Deprecation notice for BIND 9.20+: "tkey-gssapi-credential", "tkey-domain"
Michał Kępień
michal at isc.org
Wed Aug 13 16:53:14 UTC 2025

BIND users,

In line with our deprecation policy, we are notifying the mailing list
about our intent to deprecate two TKEY-related configuration
statements: "tkey-gssapi-credential" and "tkey-domain".

"tkey-gssapi-credential"
------------------------

Since the "tkey-gssapi-credential" statement acquires the specified GSS-API
credential from a Kerberos keytab, the "tkey-gssapi-keytab"
option should be used instead as such a setup is simpler, more reliable,
and easier to troubleshoot.

For configurations currently using a combination of both
"tkey-gssapi-keytab" and "tkey-gssapi-credential", the latter should be
dropped; the keytab pointed to by "tkey-gssapi-keytab" should only
contain the credential previously specified by "tkey-gssapi-credential".

These changes are intended to simplify GSS-TSIG configuration in
named.conf: using the "tkey-gssapi-keytab" statement will be the only way
to do that.

In BIND 9.18 & BIND 9.20, using the "tkey-gssapi-credential" statement
will cause a deprecation warning to be emitted, but it will continue
working.

In BIND 9.22, using the "tkey-gssapi-credential" statement will be a
fatal error.

"tkey-domain"
-------------

This statement is only used by code implementing TKEY Mode 2
(Diffie-Hellman), which has already been removed from BIND 9.20+.

In BIND 9.18, using the "tkey-domain" statement will cause a deprecation
warning to be emitted, but it will continue working with TKEY Mode 2.

In BIND 9.20, using the "tkey-domain" statement will cause a deprecation
warning to be emitted, but that statement will not influence server
behavior in any way.

In BIND 9.22, using the "tkey-domain" statement will be a fatal error.

This is tracked at:
https://gitlab.isc.org/isc-projects/bind9/-/issues/4204

Thanks,
--
Best regards,
Michał Kępień
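
An added example, not part of the original message and not ISC code: a pre-upgrade audit that finds the two deprecated statements in named.conf text, ignoring comments and quoted strings, and reports the per-release outcome described in the notice. The function name `audit`, the sample path and the sample principal are assumptions made for illustration.

```python
import re

# What named does with each statement per release, as stated in the notice.
OUTCOME = {
    "tkey-gssapi-credential": {
        "9.18": "deprecation warning, still works",
        "9.20": "deprecation warning, still works",
        "9.22": "fatal error",
    },
    "tkey-domain": {
        "9.18": "deprecation warning, still works with TKEY Mode 2",
        "9.20": "deprecation warning, statement has no effect",
        "9.22": "fatal error",
    },
}

# Quoted strings and the three named.conf comment styles (/* */, //, #).
_SKIP = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)


def _blank(match):
    # Keep newlines so reported line numbers match the original file.
    return re.sub(r"[^\n]", " ", match.group(0))


def audit(conf_text, release):
    """Return [(line, statement, outcome)] for deprecated TKEY statements."""
    code_only = _SKIP.sub(_blank, conf_text)
    findings = []
    for lineno, line in enumerate(code_only.splitlines(), 1):
        for stmt, by_release in OUTCOME.items():
            if re.search(r"(?<![\w-])" + re.escape(stmt) + r"(?![\w-])", line):
                findings.append((lineno, stmt, by_release[release]))
    return findings


# Constructed sample configuration (path and principal are made up).
SAMPLE = '''options {
    // tkey-domain "old.example";  commented out, must not be flagged
    tkey-gssapi-keytab "/etc/named/dns.keytab";
    tkey-gssapi-credential "DNS/ns1.example.com@EXAMPLE.COM";
    /* legacy TKEY Mode 2 setting */
    tkey-domain "example.com";
};
'''

if __name__ == "__main__":
    for release in ("9.18", "9.20", "9.22"):
        for lineno, stmt, outcome in audit(SAMPLE, release):
            print(f"BIND {release}: line {lineno}: {stmt}: {outcome}")
```

The script only scans the text it is given, so files pulled in with "include" must be audited separately; running named-checkconf from the target release remains the authoritative check.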