diff --git a/.gitignore b/.gitignore index fba277042..1c503cf14 100644 --- a/.gitignore +++ b/.gitignore @@ -50,7 +50,6 @@ /doc/html /doc/kresd.8 /doc/texinfo -/doc/_static/config.schema.json /doc/_static/schema_doc* /doc/config-schema-body.md /ephemeral_key.pem diff --git a/doc/_static/config.schema.json b/doc/_static/config.schema.json new file mode 100644 index 000000000..989aaf62e --- /dev/null +++ b/doc/_static/config.schema.json @@ -0,0 +1,1703 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://www.knot-resolver.cz/documentation/v6.0.8/_static/config.schema.json", + "title": "Knot Resolver configuration JSON schema", + "description": "Version Knot Resolver 6.0.8", + "type": "object", + "properties": { + "version": { + "type": "integer", + "description": "Version of the configuration schema. By default it is the latest supported by the resolver, but couple of versions back are be supported as well.", + "default": 1 + }, + "nsid": { + "type": [ + "string", + "null" + ], + "description": "Name Server Identifier (RFC 5001) which allows DNS clients to request resolver to send back its NSID along with the reply to a DNS request.", + "default": null + }, + "hostname": { + "type": [ + "string", + "null" + ], + "description": "Internal DNS resolver hostname. Default is machine hostname.", + "default": null + }, + "rundir": { + "type": "string", + "description": "Directory where the resolver can create files and which will be it's cwd.", + "default": "/var/run/knot-resolver" + }, + "workers": { + "anyOf": [ + { + "type": "string", + "enum": [ + "auto" + ] + }, + { + "type": "integer", + "minimum": 1 + } + ], + "description": "The number of running kresd (Knot Resolver daemon) workers. If set to 'auto', it is equal to number of CPUs available.", + "default": 1 + }, + "max-workers": { + "type": "integer", + "minimum": 1, + "description": "The maximum number of workers allowed. Cannot be changed in runtime.", + "default": 256 + }, + "management": { + "description": "Configuration of management HTTP API.", + "type": "object", + "properties": { + "unix-socket": { + "type": [ + "string", + "null" + ], + "description": "Path to unix domain socket to listen to.", + "default": null + }, + "interface": { + "type": [ + "string", + "null" + ], + "description": "IP address and port number to listen to.", + "default": null + } + }, + "default": { + "unix_socket": "/var/run/knot-resolver/kres-api.sock", + "interface": null + } + }, + "webmgmt": { + "description": "Configuration of legacy web management endpoint.", + "type": [ + "object", + "null" + ], + "properties": { + "unix-socket": { + "type": [ + "string", + "null" + ], + "description": "Path to unix domain socket to listen to.", + "default": null + }, + "interface": { + "type": [ + "string", + "null" + ], + "description": "IP address or interface name with port number to listen to.", + "default": null + }, + "tls": { + "type": "boolean", + "description": "Enable/disable TLS.", + "default": false + }, + "cert-file": { + "type": [ + "string", + "null" + ], + "description": "Path to certificate file.", + "default": null + }, + "key-file": { + "type": [ + "string", + "null" + ], + "description": "Path to certificate key.", + "default": null + } + }, + "default": null + }, + "options": { + "description": "Fine-tuning global parameters of DNS resolver operation.", + "type": "object", + "properties": { + "glue-checking": { + "type": "string", + "enum": [ + "normal", + "strict", + "permissive" + ], + "description": "Glue records scrictness checking level.", + "default": "normal" + }, + "minimize": { + "type": "boolean", + "description": "Send minimum amount of information in recursive queries to enhance privacy.", + "default": true + }, + "query-loopback": { + "type": "boolean", + "description": "Permits queries to loopback addresses.", + "default": false + }, + "reorder-rrset": { + "type": "boolean", + "description": "Controls whether resource records within a RRSet are reordered each time it is served from the cache.", + "default": true + }, + "query-case-randomization": { + "type": "boolean", + "description": "Randomize Query Character Case.", + "default": true + }, + "priming": { + "type": "boolean", + "description": "Initializing DNS resolver cache with Priming Queries (RFC 8109)", + "default": true + }, + "rebinding-protection": { + "type": "boolean", + "description": "Protection against DNS Rebinding attack.", + "default": false + }, + "refuse-no-rd": { + "type": "boolean", + "description": "Queries without RD (recursion desired) bit set in query are answered with REFUSED.", + "default": true + }, + "time-jump-detection": { + "type": "boolean", + "description": "Detection of difference between local system time and expiration time bounds in DNSSEC signatures for '. NS' records.", + "default": true + }, + "violators-workarounds": { + "type": "boolean", + "description": "Workarounds for known DNS protocol violators.", + "default": false + }, + "serve-stale": { + "type": "boolean", + "description": "Allows using timed-out records in case DNS resolver is unable to contact upstream servers.", + "default": false + } + }, + "default": { + "glue_checking": "normal", + "minimize": true, + "query_loopback": false, + "reorder_rrset": true, + "query_case_randomization": true, + "priming": true, + "rebinding_protection": false, + "refuse_no_rd": true, + "time_jump_detection": true, + "violators_workarounds": false, + "serve_stale": false + } + }, + "network": { + "description": "Network connections and protocols configuration.", + "type": "object", + "properties": { + "do-ipv4": { + "type": "boolean", + "description": "Enable/disable using IPv4 for contacting upstream nameservers.", + "default": true + }, + "do-ipv6": { + "type": "boolean", + "description": "Enable/disable using IPv6 for contacting upstream nameservers.", + "default": true + }, + "out-interface-v4": { + "type": [ + "string", + "null" + ], + "description": "IPv4 address used to perform queries. Not set by default, which lets the OS choose any address.", + "default": null + }, + "out-interface-v6": { + "type": [ + "string", + "null" + ], + "description": "IPv6 address used to perform queries. Not set by default, which lets the OS choose any address.", + "default": null + }, + "tcp-pipeline": { + "type": "integer", + "minimum": 0, + "maximum": 65535, + "description": "TCP pipeline limit. The number of outstanding queries that a single client connection can make in parallel.", + "default": 100 + }, + "edns-tcp-keepalive": { + "type": "boolean", + "description": "Allows clients to discover the connection timeout. (RFC 7828)", + "default": true + }, + "edns-buffer-size": { + "description": "Maximum EDNS payload size advertised in DNS packets. Different values can be configured for communication downstream (towards clients) and upstream (towards other DNS servers).", + "type": "object", + "properties": { + "upstream": { + "type": "string", + "pattern": "^(\\d+)(B|K|M|G)$", + "description": "Maximum EDNS upstream (towards other DNS servers) payload size.", + "default": "1232B" + }, + "downstream": { + "type": "string", + "pattern": "^(\\d+)(B|K|M|G)$", + "description": "Maximum EDNS downstream (towards clients) payload size for communication.", + "default": "1232B" + } + }, + "default": { + "upstream": "1232B", + "downstream": "1232B" + } + }, + "address-renumbering": { + "type": [ + "array", + "null" + ], + "items": { + "description": "Renumbers addresses in answers to different address space.", + "type": "object", + "properties": { + "source": { + "type": "string", + "description": "Source subnet." + }, + "destination": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ], + "description": "Destination address prefix." + } + } + }, + "description": "Renumbers addresses in answers to different address space.", + "default": null + }, + "tls": { + "description": "TLS configuration, also affects DNS over TLS and DNS over HTTPS.", + "type": "object", + "properties": { + "cert-file": { + "type": [ + "string", + "null" + ], + "description": "Path to certificate file.", + "default": null + }, + "key-file": { + "type": [ + "string", + "null" + ], + "description": "Path to certificate key file.", + "default": null + }, + "sticket-secret": { + "type": [ + "string", + "null" + ], + "minLength": 32, + "description": "Secret for TLS session resumption via tickets. (RFC 5077).", + "default": null + }, + "sticket-secret-file": { + "type": [ + "string", + "null" + ], + "description": "Path to file with secret for TLS session resumption via tickets. (RFC 5077).", + "default": null + }, + "auto-discovery": { + "type": "boolean", + "description": "Experimental automatic discovery of authoritative servers supporting DNS-over-TLS.", + "default": false + }, + "padding": { + "anyOf": [ + { + "type": "boolean" + }, + { + "type": "integer", + "minimum": 0, + "maximum": 512 + } + ], + "description": "EDNS(0) padding of queries and answers sent over an encrypted channel.", + "default": true + } + }, + "default": { + "cert_file": null, + "key_file": null, + "sticket_secret": null, + "sticket_secret_file": null, + "auto_discovery": false, + "padding": true + } + }, + "proxy-protocol": { + "anyOf": [ + { + "type": "string", + "enum": [ + false + ] + }, + { + "description": "PROXYv2 protocol configuration.", + "type": "object", + "properties": { + "allow": { + "type": "array", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "description": "Allow usage of the PROXYv2 protocol headers by clients on the specified addresses." + } + } + } + ], + "description": "PROXYv2 protocol configuration.", + "default": false + }, + "listen": { + "type": "array", + "items": { + "description": "Configuration of listening interface.", + "type": "object", + "properties": { + "interface": { + "anyOf": [ + { + "type": "null" + }, + { + "anyOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "type": "string" + } + ] + } + ], + "description": "IP address or interface name with optional port number to listen to.", + "default": null + }, + "unix-socket": { + "anyOf": [ + { + "type": "null" + }, + { + "anyOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "type": "string" + } + ] + } + ], + "description": "Path to unix domain socket to listen to.", + "default": null + }, + "port": { + "type": [ + "integer", + "null" + ], + "minimum": 1, + "maximum": 65535, + "description": "Port number to listen to.", + "default": null + }, + "kind": { + "type": "string", + "enum": [ + "dns", + "xdp", + "dot", + "doh-legacy", + "doh2" + ], + "description": "Specifies DNS query transport protocol.", + "default": "dns" + }, + "freebind": { + "type": "boolean", + "description": "Used for binding to non-local address.", + "default": false + } + } + }, + "description": "List of interfaces to listen to and its configuration.", + "default": [ + { + "interface": [ + "127.0.0.1" + ], + "unix_socket": null, + "port": 53, + "kind": "dns", + "freebind": false + }, + { + "interface": [ + "::1" + ], + "unix_socket": null, + "port": 53, + "kind": "dns", + "freebind": true + } + ] + } + }, + "default": { + "do_ipv4": true, + "do_ipv6": true, + "out_interface_v4": null, + "out_interface_v6": null, + "tcp_pipeline": 100, + "edns_tcp_keepalive": true, + "edns_buffer_size": { + "upstream": "1232B", + "downstream": "1232B" + }, + "address_renumbering": null, + "tls": { + "cert_file": null, + "key_file": null, + "sticket_secret": null, + "sticket_secret_file": null, + "auto_discovery": false, + "padding": true + }, + "proxy_protocol": false, + "listen": [ + { + "interface": [ + "127.0.0.1" + ], + "unix_socket": null, + "port": 53, + "kind": "dns", + "freebind": false + }, + { + "interface": [ + "::1" + ], + "unix_socket": null, + "port": 53, + "kind": "dns", + "freebind": true + } + ] + } + }, + "views": { + "type": [ + "array", + "null" + ], + "items": { + "description": "Configuration parameters that allow you to create personalized policy rules and other.", + "type": "object", + "properties": { + "subnets": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Identifies the client based on his subnet. Rule with more precise subnet takes priority." + }, + "dst-subnet": { + "type": [ + "string", + "null" + ], + "description": "Destination subnet, as an additional condition.", + "default": null + }, + "protocols": { + "type": [ + "array", + "null" + ], + "items": { + "type": "string", + "enum": [ + "udp53", + "tcp53", + "dot", + "doh", + "doq" + ] + }, + "description": "Transport protocol, as an additional condition.", + "default": null + }, + "tags": { + "type": [ + "array", + "null" + ], + "items": { + "type": "string", + "pattern": "^(?!-)[a-z0-9-]*[a-z0-9]+$" + }, + "description": "Tags to link with other policy rules.", + "default": null + }, + "answer": { + "type": [ + "string", + "null" + ], + "enum": [ + "allow", + "refused", + "noanswer" + ], + "description": "Direct approach how to handle request from clients identified by the view.", + "default": null + }, + "options": { + "description": "Configuration options for clients identified by the view.", + "type": "object", + "properties": { + "minimize": { + "type": "boolean", + "description": "Send minimum amount of information in recursive queries to enhance privacy.", + "default": true + }, + "dns64": { + "type": "boolean", + "description": "Enable/disable DNS64.", + "default": true + } + }, + "default": { + "minimize": true, + "dns64": true + } + } + } + }, + "description": "List of views and its configuration.", + "default": null + }, + "local-data": { + "description": "Local data for forward records (A/AAAA) and reverse records (PTR).", + "type": "object", + "properties": { + "ttl": { + "type": [ + "string", + "null" + ], + "pattern": "^(\\d+)(us|ms|s|m|h|d)$", + "description": "Default TTL value used for added local data/records.", + "default": null + }, + "nodata": { + "type": "boolean", + "description": "Use NODATA synthesis. NODATA will be synthesised for matching name, but mismatching type(e.g. AAAA query when only A exists).", + "default": true + }, + "root-fallback-addresses": { + "type": [ + "object", + "null" + ], + "additionalProperties": { + "anyOf": [ + { + "type": "array", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + } + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "description": "Direct replace of root hints.", + "default": null + }, + "root-fallback-addresses-files": { + "type": [ + "array", + "null" + ], + "items": { + "type": "string" + }, + "description": "Direct replace of root hints from a zonefile.", + "default": null + }, + "addresses": { + "type": [ + "object", + "null" + ], + "additionalProperties": { + "anyOf": [ + { + "type": "array", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + } + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "description": "Direct addition of hostname and IP addresses pairs.", + "default": null + }, + "addresses-files": { + "type": [ + "array", + "null" + ], + "items": { + "type": "string" + }, + "description": "Direct addition of hostname and IP addresses pairs from files in '/etc/hosts' like format.", + "default": null + }, + "records": { + "type": [ + "string", + "null" + ], + "description": "Direct addition of records in DNS zone file format.", + "default": null + }, + "rules": { + "type": [ + "array", + "null" + ], + "items": { + "description": "Local data advanced rule configuration.", + "type": "object", + "properties": { + "name": { + "anyOf": [ + { + "type": "null" + }, + { + "anyOf": [ + { + "type": "array", + "items": { + "type": "string", + "pattern": "(?=^.{,253}\\.?$)(^(?!\\.)((?!-)\\.?[a-zA-Z0-9-]{,62}[a-zA-Z0-9])+\\.?$)|^\\.$" + } + }, + { + "type": "string", + "pattern": "(?=^.{,253}\\.?$)(^(?!\\.)((?!-)\\.?[a-zA-Z0-9-]{,62}[a-zA-Z0-9])+\\.?$)|^\\.$" + } + ] + } + ], + "description": "Hostname(s).", + "default": null + }, + "subtree": { + "type": [ + "string", + "null" + ], + "enum": [ + "empty", + "nxdomain", + "redirect" + ], + "description": "Type of subtree.", + "default": null + }, + "address": { + "anyOf": [ + { + "type": "null" + }, + { + "anyOf": [ + { + "type": "array", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + } + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + } + ], + "description": "Address(es) to pair with hostname(s).", + "default": null + }, + "file": { + "anyOf": [ + { + "type": "null" + }, + { + "anyOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "type": "string" + } + ] + } + ], + "description": "Path to file(s) with hostname and IP address(es) pairs in '/etc/hosts' like format.", + "default": null + }, + "records": { + "type": [ + "string", + "null" + ], + "description": "Direct addition of records in DNS zone file format.", + "default": null + }, + "tags": { + "type": [ + "array", + "null" + ], + "items": { + "type": "string", + "pattern": "^(?!