From: Aleš Mrázek Date: Mon, 14 Apr 2025 18:08:29 +0000 (+0200) Subject: datamodel: stabilize dns64 schema X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d475ad4afa812e3cddb5a1ad792abb554303ef3c;p=thirdparty%2Fknot-resolver.git datamodel: stabilize dns64 schema --- diff --git a/NEWS b/NEWS index a8fc79b78..c341c8de1 100644 --- a/NEWS +++ b/NEWS @@ -18,6 +18,8 @@ Incompatible changes - /network/tls/auto-discovery - /webmgmt - Renamed/moved options in the declarative configuration model (YAML). + - /dns64: true|false -> /dns64/enabled: true|false + - /dns64/rev-ttl -> /dns64/reverse-ttl - /dnssec: true|false -> /dnssec/enabled: true|false - /dnssec/keep-removed -> /dnssec/trust-anchors-keep-removed - /dnssec/trust-anchor-sentinel -> /dnssec/sentinel diff --git a/doc/_static/config.schema.json b/doc/_static/config.schema.json index 7af6bae48..f85b13710 100644 --- a/doc/_static/config.schema.json +++ b/doc/_static/config.schema.json 
@@ -1324,44 +1324,46 @@ } }, "dns64": { - "anyOf": [ - { - "type": "boolean" + "description": "DNS64 (RFC 6147) configuration.", + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Enable/disable DNS64.", + "default": false }, - { - "description": "DNS64 (RFC 6147) configuration.", - "type": "object", - "properties": { - "prefix": { - "type": "string", - "description": "IPv6 prefix to be used for synthesizing AAAA records.", - "default": "64:ff9b::/96" - }, - "rev-ttl": { - "type": [ - "string", - "null" - ], - "pattern": "^(\\d+)(us|ms|s|m|h|d)$", - "description": "TTL in CNAME generated in the reverse 'ip6.arpa.' subtree.", - "default": null - }, - "exclude-subnets": { - "type": [ - "array", - "null" - ], - "items": { - "type": "string" - }, - "description": "IPv6 subnets that are disallowed in answer.", - "default": null - } - } + "prefix": { + "type": "string", + "description": "IPv6 prefix to be used for synthesizing AAAA records.", + "default": "64:ff9b::/96" + }, + "reverse-ttl": { + "type": [ + "string", + "null" + ], + "pattern": "^(\\d+)(us|ms|s|m|h|d)$", + "description": "TTL in CNAME generated in the reverse 'ip6.arpa.' subtree.", + "default": null + }, + "exclude-subnets": { + "type": [ + "array", + "null" + ], + "items": { + "type": "string" + }, + "description": "IPv6 subnets that are disallowed in answer.", + "default": null } - ], - "description": "Disable DNS64 (RFC 6147), enable with defaults or set new configuration.", - "default": false + }, + "default": { + "enabled": false, + "prefix": "64:ff9b::/96", + "reverse_ttl": null, + "exclude_subnets": null + } }, "logging": { "description": "Logging and debugging configuration.", diff --git a/doc/user/config-dns64.rst b/doc/user/config-dns64.rst index 85c4605e3..6e87518cf 100644 --- a/doc/user/config-dns64.rst +++ b/doc/user/config-dns64.rst 
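Review bot: The new object-level `default` for `dns64` uses the keys `reverse_ttl` and `exclude_subnets`, while the properties declared just above it in the same hunk are `reverse-ttl` and `exclude-subnets`, so the published default does not match the property names it is a default for. The two entries should read `"reverse-ttl": null,` and `"exclude-subnets": null`. If this file is generated from the Python datamodel (not visible here), the fix belongs in the generator's serialisation of defaults rather than in a hand edit of this file.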
@@ -14,14 +14,16 @@ By default, the well-known prefix ``64:ff9b::/96`` is used. .. code-block:: yaml - dns64: true + dns64: + enabled: true It is also possible to configure own prefix. .. code-block:: yaml - dns64: - prefix: 2001:db8::aabb:0:0/96 + dns64: + enabled: true + prefix: 2001:db8::aabb:0:0/96 .. warning:: @@ -39,18 +41,20 @@ TTL in CNAME generated in the reverse ``ip6.arpa.`` subtree is configurable. .. code-block:: yaml - dns64: - prefix: 2001:db8:77ff::/96 - ttl-reverse: 300s + dns64: + enable: true + prefix: 2001:db8:77ff::/96 + reverse-ttl: 300s You can specify a set of IPv6 subnets that are disallowed in answer. If they appear, they will be replaced by AAAAs generated from As. .. code-block:: yaml - dns64: - prefix: 2001:db8:3::/96 - exclude: [2001:db8:888::/48, '::ffff/96'] + dns64: + enable: true + prefix: 2001:db8:3::/96 + exclude: [2001:db8:888::/48, '::ffff/96'] # You could even pass '::/0' to always force using generated AAAAs. diff --git a/python/knot_resolver/datamodel/config_schema.py b/python/knot_resolver/datamodel/config_schema.py index 65c90babc..656197af4 100644 --- a/python/knot_resolver/datamodel/config_schema.py +++ b/python/knot_resolver/datamodel/config_schema.py @@ -101,7 +101,7 @@ class KresConfig(ConfigSchema): forward: List of Forward Zones and its configuration. cache: DNS resolver cache configuration. dnssec: DNSSEC configuration. - dns64: Disable DNS64 (RFC 6147), enable with defaults or set new configuration. + dns64: DNS64 (RFC 6147) configuration. logging: Logging and debugging configuration. monitoring: Metrics exposisition configuration (Prometheus, Graphite) lua: Custom Lua configuration. 
@@ -122,7 +122,7 @@ class KresConfig(ConfigSchema): forward: Optional[List[ForwardSchema]] = None cache: CacheSchema = lazy_default(CacheSchema, {}) dnssec: DnssecSchema = DnssecSchema() - dns64: Union[bool, Dns64Schema] = False + dns64: Dns64Schema = Dns64Schema() logging: LoggingSchema = LoggingSchema() monitoring: MonitoringSchema = MonitoringSchema() rate_limiting: Optional[RateLimitingSchema] = None @@ -143,7 +143,7 @@ class KresConfig(ConfigSchema): forward: Optional[List[ForwardSchema]] cache: CacheSchema dnssec: DnssecSchema - dns64: Union[Literal[False], Dns64Schema] + dns64: Dns64Schema logging: LoggingSchema monitoring: MonitoringSchema rate_limiting: Optional[RateLimitingSchema] @@ -166,11 +166,6 @@ class KresConfig(ConfigSchema): ) return obj.workers - def _dns64(self, obj: Raw) -> Any: - if obj.dns64 is True: - return Dns64Schema() - return obj.dns64 - def _validate(self) -> None: # warn about '/management/unix-socket' not located in '/rundir' if self.management.unix_socket and self.management.unix_socket.to_path().parent != self.rundir.to_path(): diff --git a/python/knot_resolver/datamodel/dns64_schema.py b/python/knot_resolver/datamodel/dns64_schema.py index cc0fa06a5..130ad9722 100644 --- a/python/knot_resolver/datamodel/dns64_schema.py +++ b/python/knot_resolver/datamodel/dns64_schema.py @@ -9,11 +9,13 @@ class Dns64Schema(ConfigSchema): DNS64 (RFC 6147) configuration. --- + enabled: Enable/disable DNS64. prefix: IPv6 prefix to be used for synthesizing AAAA records. - rev_ttl: TTL in CNAME generated in the reverse 'ip6.arpa.' subtree. + reverse_ttl: TTL in CNAME generated in the reverse 'ip6.arpa.' subtree. exclude_subnets: IPv6 subnets that are disallowed in answer. """ + enabled: bool = False prefix: IPv6Network96 = IPv6Network96("64:ff9b::/96") - rev_ttl: Optional[TimeUnit] = None + reverse_ttl: Optional[TimeUnit] = None exclude_subnets: Optional[List[IPv6Network]] = None 
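Review bot: `enabled: bool = False` in `Dns64Schema` means a configuration that sets only `dns64: {prefix: ...}` now validates but leaves DNS64 off, whereas before this commit an object value was truthy under `{% if cfg.dns64 %}` and loaded the module. The NEWS entry covers only the `true|false` form, so this case changes resolver behaviour silently on upgrade; state it in NEWS and in the docstring, e.g. `enabled: Enable/disable DNS64; the other options have no effect while this is false.` The examples added to config-dns64.rst in this commit also spell the key `enable:` and still use `exclude:`, which do not match the `enabled` and `exclude_subnets` fields defined here. The class body starts above this hunk.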
diff --git a/python/knot_resolver/datamodel/templates/dns64.lua.j2 b/python/knot_resolver/datamodel/templates/dns64.lua.j2 index c5239f00e..f23093464 100644 --- a/python/knot_resolver/datamodel/templates/dns64.lua.j2 +++ b/python/knot_resolver/datamodel/templates/dns64.lua.j2 @@ -1,17 +1,24 @@ {% from 'macros/common_macros.lua.j2' import string_table %} -{% if cfg.dns64 %} --- load dns64 module +{% if cfg.dns64.enabled %} + +-- Enable DNS64 by loading module modules.load('dns64') --- dns64.prefix +-- Configure DNS64 module dns64.config({ prefix = '{{ cfg.dns64.prefix.to_std().network_address|string }}', -{% if cfg.dns64.rev_ttl %} - rev_ttl = {{ cfg.dns64.rev_ttl.seconds() }}, +{% if cfg.dns64.reverse_ttl %} + rev_ttl = {{ cfg.dns64.reverse_ttl.seconds() }}, {% endif %} {% if cfg.dns64.exclude_subnets %} exclude_subnets = {{ string_table(cfg.dns64.exclude_subnets) }}, {% endif %} }) + +{% else %} + +-- Disable DNS64 by unloading module +-- modules.unload('dns64') + {% endif %} \ No newline at end of file diff --git a/tests/manager/datamodel/test_config_schema.py b/tests/manager/datamodel/test_config_schema.py index 2a6180e8e..9ad424c15 100644 --- a/tests/manager/datamodel/test_config_schema.py +++ b/tests/manager/datamodel/test_config_schema.py @@ -50,7 +50,7 @@ def test_config_defaults(): config = KresConfig() # DNS64 default - assert config.dns64 == False + assert config.dns64.enabled == False def test_dnssec_false(): @@ -73,7 +73,10 @@ def test_dnssec_default_true(): def test_dns64_prefix_default(): - assert str(KresConfig({"dns64": True}).dns64.prefix) == "64:ff9b::/96" + config = KresConfig({"dns64": {"enabled": True}}) + + assert config.dns64.enabled == True + assert str(config.dns64.prefix) == "64:ff9b::/96" def test_config_json_schema():
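Review bot: The new `{% else %}` branch is headed `-- Disable DNS64 by unloading module`, but the only statement under it, `-- modules.unload('dns64')`, is itself a Lua comment, so the rendered output does nothing when `enabled` is false. If this template can be re-applied to a running resolver (not visible in this hunk), a module loaded earlier would keep synthesizing AAAA records after the operator has turned DNS64 off. Either emit the call for real, `modules.unload('dns64')`, or reword the comment to say that nothing is unloaded, e.g. `-- DNS64 disabled: module is not loaded`.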
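Review bot: The updated tests in `test_config_defaults` and `test_dns64_prefix_default` cover only the default and the `enabled: true` path; nothing checks that the removed boolean form is now rejected or that the renamed `reverse-ttl` key is accepted. A case asserting that `KresConfig({"dns64": True})` raises the datamodel's validation error, and one that sets `reverse-ttl`, would pin the incompatible change listed in NEWS. As a style point, `assert config.dns64.enabled == False` and `== True` read better as `assert not config.dns64.enabled` and `assert config.dns64.enabled is True`. `test_config_defaults` starts above its hunk.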