knot-resolver-doc 2.1.1-1 / usr / share / doc / knot-resolver / daemon.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Knot DNS Resolver daemon &#8212; Knot DNS Resolver 2.1.1 documentation</title>
    <link rel="stylesheet" href="_static/nature.css" type="text/css" />
    <link rel="stylesheet" href="_static/pygments.css" type="text/css" />
    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    './',
        VERSION:     '2.1.1',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  true,
        SOURCELINK_SUFFIX: '.txt'
      };
    </script>
    <script type="text/javascript" src="_static/jquery.js"></script>
    <script type="text/javascript" src="_static/underscore.js"></script>
    <script type="text/javascript" src="_static/doctools.js"></script>
    <link rel="index" title="Index" href="genindex.html" />
    <link rel="search" title="Search" href="search.html" />
    <link rel="next" title="Knot DNS Resolver modules" href="modules.html" />
    <link rel="prev" title="Knot DNS Resolver" href="index.html" /> 
  </head>
  <body>
    <div class="related" role="navigation" aria-label="related navigation">
      <h3>Navigation</h3>
      <ul>
        <li class="right" style="margin-right: 10px">
          <a href="genindex.html" title="General Index"
             accesskey="I">index</a></li>
        <li class="right" >
          <a href="modules.html" title="Knot DNS Resolver modules"
             accesskey="N">next</a> |</li>
        <li class="right" >
          <a href="index.html" title="Knot DNS Resolver"
             accesskey="P">previous</a> |</li>
        <li class="nav-item nav-item-0"><a href="index.html">Knot DNS Resolver 2.1.1 documentation</a> &#187;</li> 
      </ul>
    </div>  

    <div class="document">
      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body" role="main">
            
