master2 = t.server("knot")
slave = t.server("knot")
-# flush zones immediately
-for server in [master1, master2, slave]:
- slave.zonefile_sync = "0"
-
t.link([zone], master1, master2)
t.link([zone], master1, slave)
t.link([zone], master2, slave)
slave.journal_db_size = 1024 * 1024
-slave.zones[zone.name].journal_content = "all"
+slave.conf_zone(zone).journal_content = "all"
+
+# flush zones immediately
+for server in [master1, master2, slave]:
+ server.conf_zone(zone).zonefile_sync = "0"
t.start()
t.link(zones, master, slave)
-master.zonefile_sync = -1
+master.conf_zone(zones).zonefile_sync = -1
t.start()
serial = slave.zones_wait(zones)
master = t.server("knot")
slave = t.server("knot")
-slave.zonefile_sync = 24 * 60 * 60
t.link([zone], master, slave)
+slave.conf_zone(zone).zonefile_sync = 24 * 60 * 60
+
t.start()
# verify zone bootstrap
zone = t.zone("example.com.")
-t.link(zone, master, slave, journal_content="all")
-slave.zonefile_sync = "-1"
-slave.zonefile_load = "none"
+t.link(zone, master, slave)
+
+slave.conf_zone(zone).journal_content = "all"
+slave.conf_zone(zone).zonefile_sync = "-1"
+slave.conf_zone(zone).zonefile_load = "none"
t.start()
slave.dnssec(zone).enable = True
-master.zonemd_verify = True
-slave.zonemd_verify = True
-slave.zonemd_generate = random.choice(["zonemd-sha384", "zonemd-sha512"])
+master.conf_zone(zone).zonemd_verify = True
+slave.conf_zone(zone).zonemd_verify = True
+slave.conf_zone(zone).zonemd_generate = random.choice(["zonemd-sha384", "zonemd-sha512"])
t.start()
knot = t.server("knot")
knot.DIG_TIMEOUT = 2
-knot.tcp_reuseport = True
bind = t.server("bind")
zone = t.zone("example.", "example.zone.nsec", storage=".")
t.link(zone, knot)
t.link(zone, bind)
+knot.conf_srv().tcp_reuseport = True
+
t.start()
# B1. Answer.
knot = t.server("knot")
knot.DIG_TIMEOUT = 2
-knot.tcp_reuseport = True
bind = t.server("bind")
zone = t.zone("example.", "example.zone.nsec3", storage=".")
t.link(zone, knot)
t.link(zone, bind)
+knot.conf_srv().tcp_reuseport = True
+
t.start()
knot.zone_wait(zone)
bind.zone_wait(zone)
master = t.server("knot")
slave = t.server("knot")
-master.zonefile_sync = "0" # Not needed, just to ensure catalog with up-to-date zone file.
-
(cat0, memb0) = add_catalog(t, master, slave)
t.start()
master.cat_interpret(catz)
-master.zones[catz[0].name].journal_content = "all"
+master.conf_zone(catz).journal_content = "all"
master.dnssec(stuckzone).enable = True
master.dnssec(stuckzone).single_type_signing = True
-master.dnssec(stuckzone).ds_push = stuck_parent
master.dnssec(stuckzone).propagation_delay = 1
-master.tcp_remote_io_timeout = 40000
+master.conf_zone(stuckzone).ds_push = [ stuck_parent ]
+
+master.conf_srv().tcp_remote_io_timeout = 40000
master.gen_confile()
master.key_gen(stuckzone[0].name, ksk="true", zsk="true", active="+0")
slave.cat_interpret(cz)
slave.dnssec(catz[0]).enable = DNSSEC
-slave.dnssec(catz[0]).alg = "ECDSAP256SHA256"
-slave.zones[catz[0].name].journal_content = "all"
+slave.dnssec(catz[0]).algorithm = "ECDSAP256SHA256"
+slave.conf_zone(catz).journal_content = "all"
slave.journal_db_size = 200 * 1024 * 1024
if master.valgrind:
- master.tcp_idle_timeout = 15000
+ master.conf_srv().tcp_idle_timeout = 15000
t.start()
t = Test(stress=False)
knot = t.server("knot")
-
-if knot.valgrind:
- knot.semantic_check = False
-
catz = t.zone("catalog1.", storage=".")
t.link(catz, knot)
knot.cat_interpret(catz)
+if knot.valgrind:
+ knot.conf_zone(catz).semantic_checks = False
+
os.mkdir(knot.dir + "/catalog")
t.start()
t = Test()
knot = t.server("knot")
-knot.bg_workers = 4
-
-knot.semantic_check = False
catz = t.zone("catalog1.", storage=".")
rzone = t.zone(".") # to slow down background workers
rzone[0].update_rnd() # it needs to be larger, slower
-t.link(catz, knot, journal_content = "none")
-t.link(rzone, knot, journal_content = "none")
+t.link(catz, knot)
+t.link(rzone, knot)
knot.cat_interpret(catz)
+knot.conf_srv().background_workers = 4
+knot.conf_zone(catz + rzone).journal_content = "none"
+knot.conf_zone(catz + rzone).semantic_checks = False
+
catalog_dir = os.path.join(knot.dir, "catalog")
os.mkdir(catalog_dir)
for zf in glob.glob(t.data_dir + "/*.zone"):
knot.dnssec(z).signing_threads = "2"
if not knot.valgrind: # it would be too slow with valgrind
knot.dnssec(z).nsec3 = True
- knot.dnssec(z).nsec3_iters = "65000"
- knot.dnssec(z).alg = "rsasha512"
+ knot.dnssec(z).nsec3_iterations = "65000"
+ knot.dnssec(z).algorithm = "rsasha512"
knot.dnssec(z).zsk_size = "4096"
# Whether to test a property change instead of add/del.
master.dnssec(z).nsec3 = True
for s in [ master, slave ]:
- s.bg_workers = 3
- s.udp_workers = 1
- s.tcp_workers = 1
+ s.conf_srv().background_workers = 3
+ s.conf_srv().udp_workers = 1
+ s.conf_srv().tcp_workers = 1
t.start()
slave.zones_wait(zones)
t.link(zones, master, slave, ixfr=True)
-slave.zonemd_generate = "zonemd-sha512"
+slave.conf_zone(zones).zonemd_generate = "zonemd-sha512"
t.start()
master = t.server("knot")
zones = t.zone("example.")
-t.link(zones, master, journal_content="all")
+
+t.link(zones, master)
+
+master.conf_zone(zones).journal_content = "all"
t.start()
t.link(zone, master_nsec3, ddns=True)
master_nsec3.dnssec(zone).enable = True
master_nsec3.dnssec(zone).nsec3 = True
-master_nsec3.dnssec(zone).nsec3_salt_len = 8
+master_nsec3.dnssec(zone).nsec3_salt_length = 8
master_nsec3.dnssec(zone).nsec3_opt_out = (random.random() < 0.5)
t.start()
master.dnssec(zone).enable = True
if random.choice([False, True]):
- master.zones[ZONE].journal_content = "all"
+ master.conf_zone(zone).journal_content = "all"
if random.choice([False, True]):
- master.zonemd_generate = "zonemd-sha512"
- slave.zonemd_verify = True
+ master.conf_zone(zone).zonemd_generate = "zonemd-sha512"
+ slave.conf_zone(zone).zonemd_verify = True
t.start()
t.link(zone, master, slave, ddns=True)
slave.dnssec(zone).enable = True
-slave.ddns_master = ""
+slave.conf_zone(zone).ddns_master = ""
t.start()
master = t.server("knot")
zone = t.zone("example.com.")
-master.zone_size_limit = 500
-
t.link(zone, master, ddns=True)
+
+master.conf_zone(zone).zone_max_size = 500
+
t.start()
master.zones_wait(zone)
master = t.server("knot")
zone = t.zone("example.com.")
-master.zone_size_limit = 5000
-
t.link(zone, master, ddns=True)
+
+master.conf_zone(zone).zone_max_size = 5000
+
t.start()
master.zones_wait(zone)
# Step 2. Check possibly dead pointer in additionals_tree (server would crash).
if next_step == 2:
- master.zone_size_limit = 10000
+ master.conf_zone(zone).zone_max_size = 10000
master.gen_confile()
master.reload()
soa1 = resp.soa_serial()
master.stop()
- master.zone_size_limit = 10000
+ master.conf_zone(zone).zone_max_size = 10000
master.gen_confile()
master.start() # let the changesets from journal apply
master.zones_wait(zone)
master = t.server("knot")
slave = t.server("knot")
-slave.zonefile_sync = "-1"
zone = t.zone_rnd(1, dnssec=False)
t.link(zone, master, slave)
+
+slave.conf_zone(zone).zonefile_sync = "-1"
slave.dnssec(zone).enable = True
t.start()
def configure_dnssec(server1, master, server2, server3, roll):
t.link(zone, master, server1, ddns=True)
- server1.tcp_remote_io_timeout = 1500
+ server1.conf_srv().tcp_remote_io_timeout = 1500
if DNSKEY_MASTER < 2:
- server1.ddns_master = ""
+ server1.conf_zone(zone).ddns_master = ""
if DNSKEY_MASTER > 0:
- server1.ixfr_benevolent = True
+ server1.conf_zone(list(server1.zones.keys())).ixfr_benevolent = True
server_mod = int(server1.name[-1]) - 2
server1.dnssec(zone).enable = True
server1.dnssec(zone).single_type_signing = (roll == 2)
server1.dnssec(zone).propagation_delay = 4
- server1.dnssec(zone).ksk_sbm_timeout = 4
- server1.dnssec(zone).dnskey_mgmt = "incremental"
+ server1.conf_ss("submission", zone).timeout = 4
+ server1.dnssec(zone).dnskey_management = "incremental"
server1.dnssec(zone).delete_delay = 4
- server1.dnssec(zone).cds_publish = ("always" if CDS else "none")
+ server1.dnssec(zone).cds_cdnskey_publish = ("always" if CDS else "none")
server1.dnssec(zone).keytag_modulo = "%d/3" % server_mod
if DNSKEY_MASTER == 1:
- server1.dnssec(zone).dnskey_sync = [ master ]
+ server1.conf_ss("dnskey-sync", zone).remote = [ master ]
else:
- server1.dnssec(zone).dnskey_sync = [ server2, server3 ] if SIGNERS3 else [ server2 ]
+ server1.conf_ss("dnskey-sync", zone).remote = [ server2, server3 ] if SIGNERS3 else [ server2 ]
t = Test()
child_zone = t.zone(ZONE, file_name=child_zf)
t.link(child_zone, child)
-child.zonefile_sync = 24 * 60 * 60
+child.conf_zone(child_zone).zonefile_sync = 24 * 60 * 60
child.dnssec(child_zone).enable = True
child.dnssec(child_zone).manual = False
-child.dnssec(child_zone).alg = "ECDSAP256SHA256"
+child.dnssec(child_zone).algorithm = "ECDSAP256SHA256"
child.dnssec(child_zone).dnskey_ttl = 2
child.dnssec(child_zone).zsk_lifetime = 99999
child.dnssec(child_zone).ksk_lifetime = 300 # this can be possibly left also infinity
child.dnssec(child_zone).propagation_delay = 4
-child.dnssec(child_zone).ksk_sbm_check = [ parent ]
-child.dnssec(child_zone).ksk_sbm_check_interval = 2
-child.dnssec(child_zone).ds_push = parent
child.dnssec(child_zone).ksk_shared = True
-child.dnssec(child_zone).cds_publish = "always"
+child.dnssec(child_zone).cds_cdnskey_publish = "always"
+
+child.conf_zone(child_zone).ds_push = [ parent ]
+child.conf_ss("submission", child_zone).parent = [ parent ]
+child.conf_ss("submission", child_zone).check_interval = 2
#t.start()
t.generate_conf()
if resp.resp.answer[0].ttl != child.dnssec(child_zone).dnskey_ttl:
set_err("DS TTL")
-child.dnssec(child_zone).ds_push = "" # empty list []
+child.conf_zone(child_zone).ds_push = [ ]
child.gen_confile()
child.reload()
child.ctl("zone-key-rollover %s ksk" % child_zone[0].name)
if rtime > timeout:
break
-t = Test()
+t = Test(tsig=False)
parent = t.server("knot")
parent_zone = t.zone("com.", storage=".")
#parent.dnssec(parent_zone).enable = True
+CHILDZ = "example.com."
child = t.server("knot")
-child_zone = t.zone("example.com.", storage=".")
