These will replace `addDS` and `clearDS` in the future.
}
});
+ Lua.writeFunction("addTA", [&lci](const std::string& who, const std::string& what) {
+ warnIfDNSSECDisabled("Warning: adding Trust Anchor for DNSSEC (addTA), but dnssec is set to 'off'!");
+ DNSName zone(who);
+ auto ds = unique_ptr<DSRecordContent>(dynamic_cast<DSRecordContent*>(DSRecordContent::make(what)));
+ lci.dsAnchors[zone].insert(*ds);
+ });
+
+ Lua.writeFunction("clearTA", [&lci](boost::optional<string> who) {
+ warnIfDNSSECDisabled("Warning: removing Trust Anchor for DNSSEC (clearTA), but dnssec is set to 'off'!");
+ if(who)
+ lci.dsAnchors.erase(DNSName(*who));
+ else
+ lci.dsAnchors.clear();
+ });
+
+ /* Remove in 4.3 */
Lua.writeFunction("addDS", [&lci](const std::string& who, const std::string& what) {
warnIfDNSSECDisabled("Warning: adding Trust Anchor for DNSSEC (addDS), but dnssec is set to 'off'!");
+ g_log<<Logger::Warning<<"addDS is deprecated and will be removed in the future, switch to addTA"<<endl;
DNSName zone(who);
auto ds = unique_ptr<DSRecordContent>(dynamic_cast<DSRecordContent*>(DSRecordContent::make(what)));
lci.dsAnchors[zone].insert(*ds);
});
+ /* Remove in 4.3 */
Lua.writeFunction("clearDS", [&lci](boost::optional<string> who) {
+ g_log<<Logger::Warning<<"clearDS is deprecated and will be removed in the future, switch to clearTA"<<endl;
warnIfDNSSECDisabled("Warning: removing Trust Anchor for DNSSEC (clearDS), but dnssec is set to 'off'!");
if(who)
lci.dsAnchors.erase(DNSName(*who));
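Review bot: In the new `addTA` lambda the result of `dynamic_cast<DSRecordContent*>(DSRecordContent::make(what))` is dereferenced on the following line without a null check. If the cast ever yields null, `lci.dsAnchors[zone].insert(*ds)` is undefined behaviour while the trust-anchor configuration is being loaded; whether `make` can return a non-DS record type is not visible in this hunk. A guard before the insert, such as `if (!ds) throw std::runtime_error("addTA: '" + what + "' is not valid DS record content");`, would make a malformed anchor fail loudly instead of leaving validation in an undefined state. The deprecated `addDS` lambda has the same pattern, and since the two bodies are now identical, one shared helper called by both would keep a later parsing fix from landing in only one of them. The `clearDS` lambda continues past the end of the hunk.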
**Note**: it has no support for :rfc:`5011` key rollover and does not persist a changed root trust anchor to disk.
-Configuring DNSSEC key material must be done in the :ref:`setting-lua-config-file`, using :func:`addDS`.
+Configuring DNSSEC key material must be done in the :ref:`setting-lua-config-file`, using :func:`addTA`.
This function takes 2 arguments: the node in the DNS-tree and the data of the corresponding DS record.
To e.g. add a trust anchor for the root and powerdns.com, use the following config in the Lua file:
.. code:: Lua
- addDS('.', "63149 13 1 a59da3f5c1b97fcd5fa2b3b2b0ac91d38a60d33a") -- This is not an ICANN root
- addDS('powerdns.com', "44030 8 2 D4C3D5552B8679FAEEBC317E5F048B614B2E5F607DC57F1553182D49 AB2179F7")
+ addTA('.', "63149 13 1 a59da3f5c1b97fcd5fa2b3b2b0ac91d38a60d33a") -- This is not an ICANN root
+ addTA('powerdns.com', "44030 8 2 D4C3D5552B8679FAEEBC317E5F048B614B2E5F607DC57F1553182D49 AB2179F7")
+
+For PowerDNS Recursor 4.1.x and below, use the :func:`addDS` function instead.
Now (re)start the recursor to load these trust anchors.
See the :doc:`../dnssec` for all information about DNSSEC in the PowerDNS Recursor.
This page only documents the Lua functions for DNSSEC configuration
+.. function:: addTA(name, dscontent)
+
+ .. versionadded:: 4.2.0
+
+ Adds Trust Anchor to the list of DNSSEC anchors.
+
+ :param str name: The name in the DNS tree from where this Trust Anchor should be used
+ :param str dsrecord: The DS Record content associated with ``name``
+
.. function:: addDS(name, dscontent)
+ .. deprecated:: 4.2.0
+ Please use :func:`addTA` instead
+
Adds a DS record (Trust Anchor) to the configuration
:param str name: The name in the DNS tree from where this Trust Anchor should be used