  <div class="section" id="knot-dns-resolver-daemon">
<h1>Knot DNS Resolver daemon<a class="headerlink" href="#knot-dns-resolver-daemon" title="Permalink to this headline">¶</a></h1>
<p>The server is in the <cite>daemon</cite> directory, it works out of the box without any configuration.</p>
<div class="highlight-bash"><div class="highlight"><pre><span></span>$ kresd -h <span class="c1"># Get help</span>
$ kresd -a ::1
</pre></div>
</div>
<div class="section" id="configuration">
<h2>Configuration<a class="headerlink" href="#configuration" title="Permalink to this headline">¶</a></h2>
<div class="contents local topic" id="contents">
<ul class="simple">
<li><a class="reference internal" href="#configuration-example" id="id3">Configuration example</a></li>
<li><a class="reference internal" href="#configuration-syntax" id="id4">Configuration syntax</a><ul>
<li><a class="reference internal" href="#dynamic-configuration" id="id5">Dynamic configuration</a></li>
<li><a class="reference internal" href="#asynchronous-events" id="id6">Asynchronous events</a></li>
</ul>
</li>
<li><a class="reference internal" href="#configuration-reference" id="id7">Configuration reference</a><ul>
<li><a class="reference internal" href="#environment" id="id8">Environment</a></li>
<li><a class="reference internal" href="#network-configuration" id="id9">Network configuration</a></li>
<li><a class="reference internal" href="#trust-anchors-and-dnssec" id="id10">Trust anchors and DNSSEC</a></li>
<li><a class="reference internal" href="#modules-configuration" id="id11">Modules configuration</a></li>
<li><a class="reference internal" href="#cache-configuration" id="id12">Cache configuration</a></li>
<li><a class="reference internal" href="#timers-and-events" id="id13">Timers and events</a></li>
<li><a class="reference internal" href="#asynchronous-function-execution" id="id14">Asynchronous function execution</a></li>
<li><a class="reference internal" href="#scripting-worker" id="id15">Scripting worker</a></li>
</ul>
</li>
</ul>
</div>
<p>In it’s simplest form it requires just a working directory in which it can set up persistent files like
cache and the process state. If you don’t provide the working directory by parameter, it is going to make itself
comfortable in the current working directory.</p>
<div class="highlight-sh"><div class="highlight"><pre><span></span>$ kresd /var/cache/knot-resolver
</pre></div>
</div>
<p>And you’re good to go for most use cases! If you want to use modules or configure daemon behavior, read on.</p>
<p>There are several choices on how you can configure the daemon, a RPC interface, a CLI, and a configuration file.
Fortunately all share common syntax and are transparent to each other.</p>
<div class="section" id="configuration-example">
<h3><a class="toc-backref" href="#id3">Configuration example</a><a class="headerlink" href="#configuration-example" title="Permalink to this headline">¶</a></h3>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="c1">-- interfaces</span>
<span class="n">net</span> <span class="o">=</span> <span class="p">{</span> <span class="s1">&#39;127.0.0.1&#39;</span><span class="p">,</span> <span class="s1">&#39;::1&#39;</span> <span class="p">}</span>
<span class="c1">-- load some modules</span>
<span class="n">modules</span> <span class="o">=</span> <span class="p">{</span> <span class="s1">&#39;policy&#39;</span> <span class="p">}</span>
<span class="c1">-- 10MB cache</span>
<span class="n">cache</span><span class="p">.</span><span class="n">size</span> <span class="o">=</span> <span class="mi">10</span><span class="o">*</span><span class="n">MB</span>
</pre></div>
</div>
<div class="admonition tip">
<p class="first admonition-title">Tip</p>
<p class="last">There are more configuration examples in <cite>etc/</cite> directory for personal, ISP, company internal and resolver cluster use cases.</p>
</div>
</div>
<div class="section" id="configuration-syntax">
<h3><a class="toc-backref" href="#id4">Configuration syntax</a><a class="headerlink" href="#configuration-syntax" title="Permalink to this headline">¶</a></h3>
<p>The configuration is kept in the <code class="docutils literal"><span class="pre">config</span></code> file in the daemon working directory, and it’s going to get loaded automatically.
If there isn’t one, the daemon is going to start with sane defaults, listening on <cite>localhost</cite>.
The syntax for options is like follows: <code class="docutils literal"><span class="pre">group.option</span> <span class="pre">=</span> <span class="pre">value</span></code> or <code class="docutils literal"><span class="pre">group.action(parameters)</span></code>.
You can also comment using a <code class="docutils literal"><span class="pre">--</span></code> prefix.</p>
<p>A simple example would be to load static hints.</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">modules</span> <span class="o">=</span> <span class="p">{</span>
        <span class="s1">&#39;hints&#39;</span> <span class="c1">-- no configuration</span>
<span class="p">}</span>
</pre></div>
</div>
<p>If the module accepts configuration, you can call the <code class="docutils literal"><span class="pre">module.config({...})</span></code> or provide options table.
The syntax for table is <code class="docutils literal"><span class="pre">{</span> <span class="pre">key1</span> <span class="pre">=</span> <span class="pre">value,</span> <span class="pre">key2</span> <span class="pre">=</span> <span class="pre">value</span> <span class="pre">}</span></code>, and it represents the unpacked <a class="reference external" href="http://json.org/example">JSON-encoded</a> string, that
the modules use as the <a class="reference internal" href="modules_api.html#mod-properties"><span class="std std-ref">input configuration</span></a>.</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">modules</span> <span class="o">=</span> <span class="p">{</span>
        <span class="n">hints</span> <span class="o">=</span> <span class="s1">&#39;/etc/hosts&#39;</span>
<span class="p">}</span>
</pre></div>
</div>
<div class="admonition warning">
<p class="first admonition-title">Warning</p>
<p class="last">Modules specified including their configuration may not load exactly in the same order as specified.</p>
</div>
<p>Modules are inherently ordered by their declaration. Some modules are built-in, so it would be normally impossible to place for example <em>hints</em> before <em>cache</em>. You can enforce specific order by precedence operators <strong>&gt;</strong> and <strong>&lt;</strong>.</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">modules</span> <span class="o">=</span> <span class="p">{</span>
   <span class="s1">&#39;hints  &gt; iterate&#39;</span><span class="p">,</span> <span class="c1">-- Hints AFTER iterate</span>
   <span class="s1">&#39;policy &gt; hints&#39;</span><span class="p">,</span>   <span class="c1">-- Policy AFTER hints</span>
   <span class="s1">&#39;view   &lt; cache&#39;</span>    <span class="c1">-- View BEFORE cache</span>
<span class="p">}</span>
<span class="n">modules</span><span class="p">.</span><span class="n">list</span><span class="p">()</span> <span class="c1">-- Check module call order</span>
</pre></div>
</div>
<p>This is useful if you’re writing a module with a layer, that evaluates an answer before writing it into cache for example.</p>
<div class="admonition tip">
<p class="first admonition-title">Tip</p>
<p class="last">The configuration and CLI syntax is Lua language, with which you may already be familiar with.
If not, you can read the <a class="reference external" href="http://tylerneylon.com/a/learn-lua/">Learn Lua in 15 minutes</a> for a syntax overview. Spending just a few minutes
will allow you to break from static configuration, write more efficient configuration with iteration, and
leverage events and hooks. Lua is heavily used for scripting in applications ranging from embedded to game engines,
but in DNS world notably in <a class="reference external" href="https://doc.powerdns.com/md/recursor/scripting/">PowerDNS Recursor</a>. Knot DNS Resolver does not simply use Lua modules, but it is
the heart of the daemon for everything from configuration, internal events and user interaction.</p>
</div>
<div class="section" id="dynamic-configuration">
<h4><a class="toc-backref" href="#id5">Dynamic configuration</a><a class="headerlink" href="#dynamic-configuration" title="Permalink to this headline">¶</a></h4>
<p>Knowing that the the configuration is a Lua in disguise enables you to write dynamic rules. It also helps you to avoid repetitive templating that is unavoidable with static configuration.</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="kr">if</span> <span class="n">hostname</span><span class="p">()</span> <span class="o">==</span> <span class="s1">&#39;hidden&#39;</span> <span class="kr">then</span>
        <span class="n">net</span><span class="p">.</span><span class="n">listen</span><span class="p">(</span><span class="n">net</span><span class="p">.</span><span class="n">eth0</span><span class="p">,</span> <span class="mi">5353</span><span class="p">)</span>
<span class="kr">else</span>
        <span class="n">net</span> <span class="o">=</span> <span class="p">{</span> <span class="s1">&#39;127.0.0.1&#39;</span><span class="p">,</span> <span class="n">net</span><span class="p">.</span><span class="n">eth1</span><span class="p">.</span><span class="n">addr</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="p">}</span>
<span class="kr">end</span>
</pre></div>
</div>
<p>Another example would show how it is possible to bind to all interfaces, using iteration.</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="kr">for</span> <span class="n">name</span><span class="p">,</span> <span class="n">addr_list</span> <span class="kr">in</span> <span class="nb">pairs</span><span class="p">(</span><span class="n">net</span><span class="p">.</span><span class="n">interfaces</span><span class="p">())</span> <span class="kr">do</span>
        <span class="n">net</span><span class="p">.</span><span class="n">listen</span><span class="p">(</span><span class="n">addr_list</span><span class="p">)</span>
<span class="kr">end</span>
</pre></div>
</div>
<div class="admonition tip">
<p class="first admonition-title">Tip</p>
<p>Some users observed a considerable, close to 100%, performance gain in Docker containers when they bound the daemon to a single interface:ip address pair. One may expand the aforementioned example with browsing available addresses as:</p>
<div class="last highlight-lua"><div class="highlight"><pre><span></span><span class="n">addrpref</span> <span class="o">=</span> <span class="n">env</span><span class="p">.</span><span class="n">EXPECTED_ADDR_PREFIX</span>
<span class="kr">for</span> <span class="n">k</span><span class="p">,</span> <span class="n">v</span> <span class="kr">in</span> <span class="nb">pairs</span><span class="p">(</span><span class="n">addr_list</span><span class="p">[</span><span class="s2">&quot;addr&quot;</span><span class="p">])</span> <span class="kr">do</span>
        <span class="kr">if</span> <span class="nb">string.sub</span><span class="p">(</span><span class="n">v</span><span class="p">,</span><span class="mi">1</span><span class="p">,</span><span class="nb">string.len</span><span class="p">(</span><span class="n">addrpref</span><span class="p">))</span> <span class="o">==</span> <span class="n">addrpref</span> <span class="kr">then</span>
                <span class="n">net</span><span class="p">.</span><span class="n">listen</span><span class="p">(</span><span class="n">v</span><span class="p">)</span>
<span class="p">...</span>
</pre></div>
</div>
</div>
<p>You can also use third-party packages (available for example through <a class="reference external" href="https://rocks.moonscript.org/">LuaRocks</a>) as on this example
to download cache from parent, to avoid cold-cache start.</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="kd">local</span> <span class="n">http</span> <span class="o">=</span> <span class="nb">require</span><span class="p">(</span><span class="s1">&#39;socket.http&#39;</span><span class="p">)</span>
<span class="kd">local</span> <span class="n">ltn12</span> <span class="o">=</span> <span class="nb">require</span><span class="p">(</span><span class="s1">&#39;ltn12&#39;</span><span class="p">)</span>