+child_zone = t.zone(CHILDZ, storage=".")
t.link(child_zone, child)
def cds_submission():
up.add(ZONE, 7, "DS", cds_rdata)
up.send("NOERROR")
-child.zonefile_sync = 24 * 60 * 60
+child.conf_zone(child_zone).zonefile_sync = 24 * 60 * 60
child.dnssec(child_zone).enable = True
child.dnssec(child_zone).manual = False
-child.dnssec(child_zone).alg = "ECDSAP384SHA384"
+child.dnssec(child_zone).algorithm = "ECDSAP384SHA384"
child.dnssec(child_zone).dnskey_ttl = 2
child.dnssec(child_zone).zsk_lifetime = 99999
child.dnssec(child_zone).ksk_lifetime = 9999
child.dnssec(child_zone).propagation_delay = 4
-child.dnssec(child_zone).ksk_sbm_check_interval = 2
+child.conf_ss("submission", child_zone).check_interval = 2
# parameters
ZONE = "example.com."
cds_submission()
-child.dnssec(child_zone).ksk_sbm_check = [ parent ]
+child.conf_ss("submission", child_zone).parent = [ parent ]
child.dnssec(child_zone).ksk_lifetime = 13
child.gen_confile()
wait_for_count(t, child, "DNSKEY", 3, 20) # initiation of KSK rollover means the initial submission was successful
check_zone(child, child_zone, 3, 2, 0, 1, "KSK rollover start")
-child.dnssec(child_zone).ksk_sbm_check = [ ]
+child.conf_ss("submission", child_zone).parent = [ ]
child.dnssec(child_zone).ksk_lifetime = 150
child.gen_confile()
cds_submission()
t.sleep(1)
-child.dnssec(child_zone).ksk_sbm_check = [ parent ]
+child.conf_ss("submission", child_zone).parent = [ parent ]
child.gen_confile()
child.reload()
master.dnssec(z).enable = True
master.dnssec(z).rrsig_lifetime = 10
master.dnssec(z).rrsig_refresh = 1
- master.dnssec(z).rrsig_prerefresh = 1
+ master.dnssec(z).rrsig_pre_refresh = 1
t.start()
master.dnssec(z).enable = True
master.dnssec(z).rrsig_lifetime = 40
master.dnssec(z).rrsig_refresh = 5
- master.dnssec(z).rrsig_prerefresh = 0
+ master.dnssec(z).rrsig_pre_refresh = 0
master.dnssec(z).propagation_delay = 0
def send_ddns(server, zone, data):
server.dnssec(z).enable = True
server.dnssec(z).rrsig_lifetime = 20
server.dnssec(z).rrsig_refresh = 10
- server.dnssec(z).rrsig_prerefresh = 4
+ server.dnssec(z).rrsig_pre_refresh = 4
-server.journal_max_usage = 128*1024
+server.conf_zone(zone).journal_max_usage = 128*1024
t.start()
same_dnskey_count(t, bind, knot, knot.zones[z.name], i, msg, timeout)
def clone_policy(zone):
- knot.zones[zone.name].dnssec = copy.copy(bind.zones[zone.name].dnssec)
- knot.zones[zone.name].dnssec.ksk_lifetime -= 2 * int(knot.zones[zone.name].dnssec.dnskey_ttl)
+ knot.conf["policy"][zone.name] = copy.copy(bind.conf["policy"][zone.name])
+ knot.dnssec(zone).ksk_lifetime -= 2 * int(knot.dnssec(zone).dnskey_ttl)
def knot_import_zone(zone):
if zone.name not in knot.zones:
bind.dnssec(z).ksk_lifetime = 40
bind.dnssec(z).rrsig_lifetime = "8"
bind.dnssec(z).rrsig_refresh = "4"
- bind.dnssec(z).rrsig_prerefresh = "1"
- bind.dnssec(z).ksk_sbm_check_interval = 1
+ bind.dnssec(z).rrsig_pre_refresh = "1"
+ bind.conf["submission"][z.name] = { "check-interval": 1 }
t.generate_conf()
bind.start()
ZONE = zone[0].name
-slave.zonefile_sync = "-1"
+slave.conf_zone(zone).zonefile_sync = "-1"
if FAIL2ROLL:
- slave.journal_max_usage = 128 * 1024
+ slave.conf_zone(zone).journal_max_usage = 128 * 1024
slave.dnssec(zone).enable = True
slave.dnssec(zone).dnskey_ttl = 3
zones = t.zone_rnd(12)
else:
zones = t.zone_rnd(4, records=100)
- slave.tcp_remote_io_timeout = 20000
+ slave.conf_srv().tcp_remote_io_timeout = 20000
master.ctl_params_append = ["-t", "30"]
t.link(zones, master, slave, ixfr=True)
-master.semantic_check = False
+master.conf_zone(zones).semantic_checks = False
master.zonefile_sync = "-1"
for zone in zones:
master.dnssec(zone).enable = True
if set_stss is not None:
server.dnssec(zone).single_type_signing = set_stss
- server.dnssec(zone).alg = set_alg
+ server.dnssec(zone).algorithm = set_alg
server.gen_confile()
server.reload()
wait_for_count(t, server, "DNSKEY", after_keys, 14, 20, msg)
check_zone(server, zone, slave, after_keys, 1, 1, 1, msg)
-t = Test()
+t = Test(tsig=False) # the facility of DS Query does not work with TSIG
parent = t.server("knot")
parent_zone = t.zone("com.", storage=".")
up.add(ZONE, 7, "DS", rd.to_text())
up.send("NOERROR")
-child.zonefile_sync = 24 * 60 * 60
+child.conf_zone(child_zone).zonefile_sync = 24 * 60 * 60
child.dnssec(child_zone).enable = True
child.dnssec(child_zone).manual = False
-child.dnssec(child_zone).alg = "ECDSAP384SHA384"
+child.dnssec(child_zone).algorithm = "ECDSAP384SHA384"
child.dnssec(child_zone).dnskey_ttl = 2
child.dnssec(child_zone).zsk_lifetime = 99999
child.dnssec(child_zone).ksk_lifetime = 300 # this can be possibly left also infinity
child.dnssec(child_zone).delete_delay = DELETE_DELAY
-child.dnssec(child_zone).dnskey_mgmt = "incremental" if INCREMENTAL else "full"
+child.dnssec(child_zone).dnskey_management = "incremental" if INCREMENTAL else "full"
child.dnssec(child_zone).propagation_delay = 11
-child.dnssec(child_zone).ksk_sbm_check = [ parent ]
-child.dnssec(child_zone).ksk_sbm_check_interval = 2
-child.dnssec(child_zone).ksk_sbm_delay = 6
child.dnssec(child_zone).ksk_shared = True
-child.dnssec(child_zone).cds_publish = "always"
+child.dnssec(child_zone).cds_cdnskey_publish = "always"
if DOUBLE_DS:
- child.dnssec(child_zone).cds_publish = "double-ds"
-child.dnssec(child_zone).cds_digesttype = CDS_DT
+ child.dnssec(child_zone).cds_cdnskey_publish = "double-ds"
+child.dnssec(child_zone).cds_digest_type = CDS_DT
+child.conf_ss("submission", child_zone).parent = [ parent ]
+child.conf_ss("submission", child_zone).check_interval = 2
+child.conf_ss("submission", child_zone).parent_delay = 6
-slave.dnssec(child_zone).validate = True
+slave.conf_zone(child_zone).dnssec_validation = True
# parameters
ZONE = "example.com."
server.dnssec(zone).enable = True
server.dnssec(zone).propagation_delay = 1
-server.dnssec(zone).keystores = [ "keys1", "keys2" ]
+server.dnssec(zone).keystore = [ "keys1", "keys2" ]
t.start()
serial = server.zone_wait(zone)
check_key_count(server, "keys1", 2)
check_key_count(server, "keys2", 0)
-server.dnssec(zone).keystores = [ "keys2", "keys1" ]
+server.dnssec(zone).keystore = [ "keys2", "keys1" ]
server.gen_confile()
server.reload()
server.ctl("zone-key-rollover %s zsk" % zone[0].name)
server.flush(zone[0], wait=True)
server.zone_verify(zone[0])
-server.dnssec(zone).keystores = [ "keys0ksk", "keys1", "keys2" ]
+server.dnssec(zone).keystore = [ "keys0ksk", "keys1", "keys2" ]
server.gen_confile()
server.reload()
knot.dnssec(zone).manual = True
knot.dnssec(zone).rrsig_lifetime = 50
knot.dnssec(zone).rrsig_refresh = 2
-knot.dnssec(zone).rrsig_prerefresh = 1
+knot.dnssec(zone).rrsig_pre_refresh = 1
knot.dnssec(zone).dnskey_ttl = 1
knot.dnssec(zone).propagation_delay = 1
-knot.zonefile_sync = "0"
+knot.conf_zone(zone).zonefile_sync = "0"
# install KASP db (one always enabled, one for testing)
keydir = knot.keydir
wait_for_count(t, server, "DNSKEY", after_keys, 10, 20, msg) # ds_ttl
check_zone(server, zone, server, after_keys, 1, 0, 1, msg)
-t = Test()
+t = Test(tsig=False)
parent = t.server("knot")
parent_zone = t.zone("com.", storage=".")
child.dnssec(child_zone).enable = True
child.dnssec(child_zone).dnskey_ttl = 6
child.dnssec(child_zone).propagation_delay = 11
-child.dnssec(child_zone).ksk_sbm_check = [ parent ]
-child.dnssec(child_zone).ksk_sbm_check_interval = 3
-child.dnssec(child_zone).cds_publish = "rollover"
+child.dnssec(child_zone).cds_cdnskey_publish = "rollover"
+child.conf_ss("submission", child_zone).parent = [ parent ]
+child.conf_ss("submission", child_zone).check_interval = 3
t.start()
child.zone_wait(child_zone)
t.link(nsec3_zone, master)
t.link(static_zone, master)
-master.dnssec(nsec_zone).alg = "rsasha1"
-master.dnssec(nsec3_zone).alg = "rsasha1"
+master.dnssec(nsec_zone).algorithm = "rsasha1"
+master.dnssec(nsec3_zone).algorithm = "rsasha1"
master.dnssec(nsec3_zone).nsec3 = True
-master.dnssec(nsec3_zone).nsec3_iters = 0
-master.dnssec(nsec3_zone).nsec3_salt_len = 0
-master.dnssec(static_zone).alg = "ecdsap256sha256"
-master.dnssec(nsec_zone).cds_publish = "rollover"
-master.dnssec(nsec3_zone).cds_publish = "rollover"
-master.dnssec(static_zone).cds_publish = "rollover"
+master.dnssec(nsec3_zone).nsec3_iterations = 0
+master.dnssec(nsec3_zone).nsec3_salt_length = 0
+master.dnssec(static_zone).algorithm = "ecdsap256sha256"
+master.dnssec(nsec_zone).cds_cdnskey_publish = "rollover"
+master.dnssec(nsec3_zone).cds_cdnskey_publish = "rollover"
+master.dnssec(static_zone).cds_cdnskey_publish = "rollover"
# install KASP db
keydir = master.keydir
zone = t.zone("example.com.", storage=".")
-t.link(zone, master, ixfr=True, journal_content="all")
+t.link(zone, master, ixfr=True)
+master.conf_zone(zone).journal_content = "all"
master.dnssec(zone).enable = True
-master.dnssec(zone).repro_sign = True
+master.dnssec(zone).reproducible_signing = True
t.start()
master.dnssec(zone).enable = True
master.dnssec(zone).nsec3 = True
-master.dnssec(zone).nsec3_iters = 2
-master.dnssec(zone).nsec3_salt_len = 8
+master.dnssec(zone).nsec3_iterations = 2
+master.dnssec(zone).nsec3_salt_length = 8
master.dnssec(zone).nsec3_opt_out = False
t.start()
t.link(zone, master)
-master.journal_max_usage = 51200 # the creation of NSEC3 tree fails on ESPACE
+master.conf_zone(zone).journal_max_usage = 51200 # the creation of NSEC3 tree fails on ESPACE
t.start()
master.zone_wait(zone)
for zone in zones:
master.dnssec(zone).enable = True
master.dnssec(zone).nsec3 = True
- master.dnssec(zone).nsec3_iters = 2
- master.dnssec(zone).nsec3_salt_len = 10
+ master.dnssec(zone).nsec3_iterations = 2
+ master.dnssec(zone).nsec3_salt_length = 10
master.dnssec(zone).nsec3_opt_out = True
t.start()
from dnstest.test import Test
def check_salt(server, zone):
- expect_salt_len = server.dnssec(zone).nsec3_salt_len * 2 # *2 because we get hex string
+ expect_salt_len = server.dnssec(zone).nsec3_salt_length * 2 # *2 because we get hex string
if expect_salt_len == 0:
expect_salt_len = 1 # there will be a dash
master.dnssec(zone1).enable = True
master.dnssec(zone2).enable = True
master.dnssec(zone2).nsec3 = True
-master.dnssec(zone2).nsec3_iters = 2
-master.dnssec(zone2).nsec3_salt_len = 2
+master.dnssec(zone2).nsec3_iterations = 2
+master.dnssec(zone2).nsec3_salt_length = 2
master.gen_confile()
master.reload()
# Reconfigure autosigning.
master.dnssec(zone1).nsec3 = True
-master.dnssec(zone1).nsec3_iters = 2
-master.dnssec(zone1).nsec3_salt_len = 2
+master.dnssec(zone1).nsec3_iterations = 2
+master.dnssec(zone1).nsec3_salt_length = 2
master.dnssec(zone2).nsec3 = True
-master.dnssec(zone2).nsec3_iters = 1
-master.dnssec(zone2).nsec3_salt_len = 0
+master.dnssec(zone2).nsec3_iterations = 1
+master.dnssec(zone2).nsec3_salt_length = 0
master.gen_confile()
# Intentionally restarted to ensure the zone file is fully loaded.
master.stop()
