- /dnssec: true|false -> /dnssec/enabled: true|false
- /dnssec/keep-removed -> /dnssec/trust-anchors-keep-removed
- /dnssec/trust-anchor-sentinel -> /dnssec/sentinel
- - /dnssec/trust-anchor-signal-query -> /dnssec/signal-query
+ - /dnssec/trust-anchor-signal-query -> /dnssec/signal-query
+ - /logging/dnssec-bogus -> /dnssec/log-bogus
- /network/tls/files-watchdog -> /network/tls/watchdog
"description": "Enable/disable DNSSEC.",
"default": true
},
+ "log-bogus": {
+ "type": "boolean",
+ "description": "Enable logging for each DNSSEC validation failure if '/logging/level' is set to at least 'notice'.",
+ "default": false
+ },
"sentinel": {
"type": "boolean",
"description": "Allows users of DNSSEC validating resolver to detect which root keys are configured in resolver's chain of trust. (RFC 8509)",
},
"default": {
"enabled": true,
+ "log_bogus": false,
"sentinel": true,
"signal_query": true,
"trust_anchors_keep_removed": 0,
"description": "List of groups for which 'debug' logging level is set.",
"default": null
},
- "dnssec-bogus": {
- "type": "boolean",
- "description": "Logging a message for each DNSSEC validation failure.",
- "default": false
- },
"dnstap": {
"anyOf": [
{
"level": "notice",
"target": "stdout",
"groups": null,
- "dnssec_bogus": false,
"dnstap": false
}
},
.. code-block:: yaml
- logging:
- dnssec-bogus: true
+ dnssec:
+ log-bogus: true
Example of error message logged:
---
enabled: Enable/disable DNSSEC.
+ log_bogus: Enable logging for each DNSSEC validation failure if '/logging/level' is set to at least 'notice'.
sentinel: Allows users of DNSSEC validating resolver to detect which root keys are configured in resolver's chain of trust. (RFC 8509)
signal_query: Signaling Trust Anchor Knowledge in DNSSEC Using Key Tag Query, according to (RFC 8145#section-5).
trust_anchors_keep_removed: How many removed keys should be held in history (and key file) before being purged.
"""
enabled: bool = True
+ log_bogus: bool = False
sentinel: bool = True
signal_query: bool = True
trust_anchors_keep_removed: IntNonNegative = IntNonNegative(0)
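Review bot: The `log_bogus` docstring says messages appear only when `/logging/level` is at least 'notice', but nothing visible in this hunk ties the two settings together. `log-bogus: true` with a less verbose level such as 'warning' would presumably validate cleanly and log nothing. These messages may be the only record an operator has of bogus answers, so a silent no-op is a monitoring gap. Consider emitting a warning during config validation when `dnssec.log_bogus` is true and the configured level is less verbose than 'notice'. The description could also state the consequence, e.g. `Log each DNSSEC validation failure; has no effect unless '/logging/level' is 'notice' or more verbose.` The class body starts outside this hunk, so any existing cross-field validation is not visible here.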
level: Global logging level.
target: Global logging stream target. "from-env" uses $KRES_LOGGING_TARGET and defaults to "stdout".
groups: List of groups for which 'debug' logging level is set.
- dnssec_bogus: Logging a message for each DNSSEC validation failure.
dnstap: Logging DNS requests and responses to a unix socket.
"""
level: LogLevelEnum = "notice"
target: Union[LogTargetEnum, Literal["from-env"]] = "from-env"
groups: Optional[List[LogGroupsEnum]] = None
- dnssec_bogus: bool = False
dnstap: Union[Literal[False], DnstapSchema] = False
_LAYER = Raw
level: LogLevelEnum
target: LogTargetEnum
groups: Optional[List[LogGroupsEnum]]
- dnssec_bogus: bool
dnstap: Union[Literal[False], DnstapSchema]
def _target(self, raw: Raw) -> LogTargetEnum:
{% if cfg.dnssec.enabled %}
+-- dnssec.logging-bogus
+{% if cfg.dnssec.log_bogus %}
+modules.load('bogus_log')
+{% else %}
+-- modules.unload('bogus_log')
+{% endif %}
+
-- dnssec.sentinel
{% if cfg.dnssec.sentinel %}
modules.load('ta_sentinel')
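Review bot: The added comment reads `-- dnssec.logging-bogus`, but the option this commit introduces is `log-bogus` (`cfg.dnssec.log_bogus`). The neighbouring `-- dnssec.sentinel` comment mirrors its option name, so this one should read `-- dnssec.log-bogus`. The `{% else %}` branch only renders a commented-out `-- modules.unload('bogus_log')` into the generated config, which does nothing at runtime. Either drop the branch or replace it with a one-line comment explaining why no unload is needed. The block sits inside `{% if cfg.dnssec.enabled %}`, which closes outside this hunk, so `bogus_log` is no longer loaded when DNSSEC is disabled; that looks intended but is a behaviour change from the old `logging` template and is worth a comment.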
})
{% endif %}
-{% if cfg.logging.dnssec_bogus %}
-modules.load('bogus_log')
-{% endif %}
-
{% if cfg.logging.dnstap -%}
-- logging.dnstap
modules.load('dnstap')