<span class="kr">if</span> <span class="n">cache</span><span class="p">.</span><span class="n">count</span><span class="p">()</span> <span class="o">==</span> <span class="mi">0</span> <span class="kr">then</span>
        <span class="c1">-- download cache from parent</span>
        <span class="n">http</span><span class="p">.</span><span class="n">request</span> <span class="p">{</span>
                <span class="n">url</span> <span class="o">=</span> <span class="s1">&#39;http://parent/cache.mdb&#39;</span><span class="p">,</span>
                <span class="n">sink</span> <span class="o">=</span> <span class="n">ltn12</span><span class="p">.</span><span class="n">sink</span><span class="p">.</span><span class="n">file</span><span class="p">(</span><span class="nb">io.open</span><span class="p">(</span><span class="s1">&#39;cache.mdb&#39;</span><span class="p">,</span> <span class="s1">&#39;w&#39;</span><span class="p">))</span>
        <span class="p">}</span>
        <span class="c1">-- reopen cache with 100M limit</span>
        <span class="n">cache</span><span class="p">.</span><span class="n">size</span> <span class="o">=</span> <span class="mi">100</span><span class="o">*</span><span class="n">MB</span>
<span class="kr">end</span>
</pre></div>
</div>
</div>
<div class="section" id="asynchronous-events">
<h4><a class="toc-backref" href="#id6">Asynchronous events</a><a class="headerlink" href="#asynchronous-events" title="Permalink to this headline">¶</a></h4>
<p>Lua supports a concept called <a class="reference external" href="https://www.lua.org/pil/6.1.html">closures</a>, this is extremely useful for scripting actions upon various events,
say for example - prune the cache within minute after loading, publish statistics each 5 minutes and so on.
Here’s an example of an anonymous function with <a class="reference internal" href="#c.event.recurrent" title="event.recurrent"><code class="xref c c-func docutils literal"><span class="pre">event.recurrent()</span></code></a>:</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="c1">-- every 5 minutes</span>
<span class="n">event</span><span class="p">.</span><span class="n">recurrent</span><span class="p">(</span><span class="mi">5</span> <span class="o">*</span> <span class="n">minute</span><span class="p">,</span> <span class="kr">function</span><span class="p">()</span>
        <span class="n">cache</span><span class="p">.</span><span class="n">prune</span><span class="p">()</span>
<span class="kr">end</span><span class="p">)</span>
</pre></div>
</div>
<p>Note that each scheduled event is identified by a number valid for the duration of the event,
you may cancel it at any time. You can do this with anonymous functions, if you accept the event
as a parameter, but it’s not very useful as you don’t have any <em>non-global</em> way to keep persistent variables.</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="c1">-- make a closure, encapsulating counter</span>
<span class="kr">function</span> <span class="nf">pruner</span><span class="p">()</span>
        <span class="kd">local</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span>
        <span class="c1">-- pruning function</span>
        <span class="kr">return</span> <span class="kr">function</span><span class="p">(</span><span class="n">e</span><span class="p">)</span>
                <span class="n">cache</span><span class="p">.</span><span class="n">prune</span><span class="p">()</span>
                <span class="c1">-- cancel event on 5th attempt</span>
                <span class="n">i</span> <span class="o">=</span> <span class="n">i</span> <span class="o">+</span> <span class="mi">1</span>
                <span class="kr">if</span> <span class="n">i</span> <span class="o">==</span> <span class="mi">5</span> <span class="kr">then</span>
                        <span class="n">event</span><span class="p">.</span><span class="n">cancel</span><span class="p">(</span><span class="n">e</span><span class="p">)</span>
                <span class="n">fi</span>
        <span class="kr">end</span>
<span class="kr">end</span>

