-.. function:: mode('strict' | 'normal' | 'permissive')
-
- :return: Change resolver strictness checking level.
-
- By default, resolver runs in *normal* mode. There are possibly many small adjustments
- hidden behind the mode settings, but the main idea is that in *permissive* mode, the resolver
- tries to resolve a name with as few lookups as possible, while in *strict* mode it spends much
- more effort resolving and checking referral path. However, if majority of the traffic is covered
- by DNSSEC, some of the strict checking actions are counter-productive.
-
- .. csv-table::
- :header: "Glue type", "Modes when it is accepted", "Example glue [#example_glue]_"
-
- "mandatory glue", "strict, normal, permissive", "ns1.example.org"
- "in-bailiwick glue", "normal, permissive", "ns1.example2.org"
- "any glue records", "permissive", "ns1.example3.net"
-
- .. [#example_glue] The examples show glue records acceptable from servers
- authoritative for `org` zone when delegating to `example.org` zone.
- Unacceptable or missing glue records trigger resolution of names listed
- in NS records before following respective delegation.
-
-
.. function:: reorder_RR([true | false])
:param boolean value: New value for the option *(optional)*
.. _dnssec-config:
-DNSSEC
-======
+DNSSEC, data verification
+=========================
Since version 4.0, **DNSSEC validation is enabled by default**.
This is secure default and should not be changed unless absolutely necessary.
.. function:: trust_anchors.summary()
Return string with summary of configured DNSSEC trust anchors, including negative TAs.
+
+DNSSEC is main technology to protect data, but it is also possible to change how strictly
+resolver checks data from insecure DNS zones:
+
+.. include:: ../lib/layer/mode.rst
.. include:: ../daemon/bindings/cache.rst
.. include:: ../daemon/lua/trust_anchors.rst
+
Multiple instances
==================
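Review bot: The added paragraph before the include is missing articles ("DNSSEC is main technology", "how strictly resolver checks"); suggest "DNSSEC is the main technology to protect data, but it is also possible to change how strictly the resolver checks data from insecure DNS zones:". The section title also changes to "DNSSEC, data verification" while the "dnssec-config" label stays the same, so any reference to that label that relies on the section title for its link text will now render with the new title; worth checking those references still read correctly.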
--- /dev/null
+.. function:: mode(['strict' | 'normal' | 'permissive'])
+
+ :param: New checking level specified as string (*optional*).
+ :return: Current checking level.
+
+ Get or change resolver strictness checking level.
+
+ By default, resolver runs in *normal* mode. There are possibly many small adjustments
+ hidden behind the mode settings, but the main idea is that in *permissive* mode, the resolver
+ tries to resolve a name with as few lookups as possible, while in *strict* mode it spends much
+ more effort resolving and checking referral path. However, if majority of the traffic is covered
+ by DNSSEC, some of the strict checking actions are counter-productive.
+
+ .. csv-table::
+ :header: "Glue type", "Modes when it is accepted", "Example glue [#example_glue]_"
+
+ "mandatory glue", "strict, normal, permissive", "ns1.example.org"
+ "in-bailiwick glue", "normal, permissive", "ns1.example2.org"
+ "any glue records", "permissive", "ns1.example3.net"
+
+ .. [#example_glue] The examples show glue records acceptable from servers
+ authoritative for `org` zone when delegating to `example.org` zone.
+ Unacceptable or missing glue records trigger resolution of names listed
+ in NS records before following respective delegation.
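Review bot: The ":param:" field in the new mode() entry has no parameter name, unlike ":param boolean value:" used for reorder_RR in the same documentation; give it a name and type (for example ":param string mode:") so it renders as a proper parameter entry. In the footnote, "org" and "example.org" are wrapped in single backticks, which reStructuredText interprets with the default role rather than as literal text; double backticks are the usual choice for zone names. Since this text now sits under a data verification heading, it would also help to say explicitly next to the table that permissive is the only mode accepting "any glue records", so the trade-off between fewer lookups and weaker checking is visible without reading the table row by row.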