# Reconfigure autosigning.
master.dnssec(zone1).nsec3 = True
-master.dnssec(zone1).nsec3_iters = 1
-master.dnssec(zone1).nsec3_salt_len = 0
+master.dnssec(zone1).nsec3_iterations = 1
+master.dnssec(zone1).nsec3_salt_length = 0
master.dnssec(zone2).nsec3 = False
master.gen_confile()
master.reload()
for zone in zones:
master.dnssec(zone).enable = True
master.dnssec(zone).nsec3 = random.choice([True, False])
- master.dnssec(zone).nsec3_iters = 2
- master.dnssec(zone).nsec3_salt_len = random.choice([0, 1, 9, 64, 128, 255])
+ master.dnssec(zone).nsec3_iterations = 2
+ master.dnssec(zone).nsec3_salt_length = random.choice([0, 1, 9, 64, 128, 255])
master.dnssec(zone).nsec3_opt_out = (random.random() < 0.5)
if not slave.valgrind:
- slave.dnssec(zone).validate = True
+ slave.conf_zone(zone).dnssec_validation = True
slave.dnssec(zone).nsec3 = master.dnssec(zone).nsec3
slave.dnssec(zone).nsec3_opt_out = master.dnssec(zone).nsec3_opt_out
# update salt with keymgr and see if zone correctly re-NSEC3-d after update
for z in zones1:
- salt = "-" if master.dnssec(z).nsec3_salt_len == 0 else "fe" * master.dnssec(z).nsec3_salt_len
+ salt = "-" if master.dnssec(z).nsec3_salt_length == 0 else "fe" * master.dnssec(z).nsec3_salt_length
Keymgr.run_check(master.confile, z.name, "nsec3-salt", salt)
up = master.update(z)
up.add("abc." + z.name, 3600, "A", "1.2.3.4")
master = t.server("knot")
t.link(zone, master, knot)
if not IXFR:
- master.zones[ZONE].journal_content = "none"
+ master.conf_zone(zone).journal_content = "none"
else:
master = t.server("dummy")
t.link(zone, knot)
-knot.zonefile_sync = 24 * 60 * 60
+knot.conf_zone(zone).zonefile_sync = 24 * 60 * 60
# ZSK side
knot.dnssec(zone).enable = True
knot.dnssec(zone).zone_max_ttl = 3
knot.dnssec(zone).keytag_modulo = "0/2"
# optional
-knot.dnssec(zone).alg = "ECDSAP384SHA384"
+knot.dnssec(zone).algorithm = "ECDSAP384SHA384"
knot.dnssec(zone).zsk_lifetime = STARTUP + 6 * TICK # see ksk1 lifetime
knot.dnssec(zone).propagation_delay = TICK - 2
-knot.dnssec(zone).cds_publish = "rollover"
+knot.dnssec(zone).cds_cdnskey_publish = "rollover"
knot.dnssec(zone).rrsig_lifetime = 15
knot.dnssec(zone).rrsig_refresh = 6
-knot.dnssec(zone).rrsig_prerefresh = 1
+knot.dnssec(zone).rrsig_pre_refresh = 1
# options without any effect
knot.dnssec(zone).ksk_lifetime = NONSENSE
signer.dnssec(zone).rrsig_refresh = 2
signer.dnssec(zone).keytag_modulo = "1/2"
# optional
-signer.dnssec(zone).alg = "ECDSAP384SHA384"
-signer.dnssec(zone).cds_publish = random.choice(["none", "rollover"])
+signer.dnssec(zone).algorithm = "ECDSAP384SHA384"
+signer.dnssec(zone).cds_cdnskey_publish = random.choice(["none", "rollover"])
signer.dnssec(zone).rrsig_lifetime = 6
-signer.dnssec(zone).rrsig_prerefresh = 1
+signer.dnssec(zone).rrsig_pre_refresh = 1
# options without any effect
signer.dnssec(zone).dnskey_ttl = int(NONSENSE / 10)
signer.dnssec(zone).zone_max_ttl = NONSENSE
zone = t.zone(ZONE)
t.link(zone, knot)
-knot.zonefile_sync = 24 * 60 * 60
+knot.conf_zone(zone).zonefile_sync = 24 * 60 * 60
# ZSK side
knot.dnssec(zone).enable = True
slave.stop()
server_purge(slave, zone)
master.zones[zone[0].name].zfile.update_soa(serial=initial_serial)
- master.serial_policy = master_policy
- slave.serial_policy = slave_policy
+ master.conf_zone(zone).serial_policy = master_policy
+ slave.conf_zone(zone).serial_policy = slave_policy
master.gen_confile()
slave.gen_confile()
master.start()
master.dnssec(zone).enable = True
master.dnssec(zone).rrsig_lifetime = 20
-master.dnssec(zone).rrsig_prerefresh = 4
+master.dnssec(zone).rrsig_pre_refresh = 4
master.dnssec(zone).propagation_delay = 1
master.dnssec(zone).dnskey_ttl = 1
for s in [slave1, slave2]:
s.dnssec(z).enable = True
s.dnssec(z).manual = True
- s.dnssec(z).alg = alg['name']
- s.dnssec(z).repro_sign = not alg['always_reproducible']
+ s.dnssec(z).algorithm = alg['name']
+ s.dnssec(z).reproducible_signing = not alg['always_reproducible']
slave1.gen_confile() # needed for keymgr
for z in zones:
knot.dnssec(z).enable = True
knot.dnssec(z).ksk_shared = True
- knot.dnssec(z).alg = "ECDSAP256SHA256"
+ knot.dnssec(z).algorithm = "ECDSAP256SHA256"
knot.dnssec(z).shared_policy_with = zones[0].name
t.start()
# perform algorithm rollover
for z in zones:
- knot.dnssec(z).alg = "ECDSAP384SHA384"
- knot.dnssec(z).ksk_sbm_timeout = 10
+ knot.dnssec(z).algorithm = "ECDSAP384SHA384"
+ knot.conf_ss("submission", z).timeout = 10
knot.dnssec(z).propagation_delay = 5
knot.gen_confile()
for z in zones_add:
knot.dnssec(z).enable = True
knot.dnssec(z).ksk_shared = True
- knot.dnssec(z).alg = "ECDSAP384SHA384"
- knot.dnssec(z).ksk_sbm_timeout = 10
+ knot.dnssec(z).algorithm = "ECDSAP384SHA384"
+ knot.conf_ss("submission", z).timeout = 10
knot.dnssec(z).propagation_delay = 5
knot.dnssec(z).shared_policy_with = zones[0].name
for z in zones:
knot.dnssec(z).enable = (z.name == z0name)
knot.dnssec(z).ksk_shared = True
- knot.dnssec(z).alg = "ECDSAP256SHA256"
+ knot.dnssec(z).algorithm = "ECDSAP256SHA256"
knot.dnssec(z).shared_policy_with = zones[0].name
t.start()
for z in zones:
check_zone(knot, z, 1 if z.name == z0name else 0, "initial sign")
- knot.dnssec(z).disable = knot.dnssec(z).enable
- knot.dnssec(z).enable = True
- knot.dnssec(z).alg = "ECDSAP384SHA384"
+ knot.dnssec(z).enable = not knot.dnssec(z).enable
+ knot.dnssec(z).algorithm = "ECDSAP384SHA384"
knot.gen_confile()
knot.reload()
t.link(zone, master, slave, ddns=True)
-master.serial_policy = random.choice(["increment", "unixtime", "dateserial"])
-slave.serial_policy = random.choice(["increment", "unixtime", "dateserial"])
+master.conf_zone(zone).serial_policy = random.choice(["increment", "unixtime", "dateserial"])
+slave.conf_zone(zone).serial_policy = random.choice(["increment", "unixtime", "dateserial"])
slave.dnssec(zone).nsec3 = random.choice([False, True])
-slave.zonefile_load = random.choice(["none", "whole"])
-for z in zone:
- slave.zones[z.name].journal_content = random.choice(["all", "none", "changes"])
+slave.conf_zone(zone).zonefile_load = random.choice(["none", "whole"])
+slave.conf_zone(zone).journal_content = random.choice(["all", "none", "changes"])
cold_reload = random.choice([False, True])
-if slave.zonefile_load == "none" and slave.zones[zone[0].name].journal_content != "all":
+if slave.conf_zone(zone[0]).zonefile_load == "none" and slave.conf_zone(zone[0]).journal_content != "all":
cold_reload = False
t.start()
zones = zones_ok + zones_ok3 + zones_nok + zones_nok3
t.link(zones + zones_unsigned, master, slave, ixfr=True)
-for z in zones_ok + zones_nok:
- slave.dnssec(z).validate = True
-for z in zones_ok3 + zones_nok3:
- slave.dnssec(z).validate = True
-for z in zones_unsigned:
- slave.dnssec(z).validate = True
+slave.conf_zone(zones_ok + zones_nok + zones_ok3 + zones_nok3 + zones_unsigned).dnssec_validation = True
t.start()
for z in zones:
master.dnssec(z).enable = True
- slave.dnssec(z).validate = True
+ slave.conf_zone(z).dnssec_validation = True
for z in zones_nsec3:
master.dnssec(z).nsec3 = True
master.dnssec(z).enable = True
master.dnssec(z).rrsig_lifetime = 10
master.dnssec(z).rrsig_refresh = 1
- master.dnssec(z).rrsig_prerefresh = 1
+ master.dnssec(z).rrsig_pre_refresh = 1
t.start()
# SCENARIO II -- configured dnssec-validation
master.start()
slave.stop()
-for z in zones:
- slave.dnssec(z).validate = True
+slave.conf_zone(zones).dnssec_validation = True
slave.gen_confile()
slave.start()
serials = slave.zones_wait(zones, serials)
zone = t.zone("example.com.", storage=".")
t.link(zone, unsigned_master, master, ddns=True)
-unsigned_master.zones[zone[0].name].journal_content = "none"
-master.ixfr_from_axfr = True
+unsigned_master.conf_zone(zone).journal_content = "none"
+master.conf_zone(zone).ixfr_from_axfr = True
master.dnssec(zone).enable = True
master.dnssec(zone).manual = False
master.dnssec(zone).zsk_lifetime = 16
master.dnssec(zone).propagation_delay = 3
master.dnssec(zone).nsec3 = True
-master.dnssec(zone).nsec3_salt_len = 8
+master.dnssec(zone).nsec3_salt_length = 8
master.dnssec(zone).nsec3_salt_lifetime = -1
t.start()
server6 = t.server("knot", address=6)
zone = t.zone("flags.")
-# Set common payload limit.
-server4.udp_max_payload = 1220
-server6.udp_max_payload = 1220
-
t.link(zone, server4)
t.link(zone, server6)
+# Set common payload limit.
+server4.conf_srv().udp_max_payload = 1220
+server6.conf_srv().udp_max_payload = 1220
+
t.start()
# Check common limit if 1220 fits and 1221 does not.
resp.check(flags="TC")
# Set IP family specific limit.
-server4.udp_max_payload_ipv4 = 1220
-server4.udp_max_payload_ipv6 = 1221 # Should not affect IPv4
-server4.udp_max_payload = 1221 # Should not override IPv4 specific
+server4.conf_srv().udp_max_payload_ipv4 = 1220
+server4.conf_srv().udp_max_payload_ipv6 = 1221 # Should not affect IPv4
+server4.conf_srv().udp_max_payload = 1221 # Should not override IPv4 specific
-server6.udp_max_payload_ipv6 = 1220
-server6.udp_max_payload_ipv4 = 1221 # Should not affect IPv6
-server6.udp_max_payload = 1221 # Should not override IPv6 specific
+server6.conf_srv().udp_max_payload_ipv6 = 1220
+server6.conf_srv().udp_max_payload_ipv4 = 1221 # Should not affect IPv6
+server6.conf_srv().udp_max_payload = 1221 # Should not override IPv6 specific
server4.gen_confile()
server4.reload()
master = t.server("bind")
slave = t.server("knot")
-slave.zonefile_sync = "5s"
zone = t.zone("example.")
t.link(zone, master, slave)
+slave.conf_zone(zone).zonefile_sync = "5s"
+
zone_path = slave.zones[zone[0].name].zfile.path
t.start()
set_err("NO POST-TRANSFER FLUSH")
# Set the zonefile-sync parameter to 60s and update master - should not flush
-slave.zonefile_sync = "60s"
+slave.conf_zone(zone).zonefile_sync = "60s"
slave.gen_confile()
slave.reload()
t.sleep(FLUSH_SLEEP) # ~ 15s wait for master to start
set_err("SOON POST-RELOAD FLUSH")
# Set the zonefile-sync parameter to 1s - should flush
-slave.zonefile_sync = "1s"
+slave.conf_zone(zone).zonefile_sync = "1s"
slave.gen_confile()
slave.reload()
t.sleep(1.5)
master.disable_notify = True
slave = t.server("knot")
- slave.tcp_remote_io_timeout = "1000"
+ slave.conf_srv().tcp_remote_io_timeout = "1000"
t.link(zone, master, slave)
slave = t.server("knot", tsig=TSIG)
zones = t.zone("example.com.")
-master.auto_acl = MASTER_AUTO
-slave.auto_acl = SLAVE_AUTO
-
t.link(zones, master, slave, ixfr=True)
+master.conf_srv().automatic_acl = MASTER_AUTO
+slave.conf_srv().automatic_acl = SLAVE_AUTO
+
t.start()
# Wait for AXFR to slave server.
for z in zone:
master.dnssec(z).enable = True
master.disable_notify = True
-slave.zones[zone[0].name].retry_max = 10
+slave.conf_zone(zone).retry_max_interval = 10
t.start()
slave = t.server("knot")
zone = t.zone("xfr", storage=".")