<span class="c1">-- make recurrent event that will cancel after 5 times</span>
<span class="n">event</span><span class="p">.</span><span class="n">recurrent</span><span class="p">(</span><span class="mi">5</span> <span class="o">*</span> <span class="n">minute</span><span class="p">,</span> <span class="n">pruner</span><span class="p">())</span>
</pre></div>
</div>
<p>Another type of actionable event is activity on a file descriptor. This allows you to embed other
event loops or monitor open files and then fire a callback when an activity is detected.
This allows you to build persistent services like HTTP servers or monitoring probes that cooperate
well with the daemon internal operations. See <a class="reference internal" href="#c.event.socket" title="event.socket"><code class="xref c c-func docutils literal"><span class="pre">event.socket()</span></code></a></p>
<p>File watchers are possible with <a class="reference internal" href="#c.worker.coroutine" title="worker.coroutine"><code class="xref c c-func docutils literal"><span class="pre">worker.coroutine()</span></code></a> and <a class="reference external" href="https://25thandclement.com/~william/projects/cqueues.html">cqueues</a>, see the cqueues documentation for more information.</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="kd">local</span> <span class="n">notify</span> <span class="o">=</span> <span class="nb">require</span><span class="p">(</span><span class="s1">&#39;cqueues.notify&#39;</span><span class="p">)</span>
<span class="kd">local</span> <span class="n">watcher</span> <span class="o">=</span> <span class="n">notify</span><span class="p">.</span><span class="n">opendir</span><span class="p">(</span><span class="s1">&#39;/etc&#39;</span><span class="p">)</span>
<span class="n">watcher</span><span class="p">:</span><span class="n">add</span><span class="p">(</span><span class="s1">&#39;hosts&#39;</span><span class="p">)</span>

<span class="c1">-- Watch changes to /etc/hosts</span>
<span class="n">worker</span><span class="p">.</span><span class="n">coroutine</span><span class="p">(</span><span class="kr">function</span> <span class="p">()</span>
  <span class="kr">for</span> <span class="n">flags</span><span class="p">,</span> <span class="n">name</span> <span class="kr">in</span> <span class="n">watcher</span><span class="p">:</span><span class="n">changes</span><span class="p">()</span> <span class="kr">do</span>
    <span class="kr">for</span> <span class="n">flag</span> <span class="kr">in</span> <span class="n">notify</span><span class="p">.</span><span class="n">flags</span><span class="p">(</span><span class="n">flags</span><span class="p">)</span> <span class="kr">do</span>
      <span class="nb">print</span><span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="n">notify</span><span class="p">[</span><span class="n">flag</span><span class="p">])</span>
    <span class="kr">end</span>
  <span class="kr">end</span>
<span class="kr">end</span><span class="p">)</span>
</pre></div>
</div>
</div>
</div>
<div class="section" id="configuration-reference">
<h3><a class="toc-backref" href="#id7">Configuration reference</a><a class="headerlink" href="#configuration-reference" title="Permalink to this headline">¶</a></h3>
<p>This is a reference for variables and functions available to both configuration file and CLI.</p>
<div class="contents local topic" id="id1">
<ul class="simple">
<li><a class="reference internal" href="#environment" id="id16">Environment</a></li>
<li><a class="reference internal" href="#network-configuration" id="id17">Network configuration</a></li>
<li><a class="reference internal" href="#trust-anchors-and-dnssec" id="id18">Trust anchors and DNSSEC</a></li>
<li><a class="reference internal" href="#modules-configuration" id="id19">Modules configuration</a></li>
<li><a class="reference internal" href="#cache-configuration" id="id20">Cache configuration</a></li>
<li><a class="reference internal" href="#timers-and-events" id="id21">Timers and events</a></li>
<li><a class="reference internal" href="#asynchronous-function-execution" id="id22">Asynchronous function execution</a></li>
<li><a class="reference internal" href="#scripting-worker" id="id23">Scripting worker</a></li>
</ul>
</div>
<div class="section" id="environment">
<h4><a class="toc-backref" href="#id16">Environment</a><a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h4>
<dl class="envvar">
<dt id="envvar-env(table)">
<code class="descname">env (table)</code><a class="headerlink" href="#envvar-env(table)" title="Permalink to this definition">¶</a></dt>
<dd><p>Return environment variable.</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">env</span><span class="p">.</span><span class="n">USER</span> <span class="c1">-- equivalent to $USER in shell</span>
</pre></div>
</div>
</dd></dl>

<dl class="function">
<dt id="c.hostname">
<code class="descname">hostname</code><span class="sig-paren">(</span>[fqdn]<span class="sig-paren">)</span><a class="headerlink" href="#c.hostname" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Returns:</th><td class="field-body">Machine hostname.</td>
</tr>
</tbody>
</table>
<p>If called with a parameter, it will set kresd’s internal
hostname. If called without a parameter, it will return kresd’s
internal hostname, or the system’s POSIX hostname (see
gethostname(2)) if kresd’s internal hostname is unset.</p>
</dd></dl>

<dl class="function">
<dt id="c.moduledir">
<code class="descname">moduledir</code><span class="sig-paren">(</span>[dir]<span class="sig-paren">)</span><a class="headerlink" href="#c.moduledir" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Returns:</th><td class="field-body">Modules directory.</td>
</tr>
</tbody>
</table>
<p>If called with a parameter, it will change kresd’s directory for
looking up the dynamic modules.  If called without a parameter, it
will return kresd’s modules directory.</p>
</dd></dl>

<dl class="function">
<dt id="c.verbose">
<code class="descname">verbose</code><span class="sig-paren">(</span>true |<em>&nbsp;false</em><span class="sig-paren">)</span><a class="headerlink" href="#c.verbose" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Returns:</th><td class="field-body">Toggle verbose logging.</td>
</tr>
</tbody>
</table>
</dd></dl>

