur multiple times
<string> | auto | no ); // may occur multiple times, deprecated
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
......@@ -525,7 +525,7 @@ view <string> [ <class> ] {
<integer> <quoted_string>; ... }; // may occur multiple times
dnssec-loadkeys-interval <integer>;
dnssec-lookaside ( <string> trust-anchor
<string> | auto | no ); // may occur multiple times
<string> | auto | no ); // may occur multiple times, deprecated
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
......
......@@ -1879,7 +1879,8 @@ view_clauses[] = {
#endif
{ "dnssec-accept-expired", &cfg_type_boolean, 0 },
{ "dnssec-enable", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
{ "dnssec-lookaside", &cfg_type_lookaside, CFG_CLAUSEFLAG_MULTI },
{ "dnssec-lookaside", &cfg_type_lookaside,
CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED },
{ "dnssec-must-be-secure", &cfg_type_mustbesecure,
CFG_CLAUSEFLAG_MULTI },
{ "dnssec-validation", &cfg_type_boolorauto, 0 },
......
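Review bot: The `dnssec-lookaside` entry in `view_clauses[]` gains `CFG_CLAUSEFLAG_DEPRECATED` with no comment saying why, although this table is where a maintainer will look when deciding whether the clause can later move to obsolete. A short comment above the entry would help, for example `/* DLV: deprecated, still functional; config check warns. See GL #7. */`. Per the release note in this commit the feature still works, so a configuration that relies on a lookaside trust anchor keeps validating through it after the upgrade and only gets a warning; that is worth stating in the comment. The array starts and ends outside the hunk.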