Contents

Previous topic

Advanced Configuration Using Lua

Next topic

Logging DNS messages with Protocol Buffers

This Page

  1. Docs
  2. Advanced Configuration Using Lua
  3. Managing DNSSEC Trust Anchors in the Lua Configuration

Managing DNSSEC Trust Anchors in the Lua Configuration

The DNSSEC Trust Anchors and Negative Trust Anchors must be stored in the Lua Configuration file. See the DNSSEC in the PowerDNS Recursor for all information about DNSSEC in the PowerDNS Recursor. This page only documents the Lua functions for DNSSEC configuration

addTA(name, dscontent)

New in version 4.2.0.

New in version 5.1.0: Alternative equivalent YAML setting: dnssec.trustanchors.

Adds Trust Anchor to the list of DNSSEC anchors.

Parameters:
  • name (str) – The name in the DNS tree from where this Trust Anchor should be used
  • dsrecord (str) – The DS Record content associated with name
clearTA([name])

New in version 4.2.0.

Remove Trust Anchors for a name from the list of configured trust anchors. When name is not given, remove all trust anchors instead.

Parameters:name (str) – The name in the DNS tree for which the Trust Anchors should be removed.
addDS(name, dscontent)

Deprecated since version 4.2.0: Please use addTA() instead

Adds a DS record (Trust Anchor) to the configuration

Parameters:
  • name (str) – The name in the DNS tree from where this Trust Anchor should be used
  • dsrecord (str) – The DS Record content associated with name
clearDS([name])

Deprecated since version 4.2.0: Please use clearTA() instead

Remove Trust Anchors for a name from the list of configured trust anchors. When name is not given, remove all trust anchors instead.

Parameters:name (str) – The name in the DNS tree for which the Trust Anchors should be removed.
addNTA(name[, reason])

New in version 5.1.0: Alternative equivalent YAML setting: dnssec.negative_trustanchors.

Adds a Negative Trust Anchor for name to the configuration. Please read Negative Trust Anchors for operational information on NTAs.

Parameters:
  • name (str) – The name in the DNS tree from where this NTA should be used
  • reason (str) – An optional comment to add to this NTA
clearNTA([name])

Remove Negative Trust Anchor for name from the list of configured trust anchors. When name is not given, remove all negative trust anchors instead.

Parameters:name (str) – The name in the DNS tree from where this NTA should be removed
readTrustAnchorsFromFile(fname[, interval])

New in version 4.2.0.

New in version 5.1.0: Alternative equivalent YAML setting: dnssec.trustanchorfile and dnssec.trustanchorfile_interval.

Reads all DS and DNSKEY records from fname (a BIND zone file) and adds these to the Trust Anchors. This function can be used to read distribution provided trust anchors, as for instance /usr/share/dns/root.key from Debian’s dns-root-data package.

Parameters:
  • fname (str) – Path to a zone file with Trust Anchors
  • interval (int) – Re-read this file every interval hours. By default this is set to 24. Set to 0 to disable automatic re-reads.
Advanced Configuration Using Lua
Logging DNS messages with Protocol Buffers
© Copyright PowerDNS.COM BV. Created using Sphinx.