From: Pieter Lexis Date: Tue, 23 Oct 2018 15:13:44 +0000 (+0200) Subject: Document incompatibility between loading TAs from disk and runtime managemen X-Git-Tag: dnsdist-1.3.3~23^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9893699fb5ee25b666562c355d16ca640b2a6259;p=thirdparty%2Fpdns.git Document incompatibility between loading TAs from disk and runtime managemen --- diff --git a/pdns/recursordist/docs/dnssec.rst b/pdns/recursordist/docs/dnssec.rst index 7c54102c64..6d8dc52cf2 100644 --- a/pdns/recursordist/docs/dnssec.rst +++ b/pdns/recursordist/docs/dnssec.rst @@ -103,7 +103,9 @@ Now (re)start the recursor to load these trust anchors. Reading trust anchors from files ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Since version 4.2.0 of the PowerDNS Recursor, it is also possible to read the Trust Anchors from a BIND-style zonefile. +.. versionadded:: 4.2.0 + +It is also possible to read the Trust Anchors from a BIND-style zonefile using the :func:`readTrustAnchorsFromFile` in the :ref:`setting-lua-config-file`. Only the DS and DNSKEY records from this file are read. This file is (by default) re-read every 24 hours for updates. Debian and its derivatives ship the ``dns-root-data`` package that contains the DNSSEC root trust anchors in ``/usr/share/dns/root.key``. @@ -115,6 +117,11 @@ To only use the distribution-provided Trust Anchors, add the following to the :r clearTA() -- Remove built-in trust-anchors readTrustAnchorsFromFile("/usr/share/dns/root.key") -- Use these keys +.. note:: + When using :func:`readTrustAnchorsFromFile`, any runtime changes to Trust Anchors (see below) will be overwritten when the file is refreshed. + To prevent this, set the ``interval`` parameter to ``0``. + This will **disable** automatic reloading of the file. + Runtime Configuration of Trust Anchors ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To change or add trust anchors at runtime, use the :doc:`manpages/rec_control.1` tool.
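Review bot: In the first hunk, the new sentence "read the Trust Anchors from a BIND-style zonefile using the :func:`readTrustAnchorsFromFile` in the :ref:`setting-lua-config-file`" is missing the word "function" after the role, so it reads as "using the readTrustAnchorsFromFile in the lua-config-file"; suggest "using the :func:`readTrustAnchorsFromFile` function in the :ref:`setting-lua-config-file`". Also confirm that a matching ``.. function:: readTrustAnchorsFromFile`` target exists in the Recursor docs, otherwise the two new ``:func:`` cross-references (here and in the second hunk) will render as unresolved. The ``.. versionadded:: 4.2.0`` directive is a good replacement for the inline "Since version 4.2.0" text, since it renders consistently with the rest of the docs.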
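Review bot: In the second hunk, the added note tells the reader to "set the ``interval`` parameter to ``0``" but the only call shown on the page, ``readTrustAnchorsFromFile("/usr/share/dns/root.key")``, does not pass an interval at all, so a reader cannot tell where the argument goes; suggest adding the call form with the interval argument to the note (or a short ``.. code-block:: Lua`` under it) so the disable-reload case is copy-pasteable. The note should also spell out the trade-off of ``0``: the file is no longer re-read, so updates to the distribution's ``dns-root-data`` package (the 24-hour refresh mentioned just above) will not be picked up until the recursor is restarted or the anchors are re-read by hand, which matters for DNSSEC validation staying current. Finally, "(see below)" would be more robust as a ``:ref:`` to the "Runtime Configuration of Trust Anchors" section, since the note may later be moved away from it.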