Hello,
in line with our deprecation policy, I am notifying the mailing list about our
preliminary intent to deprecate the 'dnssec-must-be-secure' option. The option
will be marked as deprecated (causing a warning from named-checkconf) in BIND
9.18 and 9.20 and it will be removed in BIND 9.21+ when the next development
cycle starts next year.
The 'dnssec-must-be-secure' description from the ARM:
>This specifies hierarchies which must be or may not be secure (signed and
>validated). If ``yes``, then :iscman:`named` only accepts answers if
>they are secure. If ``no``, then normal DNSSEC validation applies,
>allowing insecure answers to be accepted. The specified domain
>must be defined as a trust anchor, for instance in a :any:`trust-anchors`
>statement, or ``dnssec-validation auto`` must be active.
>
In BIND 9.21:
1. Using the dnssec-must-be-secure option in named.conf will now be a fatal error
In BIND 9.18 and BIND 9.20:
1. Using the dnssec-must-be-secure option in named.conf will issue a deprecation
warning
This is tracked under https://gitlab.isc.org/isc-projects/bind9/-/issues/4263
Thanks.
--
Ondřej Surý (He/Him)
ond...@isc.org
My working hours and your working hours may be different. Please do not feel
obligated to reply outside your normal working hours.
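
To find live uses of the option in a configuration before an upgrade, the following added example (not part of the original message and not ISC code) scans named.conf text for `dnssec-must-be-secure` statements while ignoring occurrences inside comments. The regular expression is an approximation of the named.conf grammar, include files are not followed, and the sample configuration is constructed; named-checkconf remains the authoritative check.

```python
import re

def strip_comments(text):
    """Blank out named.conf comments (/* */, //, #); keep quoted strings and line breaks."""
    out, i, n = [], 0, len(text)
    while i < n:
        ch = text[i]
        if ch == '"':                                # quoted string: copy verbatim
            j = text.find('"', i + 1)
            j = n if j == -1 else j + 1
            out.append(text[i:j])
        elif text.startswith("/*", i):               # block comment, may span lines
            j = text.find("*/", i + 2)
            j = n if j == -1 else j + 2
            out.append(re.sub(r"[^\n]", " ", text[i:j]))
        elif text.startswith("//", i) or ch == "#":  # comment to end of line
            j = text.find("\n", i)
            j = n if j == -1 else j
            out.append(" " * (j - i))
        else:
            j = i + 1
            out.append(ch)
        i = j
    return "".join(out)

# dnssec-must-be-secure <domain> <boolean>;  (approximation of the grammar)
STATEMENT = re.compile(
    r'(?<![\w-])dnssec-must-be-secure\s+"?([^\s";]+)"?\s+([^\s;]+)\s*;', re.I)

def find_deprecated(text):
    """Return (line_number, domain, value) for each live statement."""
    clean = strip_comments(text)
    return [(clean.count("\n", 0, m.start()) + 1, m.group(1), m.group(2).lower())
            for m in STATEMENT.finditer(clean)]

# Constructed sample configuration, not taken from a real server.
SAMPLE = '''options {
    // dnssec-must-be-secure old.example yes;
    dnssec-must-be-secure "example.com" yes;
    /* dnssec-must-be-secure block.example no; */
    dnssec-must-be-secure example.net
        no;   # dnssec-must-be-secure trailing.example yes;
};
'''

if __name__ == "__main__":
    for line, domain, value in find_deprecated(SAMPLE):
        print(f"line {line}: dnssec-must-be-secure {domain} {value}; "
              "(warning in BIND 9.18/9.20, fatal error in 9.21)")
```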