Hello,

in line with our deprecation policy, I am notifying the mailing list about our preliminary intent to deprecate the 'dnssec-must-be-secure' option. The option will be marked as deprecated (causing a warning from named-checkconf) in BIND 9.18 and 9.20 and it will be removed in BIND 9.21+ when the next development cycle starts next year.

The 'dnssec-must-be-secure' description from the ARM:

> This specifies hierarchies which must be or may not be secure (signed and
> validated). If ``yes``, then :iscman:`named` only accepts answers if
> they are secure. If ``no``, then normal DNSSEC validation applies,
> allowing insecure answers to be accepted. The specified domain
> must be defined as a trust anchor, for instance in a :any:`trust-anchors`
> statement, or ``dnssec-validation auto`` must be active.

In BIND 9.21:

1. Using the dnssec-must-be-secure option in named.conf will now be a fatal error

In BIND 9.18 and BIND 9.20:

1. Using the dnssec-must-be-secure option in named.conf will issue a deprecation warning

This is tracked under https://gitlab.isc.org/isc-projects/bind9/-/issues/4263

Thanks.
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
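
An added example, not part of the original message and not ISC code: a comment-aware scan of named.conf text for active dnssec-must-be-secure statements, for checking configurations ahead of a release where the option becomes a fatal error. The sample configuration is constructed, the statement form `dnssec-must-be-secure <domain> <yes|no>;` is an assumption taken from the ARM, and `include` files are not followed.

```python
import re
import sys

OPTION = "dnssec-must-be-secure"

# named.conf accepts /* ... */, // ... and # ... comments. Quoted strings are
# matched first so that comment markers inside them (paths, URLs) are kept.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

# Assumed statement form: dnssec-must-be-secure <domain> <yes|no>;
_STMT = re.compile(
    r'(?<![\w-])' + re.escape(OPTION) + r'\s+("?)([^\s";]+)\1\s+(\w+)\s*;'
)

def strip_comments(text):
    """Blank out comments but keep newlines, so line numbers stay valid."""
    def repl(m):
        s = m.group(0)
        return s if s.startswith('"') else re.sub(r"[^\n]", " ", s)
    return _TOKEN.sub(repl, text)

def find_uses(text):
    """Return (line, domain, value) for each statement that is not commented out."""
    clean = strip_comments(text)
    return [
        (clean.count("\n", 0, m.start()) + 1, m.group(2), m.group(3).lower())
        for m in _STMT.finditer(clean)
    ]

# Constructed sample configuration (not from the mailing-list post).
SAMPLE = '''\
options {
    directory "/var/named";   // constructed sample
    dnssec-validation auto;
    # dnssec-must-be-secure "old.example" yes;
    dnssec-must-be-secure "example.com" yes;
};
view "internal" {
    /* dnssec-must-be-secure "x.example" no;
       still commented */
    dnssec-must-be-secure example.net. no;
};
'''

if __name__ == "__main__":
    # Scan the files given on the command line, or the sample if none are given.
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or [("<sample>", SAMPLE)]
    for name, text in sources:
        for line, domain, value in find_uses(text):
            print(f"{name}:{line}: {OPTION} {domain} {value} (deprecated)")
```
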