From: Aleš Mrázek
Date: Tue, 8 Apr 2025 12:46:30 +0000 (+0200)
Subject: datamodel: move dnssec bogus logging from 'logging' section to 'dnssec' section
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=311381824df9274e4aeee5f3b605538c2a66e43f;p=thirdparty%2Fknot-resolver.git
datamodel: move dnssec bogus logging from 'logging' section to 'dnssec' section
---
diff --git a/NEWS b/NEWS
index d3fa1eaa8..a8fc79b78 100644
--- a/NEWS
+++ b/NEWS
@@ -21,7 +21,8 @@ Incompatible changes
 - /dnssec: true|false -> /dnssec/enabled: true|false
 - /dnssec/keep-removed -> /dnssec/trust-anchors-keep-removed
 - /dnssec/trust-anchor-sentinel -> /dnssec/sentinel
- /dnssec/trust-anchor-signal-query -> /dnssec/signal-query
+ - /dnssec/trust-anchor-signal-query -> /dnssec/signal-query
+ - /logging/dnssec-bogus -> /dnssec/log-bogus
 - /network/tls/files-watchdog -> /network/tls/watchdog
diff --git a/doc/_static/config.schema.json b/doc/_static/config.schema.json
index 701b21dec..7af6bae48 100644
--- a/doc/_static/config.schema.json
+++ b/doc/_static/config.schema.json
@@ -1244,6 +1244,11 @@
 "description": "Enable/disable DNSSEC.",
 "default": true
 },
+ "log-bogus": {
+ "type": "boolean",
+ "description": "Enable logging for each DNSSEC validation failure if '/logging/level' is set to at least 'notice'.",
+ "default": false
+ },
 "sentinel": {
 "type": "boolean",
 "description": "Allows users of DNSSEC validating resolver to detect which root keys are configured in resolver's chain of trust. (RFC 8509)",
@@ -1309,6 +1314,7 @@
 },
 "default": {
 "enabled": true,
+ "log_bogus": false,
 "sentinel": true,
 "signal_query": true,
 "trust_anchors_keep_removed": 0,
@@ -1457,11 +1463,6 @@
 "description": "List of groups for which 'debug' logging level is set.",
 "default": null
 },
- "dnssec-bogus": {
- "type": "boolean",
- "description": "Logging a message for each DNSSEC validation failure.",
- "default": false
- },
 "dnstap": {
 "anyOf": [
 {
@@ -1504,7 +1505,6 @@
 "level": "notice",
 "target": "stdout",
 "groups": null,
- "dnssec_bogus": false,
 "dnstap": false
 }
 },
diff --git a/doc/user/config-logging-bogus.rst b/doc/user/config-logging-bogus.rst
index 578767bdd..7b3e78206 100644
--- a/doc/user/config-logging-bogus.rst
+++ b/doc/user/config-logging-bogus.rst
@@ -13,8 +13,8 @@ Add following line to your configuration file to enable it:
 .. code-block:: yaml
- logging:
- dnssec-bogus: true
+ dnssec:
+ log-bogus: true
 Example of error message logged:
diff --git a/python/knot_resolver/datamodel/dnssec_schema.py b/python/knot_resolver/datamodel/dnssec_schema.py
index 3f051a68b..4044a0b8e 100644
--- a/python/knot_resolver/datamodel/dnssec_schema.py
+++ b/python/knot_resolver/datamodel/dnssec_schema.py
@@ -24,6 +24,7 @@ class DnssecSchema(ConfigSchema):
 ---
 enabled: Enable/disable DNSSEC.
+ log_bogus: Enable logging for each DNSSEC validation failure if '/logging/level' is set to at least 'notice'.
 sentinel: Allows users of DNSSEC validating resolver to detect which root keys are configured in resolver's chain of trust. (RFC 8509)
 signal_query: Signaling Trust Anchor Knowledge in DNSSEC Using Key Tag Query, according to (RFC 8145#section-5).
 trust_anchors_keep_removed: How many removed keys should be held in history (and key file) before being purged.
@@ -34,6 +35,7 @@ class DnssecSchema(ConfigSchema):
 """
 enabled: bool = True
+ log_bogus: bool = False
 sentinel: bool = True
 signal_query: bool = True
 trust_anchors_keep_removed: IntNonNegative = IntNonNegative(0)
diff --git a/python/knot_resolver/datamodel/logging_schema.py b/python/knot_resolver/datamodel/logging_schema.py
index a504c3a83..bca23d5e8 100644
--- a/python/knot_resolver/datamodel/logging_schema.py
+++ b/python/knot_resolver/datamodel/logging_schema.py
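Review bot: In python/knot_resolver/datamodel/dnssec_schema.py, the docstring line added for `log_bogus` (hunk @@ -24,6 +24,7) is ambiguous: "at least 'notice'" does not say whether that means more severe or more verbose. It also drops the "one message per failure" wording that the old `logging.dnssec_bogus` description carried. If the intent is that 'notice' or any more verbose level works, I would write `log_bogus: Log one message per DNSSEC validation failure; requires '/logging/level' to be 'notice' or more verbose.`. The field itself is added in the second hunk (@@ -34,6 +35,7) with default `False`, so anyone who relies on these messages to spot validation failures has to set the new key explicitly. Whether a configuration that still uses `/logging/dnssec-bogus` is rejected or silently ignored is not visible in this diff and is worth confirming, so the log does not disappear quietly on upgrade. The class body continues outside both hunks.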
@@ -89,14 +89,12 @@ class LoggingSchema(ConfigSchema):
 level: Global logging level.
 target: Global logging stream target. "from-env" uses $KRES_LOGGING_TARGET and defaults to "stdout".
 groups: List of groups for which 'debug' logging level is set.
- dnssec_bogus: Logging a message for each DNSSEC validation failure.
 dnstap: Logging DNS requests and responses to a unix socket.
 """
 level: LogLevelEnum = "notice"
 target: Union[LogTargetEnum, Literal["from-env"]] = "from-env"
 groups: Optional[List[LogGroupsEnum]] = None
- dnssec_bogus: bool = False
 dnstap: Union[Literal[False], DnstapSchema] = False
 _LAYER = Raw
@@ -104,7 +102,6 @@ class LoggingSchema(ConfigSchema):
 level: LogLevelEnum
 target: LogTargetEnum
 groups: Optional[List[LogGroupsEnum]]
- dnssec_bogus: bool
 dnstap: Union[Literal[False], DnstapSchema]
 def _target(self, raw: Raw) -> LogTargetEnum:
diff --git a/python/knot_resolver/datamodel/templates/dnssec.lua.j2 b/python/knot_resolver/datamodel/templates/dnssec.lua.j2
index 30f98dbea..1fbaf4d2b 100644
--- a/python/knot_resolver/datamodel/templates/dnssec.lua.j2
+++ b/python/knot_resolver/datamodel/templates/dnssec.lua.j2
@@ -2,6 +2,13 @@
 {% if cfg.dnssec.enabled %}
+-- dnssec.logging-bogus
+{% if cfg.dnssec.log_bogus %}
+modules.load('bogus_log')
+{% else %}
+-- modules.unload('bogus_log')
+{% endif %}
+
 -- dnssec.sentinel
 {% if cfg.dnssec.sentinel %}
 modules.load('ta_sentinel')
diff --git a/python/knot_resolver/datamodel/templates/logging.lua.j2 b/python/knot_resolver/datamodel/templates/logging.lua.j2
index c031b47cc..a173ad754 100644
--- a/python/knot_resolver/datamodel/templates/logging.lua.j2
+++ b/python/knot_resolver/datamodel/templates/logging.lua.j2
@@ -19,10 +19,6 @@ log_groups({
 })
 {% endif %}
-{% if cfg.logging.dnssec_bogus %}
-modules.load('bogus_log')
-{% endif %}
-
 {% if cfg.logging.dnstap -%}
 -- logging.dnstap
 modules.load('dnstap')
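Review bot: In python/knot_resolver/datamodel/templates/dnssec.lua.j2, the added section label `-- dnssec.logging-bogus` does not match the option it renders, which is `log-bogus` (`cfg.dnssec.log_bogus`). `-- dnssec.log-bogus` would keep the generated Lua searchable by option name. The `{% else %}` branch renders only a commented-out `-- modules.unload('bogus_log')`, so the disabled case emits nothing. If that is deliberate (for instance because the module is not loaded by default), a one-line comment saying so, or dropping the branch, would stop it reading as an unfinished unload. The new block also sits inside `{% if cfg.dnssec.enabled %}`, which closes outside the hunk, so `log-bogus: true` has no effect when DNSSEC is disabled; the option description should say so.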