<dl class="function">
<dt id="c.mode">
<code class="descname">mode</code><span class="sig-paren">(</span>'strict' | 'normal' |<em>&nbsp;‘permissive’</em><span class="sig-paren">)</span><a class="headerlink" href="#c.mode" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Returns:</th><td class="field-body">Change resolver strictness checking level.</td>
</tr>
</tbody>
</table>
<p>By default, resolver runs in <em>normal</em> mode. There are possibly many small adjustments
hidden behind the mode settings, but the main idea is that in <em>permissive</em> mode, the resolver
tries to resolve a name with as few lookups as possible, while in <em>strict</em> mode it spends much
more effort resolving and checking referral path. However, if majority of the traffic is covered
by DNSSEC, some of the strict checking actions are counter-productive.</p>
<table border="1" class="docutils">
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Glue type</th>
<th class="head">Modes when it is accepted</th>
<th class="head">Example glue <a class="footnote-reference" href="#example-glue" id="id2">[1]</a></th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td>mandatory glue</td>
<td>strict, normal, permissive</td>
<td>ns1.example.org</td>
</tr>
<tr class="row-odd"><td>in-bailiwick glue</td>
<td>normal, permissive</td>
<td>ns1.example2.org</td>
</tr>
<tr class="row-even"><td>any glue records</td>
<td>permissive</td>
<td>ns1.example3.net</td>
</tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="example-glue" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id2">[1]</a></td><td>The examples show glue records acceptable from servers
authoritative for <cite>org</cite> zone when delegating to <cite>example.org</cite> zone.
Unacceptable or missing glue records trigger resolution of names listed
in NS records before following respective delegation.</td></tr>
</tbody>
</table>
</dd></dl>

<dl class="function">
<dt id="c.reorder_RR">
<code class="descname">reorder_RR</code><span class="sig-paren">(</span>[true |<em>&nbsp;false]</em><span class="sig-paren">)</span><a class="headerlink" href="#c.reorder_RR" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first simple">
<li><strong>value</strong> (<em>boolean</em>) – New value for the option <em>(optional)</em></li>
</ul>
</td>
</tr>
<tr class="field-even field"><th class="field-name">Returns:</th><td class="field-body"><p class="first last">The (new) value of the option</p>
</td>
</tr>
</tbody>
</table>
<p>If set, resolver will vary the order of resource records within RR-sets
every time when answered from cache.  It is disabled by default.</p>
</dd></dl>

<dl class="function">
<dt id="c.user">
<code class="descname">user</code><span class="sig-paren">(</span>name, [group]<span class="sig-paren">)</span><a class="headerlink" href="#c.user" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first simple">
<li><strong>name</strong> (<em>string</em>) – user name</li>
<li><strong>group</strong> (<em>string</em>) – group name (optional)</li>
</ul>
</td>
</tr>
<tr class="field-even field"><th class="field-name">Returns:</th><td class="field-body"><p class="first last">boolean</p>
</td>
</tr>
</tbody>
</table>
<p>Drop privileges and run as given user (and group, if provided).</p>
<div class="admonition tip">
<p class="first admonition-title">Tip</p>
<p>Note that you should bind to required network addresses before changing user. At the same time, you should open the cache <strong>AFTER</strong> you change the user (so it remains accessible). A good practice is to divide configuration in two parts:</p>
<div class="last highlight-lua"><div class="highlight"><pre><span></span><span class="c1">-- privileged</span>
<span class="n">net</span> <span class="o">=</span> <span class="p">{</span> <span class="s1">&#39;127.0.0.1&#39;</span><span class="p">,</span> <span class="s1">&#39;::1&#39;</span> <span class="p">}</span>
<span class="c1">-- unprivileged</span>
<span class="n">cache</span><span class="p">.</span><span class="n">size</span> <span class="o">=</span> <span class="mi">100</span><span class="o">*</span><span class="n">MB</span>
<span class="n">trust_anchors</span><span class="p">.</span><span class="n">file</span> <span class="o">=</span> <span class="s1">&#39;root.key&#39;</span>
</pre></div>
</div>
</div>
<p>Example output:</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="o">&gt;</span> <span class="n">user</span><span class="p">(</span><span class="s1">&#39;baduser&#39;</span><span class="p">)</span>
<span class="n">invalid</span> <span class="n">user</span> <span class="n">name</span>
<span class="o">&gt;</span> <span class="n">user</span><span class="p">(</span><span class="s1">&#39;knot-resolver&#39;</span><span class="p">,</span> <span class="s1">&#39;netgrp&#39;</span><span class="p">)</span>
<span class="kc">true</span>
<span class="o">&gt;</span> <span class="n">user</span><span class="p">(</span><span class="s1">&#39;root&#39;</span><span class="p">)</span>
<span class="n">Operation</span> <span class="ow">not</span> <span class="n">permitted</span>
</pre></div>
</div>
</dd></dl>

<dl class="function">
<dt id="c.resolve">
<code class="descname">resolve</code><span class="sig-paren">(</span>name, type[, class =<em>&nbsp;kres.class.IN</em>, options =<em>&nbsp;{}</em>, finish =<em>&nbsp;nil]</em><span class="sig-paren">)</span><a class="headerlink" href="#c.resolve" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first simple">
<li><strong>name</strong> (<em>string</em>) – Query name (e.g. ‘com.’)</li>
<li><strong>type</strong> (<em>number</em>) – Query type (e.g. <code class="docutils literal"><span class="pre">kres.type.NS</span></code>)</li>
<li><strong>class</strong> (<em>number</em>) – Query class <em>(optional)</em> (e.g. <code class="docutils literal"><span class="pre">kres.class.IN</span></code>)</li>
<li><strong>options</strong> (<em>number</em>) – Resolution options (see query flags)</li>
<li><strong>finish</strong> (<em>function</em>) – Callback to be executed when resolution completes (e.g. <cite>function cb (pkt, req) end</cite>). The callback gets a packet containing the final answer and doesn’t have to return anything.</li>
</ul>
</td>
</tr>
<tr class="field-even field"><th class="field-name">Returns:</th><td class="field-body"><p class="first last">boolean</p>
</td>
</tr>
</tbody>
</table>
<p>The function can also be executed with a table of arguments instead. This is useful if you’d like to skip some arguments, for example:</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">resolve</span> <span class="p">{</span>
   <span class="n">name</span> <span class="o">=</span> <span class="s1">&#39;example.com&#39;</span><span class="p">,</span>
   <span class="nb">type</span> <span class="o">=</span> <span class="n">kres</span><span class="p">.</span><span class="n">type</span><span class="p">.</span><span class="n">AAAA</span><span class="p">,</span>
   <span class="n">init</span> <span class="o">=</span> <span class="kr">function</span> <span class="p">(</span><span class="n">req</span><span class="p">)</span>
   <span class="kr">end</span><span class="p">,</span>
<span class="p">}</span>
</pre></div>
</div>
<p>Example:</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="c1">-- Send query for root DNSKEY, ignore cache</span>
<span class="n">resolve</span><span class="p">(</span><span class="s1">&#39;.&#39;</span><span class="p">,</span> <span class="n">kres</span><span class="p">.</span><span class="n">type</span><span class="p">.</span><span class="n">DNSKEY</span><span class="p">,</span> <span class="n">kres</span><span class="p">.</span><span class="n">class</span><span class="p">.</span><span class="n">IN</span><span class="p">,</span> <span class="s1">&#39;NO_CACHE&#39;</span><span class="p">)</span>

