Commit 040785d9 authored by Aleš Mrázek's avatar Aleš Mrázek

Merge branch 'kres-sysrepo-dev' into 'kres-sysrepo'

kres sysrepo dev

See merge request !3
parents 7503cb41 4ad11800
# Resolvers YANG - sysrepo
# Resolvers YANG - Knot Resolver
YANG modules and example configuration data for Knot Resolver.
YANG data model and example configuration data for Knot Resolver usage with sysrepo.
* [Knot Resolver](https://www.knot-resolver.cz/)
* [sysrepo](http://www.sysrepo.org/)
## YANG Modules
The data model is defined by the following two main YANG modules:
* **cznic-resolver-common**: The basic data model based on unified configuration of several open-source DNS resolver implementations.
* **cznic-resolver-knot**: YANG module that extends the common data model with configuration parameters specific for Knot Resolver.
## Installation
YANG modules are in `yang-modules/` directory.
The only module that need to be installed to `sysrepo` is `cznic-resolver-knot`.
Other modules will be imported or installed automatically.
All nessassary YANG modules are located in `yang-modules/` directory.
The only module that needs to be installed is `cznic-resolver-knot`.
This can be done by `sysrepoctl` utility.
Other modules from directory are imported or installed automatically.
```
cd yang-modules
sysrepoctl -i cznic-resolver-knot.yang
sysrepoctl -i yang-modules/cznic-resolver-knot.yang -s yang-modules
```
Show installed YANG modules.
......@@ -19,44 +29,33 @@ Show installed YANG modules.
sysrepoctl -l
```
## Import example configuration data
## Import data
Example configuration data are located in `examples/` directory.
Import `config-data.json` configuration file to `running` datastore for `cznic-resolver-common` module.
Example configuration data file `examples/example-data.json` is located in `examples` directory.
Import file as startup data for `cznic-resolver-common`.
```
sysrepocfg --import=examples/example-data.json --datastore startup --module cznic-resolver-common
sysrepocfg --import=examples/config-data.json --datastore running --module cznic-resolver-common
```
## sysrepo examples
Basic example scripts can be found on `sysrepo` [github](https://github.com/sysrepo/sysrepo/tree/devel/examples). Scripts should be compiled with `sysrepo`.
## Examples
To read and change values of configuration inside sysrepo datastores `sysrepocfg` utility can be used.
For example, folowing command will show full configuration in `running` datastore under `cznic-resolver-common` module.
### Read configuration
Get running configuration data
```basg
./sr_get_items_example /cznic-resolver-common:*//. running
```
Get operational data
```basg
./sr_get_items_example /cznic-resolver-common:*//. operational
```
Read cache garbage collector configuration.
```bash
./sr_get_items_example /cznic-resolver-common:dns-resolver/cache/cznic-resolver-knot:garbage-collector/*
sysrepocfg -X -m cznic-resolver-common -d running -f json
```
### Listen for changes
Listen for all `cznic-resolver-common` changes
```bash
./application_changes_example cznic-resolver-common
```
Configuration editing can be provided using arbitrary text editor.
### Change value
Change `cache/min-ttl` to `15`
```bash
./sr_set_item_example /cznic-resolver-common:dns-resolver/cache/min-ttl 15
```
sysrepocfg --edit=vim -m cznic-resolver-common -d running -f json
```
Change Garbage Collector `interval` to `2000` milliseconds.
```bash
./sr_set_item_example /cznic-resolver-common:dns-resolver/cache/cznic-resolver-knot:garbage-collector/interval 2000
```
\ No newline at end of file
By copying configuration from `running` datastore to `startup` make configuration persist during system reboots.
```
sysrepocfg -C running -d startup
```
{
"cznic-resolver-common:dns-resolver": {
"server": {
"cznic-resolver-knot:auto-start": true,
"cznic-resolver-knot:auto-cache-gc": true,
"cznic-resolver-knot:kresd-instances": 2
},
"network": {
"listen-interfaces": [
{
"id": 0,
"ip-address": "127.0.0.1"
},
{
"id": 1,
"ip-address": "::1"
}
],
"source-address": {
"ipv6": "2001:db8:0:2::1"
},
"client-transport": {
"l2-protocols": "ipv6"
},
"recursion-transport": {
"l2-protocols": "ipv4 ipv6"
},
"udp-payload-size": 4096
},
"resolver": {
"stub-zones": [
{
"domain": "stub.example.com",
"nameserver": "192.0.2.1",
"port": 53
},
{
"domain": "stub.example.net",
"nameserver": "198.51.100.1"
}
],
"hints": {
"cznic-resolver-knot:hint": [
{
"name": "localhost",
"canonical": true,
"values": [
"127.0.0.1",
"::1"
]
},
{
"name": "loopback",
"values": [
"127.0.0.1"
]
}
],
"cznic-resolver-knot:hosts-file": "/etc/hosts",
"root-hint": [
{
"name": "a.root-servers.net",
"values": [
"198.41.0.4",
"2001:503:ba3e::2:30"
]
}
],
"root-zone-file": "/etc/resolver/root.hints"
},
"options": {
"glue-checking": true,
"qname-minimisation": true,
"reorder-rrset": true,
"query-loopback": true
}
},
"dnssec": {
"trust-anchors": [
{
"domain": ".",
"auto-update": true,
"trust-anchor": [
{
"id": 0,
"ds": {
"algorithm": "RSASHA256",
"digest": "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5",
"digest-type": "SHA-256",
"key-tag": 19036
}
},
{
"id": 1,
"ds": {
"algorithm": "RSASHA256",
"digest": "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D",
"digest-type": "SHA-256",
"key-tag": 20326
}
},
{
"id": 2,
"dnskey": {
"algorithm": "RSASHA256",
"flags": "ZONE SEP",
"protocol": 3,
"public-key": "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="
}
}
]
}
],
"negative-trust-anchors": [
"bad.example.com",
"worse.example.com"
]
},
"dns64": {
"prefix": "64:ff9b::/96"
},
"logging": {
"verbosity": 2
},
"cache": {
"cznic-resolver-knot:storage": "/var/cache/knot-resolver",
"max-size": 104857600,
"min-ttl": 50,
"max-ttl": 172800,
"cznic-resolver-knot:prefill": [
{
"origin": ".",
"url": "https://www.internic.net/domain/root.zone",
"ca-file": "/etc/pki/tls/certs/ca-bundle.crt"
}
],
"cznic-resolver-knot:garbage-collector": {
"interval": 1000,
"threshold": 90,
"release-percentage": 20,
"temporary-keys-space": 0,
"rw-items": 0,
"rw-duration": 0,
"rw-delay": 0,
"dry-run": false
}
},
"cznic-resolver-knot:instances": [
{
"name": "dot",
"network": {
"listen-interfaces": [
{
"id": 1,
"ip-address": "198.51.100.1",
"port": 553,
"cznic-resolver-knot:kind": "dot"
}
],
"tls": {
"cert": "server.crt",
"cert-key": "server.key",
"sticket-secret": "b4ZfPnEa"
}
},
"logging": {
"verbosity": 5
}
}
]
}
}
\ No newline at end of file
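Review bot: The example ships a literal TLS session-ticket secret, `"sticket-secret": "b4ZfPnEa"`, in the `dot` instance, which is exactly the kind of value that gets copied verbatim into real deployments; an obviously placeholder value such as `"<replace-with-a-random-secret>"`, or omitting the leaf entirely if the resolver generates its own secret when none is configured (confirm against kresd), makes safer sample data. The same listener uses `"port": 553`, whereas DNS-over-TLS is registered on port 853 (RFC 7858), so this reads as a typo unless a non-standard port is intentional and documented in the README. The trust anchor entry with `"key-tag": 19036` is the 2010 root KSK, which was revoked in 2019; keeping only the 20326 DS (and the matching DNSKEY) avoids shipping a stale anchor that consumers may assume is current. All three values recur unchanged in the YAML example that follows this file, so whichever fix is chosen should be applied there too.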
---
server:
auto-start: true
auto-cache-gc: true
kresd-instances: 2
network:
listen-interfaces:
- id: 0
ip-address: 127.0.0.1
- id: 1
ip-address: "::1"
source-address:
ipv6: 2001:db8:0:2::1
client-transport:
l2-protocols: ipv6
recursion-transport:
l2-protocols: ipv4 ipv6
udp-payload-size: 4096
resolver:
stub-zones:
- domain: stub.example.com
nameserver: 192.0.2.1
port: 53
- domain: stub.example.net
nameserver: 198.51.100.1
hints:
hint:
- name: localhost
canonical: true
values:
- 127.0.0.1
- "::1"
- name: loopback
values:
- 127.0.0.1
hosts-file: "/etc/hosts"
root-hint:
- name: a.root-servers.net
values:
- 198.41.0.4
- 2001:503:ba3e::2:30
root-zone-file: "/etc/resolver/root.hints"
options:
glue-checking: true
qname-minimisation: true
reorder-rrset: true
query-loopback: true
dnssec:
trust-anchors:
- domain: "."
auto-update: true
trust-anchor:
- id: 0
ds:
algorithm: RSASHA256
digest: 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
digest-type: SHA-256
key-tag: 19036
- id: 1
ds:
algorithm: RSASHA256
digest: E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
digest-type: SHA-256
key-tag: 20326
- id: 2
dnskey:
algorithm: RSASHA256
flags: ZONE SEP
protocol: 3
public-key: AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
negative-trust-anchors:
- bad.example.com
- worse.example.com
dns64:
prefix: 64:ff9b::/96
logging:
verbosity: 2
cache:
storage: "/var/cache/knot-resolver"
max-size: 104857600
min-ttl: 50
max-ttl: 172800
prefill:
- origin: "."
url: https://www.internic.net/domain/root.zone
ca-file: "/etc/pki/tls/certs/ca-bundle.crt"
garbage-collector:
interval: 1000
threshold: 90
release-percentage: 20
temporary-keys-space: 0
rw-items: 0
rw-duration: 0
rw-delay: 0
dry-run: false
instances:
- name: dot
network:
listen-interfaces:
- id: 1
ip-address: 198.51.100.1
port: 553
kind: dot
tls:
cert: server.crt
cert-key: server.key
sticket-secret: b4ZfPnEa
logging:
verbosity: 5
{
"cznic-resolver-common:dns-resolver": {
"server": {
"cznic-resolver-knot:auto-start": true,
"cznic-resolver-knot:auto-cache-gc": true,
"cznic-resolver-knot:kresd-instances": 3
},
"network": {
"listen-interfaces": [
{
"id": 0,
"ip-address": "127.0.0.1"
},
{
"id": 1,
"ip-address": "::1"
},
{
"id": 2,
"ip-address": "198.51.100.1",
"port": 553,
"cznic-resolver-knot:kind": "dot"
}
],
"tls": {
"cert": "server.crt",
"key": "server.key",
"cznic-resolver-knot:sticket-secret": "b4ZfPnEa"
}
},
"dnss64": {
"prefix": "64:ff9b::/96"
},
"logging": {
"verbosity": 2
},
"cache": {
"cznic-resolver-knot:storage": "/var/cache/knot-resolver",
"max-size": 104857600,
"min-ttl": 50,
"max-ttl": 172800,
"cznic-resolver-knot:garbage-collector": {
"interval": 1000,
"threshold": 90,
"release-percentage": 20,
"temporary-keys-space": 0,
"rw-items": 0,
"rw-duration": 0,
"rw-delay": 0,
"dry-run": false
}
}
}
}
......@@ -18,6 +18,10 @@ module cznic-resolver-common {
prefix rdata;
}
import ietf-yang-types {
prefix yang;
}
organization
"CZ.NIC, z. s. p. o.";
......@@ -31,13 +35,20 @@ module cznic-resolver-common {
description
"This YANG module defines the common part of a data model for DNS resolvers.";
revision 2020-04-07 {
revision 2020-05-11 {
description
"";
reference
"";
}
/* Features */
feature set-group {
description
"This feature indicates support for setting the group.";
}
/* Type definitions */
typedef fs-path {
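Review bot: The new `revision 2020-05-11` statement carries empty `description ""` and `reference ""` strings, so the module records no summary of what changed, and the older `revision 2020-04-07` line appears to be replaced rather than kept above it, which drops the revision history YANG expects a module to accumulate. Suggest filling the description with a one-line summary of this commit's additions, e.g. `"Add l2-protocol-selection typedef, static-hint and trust-anchor-spec groupings, user-name/group-name leaves, and source-address/transport containers.";`, and dropping the empty `reference` statement rather than leaving it blank. The enclosing `module cznic-resolver-common` starts and ends outside this hunk.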
......@@ -49,8 +60,63 @@ module cznic-resolver-common {
rules of the underlying operating system.";
}
typedef l2-protocol-selection {
type bits {
bit ipv4 {
description
"Enable/disable IPv4.";
}
bit ipv6 {
description
"Enable/disable IPv6.";
}
}
default "ipv4 ipv6";
}
/* Grouping definitions */
grouping static-hint {
description
"This grouping defines the content of a static hint.";
leaf name {
type inet:domain-name;
description
"Domain name of a root server.";
}
leaf-list values {
type inet:ip-address-no-zone;
min-elements "1";
description
"One or more IPv4/IPv6 addresses of the root server.";
}
}
grouping trust-anchor-spec {
description
"Specification of a trust anchor.";
choice trust-anchor-rdata {
description
"A trust anchor is specified by a DS or DNSKEY resource
record data.";
container ds {
description
"A trust anchor defined using DS RDATA.";
uses rdata:ds;
}
container dnskey {
description
"A trust anchor defined using DS RDATA.";
uses rdata:dnskey;
}
}
}
grouping server-spec {
leaf package-version {
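Review bot: The `container dnskey` inside `grouping trust-anchor-spec` is described as `"A trust anchor defined using DS RDATA."`, a copy of the `ds` container's text; it should read `"A trust anchor defined using DNSKEY RDATA."`. In `grouping static-hint` the grouping-level description is generic ("content of a static hint") but its leaves say "Domain name of a root server" and "addresses of the root server", while the example data applies the same grouping to `localhost` and `loopback` hints, so wording like `"Domain name the hint applies to."` and `"One or more IPv4/IPv6 addresses for the hint."` fits better. The new `typedef l2-protocol-selection` has no `description` statement, unlike `fs-path` above it. The later `source-address` hunk spells "operationg system" in both the `ipv4` and `ipv6` descriptions; it should be "operating system". The enclosing `module` block starts and ends outside this hunk.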
......@@ -59,6 +125,21 @@ module cznic-resolver-common {
description
"Vesion of the DNS resolver package.";
}
leaf user-name {
type string;
description
"After binding the network socket, drop the privileges and
run with effective user ID of this user.";
}
leaf group-name {
if-feature "set-group";
type string;
description
"After binding the network socket, drop the privileges and
run with effective group ID of this group.";
}
}
grouping network-spec {
......@@ -90,6 +171,67 @@ module cznic-resolver-common {
}
}
container source-address {
leaf ipv4 {
type inet:ipv4-address-no-zone;
description
"IPv4 address to use as the source address in outgoing
queries.
If not configured, the resolver uses any address
provided by the operationg system.";
}
leaf ipv6 {
type inet:ipv6-address-no-zone;
description
"IPv6 address to use as the source address in outgoing
queries.
If not configured, the resolver uses any address
provided by the operationg system.";
}
}
container client-transport {
description
"Specify L2 and L3 protocols used for receiving and
answering client queries.";
leaf l2-protocols {
type l2-protocol-selection;
description
"L2 protocols used for receiving and answering client
queries.";
}
}
container recursion-transport {
description
"Specify L2 and L3 protocols used for recursive queries.";
leaf l2-protocols {
type l2-protocol-selection;
description
"L2 protocols used for recursive queries.";
}
}
leaf udp-payload-size {
type uint16 {
range "512..max";
}
units "octets";
default "4096";
description
"Largest UDP payload that the resolver can accept.
This value is advertized in EDNS0.";
reference
"RFC 2671: Extension Mechanisms for DNS (EDNS0)";
}