From: Tomas Krizek
Date: Wed, 6 Feb 2019 17:48:46 +0000 (+0100)
Subject: meson: etc/config - move and unify configs
X-Git-Tag: v4.0.0~24^2~175
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fd1518cd0bc86659cedaaf28a058c171a887a005;p=thirdparty%2Fknot-resolver.git
meson: etc/config - move and unify configs
---
diff --git a/daemon/README.rst b/daemon/README.rst
index 765d2abdc..3243b5841 100644
--- a/daemon/README.rst
+++ b/daemon/README.rst
@@ -498,6 +498,9 @@ Trust anchors and DNSSEC
 Enabling DNSSEC
 ===============
+TODO - change section to disabling DNSSEC
+-- trust_anchors.keyfile_default = nil
+
 The resolver supports DNSSEC including :rfc:`5011` automated DNSSEC TA updates and :rfc:`7646` negative trust anchors. To enable it, you need to provide trusted root keys. Bootstrapping of the keys is automated, and kresd fetches root trust anchors set `over a secure channel `_ from IANA. From there, it can perform :rfc:`5011` automatic updates for you.
diff --git a/distro/common/kresd.conf b/distro/common/kresd.conf
deleted file mode 100644
index a82a89391..000000000
--- a/distro/common/kresd.conf
+++ /dev/null
@@ -1,19 +0,0 @@
--- vim:syntax=lua:
--- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration
-
--- Load useful modules
-modules = {
- 'hints > iterate', -- Load /etc/hosts and allow custom root hints
- 'stats', -- Track internal statistics
- 'predict', -- Prefetch expiring/frequent records
-}
-
--- See kresd.systemd(7) about configuring network interfaces when using systemd
--- Listen on localhost (default)
--- net = { '127.0.0.1', '::1' }
-
--- Enable DNSSEC validation
-trust_anchors.file = '/etc/knot-resolver/root.keys'
-
--- Cache size
-cache.size = 100 * MB
diff --git a/distro/common/kresd.no_ta.conf b/distro/common/kresd.no_ta.conf
deleted file mode 100644
index e452f0e85..000000000
--- a/distro/common/kresd.no_ta.conf
+++ /dev/null
@@ -1,19 +0,0 @@
--- vim:syntax=lua:
--- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration
-
--- Load useful modules
-modules = {
- 'hints > iterate', -- Load /etc/hosts and allow custom root hints
- 'stats', -- Track internal statistics
- 'predict', -- Prefetch expiring/frequent records
-}
-
--- See kresd.systemd(7) about configuring network interfaces when using systemd
--- Listen on localhost (default)
--- net = { '127.0.0.1', '::1' }
-
--- To disable DNSSEC validation, uncomment the following line (not recommended)
--- trust_anchors.keyfile_default = nil
-
--- Cache size
-cache.size = 100 * MB
diff --git a/etc/config.personal b/etc/config.personal
deleted file mode 100644
index 74bdd0eeb..000000000
--- a/etc/config.personal
+++ /dev/null
@@ -1,23 +0,0 @@
--- Config file example useable for personal resolver.
--- The goal is to have a validating resolver with tiny memory footprint,
--- while actively tracking and refreshing frequent records to lower user latency.
--- Refer to manual: https://knot-resolver.readthedocs.io/en/latest/daemon.html#configuration
-
--- Listen on localhost (default)
--- net = { '127.0.0.1', '::1' }
-
--- Drop root privileges
-user('knot-resolver', 'knot-resolver')
-
--- Auto-maintain root TA
-trust_anchors.file = 'root.keys'
-
--- Load Useful modules
-modules = {
- 'hints > iterate', -- Load /etc/hosts and allow custom root hints
- 'stats', -- Track internal statistics
- 'predict', -- Prefetch expiring/frequent records
-}
-
--- Smaller cache size
-cache.size = 10 * MB
diff --git a/etc/config.cluster b/etc/config/config.cluster.in
similarity index 71%
rename from etc/config.cluster
rename to etc/config/config.cluster.in
index 864758736..467285bf9 100644
--- a/etc/config.cluster
+++ b/etc/config/config.cluster.in
@@ -1,18 +1,11 @@
+-- vim:syntax=lua:set ts=4 sw=4:
 -- Config file example useable for larger resolver farms
 -- In this case cache should be made as large as possible, and prefetching turned off
 -- as the resolver is busy most of the time.
 -- Alternative is using `etcd` as a configuration backend.
--- Refer to manual: https://knot-resolver.readthedocs.io/en/latest/daemon.html#configuration
-
--- Listen on localhost and external interface
-net = { '127.0.0.1', '::1', '192.168.1.1' }
-
--- Drop root privileges
-user('knot-resolver', 'knot-resolver')
-
--- Auto-maintain root TA
-trust_anchors.file = 'root.keys'
-
+-- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/daemon.html#configuration
+@config_defaults@
+@config_managed_ta@
 -- Large cache size, so we don't need to flush ever
 -- This can be larger than available RAM, least frequently accessed
 -- records will be paged out as long as there's enough disk space to back it
@@ -32,9 +25,8 @@ modules = {
 -- Use local root server copy for performance reasons
 hints.root({
- ['j.root-servers.net.'] = { '192.168.1.4', '2001:503:c27::2:30', '192.58.128.30' }
+ ['j.root-servers.net.'] = { '192.168.1.4', '2001:503:c27::2:30', '192.58.128.30' }
 })
 -- Apply RPZ for all clients, default rule is DENY
 policy.add(policy.rpz(policy.DENY, 'blacklist.rpz'))
-
diff --git a/etc/config.docker b/etc/config/config.docker.in
similarity index 83%
rename from etc/config.docker
rename to etc/config/config.docker.in
index d239dba80..a7aa6edfe 100644
--- a/etc/config.docker
+++ b/etc/config/config.docker.in
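Review bot: The `@config_defaults@` placeholder that stands in for the removed `user('knot-resolver', 'knot-resolver')` line expands, in the `if true` branch of the new etc/config/meson.build, to the single comment `-- Network interface configuration: see kresd.systemd(7)`, so the generated example no longer drops root privileges itself. If the intent is that the systemd unit runs kresd as an unprivileged user, the snippet should say so instead of mentioning interfaces only, e.g. `-- Network interfaces and the service user are configured by the systemd unit: see kresd.systemd(7)`; if that is not the intent, the `user()` call belongs in both branches of the snippet. The same applies to the identical hunks in config.isp.in and config.splitview.in and to the new config.personal.in, which carries the placeholder as well.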
@@ -1,11 +1,10 @@
--- Refer to manual: https://knot-resolver.readthedocs.io/en/latest/daemon.html#configuration
+-- vim:syntax=lua:set ts=4 sw=4:
+-- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/daemon.html#configuration
 -- Listen on all interfaces (localhost would not work in Docker)
 net.listen('0.0.0.0')
 net.listen('0.0.0.0', 853, {tls=true})
-
--- Auto-maintain root TA
-trust_anchors.file = '/etc/knot-resolver/root.keys'
+@config_managed_ta@
 -- Load Useful modules
 modules = {
diff --git a/etc/config.isp b/etc/config/config.isp.in
similarity index 75%
rename from etc/config.isp
rename to etc/config/config.isp.in
index 27dc76e3e..8ed834e87 100644
--- a/etc/config.isp
+++ b/etc/config/config.isp.in
@@ -1,15 +1,8 @@
+-- vim:syntax=lua:set ts=4 sw=4:
 -- Config file example useable for multi-user ISP resolver
--- Refer to manual: https://knot-resolver.readthedocs.io/en/latest/daemon.html#configuration
-
--- Listen on localhost and external interface
-net = { '127.0.0.1', '::1', '192.168.1.1' }
-
--- Drop root privileges
-user('knot-resolver', 'knot-resolver')
-
--- Auto-maintain root TA
-trust_anchors.file = 'root.keys'
-
+-- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/daemon.html#configuration
+@config_defaults@
+@config_managed_ta@
 -- Large cache size, so we don't need to flush often
 -- This can be larger than available RAM, least frequently accessed
 -- records will be paged out
diff --git a/etc/config/config.personal.in b/etc/config/config.personal.in
new file mode 100644
index 000000000..31e77240f
--- /dev/null
+++ b/etc/config/config.personal.in
@@ -0,0 +1,13 @@
+-- vim:syntax=lua:set ts=4 sw=4:
+-- Refer to manual: http://knot-resolver.readthedocs.org/en/stable/daemon.html#configuration
+@config_defaults@
+@config_managed_ta@
+-- Load useful modules
+modules = {
+ 'hints > iterate', -- Load /etc/hosts and allow custom root hints
+ 'stats', -- Track internal statistics
+ 'predict', -- Prefetch expiring/frequent records
+}
+
+-- Cache size
+cache.size = 100 * MB
diff --git a/etc/config.splitview b/etc/config/config.splitview.in
similarity index 72%
rename from etc/config.splitview
rename to etc/config/config.splitview.in
index fbd014021..797002ac0 100644
--- a/etc/config.splitview
+++ b/etc/config/config.splitview.in
@@ -1,15 +1,8 @@
+-- vim:syntax=lua:set ts=4 sw=4:
 -- Config file with split-view for internal zone
--- Refer to manual: https://knot-resolver.readthedocs.io/en/latest/daemon.html#configuration
-
--- Listen on localhost and external interface
-net = { '127.0.0.1', '::1', '192.168.1.1' }
-
--- Drop root privileges
-user('knot-resolver', 'knot-resolver')
-
--- Auto-maintain root TA
-trust_anchors.file = 'root.keys'
-
+-- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/daemon.html#configuration
+@config_defaults@
+@config_managed_ta@
 -- Load Useful modules
 modules = {
 'hints > iterate', -- Load /etc/hosts and allow custom root hints
diff --git a/etc/config/meson.build b/etc/config/meson.build
new file mode 100644
index 000000000..aade9b160
--- /dev/null
+++ b/etc/config/meson.build
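Review bot: The manual link in the new config.personal.in, `-- Refer to manual: http://knot-resolver.readthedocs.org/en/stable/daemon.html#configuration`, is plain http on the .org host, while config.cluster.in, config.docker.in, config.isp.in and config.splitview.in in this same commit all point to `https://knot-resolver.readthedocs.io/en/stable/daemon.html#configuration`; it should use that https .io URL so the unified examples agree. The file also has no one-line purpose comment of the kind the other examples keep (`-- Config file example useable for ...`), which the deleted etc/config.personal did have; a header such as `-- Config file example useable for a personal resolver` would keep the set consistent.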
@@ -0,0 +1,40 @@
+# etc: config examples
+
+# Config snippets (build-dependant)
+if true # TODO systemd.nosocket, systemd=no
+ config_defaults = '''
+-- Network interface configuration: see kresd.systemd(7)'''
+else
+ config_defaults = '''
+-- Listen on localhost (default) and external interface
+-- net = { '127.0.0.1', '::1', '192.0.2.1' }
+
+-- Drop root privileges
+user('knot-resolver', 'knot-resolver')''' # TODO user, group
+endif
+
+if true # TODO managed_ta = false
+ config_managed_ta = '''
+-- Auto-manage DNSSEC trust anchors (RFC 5011)
+trust_anchors.file = '@0@/root.keys'
+'''.format(etc_dir)
+else
+ config_managed_ta = ''
+endif
+
+
+example_configs = [
+ 'config.cluster.in',
+ 'config.docker.in',
+ 'config.isp.in',
+ 'config.personal.in',
+ 'config.splitview.in',
+]
+
+# TODO kresd.conf
+
+# TODO configure, install
+#install_data(
+# sources: example_configs,
+# install_dir: join_paths(doc_dir, 'examples'),
+#)
diff --git a/etc/meson.build b/etc/meson.build
index 241e8bbdd..d921b874f 100644
--- a/etc/meson.build
+++ b/etc/meson.build
@@ -1,23 +1,13 @@
 # etc
-example_configs = [
- 'config.cluster',
- 'config.docker',
- 'config.isp',
- 'config.personal',
- 'config.splitview',
-]
-
 etc_files = [
 'icann-ca.pem',
 'root.hints',
 ]
-install_data(
- sources: example_configs,
- install_dir: join_paths(doc_dir, 'examples'),
-)
+subdir('config')
+
 install_data(
 sources: etc_files,
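Review bot: The `else` branch of the `config_managed_ta` block sets `config_managed_ta = ''`, so a build with managed trust anchors turned off produces example configs that say nothing at all about DNSSEC validation; the README hunk in this commit appears to make `trust_anchors.keyfile_default = nil` the explicit way to disable it, so that branch likely wants at least a comment line, e.g. `-- Trust anchors are not managed by this build; see the manual on trust_anchors.keyfile_default`. `'''.format(etc_dir)` relies on `etc_dir` being defined in the parent meson.build, which is outside this hunk and worth confirming. The comment `# Config snippets (build-dependant)` should read `# Config snippets (build-dependent)`.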