<span class="c1">-- Query for AAAA record</span>
<span class="n">resolve</span><span class="p">(</span><span class="s1">&#39;example.com&#39;</span><span class="p">,</span> <span class="n">kres</span><span class="p">.</span><span class="n">type</span><span class="p">.</span><span class="n">AAAA</span><span class="p">,</span> <span class="n">kres</span><span class="p">.</span><span class="n">class</span><span class="p">.</span><span class="n">IN</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span>
<span class="kr">function</span> <span class="p">(</span><span class="n">answer</span><span class="p">,</span> <span class="n">req</span><span class="p">)</span>
   <span class="c1">-- Check answer RCODE</span>
   <span class="kd">local</span> <span class="n">pkt</span> <span class="o">=</span> <span class="n">kres</span><span class="p">.</span><span class="n">pkt_t</span><span class="p">(</span><span class="n">answer</span><span class="p">)</span>
   <span class="kr">if</span> <span class="n">pkt</span><span class="p">:</span><span class="n">rcode</span><span class="p">()</span> <span class="o">==</span> <span class="n">kres</span><span class="p">.</span><span class="n">rcode</span><span class="p">.</span><span class="n">NOERROR</span> <span class="kr">then</span>
      <span class="c1">-- Print matching records</span>
      <span class="kd">local</span> <span class="n">records</span> <span class="o">=</span> <span class="n">pkt</span><span class="p">:</span><span class="n">section</span><span class="p">(</span><span class="n">kres</span><span class="p">.</span><span class="n">section</span><span class="p">.</span><span class="n">ANSWER</span><span class="p">)</span>
      <span class="kr">for</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">1</span><span class="p">,</span> <span class="o">#</span><span class="n">records</span> <span class="kr">do</span>
         <span class="kd">local</span> <span class="n">rr</span> <span class="o">=</span> <span class="n">records</span><span class="p">[</span><span class="n">i</span><span class="p">]</span>
         <span class="kr">if</span> <span class="n">rr</span><span class="p">.</span><span class="n">type</span> <span class="o">==</span> <span class="n">kres</span><span class="p">.</span><span class="n">type</span><span class="p">.</span><span class="n">AAAA</span> <span class="kr">then</span>
            <span class="nb">print</span> <span class="p">(</span><span class="s1">&#39;record:&#39;</span><span class="p">,</span> <span class="n">kres</span><span class="p">.</span><span class="n">rr2str</span><span class="p">(</span><span class="n">rr</span><span class="p">))</span>
         <span class="kr">end</span>
      <span class="kr">end</span>
   <span class="kr">else</span>
      <span class="nb">print</span> <span class="p">(</span><span class="s1">&#39;rcode: &#39;</span><span class="p">,</span> <span class="n">pkt</span><span class="p">:</span><span class="n">rcode</span><span class="p">())</span>
   <span class="kr">end</span>
<span class="kr">end</span><span class="p">)</span>
</pre></div>
</div>
</dd></dl>

</div>
<div class="section" id="network-configuration">
<h4><a class="toc-backref" href="#id17">Network configuration</a><a class="headerlink" href="#network-configuration" title="Permalink to this headline">¶</a></h4>
<p>For when listening on <code class="docutils literal"><span class="pre">localhost</span></code> just doesn’t cut it.</p>
<div class="admonition tip">
<p class="first admonition-title">Tip</p>
<p>Use declarative interface for network.</p>
<div class="last highlight-lua"><div class="highlight"><pre><span></span><span class="n">net</span> <span class="o">=</span> <span class="p">{</span> <span class="s1">&#39;127.0.0.1&#39;</span><span class="p">,</span> <span class="n">net</span><span class="p">.</span><span class="n">eth0</span><span class="p">,</span> <span class="n">net</span><span class="p">.</span><span class="n">eth1</span><span class="p">.</span><span class="n">addr</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="p">}</span>
<span class="n">net</span><span class="p">.</span><span class="n">ipv4</span> <span class="o">=</span> <span class="kc">false</span>
</pre></div>
</div>
</div>
<dl class="envvar">
<dt id="envvar-net.ipv6=true|false">
<code class="descname">net.ipv6 = true|false</code><a class="headerlink" href="#envvar-net.ipv6=true|false" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Return:</th><td class="field-body">boolean (default: true)</td>
</tr>
</tbody>
</table>
<p>Enable/disable using IPv6 for recursion.</p>
</dd></dl>

<dl class="envvar">
<dt id="envvar-net.ipv4=true|false">
<code class="descname">net.ipv4 = true|false</code><a class="headerlink" href="#envvar-net.ipv4=true|false" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Return:</th><td class="field-body">boolean (default: true)</td>
</tr>
</tbody>
</table>
<p>Enable/disable using IPv4 for recursion.</p>
</dd></dl>

