From: Tomas Krizek Date: Tue, 19 Mar 2019 11:20:55 +0000 (+0100) Subject: trust_anchors: always load keyfile_default X-Git-Tag: v4.0.0~15^2~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8abc490f6fe6d226ea0aaa5ad5accab6d620b587;p=thirdparty%2Fknot-resolver.git trust_anchors: always load keyfile_default --- diff --git a/daemon/README.rst b/daemon/README.rst index a5e0672eb..b2de69ba7 100644 --- a/daemon/README.rst +++ b/daemon/README.rst @@ -391,7 +391,7 @@ add the following snippet to your configuration file. .. code-block:: lua -- turns off DNSSEC validation - trust_anchors.keyfile_default = nil + trust_anchors.remove('.') The resolver supports DNSSEC including :rfc:`5011` automated DNSSEC TA updates and :rfc:`7646` negative trust anchors. Depending on your distribution, DNSSEC @@ -436,10 +436,6 @@ policy, or automatically maintained by the resolver itself. If you want to disable DNSSEC validation for a particular domain but keep it enabled for the rest of DNS tree, use :func:`trust_anchors.set_insecure`. -.. envvar:: trust_anchors.keyfile_default = keyfile_default - - Set by ``keyfile_default`` option during compilation. - .. envvar:: trust_anchors.hold_down_time = 30 * day :return: int (default: 30 * day) diff --git a/daemon/cache.test/clear.test.lua b/daemon/cache.test/clear.test.lua index e7e96fd81..ed13186dc 100644 --- a/daemon/cache.test/clear.test.lua +++ b/daemon/cache.test/clear.test.lua @@ -32,7 +32,7 @@ ev = event.after(0, function () return 1 end) -- Import fake root zone; avoid interference with configured keyfile_default. -trust_anchors.keyfile_default = nil +trust_anchors.remove('.') trust_anchors.add('. IN DS 48409 8 2 3D63A0C25BCE86621DE63636F11B35B908EFE8E9381E0E3E9DEFD89EA952C27D') local function check_answer(desc, qname, qtype, expected_rcode) 
diff --git a/daemon/lua/config.lua.in b/daemon/lua/config.lua similarity index 75% rename from daemon/lua/config.lua.in rename to daemon/lua/config.lua index 26f756a5c..66e9c35e8 100644 --- a/daemon/lua/config.lua.in +++ b/daemon/lua/config.lua @@ -31,13 +31,3 @@ end if require('ffi').C.kr_zonecut_is_empty(kres.context().root_hints) then _hint_root_file() end - -if not trust_anchors.keysets['\0'] and trust_anchors.keyfile_default then - if io.open(trust_anchors.keyfile_default, 'r') then - trust_anchors.config(trust_anchors.keyfile_default, @unmanaged@) - else - panic("cannot open default trust anchor file:'%s'", - trust_anchors.keyfile_default - ) - end -end diff --git a/daemon/lua/meson.build b/daemon/lua/meson.build index d11bf7731..b2e51e20a 100644 --- a/daemon/lua/meson.build +++ b/daemon/lua/meson.build @@ -15,9 +15,10 @@ trust_anchors = configure_file( output: 'trust_anchors.lua', configuration: ta_config, ) -config_lua = configure_file( - input: 'config.lua.in', - output: 'config.lua', + +sandbox = configure_file( + input: 'sandbox.lua.in', + output: 'sandbox.lua', configuration: ta_config, ) @@ -27,10 +28,10 @@ run_target( # run manually to re-generate kres-gen.lua ) lua_src = [ - config_lua, + files('config.lua'), files('kres.lua'), files('kres-gen.lua'), - files('sandbox.lua'), + sandbox, trust_anchors, files('zonefile.lua'), ] diff --git a/daemon/lua/sandbox.lua b/daemon/lua/sandbox.lua.in similarity index 99% rename from daemon/lua/sandbox.lua rename to daemon/lua/sandbox.lua.in index 79ebc4a61..99c9da137 100644 --- a/daemon/lua/sandbox.lua +++ b/daemon/lua/sandbox.lua.in @@ -325,6 +325,9 @@ modules.load('detect_time_jump') modules.load('ta_sentinel') modules.load('edns_keepalive') +-- Load keyfile_default +trust_anchors.add_file('@keyfile_default@', @unmanaged@) + -- Interactive command evaluation function eval_cmd(line, raw) -- Compatibility sandbox code loading 
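Review bot: The unconditional `trust_anchors.add_file('@keyfile_default@', @unmanaged@)` added to sandbox.lua.in drops the fail-closed check of the block deleted from config.lua, which called `panic(...)` when an unmanaged default key file could not be opened; how add_file treats a missing or unreadable unmanaged file is not visible in this diff, and if it only warns, a bad key file means kresd starts with no root trust anchor and DNSSEC validation silently off. Unless add_file already aborts in that case, guard the unmanaged path explicitly, e.g. `if @unmanaged@ and not trust_anchors.keysets['\0'] then panic('cannot load default trust anchor file: @keyfile_default@') end` (the managed case may bootstrap asynchronously, so do not apply the check there). The substituted path is spliced into a single-quoted Lua literal without escaping, so a build prefix containing `'` or `\` yields a syntactically broken sandbox.lua; escaping it in meson or using a long-bracket string `[[@keyfile_default@]]` avoids that. This call runs before the user configuration is evaluated, and the preceding `modules.load` lines do not show ta_update being loaded, so if the default is built as managed (`@unmanaged@` false) it is worth confirming that RFC 5011 tracking still starts for it. The `-- Load keyfile_default` comment would be more useful as `-- Load the build-time default trust anchor file; user config may override it with trust_anchors.remove('.') or trust_anchors.add_file()`.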
diff --git a/daemon/lua/trust_anchors.lua.in b/daemon/lua/trust_anchors.lua.in index fb032d5d0..efcdae15d 100644 --- a/daemon/lua/trust_anchors.lua.in +++ b/daemon/lua/trust_anchors.lua.in @@ -351,7 +351,7 @@ local function add_file(path, unmanaged) local keyset_orig = trust_anchors.keysets[owner] if keyset_orig then warn('[ ta ] warning: overriding previously set trust anchors for ' .. owner_str) - if keyset_orig.managed then + if keyset_orig.managed and ta_update then ta_update.stop(owner) end end @@ -427,7 +427,6 @@ trust_anchors = { bootstrap_url = 'https://data.iana.org/root-anchors/root-anchors.xml', bootstrap_ca = '@etc_dir@/icann-ca.pem', - keyfile_default = '@keyfile_default@', -- Load keys from a file, 5011-managed by default. -- If managed and the file doesn't exist, try bootstrapping the root into it. diff --git a/daemon/lua/trust_anchors.test/bootstrap.test.lua b/daemon/lua/trust_anchors.test/bootstrap.test.lua index ea35c487e..78f8d9edd 100644 --- a/daemon/lua/trust_anchors.test/bootstrap.test.lua +++ b/daemon/lua/trust_anchors.test/bootstrap.test.lua @@ -60,7 +60,7 @@ end local host = 'https://localhost:8080/' -- avoid interference with configured keyfile_default -trust_anchors.keyfile_default = nil +trust_anchors.remove('.') local function test_err_cert() trust_anchors.bootstrap_ca = 'x509/wrongca.pem' diff --git a/daemon/lua/trust_anchors.test/ta.test.lua b/daemon/lua/trust_anchors.test/ta.test.lua index 6993f8fd7..ca68c701d 100644 --- a/daemon/lua/trust_anchors.test/ta.test.lua +++ b/daemon/lua/trust_anchors.test/ta.test.lua @@ -1,4 +1,4 @@ -trust_anchors.keyfile_default = nil +trust_anchors.remove('.') local ffi = require('ffi') diff --git a/doc/meson.build b/doc/meson.build index 8c912829e..186042789 100644 --- a/doc/meson.build +++ b/doc/meson.build 
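Review bot: Deleting the `keyfile_default` field from the `trust_anchors` table (whose constructor begins outside this hunk) turns the previously documented `trust_anchors.keyfile_default = nil` and any `trust_anchors.keyfile_default = '/path/to/keys'` in existing user configurations into silent no-ops, because assigning an unknown field on a plain Lua table simply creates it. The nil case fails closed (validation stays on, which is why the templates and tests are rewritten to `trust_anchors.remove('.')`), but a deployment that pointed the field at its own anchor file now silently keeps the build-time default and never loads the custom file, with nothing in the log. Rather than a silent compatibility break, attach a `__newindex` metamethod to `trust_anchors` that rejects the old name, e.g. `if k == 'keyfile_default' then error('trust_anchors.keyfile_default was removed; use trust_anchors.add_file() or trust_anchors.remove(".")') end` before the `rawset`, or at minimum record the removal in the release notes.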
@@ -4,7 +4,6 @@ man_config = configuration_data() man_config.set('version', meson.project_version()) man_config.set('date', run_command('../scripts/get-date.sh').stdout()) -man_config.set('keyfile_default', keyfile_default) man_config.set('man_seealso_systemd', '') if systemd_files == 'enabled' @@ -13,16 +12,6 @@ elif systemd_files == 'nosocket' man_config.set('man_seealso_systemd', '\\fIkresd.systemd.nosocket(7)\\fR, ') endif -man_config.set('man_managed_keyfile_default', '') -man_config.set('man_unmanaged_keyfile_default', '') -if managed_ta - man_config.set('man_managed_keyfile_default', ''' -Default: "@0@"'''.format(keyfile_default)) -else - man_config.set('man_unmanaged_keyfile_default', ''' -Default: "@0@"'''.format(keyfile_default)) -endif - man_kresd = configure_file( input: 'kresd.8.in', output: 'kresd.8', diff --git a/etc/config/config.cluster.in b/etc/config/config.cluster.in index 709116b04..6984aa092 100644 --- a/etc/config/config.cluster.in +++ b/etc/config/config.cluster.in @@ -7,7 +7,7 @@ @config_defaults@ -- To disable DNSSEC validation, uncomment the following line (not recommended) --- trust_anchors.keyfile_default = nil +-- trust_anchors.remove('.') -- Large cache size, so we don't need to flush ever -- This can be larger than available RAM, least frequently accessed diff --git a/etc/config/config.docker.in b/etc/config/config.docker.in index 4e284af76..1a54f1638 100644 --- a/etc/config/config.docker.in +++ b/etc/config/config.docker.in @@ -6,7 +6,7 @@ net.listen('0.0.0.0') net.listen('0.0.0.0', 853, {tls=true}) -- To disable DNSSEC validation, uncomment the following line (not recommended) --- trust_anchors.keyfile_default = nil +-- trust_anchors.remove('.') -- Load Useful modules modules = { diff --git a/etc/config/config.isp.in b/etc/config/config.isp.in index 30ddbbe00..4c29db19a 100644 --- a/etc/config/config.isp.in +++ b/etc/config/config.isp.in 
@@ -4,7 +4,7 @@ @config_defaults@ -- To disable DNSSEC validation, uncomment the following line (not recommended) --- trust_anchors.keyfile_default = nil +-- trust_anchors.remove('.') -- Large cache size, so we don't need to flush often -- This can be larger than available RAM, least frequently accessed diff --git a/etc/config/config.personal.in b/etc/config/config.personal.in index 555edc359..6d9844e02 100644 --- a/etc/config/config.personal.in +++ b/etc/config/config.personal.in @@ -3,7 +3,7 @@ @config_defaults@ -- To disable DNSSEC validation, uncomment the following line (not recommended) --- trust_anchors.keyfile_default = nil +-- trust_anchors.remove('.') -- Load useful modules modules = { diff --git a/etc/config/config.splitview.in b/etc/config/config.splitview.in index ae009ac77..60da665d7 100644 --- a/etc/config/config.splitview.in +++ b/etc/config/config.splitview.in @@ -4,7 +4,7 @@ @config_defaults@ -- To disable DNSSEC validation, uncomment the following line (not recommended) --- trust_anchors.keyfile_default = nil +-- trust_anchors.remove('.') -- Load Useful modules modules = { diff --git a/modules/policy/noipv6.test.integr/kresd_config.j2 b/modules/policy/noipv6.test.integr/kresd_config.j2 index 4d9a26149..93099f37e 100644 --- a/modules/policy/noipv6.test.integr/kresd_config.j2 +++ b/modules/policy/noipv6.test.integr/kresd_config.j2 @@ -3,7 +3,7 @@ net.ipv6 = false policy.add(policy.all(policy.STUB({ '::1:2:3:4', '1.2.3.4' }))) -- make sure DNSSEC is turned off for tests -trust_anchors.keyfile_default = nil +trust_anchors.remove('.') -- Disable RFC5011 TA update if ta_update then diff --git a/modules/policy/noipvx.test.integr/kresd_config.j2 b/modules/policy/noipvx.test.integr/kresd_config.j2 index 6b12bb25d..ce9796797 100644 --- a/modules/policy/noipvx.test.integr/kresd_config.j2 +++ b/modules/policy/noipvx.test.integr/kresd_config.j2 
@@ -4,7 +4,7 @@ net.ipv6 = false policy.add(policy.all(policy.STUB({ '::1:2:3:4', '1.2.3.4' }))) -- make sure DNSSEC is turned off for tests -trust_anchors.keyfile_default = nil +trust_anchors.remove('.') -- Disable RFC5011 TA update if ta_update then diff --git a/modules/policy/test.integr/kresd_config.j2 b/modules/policy/test.integr/kresd_config.j2 index cb5716aa0..3225c5379 100644 --- a/modules/policy/test.integr/kresd_config.j2 +++ b/modules/policy/test.integr/kresd_config.j2 @@ -2,7 +2,7 @@ policy.add(policy.suffix(policy.REFUSE, {todname('refuse.example.com')})) -- make sure DNSSEC is turned off for tests -trust_anchors.keyfile_default = nil +trust_anchors.remove('.') -- Disable RFC5011 TA update if ta_update then diff --git a/modules/rebinding/test.integr/kresd_config.j2 b/modules/rebinding/test.integr/kresd_config.j2 index 99919a31b..e044351f9 100644 --- a/modules/rebinding/test.integr/kresd_config.j2 +++ b/modules/rebinding/test.integr/kresd_config.j2 @@ -1,6 +1,6 @@ {% raw %} -- make sure DNSSEC is turned off for tests -trust_anchors.keyfile_default = nil +trust_anchors.remove('.') -- Disable RFC5011 TA update if ta_update then diff --git a/modules/serve_stale/test.integr/kresd_config.j2 b/modules/serve_stale/test.integr/kresd_config.j2 index b0350cbca..5beff9e3f 100644 --- a/modules/serve_stale/test.integr/kresd_config.j2 +++ b/modules/serve_stale/test.integr/kresd_config.j2 @@ -2,7 +2,7 @@ modules = { 'serve_stale < cache' } -- make sure DNSSEC is turned off for tests -trust_anchors.keyfile_default = nil +trust_anchors.remove('.') -- Disable RFC5011 TA update if ta_update then diff --git a/modules/stats/test.integr/kresd_config.j2 b/modules/stats/test.integr/kresd_config.j2 index 1ee2780b8..a93ece40b 100644 --- a/modules/stats/test.integr/kresd_config.j2 +++ b/modules/stats/test.integr/kresd_config.j2 
@@ -52,7 +52,7 @@ policy.add(policy.pattern(reply_result, 'stats.test.')) policy.add(policy.all(FWD_TARGET)) -- avoid iteration -- make sure DNSSEC is turned off for tests -trust_anchors.keyfile_default = nil +trust_anchors.remove('.') -- Disable RFC5011 TA update if ta_update then diff --git a/modules/ta_update/ta_update.test.lua b/modules/ta_update/ta_update.test.lua index 7e55075ed..774b9515e 100644 --- a/modules/ta_update/ta_update.test.lua +++ b/modules/ta_update/ta_update.test.lua @@ -3,7 +3,7 @@ ta_update.refresh_time = 0.1 * sec ta_update.hold_down_time = 0.2 * sec -- prevent build-time config from interfering with the test -trust_anchors.keyfile_default = nil +trust_anchors.remove('.') -- count . IN DNSKEY queries counter = 0 diff --git a/modules/view/addr.test.integr/kresd_config.j2 b/modules/view/addr.test.integr/kresd_config.j2 index d9052875c..08a6be20f 100644 --- a/modules/view/addr.test.integr/kresd_config.j2 +++ b/modules/view/addr.test.integr/kresd_config.j2 @@ -6,7 +6,7 @@ view:addr('127.0.0.0/24', policy.suffix(policy.DENY_MSG("addr 127.0.0.0/24 match policy.add(policy.all(policy.FORWARD('1.2.3.4'))) -- make sure DNSSEC is turned off for tests -trust_anchors.keyfile_default = nil +trust_anchors.remove('.') -- Disable RFC5011 TA update if ta_update then diff --git a/modules/view/tsig.test.integr/kresd_config.j2 b/modules/view/tsig.test.integr/kresd_config.j2 index e69799be0..c306989f7 100644 --- a/modules/view/tsig.test.integr/kresd_config.j2 +++ b/modules/view/tsig.test.integr/kresd_config.j2 @@ -28,7 +28,7 @@ if detect_time_skew then end -- make sure DNSSEC is turned off for tests -trust_anchors.keyfile_default = nil +trust_anchors.remove('.') _hint_root_file('hints') cache.size = 2*MB diff --git a/tests/pytests/templates/kresd.conf.j2 b/tests/pytests/templates/kresd.conf.j2 index 6e16b1072..72f0ee1a7 100644 --- a/tests/pytests/templates/kresd.conf.j2 +++ b/tests/pytests/templates/kresd.conf.j2 
@@ -43,7 +43,7 @@ policy.add(policy.suffix(policy.PASS, {todname('test.')})) {% endif %} -- make sure DNSSEC is turned off for tests -trust_anchors.keyfile_default = nil +trust_anchors.remove('.') modules.unload("ta_update") modules.unload("ta_signal_query") modules.unload("priming")