- /network/tls/auto-discovery
- /webmgmt
- Renamed/moved options in the declarative configuration model (YAML).
- - /cache/garbage-collector -> /cache/garbage-collector/enabled
- - /dns64: true|false -> /dns64/enabled: true|false
+ - /cache/garbage-collector -> /cache/garbage-collector/enable
+ - /dns64: true|false -> /dns64/enable: true|false
- /dns64/rev-ttl -> /dns64/reverse-ttl
- - /dnssec: true|false -> /dnssec/enabled: true|false
+ - /dnssec: true|false -> /dnssec/enable: true|false
- /dnssec/keep-removed -> /dnssec/trust-anchors-keep-removed
- /dnssec/trust-anchor-sentinel -> /dnssec/sentinel
- /dnssec/trust-anchor-signal-query -> /dnssec/signal-query
- /logging/dnssec-bogus -> /dnssec/log-bogus
- /monitoring/enabled -> /monitoring/metrics
- - /monitoring/graphite -> /monitoring/graphite/enabled
+ - /monitoring/graphite -> /monitoring/graphite/enable
- /network/tls/files-watchdog -> /network/tls/watchdog
- - /rate-limiting -> /rate-limiting/enabled
+ - /rate-limiting -> /rate-limiting/enable
Knot Resolver 6.0.15 (2025-07-17)
"description": "Use the garbage collector (kres-cache-gc) to periodically clear cache.",
"type": "object",
"properties": {
- "enabled": {
+ "enable": {
"type": "boolean",
"description": "Enable/disable cache garbage collector.",
"default": true
}
},
"default": {
- "enabled": true,
+ "enable": true,
"interval": "1s",
"threshold": 80,
"release": 10,
"storage": "/var/cache/knot-resolver",
"size_max": "100M",
"garbage_collector": {
- "enabled": true,
+ "enable": true,
"interval": "1s",
"threshold": 80,
"release": 10,
"description": "DNSSEC configuration.",
"type": "object",
"properties": {
- "enabled": {
+ "enable": {
"type": "boolean",
"description": "Enable/disable DNSSEC.",
"default": true
}
},
"default": {
- "enabled": true,
+ "enable": true,
"log_bogus": false,
"sentinel": true,
"signal_query": true,
"description": "DNS64 (RFC 6147) configuration.",
"type": "object",
"properties": {
- "enabled": {
+ "enable": {
"type": "boolean",
"description": "Enable/disable DNS64.",
"default": false
}
},
"default": {
- "enabled": false,
+ "enable": false,
"prefix": "64:ff9b::/96",
"reverse_ttl": null,
"exclude_subnets": null
"graphite": {
"type": "object",
"properties": {
- "enabled": {
+ "enable": {
"type": "boolean",
"default": false
},
},
"description": "optionally configures where should graphite metrics be sent to",
"default": {
- "enabled": false,
+ "enable": false,
"host": null,
"port": 2003,
"prefix": "",
"default": {
"metrics": "lazy",
"graphite": {
- "enabled": false,
+ "enable": false,
"host": null,
"port": 2003,
"prefix": "",
"description": "Configuration of rate limiting.",
"type": "object",
"properties": {
- "enabled": {
+ "enable": {
"type": "boolean",
"description": "Enable/disable rate limiting",
"default": false
}
},
"default": {
- "enabled": false,
+ "enable": false,
"rate_limit": null,
"instant_limit": 50,
"capacity": 524288,
"description": "Configuration of request prioritization (defer).",
"type": "object",
"properties": {
- "enabled": {
+ "enable": {
"type": "boolean",
"description": "Use request prioritization.",
"default": false
}
},
"default": {
- "enabled": false,
+ "enable": false,
"log_period": "0s"
}
},
The data of all deferred queries may occupy 64 MiB of memory per :ref:`worker <config-multiple-workers>`.
-.. option:: defer/enabled: true|false
+.. option:: defer/enable: true|false
:default: false
.. code-block:: yaml
dns64:
- enabled: true
+ enable: true
It is also possible to configure own prefix.
.. code-block:: yaml
dns64:
- enabled: true
+ enable: true
prefix: 2001:db8::aabb:0:0/96
.. warning::
# turns off DNSSEC validation
dnssec:
- enabled: false
+ enable: false
The resolver supports DNSSEC including :rfc:`5011` automated DNSSEC TA updates
and :rfc:`7646` negative trust anchors. Depending on your distribution, DNSSEC
DNSSEC configuration options.
