Trust anchors and DNSSEC
^^^^^^^^^^^^^^^^^^^^^^^^
+.. envvar:: trust_anchors.hold_down_time = 30 * day
+
+ :return: int (default: 30 * day)
+
+ Modify RFC5011 hold-down timer to given value. Example: ``30 * second``
+
+.. envvar:: trust_anchors.refresh_time = nil
+
+ :return: int (default: nil)
+
+ Modify RFC5011 refresh timer to given value (not set by default), this will force trust anchors
+ to be updated every N seconds periodically instead of relying on RFC5011 logic and TTLs.
+ Example: ``10 * second``
+
+.. envvar:: trust_anchors.keep_removed = 0
+
+ :return: int (default: 1)
+
+ How many ``Removed`` keys should be held in history (and key file) before being purged.
+ Note: all ``Removed`` keys will be purged from key file after restarting the process.
+
.. function:: trust_anchors.config(keyfile)
:param string keyfile: File containing DNSKEY records, should be writeable.
-- Schedule itself with updated timeout
local next_time = refresh_cb(trust_anchors, kres.pkt_t(pkt), bootstrap)
if trust_anchors.refresh_time ~= nil then
- next_time = math.min(next_time, trust_anchors.refresh_time)
+ next_time = trust_anchors.refresh_time
end
print('[ ta ] next refresh: '..next_time)
refresh_plan(trust_anchors, next_time, refresh_cb)
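Review bot: Assigning `trust_anchors.refresh_time` to `next_time` outright removes the bound the old `math.min` gave, so a refresh_time larger than the value returned by refresh_cb now delays the RFC5011 hold-down-driven state transitions instead of only shortening the interval, and nothing rejects a zero or negative value, which would re-plan immediately. If the unconditional override is the intent, guard the value on the changed line, e.g. `assert(trust_anchors.refresh_time > 0, 'trust_anchors.refresh_time must be positive')` before the assignment, and have the docs state that this timer replaces rather than caps the RFC5011 schedule; otherwise keep `math.min` and document that refresh_time can only shorten the interval. The enclosing callback appears to start before this hunk.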
keyset = {},
insecure = {},
hold_down_time = 30 * day,
+ keep_removed = 0,
-- Update existing keyset
update = function (new_keys, initial)
if not new_keys then return false end
-- Filter TAs to be purged from the keyset (KeyRem)
local hold_down = trust_anchors.hold_down_time / 1000
local keyset = {}
+ local keep_removed = trust_anchors.keep_removed
for i, ta in ipairs(trust_anchors.keyset) do
local keep = true
if not ta_find(new_keys, ta) then
keep = ta_missing(ta, hold_down)
end
+ -- Purge removed keys
+ if ta.state == key_state.Removed then
+ if keep_removed > 0 then
+ keep_removed = keep_removed - 1
+ else
+ keep = false
+ end
+ end
if keep then
table.insert(keyset, ta)
end
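Review bot: The `keep_removed` countdown retains the first `keep_removed` Removed keys met while walking `trust_anchors.keyset` in array order, so which removed keys survive depends on that order; the hunk does not show the keyset is chronological, and if new entries are appended this keeps the oldest removed keys rather than the most recently removed ones. If "most recent" is the intent, count from the end of the keyset instead, or at least state the assumption on the new comment line, e.g. `-- Purge Removed keys beyond keep_removed (retains the first ones in keyset order)`. Reading `trust_anchors.keep_removed` with no type check also means a configuration that sets it to nil or a string fails at `keep_removed > 0` with a Lua comparison error rather than a clear message; `local keep_removed = tonumber(trust_anchors.keep_removed) or 0` would make that robust. Separately, the accompanying docs hunk gives `keep_removed = 0` in the directive but `(default: 1)` on its :return: line while this initializer sets 0, so one of the two needs correcting. The `update` function body continues past the end of the hunk.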