Commit 8abc490f authored by Tomas Krizek's avatar Tomas Krizek Committed by Petr Špaček

trust_anchors: always load keyfile_default

parent e2abf7fa
......@@ -391,7 +391,7 @@ add the following snippet to your configuration file.
.. code-block:: lua
-- turns off DNSSEC validation
trust_anchors.keyfile_default = nil
trust_anchors.remove('.')
The resolver supports DNSSEC including :rfc:`5011` automated DNSSEC TA updates
and :rfc:`7646` negative trust anchors. Depending on your distribution, DNSSEC
......@@ -436,10 +436,6 @@ policy, or automatically maintained by the resolver itself.
If you want to disable DNSSEC validation for a particular domain but keep it enabled for the rest of DNS tree, use :func:`trust_anchors.set_insecure`.
.. envvar:: trust_anchors.keyfile_default = keyfile_default
Set by ``keyfile_default`` option during compilation.
.. envvar:: trust_anchors.hold_down_time = 30 * day
:return: int (default: 30 * day)
......
......@@ -32,7 +32,7 @@ ev = event.after(0, function () return 1 end)
-- Import fake root zone; avoid interference with configured keyfile_default.
trust_anchors.keyfile_default = nil
trust_anchors.remove('.')
trust_anchors.add('. IN DS 48409 8 2 3D63A0C25BCE86621DE63636F11B35B908EFE8E9381E0E3E9DEFD89EA952C27D')
local function check_answer(desc, qname, qtype, expected_rcode)
......
......@@ -31,13 +31,3 @@ end
if require('ffi').C.kr_zonecut_is_empty(kres.context().root_hints) then
_hint_root_file()
end
if not trust_anchors.keysets['\0'] and trust_anchors.keyfile_default then
if io.open(trust_anchors.keyfile_default, 'r') then
trust_anchors.config(trust_anchors.keyfile_default, @unmanaged@)
else
panic("cannot open default trust anchor file:'%s'",
trust_anchors.keyfile_default
)
end
end
......@@ -15,9 +15,10 @@ trust_anchors = configure_file(
output: 'trust_anchors.lua',
configuration: ta_config,
)
config_lua = configure_file(
input: 'config.lua.in',
output: 'config.lua',
sandbox = configure_file(
input: 'sandbox.lua.in',
output: 'sandbox.lua',
configuration: ta_config,
)
......@@ -27,10 +28,10 @@ run_target( # run manually to re-generate kres-gen.lua
)
lua_src = [
config_lua,
files('config.lua'),
files('kres.lua'),
files('kres-gen.lua'),
files('sandbox.lua'),
sandbox,
trust_anchors,
files('zonefile.lua'),
]
......
......@@ -325,6 +325,9 @@ modules.load('detect_time_jump')
modules.load('ta_sentinel')
modules.load('edns_keepalive')
-- Load keyfile_default
trust_anchors.add_file('@keyfile_default@', @unmanaged@)
-- Interactive command evaluation
function eval_cmd(line, raw)
-- Compatibility sandbox code loading
......
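Review bot: The unconditional `trust_anchors.add_file('@keyfile_default@', @unmanaged@)` drops both guards that the deleted config.lua.in block had: it no longer skips loading when a root keyset (`keysets['\0']`) is already present, and it no longer panics with "cannot open default trust anchor file" when the file is unreadable. Whether add_file itself raises on a missing unmanaged file is not visible in this diff; if it only warns, a packaging or permission error would leave the resolver running with no root trust anchor, i.e. DNSSEC validation silently off. For the unmanaged case I would keep an explicit check ahead of the call, `if @unmanaged@ and not io.open('@keyfile_default@', 'r') then panic("cannot open default trust anchor file: '%s'", '@keyfile_default@') end` (closing the handle on success), or state in the comment that add_file panics on an unreadable file. Since this now runs at sandbox load, a user config that installs its own root TA will presumably hit the "overriding previously set trust anchors" warning in add_file unless it calls `trust_anchors.remove('.')` first as the updated docs suggest, so the comment could read `-- Load the build-time default root TA; user config overrides it via trust_anchors.remove('.') followed by add/add_file`.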
......@@ -351,7 +351,7 @@ local function add_file(path, unmanaged)
local keyset_orig = trust_anchors.keysets[owner]
if keyset_orig then
warn('[ ta ] warning: overriding previously set trust anchors for ' .. owner_str)
if keyset_orig.managed then
if keyset_orig.managed and ta_update then
ta_update.stop(owner)
end
end
......@@ -427,7 +427,6 @@ trust_anchors = {
bootstrap_url = 'https://data.iana.org/root-anchors/root-anchors.xml',
bootstrap_ca = '@etc_dir@/icann-ca.pem',
keyfile_default = '@keyfile_default@',
-- Load keys from a file, 5011-managed by default.
-- If managed and the file doesn't exist, try bootstrapping the root into it.
......
......@@ -60,7 +60,7 @@ end
local host = 'https://localhost:8080/'
-- avoid interference with configured keyfile_default
trust_anchors.keyfile_default = nil
trust_anchors.remove('.')
local function test_err_cert()
trust_anchors.bootstrap_ca = 'x509/wrongca.pem'
......
trust_anchors.keyfile_default = nil
trust_anchors.remove('.')
local ffi = require('ffi')
......
......@@ -4,7 +4,6 @@
man_config = configuration_data()
man_config.set('version', meson.project_version())
man_config.set('date', run_command('../scripts/get-date.sh').stdout())
man_config.set('keyfile_default', keyfile_default)
man_config.set('man_seealso_systemd', '')
if systemd_files == 'enabled'
......@@ -13,16 +12,6 @@ elif systemd_files == 'nosocket'
man_config.set('man_seealso_systemd', '\\fIkresd.systemd.nosocket(7)\\fR, ')
endif
man_config.set('man_managed_keyfile_default', '')
man_config.set('man_unmanaged_keyfile_default', '')
if managed_ta
man_config.set('man_managed_keyfile_default', '''
Default: "@0@"'''.format(keyfile_default))
else
man_config.set('man_unmanaged_keyfile_default', '''
Default: "@0@"'''.format(keyfile_default))
endif
man_kresd = configure_file(
input: 'kresd.8.in',
output: 'kresd.8',
......
......@@ -7,7 +7,7 @@
@config_defaults@
-- To disable DNSSEC validation, uncomment the following line (not recommended)
-- trust_anchors.keyfile_default = nil
-- trust_anchors.remove('.')
-- Large cache size, so we don't need to flush ever
-- This can be larger than available RAM, least frequently accessed
......
......@@ -6,7 +6,7 @@ net.listen('0.0.0.0')
net.listen('0.0.0.0', 853, {tls=true})
-- To disable DNSSEC validation, uncomment the following line (not recommended)
-- trust_anchors.keyfile_default = nil
-- trust_anchors.remove('.')
-- Load Useful modules
modules = {
......
......@@ -4,7 +4,7 @@
@config_defaults@
-- To disable DNSSEC validation, uncomment the following line (not recommended)
-- trust_anchors.keyfile_default = nil
-- trust_anchors.remove('.')
-- Large cache size, so we don't need to flush often
-- This can be larger than available RAM, least frequently accessed
......
......@@ -3,7 +3,7 @@
@config_defaults@
-- To disable DNSSEC validation, uncomment the following line (not recommended)
-- trust_anchors.keyfile_default = nil
-- trust_anchors.remove('.')
-- Load useful modules
modules = {
......
......@@ -4,7 +4,7 @@
@config_defaults@
-- To disable DNSSEC validation, uncomment the following line (not recommended)
-- trust_anchors.keyfile_default = nil
-- trust_anchors.remove('.')
-- Load Useful modules
modules = {
......
......@@ -3,7 +3,7 @@ net.ipv6 = false
policy.add(policy.all(policy.STUB({ '::1:2:3:4', '1.2.3.4' })))
-- make sure DNSSEC is turned off for tests
trust_anchors.keyfile_default = nil
trust_anchors.remove('.')
-- Disable RFC5011 TA update
if ta_update then
......
......@@ -4,7 +4,7 @@ net.ipv6 = false
policy.add(policy.all(policy.STUB({ '::1:2:3:4', '1.2.3.4' })))
-- make sure DNSSEC is turned off for tests
trust_anchors.keyfile_default = nil
trust_anchors.remove('.')
-- Disable RFC5011 TA update
if ta_update then
......
......@@ -2,7 +2,7 @@
policy.add(policy.suffix(policy.REFUSE, {todname('refuse.example.com')}))
-- make sure DNSSEC is turned off for tests
trust_anchors.keyfile_default = nil
trust_anchors.remove('.')
-- Disable RFC5011 TA update
if ta_update then
......
{% raw %}
-- make sure DNSSEC is turned off for tests
trust_anchors.keyfile_default = nil
trust_anchors.remove('.')
-- Disable RFC5011 TA update
if ta_update then
......
......@@ -2,7 +2,7 @@
modules = { 'serve_stale < cache' }
-- make sure DNSSEC is turned off for tests
trust_anchors.keyfile_default = nil
trust_anchors.remove('.')
-- Disable RFC5011 TA update
if ta_update then
......
......@@ -52,7 +52,7 @@ policy.add(policy.pattern(reply_result, 'stats.test.'))
policy.add(policy.all(FWD_TARGET)) -- avoid iteration
-- make sure DNSSEC is turned off for tests
trust_anchors.keyfile_default = nil
trust_anchors.remove('.')
-- Disable RFC5011 TA update
if ta_update then
......
......@@ -3,7 +3,7 @@ ta_update.refresh_time = 0.1 * sec
ta_update.hold_down_time = 0.2 * sec
-- prevent build-time config from interfering with the test
trust_anchors.keyfile_default = nil
trust_anchors.remove('.')
-- count . IN DNSKEY queries
counter = 0
......
......@@ -6,7 +6,7 @@ view:addr('127.0.0.0/24', policy.suffix(policy.DENY_MSG("addr 127.0.0.0/24 match
policy.add(policy.all(policy.FORWARD('1.2.3.4')))
-- make sure DNSSEC is turned off for tests
trust_anchors.keyfile_default = nil
trust_anchors.remove('.')
-- Disable RFC5011 TA update
if ta_update then
......
......@@ -28,7 +28,7 @@ if detect_time_skew then
end
-- make sure DNSSEC is turned off for tests
trust_anchors.keyfile_default = nil
trust_anchors.remove('.')
_hint_root_file('hints')
cache.size = 2*MB
......
......@@ -43,7 +43,7 @@ policy.add(policy.suffix(policy.PASS, {todname('test.')}))
{% endif %}
-- make sure DNSSEC is turned off for tests
trust_anchors.keyfile_default = nil
trust_anchors.remove('.')
modules.unload("ta_update")
modules.unload("ta_signal_query")
modules.unload("priming")
......