-t.link(zone, master, slave, journal_content="none")
+t.link(zone, master, slave)
+
+master.conf_zone(zone).journal_content = "none"
t.start()
t.link(zones, master, slave, ixfr=True)
-slave.tcp_io_timeout = 3000
-slave.tcp_remote_io_timeout = 8000
+slave.conf_srv().tcp_io_timeout = 3000
+slave.conf_srv().tcp_remote_io_timeout = 8000
t.start()
t.link(zone, master, slave)
t.link(zone, slave, sub_slave)
-slave.ixfr_from_axfr = True
+slave.conf_zone(zone).ixfr_from_axfr = True
t.start()
-serial = master.zones_wait(zone)
+serial = sub_slave.zones_wait(zone)
serial_init = serial
# update zone with small change
# test case 2: generate+verify ZONEMD
-slave.zonemd_generate = "zonemd-sha384"
-sub_slave.zonemd_verify = True
+slave.conf_zone(zone).zonemd_generate = "zonemd-sha384"
+sub_slave.conf_zone(zone).zonemd_verify = True
slave.gen_confile()
sub_slave.gen_confile()
for z in zone:
slave.dnssec(z).enable = True
- sub_slave.dnssec(z).validate = True
+ sub_slave.conf_zone(z).dnssec_validation = True
slave.gen_confile()
sub_slave.gen_confile()
master.dnssec(zones[0]).enable = True
master.dnssec(zones[0]).nsec3 = True
master.dnssec(zones[0]).nsec3_opt_out = True
-master.dnssec(zones[0]).nsec3_iters = 1
+master.dnssec(zones[0]).nsec3_iterations = 1
t.start()
master.zones_wait(zones)
-master.dnssec(zones[0]).nsec3_iters = 2
+master.dnssec(zones[0]).nsec3_iterations = 2
master.gen_confile()
master.reload()
t.sleep(8)
resp.check_count(0, rtype="NSEC3", section="authority")
if random.random() < 0.5:
- master.dnssec(zones[0]).nsec3_iters = 3
+ master.dnssec(zones[0]).nsec3_iterations = 3
master.gen_confile()
master.reload()
t.sleep(6)
t.link(zones, s2, s3, ixfr=True)
if not s1.valgrind:
- s2.tcp_remote_io_timeout = 8000
- s3.tcp_remote_io_timeout = 8000
+ s2.conf_srv().tcp_remote_io_timeout = 8000
+ s3.conf_srv().tcp_remote_io_timeout = 8000
else:
- s1.tcp_remote_io_timeout = 45000
- s2.tcp_remote_io_timeout = 45000
- s3.tcp_remote_io_timeout = 45000
+ s1.conf_srv().tcp_remote_io_timeout = 45000
+ s2.conf_srv().tcp_remote_io_timeout = 45000
+ s3.conf_srv().tcp_remote_io_timeout = 45000
s1.ctl_params_append = ["-t", "45"]
s2.ctl_params_append = ["-t", "45"]
s3.ctl_params_append = ["-t", "45"]
t.link(zones, master, slave, ixfr=True)
-master.tcp_io_timeout = 3000
+master.conf_srv().tcp_io_timeout = 3000
t.start()
t.link(zones, master, slave, ixfr=True)
if master.valgrind:
- master.semantic_check = False
- slave.semantic_check = False
+ master.conf_zone(zones).semantic_checks = False
+ slave.conf_zone(zones).semantic_checks = False
-master.tcp_io_timeout = 3000
-slave.tcp_io_timeout = 3000
-slave.tcp_remote_io_timeout = 8000
+master.conf_srv().tcp_io_timeout = 3000
+slave.conf_srv().tcp_io_timeout = 3000
+slave.conf_srv().tcp_remote_io_timeout = 8000
t.start()
t.link(zones, masterA, slave, ixfr=True)
-slave.master_pin_tol = PERIOD
+slave.conf_zone(zones).master_pin_tolerance = PERIOD
masterA.disable_notify = DISABLE_NOTIFY
masterB.disable_notify = DISABLE_NOTIFY
t.link(zones, masterB, slave, ixfr=True)
for m in [ masterA, masterB ]:
- m.serial_policy = "unixtime"
- m.zonefile_load = "difference-no-serial"
- m.dnssec(zone).enable = True
- m.zones[zone.name].journal_content = "all"
+ m.conf_zone(zones).serial_policy = "unixtime"
+ m.conf_zone(zones).zonefile_load = "difference-no-serial"
+ m.dnssec(zones).enable = True
+ m.conf_zone(zones).journal_content = "all"
masterB.zones[zone.name].serial_modulo = str(-PIN)
t.link(zones, master, slave, ixfr=True)
-slave.ixfr_by_one = "on"
+slave.conf_zone(zones).ixfr_by_one = True
t.start()
slave.zones_wait(zone, serial_init)
# Disable IXFR and check AXFR-style IXFR.
-master.provide_ixfr = False
+master.conf_zone(zone).provide_ixfr = False
master.gen_confile()
master.reload()
master.zones_wait(zone, serial_init)
t.check_axfr_style_ixfr(master, zone[0].name, serial_init[zone[0].name])
# Enable IXFR and compare with slave.
-master.provide_ixfr = True
+master.conf_zone(zone).provide_ixfr = True
master.gen_confile()
master.reload()
master.zones_wait(zone, serial_init)
t.link(zone, master, slave, ixfr=True)
if IGNORE:
- slave.ixfr_benevolent = True
+ slave.conf_zone(zone).ixfr_benevolent = True
slave.update_zonefile(zone, version="slave0")
MSGDELAY = 90
-master.tcp_remote_io_timeout = 4000
-master.tcp_io_timeout = 4000
+master.conf_srv().tcp_remote_io_timeout = 4000
+master.conf_srv().tcp_io_timeout = 4000
def slow_ixfr(server, zname, serial):
server.kdig(zname, "IXFR=" + str(serial), msgdelay=MSGDELAY)
t.link(zone, master, slave)
-for z in master.zones:
- slave.zones[z].journal_content = "none"
-
-for z in slave.zones:
- slave.zones[z].journal_content = "all"
-
slave.max_journal_usage = 150 * 1024
-master.zonefile_sync = "0"
-slave.zonefile_sync = "-1"
-slave.zonefile_load = "none"
+master.conf_zone(zone).zonefile_sync = "0"
+master.conf_zone(zone).journal_content = "none"
+
+slave.conf_zone(zone).zonefile_sync = "-1"
+slave.conf_zone(zone).zonefile_load = "none"
+slave.conf_zone(zone).journal_content = "all"
master.dnssec(zone).enable = "true"
master1 = t.server("knot")
slave = t.server("knot")
zone = t.zone("example.com.", storage=".", version=1)
-slave.zone_size_limit = 230
t.link(zone, master1, slave, ixfr=True)
+slave.conf_zone(zone).zone_max_size = 230
+
t.start()
# Wait for zones.
master.zones[ZONE].zfile.update_soa(serial=1718378850)
-master.journal_max_depth = 10
+master.conf_zone(zones).journal_max_depth = 10
t.start()
serials = master.zones_wait(zones)
master.journal_db_size = 200 * 1024 * 1024
slave.journal_db_size = 200 * 1024 * 1024
-master.journal_max_usage = 100 * 1024 * 1024
-slave.journal_max_usage = 100 * 1024 * 1024
+master.conf_zone(zones).journal_max_usage = 100 * 1024 * 1024
+slave.conf_zone(zones).journal_max_usage = 100 * 1024 * 1024
t.start()
serial = slave.zones_wait(zones)
t.link(zone_remote, remote)
if local.valgrind:
- local.semantic_check = False
- remote.semantic_check = False
+ local.conf_zone(zone_common1 + zone_local).semantic_checks = False
+ remote.conf_zone(zone_common2 + zone_remote).semantic_checks = False
def fallback_checks(server, zone_local, zone_remote, nxdomain):
# Local preferred OK, try with local TSIG.
ModNoudp.check()
knot = t.server("knot")
-knot.udp_workers = 1
zone_tc = t.zone("example.")
zone_notc = t.zone("flags.")
t.link(zones, knot)
+knot.conf_srv().udp_workers = 1
+
knot.add_module(zone_tc, ModNoudp())
knot.add_module(zone_notc, ModNoudp(allow_rate=1))
knot.add_module(zone_50_50, ModNoudp(trunc_rate=2))
knot = t.server("knot")
zones = t.zone_rnd(4, dnssec=False, records=5)
-t.link(zones, knot, journal_content="none")
+t.link(zones, knot)
+
+knot.conf_zone(zones).journal_content = "none"
knot.add_module(zones[0], ModOnlineSign())
knot.add_module(zones[1], ModOnlineSign("ECDSAP384SHA384", key_size="384"))
knot.dnssec(zones[2]).enable = True
wait_for_dnskey_count(t, server, after_keys, 28)
check_zone(server, zone, after_keys, 1, 1, 1, desc + ": old key removed")
-t = Test(stress=False)
+t = Test(stress=False, tsig=False)
ModOnlineSign.check()
child.zonefile_sync = 24 * 60 * 60
-child.dnssec(child_zone).ksk_sbm_check = [ parent ]
+child.conf_ss("submission", child_zone).parent = [ parent ]
+
child.add_module(child_zone, ModOnlineSign("ECDSAP384SHA384", key_size="384", prop_delay=11, ksc = [ parent ],
ksci = 2, ksk_shared=True, cds_publish="always",
cds_digesttype=random.choice(["sha256", "sha384"])))
t.link(zone, master, slave2)
t.link(zone, master, slave3)
-master.zones[zone[0].name].retry_max = 10
+master.conf_zone(zone).retry_max_interval = 10
t.start()
for z in zones:
sender.dnssec(z).enable = True
sender.dnssec(z).propagation_delay = 4
- sender.dnssec(z).dnskey_sync = [ recver ]
+ sender.conf_ss("dnskey-sync", z).remote = [ recver ]
sender.dnssec(z).keytag_modulo = "0/1"
sender.check_quic()
master.dnssec(z).enable = True
if master.valgrind:
- slave.quic_idle_close_timeout = 25 # for DoQ xfrs
- slave.tcp_remote_io_timeout = 20000
+ slave.conf_srv().quic_idle_close_timeout = 25 # for DoQ xfrs
+ slave.conf_srv().tcp_remote_io_timeout = 20000
if slave.valgrind:
- master.quic_idle_close_timeout = 25 # for sending DoQ notify
- master.tcp_remote_io_timeout = 20000
+ master.conf_srv().quic_idle_close_timeout = 25 # for sending DoQ notify
+ master.conf_srv().tcp_remote_io_timeout = 20000
MSG_DENIED_NOTIFY = "ACL, denied, action notify"
MSG_DENIED_TRANSFER = "ACL, denied, action transfer"
t.link(zone, master, slave)
t.link(zone, zfloader)
-master.zonefile_load = "none"
-master.zones[ZONE].journal_content = "all"
+master.conf_zone(zone).zonefile_load = "none"
+master.conf_zone(zone).journal_content = "all"
-zfloader.zonefile_load = "difference-no-serial"
-zfloader.zones[ZONE].journal_content = "all"
+zfloader.conf_zone(zone).zonefile_load = "difference-no-serial"
+zfloader.conf_zone(zone).journal_content = "all"
shutil.copytree(os.path.join(t.data_dir, "journal"), os.path.join(master.dir, "journal"))
t.link(zones, master)
t.link(zones, slave)
-master.zonefile_sync = "0"
+master.conf_zone(zones).zonefile_sync = "0"
+master.conf_zone(zones).zone_db_output = "1"
+slave.conf_zone(zones).zone_db_input = "1"
for z in zones:
- master.zones[z.name].redis_out = "1"
- slave.zones[z.name].redis_in = "1"
slave.zones[z.name].zfile.remove()
t.start()
# Add to DB manually. Slave will diverge from master.
for z in zones:
- txn = t.redis.cli("knot.upd.begin", z.name, master.zones[z.name].redis_out)
+ txn = t.redis.cli("knot.upd.begin", z.name, master.conf_zone(z).zone_db_output)
r = t.redis.cli("knot.upd.remove", z.name, txn, "example.com. 3600 in soa dns1.example.com. hostmaster.example.com. %d 10800 3600 1209600 7200" % serials3[z.name])
r = t.redis.cli("knot.upd.add", z.name, txn, "example.com. 3600 in soa dns1.example.com. hostmaster.example.com. %d 10800 3600 1209600 7200" % (serials3[z.name] + 1))
r = t.redis.cli("knot.upd.add", z.name, txn, "txtadd 3600 A 1.2.3.4")
r = t.redis.cli("knot.upd.commit", z.name, txn)
- r = t.redis.cli("knot.upd.load", z.name, master.zones[z.name].redis_out, str(serials3[z.name]))
+ r = t.redis.cli("knot.upd.load", z.name, master.conf_zone(z).zone_db_output, str(serials3[z.name]))
if not "txtadd" in r:
set_err("NO TXTADD IN UPD")
for z in zones:
sender.dnssec(z).enable = True
sender.dnssec(z).propagation_delay = 4
- sender.dnssec(z).dnskey_sync = [ recver ]
+ sender.conf_ss("dnskey-sync", z).remote = [ recver ]
sender.dnssec(z).keytag_modulo = "0/1"
t.start()
master.dnssec(z).enable = True
if master.valgrind:
- slave.quic_idle_close_timeout = 10 # for DoQ xfrs
- master.tcp_io_timeout = 10000
- slave.tcp_io_timeout = 10000
- master.tcp_remote_io_timeout = 10000
- slave.tcp_remote_io_timeout = 10000
+ slave.conf_srv().quic_idle_close_timeout = 10 # for DoQ xfrs
+ master.conf_srv().tcp_io_timeout = 10000
+ slave.conf_srv().tcp_io_timeout = 10000
+ master.conf_srv().tcp_remote_io_timeout = 10000
+ slave.conf_srv().tcp_remote_io_timeout = 10000
if slave.valgrind:
- master.quic_idle_close_timeout = 10 # for sending DoQ notify
+ master.conf_srv().quic_idle_close_timeout = 10 # for sending DoQ notify
MSG_DENIED_NOTIFY = "ACL, denied, action notify"
MSG_DENIED_TRANSFER = "ACL, denied, action transfer"
t.link(zones, master, slave)
+slave.conf_zone(zones).journal_content = "all"
+slave.conf_zone(zones).zonefile_load = "none"
+
for z in zones:
if random.choice([True, False]):
master.dnssec(z).enable = True
- master.dnssec(z).alg = "ECDSAP256SHA256"
+ master.dnssec(z).algorithm = "ECDSAP256SHA256"
master.dnssec(z).single_type_signing = False
else:
master.add_module(z, ModOnlineSign(algorithm="ECDSAP256SHA256"))
- slave.zones[z.name].journal_content = "all"
- slave.zonefile_load = "none"
backup_dir = master.dir + "/backup"
backup_dir2 = master.dir + "/backup2" # Backup of a backup, for debugging.
