Unverified Commit 92ecdf55 authored by Pavel Spirek's avatar Pavel Spirek
Browse files

Merged to master, resolved merge issues

parent c0a5fbd9
module knot-dns {
yang-version "1.1";
namespace "http://www.nic.cz/ns/yang/knot-dns";
prefix "knot";
import ietf-inet-types {
prefix "inet";
}
import ietf-yang-types {
prefix "yang";
}
import dns-server {
prefix "dnss";
}
import dnssec-signing {
prefix "dnssec";
}
organization
"CZ.NIC, z. s. p. o.";
contact
"Editor:   Ladislav Lhotka
          <mailto:lhotka@nic.cz>";
description
"This YANG module augments the 'dns-server' module with
parameters specific for the Knot-DNS server.";
reference
"https://www.knot-dns.cz/docs/2.0/html/";
revision 2016-08-03 {
description
"Initial revision.";
reference
"TODO: put git tag here";
}
/* Identities */
identity dnstap {
base dnss:query-module-type;
description
"Query module of this type performs query and response
logging.";
}
identity synth-record {
base dnss:query-module-type;
description
"Query module of this type is able to synthesize forward or
reverse records.";
}
identity dnsproxy {
base dnss:query-module-type;
description
"Query module of this type catches all unsatisfied queries and
forwards them to another server.";
}
identity rosedb {
base dnss:query-module-type;
description
"Query module of this type allows for overriding responses to
certain queries before they are looked up in a zone.";
}
/* Groupings */
grouping zone-options {
description
"Knot-specific zone options that are added to generic zone
options.";
leaf semantic-checks {
type boolean;
description
"Enable additional checks of zone data semantics (failures
are logged):
- missing NS record at the zone apex,
- missing glue A or AAAA records,
- broken or non-cyclic NSEC(3) chain,
- wrong NSEC(3) type bitmap,
- multiple NSEC records at the same node,
- missing NSEC records at authoritative nodes,
- extra record types under the same name as NSEC3 record
(this is valid but Knot will not serve such a zone
correctly),
- NSEC3-unsecured delegation that is not part of Opt-out
span,
- wrong original TTL value in NSEC3 records,
- wrong RDATA TTL value in RRSIG record.
- signer name in RRSIG RR not the same as in DNSKEY,
- signed RRSIG,
- not all RRs in node are signed,
- wrong key flags or wrong key in RRSIG record (not the same
as ZSK).";
}
}
grouping dnssec-sign-options {
description
"Knot-specific options for automatic DNSSEC signing.";
leaf kasp-db {
type string;
description
"Path to Key and Signing Policy (KASP) database directory.
Default: 'keys' subdirectory of the directory specified in
'zones-dir'.";
}
}
/* State data */
augment "/dnss:dns-server-state/dnss:zone" {
description
"Knot-specific zone state data.";
container next-event {
description
"Information about the next event scheduled for the zone.";
choice next-event {
description
"Next event details or none, if no event is scheduled.";
leaf none {
type empty;
description
"No event scheduled for the zone.";
}
case scheduled-event {
description
"An event is scheduled.";
leaf event-type {
type enumeration {
enum load {
description
"load event";
}
enum refresh {
description
"refresh event";
}
enum transfer {
description
"transfer event";
}
enum update {
description
"update event";
}
enum expiration {
description
"expiration event";
}
enum journal-flush {
description
"journal flush event";
}
enum notify {
description
"notify event";
}
enum dnssec-resign {
description
"dnssec resign event";
}
}
description
"Type of the event.";
}
choice event-time {
description
"Information about scheduled event time, or that it is
already pending.\"";
leaf pending {
type empty;
description
"The event is already pending.";
}
leaf time {
type yang:date-and-time;
description
"Date and time for which the event is scheduled.";
}
}
}
}
}
}
/* Configuration data */
augment "/dnss:dns-server" {
description
"Knot-specific configuration data.";
list log {
key "target";
description
"List of log options.
If no entry is present, messages with severity 'warning' or
higher are logged to syslog and standard error.";
typedef severity {
type enumeration {
enum critical {
description
"critical severity level";
}
enum error {
description
"error severity level";
}
enum warning {
description
"warning severity level";
}
enum notice {
description
"notice severity level";
}
enum info {
description
"info severity level";
}
enum debug {
description
"debug severity level";
}
}
default "warning";
description
"Severity levels.";
}
leaf target {
type string;
description
"Destination of log messages. The value can be either a
file name, or one of the following special strings:
- stdout: log messages are sent to standard output,
- stderr: log messages are sent to standard error,
- syslog: log messages are passed to the syslog
facility.";
}
uses dnss:description;
leaf server {
type severity;
description
"Severity threshold for server-related messages.";
}
leaf zone {
type severity;
description
"Severity threshold for zone-related messages.";
}
leaf any {
type severity;
description
"Severity threshold for all messages.";
}
}
container control-socket {
description
"Configuration of Knot DNS control socket.";
choice socket-type {
default "unix";
description
"The control socket can be either Unix domain socket
(default) or TCP/IP endpoint.";
leaf unix {
type dnss:fs-path;
default "knot.sock";
description
"Filename of the Unix domain socket.