- .. option:: enabled: true|false
+ .. option:: enable: true|false
:default: true
.. code-block:: yaml
monitoring:
- enabled: always
+ enable: always
These metrics can be either exported to :ref:`config-monitoring-graphite` or
exposed as :ref:`config-monitoring-prometheus`.
monitoring:
graphite:
- enabled: true
+ enable: true
host: 127.0.0.1 # graphite server address
port: 200 # optional graphite server port (2003 is default)
interval: 5s # optional publish interval (5s is default)
.. option:: monitoring/graphite:
- .. option:: enabled: true|false
+ .. option:: enable: true|false
:default: false
The limits can be adjusted for different packet origins using :option:`price-factor <price-factor: <float>` in :ref:`views <config-views>`.
-.. option:: rate-limiting/enabled: true|false
+.. option:: rate-limiting/enable: true|false
:default: false
defer:
- enabled: true
+ enable: true
log-period: 1s
if gc_key in new[cache_key]:
gc = new[cache_key][gc_key]
if gc is False:
- _add(new, "/cache/garbage-collector/enabled", False)
+ _add(new, "/cache/garbage-collector/enable", False)
else:
- _add(new, "/cache/garbage-collector/enabled", True)
+ _add(new, "/cache/garbage-collector/enable", True)
dns64_key = "dns64"
if dns64_key in new:
if new[dns64_key] is False:
- _add(new, "/dns64/enabled", False, rewrite=True)
+ _add(new, "/dns64/enable", False, rewrite=True)
else:
- _add(new, "/dns64/enabled", True, rewrite=True)
+ _add(new, "/dns64/enable", True, rewrite=True)
_rename(new, "/dns64/rev-ttl", "/dns64/reverse-ttl")
dnssec_key = "dnssec"
if dnssec_key in new:
if new[dnssec_key] is False:
- _add(new, "/dnssec/enabled", False, rewrite=True)
+ _add(new, "/dnssec/enable", False, rewrite=True)
else:
# by default the DNSSEC is enabled
pass
if graphite_key in new[monitoring_key]:
graphite = new[monitoring_key][graphite_key]
if graphite is False:
- _add(new, "/monitoring/graphite/enabled", False)
+ _add(new, "/monitoring/graphite/enable", False)
else:
- _add(new, "/monitoring/graphite/enabled", True)
+ _add(new, "/monitoring/graphite/enable", True)
_rename(new, "/network/tls/files-watchdog", "/network/tls/watchdog")
rate_limiting_key = "rate-limiting"
if rate_limiting_key in new:
- _add(new, "/rate-limiting/enabled", True)
+ _add(new, "/rate-limiting/enable", True)
# remove empty dicts
new = {k: v for k, v in new.items() if v}
Configuration options of the cache garbage collector (kres-cache-gc).
---
- enabled: Enable/disable cache garbage collector.
+ enable: Enable/disable cache garbage collector.
interval: Time interval how often the garbage collector will be run.
threshold: Cache usage in percent that triggers the garbage collector.
release: Percent of used cache to be freed by the garbage collector.
dry_run: Run the garbage collector in dry-run mode.
"""
- enabled: bool = True
+ enable: bool = True
interval: TimeUnit = TimeUnit("1s")
threshold: Percent = Percent(80)
release: Percent = Percent(10)
Configuration of request prioritization (defer).
---
- enabled: Use request prioritization.
+ enable: Use request prioritization.
log_period: Minimal time between two log messages, or '0s' to disable.
"""
- enabled: bool = False
+ enable: bool = False
log_period: TimeUnit = TimeUnit("0s")
DNS64 (RFC 6147) configuration.
---
- enabled: Enable/disable DNS64.
+ enable: Enable/disable DNS64.
prefix: IPv6 prefix to be used for synthesizing AAAA records.
reverse_ttl: TTL in CNAME generated in the reverse 'ip6.arpa.' subtree.
exclude_subnets: IPv6 subnets that are disallowed in answer.
"""
- enabled: bool = False
+ enable: bool = False
prefix: IPv6Network96 = IPv6Network96("64:ff9b::/96")
reverse_ttl: Optional[TimeUnit] = None
exclude_subnets: Optional[List[IPv6Network]] = None
DNSSEC configuration.
---
- enabled: Enable/disable DNSSEC.
+ enable: Enable/disable DNSSEC.
log_bogus: Enable logging for each DNSSEC validation failure if '/logging/level' is set to at least 'notice'.
sentinel: Allows users of DNSSEC validating resolver to detect which root keys are configured in resolver's chain of trust. (RFC 8509)
signal_query: Signaling Trust Anchor Knowledge in DNSSEC Using Key Tag Query, according to (RFC 8145#section-5).
negative_trust_anchors: List of domain names representing negative trust-anchors. (RFC 7646)
"""
- enabled: bool = True
+ enable: bool = True
log_bogus: bool = False
sentinel: bool = True
signal_query: bool = True
class GraphiteSchema(ConfigSchema):
- enabled: bool = False
+ enable: bool = False
host: Union[None, IPAddress, DomainName] = None
port: PortNumber = PortNumber(2003)
prefix: EscapedStr = EscapedStr("")
tcp: bool = False
def _validate(self) -> None:
- if self.enabled and not self.host:
+ if self.enable and not self.host:
raise ValueError("'host' option must be configured to enable graphite bridge")
Configuration of rate limiting.