valgrind_delay += 2 # even without valgrind, add some tolerance because rounding timestamps to whole seconds multiple times
if master.valgrind:
- master.semantic_check = False
- slave.semantic_check = False
+ master.conf_zone(zones).semantic_checks = False
+ slave.conf_zone(zones).semantic_checks = False
t.start()
serials_init = slave.zones_wait(zones)
labelfile = os.path.join(backup_dir, "knot_backup.label")
if master.valgrind:
- master.semantic_check = False
- master2.semantic_check = False
+ master.conf_zone(zones).semantic_checks = False
+ master2.conf_zone(zones).semantic_checks = False
t.start()
serials_init = master.zones_wait(zones)
t.link(zone, master1)
t.link(zone, master2)
-master1.dnssec(zone[0]).enable = True
-master1.zonefile_sync = -1
+master1.dnssec(zone).enable = True
+master1.conf_zone(zone).zonefile_sync = -1
t.start()
knot = t.server("knot")
zone = t.zone("example.com.", storage=".")
t.link(zone, knot)
-knot.zonefile_sync = "-1"
-knot.zones[zone[0].name].journal_content = "all"
-knot.zonefile_load = "difference-no-serial"
+
+knot.conf_zone(zone).zonefile_sync = "-1"
+knot.conf_zone(zone).journal_content = "all"
+knot.conf_zone(zone).zonefile_load = "difference-no-serial"
knot.update_zonefile(zone, version=start_version)
knot = t.server("knot")
zone = t.zone("example.", storage=".")
t.link(zone, knot)
+
knot.dnssec(zone).enable = True
-knot.zonefile_sync = "-1"
+knot.conf_zone(zone).zonefile_sync = "-1"
t.start()
serial = knot.zone_wait(zone)
-knot.zones[zone[0].name].journal_content = "all"
-knot.zonefile_load = "difference-no-serial"
+knot.conf_zone(zone).journal_content = "all"
+knot.conf_zone(zone).zonefile_load = "difference-no-serial"
if purge_beforehand:
knot.ctl("zone-purge -f +expire example.")
t.link(zones, master, slave)
-master.zonefile_sync = 0
-master.zonefile_load = "difference-no-serial"
-master.zones[ZONE].journal_content = "all"
+master.conf_zone(zones).zonefile_sync = 0
+master.conf_zone(zones).zonefile_load = "difference-no-serial"
+master.conf_zone(zones).journal_content = "all"
if random.choice([False, True]):
master.dnssec(zones[0]).enable = True
master = t.server("knot")
slave = t.server("knot")
sub_slave = t.server("knot")
-slave.tcp_remote_io_timeout = "1000"
t.link(zone, master, slave)
t.link(zone, slave, sub_slave)
-slave.zones[zone[0].name].expire_min = 16
-sub_slave.zones[zone[0].name].expire_min = 16
+slave.conf_srv().tcp_remote_io_timeout = "1000"
+slave.conf_zone(zone).expire_min_interval = 16
+sub_slave.conf_zone(zone).expire_min_interval = 16
t.start()
# expire timer difference (normally caused by multi-path propagation)
# by lowering the expire value while keeping the serial.
# Journal must be disabled in order to allow mangled SOA serials.
-master.zones["example."].journal_content = "none"
+master.conf_zone(zone).journal_content = "none"
master.gen_confile()
master.reload()
master.ctl("zone-begin example.")
ZONE = zone[0].name
LOG = "for external validation"
-slave.async_start = True
-slave.zones[ZONE].external = { "timeout": "10",
- "new": dump_file(slave, "new"),
- "rem": dump_file(slave, "diff"),
- "add": dump_file(slave, "diff") }
+slave.conf_srv().async_start = True
+slave.conf_ss("external", zone).timeout = 10
+slave.conf_ss("external", zone).dump_new_zone = dump_file(slave, "new")
+slave.conf_ss("external", zone).dump_removals = dump_file(slave, "diff")
+slave.conf_ss("external", zone).dump_additions = dump_file(slave, "diff")
def check_diff_types(types):
- check_zf_types(slave.zones[ZONE].external["add"], types)
+ check_zf_types(slave.conf_ss("external", zone).dump_additions, types)
-master.notify_delay = 0
+master.conf_zone(zone).notify_delay = 0
master.dnssec(zone[0]).enable = False
t.start()
serial = master.zone_wait(zone, serial)
t.sleep(2)
log_count_expect(slave, LOG, 3)
-t.sleep(int(slave.zones[ZONE].external["timeout"]))
+t.sleep(int(slave.conf_ss("external", zone).timeout))
resp = slave.dig(ZONE, "SOA")
resp.check_soa_serial(serial - 2)
up.send()
serial = master.zone_wait(zone, serial)
-slave.zonemd_generate = "zonemd-sha512"
+slave.conf_zone(zone).zonemd_generate = "zonemd-sha512"
slave.gen_confile()
t.sleep(2)
ctl.send_block(cmd="zone-thaw", zone=ZONE)
master.dnssec(zone).enable = True
-master.zonefile_sync = 0
-slave.zonefile_sync = 0
+master.conf_zone(zone).zonefile_sync = 0
+slave.conf_zone(zone).zonefile_sync = 0
if master.valgrind:
- master.semantic_check = False
- slave.semantic_check = False
+ master.conf_zone(zone).semantic_checks = False
+ slave.conf_zone(zone).semantic_checks = False
t.start()
parent_master = master if tld_axfr else flattener
-flattener.zones[parent[0].name].include_from = childs
+flattener.conf_zone(parent).include_from = [ z.name for z in childs ]
flattener.dnssec(parent).enable = random.choice([False, True])
invalid_conf = random.choice(["include_self", "include_parent", "also_reverse"])
if invalid_conf == "include_self":
- flattener.zones[parent[0].name].include_from = parent
+ flattener.conf_zone(parent).include_from = parent[0].name
elif invalid_conf == "include_parent":
- flattener.zones[childs[0].name].include_from = parent
+ flattener.conf_zone(childs[0]).include_from = parent[0].name
else:
- flattener.zones[parent[0].name].reverse_from = childs
+ flattener.conf_zone(parent).reverse_generate = [ z.name for z in childs ]
flattener.gen_confile()
try:
flattener.reload()
for z in zone:
slave.dnssec(z).enable = True
slave.dnssec(z).nsec3 = True
- slave.dnssec(z).nsec3_salt_len = 0
+ slave.dnssec(z).nsec3_salt_length = 0
slave.dnssec(z).rrsig_lifetime = 25 if SCENARIO == 1 else 20
slave.dnssec(z).rrsig_refresh = 5
- slave.dnssec(z).rrsig_prerefresh = 1
+ slave.dnssec(z).rrsig_pre_refresh = 1
slave.dnssec(z).zone_max_ttl = 4
- slave.zones[z.name].journal_content = "all"
-slave.zonefile_sync = "-1"
-slave.zonefile_load = "none"
-slave.zonemd_generate = "zonemd-sha384"
+
+slave.conf_zone(zone).journal_content = "all"
+slave.conf_zone(zone).zonefile_sync = "-1"
+slave.conf_zone(zone).zonefile_load = "none"
+slave.conf_zone(zone).zonemd_generate = "zonemd-sha384"
t.start()
slave.zones_wait(zone)
if SCENARIO == 2:
- slave.zonemd_generate = "zonemd-sha512"
+ slave.conf_zone(zone).zonemd_generate = "zonemd-sha512"
slave.gen_confile()
slave.ctl("reload")
t.link(zones, knot)
-knot.zonefile_load = "difference-no-serial"
-knot.zones[zones[0].name].journal_content = "all"
+knot.conf_zone(zones).zonefile_load = "difference-no-serial"
+knot.conf_zone(zones).journal_content = "all"
knot.dnssec(zones).enable = True
t.start()
master.disable_notify = True
-slave.zones[zone_min.name].refresh_min = 12
-slave.zones[zone_max.name].refresh_max = 9
-slave.zones[zone_min.name].retry_min = 12
-slave.zones[zone_max.name].retry_max = 9
-slave.zones[zone_min.name].expire_min = 24
-slave.zones[zone_max.name].expire_max = 18
+slave.conf_zone(zone_min).refresh_min_interval = 12
+slave.conf_zone(zone_max).refresh_max_interval = 9
+slave.conf_zone(zone_min).retry_min_interval = 12
+slave.conf_zone(zone_max).retry_max_interval = 9
+slave.conf_zone(zone_min).expire_min_interval = 24
+slave.conf_zone(zone_max).expire_max_interval = 18
t.start()
zone = t.zone("example.com.", storage=".")
t.link(zone, master, slave)
-slave.zonefile_sync = 0
+slave.conf_zone(zone).zonefile_sync = 0
# Load newer zone to the slave
slave.update_zonefile(zone, version="slave")
t.zone("0.8.b.d.1.0.0.2.ip6.arpa.", storage=".")
