Commit 41ba4b4d authored by Tomas Krizek's avatar Tomas Krizek Committed by Petr Špaček

trust_anchors: remove syntactic sugar and duplicity

parent 8abc490f
......@@ -5,6 +5,8 @@ Incompatible changes
--------------------
- see upgrading guide:
https://knot-resolver.readthedocs.io/en/v4.0.0/upgrading.html#upgrade-from-3-to-4
- configuration: trust_anchors aliases .file, .config() and .negative were removed (!788)
- configuration: trust_anchors.keyfile_default is no longer accessible (!788)
- meson build system is now used for builds (!771)
- build with embedded LMBD is no longer supported
- default modules dir location has changed
......@@ -33,6 +35,7 @@ Bugfixes
- policy.RPZ: log problems from zone-file level of parser as well (#453)
- fix flushing of messages to logs in some cases (!781)
- fix fallback when SERVFAIL or REFUSED is received from upstream (!784)
- fix crash when dealing with unknown TA key algorhitm (#449)
Module API changes
------------------
......
......@@ -5,7 +5,7 @@ net.listen('127.0.0.1', 8853, { tls = true })
net.ipv6=false
-- Auto-maintain root TA
trust_anchors.file = '.local/etc/knot-resolver/root.keys'
trust_anchors.add_file('.local/etc/knot-resolver/root.keys')
-- Large cache size, so we don't need to flush often
-- This can be larger than available RAM, least frequently accessed
......
......@@ -305,7 +305,7 @@ Environment
net = { '127.0.0.1', '::1' }
-- unprivileged
cache.size = 100*MB
trust_anchors.file = 'root.key'
trust_anchors.add_file('root.key')
Example output:
......@@ -398,7 +398,7 @@ and :rfc:`7646` negative trust anchors. Depending on your distribution, DNSSEC
trust anchors should be either maintained in accordance with the distro-wide
policy, or automatically maintained by the resolver itself.
.. function:: trust_anchors.add_file(keyfile, readonly)
.. function:: trust_anchors.add_file(keyfile[, readonly = false])
:param string keyfile: path to the file.
:param readonly: if true, do not attempt to update the file.
......@@ -421,10 +421,6 @@ policy, or automatically maintained by the resolver itself.
[ ta ] key: 19036 state: Valid
.. function:: trust_anchors.config(keyfile, readonly)
Alias for `add_file`. Its use is discouraged and will be removed in future versions.
.. function:: trust_anchors.remove(zonename)
Remove specified trust anchor from trusted key set. Removing trust anchor for the root zone effectivelly disables DNSSEC validation (unless you configured another trust anchor).
......@@ -638,7 +634,7 @@ Example:
$ kresd-query.lua www.sub.nic.cz 'assert(kres.dname2str(req:resolved().zone_cut.name) == "nic.cz.")' && echo "yes"
yes
$ kresd-query.lua -C 'trust_anchors.config("root.keys")' nic.cz 'assert(req:resolved().flags.DNSSEC_WANT)'
$ kresd-query.lua -C 'trust_anchors.add_file("root.keys")' nic.cz 'assert(req:resolved().flags.DNSSEC_WANT)'
$ echo $?
0
......
......@@ -11,6 +11,11 @@ local key_state = {
Missing = 'Missing', Revoked = 'Revoked', Removed = 'Removed'
}
local function upgrade_required(field)
panic('Configuration upgrade required! Please refer to ' ..
'https://knot-resolver.readthedocs.io/en/stable/upgrading.html')
end
-- TODO: Move bootstrap to a separate module or even its own binary
-- Fetch over HTTPS with peert cert checked
local function https_fetch(url, ca)
......@@ -431,7 +436,7 @@ trust_anchors = {
-- Load keys from a file, 5011-managed by default.
-- If managed and the file doesn't exist, try bootstrapping the root into it.
add_file = add_file,
config = add_file,
config = upgrade_required,
remove = remove,
keyset_publish = keyset_publish,
......@@ -515,11 +520,12 @@ trust_anchors = {
-- Syntactic sugar for TA store
setmetatable(trust_anchors, {
__newindex = function (t,k,v)
if k == 'file' then t.config(v)
elseif k == 'negative' then t.set_insecure(v)
else rawset(t, k, v) end
end,
__newindex = function (t,k,v)
if k == 'file' then upgrade_required()
elseif k == 'negative' then upgrade_required()
elseif k == 'keyfile_default' then upgrade_required()
else rawset(t, k, v) end
end,
})
return trust_anchors
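Review bot: `upgrade_required(field)` never reads `field`, so the panic raised from `config = upgrade_required` and from the three `__newindex` branches cannot tell the user which removed directive they used; and because `trust_anchors.config(path, readonly)` now lands in that function, `field` actually receives the key file path, which makes the parameter name misleading. I would have the helper take the directive name, let `__newindex` pass `'trust_anchors.' .. k`, and wrap `config` in a closure, as below. Separately, `__newindex` only fires for keys that are absent from the table, so if `keyfile_default` is still a raw field of `trust_anchors` (its definition is not in this hunk) the new `keyfile_default` branch never runs and the assignment silently succeeds — please confirm the raw field is gone or add a `rawget` check. The `trust_anchors` table constructor begins outside the hunk.
```lua
local function upgrade_required(field)
	panic('Configuration upgrade required! "' .. tostring(field) ..
	      '" is no longer supported, please refer to ' ..
	      'https://knot-resolver.readthedocs.io/en/stable/upgrading.html')
end
-- … unchanged: https_fetch and the rest of the module …
	config = function () upgrade_required('trust_anchors.config()') end,
-- … unchanged: remaining trust_anchors fields …
setmetatable(trust_anchors, {
	__newindex = function (t,k,v)
		if k == 'file' or k == 'negative' or k == 'keyfile_default' then
			upgrade_required('trust_anchors.' .. k)
		else rawset(t, k, v) end
	end,
})
```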
......@@ -19,6 +19,28 @@ Users
location. The exact location depends on your distribution. Generally, modules previously
in ``/usr/lib/kdns_modules`` should be moved to ``/usr/lib/knot-resolver/kres_modules``.
Configuration
~~~~~~~~~~~~~
* ``trust_anchors.file``, ``trust_anchors.config()`` and ``trust_anchors.negative``
aliases were removed to avoid duplicity
.. csv-table::
:header: "3.x configuration", "4.x configuration"
"``trust_anchors.file = path``", "``trust_anchors.add_file(path)``"
"``trust_anchors.config(path, readonly)``", "``trust_anchors.add_file(path, readonly)``"
"``trust_anchors.negative = nta_set``", "``trust_anchors.set_insecure(nta_set)``"
* ``trust_anchors.keyfile_default`` is no longer accessible and is only possible to set
at compile time. To turn off DNSSEC, use ``trust_anchors.remove('.')``.
.. csv-table::
:header: "3.x configuration", "4.x configuration"
"``trust_anchors.keyfile_default = nil``", "``trust_anchors.remove('.')``"
Packagers & Developers
----------------------
......
......@@ -41,10 +41,10 @@ k = 1 while k <= #arg do
k = k + 1
table.insert(config, arg[k])
elseif v == '-D' then
table.insert(config, 'trust_anchors.file = "root.keys"')
table.insert(config, 'trust_anchors.add_file("root.keys")')
elseif v == '-f' then
k = k + 1
table.insert(config, string.format('trust_anchors.file = "%s"', arg[k]))
table.insert(config, string.format('trust_anchors.add_file("%s")', arg[k]))
elseif v == '-v' then
verbose = true
elseif v == '-d' then
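Review bot: The new `-f` branch still splices `arg[k]` into Lua source through `%s`, so a path containing a double quote or a backslash yields a configuration line that fails to parse or is read as code rather than as the file name; `%q` emits a correctly escaped Lua string literal instead: `table.insert(config, string.format('trust_anchors.add_file(%q)', arg[k]))`. The `-D` branch just above uses a fixed literal and needs no change. Note also that `string.format` raises when `-f` is the last argument (`arg[k]` is nil), which predates this commit. The enclosing `while` loop starts before and ends after this hunk.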
......