<dl class="function">
<dt id="c.net.listen">
<code class="descname">net.listen</code><span class="sig-paren">(</span>addresses, [port =<em>&nbsp;53</em>, flags = {tls = (port ==<em>&nbsp;853)}]</em><span class="sig-paren">)</span><a class="headerlink" href="#c.net.listen" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Returns:</th><td class="field-body">boolean</td>
</tr>
</tbody>
</table>
<p>Listen on addresses; port and flags are optional.
The addresses can be specified as a string or device,
or a list of addresses (recursively).
The command can be given multiple times, but note that it silently skips
any addresses that have already been bound.</p>
<p>Examples:</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">net</span><span class="p">.</span><span class="n">listen</span><span class="p">(</span><span class="s1">&#39;::1&#39;</span><span class="p">)</span>
<span class="n">net</span><span class="p">.</span><span class="n">listen</span><span class="p">(</span><span class="n">net</span><span class="p">.</span><span class="n">lo</span><span class="p">,</span> <span class="mi">5353</span><span class="p">)</span>
<span class="n">net</span><span class="p">.</span><span class="n">listen</span><span class="p">({</span><span class="n">net</span><span class="p">.</span><span class="n">eth0</span><span class="p">,</span> <span class="s1">&#39;127.0.0.1&#39;</span><span class="p">},</span> <span class="mi">53853</span><span class="p">,</span> <span class="p">{</span><span class="n">tls</span> <span class="o">=</span> <span class="kc">true</span><span class="p">})</span>
</pre></div>
</div>
</dd></dl>

<dl class="function">
<dt id="c.net.close">
<code class="descname">net.close</code><span class="sig-paren">(</span>address, [port =<em>&nbsp;53]</em><span class="sig-paren">)</span><a class="headerlink" href="#c.net.close" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Returns:</th><td class="field-body">boolean</td>
</tr>
</tbody>
</table>
<p>Close opened address/port pair, noop if not listening.</p>
</dd></dl>

<dl class="function">
<dt id="c.net.list">
<code class="descname">net.list</code><span class="sig-paren">(</span><span class="sig-paren">)</span><a class="headerlink" href="#c.net.list" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Returns:</th><td class="field-body">Table of bound interfaces.</td>
</tr>
</tbody>
</table>
<p>Example output:</p>
<div class="highlight-none"><div class="highlight"><pre><span></span>[127.0.0.1] =&gt; {
    [port] =&gt; 53
    [tcp] =&gt; true
    [udp] =&gt; true
}
</pre></div>
</div>
</dd></dl>

<dl class="function">
<dt id="c.net.interfaces">
<code class="descname">net.interfaces</code><span class="sig-paren">(</span><span class="sig-paren">)</span><a class="headerlink" href="#c.net.interfaces" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Returns:</th><td class="field-body">Table of available interfaces and their addresses.</td>
</tr>
</tbody>
</table>
<p>Example output:</p>
<div class="highlight-none"><div class="highlight"><pre><span></span>[lo0] =&gt; {
    [addr] =&gt; {
        [1] =&gt; ::1
        [2] =&gt; 127.0.0.1
    }
    [mac] =&gt; 00:00:00:00:00:00
}
[eth0] =&gt; {
    [addr] =&gt; {
        [1] =&gt; 192.168.0.1
    }
    [mac] =&gt; de:ad:be:ef:aa:bb
}
</pre></div>
</div>
<div class="admonition tip">
<p class="first admonition-title">Tip</p>
<p class="last">You can use <code class="docutils literal"><span class="pre">net.&lt;iface&gt;</span></code> as a shortcut for specific interface, e.g. <code class="docutils literal"><span class="pre">net.eth0</span></code></p>
</div>
</dd></dl>

<dl class="function">
<dt id="c.net.bufsize">
<code class="descname">net.bufsize</code><span class="sig-paren">(</span>[udp_bufsize]<span class="sig-paren">)</span><a class="headerlink" href="#c.net.bufsize" title="Permalink to this definition">¶</a></dt>
<dd><p>Get/set maximum EDNS payload available. Default is 4096.
You cannot set less than 512 (512 is DNS packet size without EDNS, 1220 is minimum size for DNSSEC) or more than 65535 octets.</p>
<p>Example output:</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="o">&gt;</span> <span class="n">net</span><span class="p">.</span><span class="n">bufsize</span> <span class="mi">4096</span>
<span class="o">&gt;</span> <span class="n">net</span><span class="p">.</span><span class="n">bufsize</span><span class="p">()</span>
<span class="mi">4096</span>
</pre></div>
</div>
</dd></dl>

<dl class="function">
<dt id="c.net.tcp_pipeline">
<code class="descname">net.tcp_pipeline</code><span class="sig-paren">(</span>[len]<span class="sig-paren">)</span><a class="headerlink" href="#c.net.tcp_pipeline" title="Permalink to this definition">¶</a></dt>
<dd><p>Get/set per-client TCP pipeline limit, i.e. the number of outstanding queries that a single client connection can make in parallel.  Default is 100.</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="o">&gt;</span> <span class="n">net</span><span class="p">.</span><span class="n">tcp_pipeline</span><span class="p">()</span>
<span class="mi">100</span>
<span class="o">&gt;</span> <span class="n">net</span><span class="p">.</span><span class="n">tcp_pipeline</span><span class="p">(</span><span class="mi">50</span><span class="p">)</span>
<span class="mi">50</span>
</pre></div>
</div>
</dd></dl>