t.link(zones, knot)
-knot.zones[zones[2].name].reverse_from = [ zones[0], zones[1] ]
-knot.zones[zones[3].name].reverse_from = [ zones[0], zones[1] ]
+knot.conf_zone(zones[2:]).reverse_generate = [ zones[0].name, zones[1].name ]
for z in zones:
knot.dnssec(z).enable = random.choice([False, True])
t.link(zone, master, slave, ixfr=True)
-master.semantic_check = "soft"
-slave.semantic_check = "soft"
+master.conf_zone(zone).semantic_checks = "soft"
+slave.conf_zone(zone).semantic_checks = "soft"
t.start()
source = knot
t.link(zones, knot)
-for z in zones:
- knot.dnssec(z).enable = True
- knot.zones[z.name].serial_modulo = "%d/%d" % (MODULO_A, MODULO_B)
-
- knot.zonefile_load = "difference-no-serial"
- knot.zones[z.name].journal_content = "all"
+knot.dnssec(zones).enable = True
+knot.conf_zone(zones).serial_modulo = "%d/%d" % (MODULO_A, MODULO_B)
+knot.conf_zone(zones).zonefile_load = "difference-no-serial"
+knot.conf_zone(zones).journal_content = "all"
detail_log("SCENARIO " + SCENARIO)
t.start()
server.dnssec(zone).enable = True
-server.zonefile_skip = [ "aaaa", "dnssec" ]
+server.conf_zone(zone).zonefile_skip = [ "aaaa", "dnssec" ]
t.start()
zf.check_count(0, "RRSIG")
zf.check_count(0, "NSEC")
-server.zonefile_skip = [ "a", "nsec" ]
+server.conf_zone(zone).zonefile_skip = [ "a", "nsec" ]
server.gen_confile()
server.reload()
t.sleep(2)
zf.check_count(10, "RRSIG")
zf.check_count(0, "NSEC")
-server.zonefile_sync = "-1"
-server.zonefile_load = "difference-no-serial"
-server.zones[zone[0].name].journal_content = "all"
+server.conf_zone(zone).zonefile_sync = "-1"
+server.conf_zone(zone).zonefile_load = "difference-no-serial"
+server.conf_zone(zone).journal_content = "all"
server.gen_confile()
server.reload()
t.sleep(1)
slave = t.server("knot")
for server in [master, slave]:
- server.tcp_remote_io_timeout = "1000"
+ server.conf_srv().tcp_remote_io_timeout = "1000"
t.link([zone], master, slave)
master.disable_notify = True
t.link(zones, master, slave)
-master.update_delay = 6
-slave.update_delay = 6
+master.conf_zone(zones).update_delay = 6
+slave.conf_zone(zones).update_delay = 6
-master.serial_policy = "unixtime"
-slave.serial_policy = "unixtime"
+master.conf_zone(zones).serial_policy = "unixtime"
+slave.conf_zone(zones).serial_policy = "unixtime"
for z in zones:
master.zones[z.name].zfile.update_soa(serial=int(time.time()))
def increment_serials(server, zones, serials):
res = serials
for z in zones:
- res[z.name] += server.update_delay
+ res[z.name] += server.conf_zone(zones[0]).update_delay
return res
def zones_wait_eq(server, zones, serials):
knot.stop()
-knot.zones[zone[0].name].journal_content = "all"
-knot.zonefile_load = "none"
+knot.conf_zone(zone).journal_content = "all"
+knot.conf_zone(zone).zonefile_load = "none"
knot.gen_confile()
knot.zones[zone[0].name].zfile.remove() # just to make sure
if DNSSEC:
for z in zone:
master.dnssec(z).enable = True
- slave.dnssec(z).validate = True
+ slave.conf_zone(z).dnssec_validation = True
-master.zonefile_sync = 0
-master.zonemd_generate = "none"
-slave.zonemd_verify = False
+master.conf_zone(zone).zonefile_sync = 0
+master.conf_zone(zone).zonemd_generate = "none"
+slave.conf_zone(zone).zonemd_verify = False
t.start()
serial = slave.zones_wait(zone)
check_zonemd(master, zone, Algo.NONE)
-master.zonemd_generate = "zonemd-sha384"
+master.conf_zone(zone).zonemd_generate = "zonemd-sha384"
master.gen_confile()
master.reload()
-slave.zonemd_verify = True
+slave.conf_zone(zone).zonemd_verify = True
check_serial_incr(slave, zone, serial, 1, "alg change")
check_zonemd(master, zone, Algo.SHA384)
-master.zonemd_generate = "zonemd-sha512"
+master.conf_zone(zone).zonemd_generate = "zonemd-sha512"
master.gen_confile()
master.reload()
check_serial_incr(slave, zone, serial, 1, "alg change")
check_serial_incr(slave, zone, serial, 2, "ZF reload")
check_zonemd(master, zone, Algo.SHA512)
-slave.zonemd_verify = False
+slave.conf_zone(zone).zonemd_verify = False
slave.gen_confile()
slave.reload()
-master.zonemd_generate = "none"
+master.conf_zone(zone).zonemd_generate = "none"
master.gen_confile()
master.reload()
check_zonemd(master, zone, Algo.SHA512)
-master.zonemd_generate = "remove"
+master.conf_zone(zone).zonemd_generate = "remove"
master.gen_confile()
master.reload()
check_serial_incr(slave, zone, serial, 1, "ZONEMD remove")
check_zonemd(master, zone, Algo.NONE)
# removing when there's nothing left to remove shouldn't do anything
-master.zonemd_generate = "none"
+master.conf_zone(zone).zonemd_generate = "none"
master.gen_confile()
master.reload()
check_zonemd(master, zone, Algo.NONE)
-master.zonemd_generate = "remove"
+master.conf_zone(zone).zonemd_generate = "remove"
master.gen_confile()
master.reload()
check_zonemd(master, zone, Algo.NONE)
zone = t.zone(ZONE)
t.link(zone, master, slave)
-master.zonefile_sync = -1
-master.zonemd_generate = "zonemd-sha384"
-slave.zonemd_verify = True
+master.conf_zone(zone).zonefile_sync = -1
+master.conf_zone(zone).zonemd_generate = "zonemd-sha384"
+slave.conf_zone(zone).zonemd_verify = True
VALIDATE_ZONEFILE = random.choice([True, False])
backup_cnt = 0
check_log("ZONE FILE LOAD: " + load + ", DNSSEC: " + str(dnssec) + ", valide ZF: " + str(VALIDATE_ZONEFILE))
master.ctl("-f zone-purge +journal +timers +kaspdb " + ZONE)
- master.zonefile_load = load
- master.zones[ZONE].journal_content = "all" if load == "difference-no-serial" else "changes"
- master.zones[ZONE].dnssec.enable = dnssec
+ master.conf_zone(zone).zonefile_load = load
+ master.conf_zone(zone).journal_content = "all" if load == "difference-no-serial" else "changes"
+ master.dnssec(zone).enable = dnssec
master.gen_confile()
master.stop()
master.start()
self.conf += ', '.join(str(value) for value in values)
self.conf += "]\n"
+ def item_list_str(self, name, values):
+ self.conf += " %s: [ \"" % name
+ self.conf += '\", \"'.join(str(value) for value in values)
+ self.conf += "\" ]\n"
+
+ def item_type(self, name, value):
+ if value is None:
+ return
+ elif isinstance(value, bool):
+ self.item(name, "on" if value else "off")
+ elif isinstance(value, str):
+ self.item_str(name, value)
+ elif isinstance(value, list):
+ if len(value) < 1:
+ return
+ elif isinstance(value[0], str):
+ self.item_list_str(name, value)
+ else:
+ self.item_list(name, value)
+ else:
+ self.item(name, value)
+
def id_item(self, name, value):
if not self.first_item:
self.conf += "\n"
return zone[0]
return zone
-class ZoneDnssec(object):
- '''Zone DNSSEC signing configuration'''
-
- def __init__(self):
- self.enable = None
- self.validate = None
- self.disable = None # create the policy in config, but set dnssec-signing: off
- self.manual = None
- self.keystores = []
- self.single_type_signing = None
- self.alg = None
- self.ksk_size = None
- self.zsk_size = None
- self.dnskey_ttl = None
- self.zone_max_ttl = None
- self.keytag_modulo = "0/1"
- self.ksk_lifetime = None
- self.zsk_lifetime = None
- self.delete_delay = None
- self.propagation_delay = None
- self.rrsig_lifetime = None
- self.rrsig_refresh = None
- self.rrsig_prerefresh = None
- self.repro_sign = None
- self.nsec3 = None
- self.nsec3_iters = None
- self.nsec3_opt_out = None
- self.nsec3_salt_lifetime = None
- self.nsec3_salt_len = None
- self.ksk_sbm_check = []
- self.ksk_sbm_check_interval = None
- self.ksk_sbm_timeout = None
- self.ksk_sbm_delay = None
- self.ds_push = None
- self.dnskey_sync = None
- self.ksk_shared = None
- self.shared_policy_with = None
- self.cds_publish = None
- self.cds_digesttype = None
- self.dnskey_mgmt = None
- self.offline_ksk = None
- self.signing_threads = None
+class ConfMultidict(object):
+ def __init__(self, zonenames, all_zones_conf, remotes):
+ # NOTE this works like `self.zonenames = zonenames` EXCEPT that would interfere with the redefinition of __setattr__ therefore setting thru self.__dict__ which is inertial.
+ self.__dict__['zonenames'] = zonenames # List of names (strings!) of zones that are to be manipulated by this multidict. They SHOULD be a subset of zones configured at the server.
+ self.__dict__['all_zones_conf'] = all_zones_conf # Whole subsection configuration of the server, which is a dict() mapping zone names to dicts of configuration options belonging to this one subsection. This covers ALL server's configured zones.
+ self.__dict__['remotes'] = remotes # List of server remotes. These are augmented if any remote-relevant option value is configured.
+ # NOTE for configuration options not tied to any zones (e.g. 'server' subsection), the "server" string is a placeholder for zone name, so that the depth of nested dict()s is preserved.
+
+ def __getattr__(self, attr):
+ if len(self.__dict__['zonenames']) != 1:
+ raise Exception("can't read configuration of multiple zones")
+ zonename = self.__dict__['zonenames'][0]
+ try:
+ return self.__dict__['all_zones_conf'][zonename][attr]
+ except KeyError:
+ return None
+
+ def __setattr__(self, key, value):
+ if isinstance(value, list) and len(value) > 0:
+ if isinstance(value[0], Server):
+ if self.__dict__['remotes'] is not None:
+ self.__dict__['remotes'].update(value)
+ value = [ v.name for v in value ]
+ else:
+ if isinstance(value, Server):
+ if self.__dict__['remotes'] is not None:
+ self.__dict__['remotes'].add(value)
+ value = value.name
+ for zonename in self.__dict__['zonenames']:
+ self.__dict__['all_zones_conf'][zonename][key] = value
class ZoneCatalogRole(enum.IntEnum):
"""Zone catalog roles."""
class Zone(object):
'''DNS zone description'''
- def __init__(self, zone_file, ddns=False, ixfr=False, journal_content="changes"):
+ def __init__(self, zone_file, ddns=False, ixfr=False):
self.zfile = zone_file
self.masters = set()
self.slaves = set()
- self.redis_in = None
- self.redis_out = None
- self.serial_modulo = None
self.ddns = ddns
self.ixfr = ixfr
- self.journal_content = journal_content # journal contents
self.modules = []
- self.reverse_from = None
- self.include_from = None
- self.external = None
- self.dnssec = ZoneDnssec()
+ self.dnssec = None # TODO temporary, refactor to remove
self.catalog_role = ZoneCatalogRole.NONE
self.catalog_gen_name = None # Generated catalog name for this member
self.catalog_group = None
- self.refresh_max = None
- self.refresh_min = None
- self.retry_max = None
- self.retry_min = None
- self.expire_max = None
- self.expire_min = None
@property
def name(self):
self.data_dir = None
+ self.conf = { "server": { "server": self.conf_defaults_server() }, # see comments at ConfMultidict
+ "zone": dict(),
+ "policy": dict(),
+ "submission": dict(),
+ "dnskey-sync": dict(),
+ "external": dict() }
+ self.remotes = set()
+
self.nsid = None
self.ident = None
self.version = None
self.cert_hostname = list()
self.ca_file = str()
self.cert_key_file = None # quadruple (key_file, cert_file, hostname, pin)
- self.udp_workers = None
- self.tcp_workers = None
- self.bg_workers = None
self.fixed_port = False
self.ctlport = None
- self.external = False
+ self.external = False # Means an externally running server
self.ctlkey = None
self.ctlkeyfile = None
self.tsig = None
self.zones = dict()
- self.tcp_reuseport = None
- self.tcp_remote_io_timeout = None
- self.tcp_io_timeout = None
- self.tcp_idle_timeout = None
- self.quic_idle_close_timeout = None
- self.udp_max_payload = None
- self.udp_max_payload_ipv4 = None
- self.udp_max_payload_ipv6 = None
self.disable_notify = None
- self.ddns_master = None
- self.semantic_check = True
- self.zonefile_sync = "1d"
- self.notify_delay = None
- self.update_delay = None
- self.zonefile_load = None
- self.zonefile_skip = None
- self.zonemd_verify = None
- self.zonemd_generate = None
- self.ixfr_benevolent = None
- self.ixfr_by_one = None
- self.ixfr_from_axfr = None
self.journal_db_size = 20 * 1024 * 1024
- self.journal_max_usage = 5 * 1024 * 1024
- self.journal_max_depth = 100
self.timer_db_size = 1 * 1024 * 1024
self.kasp_db_size = 10 * 1024 * 1024
self.catalog_db_size = 10 * 1024 * 1024
- self.zone_size_limit = None
- self.serial_policy = None
- self.auto_acl = None
- self.async_start = None
- self.provide_ixfr = None
- self.master_pin_tol = None
self.quic_log = None
self.inquirer = None
self.binding_errors = 0
+ def conf_base(self, conf_section, zones):
+ if not isinstance(zones, list):
+ zones = [ zones ]
+ zonenames = [ z if isinstance(z, str) else z.name for z in zones ]
+
+ for zn in zonenames:
+ if zn not in conf_section:
+ conf_section[zn] = dict()
+ return ConfMultidict(zonenames, conf_section, self.remotes)
+
+ def conf_ss(self, subsection, zones):
+ return self.conf_base(self.conf[subsection], zones)
+
+ def conf_zone(self, zones):
+ return self.conf_ss("zone", zones)
+
+ def conf_srv(self):
+ return self.conf_ss("server", ["server"])
+
+ def conf_defaults(self, zone_name):
+ return { "zone": dict() }
+
+ def conf_defaults_server(self):
+ return dict()
+
def _check_socket(self, proto, port):
if self.addr.startswith("/"):
ux_socket = True
xdp = (random.random() < 0.8)
return self.xdp_port if xdp else self.port
- def set_master(self, zone, slave=None, ddns=False, ixfr=False, journal_content="changes"):
+ def set_new_zone(self, name, z):
+ self.zones[name] = z
+ cd = self.conf_defaults(name)
+ for subsection in cd:
+ self.conf[subsection].update(cd[subsection])
+
+ def set_master(self, zone, slave=None, ddns=False, ixfr=False):
'''Set the server as a master for the zone'''
if zone.name not in self.zones:
master_file = zone.clone(self.dir + "/master")
- z = Zone(master_file, ddns, ixfr, journal_content)
- self.zones[zone.name] = z
+ z = Zone(master_file, ddns, ixfr)
+ self.set_new_zone(zone.name, z)
else:
z = self.zones[zone.name]
if slave:
z.slaves.add(slave)
- def set_slave(self, zone, master, ddns=False, ixfr=False, journal_content="changes"):
+ def set_slave(self, zone, master, ddns=False, ixfr=False):
'''Set the server as a slave for the zone'''
slave_file = zone.clone(self.dir + "/slave", exists=False)
if zone.name not in self.zones:
- z = Zone(slave_file, ddns, ixfr, journal_content)
- self.zones[zone.name] = z
+ z = Zone(slave_file, ddns, ixfr)
+ self.set_new_zone(zone.name, z)
else:
z = self.zones[zone.name]
z.disable_master(slave_file)
distutils.dir_util.copy_tree(zone.key_dir, self.keydir, update=True)
def dnssec(self, zone):
- zone = zone_arg_check(zone)
-
- return self.zones[zone.name].dnssec
+ return self.conf_ss("policy", zone)
def enable_nsec3(self, zone, **args):
zone = zone_arg_check(zone)
for zone in sorted(self.zones):
z = self.zones[zone]
+ z.dnssec = self.dnssec(z)
if not z.dnssec.enable:
continue
for zone in sorted(self.zones):
z = self.zones[zone]
+ z.dnssec = self.dnssec(z)
s.begin("zone", z.name)
s.item_str("file", z.zfile.path)
s.item("check-names", "warn")
s.item("inline-signing", "yes")
s.item("dnssec-policy", z.name)
s.item_str("key-directory", self.keydir)
- if z.dnssec.ksk_sbm_check:
+ if zone in self.conf["submission"] and "parent" in self.conf["submission"][zone]:
parents = ""
- for parent in z.dnssec.ksk_sbm_check:
- parents += "%s port %i; " % (parent.addr, parent.port)
+ for parent in self.conf["submission"][zone]["parent"]:
+ parmt = None
+ for rmt in self.remotes:
+ if rmt.name == parent:
+ parmt = rmt
+ if parmt:
+ parents += "%s port %i; " % (parmt.addr, parmt.port)
s.item("parental-agents", "{ %s}" % parents)
s.end()
def start(self, clean=False, fatal=True):
for zname in self.zones:
z = self.zones[zname]
+ z.dnssec = self.dnssec(z)
if z.dnssec.enable != True:
continue
outf.write(line)
#if z.dnssec.nsec3:
#n3flag = 1 if z.dnssec.nsec3_opt_out else 0
- #n3iters = z.dnssec.nsec3_iters or 0
+ #n3iters = z.dnssec.nsec3_iterations or 0
#outf.write("%s NSEC3PARAM 1 %d %d -\n" % (z.name, n3flag, n3iters)) # this does not work!