---
- enabled: Enable/disable rate limiting
+ enable: Enable/disable rate limiting
rate_limit: Maximal number of allowed queries per second from a single host.
instant_limit: Maximal number of allowed queries at a single point in time from a single host.
capacity: Expected maximal number of blocked networks/hosts at the same time.
dry_run: Perform only classification and logging but no restrictions.
"""
- enabled: bool = False
+ enable: bool = False
rate_limit: Optional[IntPositive] = None
instant_limit: IntPositive = IntPositive(50)
capacity: IntPositive = IntPositive(524288)
dry_run: bool = False
def _validate(self) -> None:
- if self.enabled and not self.rate_limit:
+ if self.enable and not self.rate_limit:
raise ValueError("'rate-limit' has to be configured to enable rate limiting")
max_instant_limit = int(2**32 // 768 - 1)
{% from 'macros/common_macros.lua.j2' import boolean %}
-{% if cfg.defer.enabled and disable_defer is not defined -%}
+{% if cfg.defer.enable and disable_defer is not defined -%}
assert(C.defer_init(
'{{ cfg.rundir }}/defer',
{{ cfg.defer.log_period.millis() }},
{% from 'macros/common_macros.lua.j2' import string_table %}
-{% if cfg.dns64.enabled %}
+{% if cfg.dns64.enable %}
-- Enable DNS64 by loading module
modules.load('dns64')
{% from 'macros/common_macros.lua.j2' import boolean %}
-{% if cfg.dnssec.enabled %}
+{% if cfg.dnssec.enable %}
-- dnssec.logging-bogus
{% if cfg.dnssec.log_bogus %}
{% from 'macros/common_macros.lua.j2' import boolean %}
-{% if cfg.rate_limiting.enabled %}
+{% if cfg.rate_limiting.enable %}
assert(
C.ratelimiting_init(
'{{ cfg.rundir }}/ratelimiting',
await self._rolling_restart(config)
await self._ensure_number_of_children(config, int(config.workers))
- if self._is_gc_running() != config.cache.garbage_collector.enabled:
- if config.cache.garbage_collector.enabled:
+ if self._is_gc_running() != config.cache.garbage_collector.enable:
+ if config.cache.garbage_collector.enable:
logger.debug("Starting cache GC")
await self._start_gc(config)
else:
Starts graphite bridge if required
"""
global _graphite_bridge
- if config.monitoring.graphite.enabled and _graphite_bridge is None:
+ if config.monitoring.graphite.enable and _graphite_bridge is None:
logger.info(
"Starting Graphite metrics exporter for [%s]:%d",
str(config.monitoring.graphite.host),
)
async def _deny_turning_off_graphite_bridge(old_config: KresConfig, new_config: KresConfig) -> Result[None, str]:
- if old_config.monitoring.graphite.enabled and not new_config.monitoring.graphite.enabled:
+ if old_config.monitoring.graphite.enable and not new_config.monitoring.graphite.enable:
return Result.err(
"You can't turn off graphite monitoring dynamically. If you really want this feature, please let the developers know."
)
if (
- old_config.monitoring.graphite.enabled
- and new_config.monitoring.graphite.enabled
+ old_config.monitoring.graphite.enable
+ and new_config.monitoring.graphite.enable
and old_config.monitoring.graphite != new_config.monitoring.graphite
):
return Result.err("Changing graphite exporter configuration in runtime is not allowed.")
config = KresConfig()
# DNS64 default
- assert config.dns64.enabled == False
+ assert config.dns64.enable == False
def test_dnssec_false():
- config = KresConfig({"dnssec": {"enabled": False}})
+ config = KresConfig({"dnssec": {"enable": False}})
- assert config.dnssec.enabled == False
+ assert config.dnssec.enable == False
def test_dnssec_default_true():
config = KresConfig()
# DNSSEC defaults
- assert config.dnssec.enabled == True
+ assert config.dnssec.enable == True
assert config.dnssec.sentinel == True
assert config.dnssec.signal_query == True
assert int(config.dnssec.trust_anchors_keep_removed) == 0
def test_dns64_prefix_default():
- config = KresConfig({"dns64": {"enabled": True}})
+ config = KresConfig({"dns64": {"enable": True}})
- assert config.dns64.enabled == True
+ assert config.dns64.enable == True
assert str(config.dns64.prefix) == "64:ff9b::/96"
projects / thirdparty / knot-resolver.git / commitdiff