-)[a-z0-9-]*[a-z0-9]+$" + }, + "description": "Tags to link with other policy rules.", + "default": null + }, + "ttl": { + "type": [ + "string", + "null" + ], + "pattern": "^(\\d+)(us|ms|s|m|h|d)$", + "description": "Optional, TTL value used for these answers.", + "default": null + }, + "nodata": { + "type": [ + "boolean", + "null" + ], + "description": "Optional, use NODATA synthesis. NODATA will be synthesised for matching name, but mismatching type(e.g. AAAA query when only A exists).", + "default": null + } + } + }, + "description": "Local data rules.", + "default": null + }, + "rpz": { + "type": [ + "array", + "null" + ], + "items": { + "description": "Configuration or Response Policy Zone (RPZ).", + "type": "object", + "properties": { + "file": { + "type": "string", + "description": "Path to the RPZ zone file." + }, + "tags": { + "type": [ + "array", + "null" + ], + "items": { + "type": "string", + "pattern": "^(?!-)[a-z0-9-]*[a-z0-9]+$" + }, + "description": "Tags to link with other policy rules.", + "default": null + } + } + }, + "description": "List of Response Policy Zones and its configuration.", + "default": null + } + }, + "default": { + "ttl": null, + "nodata": true, + "root_fallback_addresses": null, + "root_fallback_addresses_files": null, + "addresses": null, + "addresses_files": null, + "records": null, + "rules": null, + "rpz": null + } + }, + "forward": { + "type": [ + "array", + "null" + ], + "items": { + "description": "Configuration of forward subtree.", + "type": "object", + "properties": { + "subtree": { + "anyOf": [ + { + "type": "array", + "items": { + "type": "string", + "pattern": "(?=^.{,253}\\.?$)(^(?!\\.)((?!-)\\.?[a-zA-Z0-9-]{,62}[a-zA-Z0-9])+\\.?$)|^\\.$" + } + }, + { + "type": "string", + "pattern": "(?=^.{,253}\\.?$)(^(?!\\.)((?!-)\\.?[a-zA-Z0-9-]{,62}[a-zA-Z0-9])+\\.?$)|^\\.$" + } + ], + "description": "Subtree(s) to forward." + }, + "servers": { + "anyOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "type": "array", + "items": { + "description": "Forward server configuration.", + "type": "object", + "properties": { + "address": { + "anyOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "type": "string" + } + ], + "description": "IP address(es) of a forward server." + }, + "transport": { + "type": [ + "string", + "null" + ], + "enum": [ + "tls" + ], + "description": "Transport protocol for a forward server.", + "default": null + }, + "pin-sha256": { + "anyOf": [ + { + "type": "null" + }, + { + "anyOf": [ + { + "type": "array", + "items": { + "type": "string", + "pattern": "^[A-Za-z\\d+/]{43}=$" + } + }, + { + "type": "string", + "pattern": "^[A-Za-z\\d+/]{43}=$" + } + ] + } + ], + "description": "Hash of accepted CA certificate.", + "default": null + }, + "hostname": { + "type": [ + "string", + "null" + ], + "pattern": "(?=^.{,253}\\.?$)(^(?!\\.)((?!-)\\.?[a-zA-Z0-9-]{,62}[a-zA-Z0-9])+\\.?$)|^\\.$", + "description": "Hostname of the Forward server.", + "default": null + }, + "ca-file": { + "type": [ + "string", + "null" + ], + "description": "Path to CA certificate file.", + "default": null + } + } + } + } + ], + "description": "Forward servers configuration." + }, + "options": { + "description": "Subtree(s) forward options.", + "type": "object", + "properties": { + "authoritative": { + "type": "boolean", + "description": "The forwarding target is an authoritative server.", + "default": false + }, + "dnssec": { + "type": "boolean", + "description": "Enable/disable DNSSEC.", + "default": true + } + }, + "default": { + "authoritative": false, + "dnssec": true + } + } + } + }, + "description": "List of Forward Zones and its configuration.", + "default": null + }, + "cache": { + "description": "DNS resolver cache configuration.", + "type": "object", + "properties": { + "storage": { + "type": "string", + "description": "Cache storage of the DNS resolver.", + "default": "/var/cache/knot-resolver" + }, + "size-max": { + "type": "string", + "pattern": "^(\\d+)(B|K|M|G)$", + "description": "Maximum size of the cache.", + "default": "100M" + }, + "garbage-collector": { + "anyOf": [ + { + "description": "Configuration options of the cache garbage collector (kres-cache-gc).", + "type": "object", + "properties": { + "interval": { + "type": "string", + "pattern": "^(\\d+)(us|ms|s|m|h|d)$", + "description": "Time interval how often the garbage collector will be run.", + "default": "1s" + }, + "threshold": { + "type": "integer", + "minimum": 0, + "maximum": 100, + "description": "Cache usage in percent that triggers the garbage collector.", + "default": 80 + }, + "release": { + "type": "integer", + "minimum": 0, + "maximum": 100, + "description": "Percent of used cache to be freed by the garbage collector.", + "default": 10 + }, + "temp-keys-space": { + "type": "string", + "pattern": "^(\\d+)(B|K|M|G)$", + "description": "Maximum amount of temporary memory for copied keys (0 = unlimited).", + "default": "0M" + }, + "rw-deletes": { + "type": "integer", + "minimum": 0, + "description": "Maximum number of deleted records per read-write transaction (0 = unlimited).", + "default": 100 + }, + "rw-reads": { + "type": "integer", + "minimum": 0, + "description": "Maximum number of readed records per read-write transaction (0 = unlimited).", + "default": 200 + }, + "rw-duration": { + "type": "string", + "pattern": "^(\\d+)(us|ms|s|m|h|d)$", + "description": "Maximum duration of read-write transaction (0 = unlimited).", + "default": "0us" + }, + "rw-delay": { + "type": "string", + "pattern": "^(\\d+)(us|ms|s|m|h|d)$", + "description": "Wait time between two read-write transactions.", + "default": "0us" + }, + "dry-run": { + "type": "boolean", + "description": "Run the garbage collector in dry-run mode.", + "default": false + } + } + }, + { + "type": "string", + "enum": [ + false + ] + } + ], + "description": "Use the garbage collector (kres-cache-gc) to periodically clear cache.", + "default": { + "interval": "1s", + "threshold": 80, + "release": 10, + "temp_keys_space": "0M", + "rw_deletes": 100, + "rw_reads": 200, + "rw_duration": "0us", + "rw_delay": "0us", + "dry_run": false + } + }, + "ttl-min": { + "type": "string", + "pattern": "^(\\d+)(us|ms|s|m|h|d)$", + "description": "Minimum time-to-live for the cache entries.", + "default": "5s" + }, + "ttl-max": { + "type": "string", + "pattern": "^(\\d+)(us|ms|s|m|h|d)$", + "description": "Maximum time-to-live for the cache entries.", + "default": "1d" + }, + "ns-timeout": { + "type": "string", + "pattern": "^(\\d+)(us|ms|s|m|h|d)$", + "description": "Time interval for which a nameserver address will be ignored after determining that it does not return (useful) answers.", + "default": "1000ms" + }, + "prefill": { + "type": [ + "array", + "null" + ], + "items": { + "description": "Prefill the cache periodically by importing zone data obtained over HTTP.", + "type": "object", + "properties": { + "origin": { + "type": "string", + "pattern": "(?=^.{,253}\\.?$)(^(?!\\.)((?!-)\\.?[a-zA-Z0-9-]{,62}[a-zA-Z0-9])+\\.?$)|^\\.$", + "description": "Origin for the imported data. Cache prefilling is only supported for the root zone ('.')." + }, + "url": { + "type": "string", + "description": "URL of the zone data to be imported." + }, + "refresh-interval": { + "type": "string", + "pattern": "^(\\d+)(us|ms|s|m|h|d)$", + "description": "Time interval between consecutive refreshes of the imported zone data.", + "default": "1d" + }, + "ca-file": { + "type": [ + "string", + "null" + ], + "description": "Path to the file containing a CA certificate bundle that is used to authenticate the HTTPS connection.", + "default": null + } + } + }, + "description": "Prefill the cache periodically by importing zone data obtained over HTTP.", + "default": null + }, + "prefetch": { + "description": "These options help keep the cache hot by prefetching expiring records or learning usage patterns and repetitive queries.", + "type": "object", + "properties": { + "expiring": { + "type": "boolean", + "description": "Prefetch expiring records.", + "default": false + }, + "prediction": { + "description": "Prefetch record by predicting based on usage patterns and repetitive queries.", + "type": [ + "object", + "null" + ], + "properties": { + "window": { + "type": "string", + "pattern": "^(\\d+)(us|ms|s|m|h|d)$", + "description": "Sampling window length.", + "default": "15m" + }, + "period": { + "type": "integer", + "minimum": 1, + "description": "Number of windows that can be kept in memory.", + "default": 24 + } + }, + "default": null + } + }, + "default": { + "expiring": false, + "prediction": null + } + } + }, + "default": { + "storage": "/var/cache/knot-resolver", + "size_max": "100M", + "garbage_collector": { + "interval": "1s", + "threshold": 80, + "release": 10, + "temp_keys_space": "0M", + "rw_deletes": 100, + "rw_reads": 200, + "rw_duration": "0us", + "rw_delay": "0us", + "dry_run": false + }, + "ttl_min": "5s", + "ttl_max": "1d", + "ns_timeout": "1000ms", + "prefill": null, + "prefetch": { + "expiring": false, + "prediction": null + } + } + }, + "dnssec": { + "anyOf": [ + { + "type": "boolean" + }, + { + "description": "DNSSEC configuration.", + "type": "object", + "properties": { + "trust-anchor-sentinel": { + "type": "boolean", + "description": "Allows users of DNSSEC validating resolver to detect which root keys are configured in resolver's chain of trust. (RFC 8509)", + "default": true + }, + "trust-anchor-signal-query": { + "type": "boolean", + "description": "Signaling Trust Anchor Knowledge in DNSSEC Using Key Tag Query, according to (RFC 8145#section-5).", + "default": true + }, + "time-skew-detection": { + "type": "boolean", + "description": "Detection of difference between local system time and expiration time bounds in DNSSEC signatures for '. NS' records.", + "default": true + }, + "keep-removed": { + "type": "integer", + "minimum": 0, + "description": "How many removed keys should be held in history (and key file) before being purged.", + "default": 0 + }, + "refresh-time": { + "type": [ + "string", + "null" + ], + "pattern": "^(\\d+)(us|ms|s|m|h|d)$", + "description": "Force trust-anchors to be updated every defined time periodically instead of relying on (RFC 5011) logic and TTLs. Intended only for testing purposes.", + "default": null + }, + "hold-down-time": { + "type": "string", + "pattern": "^(\\d+)(us|ms|s|m|h|d)$", + "description": "Modify hold-down timer (RFC 5011). Intended only for testing purposes.", + "default": "30d" + }, + "trust-anchors": { + "type": [ + "array", + "null" + ], + "items": { + "type": "string" + }, + "description": "List of trust-anchors in DS/DNSKEY records format.", + "default": null + }, + "negative-trust-anchors": { + "type": [ + "array", + "null" + ], + "items": { + "type": "string", + "pattern": "(?