.. code-block:: lua
-- turns off DNSSEC validation
- trust_anchors.keyfile_default = nil
+ trust_anchors.remove('.')
The resolver supports DNSSEC including :rfc:`5011` automated DNSSEC TA updates
and :rfc:`7646` negative trust anchors. Depending on your distribution, DNSSEC
If you want to disable DNSSEC validation for a particular domain but keep it enabled for the rest of DNS tree, use :func:`trust_anchors.set_insecure`.
-.. envvar:: trust_anchors.keyfile_default = keyfile_default
-
- Set by ``keyfile_default`` option during compilation.
-
.. envvar:: trust_anchors.hold_down_time = 30 * day
:return: int (default: 30 * day)
-- Import fake root zone; avoid interference with configured keyfile_default.
-trust_anchors.keyfile_default = nil
+trust_anchors.remove('.')
trust_anchors.add('. IN DS 48409 8 2 3D63A0C25BCE86621DE63636F11B35B908EFE8E9381E0E3E9DEFD89EA952C27D')
local function check_answer(desc, qname, qtype, expected_rcode)
if require('ffi').C.kr_zonecut_is_empty(kres.context().root_hints) then
_hint_root_file()
end
-
-if not trust_anchors.keysets['\0'] and trust_anchors.keyfile_default then
- if io.open(trust_anchors.keyfile_default, 'r') then
- trust_anchors.config(trust_anchors.keyfile_default, @unmanaged@)
- else
- panic("cannot open default trust anchor file:'%s'",
- trust_anchors.keyfile_default
- )
- end
-end
output: 'trust_anchors.lua',
configuration: ta_config,
)
-config_lua = configure_file(
- input: 'config.lua.in',
- output: 'config.lua',
+
+sandbox = configure_file(
+ input: 'sandbox.lua.in',
+ output: 'sandbox.lua',
configuration: ta_config,
)
)
lua_src = [
- config_lua,
+ files('config.lua'),
files('kres.lua'),
files('kres-gen.lua'),
- files('sandbox.lua'),
+ sandbox,
trust_anchors,
files('zonefile.lua'),
]
modules.load('ta_sentinel')
modules.load('edns_keepalive')
+-- Load keyfile_default
+trust_anchors.add_file('@keyfile_default@', @unmanaged@)
+
-- Interactive command evaluation
function eval_cmd(line, raw)
-- Compatibility sandbox code loading
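Review bot: The unconditional `trust_anchors.add_file('@keyfile_default@', @unmanaged@)` drops two checks that the removed `if not trust_anchors.keysets['\0'] and trust_anchors.keyfile_default then` block had: it no longer skips loading when a root keyset is already configured, and it no longer panics with the file path when the default keyfile cannot be opened. Whether add_file itself fails loudly for an unreadable unmanaged file is not visible here; if it does not, the resolver would start without a root trust anchor, i.e. with validation silently disabled, which is exactly what the old panic prevented, so either keep an explicit open check before the call or confirm add_file raises. It is also worth confirming the template is only emitted when keyfile_default is non-empty at build time, since `add_file('', ...)` would otherwise be generated. Suggest widening the comment to `-- Load the build-time default TA file; user config can drop it with trust_anchors.remove('.')`. The enclosing sandbox file continues past the hunk.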
local keyset_orig = trust_anchors.keysets[owner]
if keyset_orig then
warn('[ ta ] warning: overriding previously set trust anchors for ' .. owner_str)
- if keyset_orig.managed then
+ if keyset_orig.managed and ta_update then
ta_update.stop(owner)
end
end
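Review bot: The added `and ta_update` guard on `if keyset_orig.managed and ta_update then` means a previously managed keyset is overridden without stopping its updater whenever ta_update is not loaded; that is presumably harmless because no update can be running then, but the reason is not stated on the line. Suggest a why-comment such as `-- ta_update may not be loaded yet (default keyfile is added during sandbox load); nothing to stop in that case`. If ta_update is loaded after such an override, confirm it starts from the current keysets rather than the replaced one. The enclosing function starts and ends outside the hunk.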
bootstrap_url = 'https://data.iana.org/root-anchors/root-anchors.xml',
bootstrap_ca = '@etc_dir@/icann-ca.pem',
- keyfile_default = '@keyfile_default@',
-- Load keys from a file, 5011-managed by default.
-- If managed and the file doesn't exist, try bootstrapping the root into it.
local host = 'https://localhost:8080/'
-- avoid interference with configured keyfile_default
-trust_anchors.keyfile_default = nil
+trust_anchors.remove('.')
local function test_err_cert()
trust_anchors.bootstrap_ca = 'x509/wrongca.pem'
-trust_anchors.keyfile_default = nil
+trust_anchors.remove('.')
local ffi = require('ffi')
man_config = configuration_data()
man_config.set('version', meson.project_version())
man_config.set('date', run_command('../scripts/get-date.sh').stdout())
-man_config.set('keyfile_default', keyfile_default)
man_config.set('man_seealso_systemd', '')
if systemd_files == 'enabled'
man_config.set('man_seealso_systemd', '\\fIkresd.systemd.nosocket(7)\\fR, ')
endif
-man_config.set('man_managed_keyfile_default', '')
-man_config.set('man_unmanaged_keyfile_default', '')
-if managed_ta
- man_config.set('man_managed_keyfile_default', '''
-Default: "@0@"'''.format(keyfile_default))
-else
- man_config.set('man_unmanaged_keyfile_default', '''
-Default: "@0@"'''.format(keyfile_default))
-endif
-
man_kresd = configure_file(
input: 'kresd.8.in',
output: 'kresd.8',
@config_defaults@
-- To disable DNSSEC validation, uncomment the following line (not recommended)
--- trust_anchors.keyfile_default = nil
+-- trust_anchors.remove('.')
-- Large cache size, so we don't need to flush ever
-- This can be larger than available RAM, least frequently accessed
net.listen('0.0.0.0', 853, {tls=true})
-- To disable DNSSEC validation, uncomment the following line (not recommended)
--- trust_anchors.keyfile_default = nil
+-- trust_anchors.remove('.')
-- Load Useful modules
modules = {
@config_defaults@
-- To disable DNSSEC validation, uncomment the following line (not recommended)
--- trust_anchors.keyfile_default = nil
+-- trust_anchors.remove('.')
-- Large cache size, so we don't need to flush often
-- This can be larger than available RAM, least frequently accessed
@config_defaults@
-- To disable DNSSEC validation, uncomment the following line (not recommended)
--- trust_anchors.keyfile_default = nil
+-- trust_anchors.remove('.')
-- Load useful modules
modules = {
@config_defaults@
-- To disable DNSSEC validation, uncomment the following line (not recommended)
--- trust_anchors.keyfile_default = nil
+-- trust_anchors.remove('.')
-- Load Useful modules
modules = {
policy.add(policy.all(policy.STUB({ '::1:2:3:4', '1.2.3.4' })))
-- make sure DNSSEC is turned off for tests
-trust_anchors.keyfile_default = nil
+trust_anchors.remove('.')
-- Disable RFC5011 TA update
if ta_update then
policy.add(policy.all(policy.STUB({ '::1:2:3:4', '1.2.3.4' })))
-- make sure DNSSEC is turned off for tests
-trust_anchors.keyfile_default = nil
+trust_anchors.remove('.')
-- Disable RFC5011 TA update
if ta_update then
policy.add(policy.suffix(policy.REFUSE, {todname('refuse.example.com')}))
-- make sure DNSSEC is turned off for tests
-trust_anchors.keyfile_default = nil
+trust_anchors.remove('.')
-- Disable RFC5011 TA update
if ta_update then
{% raw %}
-- make sure DNSSEC is turned off for tests
-trust_anchors.keyfile_default = nil
+trust_anchors.remove('.')
-- Disable RFC5011 TA update
if ta_update then
modules = { 'serve_stale < cache' }
-- make sure DNSSEC is turned off for tests
-trust_anchors.keyfile_default = nil
+trust_anchors.remove('.')
-- Disable RFC5011 TA update
if ta_update then
policy.add(policy.all(FWD_TARGET)) -- avoid iteration
-- make sure DNSSEC is turned off for tests
-trust_anchors.keyfile_default = nil
+trust_anchors.remove('.')
-- Disable RFC5011 TA update
if ta_update then
ta_update.hold_down_time = 0.2 * sec
-- prevent build-time config from interfering with the test
-trust_anchors.keyfile_default = nil
+trust_anchors.remove('.')
-- count . IN DNSKEY queries
counter = 0
policy.add(policy.all(policy.FORWARD('1.2.3.4')))
-- make sure DNSSEC is turned off for tests
-trust_anchors.keyfile_default = nil
+trust_anchors.remove('.')
-- Disable RFC5011 TA update
if ta_update then
end
-- make sure DNSSEC is turned off for tests
-trust_anchors.keyfile_default = nil
+trust_anchors.remove('.')
_hint_root_file('hints')
cache.size = 2*MB
{% endif %}
-- make sure DNSSEC is turned off for tests
-trust_anchors.keyfile_default = nil
+trust_anchors.remove('.')
modules.unload("ta_update")
modules.unload("ta_signal_query")
modules.unload("priming")