Alias for `add_file`. Its use is discouraged and will be removed in future versions.
-.. function:: trust_anchors.distrust(zonename)
+.. function:: trust_anchors.remove(zonename)
Remove specified trust anchor from trusted key set. Removing trust anchor for the root zone effectivelly disables DNSSEC validation (unless you configured another trust anchor).
.. code-block:: lua
- > trust_anchors.distrust('.')
+ > trust_anchors.remove('.')
true
If you want to disable DNSSEC validation for a particular domain but keep it enabled for the rest of DNS tree, use :func:`trust_anchors.set_insecure`.
.. envvar:: trust_anchors.keyfile_default = keyfile_default
- Set by ``keyfile_default`` option during compilation. This can be explicitly
- set to ``nil`` to disable DNSSEC validation.
+ Set by ``keyfile_default`` option during compilation.
.. envvar:: trust_anchors.hold_down_time = 30 * day
When you use a domain name as an *negative trust anchor* (NTA), DNSSEC validation will be turned off at/below these names.
Each function call replaces the previous NTA set. You can find the current active set in ``trust_anchors.insecure`` variable.
- If you want to disable DNSSEC validation completely use :func:`trust_anchors.distrust` function instead.
+ If you want to disable DNSSEC validation completely use :func:`trust_anchors.remove` function instead.
Example output:
end
end
-local function distrust(zname)
+local function remove(zname)
local owner = kres.str2dname(zname)
if not trust_anchors.keysets[owner] then
return false
-- If managed and the file doesn't exist, try bootstrapping the root into it.
add_file = add_file,
config = add_file,
- distrust = distrust,
+ remove = remove,
keyset_publish = keyset_publish,
keyset_write = keyset_write,
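Review bot: Dropping the `distrust` key from the export table means any existing configuration that calls `trust_anchors.distrust(...)` will fail on a nil field after upgrade. The neighbouring `config = add_file` entry shows the module already keeps discouraged names as aliases. If the break is not intended for this release, keep `distrust = remove, -- deprecated alias for remove(), to be dropped in a future version` next to `remove = remove,` and document it as discouraged the same way `config` is. Because this call is the documented way to drop a trust anchor, a silent rename deserves at least a release note. The table's opening and closing lines are outside the hunk.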
same(root_ta.rrs.count, 1, 'the root TA set contains one RR')
end
-local function test_distrust()
+local function test_remove()
-- uses root key from the previous test
assert(trust_anchors.keysets['\0'], 'root key must be there from previous test')
local ta_c = kres.context().trust_anchors
assert(root_ta ~= nil, 'we got non-NULL TA RRset')
assert(root_ta.rrs.count, 1, 'we have a root TA set to be deleted')
- trust_anchors.distrust('.')
+ trust_anchors.remove('.')
same(trust_anchors.keysets['\0'], nil, 'Lua interface does not have the removed key')
local root_ta = ffi.C.kr_ta_get(ta_c, '\0')
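Review bot: The precondition `assert(root_ta.rrs.count, 1, 'we have a root TA set to be deleted')` in test_remove cannot fail for any numeric count. Lua's `assert` tests only its first argument for truthiness, `1` is taken as the error message, and a count of 0 is still truthy. The previous test uses `same(root_ta.rrs.count, 1, ...)` for the same check, so `same(root_ta.rrs.count, 1, 'we have a root TA set to be deleted')` would confirm exactly one root TA RR exists before `trust_anchors.remove('.')` runs. As written, the visible part of the test does not establish that the C-side store held a key for the removal to delete. test_remove continues past the end of this hunk.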
return {
test_revoked_key,
- test_distrust
+ test_remove,
}
panic('[ta_update] TA must be configured first before tracking it')
end
if not keyset.managed then
- panic('[ta_update] TA is configured as unmanaged; distrust it and '
+ panic('[ta_update] TA is configured as unmanaged; remove it and '
.. 'add it again as managed using trust_anchors.add_file()')
end
refresh_plan(keyset, 0)
ok(modules.unload('ta_update'), 'module can be unloaded')
same(ta_update, nil, 'unloaded module is nil')
- ok(trust_anchors.distrust('.'), 'managed root TA can be removed')
+ ok(trust_anchors.remove('.'), 'managed root TA can be removed')
same(trust_anchors.keysets['\0'], nil, 'TA removal works')
end
worker.sleep(0.3)
ok(counter == 0, 'TA is actually unmanaged')
- ok(trust_anchors.distrust('.'), 'unmanaged root TA can be removed')
+ ok(trust_anchors.remove('.'), 'unmanaged root TA can be removed')
same(trust_anchors.keysets['\0'], nil, 'TA removal works')
end