super().start(clean, fatal)
z = self.zones[zname]
if z.dnssec.nsec3:
n3flag = 1 if z.dnssec.nsec3_opt_out else 0
- n3iters = z.dnssec.nsec3_iters or 0
+ n3iters = z.dnssec.nsec3_iterations or 0
self.ctl("signing -nsec3param 1 %d %d - %s" % (n3flag, n3iters, z.name))
class Knot(Server):
def wait_function(self, wait=False): # needed for compatibility with Bind class
pass
+ def conf_defaults(self, zone_name):
+ cd = { "zone": dict(), "policy": dict() }
+ cd["zone"][zone_name] = { "zonefile_sync": "1d", "semantic_checks": True, "notify_delay": random.randint(0, 1),
+ "journal_max_usage": 5 * 1024 * 1024, "adjust_threads": random.randint(1, 4) }
+ cd["policy"][zone_name] = { "keystore": [], "keytag_modulo": '0/1', "signing_threads": random.randint(1, 4) }
+ return cd
+
+ def conf_defaults_server(self):
+ return { "remote_pool_limit": random.randint(0, 6), "remote_retry_delay": random.choice([0, 1, 5]) }
+
def flush(self, zone=None, wait=False):
- params = "-f " if str(self.zonefile_sync)[0] == '-' else ""
+ one_zone = list(self.zones)[0] if zone is None and len(self.zones) > 0 else zone
+ params = "-f " if one_zone is not None and str(self.conf_zone(one_zone).zonefile_sync)[0] == '-' else ""
if zone:
self.ctl("%szone-flush %s" % (params, zone.name), wait=wait)
else:
conf.item_str("secret", key.key)
keys.add(key.name)
- def _bool(self, conf, name, value):
- if value != None:
- conf.item_str(name, "on" if value else "off")
-
def _str(self, conf, name, value):
if value != None:
conf.item_str(name, value)
acl += ", acl_%s" % slave.name
if slaves:
conf.item("notify", "[%s]" % slaves)
- for remote in zone.dnssec.dnskey_sync if zone.dnssec.dnskey_sync else []:
- acl += ", acl_%s_ddns" % remote.name
- if not self.auto_acl:
+ if zone.name in self.conf["dnskey-sync"]:
+ for rmt in self.conf["dnskey-sync"][zone.name]["remote"]:
+ acl += ", acl_%s" % rmt
+ if not self.conf_srv().automatic_acl:
conf.item("acl", "[%s]" % acl)
def get_config(self):
self._on_str_hex(s, "nsid", self.nsid)
s.item_str("rundir", self.dir)
s.item_str("pidfile", os.path.join(self.dir, self.pidfile))
+
+ for ci, val in self.conf["server"]["server"].items():
+ s.item_type(ci.replace("_", "-"), val)
+
if self.addr.startswith("/"):
s.item_str("listen", "%s" % self.addr)
else:
s.item_str("listen", "%s@%s" % (self.addr, self.port))
+ for addr in self.addr_extra:
+ s.item_str("listen", "%s@%s" % (addr, self.port))
if self.quic_port:
s.item_str("listen-quic", "%s@%s" % (self.addr, self.quic_port))
if self.tls_port:
s.item_str("listen-tls", "%s@%s" % (self.addr, self.tls_port))
- if self.udp_workers:
- s.item_str("udp-workers", self.udp_workers)
- if self.tcp_workers:
- s.item_str("tcp-workers", self.tcp_workers)
- if self.bg_workers:
- s.item_str("background-workers", self.bg_workers)
- for addr in self.addr_extra:
- s.item_str("listen", "%s@%s" % (addr, self.port))
- self._bool(s, "tcp-reuseport", self.tcp_reuseport)
- self._str(s, "tcp-remote-io-timeout", self.tcp_remote_io_timeout)
- self._str(s, "tcp-io-timeout", self.tcp_io_timeout)
- self._str(s, "tcp-idle-timeout", self.tcp_idle_timeout)
- self._str(s, "quic-idle-close-timeout", self.quic_idle_close_timeout)
- self._str(s, "udp-max-payload", self.udp_max_payload)
- self._str(s, "udp-max-payload-ipv4", self.udp_max_payload_ipv4)
- self._str(s, "udp-max-payload-ipv6", self.udp_max_payload_ipv6)
- self._str(s, "remote-pool-limit", str(random.randint(0,6)))
- self._str(s, "remote-retry-delay", str(random.choice([0, 1, 5])))
- self._bool(s, "automatic-acl", self.auto_acl)
- self._bool(s, "async-start", self.async_start)
if self.cert_key_file:
s.item_str("key-file", self.cert_key_file[0])
s.item_str("cert-file", self.cert_key_file[1])
s.item_str("timeout", "15")
s.end()
+ all_remotes = set()
+ for zone in self.zones:
+ z = self.zones[zone]
+ all_remotes.update(z.masters)
+ all_remotes.update(z.slaves)
+ all_remotes.update(self.remotes)
+
if self.tsig:
keys = set() # Duplicy check.
s.begin("key")
self._key(s, keys, self.tsig_test, "test")
self._key(s, keys, self.tsig, "local")
-
- for zone in sorted(self.zones):
- z = self.zones[zone]
- for master in z.masters:
- self._key(s, keys, master.tsig, master.name)
- for slave in z.slaves:
- self._key(s, keys, slave.tsig, slave.name)
- for remote in z.dnssec.dnskey_sync if z.dnssec.dnskey_sync else []:
- self._key(s, keys, remote.tsig, remote.name)
+ for rmt in all_remotes:
+ self._key(s, keys, rmt.tsig, rmt.name)
s.end()
- have_remote = False
- servers = set() # Duplicity check.
- for zone in sorted(self.zones):
- z = self.zones[zone]
- for master in z.masters:
- if master.name not in servers:
- if not have_remote:
- s.begin("remote")
- have_remote = True
- s.id_item("id", master.name)
- if master.quic_port or master.tls_port:
- s.item_str("address", "%s@%s" % (master.addr, master.tls_port or master.quic_port))
- s.item_str("tls" if master.tls_port else "quic", "on")
- if master.cert_key:
- s.item_str("cert-key", master.cert_key)
- elif master.cert_hostname:
- s.item_list("cert-hostname", master.cert_hostname)
- elif master.cert_key_file:
- s.item_str("cert-key", master.cert_key_file[3])
- else:
- if master.addr.startswith("/"):
- s.item_str("address", "%s" % master.addr)
- else:
- s.item_str("address", "%s@%s" % (master.addr, master.query_port()))
- if self.tsig:
- s.item_str("key", self.tsig.name)
- if self.via:
- s.item_str("via", self.via)
- if master.no_xfr_edns:
- s.item_str("no-edns", "on")
- servers.add(master.name)
- for slave in z.slaves:
- if slave.name not in servers:
- if not have_remote:
- s.begin("remote")
- have_remote = True
- s.id_item("id", slave.name)
- if slave.quic_port or slave.tls_port:
- s.item_str("address", "%s@%s" % (slave.addr, slave.tls_port or slave.quic_port))
- s.item_str("tls" if slave.tls_port else "quic", "on")
- if slave.cert_key:
- s.item_str("cert-key", slave.cert_key)
- elif slave.cert_hostname:
- s.item_list("cert-hostname", slave.cert_hostname)
- elif slave.cert_key_file:
- s.item_str("cert-key", slave.cert_key_file[3])
- else:
- if slave.addr.startswith("/"):
- s.item_str("address", "%s" % slave.addr)
- else:
- s.item_str("address", "%s@%s" % (slave.addr, slave.query_port()))
- if self.via:
- s.item_str("via", self.via)
- if self.tsig:
- s.item_str("key", self.tsig.name)
- servers.add(slave.name)
- for parent in z.dnssec.ksk_sbm_check + [ z.dnssec.ds_push ] if z.dnssec.ds_push else z.dnssec.ksk_sbm_check:
- if isinstance(parent, Server) and parent.name not in servers:
- if not have_remote:
- s.begin("remote")
- have_remote = True
- s.id_item("id", parent.name)
- if parent.addr.startswith("/"):
- s.item_str("address", "%s" % parent.addr)
- else:
- s.item_str("address", "%s@%s" % (parent.addr, parent.port))
- if self.via:
- s.item_str("via", self.via)
- servers.add(parent.name)
- for remote in z.dnssec.dnskey_sync if z.dnssec.dnskey_sync else []:
- if remote.name not in servers:
- if not have_remote:
- s.begin("remote")
- have_remote = True
- s.id_item("id", remote.name)
- if remote.quic_port or remote.tls_port:
- s.item_str("address", "%s@%s" % (remote.addr, remote.tls_port or remote.quic_port))
- s.item_str("tls" if remote.tls_port else "quic", "on")
- if remote.cert_key:
- s.item_str("cert-key", remote.cert_key)
- elif remote.cert_hostname:
- s.item_list("cert-hostname", remote.cert_hostname)
- elif remote.cert_key_file:
- s.item_str("cert-key", remote.cert_key_file[3])
- else:
- if remote.addr.startswith("/"):
- s.item_str("address", "%s" % remote.addr)
- else:
- s.item_str("address", "%s@%s" % (remote.addr, remote.port))
- if remote.via:
- s.item_str("via", self.via)
- if remote.tsig:
- s.item_str("key", self.tsig.name)
- servers.add(remote.name)
-
- if have_remote:
+ for rmt in all_remotes:
+ s.begin("remote")
+ s.id_item("id", rmt.name)
+ if rmt.quic_port or rmt.tls_port:
+ s.item_str("address", "%s@%s" % (rmt.addr, rmt.tls_port or rmt.quic_port))
+ s.item_str("tls" if rmt.tls_port else "quic", "on")
+ if rmt.cert_key:
+ s.item_str("cert-key", rmt.cert_key)
+ elif rmt.cert_hostname:
+ s.item_list("cert-hostname", rmt.cert_hostname)
+ elif rmt.cert_key_file:
+ s.item_str("cert-key", rmt.cert_key_file[3])
+ else:
+ if rmt.addr.startswith("/"):
+ s.item_str("address", "%s" % rmt.addr)
+ else:
+ s.item_str("address", "%s@%s" % (rmt.addr, rmt.query_port()))
+ if self.tsig:
+ s.item_str("key", self.tsig.name)
+ if self.via:
+ s.item_str("via", self.via)
+ if rmt.no_xfr_edns:
+ s.item_str("no-edns", "on")
s.end()
s.begin("acl")
s.item_str("key", self.tsig_test.name)
s.item("action", "[transfer, notify, update]")
- servers = set() # Duplicity check.
