BIND users,

In line with our deprecation policy, we are notifying the mailing list
about our intent to deprecate two TKEY-related configuration
statements: "tkey-gssapi-credential" and "tkey-domain".

"tkey-gssapi-credential"
------------------------

Since the "tkey-gssapi-credential" statement acquires the specified GSS-API
credential from a Kerberos keytab, the "tkey-gssapi-keytab"
option should be used instead as such a setup is simpler, more reliable,
and easier to troubleshoot.

For configurations currently using a combination of both
"tkey-gssapi-keytab" and "tkey-gssapi-credential", the latter should be
dropped; the keytab pointed to by "tkey-gssapi-keytab" should only
contain the credential previously specified by "tkey-gssapi-credential".

These changes are intended to simplify GSS-TSIG configuration in
named.conf: using the "tkey-gssapi-keytab" statement will be the only way
to do that.

In BIND 9.18 & BIND 9.20, using the "tkey-gssapi-credential" statement
will cause a deprecation warning to be emitted, but it will continue
working.

In BIND 9.22, using the "tkey-gssapi-credential" statement will be a
fatal error.

"tkey-domain"
-------------

This statement is only used by code implementing TKEY Mode 2
(Diffie-Hellman), which has already been removed from BIND 9.20+.

In BIND 9.18, using the "tkey-domain" statement will cause a deprecation
warning to be emitted, but it will continue working with TKEY Mode 2.

In BIND 9.20, using the "tkey-domain" statement will cause a deprecation
warning to be emitted, but that statement will not influence server
behavior in any way.

In BIND 9.22, using the "tkey-domain" statement will be a fatal error.

This is tracked at:

    https://gitlab.isc.org/isc-projects/bind9/-/issues/4204

Thanks,

-- 
Best regards,
Michał Kępień
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.
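
A small audit helper for the migration described in this announcement, added here as an example; it is not part of the original message or of BIND. The function names and the sample configuration (paths, principal, domain) are constructed, and the per-version outcomes are copied from the text above.

```python
import re

# Behaviour per BIND release, taken from the announcement above.
BEHAVIOUR = {
    "tkey-gssapi-credential": {"9.18": "deprecation warning, still works",
                               "9.20": "deprecation warning, still works",
                               "9.22": "fatal error"},
    "tkey-domain": {"9.18": "deprecation warning, still works with TKEY Mode 2",
                    "9.20": "deprecation warning, statement has no effect",
                    "9.22": "fatal error"},
}

# named.conf allows /* */, // and # comments. Quoted strings are matched
# first so that comment markers inside a string are left alone.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_STMT = re.compile(r'(?<![\w-])(tkey-gssapi-credential|tkey-gssapi-keytab|'
                   r'tkey-domain)\s+("[^"]*"|[^\s;]+)\s*;')

def strip_comments(text):
    keep_strings = lambda m: m.group(0) if m.group(0).startswith('"') else " "
    return _TOKEN.sub(keep_strings, text)

def audit(conf_text, version):
    """Return (statement, value, outcome) tuples for version 9.18/9.20/9.22."""
    found = {m.group(1): m.group(2).strip('"')
             for m in _STMT.finditer(strip_comments(conf_text))}
    findings = [(s, found[s], BEHAVIOUR[s][version])
                for s in ("tkey-gssapi-credential", "tkey-domain") if s in found]
    if "tkey-gssapi-credential" in found:
        if "tkey-gssapi-keytab" in found:
            findings.append(("advice", found["tkey-gssapi-keytab"],
                             "drop tkey-gssapi-credential; keytab should "
                             "contain only that credential"))
        else:
            findings.append(("advice", "", "switch to tkey-gssapi-keytab"))
    return findings

# Constructed sample configuration (not from the announcement).
SAMPLE = '''options {
    directory "/var/named";   // constructed sample
    tkey-gssapi-keytab "/etc/named/dns.keytab";
    tkey-gssapi-credential "DNS/ns1.example.com@EXAMPLE.COM";
    # tkey-domain "old.example.com";   commented out, must be ignored
    tkey-domain "example.com";
};'''

if __name__ == "__main__":
    for finding in audit(SAMPLE, "9.22"):
        print(finding)
```
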