Managing DNSSEC Trust Anchors in the Lua Configuration

The DNSSEC Trust Anchors and Negative Trust Anchors must be stored in the Lua Configuration file. See the DNSSEC in the PowerDNS Recursor for all information about DNSSEC in the PowerDNS Recursor. This page only documents the Lua functions for DNSSEC configuration

addTA(name, dscontent)

Added in version 4.2.0.

Added in version 5.1.0: Alternative equivalent YAML setting: dnssec.trustanchors.

Adds Trust Anchor to the list of DNSSEC anchors.

Parameters:

  • name (str) – The name in the DNS tree from where this Trust Anchor should be used

  • dsrecord (str) – The DS Record content associated with name

clearTA([name])

Added in version 4.2.0.

Remove Trust Anchors for a name from the list of configured trust anchors. When name is not given, remove all trust anchors instead.

Parameters:

name (str) – The name in the DNS tree for which the Trust Anchors should be removed.

addNTA(name[, reason])

Added in version 5.1.0: Alternative equivalent YAML setting: dnssec.negative_trustanchors.

Adds a Negative Trust Anchor for name to the configuration. Please read Negative Trust Anchors for operational information on NTAs.

Parameters:

  • name (str) – The name in the DNS tree from where this NTA should be used

  • reason (str) – An optional comment to add to this NTA

clearNTA([name])

Remove Negative Trust Anchor for name from the list of configured trust anchors. When name is not given, remove all negative trust anchors instead.

Parameters:

name (str) – The name in the DNS tree from where this NTA should be removed

readTrustAnchorsFromFile(fname[, interval])

Added in version 4.2.0.

Added in version 5.1.0: Alternative equivalent YAML setting: dnssec.trustanchorfile and dnssec.trustanchorfile_interval.

Reads all DS and DNSKEY records from fname (a BIND zone file) and adds these to the Trust Anchors. This function can be used to read distribution provided trust anchors, as for instance /usr/share/dns/root.key from Debian’s dns-root-data package.

Parameters:

  • fname (str) – Path to a zone file with Trust Anchors

  • interval (int) – Re-read this file every interval hours. By default this is set to 24. Set to 0 to disable automatic re-reads.