- for zone in sorted(self.zones):
- z = self.zones[zone]
- for master in z.masters:
- if master.name not in servers:
- s.id_item("id", "acl_%s" % master.name)
- if master.addr.startswith("/"):
- s.item_str("address", self.addr)
- else:
- s.item_str("address", master.addr)
- if master.tsig:
- s.item_str("key", master.tsig.name)
- if master.cert_key:
- s.item_str("cert-key", master.cert_key)
- if master.cert_hostname:
- s.item_list("cert-hostname", master.cert_hostname)
- s.item("action", "notify")
- servers.add(master.name)
- for slave in z.slaves:
- if slave.name in servers:
- continue
- s.id_item("id", "acl_%s" % slave.name)
- if slave.addr.startswith("/"):
- s.item_str("address", self.addr)
- else:
- s.item_str("address", slave.addr)
- if slave.tsig:
- s.item_str("key", slave.tsig.name)
- if slave.cert_key:
- s.item_str("cert-key", slave.cert_key)
- if slave.cert_hostname:
- s.item_list("cert-hostname", slave.cert_hostname)
- s.item("action", "[transfer" + (", update" if z.ddns else "") + "]")
- servers.add(slave.name)
- for remote in z.dnssec.dnskey_sync if z.dnssec.dnskey_sync else []:
- dupl_name = remote.name + "_ddns"
- if dupl_name in servers:
- continue
- s.id_item("id", "acl_%s" % dupl_name)
- if remote.tsig:
- s.item_str("key", remote.tsig.name)
- s.item("action", "update")
- servers.add(dupl_name)
+ for rmt in all_remotes:
+ aclaction = set()
+ for zone in self.zones:
+ z = self.zones[zone]
+ if rmt in z.masters:
+ aclaction.add("notify")
+ if rmt in z.slaves:
+ aclaction.add("transfer")
+ if z.ddns:
+ aclaction.add("update")
+ if zone in self.conf["dnskey-sync"] and rmt.name in self.conf["dnskey-sync"][zone]["remote"]:
+ aclaction.add("update")
+
+ if len(aclaction) < 1:
+ continue
+
+ s.id_item("id", "acl_%s" % rmt.name)
+ if rmt.addr.startswith("/"):
+ s.item_str("address", self.addr)
+ else:
+ s.item_str("address", rmt.addr)
+ if rmt.tsig:
+ s.item_str("key", rmt.tsig.name)
+ if rmt.cert_key:
+ s.item_str("cert-key", rmt.cert_key)
+ if rmt.cert_hostname:
+ s.item_list("cert-hostname", rmt.cert_hostname)
+ s.item_list("action", list(aclaction))
s.end()
if len(self.modules) > 0:
for module in z.modules:
module.get_conf(s)
- have_sbm = False
- for zone in sorted(self.zones):
- z = self.zones[zone]
- if not z.dnssec.enable:
- continue
- if len(z.dnssec.ksk_sbm_check) < 1 and z.dnssec.ksk_sbm_timeout is None:
- continue
- if not have_sbm:
- s.begin("submission")
- have_sbm = True
- s.id_item("id", z.name)
- parents = ""
- for parent in z.dnssec.ksk_sbm_check:
- if parents:
- parents += ", "
- parents += parent.name
- if parents != "":
- s.item("parent", "[%s]" % parents)
- self._str(s, "check-interval", z.dnssec.ksk_sbm_check_interval)
- if z.dnssec.ksk_sbm_timeout is not None:
- self._str(s, "timeout", z.dnssec.ksk_sbm_timeout)
- if z.dnssec.ksk_sbm_delay is not None:
- self._str(s, "parent-delay", z.dnssec.ksk_sbm_delay)
- if have_sbm:
- s.end()
-
- have_dnskeysync = False
- for zone in sorted(self.zones):
- z = self.zones[zone]
- if not z.dnssec.enable:
- continue
- if z.dnssec.dnskey_sync is None:
- continue
- if not have_dnskeysync:
- s.begin("dnskey-sync")
- have_dnskeysync = True
- s.id_item("id", z.name)
- remotes = ""
- for remote in z.dnssec.dnskey_sync:
- if remotes:
- remotes += ", "
- remotes += remote.name
- if remotes != "":
- s.item("remote", "[%s]" % remotes)
- if have_dnskeysync:
- s.end()
-
- have_external = False
- for zone in sorted(self.zones):
- z = self.zones[zone]
- if not z.external:
- continue
- if not have_external:
- s.begin("external")
- have_external = True
- s.id_item("id", z.name)
- self._str(s, "timeout", z.external["timeout"])
- self._str(s, "dump-new-zone", z.external["new"])
- self._str(s, "dump-removals", z.external["rem"])
- self._str(s, "dump-additions", z.external["add"])
- if have_external:
- s.end()
+ for subsection in [ "submission", "dnskey-sync", "external" ]:
+ for zone in self.conf[subsection]:
+ s.begin(subsection)
+ s.id_item("id", zone)
+ for ci, val in self.conf[subsection][z.name].items():
+ s.item_type(ci.replace("_", "-"), val)
+ s.end()
have_keystore = False
for zone in sorted(self.zones):
z = self.zones[zone]
- if not z.dnssec.keystores:
+ z.dnssec = self.dnssec(z)
+ if not z.dnssec.keystore:
continue
if not have_keystore:
s.begin("keystore")
have_keystore = True
- for ks in z.dnssec.keystores:
+ for ks in z.dnssec.keystore:
s.id_item("id", ks)
s.item("config", ks)
if ks.endswith("ksk"):
have_policy = False
for zone in sorted(self.zones):
z = self.zones[zone]
- if not z.dnssec.enable and not z.dnssec.validate:
- continue
-
- if (z.dnssec.shared_policy_with or z.name) != z.name:
- continue
-
- if not have_policy:
- s.begin("policy")
- have_policy = True
+ z.dnssec = self.dnssec(z)
+ s.begin("policy")
s.id_item("id", z.name)
- self._bool(s, "manual", z.dnssec.manual)
- self._bool(s, "single-type-signing", z.dnssec.single_type_signing)
- if z.dnssec.keystores:
- s.item("keystore", "[ %s ]" % ", ".join(z.dnssec.keystores))
- self._str(s, "algorithm", z.dnssec.alg)
- self._str(s, "ksk-size", z.dnssec.ksk_size)
- self._str(s, "zsk-size", z.dnssec.zsk_size)
- self._str(s, "dnskey-ttl", z.dnssec.dnskey_ttl)
- self._str(s, "zone-max-ttl", z.dnssec.zone_max_ttl)
- self._str(s, "keytag-modulo", z.dnssec.keytag_modulo)
- self._str(s, "ksk-lifetime", z.dnssec.ksk_lifetime)
- self._str(s, "zsk-lifetime", z.dnssec.zsk_lifetime)
- self._str(s, "delete-delay", z.dnssec.delete_delay)
- self._str(s, "propagation-delay", z.dnssec.propagation_delay)
- self._str(s, "rrsig-lifetime", z.dnssec.rrsig_lifetime)
- self._str(s, "rrsig-refresh", z.dnssec.rrsig_refresh)
- self._str(s, "rrsig-pre-refresh", z.dnssec.rrsig_prerefresh)
- self._str(s, "reproducible-signing", z.dnssec.repro_sign)
- self._bool(s, "nsec3", z.dnssec.nsec3)
- self._str(s, "nsec3-iterations", z.dnssec.nsec3_iters)
- self._bool(s, "nsec3-opt-out", z.dnssec.nsec3_opt_out)
- self._str(s, "nsec3-salt-lifetime", z.dnssec.nsec3_salt_lifetime)
- self._str(s, "nsec3-salt-length", z.dnssec.nsec3_salt_len)
- if len(z.dnssec.ksk_sbm_check) > 0 or z.dnssec.ksk_sbm_timeout is not None:
- s.item("ksk-submission", z.name)
- if z.dnssec.dnskey_sync:
- s.item("dnskey-sync", z.name)
- self._bool(s, "ksk-shared", z.dnssec.ksk_shared)
- self._str(s, "cds-cdnskey-publish", z.dnssec.cds_publish)
- if z.dnssec.cds_digesttype:
- self._str(s, "cds-digest-type", z.dnssec.cds_digesttype)
- self._str(s, "dnskey-management", z.dnssec.dnskey_mgmt)
- self._bool(s, "offline-ksk", z.dnssec.offline_ksk)
- self._str(s, "signing-threads",
- z.dnssec.signing_threads if z.dnssec.signing_threads is not None
- else str(random.randint(1,4)))
- if have_policy:
+ for ci, val in self.conf["policy"][z.name].items():
+ if ci not in [ "enable", "shared_policy_with" ]:
+ s.item_type(ci.replace("_", "-"), val)
+
+ if zone in self.conf["dnskey-sync"]:
+ s.item("dnskey-sync", zone)
+ if zone in self.conf["submission"]:
+ s.item("ksk-submission", zone)
s.end()
s.begin("database")
s.begin("template")
s.id_item("id", "default")
s.item_str("storage", self.dir)
- s.item_str("zonefile-sync", self.zonefile_sync)
- if self.notify_delay is None:
- self.notify_delay = random.randint(0, 1)
- s.item_str("notify-delay", self.notify_delay)
- self._str(s, "update-delay", self.update_delay)
- if self.zonemd_verify:
- s.item_str("zonemd-verify", "on")
- if self.zonemd_generate is not None:
- s.item_str("zonemd-generate", self.zonemd_generate)
- s.item_str("journal-max-usage", self.journal_max_usage)
- s.item_str("journal-max-depth", self.journal_max_depth)
- s.item_str("adjust-threads", str(random.randint(1,4)))
- if self.semantic_check == "soft":
- self._str(s, "semantic-checks", self.semantic_check)
- else:
- self._bool(s, "semantic-checks", self.semantic_check)
if len(self.modules) > 0:
modules = ""
for module in self.modules:
modules += ", "
modules += module.get_conf_ref()
s.item("global-module", "[%s]" % modules)
- if self.zone_size_limit:
- s.item("zone-max-size", self.zone_size_limit)
have_catalog = None
for zone in self.zones:
z = self.zones[zone]
+ z.dnssec = self.dnssec(z)
if z.catalog_role in [ZoneCatalogRole.INTERPRET, ZoneCatalogRole.GENERATE]:
have_catalog = z
break
s.id_item("id", "catalog-default")
s.item_str("file", self.dir + "/catalog/%s.zone")
s.item_str("zonefile-load", "difference")
- s.item_str("journal-content", z.journal_content)
+ s.item_str("journal-content", self.conf_zone(z).journal_content)
# this is weird but for the sake of testing, the cataloged zones inherit dnssec policy from catalog zone
- if z.dnssec.enable:
- s.item_str("dnssec-signing", "off" if z.dnssec.disable else "on")
- s.item_str("dnssec-policy", z.name)
+ s.item_str("dnssec-signing", "on" if z.dnssec.enable else "off")
+ s.item_str("dnssec-policy", z.name)
for module in z.modules:
if module.conf_name == "mod-onlinesign":
s.item("module", "[%s]" % module.get_conf_ref())
s.id_item("id", "catalog-signed")
s.item_str("file", self.dir + "/catalog/%s.zone")
- s.item_str("journal-content", z.journal_content)
+ s.item_str("journal-content", self.conf_zone(z).journal_content)
s.item_str("dnssec-signing", "on")
self.config_xfr(z, s)
s.id_item("id", "catalog-unsigned")
s.item_str("file", self.dir + "/catalog/%s.zone")
- s.item_str("journal-content", z.journal_content)
+ s.item_str("journal-content", self.conf_zone(z).journal_content)
self.config_xfr(z, s)
-
s.end()
s.begin("zone")
s.id_item("domain", z.name)
s.item_str("file", z.zfile.path)
- self.config_xfr(z, s)
-
- self._str(s, "zone-db-input", z.redis_in)
- self._str(s, "zone-db-output", z.redis_out)
-
- self._str(s, "serial-policy", self.serial_policy)
- self._str(s, "serial-modulo", z.serial_modulo)
- self._str(s, "ddns-master", self.ddns_master)
+ for ci, val in self.conf["zone"][z.name].items():
+ s.item_type(ci.replace("_", "-"), val)
- s.item_str("journal-content", z.journal_content)
- self._bool(s, "ixfr-benevolent", self.ixfr_benevolent)
- self._bool(s, "ixfr-by-one", self.ixfr_by_one)
- self._bool(s, "ixfr-from-axfr", self.ixfr_from_axfr)
- self._bool(s, "provide-ixfr", self.provide_ixfr)
-
- if z.reverse_from:
- s.item("reverse-generate", "[ " + ", ".join([ x.name for x in z.reverse_from ]) + " ]")
- if z.include_from:
- s.item("include-from", "[ " + ", ".join([ x.name for x in z.include_from ]) + " ]")
-
- self._str(s, "refresh-min-interval", z.refresh_min)
- self._str(s, "refresh-max-interval", z.refresh_max)
- self._str(s, "retry-min-interval", z.retry_min)
- self._str(s, "retry-max-interval", z.retry_max)
- self._str(s, "expire-min-interval", z.expire_min)
- self._str(s, "expire-max-interval", z.expire_max)
+ self.config_xfr(z, s)
- if z.external:
+ if zone in self.conf["external"]:
s.item("external-validation", z.name)
- if self.zonefile_load is not None:
- s.item_str("zonefile-load", self.zonefile_load)
- elif z.ixfr:
+ if "zonefile_load" not in self.conf["zone"][zone] and z.ixfr:
s.item_str("zonefile-load", "difference")
- if self.zonefile_skip is not None:
- s.item_list("zonefile-skip", self.zonefile_skip)
-
- self._str(s, "master-pin-tolerance", self.master_pin_tol)
-
if z.catalog_role == ZoneCatalogRole.GENERATE:
s.item_str("catalog-role", "generate")
elif z.catalog_role == ZoneCatalogRole.MEMBER:
s.item_str("catalog-role", "interpret")
s.item("catalog-template", "[ catalog-default, catalog-signed, catalog-unsigned ]")
- if z.dnssec.enable:
- s.item_str("dnssec-signing", "off" if z.dnssec.disable else "on")
-
- if z.dnssec.enable or z.dnssec.validate:
- s.item_str("dnssec-policy", z.dnssec.shared_policy_with or z.name)
-
- self._bool(s, "dnssec-validation", z.dnssec.validate)
-
- if z.dnssec.ds_push == "":
- s.item("ds-push", "[ ]")
- elif z.dnssec.ds_push:
- self._str(s, "ds-push", z.dnssec.ds_push.name)
+ s.item_str("dnssec-signing", "on" if self.dnssec(z).enable else "off")
+ s.item_str("dnssec-policy", self.dnssec(z).shared_policy_with or z.name)
if len(z.modules) > 0:
modules = ""
return zones
- def link(self, zones, master, slave=None, ddns=False, ixfr=False, journal_content="changes"):
+ def link(self, zones, master, slave=None, ddns=False, ixfr=False):
for zone in zones:
if master not in self.servers:
raise Failed("Server is out of testing scope")
- master.set_master(zone, slave, ddns, ixfr, journal_content)
+ master.set_master(zone, slave, ddns, ixfr)
if slave:
if slave not in self.servers:
raise Failed("Server is out of testing scope")
- slave.set_slave(zone, master, ddns, ixfr, journal_content)
+ slave.set_slave(zone, master, ddns, ixfr)
def _canonize_record(self, rtype, record):
''':-(('''
projects / thirdparty / knot-dns.git / commitdiff