=^.{,253}\\.?$)(^(?!\\.)((?!-)\\.?[a-zA-Z0-9-]{,62}[a-zA-Z0-9])+\\.?$)|^\\.$" + }, + "description": "List of domain names representing negative trust-anchors. (RFC 7646)", + "default": null + }, + "trust-anchors-files": { + "type": [ + "array", + "null" + ], + "items": { + "description": "Trust-anchor zonefile configuration.", + "type": "object", + "properties": { + "file": { + "type": "string", + "description": "Path to the zonefile that stores trust-anchors." + }, + "read-only": { + "type": "boolean", + "description": "Blocks zonefile updates according to RFC 5011.", + "default": false + } + } + }, + "description": "List of zonefiles where trust-anchors are stored.", + "default": null + } + } + } + ], + "description": "Disable DNSSEC, enable with defaults or set new configuration.", + "default": true + }, + "dns64": { + "anyOf": [ + { + "type": "boolean" + }, + { + "description": "DNS64 (RFC 6147) configuration.", + "type": "object", + "properties": { + "prefix": { + "type": "string", + "description": "IPv6 prefix to be used for synthesizing AAAA records.", + "default": "64:ff9b::/96" + }, + "rev-ttl": { + "type": [ + "string", + "null" + ], + "pattern": "^(\\d+)(us|ms|s|m|h|d)$", + "description": "TTL in CNAME generated in the reverse 'ip6.arpa.' subtree.", + "default": null + }, + "exclude-subnets": { + "type": [ + "array", + "null" + ], + "items": { + "type": "string" + }, + "description": "IPv6 subnets that are disallowed in answer.", + "default": null + } + } + } + ], + "description": "Disable DNS64 (RFC 6147), enable with defaults or set new configuration.", + "default": false + }, + "logging": { + "description": "Logging and debugging configuration.", + "type": "object", + "properties": { + "level": { + "type": "string", + "enum": [ + "crit", + "err", + "warning", + "notice", + "info", + "debug" + ], + "description": "Global logging level.", + "default": "notice" + }, + "target": { + "anyOf": [ + { + "type": "string", + "enum": [ + "syslog", + "stderr", + "stdout" + ] + }, + { + "type": "string", + "enum": [ + "from-env" + ] + } + ], + "description": "Global logging stream target. \"from-env\" uses $KRES_LOGGING_TARGET and defaults to \"stdout\".", + "default": "from-env" + }, + "groups": { + "type": [ + "array", + "null" + ], + "items": { + "type": "string", + "enum": [ + "manager", + "supervisord", + "cache-gc", + "system", + "cache", + "io", + "net", + "ta", + "tasent", + "tasign", + "taupd", + "tls", + "gnutls", + "tls_cl", + "xdp", + "doh", + "dnssec", + "hint", + "plan", + "iterat", + "valdtr", + "resolv", + "select", + "zoncut", + "cookie", + "statis", + "rebind", + "worker", + "policy", + "daf", + "timejm", + "timesk", + "graphi", + "prefil", + "primin", + "srvstl", + "wtchdg", + "nsid", + "dnstap", + "tests", + "dotaut", + "http", + "contrl", + "module", + "devel", + "renum", + "exterr", + "rules", + "prlayr" + ] + }, + "description": "List of groups for which 'debug' logging level is set.", + "default": null + }, + "dnssec-bogus": { + "type": "boolean", + "description": "Logging a message for each DNSSEC validation failure.", + "default": false + }, + "dnstap": { + "anyOf": [ + { + "type": "string", + "enum": [ + false + ] + }, + { + "description": "Logging DNS queries and responses to a unix socket.", + "type": "object", + "properties": { + "unix-socket": { + "type": "string", + "description": "Path to unix domain socket where dnstap messages will be sent." + }, + "log-queries": { + "type": "boolean", + "description": "Log queries from downstream in wire format.", + "default": true + }, + "log-responses": { + "type": "boolean", + "description": "Log responses to downstream in wire format.", + "default": true + }, + "log-tcp-rtt": { + "type": "boolean", + "description": "Log TCP RTT (Round-trip time).", + "default": true + } + } + } + ], + "description": "Logging DNS requests and responses to a unix socket.", + "default": false + }, + "debugging": { + "description": "Advanced debugging parameters for kresd (Knot Resolver daemon).", + "type": "object", + "properties": { + "assertion-abort": { + "type": "boolean", + "description": "Allow the process to be aborted in case it encounters a failed assertion.", + "default": false + }, + "assertion-fork": { + "type": "string", + "pattern": "^(\\d+)(us|ms|s|m|h|d)$", + "description": "Fork and abord child kresd process to obtain a coredump, while the parent process recovers and keeps running.", + "default": "5m" + } + }, + "default": { + "assertion_abort": false, + "assertion_fork": "5m" + } + } + }, + "default": { + "level": "notice", + "target": "stdout", + "groups": null, + "dnssec_bogus": false, + "dnstap": false, + "debugging": { + "assertion_abort": false, + "assertion_fork": "5m" + } + } + }, + "monitoring": { + "description": "Metrics exposisition configuration (Prometheus, Graphite)", + "type": "object", + "properties": { + "enabled": { + "type": "string", + "enum": [ + "manager-only", + "lazy", + "always" + ], + "description": "configures, whether statistics module will be loaded into resolver", + "default": "lazy" + }, + "graphite": { + "anyOf": [ + { + "type": "string", + "enum": [ + false + ] + }, + { + "type": "object", + "properties": { + "host": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string", + "pattern": "(?=^.{,253}\\.?$)(^(?!\\.)((?!-)\\.?[a-zA-Z0-9-]{,62}[a-zA-Z0-9])+\\.?$)|^\\.$" + } + ] + }, + "port": { + "type": "integer", + "minimum": 1, + "maximum": 65535, + "default": 2003 + }, + "prefix": { + "type": "string", + "default": "" + }, + "interval": { + "type": "string", + "pattern": "^(\\d+)(us|ms|s|m|h|d)$", + "default": "5s" + }, + "tcp": { + "type": "boolean", + "default": false + } + } + } + ], + "description": "optionally configures where should graphite metrics be sent to", + "default": false + } + }, + "default": { + "enabled": "lazy", + "graphite": false + } + }, + "lua": { + "description": "Custom Lua configuration.", + "type": "object", + "properties": { + "script-only": { + "type": "boolean", + "description": "Ignore declarative configuration and use only Lua script or file defined in this section.", + "default": false + }, + "script": { + "type": [ + "string", + "null" + ], + "description": "Custom Lua configuration script.", + "default": null + }, + "script-file": { + "type": [ + "string", + "null" + ], + "description": "Path to file that contains Lua configuration script.", + "default": null + } + }, + "default": { + "script_only": false, + "script": null, + "script_file": null + } + } + } +} diff --git a/python/knot_resolver/client/commands/schema.py b/python/knot_resolver/client/commands/schema.py index f55384247..0c63f398e 100644 --- a/python/knot_resolver/client/commands/schema.py +++ b/python/knot_resolver/client/commands/schema.py @@ -4,7 +4,7 @@ from typing import List, Optional, Tuple, Type from knot_resolver.client.command import Command, CommandArgs, CompWords, register_command -from knot_resolver.datamodel.config_schema import KresConfig +from knot_resolver.datamodel import kres_config_json_schema from knot_resolver.utils.requests import request @@ -46,7 +46,7 @@ def run(self, args: CommandArgs) -> None: sys.exit(1) schema = response.body else: - schema = json.dumps(KresConfig.json_schema(), indent=4) + schema = json.dumps(kres_config_json_schema(), indent=4) if self.file: with open(self.file, "w") as f: diff --git a/python/knot_resolver/datamodel/__init__.py b/python/knot_resolver/datamodel/__init__.py index a0174acc5..81fd1ee99 100644 --- a/python/knot_resolver/datamodel/__init__.py +++ b/python/knot_resolver/datamodel/__init__.py @@ -1,3 +1,3 @@ -from .config_schema import KresConfig +from .config_schema import KresConfig, kres_config_json_schema -__all__ = ["KresConfig"] +__all__ = ["KresConfig", "kres_config_json_schema"] diff --git a/python/knot_resolver/datamodel/config_schema.py b/python/knot_resolver/datamodel/config_schema.py index fa108e79c..fe18516b6 100644 --- a/python/knot_resolver/datamodel/config_schema.py +++ b/python/knot_resolver/datamodel/config_schema.py @@ -3,11 +3,12 @@ import socket from typing import Any, Dict, List, Literal, Optional, Tuple, Union -from knot_resolver.constants import API_SOCK_PATH_DEFAULT, RUN_DIR_DEFAULT, WORKERS_MAX_DEFAULT +from knot_resolver.constants import API_SOCK_PATH_DEFAULT, RUN_DIR_DEFAULT, VERSION, WORKERS_MAX_DEFAULT from knot_resolver.datamodel.cache_schema import CacheSchema from knot_resolver.datamodel.dns64_schema import Dns64Schema from knot_resolver.datamodel.dnssec_schema import DnssecSchema from knot_resolver.datamodel.forward_schema import ForwardSchema +from knot_resolver.datamodel.globals import Context, get_global_validation_context, set_global_validation_context from knot_resolver.datamodel.local_data_schema import LocalDataSchema, RPZSchema, RuleSchema from knot_resolver.datamodel.logging_schema import LoggingSchema from knot_resolver.datamodel.lua_schema import LuaSchema @@ -37,7 +38,7 @@ def _cpu_count() -> Optional[int]: return cpus -def _default_max_worker_count() -> int: +def _workers_max_count() -> int: c = _cpu_count() if c: return c * 10 @@ -110,7 +111,7 @@ class Raw(ConfigSchema): hostname: Optional[EscapedStr] = None rundir: WritableDir = lazy_default(WritableDir, str(RUN_DIR_DEFAULT)) workers: Union[Literal["auto"], IntPositive] = IntPositive(1) - max_workers: IntPositive = IntPositive(_default_max_worker_count()) + max_workers: IntPositive = IntPositive(WORKERS_MAX_DEFAULT) management: ManagementSchema = lazy_default(ManagementSchema, {"unix-socket": str(API_SOCK_PATH_DEFAULT)}) webmgmt: Optional[WebmgmtSchema] = None options: OptionsSchema = OptionsSchema() @@ -174,8 +175,11 @@ def _dns64(self, obj: Raw) -> Any: def _validate(self) -> None: # enforce max-workers config - if int(self.workers) > int(self.max_workers): - raise ValueError(f"can't run with more workers then the configured maximum {self.max_workers}") + workers_max = _workers_max_count() + if int(self.workers) > workers_max: + raise ValueError( + f"can't run with more workers then the recommended maximum {workers_max} or hardcoded {WORKERS_MAX_DEFAULT}" + ) # sanity check cpu_count = _cpu_count() @@ -234,3 +238,25 @@ def get_rundir_without_validation(data: Dict[str, Any]) -> WritableDir: """ return WritableDir(data["rundir"] if "rundir" in data else RUN_DIR_DEFAULT, object_path="/rundir") + + +def kres_config_json_schema() -> Dict[str, Any]: + """ + At this moment, to create any instance of 'ConfigSchema' even with default values, it is necessary to set the global context. + In the case of generating a JSON schema, strict validation must be turned off, otherwise it may happen that the creation of the JSON schema fails, + It may fail due to non-existence of the directory/file or their