--------------------
- see upgrading guide:
https://knot-resolver.readthedocs.io/en/v4.0.0/upgrading.html#upgrade-from-3-to-4
+- configuration: trust_anchors aliases .file, .config() and .negative were removed (!788)
+- configuration: trust_anchors.keyfile_default is no longer accessible (!788)
- meson build system is now used for builds (!771)
- build with embedded LMBD is no longer supported
- default modules dir location has changed
- policy.RPZ: log problems from zone-file level of parser as well (#453)
- fix flushing of messages to logs in some cases (!781)
- fix fallback when SERVFAIL or REFUSED is received from upstream (!784)
+- fix crash when dealing with unknown TA key algorhitm (#449)
Module API changes
------------------
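Review bot: the added NEWS line "fix crash when dealing with unknown TA key algorhitm (#449)" misspells "algorithm"; this is user-facing release text, so fix it before tagging. The two new "configuration:" entries say the aliases were removed but do not name the replacements (`trust_anchors.add_file()` for `.file`/`.config()`, `trust_anchors.set_insecure()` for `.negative`, `trust_anchors.remove('.')` for turning DNSSEC off); one clause each saves readers a trip to the upgrading guide when their config fails to load.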
net.ipv6=false
-- Auto-maintain root TA
-trust_anchors.file = '.local/etc/knot-resolver/root.keys'
+trust_anchors.add_file('.local/etc/knot-resolver/root.keys')
-- Large cache size, so we don't need to flush often
-- This can be larger than available RAM, least frequently accessed
net = { '127.0.0.1', '::1' }
-- unprivileged
cache.size = 100*MB
- trust_anchors.file = 'root.key'
+ trust_anchors.add_file('root.key')
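Review bot: this example uses `'root.key'` while every other occurrence in the change uses `root.keys` (the personal config, the kresd-query docs and the `-D` default in kresd-query.lua); unless the mismatch is deliberate, align it so a copy-pasted config points at the same file the tool bootstraps by default.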
Example output:
trust anchors should be either maintained in accordance with the distro-wide
policy, or automatically maintained by the resolver itself.
-.. function:: trust_anchors.add_file(keyfile, readonly)
+.. function:: trust_anchors.add_file(keyfile[, readonly = false])
:param string keyfile: path to the file.
:param readonly: if true, do not attempt to update the file.
[ ta ] key: 19036 state: Valid
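Review bot: the new signature line documents the default `readonly = false`, but the parameter description below it carries no type the way `:param string keyfile:` does, and does not restate the default; use `:param bool readonly:` and say that the default (managed, RFC 5011 updates written back to the file) is what the "Auto-maintain root TA" examples rely on.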
-.. function:: trust_anchors.config(keyfile, readonly)
-
- Alias for `add_file`. Its use is discouraged and will be removed in future versions.
-
.. function:: trust_anchors.remove(zonename)
Remove specified trust anchor from trusted key set. Removing trust anchor for the root zone effectivelly disables DNSSEC validation (unless you configured another trust anchor).
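Review bot: dropping the `trust_anchors.config` entry is consistent with the code change that turns the alias into a panic, but the remaining `remove()` paragraph spells "effectively" as "effectivelly"; fix it while this block is touched, and consider a cross-reference to the upgrading guide here, since this is where readers of the 3.x docs will look for the removed alias.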
$ kresd-query.lua www.sub.nic.cz 'assert(kres.dname2str(req:resolved().zone_cut.name) == "nic.cz.")' && echo "yes"
yes
- $ kresd-query.lua -C 'trust_anchors.config("root.keys")' nic.cz 'assert(req:resolved().flags.DNSSEC_WANT)'
+ $ kresd-query.lua -C 'trust_anchors.add_file("root.keys")' nic.cz 'assert(req:resolved().flags.DNSSEC_WANT)'
$ echo $?
0
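Review bot: the `-C` example calls `add_file("root.keys")` with the default `readonly = false`, which per the `add_file` description means a one-shot query may attempt a key-file update and, if the file is missing, a bootstrap write; for a query-tool example `trust_anchors.add_file("root.keys", true)` may be the better illustration unless the write-back is intended.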
Missing = 'Missing', Revoked = 'Revoked', Removed = 'Removed'
}
+local function upgrade_required(field)
+ panic('Configuration upgrade required! Please refer to ' ..
+ 'https://knot-resolver.readthedocs.io/en/stable/upgrading.html')
+end
+
-- TODO: Move bootstrap to a separate module or even its own binary
-- Fetch over HTTPS with peert cert checked
local function https_fetch(url, ca)
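Review bot: `upgrade_required(field)` never uses `field`, and its callers either pass nothing (the `__newindex` branches) or, through the `config = upgrade_required` alias, pass the keyfile path; either drop the parameter or have the panic name the offending setting, e.g. `panic('Configuration upgrade required: trust_anchors.' .. tostring(field) .. ' was removed, see https://knot-resolver.readthedocs.io/en/stable/upgrading.html')`, so the user learns which line failed instead of searching the guide. Unrelated but adjacent: the context comment reads "peert cert" (peer cert).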
-- Load keys from a file, 5011-managed by default.
-- If managed and the file doesn't exist, try bootstrapping the root into it.
add_file = add_file,
- config = add_file,
+ config = upgrade_required,
remove = remove,
keyset_publish = keyset_publish,
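Review bot: with `config = upgrade_required`, a call like `trust_anchors.config("root.keys")` binds the path to `field`; if the parameter is kept for a descriptive message, wrap the alias as `config = function() upgrade_required('config()') end` so the panic text is accurate rather than echoing a file path.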
-- Syntactic sugar for TA store
setmetatable(trust_anchors, {
- __newindex = function (t,k,v)
- if k == 'file' then t.config(v)
- elseif k == 'negative' then t.set_insecure(v)
- else rawset(t, k, v) end
- end,
+ __newindex = function (t,k,v)
+ if k == 'file' then upgrade_required()
+ elseif k == 'negative' then upgrade_required()
+ elseif k == 'keyfile_default' then upgrade_required()
+ else rawset(t, k, v) end
+ end,
})
return trust_anchors
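Review bot: `__newindex` only fires on assignment to an absent key, so `trust_anchors.file = ...`, `.negative = ...` and `.keyfile_default = nil` now panic as intended, but reads such as `trust_anchors.keyfile_default` silently return nil; if "is no longer accessible" in the NEWS entry is meant to cover reads as well, add a matching `__index` that calls `upgrade_required(k)` for those three keys. In the three branches, pass `k` (`upgrade_required(k)`) so the panic can name the removed setting.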
location. The exact location depends on your distribution. Generally, modules previously
in ``/usr/lib/kdns_modules`` should be moved to ``/usr/lib/knot-resolver/kres_modules``.
+Configuration
+~~~~~~~~~~~~~
+
+* ``trust_anchors.file``, ``trust_anchors.config()`` and ``trust_anchors.negative``
+ aliases were removed to avoid duplicity
+
+ .. csv-table::
+ :header: "3.x configuration", "4.x configuration"
+
+ "``trust_anchors.file = path``", "``trust_anchors.add_file(path)``"
+ "``trust_anchors.config(path, readonly)``", "``trust_anchors.add_file(path, readonly)``"
+ "``trust_anchors.negative = nta_set``", "``trust_anchors.set_insecure(nta_set)``"
+
+* ``trust_anchors.keyfile_default`` is no longer accessible and is only possible to set
+ at compile time. To turn off DNSSEC, use ``trust_anchors.remove('.')``.
+
+ .. csv-table::
+ :header: "3.x configuration", "4.x configuration"
+
+ "``trust_anchors.keyfile_default = nil``", "``trust_anchors.remove('.')``"
+
+
Packagers & Developers
----------------------
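Review bot: "aliases were removed to avoid duplicity" should read "to avoid duplication" ("duplicity" means deceit). The second bullet says `keyfile_default` can only be set at compile time, while the table below it only maps the `= nil` case to `trust_anchors.remove('.')`; if a 3.x config could also assign a path there, add the corresponding `trust_anchors.add_file(path)` row so the table covers both forms. Also drop one of the two trailing blank lines before the next heading.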
k = k + 1
table.insert(config, arg[k])
elseif v == '-D' then
- table.insert(config, 'trust_anchors.file = "root.keys"')
+ table.insert(config, 'trust_anchors.add_file("root.keys")')
elseif v == '-f' then
k = k + 1
- table.insert(config, string.format('trust_anchors.file = "%s"', arg[k]))
+ table.insert(config, string.format('trust_anchors.add_file("%s")', arg[k]))
elseif v == '-v' then
verbose = true
elseif v == '-d' then
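Review bot: the `-f` branch interpolates the user-supplied path with `%s` inside a double-quoted Lua string, so a path containing `"` or a backslash yields a broken or different config line; since the line is being rewritten anyway, use `string.format('trust_anchors.add_file(%q)', arg[k])`, which emits a properly escaped Lua string literal. Both `-D` and `-f` also inherit the default `readonly = false`, so the query tool will try to update and bootstrap the key file; pass `true` as the second argument unless that write-back is intended.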