Deprecation notice for BIND 9.20+: dnssec-must-be-secure option
Ondřej Surý
ondrej at isc.org
Mon Sep 4 11:45:33 UTC 2023
Hello,
in line with our deprecation policy, I am notifying the mailing list about our preliminary
intent to deprecate the 'dnssec-must-be-secure' option. The option will be marked as
deprecated (causing a warning from named-checkconf) in BIND 9.18 and 9.20 and
it will be removed in BIND 9.21+ when the next development cycle starts next year.
The 'dnssec-must-be-secure' description from the ARM:
> This specifies hierarchies which must be or may not be secure (signed and
> validated). If ``yes``, then :iscman:`named` only accepts answers if
> they are secure. If ``no``, then normal DNSSEC validation applies,
> allowing insecure answers to be accepted. The specified domain
> must be defined as a trust anchor, for instance in a :any:`trust-anchors`
> statement, or ``dnssec-validation auto`` must be active.
>
In BIND 9.21:
1. Using the dnssec-must-be-secure option in named.conf will now be a fatal error
In BIND 9.18 and BIND 9.20:
1. Using the dnssec-must-be-secure option in named.conf will issue a deprecation warning
This is tracked under https://gitlab.isc.org/isc-projects/bind9/-/issues/4263
Thanks.
--
Ondřej Surý (He/Him)
ondrej at isc.org
My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
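
An added example, not part of the original message and not ISC code: a comment-aware scan that finds live `dnssec-must-be-secure` statements in named.conf text so they can be removed before a release that treats them as fatal. The function names and the sample configuration are constructed for illustration.

```python
import re

# Quoted strings first, so "//" or "#" inside a path is never taken as a comment;
# then the three comment styles named.conf accepts: /* */, // and #.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|(?://|#)[^\n]*', re.S)
# dnssec-must-be-secure <domain> <yes|no>;  (may span lines, domain may be quoted)
_STMT = re.compile(r'(?<![\w-])dnssec-must-be-secure\s+("[^"]*"|[^\s;"]+)'
                   r'\s+("[^"]*"|[^\s;"]+)\s*;')

def _blank(match):
    text = match.group(0)
    if text.startswith('"'):
        return text                        # keep quoted strings untouched
    return re.sub(r'[^\n]', ' ', text)     # blank comments, keep line breaks

def strip_comments(conf):
    """Return conf with comments replaced by spaces (line numbers preserved)."""
    return _TOKEN.sub(_blank, conf)

def find_deprecated(conf):
    """Return [(line, domain, value)] for each active dnssec-must-be-secure."""
    clean = strip_comments(conf)
    hits = []
    for m in _STMT.finditer(clean):
        line = clean.count('\n', 0, m.start()) + 1
        hits.append((line, m.group(1).strip('"'), m.group(2).strip('"').lower()))
    return hits

# Constructed sample configuration (not taken from any real deployment).
SAMPLE = r'''options {
    directory "/var/named//data";  // the // inside the string is not a comment
    dnssec-validation auto;
    # dnssec-must-be-secure old.example yes;
    /* dnssec-must-be-secure
       block.example yes; */
    dnssec-must-be-secure "example.com" yes;
    dnssec-must-be-secure
        corp.example no;
};
'''

if __name__ == "__main__":
    for line, domain, value in find_deprecated(SAMPLE):
        print(f"line {line}: dnssec-must-be-secure {domain} {value}; (deprecated)")
```

The scan covers one file's text, so files pulled in with `include` need to be checked as well; named-checkconf on 9.18 and 9.20 remains the authoritative check, as the notice states.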