rights. + This should be fixed in the future. For more info, see 'datamodel.globals.py' module. + """ + + context = get_global_validation_context() + set_global_validation_context(Context(None, False)) + + schema = KresConfig.json_schema( + schema_id=f"https://www.knot-resolver.cz/documentation/v{VERSION}/_static/config.schema.json", + title="Knot Resolver configuration JSON schema", + description=f"Version Knot Resolver {VERSION}", + ) + # setting back to previous values + set_global_validation_context(context) + + return schema diff --git a/python/knot_resolver/datamodel/globals.py b/python/knot_resolver/datamodel/globals.py index 610323fa0..88f95c2a4 100644 --- a/python/knot_resolver/datamodel/globals.py +++ b/python/knot_resolver/datamodel/globals.py @@ -38,6 +38,10 @@ def set_global_validation_context(context: Context) -> None: _global_context = context +def get_global_validation_context() -> Context: + return _global_context + + def reset_global_validation_context() -> None: global _global_context _global_context = Context(None) diff --git a/python/knot_resolver/manager/server.py b/python/knot_resolver/manager/server.py index d9f7f9eea..ea2b419c0 100644 --- a/python/knot_resolver/manager/server.py +++ b/python/knot_resolver/manager/server.py @@ -21,6 +21,7 @@ from knot_resolver.controller import get_best_controller_implementation from knot_resolver.controller.exceptions import SubprocessControllerExecException from knot_resolver.controller.registered_workers import command_single_registered_worker +from knot_resolver.datamodel import kres_config_json_schema from knot_resolver.datamodel.cache_schema import CacheClearRPCSchema from knot_resolver.datamodel.config_schema import KresConfig, get_rundir_without_validation from knot_resolver.datamodel.globals import Context, set_global_validation_context @@ -282,7 +283,7 @@ async def _handler_cache_clear(self, request: web.Request) -> web.Response: async def _handler_schema(self, _request: web.Request) -> web.Response: return web.json_response( - KresConfig.json_schema(), headers={"Access-Control-Allow-Origin": "*"}, dumps=partial(json.dumps, indent=4) + kres_config_json_schema(), headers={"Access-Control-Allow-Origin": "*"}, dumps=partial(json.dumps, indent=4) ) async def _handle_view_schema(self, _request: web.Request) -> web.Response: diff --git a/python/knot_resolver/utils/modeling/base_schema.py b/python/knot_resolver/utils/modeling/base_schema.py index aca3be05f..13539fe04 100644 --- a/python/knot_resolver/utils/modeling/base_schema.py +++ b/python/knot_resolver/utils/modeling/base_schema.py @@ -754,14 +754,31 @@ def __eq__(self, o: object) -> bool: return True @classmethod - def json_schema(cls: Type["BaseSchema"], include_schema_definition: bool = True) -> Dict[Any, Any]: + def json_schema( + cls: Type["BaseSchema"], + schema_id: Optional[str] = None, + title: Optional[str] = None, + description: Optional[str] = None, + include_schema_definition: bool = True, + ) -> Dict[Any, Any]: if cls._LAYER is not None: - return cls._LAYER.json_schema(include_schema_definition=include_schema_definition) + return cls._LAYER.json_schema( + schema_id=schema_id, + title=title, + description=description, + include_schema_definition=include_schema_definition, + ) schema: Dict[Any, Any] = {} if include_schema_definition: schema["$schema"] = "https://json-schema.org/draft/2020-12/schema" - if cls.__doc__ is not None: + if schema_id is not None: + schema["$id"] = schema_id + if title is not None: + schema["title"] = title + if description is not None: + schema["description"] = description + elif cls.__doc__ is not None: schema["description"] = _split_docstring(cls.__doc__)[0] schema["type"] = "object" schema["properties"] = _get_properties_schema(cls) diff --git a/scripts/meson/make-doc.sh b/scripts/meson/make-doc.sh index 787b8a379..1bea3df98 100755 --- a/scripts/meson/make-doc.sh +++ b/scripts/meson/make-doc.sh @@ -3,10 +3,7 @@ set -o errexit -o nounset cd "$(dirname "${0}")/../.." -# generate JSON schema for the manager's declarative config -## the following python command should hopefully run without any dependencies except for standard python -mkdir -p doc/_static/ -python3 -m python.knot_resolver.client schema > doc/_static/config.schema.json +# convert JSON schema to html generate-schema-doc --config expand_buttons=true doc/_static/config.schema.json doc/_static/schema_doc.html # generating the user documentation diff --git a/scripts/poe-tasks/check b/scripts/poe-tasks/check index 7628b1fba..9cd529e97 100755 --- a/scripts/poe-tasks/check +++ b/scripts/poe-tasks/check @@ -68,6 +68,12 @@ python setup.py --help > /dev/null check_rv $? echo +# check that doc/_static/config.schema.json is the latest +echo -e "${yellow}Checking doc/_static/config.schema.json${reset}" +python -m knot_resolver.client schema | diff - doc/_static/config.schema.json +check_rv $? +echo + # fancy messages at the end :) if test "$aggregate_rv" -eq "0"; then echo -e "${green}Everything looks great!${reset}" diff --git a/tests/packaging/interactive/schema.sh b/tests/packaging/interactive/schema.sh new file mode 100755 index 000000000..3ea45d522 --- /dev/null +++ b/tests/packaging/interactive/schema.sh @@ -0,0 +1,15 @@ +#!/bin/bash + +set -e + +kresctl schema +if [ "$?" -ne "0" ]; then + echo "Failed to generate JSON schema with 'kresctl'" + exit 1 +fi + +kresctl schema --live +if [ "$?" -ne "0" ]; then + echo "Failed to get JSON schema from the running resolver" + exit 1 +fi