Trust anchors and DNSSEC
^^^^^^^^^^^^^^^^^^^^^^^^
-Since version 4.0, *DNSSEC validation is enabled by default*. To turn it off,
-add the following snippet to your configuration file.
+Since version 4.0, **DNSSEC validation is enabled by default**.
+This is secure default and should not be changed unless absolutely necessary.
+
+**Options in this section are intended only for expert users and normally
+should not be needed.**
+
+If you really need to turn DNSSEC off and are okay with lowering security of your
+system by doing so, add the following snippet to your configuration file.
.. code-block:: lua
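Review bot: the new sentence "This is secure default and should not be changed unless absolutely necessary." is missing an article ("This is a secure default ..."), and the turn-off paragraph never says what the snippet does, even though this same patch's migration table uses `trust_anchors.remove('.')` for exactly this purpose. Suggest naming the call in the prose (e.g. "... add the following snippet, which removes the root trust anchor with :func:`trust_anchors.remove`, to your configuration file.") and writing "lowering the security of your system" rather than "lowering security of your system". The bold "Options in this section are intended only for expert users" paragraph also reads better as a `.. warning::` or `.. note::` admonition than as a free-standing bold line, if the rest of the page uses admonitions.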
trust anchors should be either maintained in accordance with the distro-wide
policy, or automatically maintained by the resolver itself.
+In practice this means that you can forget about it and your favorite Linux
+distribution will take care of it for you.
+
+
.. function:: trust_anchors.add_file(keyfile[, readonly = false])
:param string keyfile: path to the file.
:ref:`dnssec-config`.
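Review bot: "In practice this means that you can forget about it and your favorite Linux distribution will take care of it for you." promises more than the sentence before it. That sentence offers two alternatives (anchors maintained per distro-wide policy, or maintained automatically by the resolver), and the `trust_anchors.add_file(keyfile[, readonly = false])` signature directly below shows automatic maintenance hinges on the keyfile being added writable; a user on a distribution that does not manage the keyfile, or who passes `readonly = true`, must not forget about it. Suggest qualifying, e.g. "In practice, if your distribution ships and maintains the trust anchor file, no configuration is needed; otherwise keep the keyfile writable so the resolver can update it." Minor: the two added blank lines before the `.. function::` directive can be reduced to one.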
* ``-k/--keyfile`` and ``-K/--keyfile-ro`` daemon options were removed. If needed,
use ``trust_anchors.add_file()`` in configuration file instead.
-* Configuration for ``http`` module changed significantly, especially for
- network interfaces. Refer to :ref:`mod-http` and update your configuration
- accordingly.
+* Configuration for :ref:`HTTP module <mod-http>` changed significantly as result of
+ adding :ref:`mod-http-doh` support. Please see examples below.
* In case you are using your own custom modules, move them to the new module
location. The exact location depends on your distribution. Generally, modules previously
in ``/usr/lib/kdns_modules`` should be moved to ``/usr/lib/knot-resolver/kres_modules``.
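Review bot: "as result of" should be "as a result of", and "Please see examples below" replaces the concrete pointer of the removed lines (:ref:`mod-http` plus "update your configuration accordingly") with a reference to examples that do not appear in this hunk. If the examples are the HTTP migration table added later in this patch, say so and keep it discoverable, e.g. "Configuration for the :ref:`HTTP module <mod-http>` changed significantly as a result of adding :ref:`mod-http-doh` support; see the migration table in the Configuration file section below."; if they live in the mod-http chapter instead, keep the :ref:`mod-http` link.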
-Configuration
-~~~~~~~~~~~~~
+Configuration file
+~~~~~~~~~~~~~~~~~~
* ``trust_anchors.file``, ``trust_anchors.config()`` and ``trust_anchors.negative``
- aliases were removed to avoid duplicity
+ aliases were removed to avoid duplicity and confusion. Migration table:
.. csv-table::
:header: "3.x configuration", "4.x configuration"
"``trust_anchors.config(path, readonly)``", "``trust_anchors.add_file(path, readonly)``"
"``trust_anchors.negative = nta_set``", "``trust_anchors.set_insecure(nta_set)``"
-* ``trust_anchors.keyfile_default`` is no longer accessible and is only possible to set
- at compile time. To turn off DNSSEC, use ``trust_anchors.remove('.')``.
+* ``trust_anchors.keyfile_default`` is no longer accessible and is can be set
+ only at compile time. To turn off DNSSEC, use :func:`trust_anchors.remove()`.
.. csv-table::
:header: "3.x configuration", "4.x configuration"
"``trust_anchors.keyfile_default = nil``", "``trust_anchors.remove('.')``"
+* Network for HTTP endpoints is now configured using same mechanism as for normal DNS enpoints,
+ please refer to chapter :ref:`network-configuration`. Migration table:
+
+ .. csv-table::
+ :header: "3.x configuration", "4.x configuration"
+
+ "``modules = { http = { host = '192.0.2.1', port = 443 }}``","see chapter :ref:`network-configuration`"
+ "``http.config({ host = '192.0.2.1', port = 443 })``","see chapter :ref:`network-configuration`"
+ "``modules = { http = { endpoints = ... }}``","see chapter :ref:`mod-http-custom-endpoint`"
+ "``http.config({ endpoints = ... })``","see chapter :ref:`mod-http-custom-endpoint`"
Packagers & Developers
----------------------
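Review bot: the rewritten line "is no longer accessible and is can be set only at compile time" has a stray "is" (should read "and can be set only at compile time"), and the prose dropped the `'.'` argument that the old text and the table row `trust_anchors.remove('.')` both carry; since the call needs a zone name to know which anchor to remove, keep `trust_anchors.remove('.')` in the prose too. Further points in this region: "to avoid duplicity and confusion" should be "duplication" (duplicity means deceit; the line is being rewritten anyway, so fix it now); the bullet lists three removed aliases (`trust_anchors.file`, `trust_anchors.config()`, `trust_anchors.negative`) but the migration table only has rows for the last two, so add a row for `trust_anchors.file` or say explicitly that it has no replacement; and in the HTTP bullet, "enpoints" is a typo for "endpoints" and it should read "using the same mechanism as for normal DNS endpoints". In the HTTP migration table, the two `host`/`port` rows point only at a chapter; showing the concrete 4.x replacement call in that column would make the table usable without leaving the page.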