Commit f5e1b555 authored by Mark Andrews

4801. [func] 'dnssec-lookaside auto;' and 'dnssec-lookaside .

                        trust-anchor dlv.isc.org;' now elicit warnings rather
                        than being fatal configuration errors. [RT #46410]
parent 4e2ba60f
4801. [func] 'dnssec-lookaside auto;' and 'dnssec-lookaside .
trust-anchor dlv.isc.org;' now elicit warnings rather
than being fatal configuration errors. [RT #46410]
4800. [bug] When processing delzone, write one zone config per
line to the NZF. [RT #46323]
......@@ -200,7 +204,7 @@
- Removed DLV key from bind.keys
- No longer use ISC DLV by default in delv
- "dnssec-lookaside auto" and configuration of
"dnssec-lookaide" with dlv.isc.org as trust
"dnssec-lookaide" with dlv.isc.org as the trust
anchor are both now fatal errors.
[RT #46155]
......
......@@ -4975,11 +4975,9 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
if (!strcasecmp(dom, "no")) {
result = ISC_R_NOTFOUND;
} else if (!strcasecmp(dom, "auto")) {
cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
"WARNING: the DLV server at "
"'dlv.isc.org' is no longer "
"in service; dnssec-lookaside "
"ignored");
/*
* Warning logged by libbind9.
*/
result = ISC_R_NOTFOUND;
}
}
......@@ -5005,11 +5003,9 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
CHECK(dns_name_fromstring(dlv, cfg_obj_asstring(obj),
DNS_NAME_DOWNCASE, NULL));
if (dns_name_equal(dlv, iscdlv)) {
cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
"WARNING: the DLV server at "
"'dlv.isc.org' is no longer "
"in service; dnssec-lookaside "
"ignored");
/*
* Warning logged by libbind9.
*/
view->dlv = NULL;
} else {
view->dlv = dlv;
......
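Review bot: The replacement comment `Warning logged by libbind9.` in both configure_view() hunks (the "auto" branch and the dns_name_equal(dlv, iscdlv) branch) says neither what the branch does nor where the warning comes from. A reader of this file alone sees a configured option being dropped with no log call. I would spell it out, e.g. `/* dlv.isc.org is shut down, so dnssec-lookaside is ignored here; the warning is issued by check_options() in libbind9. */`. That wording also records the assumption that check_options() has already run on the same configuration; that ordering is not visible in these hunks and is worth confirming, since otherwise nothing at all is logged. configure_view() starts and ends outside both hunks.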
/*
* Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
options {
dnssec-lookaside . trust-anchor dlv.example.com;
};
......@@ -327,5 +327,29 @@ diff good.zonelist checkconf.out$n > diff.out$n || ret=1
if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I: check that 'dnssec-lookaside auto;' generates a warning ($n)"
ret=0
$CHECKCONF warn-dlv-auto.conf > checkconf.out$n 2>/dev/null || ret=1
grep "dnssec-lookaside 'auto' is no longer supported" checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I: check that 'dnssec-lookaside . trust-anchor dlv.isc.org;' generates a warning ($n)"
ret=0
$CHECKCONF warn-dlv-dlv.isc.org.conf > checkconf.out$n 2>/dev/null || ret=1
grep "dlv.isc.org has been shut down" checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I: check that 'dnssec-lookaside . trust-anchor dlv.example.com;' doesn't generates a warning ($n)"
ret=0
$CHECKCONF good-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] && ret=1
if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
status=`expr $status + $ret`
echo "I:exit status: $status"
[ $status -eq 0 ] || exit 1
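Review bot: The negative check for good-dlv-dlv.example.com.conf asserts only that stdout is empty (`[ -s checkconf.out$n ] && ret=1`) while stderr is discarded with `2>/dev/null`. A diagnostic written to stderr would therefore pass unnoticed; whether named-checkconf ever writes there is not visible from this hunk. Capturing both streams makes the assertion independent of that detail: `$CHECKCONF good-dlv-dlv.example.com.conf > checkconf.out$n 2>&1 || ret=1`. The echo line for the same check reads "doesn't generates a warning" and should be "doesn't generate a warning". All three new checks exercise named-checkconf only, so the named-side change (loading such a configuration with lookaside ignored) is not covered here.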
......@@ -464,15 +464,15 @@
<itemizedlist>
<listitem>
<para>
The ISC DNSSEC Lookaside Validation (DLV) service has been shut
down; all DLV records in the dlv.isc.org zone have been removed.
References to the service have been removed from BIND documentation.
Lookaside validation is no longer used by default by
<command>delv</command>. The DLV key has been removed from
<filename>bind.keys</filename>. Setting
<command>dnssec-lookaside</command> to
The ISC DNSSEC Lookaside Validation (DLV) service has
been shut down; all DLV records in the dlv.isc.org zone
have been removed. References to the service have been
removed from BIND documentation. Lookaside validation
is no longer used by default by <command>delv</command>.
The DLV key has been removed from <filename>bind.keys</filename>.
Setting <command>dnssec-lookaside</command> to
<command>auto</command> or to use dlv.isc.org as a trust
anchor is now a fatal configuration error. [RT #46155]
anchor results in a warning being issued.
</para>
</listitem>
<listitem>
......
......@@ -1183,11 +1183,9 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
continue;
}
if (!strcasecmp(dlv, "auto")) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
"dnssec-lookaside 'auto' "
"is no longer supported");
if (result == ISC_R_SUCCESS)
result = ISC_R_FAILURE;
continue;
}
}
......@@ -1242,10 +1240,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
continue;
}
if (dns_name_equal(&dlviscorg, name)) {
cfg_obj_log(anchor, logctx, ISC_LOG_ERROR,
cfg_obj_log(anchor, logctx, ISC_LOG_WARNING,
"dlv.isc.org has been shut down");
if (result == ISC_R_SUCCESS)
result = ISC_R_FAILURE;
continue;
}
}
......
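Review bot: The two downgraded messages in check_options() no longer tell the operator what happens to the setting. With the ISC_LOG_WARNING texts `"dnssec-lookaside 'auto' is no longer supported"` and `"dlv.isc.org has been shut down"` the configuration now loads, and the same commit drops named's own warning that ended in "dnssec-lookaside ignored". I would state the consequence in the warning itself, e.g. `"is no longer supported; ignored");` and `"dlv.isc.org has been shut down; dnssec-lookaside ignored");`, so someone who expected lookaside validation can see from the log that it is off. Both extended strings still contain the substrings the new checkconf tests grep for. check_options() starts and ends outside both hunks.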