From 41ba4b4d1feae7b11c651647c2326466d4622008 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Tue, 19 Mar 2019 13:01:35 +0100 Subject: [PATCH] trust_anchors: remove syntactic sugar and duplicity --- NEWS | 3 +++ ci/respdiff/kresd.config | 2 +- daemon/README.rst | 10 +++------- daemon/lua/trust_anchors.lua.in | 18 ++++++++++++------ doc/upgrading.rst | 22 ++++++++++++++++++++++ scripts/kresd-host.lua | 4 ++-- 6 files changed, 43 insertions(+), 16 deletions(-) diff --git a/NEWS b/NEWS index a82954d00..66dfce29b 100644 --- a/NEWS +++ b/NEWS @@ -5,6 +5,8 @@ Incompatible changes -------------------- - see upgrading guide: https://knot-resolver.readthedocs.io/en/v4.0.0/upgrading.html#upgrade-from-3-to-4 +- configuration: trust_anchors aliases .file, .config() and .negative were removed (!788) +- configuration: trust_anchors.keyfile_default is no longer accessible (!788) - meson build system is now used for builds (!771) - build with embedded LMBD is no longer supported - default modules dir location has changed @@ -33,6 +35,7 @@ Bugfixes - policy.RPZ: log problems from zone-file level of parser as well (#453) - fix flushing of messages to logs in some cases (!781) - fix fallback when SERVFAIL or REFUSED is received from upstream (!784) +- fix crash when dealing with unknown TA key algorhitm (#449) Module API changes ------------------ diff --git a/ci/respdiff/kresd.config b/ci/respdiff/kresd.config index c733601a0..fb5a33d29 100644 --- a/ci/respdiff/kresd.config +++ b/ci/respdiff/kresd.config @@ -5,7 +5,7 @@ net.listen('127.0.0.1', 8853, { tls = true }) net.ipv6=false -- Auto-maintain root TA -trust_anchors.file = '.local/etc/knot-resolver/root.keys' +trust_anchors.add_file('.local/etc/knot-resolver/root.keys') -- Large cache size, so we don't need to flush often -- This can be larger than available RAM, least frequently accessed diff --git a/daemon/README.rst b/daemon/README.rst index b2de69ba7..3d76095bd 100644 --- a/daemon/README.rst +++ b/daemon/README.rst 
@@ -305,7 +305,7 @@ Environment net = { '127.0.0.1', '::1' } -- unprivileged cache.size = 100*MB - trust_anchors.file = 'root.key' + trust_anchors.add_file('root.key') Example output: @@ -398,7 +398,7 @@ and :rfc:`7646` negative trust anchors. Depending on your distribution, DNSSEC trust anchors should be either maintained in accordance with the distro-wide policy, or automatically maintained by the resolver itself. -.. function:: trust_anchors.add_file(keyfile, readonly) +.. function:: trust_anchors.add_file(keyfile[, readonly = false]) :param string keyfile: path to the file. :param readonly: if true, do not attempt to update the file. @@ -421,10 +421,6 @@ policy, or automatically maintained by the resolver itself. [ ta ] key: 19036 state: Valid -.. function:: trust_anchors.config(keyfile, readonly) - - Alias for `add_file`. Its use is discouraged and will be removed in future versions. - .. function:: trust_anchors.remove(zonename) Remove specified trust anchor from trusted key set. Removing trust anchor for the root zone effectivelly disables DNSSEC validation (unless you configured another trust anchor). @@ -638,7 +634,7 @@ Example: $ kresd-query.lua www.sub.nic.cz 'assert(kres.dname2str(req:resolved().zone_cut.name) == "nic.cz.")' && echo "yes" yes - $ kresd-query.lua -C 'trust_anchors.config("root.keys")' nic.cz 'assert(req:resolved().flags.DNSSEC_WANT)' + $ kresd-query.lua -C 'trust_anchors.add_file("root.keys")' nic.cz 'assert(req:resolved().flags.DNSSEC_WANT)' $ echo $? 0 diff --git a/daemon/lua/trust_anchors.lua.in b/daemon/lua/trust_anchors.lua.in index efcdae15d..f235a9707 100644 --- a/daemon/lua/trust_anchors.lua.in +++ b/daemon/lua/trust_anchors.lua.in 
@@ -11,6 +11,11 @@ local key_state = {
 Missing = 'Missing', Revoked = 'Revoked', Removed = 'Removed'
 }
 
+local function upgrade_required(field)
+ panic('Configuration upgrade required! Please refer to ' ..
+ 'https://knot-resolver.readthedocs.io/en/stable/upgrading.html')
+end
+
 -- TODO: Move bootstrap to a separate module or even its own binary
 -- Fetch over HTTPS with peert cert checked
 local function https_fetch(url, ca)
@@ -431,7 +436,7 @@ trust_anchors = {
 -- Load keys from a file, 5011-managed by default.
 -- If managed and the file doesn't exist, try bootstrapping the root into it.
 add_file = add_file,
- config = add_file,
+ config = upgrade_required,
 remove = remove,
 keyset_publish = keyset_publish,
 
@@ -515,11 +520,12 @@ trust_anchors = {
 
 -- Syntactic sugar for TA store
 setmetatable(trust_anchors, {
- __newindex = function (t,k,v)
- if k == 'file' then t.config(v)
- elseif k == 'negative' then t.set_insecure(v)
- else rawset(t, k, v) end
- end,
+ __newindex = function (t,k,v)
+ if k == 'file' then upgrade_required()
+ elseif k == 'negative' then upgrade_required()
+ elseif k == 'keyfile_default' then upgrade_required()
+ else rawset(t, k, v) end
+ end,
 })
 
 return trust_anchors
diff --git a/doc/upgrading.rst b/doc/upgrading.rst
index 1ea5e1990..f38c1e4a0 100644
--- a/doc/upgrading.rst
+++ b/doc/upgrading.rst
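Review bot: The `field` parameter of `upgrade_required` is never used and the three `__newindex` branches call it with no argument, so the panic tells the operator only that an upgrade is required, not which removed option (`file`, `negative`, `keyfile_default` or `config()`) their configuration still uses; the `config = upgrade_required` alias, by contrast, would receive the keyfile path as `field`, which is not what the name suggests. I would forward the key and collapse the identical branches into `if k == 'file' or k == 'negative' or k == 'keyfile_default' then upgrade_required(k)`, wrap the alias as `config = function () upgrade_required('config') end`, and name the option in the message: `panic('trust_anchors.' .. tostring(field) .. ' was removed; configuration upgrade required! Please refer to ' ..`. Failing hard here rather than silently accepting the assignment is the right call, since an ignored `trust_anchors.file = ...` would leave the resolver running without the trust anchor the operator believes is loaded. The link also differs from the one in the NEWS entry (`/en/stable/upgrading.html` here versus `/en/v4.0.0/upgrading.html#upgrade-from-3-to-4`); the versioned anchor will keep pointing at the 3-to-4 section after later releases, the stable one may not. The `trust_anchors = {` constructor edited by the second hunk begins and ends outside the hunk.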
@@ -19,6 +19,28 @@ Users location. The exact location depends on your distribution. Generally, modules previously in ``/usr/lib/kdns_modules`` should be moved to ``/usr/lib/knot-resolver/kres_modules``. +Configuration +~~~~~~~~~~~~~ + +* ``trust_anchors.file``, ``trust_anchors.config()`` and ``trust_anchors.negative`` + aliases were removed to avoid duplicity + + .. csv-table:: + :header: "3.x configuration", "4.x configuration" + + "``trust_anchors.file = path``", "``trust_anchors.add_file(path)``" + "``trust_anchors.config(path, readonly)``", "``trust_anchors.add_file(path, readonly)``" + "``trust_anchors.negative = nta_set``", "``trust_anchors.set_insecure(nta_set)``" + +* ``trust_anchors.keyfile_default`` is no longer accessible and is only possible to set + at compile time. To turn off DNSSEC, use ``trust_anchors.remove('.')``. + + .. csv-table:: + :header: "3.x configuration", "4.x configuration" + + "``trust_anchors.keyfile_default = nil``", "``trust_anchors.remove('.')``" + + Packagers & Developers ---------------------- diff --git a/scripts/kresd-host.lua b/scripts/kresd-host.lua index 9348716af..bfbcbf19e 100755 --- a/scripts/kresd-host.lua +++ b/scripts/kresd-host.lua @@ -41,10 +41,10 @@ k = 1 while k <= #arg do k = k + 1 table.insert(config, arg[k]) elseif v == '-D' then - table.insert(config, 'trust_anchors.file = "root.keys"') + table.insert(config, 'trust_anchors.add_file("root.keys")') elseif v == '-f' then k = k + 1 - table.insert(config, string.format('trust_anchors.file = "%s"', arg[k])) + table.insert(config, string.format('trust_anchors.add_file("%s")', arg[k])) elseif v == '-v' then verbose = true elseif v == '-d' then -- 2.47.3
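Review bot: The `-f` branch still splices `arg[k]` into generated Lua source with `%s`, so a path containing a double quote or a backslash yields a broken or altered `trust_anchors.add_file(...)` statement; `%q` formats it as a properly escaped Lua string literal: `table.insert(config, string.format('trust_anchors.add_file(%q)', arg[k]))`. This predates the commit, but the line is being rewritten anyway, which makes it the natural moment to fix it. The `while k <= #arg do` loop this belongs to begins and ends outside the hunk.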