A relative name is prepended with the directory
specified in 'dnss:run-time-dir'.";
}
case network {
description
"Address of the network socket.";
uses dnss:endpoint-address {
refine "port" {
default "5553";
}
}
}
}
uses dnss:acls {
description
"ACLs for the control socket.";
}
}
}
augment "/dnss:dns-server/dnss:server-options/dnss:resources" {
description
"Configuration of Knot-specific server resources.";
leaf tcp-workers {
type uint8 {
range "1..max";
}
description
"Number of workers (threads) handling TCP queries.
Default: auto-selected value based on the number of
available CPU cores.";
}
leaf udp-workers {
type uint8 {
range "1..max";
}
description
"Number of workers (threads) handling UDP queries.
Default: auto-selected value based on the number of
available CPU cores.";
}
leaf background-workers {
type uint8 {
range "1..max";
}
description
"Number of workers (threads) performing background operations
(zone loading, zone updates etc.).
Default: auto-selected value based on the number of
available CPU cores.";
}
leaf tcp-idle-timeout {
type uint32;
units "seconds";
default "20";
description
"Maximum idle time between requests on a TCP connection.";
}
leaf tcp-handshake-timeout {
type uint32;
units "seconds";
default "5";
description
"Maximum delay of the first query after a TCP connection is
established.";
}
leaf tcp-reply-timeout {
type uint32;
units "seconds";
default "10";
description
"Maximum time to wait for a reply to an SOA query.";
}
}
augment "/dnss:dns-server/dnss:server-options" {
description
"Configuration of Knot-specific server options.";
leaf async-start {
type boolean;
default "false";
description
"Instructs the server to start asynchronously. Until zones
are loaded, queries are responded with SERVFAIL.";
}
}
augment "/dnss:dns-server/dnss:zones/dnss:template" {
description
"Knot-specific configuration of a zone template.";
uses knot:zone-options;
}
augment "/dnss:dns-server/dnss:zones/dnss:template/"
+ "dnssec:dnssec-signing" {
description
"Knot-specific DNSSEC signing configuration of a zone
template.";
uses dnssec-sign-options;
}
augment "/dnss:dns-server/dnss:query-module" {
when "derived-from-or-self(dnss:type, 'knot:dnstap')";
description
"Configuration of 'dnstap' query module.";
container dnstap {
presence "dnstap query module";
description
"Configuration data for the 'dnstap' query module.
This module performs query and response logging via the
dnstap library.";
reference
"http://dnstap.info";
choice sink {
mandatory "true";
description
"Destination for query/response logs, can be a file or Unix
domain socket.";
leaf file {
type dnss:fs-path;
description
"File path.";
}
leaf unix-socket {
type dnss:fs-path;
description
"Unix domain socket path.";
}
}
}
}
augment "/dnss:dns-server/dnss:query-module" {
when "derived-from-or-self(dnss:type, 'knot:synth-record')";
description
"Configuration of 'synth-record' query module.";
container synth-record {
presence "synth-record query module";
description
"Configuration data for the 'synth-record' query module.
This module allows for synthesizing forward or reverse
records for a given prefix and subnet.";
leaf record-type {
type enumeration {
enum forward {
description
"Forward records.";
}
enum reverse {
description
"Reverse records.";
}
}
mandatory "true";
description
"Type of the synthesized records.";
}
leaf prefix {
type string;
mandatory "true";
description
"A prefix of the record owner.
Dots are not allowed, parts of a synthetic name must be
dash-separated.
TODO: regex pattern?";
}
leaf origin {
type inet:domain-name;
must "../record-type = 'reverse'" {
error-message "origin is only valid for reverse records";
description
"This parameter is only valid for reverse records.";
}
description
"Zone origin.";
}
leaf ttl {
type uint16;
units "seconds";
default "3600";
description
"Time-to-live value of the generated records.";
}
leaf network {
type inet:ip-prefix;
description
"Network subnet.";
}
}
}
augment "/dnss:dns-server/dnss:query-module" {
when "derived-from-or-self(dnss:type, 'knot:dnsproxy')";
description
"Configuration of 'dnsproxy' query module.";
container dnsproxy {
presence "dnsproxy query module";
description
"Configuration data for the 'dnsproxy' query module.
This module catches all unsatisfied queries and forwards
them to another server.";
container remote-server {
description
"Address of the remote server.";
uses dnss:endpoint-address;
}
}
}
augment "/dnss:dns-server/dnss:query-module" {
when "derived-from-or-self(dnss:type, 'knot:rosedb')";
description
"Configuration of 'rosedb' query module.";
container rosedb {
presence "rosedb query module";
description
"Configuration data for the 'rosedb' query module.
This module allows for answering certain queries from a
database.";
leaf db-dir {
type dnss:fs-path;
description
"Path to the database directory.";
}
}
}
augment "/dnss:dns-server/dnss:zones/dnss:zone" {
description
"Knot-specific zone configuration.";
uses knot:zone-options;
}
augment
"/dnss:dns-server/dnss:zones/dnss:zone/dnssec:dnssec-signing" {
description
"Knot-specific DNSSEC-signing configuration for a zone.";
uses dnssec-sign-options;
}
}
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment