From: Remi Gacogne Date: Fri, 27 Dec 2024 12:23:33 +0000 (+0100) Subject: dnsdist: Add more YAML example to the documentation X-Git-Tag: dnsdist-2.0.0-alpha1~160^2~18 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7d05eed2f4ad1797ba7194c6c8962dff583b3dca;p=thirdparty%2Fpdns.git dnsdist: Add more YAML example to the documentation --- diff --git a/pdns/dnsdistdist/docs/guides/cache.rst b/pdns/dnsdistdist/docs/guides/cache.rst index 0217ca6057..cf9eb1cb6a 100644 --- a/pdns/dnsdistdist/docs/guides/cache.rst +++ b/pdns/dnsdistdist/docs/guides/cache.rst @@ -25,6 +25,22 @@ Something along the lines of a dozen bytes per pre-allocated entry can be expect That does not mean that the memory is completely allocated up-front, the final memory usage depending mostly on the size of cached responses and therefore varying during the cache's lifetime. Assuming an average response size of 512 bytes, a cache size of 10000000 entries on a 64-bit host with 8GB of dedicated RAM would be a safe choice. +The equivalent ``yaml`` configuration would be: + +.. code-block:: yaml + + packet-caches: + - name: "pc" + size: 1000 + max-ttl: 86400 + min-ttl: 0 + temporary-failure-ttl: 60 + state-ttl: 60 + dont-age: false + pools: + - name: "" + packet-cache: "pc" + The :func:`setStaleCacheEntriesTTL` directive can be used to allow dnsdist to use expired entries from the cache when no backend is available. Only entries that have expired for less than n seconds will be used, and the returned TTL can be set when creating a new cache with :func:`newPacketCache`. diff --git a/pdns/dnsdistdist/docs/guides/carbon.rst b/pdns/dnsdistdist/docs/guides/carbon.rst index bac9ffaaed..2cbad5ca55 100644 --- a/pdns/dnsdistdist/docs/guides/carbon.rst +++ b/pdns/dnsdistdist/docs/guides/carbon.rst 
@@ -11,6 +11,19 @@ To emit metrics to Graphite, or any other software supporting the Carbon protoco Where ``ourname`` can be used to override your hostname, and ``30`` is the reporting interval in seconds. ``dnsdist`` and ``main`` are used as namespace and instance variables. For querycount statistics these two variables are currently ignored. The last four arguments can be omitted. The latest version of `PowerDNS Metronome `_ comes with attractive graphs for dnsdist by default. +The equivalent ``yaml`` configuration: + +.. code-block:: yaml + + metrics: + carbon: + - address: "ip-address-of-carbon-server" + name: "ourname" + interval: "30" + namespace: "dnsdist" + instance: "main" + + Query counters -------------- diff --git a/pdns/dnsdistdist/docs/guides/console.rst b/pdns/dnsdistdist/docs/guides/console.rst index b039320f7d..94c62cd2ef 100644 --- a/pdns/dnsdistdist/docs/guides/console.rst +++ b/pdns/dnsdistdist/docs/guides/console.rst @@ -11,6 +11,14 @@ The console can be enabled with :func:`controlSocket`: controlSocket('192.0.2.53:5199') +Or in ``yaml``: + +.. code-block:: yaml + + console: + listen-address: "192.0.2.53:5199" + + Enabling the console without encryption enabled is not recommended. Note that encryption requires building dnsdist with either libsodium or libcrypto support enabled. Once you have a console-enabled dnsdist, the first step to enable encryption is to generate a key with :func:`makeKey`:: @@ -40,6 +48,12 @@ Then add the generated :func:`setKey` line to your dnsdist configuration file, a controlSocket('192.0.2.53:5199') -- Listen on this IP and port for client connections setKey("ENCODED KEY") -- Shared secret for the console +.. code-block:: yaml + + console: + listen-address: "192.0.2.53:5199" + key: "ENCODED KEY" + Now you can run ``dnsdist -c`` to connect to the console. This makes dnsdist read its configuration file and use the :func:`controlSocket` and :func:`setKey` statements to set up its connection to the server. 
@@ -60,6 +74,15 @@ Since 1.3.0, dnsdist supports restricting which client can connect to the consol controlSocket('192.0.2.53:5199') setConsoleACL('192.0.2.0/24') +.. code-block:: yaml + + console: + listen-address: "192.0.2.53:5199" + key: "ENCODED KEY" + acl: + - "192.0.2.0/24" + + The default value is '127.0.0.1', restricting the use of the console to local users. Please make sure that encryption is enabled before using :func:`addConsoleACL` or :func:`setConsoleACL` to allow connection from remote clients. Even if the console is restricted to local users, the use of encryption is still strongly advised to prevent unauthorized local users from connecting to diff --git a/pdns/dnsdistdist/docs/guides/dns-over-http3.rst b/pdns/dnsdistdist/docs/guides/dns-over-http3.rst index 0b907e5790..1282b02f03 100644 --- a/pdns/dnsdistdist/docs/guides/dns-over-http3.rst +++ b/pdns/dnsdistdist/docs/guides/dns-over-http3.rst 
@@ -21,6 +21,19 @@ The fourth parameter, if present, indicates various options. For instance, you c addDOH3Local('2001:db8:1:f00::1', '/etc/ssl/certs/example.com.pem', '/etc/ssl/private/example.com.key', {congestionControlAlgo="bbr"}) +.. code-block:: yaml + + binds: + - listen-address: "2001:db8:1:f00::1" + protocol: "DoH3" + tls: + certificates: + - certificate: "/etc/ssl/certs/example.com.pem" + key: "/etc/ssl/private/example.com.key" + quic: + congestion-control-algorithm: "bbr" + + A particular attention should be taken to the permissions of the certificate and key files. Many ACME clients used to get and renew certificates, like CertBot, set permissions assuming that services are started as root, which is no longer true for dnsdist as of 1.5.0. For that particular case, making a copy of the necessary files in the /etc/dnsdist directory is advised, using for example CertBot's ``--deploy-hook`` feature to copy the files with the right permissions after a renewal. More information about sessions management can also be found in :doc:`../advanced/tls-sessions-management`. diff --git a/pdns/dnsdistdist/docs/guides/dns-over-https.rst b/pdns/dnsdistdist/docs/guides/dns-over-https.rst index c1f4fcbcf9..2ee14f556b 100644 --- a/pdns/dnsdistdist/docs/guides/dns-over-https.rst +++ b/pdns/dnsdistdist/docs/guides/dns-over-https.rst 
@@ -34,6 +34,25 @@ A more complicated (and more realistic) example is when you want to indicate met addDOHLocal('2001:db8:1:f00::1', '/etc/ssl/certs/example.com.pem', '/etc/ssl/private/example.com.key', "/", {customResponseHeaders={["link"]=" rel=\\"service-meta\\"; type=\\"text/html\\""}}) +Or in ``yaml``: + +.. code-block:: yaml + + - listen-address: "2001:db8:1:f00::1" + protocol: "DoH" + tls: + certificates: + - certificate: "/etc/ssl/certs/example.com.pem" + key: "/etc/ssl/private/example.com.key" + doh: + provider: "nghttp2" + paths: + - "/" + custom-response-headers: + - key: "link" + value: " rel=\\"service-meta\\"; type=\\"text/html\\"" + + A particular attention should be taken to the permissions of the certificate and key files. Many ACME clients used to get and renew certificates, like CertBot, set permissions assuming that services are started as root, which is no longer true for dnsdist as of 1.5.0. For that particular case, making a copy of the necessary files in the /etc/dnsdist directory is advised, using for example CertBot's ``--deploy-hook`` feature to copy the files with the right permissions after a renewal. More information about sessions management can also be found in :doc:`../advanced/tls-sessions-management`. @@ -128,6 +147,18 @@ That support can be enabled via the ``dohPath`` parameter of the :func:`newServe newServer({address="[2001:DB8::1]:443", tls="openssl", subjectName="doh.powerdns.com", dohPath="/dns-query", validateCertificates=true}) +.. code-block:: yaml + + backends: + - address: "127.0.0.1:%d" + protocol: "DoH" + tls: + provider: "openssl" + validate-certificate: true + subject-name: "doh.powerdns.com" + doh: + path: "/dns-query" + Internal design ^^^^^^^^^^^^^^^ diff --git a/pdns/dnsdistdist/docs/guides/dns-over-quic.rst b/pdns/dnsdistdist/docs/guides/dns-over-quic.rst index 957c82edbc..b71762d839 100644 --- a/pdns/dnsdistdist/docs/guides/dns-over-quic.rst +++ b/pdns/dnsdistdist/docs/guides/dns-over-quic.rst 
@@ -18,6 +18,19 @@ The fourth parameter, if present, indicates various options. For instance, you c addDOQLocal('2001:db8:1:f00::1', '/etc/ssl/certs/example.com.pem', '/etc/ssl/private/example.com.key', {congestionControlAlgo="bbr"}) +.. code-block:: yaml + + binds: + - listen-address: "2001:db8:1:f00::1" + protocol: "DoQ" + tls: + certificates: + - certificate: "/etc/ssl/certs/example.com.pem" + key: "/etc/ssl/private/example.com.key" + quic: + congestion-control-algorithm: "bbr" + + A particular attention should be taken to the permissions of the certificate and key files. Many ACME clients used to get and renew certificates, like CertBot, set permissions assuming that services are started as root, which is no longer true for dnsdist as of 1.5.0. For that particular case, making a copy of the necessary files in the /etc/dnsdist directory is advised, using for example CertBot's ``--deploy-hook`` feature to copy the files with the right permissions after a renewal. More information about sessions management can also be found in :doc:`../advanced/tls-sessions-management`. diff --git a/pdns/dnsdistdist/docs/guides/dns-over-tls.rst b/pdns/dnsdistdist/docs/guides/dns-over-tls.rst index 62362adeba..35cff85c52 100644 --- a/pdns/dnsdistdist/docs/guides/dns-over-tls.rst +++ b/pdns/dnsdistdist/docs/guides/dns-over-tls.rst 
@@ -18,6 +18,18 @@ In order to support multiple certificates and keys, for example an ECDSA and an addTLSLocal('192.0.2.55', {'/etc/ssl/certs/example.com.rsa.pem', '/etc/ssl/certs/example.com.ecdsa.pem'}, {'/etc/ssl/private/example.com.rsa.key', '/etc/ssl/private/example.com.ecdsa.key'}) +.. code-block:: yaml + + binds: + - listen-address: "192.0.2.55" + protocol: "DoT" + tls: + certificates: + - certificate: "/etc/ssl/certs/example.com.rsa.pem" + key: "/etc/ssl/private/example.com.rsa.key" + - certificate: "/etc/ssl/certs/example.com.ecdsa.pem" + key: "/etc/ssl/private/example.com.ecdsa.key" + The certificate chain presented by the server to an incoming client will then be selected based on the algorithms this client advertised support for. A particular attention should be taken to the permissions of the certificate and key files. Many ACME clients used to get and renew certificates, like CertBot, set permissions assuming that services are started as root, which is no longer true for dnsdist as of 1.5.0. For that particular case, making a copy of the necessary files in the /etc/dnsdist directory is advised, using for example CertBot's ``--deploy-hook`` feature to copy the files with the right permissions after a renewal. @@ -42,4 +54,3 @@ dnsdist provides a lot of counters to investigate issues: * :func:`showTCPStats` will display a lot of information about current and passed connections * :func:`showTLSErrorCounters` some metrics about why TLS sessions failed to establish - diff --git a/pdns/dnsdistdist/docs/guides/dnscrypt.rst b/pdns/dnsdistdist/docs/guides/dnscrypt.rst index 00b08d4aca..7d8b293b0f 100644 --- a/pdns/dnsdistdist/docs/guides/dnscrypt.rst +++ b/pdns/dnsdistdist/docs/guides/dnscrypt.rst 
@@ -6,6 +6,21 @@ To make :program:`dnsdist` listen to incoming DNSCrypt queries on 127.0.0.1 port addDNSCryptBind("127.0.0.1:8443", "2.providername", "/path/to/resolver.cert", "/path/to/resolver.key") + +And in ``yaml``: + +.. code-block:: yaml + + binds: + - listen-address: "127.0.0.1:8443" + protocol: "DNSCrypt" + dnscrypt: + provider-name: "2.providername" + certificates: + - certificate: "/path/to/resolver.cert" + key: "/path/to/resolver.key" + + To generate the provider and resolver certificates and keys, you can simply do:: > generateDNSCryptProviderKeys("/path/to/providerPublic.key", "/path/to/providerPrivate.key") diff --git a/pdns/dnsdistdist/docs/guides/downstreams.rst b/pdns/dnsdistdist/docs/guides/downstreams.rst index 52e534915e..60c32fd08d 100644 --- a/pdns/dnsdistdist/docs/guides/downstreams.rst +++ b/pdns/dnsdistdist/docs/guides/downstreams.rst @@ -56,6 +56,20 @@ e.g.:: newServer({address="192.0.2.1", checkType="AAAA", checkClass=DNSClass.CHAOS, checkName="a.root-servers.net.", mustResolve=true}) +In ``yaml``: + +.. code-block:: yaml + + backends: + - address: "192.0.2.1" + protocol: "Do53" + health-checks: + qname: "a.root-servers.net." + qtype: "AAAA" + qclass: "CHAOS" + must-resolve: true + + You can turn on logging of health check errors using the :func:`setVerboseHealthChecks` function. Lazy health-checking 
@@ -86,6 +100,23 @@ So for example, if we set ``healthCheckMode`` to ``lazy``, ``lazyHealthCheckSamp newServer({address="192.0.2.1", healthCheckMode='lazy', checkInterval=1, lazyHealthCheckFailedInterval=30, rise=2, maxCheckFailures=3, lazyHealthCheckThreshold=30, lazyHealthCheckSampleSize=100, lazyHealthCheckMinSampleCount=10, lazyHealthCheckMode='TimeoutOnly'}) +.. code-block:: yaml + + backends: + - address: "192.0.2.1" + protocol: "Do53" + health-checks: + mode: "lazy" + rise: 2 + max-failures: 3 + check-interval: 1 + lazy: + mode: "TimeoutOnly" + interval: 30 + threshold: 30 + sample-size: 100 + min-sample-count: 10 + The 'lazy' mode also supports using an exponential back-off time between health-check queries, once a backend has been moved to the 'down' state. This can be enabled by setting the ``lazyHealthCheckUseExponentialBackOff`` parameter to 'true'. Once the backend has been marked as 'down', the first query will be sent after ``lazyHealthCheckFailedInterval`` seconds, the second one after 2 times ``lazyHealthCheckFailedInterval`` seconds, the third after 4 times ``lazyHealthCheckFailedInterval`` seconds, and so on and so forth, until ``lazyHealthCheckMaxBackOff`` has been reached. Then probes will be sent every ``lazyHealthCheckMaxBackOff`` seconds (default is 3600 so one hour) until the backend comes 'up' again. Source address selection @@ -98,6 +129,13 @@ interface used by dnsdist to contact a downstream server. This can be done by us newServer({address="192.0.2.1", source="eth1"}) newServer({address="192.0.2.1", source="192.0.2.127@eth1"}) +.. code-block:: yaml + + backends: + - address: "192.0.2.1" + protocol: "Do53" + source: "192.0.2.127@eth1" + The supported values for source are: - an IPv4 or IPv6 address, which must exist on the system diff --git a/pdns/dnsdistdist/docs/guides/serverpools.rst b/pdns/dnsdistdist/docs/guides/serverpools.rst index 18790ed4f3..700ede19ea 100644 --- a/pdns/dnsdistdist/docs/guides/serverpools.rst 
+++ b/pdns/dnsdistdist/docs/guides/serverpools.rst @@ -2,7 +2,7 @@ Server pools ------------ dnsdist has the concept to "server pools", any number of servers can belong to a group. -A default pool, identified by the empty string ``''`` is always present, and `newServer` without a pool argument will assign the new server to that pool. +A default pool, identified by the empty string ``''`` is always present, and :func:`newServer` without a pool argument will assign the new server to that pool. Let's say we know we're getting a whole bunch of traffic for a domain used in DoS attacks, for example 'example.com'. We can do two things with this kind of traffic. @@ -42,4 +42,3 @@ Traffic exceeding the :term:`QPS` limit will not match that rule, and subsequent getServer(4):addPool("abuse") getServer(4):rmPool("abuse") - diff --git a/pdns/dnsdistdist/docs/guides/webserver.rst b/pdns/dnsdistdist/docs/guides/webserver.rst index 8ac3ec32f4..21c70e1044 100755 --- a/pdns/dnsdistdist/docs/guides/webserver.rst +++ b/pdns/dnsdistdist/docs/guides/webserver.rst @@ -16,6 +16,18 @@ Since 1.5.0, only connections from 127.0.0.1 and ::1 are allowed by default. To setWebserverConfig({password="supersecretpassword", apiKey="supersecretAPIkey", acl="192.0.2.0/24, !192.0.2.1"}) +The equivalent ``yaml`` configuration would be: + +.. code-block:: yaml + + webserver: + listen-address: "127.0.0.1:8083" + password: "supersecretpassword" + api-key: "supersecretAPIkey" + acl: + - "192.0.2.0/24" + - "!192.0.2.1" + Security of the Webserver ------------------------- diff --git a/pdns/dnsdistdist/docs/index.rst b/pdns/dnsdistdist/docs/index.rst index a87777af4d..8bc1eb7410 100644 --- a/pdns/dnsdistdist/docs/index.rst +++ b/pdns/dnsdistdist/docs/index.rst 
@@ -1,22 +1,44 @@ dnsdist Overview ================ -dnsdist is a highly DNS-, DoS- and abuse-aware loadbalancer. +:program:`dnsdist` is a highly DNS-, DoS- and abuse-aware loadbalancer. Its goal in life is to route traffic to the best server, delivering top performance to legitimate users while shunting or blocking abusive traffic. -dnsdist is dynamic, its configuration language is `Lua `_ and it can be changed at runtime, and its statistics can be queried from a console-like interface or an HTTP API. +:program:`dnsdist` is dynamic, its configuration can be changed at runtime via a :doc:`console-like interface `. +It exposes :doc:`metrics ` that can be exported via Carbon, Prometheus, an HTTP API and the console. + +Until 2.0.0 the configuration was written in `Lua `_, but it is now possible to write the configuration in :doc:`yaml ` as well. A configuration to balance DNS queries to several backend servers: .. code-block:: lua - newServer({address="2620:fe::fe", qps=1}) - newServer({address="2620:fe::9", qps=1}) - newServer({address="9.9.9.9", qps=1}) - newServer({address="2001:db8::1", qps=10}) - newServer({address="[2001:db8::2]:5300", name="dns1", qps=10}) + newServer({address="2620:fe::fe"}) + newServer({address="2620:fe::9"}) + newServer({address="9.9.9.9"}) + newServer({address="2001:db8::1"}) + newServer({address="[2001:db8::2]:5300", name="dns1"}) newServer("192.0.2.1") - setServerPolicy(firstAvailable) -- first server within its QPS limit + +Or in ``yaml``: + +.. code-block:: yaml + + backends: + - address: "2620:fe::fe" + protocol: Do53 + - address: "2620:fe::9" + protocol: Do53 + - address: "9.9.9.9" + protocol: Do53 + - address: "2001:db8::1" + protocol: Do53 + - address: "[2001:db8::1]:5300" + name: "dns1" + protocol: Do53 + - address: "192.0.2.1" + protocol: Do53 + Running dnsdist --------------- diff --git a/pdns/dnsdistdist/docs/install.rst b/pdns/dnsdistdist/docs/install.rst index 34e3af1bfd..5d455d7638 100644 
--- a/pdns/dnsdistdist/docs/install.rst +++ b/pdns/dnsdistdist/docs/install.rst @@ -9,7 +9,7 @@ Building from source is also supported. Installing from Packages ------------------------ -If dnsdist is available in your operating system's software repositories, install it from there. +If dnsdist is available in your operating system's software repositories, you can install it from there. However, the version of dnsdist in the repositories might be an older version that might not have a feature that was added in a later version. Or you might want to be brave and try a development snapshot from the master branch. PowerDNS provides software repositories for the most popular distributions. 
@@ -49,20 +49,21 @@ dnsdist depends on the following libraries: * `Lua `_ 5.1+ or `LuaJit `_ * `Editline (libedit) `_ * `libfstrm `_ (optional, dnstap support) -* `GnuTLS `_ (optional, DoT and outgoing DoH support) +* `GnuTLS `_ (optional, DoT and DoH support) * `libbpf `_ and `libxdp `_ (optional, `XSK`/`AF_XDP` support) * `libcap `_ (optional, capabilities support) * `libh2o `_ (optional, incoming DoH support, deprecated in 1.9.0 in favor of ``nghttp2``) -* `libsodium `_ (optional, DNSCrypt and console encryption support) +* `libsodium `_ (optional, DNSCrypt support) * `LMDB `_ (optional, LMDB support) * `net-snmp `_ (optional, SNMP support) -* `nghttp2 `_ (optional, outgoing DoH support) +* `nghttp2 `_ (optional, DoH support) * `OpenSSL `_ (optional, DoT and DoH support) -* `protobuf `_ (optional, not needed as of 1.6.0) -* `quiche `_ (optional, incoming DoQ support) +* `Quiche `_ (optional, incoming DoQ and DoH3 support) * `re2 `_ (optional) * `TinyCDB `_ (optional, CDB support) +Since 2.0.0, the optional ``yaml`` configuration requires a Rust compiler and a Python 3 interpreter. + Should :program:`dnsdist` be run on a system with systemd, it is highly recommended to have the systemd header files (``libsystemd-dev`` on Debian and ``systemd-devel`` on CentOS) installed to have :program:`dnsdist` support ``systemd-notify``. diff --git a/pdns/dnsdistdist/docs/quickstart.rst b/pdns/dnsdistdist/docs/quickstart.rst index 179f841d1d..45cef80c82 100644 --- a/pdns/dnsdistdist/docs/quickstart.rst +++ b/pdns/dnsdistdist/docs/quickstart.rst @@ -17,6 +17,8 @@ This will make dnsdist listen on IP address 127.0.0.1, port 5300 and forward all Here is more complete configuration, save it to ``dnsdist.conf``:: +.. code-block:: lua + newServer({address="2001:db8::1", qps=1}) newServer({address="2001:db8::2", qps=1}) newServer({address="[2001:db8::3]:5300", qps=10}) 
@@ -26,6 +28,29 @@ Here is more complete configuration, save it to ``dnsdist.conf``:: The :func:`newServer` function is used to add a backend server to the configuration. +The ``yaml`` equivalent, from 2.0+ onwards, would be: + +.. code-block:: yaml + + backends: + - address: "2001:db8::1" + protocol: Do53 + qps: 1 + - address: "2001:db8::2" + protocol: Do53 + qps: 1 + - address: "[2001:db8::3]:5300" + protocol: Do53 + qps: 10 + - address: "[2001:db8::4]" + name: "dns1" + protocol: Do53 + qps: 10 + - address: "192.0.2.1" + protocol: Do53 + load-balancing-policies: + default-policy: "firstAvailable" + Now run dnsdist again, reading this configuration:: $ dnsdist -C dnsdist.conf --local=0.0.0.0:5300 @@ -118,6 +143,20 @@ Adding network ranges to the :term:`ACL` is done with the :func:`setACL` and :fu setACL({'192.0.2.0/28', '2001:db8:1::/56'}) -- Set the ACL to only allow these subnets addACL('2001:db8:2::/56') -- Add this subnet to the existing ACL +And in ``yaml`` format: + +.. code-block:: yaml +acl: + - "192.0.2.0/28" + - "2001:db8:1::/56" + - "2001:db8:2::/56" +binds: + - listen-address: "192.0.2.53" + protocol: Do53 + - listen-address: "[::1]:5300" + protocol: Do53 + + Securing the path to the backend -------------------------------- diff --git a/pdns/dnsdistdist/docs/reference/actions.rst b/pdns/dnsdistdist/docs/reference/actions.rst index e665a77462..5442d647c4 100644 --- a/pdns/dnsdistdist/docs/reference/actions.rst +++ b/pdns/dnsdistdist/docs/reference/actions.rst 
@@ -2,6 +2,8 @@ Rule Actions ============ :doc:`selectors` need to be combined with an action for them to actually do something with the matched packets. +This page describes the ``Lua`` versions of these actions, for the ``YAML`` version please see :doc:`yaml-actions` and :doc:`yaml-response-actions`. + Some actions allow further processing of rules, this is noted in their description. Most of these start with 'Set' with a few exceptions, mostly for logging actions. These exceptions are: - :func:`ClearRecordTypesResponseAction` diff --git a/pdns/dnsdistdist/docs/reference/selectors.rst b/pdns/dnsdistdist/docs/reference/selectors.rst index e0eeaa37a1..2830f68dd4 100644 --- a/pdns/dnsdistdist/docs/reference/selectors.rst +++ b/pdns/dnsdistdist/docs/reference/selectors.rst @@ -11,6 +11,8 @@ These ``DNSRule``\ s be one of the following items: * A list of :class:`DNSName`\ s * A (compounded) ``Rule`` +This page describes the ``Lua`` versions of these selectors, for the ``YAML`` version please see :doc:`yaml-selectors`. + Selectors can be combined via :func:`AndRule`, :func:`OrRule` and :func:`NotRule`. .. function:: AllRule() diff --git a/pdns/dnsdistdist/docs/rules-actions.rst b/pdns/dnsdistdist/docs/rules-actions.rst index 8918ccc74e..fa02bb5353 100644 --- a/pdns/dnsdistdist/docs/rules-actions.rst +++ b/pdns/dnsdistdist/docs/rules-actions.rst 
@@ -9,7 +9,7 @@ Packet Policies It receives packets on one or several addresses it listens on, and determines whether it will process this packet based on the :doc:`advanced/acl`. Should the packet be processed, :program:`dnsdist` attempts to match any of the configured rules in order and when one matches, the associated action is performed. -These rule and action combinations are considered policies. The complete list of selectors (rules) can be found in :doc:`reference/selectors`, and the list of actions in :doc:`reference/actions`. +These rule and action combinations are considered policies. The complete list of selectors (rules) can be found in :doc:`reference/selectors` (:doc:`reference/yaml-selectors`), and the list of actions in :doc:`reference/actions` (:doc:`reference/yaml-actions` and :doc:`reference/yaml-response-actions`). Packet Actions -------------- diff --git a/pdns/dnsdistdist/docs/upgrade_guide.rst b/pdns/dnsdistdist/docs/upgrade_guide.rst index 40d64175aa..e2c496d103 100644 --- a/pdns/dnsdistdist/docs/upgrade_guide.rst +++ b/pdns/dnsdistdist/docs/upgrade_guide.rst @@ -4,6 +4,8 @@ Upgrade Guide 1.9.x to 2.0.0 -------------- +:program:`dnsdist` supports a new, optional ``yaml`` :doc:`configuration format `. This new format requires a Rust compiler and a Python 3 interpreter. + :func:`showTLSContexts` has been renamed to :func:`showTLSFrontends`. :func:`getTLSContext` and the associated :class:`TLSContext` have been removed, please use :func:`getTLSFrontend` and the associated :class:`TLSFrontend` instead.
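Review bot: in the carbon.rst hunk at @@ -11,6 +11,19, ``interval: "30"`` is written as a quoted string, although the paragraph above describes ``30`` as the reporting interval in seconds and the other numeric settings added by this patch (``size: 1000``, ``check-interval: 1``, ``rise: 2``) are unquoted integers. Write ``interval: 30`` unless the YAML schema really expects a string for this field.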
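Review bot: the YAML list in the dns-over-https.rst hunk at @@ -34,6 +34,25 starts directly at ``- listen-address: "2001:db8:1:f00::1"`` with no ``binds:`` parent key, unlike the DoH3, DoQ, DoT and DNSCrypt examples added elsewhere in this patch. Add the ``binds:`` line so the snippet is a complete configuration fragment. Also check the ``value:`` string in the same block: inside a double-quoted YAML scalar ``\\`` is an escaped backslash, so the quote that follows it closes the string early, and ``\"`` is the escape wanted there.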
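Review bot: the YAML backend in the dns-over-https.rst hunk at @@ -128,6 +147,18 uses ``address: "127.0.0.1:%d"``, which still carries an unexpanded ``%d`` format placeholder and does not match the Lua line it follows, ``address="[2001:DB8::1]:443"``. Use ``address: "[2001:DB8::1]:443"`` so both examples describe the same backend and a reader copying the YAML does not end up with a literal ``%d`` as the port.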
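Review bot: the YAML block in the downstreams.rst hunk at @@ -98,6 +129,13 mirrors only the second of the two Lua lines before it (``source="192.0.2.127@eth1"``) and has no lead-in sentence, while the health-check hunk in the same file introduces its block with "In ``yaml``:". Add the same lead-in here and say which Lua line the YAML corresponds to, or show the ``source="eth1"`` form as well.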
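Review bot: in the index.rst hunk at @@ -1,22 +1,44, the YAML entry named ``dns1`` has ``address: "[2001:db8::1]:5300"`` while the Lua line it is meant to mirror is ``newServer({address="[2001:db8::2]:5300", name="dns1"})``. As written the YAML lists ``2001:db8::1`` twice (once on the default port, once on 5300) and never lists ``2001:db8::2``; change the address to ``[2001:db8::2]:5300``.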
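Review bot: the install.rst hunk at @@ -49,20 +49,21 drops "console encryption support" from the libsodium entry and removes the protobuf entry, neither of which is covered by a commit subject about adding YAML examples. The console guide touched by this same patch still states that console encryption requires libsodium or libcrypto, so either keep the console mention on the libsodium line (and add it to the OpenSSL line), or explain the dependency changes in the commit message.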
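Review bot: in the quickstart.rst hunk at @@ -17,6 +17,8, the new ``.. code-block:: lua`` directive is added after a paragraph that still ends in ``::``, so the paragraph announces a literal block and the directive then opens a second one. Change the trailing ``::`` on the "save it to ``dnsdist.conf``" line to a single ``:`` in the same change.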
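Review bot: the ``.. code-block:: yaml`` directive added in the quickstart.rst hunk at @@ -118,6 +143,20 is followed immediately by ``acl:`` with no empty ``+`` line in between, whereas every other YAML block in this patch has one. Add the blank line after the directive and confirm that the ``acl:`` and ``binds:`` content is indented under it, so the block renders like the others.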