These are mostly experimental and debugging/testing options that are not useful for general users (remain in Lua):
- /logging/debugging
- /max-workers
+ - /network/tls/auto-discovery
- /webmgmt
+- Renamed/moved options in the declarative configuration model (YAML).
+ - /network/tls/files-watchdog -> /network/tls/watchdog
Knot Resolver 6.0.15 (2025-07-17)
"description": "TLS configuration, also affects DNS over TLS and DNS over HTTPS.",
"type": "object",
"properties": {
- "files-watchdog": {
+ "watchdog": {
"anyOf": [
{
"type": "string",
"type": "boolean"
}
],
- "description": "Enables files watchdog for TLS certificate files. Requires the optional 'watchdog' dependency.",
+ "description": "Enables watchdog of changes in TLS certificate files. Requires the optional 'watchdog' dependency.",
"default": "auto"
},
"cert-file": {
"description": "Path to file with secret for TLS session resumption via tickets. (RFC 5077).",
"default": null
},
- "auto-discovery": {
- "type": "boolean",
- "description": "Experimental automatic discovery of authoritative servers supporting DNS-over-TLS.",
- "default": false
- },
"padding": {
"anyOf": [
{
}
},
"default": {
- "files_watchdog": true,
+ "watchdog": true,
"cert_file": null,
"key_file": null,
"sticket_secret": null,
"sticket_secret_file": null,
- "auto_discovery": false,
"padding": true
}
},
},
"address_renumbering": null,
"tls": {
- "files_watchdog": true,
+ "watchdog": true,
"cert_file": null,
"key_file": null,
"sticket_secret": null,
"sticket_secret_file": null,
- "auto_discovery": false,
"padding": true
},
"proxy_protocol": false,
TLS configuration, also affects DNS over TLS and DNS over HTTPS.
---
- files_watchdog: Enables files watchdog for TLS certificate files. Requires the optional 'watchdog' dependency.
+ watchdog: Enables watchdog of changes in TLS certificate files. Requires the optional 'watchdog' dependency.
cert_file: Path to certificate file.
key_file: Path to certificate key file.
sticket_secret: Secret for TLS session resumption via tickets. (RFC 5077).
sticket_secret_file: Path to file with secret for TLS session resumption via tickets. (RFC 5077).
- auto_discovery: Experimental automatic discovery of authoritative servers supporting DNS-over-TLS.
padding: EDNS(0) padding of queries and answers sent over an encrypted channel.
"""
- files_watchdog: Union[Literal["auto"], bool] = "auto"
+ watchdog: Union[Literal["auto"], bool] = "auto"
cert_file: Optional[ReadableFile] = None
key_file: Optional[ReadableFile] = None
sticket_secret: Optional[EscapedStr32B] = None
sticket_secret_file: Optional[ReadableFile] = None
- auto_discovery: bool = False
padding: Union[bool, Int0_512] = True
_LAYER = Raw
- files_watchdog: bool
+ watchdog: bool
cert_file: Optional[ReadableFile] = None
key_file: Optional[ReadableFile] = None
sticket_secret: Optional[EscapedStr32B] = None
sticket_secret_file: Optional[ReadableFile] = None
- auto_discovery: bool = False
padding: Union[bool, Int0_512] = True
- def _files_watchdog(self, obj: Raw) -> Any:
- if obj.files_watchdog == "auto":
+ def _watchdog(self, obj: Raw) -> Any:
+ if obj.watchdog == "auto":
return WATCHDOG_LIB
- return obj.files_watchdog
+ return obj.watchdog
def _validate(self):
if self.sticket_secret and self.sticket_secret_file:
raise ValueError("'sticket_secret' and 'sticket_secret_file' are both defined, only one can be used")
if bool(self.cert_file) != bool(self.key_file):
raise ValueError("'cert-file' and 'key-file' must be configured together")
- if self.cert_file and self.key_file and self.files_watchdog and not WATCHDOG_LIB:
+ if self.cert_file and self.key_file and self.watchdog and not WATCHDOG_LIB:
raise ValueError(
"'files-watchdog' is enabled, but the required 'watchdog' dependency (optional) is not installed"
)
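Review bot: The error message raised right after the renamed condition still refers to the old option name — `"'files-watchdog' is enabled, but the required 'watchdog' dependency (optional) is not installed"` — so an operator who set `/network/tls/watchdog` to true without the library installed is pointed at an option that this commit removes. Since the option and the Python package now share the name `watchdog`, the message should also disambiguate the two, e.g. `"'network/tls/watchdog' is enabled, but the required Python package 'watchdog' (optional dependency) is not installed"`. The check itself looks sound: `"auto"` is already resolved to `WATCHDOG_LIB` by `_watchdog` above, so this branch only fires when the option was explicitly enabled without the library. Any further checks in `_validate` past the end of this hunk are not visible here.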
net.tls_sticket_secret_file('{{ cfg.network.tls.sticket_secret_file }}')
{% endif %}
-{% if cfg.network.tls.auto_discovery %}
--- network.tls.auto-discovery
-modules.load('experimental_dot_auth')
-{% else %}
--- modules.unload('experimental_dot_auth')
-{% endif %}
-
-- network.tls.padding
net.tls_padding(
{%- if cfg.network.tls.padding == true -%}
def watched_files_config(config: KresConfig) -> List[Any]:
return [
- config.network.tls.files_watchdog,
+ config.network.tls.watchdog,
config.network.tls.cert_file,
config.network.tls.key_file,
config.local_data.rpz,
files_to_watch: FilesToWatch = {}
# network.tls
- if config.network.tls.files_watchdog and config.network.tls.cert_file and config.network.tls.key_file:
+ if config.network.tls.watchdog and config.network.tls.cert_file and config.network.tls.key_file:
net_tls = f"net.tls('{config.network.tls.cert_file}', '{config.network.tls.key_file}')"
files_to_watch[config.network.tls.cert_file.to_path()] = net_tls
files_to_watch[config.network.tls.key_file.to_path()] = net_tls
@pytest.mark.parametrize(
"tls",
[
- {"files-watchdog": "auto"},
- {"files-watchdog": True},
- {"files-watchdog": False},
+ {"watchdog": "auto"},
+ {"watchdog": True},
+ {"watchdog": False},
],
)
-def test_tls_files_watchdog(tls: Dict[str, Any]):
- expected: bool = WATCHDOG_LIB if tls["files-watchdog"] == "auto" else tls["files-watchdog"]
- assert TLSSchema(tls).files_watchdog == expected
+def test_tls_watchdog(tls: Dict[str, Any]):
+ expected: bool = WATCHDOG_LIB if tls["watchdog"] == "auto" else tls["watchdog"]
+ assert TLSSchema(tls).watchdog == expected
# }}
# configure TLS certificate files and turn on watchdog
-kresctl config set -p /network/tls/files-watchdog true
+kresctl config set -p /network/tls/watchdog true
if [ "$?" -ne "0" ]; then
echo "Could not turn on TLS certificate files watchdog."
exit 1