<span class="target" id="tls-server-config"></span><dl class="function">
<dt id="c.net.tls">
<code class="descname">net.tls</code><span class="sig-paren">(</span>[cert_path], [key_path]<span class="sig-paren">)</span><a class="headerlink" href="#c.net.tls" title="Permalink to this definition">¶</a></dt>
<dd><p>Get/set path to a server TLS certificate and private key for DNS/TLS.</p>
<p>Example output:</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="o">&gt;</span> <span class="n">net</span><span class="p">.</span><span class="n">tls</span><span class="p">(</span><span class="s2">&quot;/etc/knot-resolver/server-cert.pem&quot;</span><span class="p">,</span> <span class="s2">&quot;/etc/knot-resolver/server-key.pem&quot;</span><span class="p">)</span>
<span class="o">&gt;</span> <span class="n">net</span><span class="p">.</span><span class="n">tls</span><span class="p">()</span>
<span class="p">(</span><span class="s2">&quot;/etc/knot-resolver/server-cert.pem&quot;</span><span class="p">,</span> <span class="s2">&quot;/etc/knot-resolver/server-key.pem&quot;</span><span class="p">)</span>
<span class="o">&gt;</span> <span class="n">net</span><span class="p">.</span><span class="n">listen</span><span class="p">(</span><span class="s2">&quot;::&quot;</span><span class="p">,</span> <span class="mi">853</span><span class="p">)</span>
<span class="o">&gt;</span> <span class="n">net</span><span class="p">.</span><span class="n">listen</span><span class="p">(</span><span class="s2">&quot;::&quot;</span><span class="p">,</span> <span class="mi">443</span><span class="p">,</span> <span class="p">{</span><span class="n">tls</span> <span class="o">=</span> <span class="kc">true</span><span class="p">})</span>
</pre></div>
</div>
</dd></dl>

<dl class="function">
<dt id="c.net.tls_padding">
<code class="descname">net.tls_padding</code><span class="sig-paren">(</span>[padding]<span class="sig-paren">)</span><a class="headerlink" href="#c.net.tls_padding" title="Permalink to this definition">¶</a></dt>
<dd><p>Get/set EDNS(0) padding of answers to queries that arrive over TLS
transport.  If set to <cite>true</cite> (the default), it will use a sensible
default padding scheme, as implemented by libknot if available at
compile time.  If set to a numeric value &gt;= 2 it will pad the
answers to nearest <em>padding</em> boundary, e.g. if set to <cite>64</cite>, the
answer will have size of a multiple of 64 (64, 128, 192, …).  If
set to <cite>false</cite> (or a number &lt; 2), it will disable padding entirely.</p>
</dd></dl>

<dl class="function">
<dt id="c.net.outgoing_v4">
<code class="descname">net.outgoing_v4</code><span class="sig-paren">(</span>[string<em>&nbsp;address]</em><span class="sig-paren">)</span><a class="headerlink" href="#c.net.outgoing_v4" title="Permalink to this definition">¶</a></dt>
<dd><p>Get/set the IPv4 address used to perform queries.  There is also <code class="docutils literal"><span class="pre">net.outgoing_v6</span></code> for IPv6.
The default is <code class="docutils literal"><span class="pre">nil</span></code>, which lets the OS choose any address.</p>
</dd></dl>

</div>
<div class="section" id="trust-anchors-and-dnssec">
<span id="dnssec-config"></span><h4><a class="toc-backref" href="#id18">Trust anchors and DNSSEC</a><a class="headerlink" href="#trust-anchors-and-dnssec" title="Permalink to this headline">¶</a></h4>
<dl class="function">
<dt id="c.trust_anchors.config">
<code class="descname">trust_anchors.config</code><span class="sig-paren">(</span>keyfile, readonly<span class="sig-paren">)</span><a class="headerlink" href="#c.trust_anchors.config" title="Permalink to this definition">¶</a></dt>
<dd><p>Alias for <cite>add_file</cite>.  It is also equivalent to CLI parameter <code class="docutils literal"><span class="pre">-k</span> <span class="pre">&lt;keyfile&gt;</span></code>
and <code class="docutils literal"><span class="pre">trust_anchors.file</span> <span class="pre">=</span> <span class="pre">keyfile</span></code>.</p>
</dd></dl>

<dl class="function">
<dt id="c.trust_anchors.add_file">
<code class="descname">trust_anchors.add_file</code><span class="sig-paren">(</span>keyfile, readonly<span class="sig-paren">)</span><a class="headerlink" href="#c.trust_anchors.add_file" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first last simple">
<li><strong>keyfile</strong> (<em>string</em>) – path to the file.</li>
<li><strong>readonly</strong> – if true, do not attempt to update the file.</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>The format is standard zone file, though additional information may be persisted in comments.
Either DS or DNSKEY records can be used for TAs.
If the file does not exist, bootstrapping of <em>root</em> TA will be attempted.</p>
<p>Each file can only contain records for a single domain.
The TAs will be updated according to <span class="target" id="index-0"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc5011.html"><strong>RFC 5011</strong></a> and persisted in the file (if allowed).</p>
<p>Example output:</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="o">&gt;</span> <span class="n">trust_anchors</span><span class="p">.</span><span class="n">add_file</span><span class="p">(</span><span class="s1">&#39;root.key&#39;</span><span class="p">)</span>
<span class="p">[</span> <span class="n">ta</span> <span class="p">]</span> <span class="n">new</span> <span class="n">state</span> <span class="n">of</span> <span class="n">trust</span> <span class="n">anchors</span> <span class="kr">for</span> <span class="n">a</span> <span class="n">domain</span><span class="p">:</span>
<span class="p">.</span>                       <span class="mi">165488</span>  <span class="n">DS</span>      <span class="mi">19036</span> <span class="mi">8</span> <span class="mi">2</span> <span class="mi">49</span><span class="n">AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</span>
<span class="kc">nil</span>

<span class="p">[</span> <span class="n">ta</span> <span class="p">]</span> <span class="n">key</span><span class="p">:</span> <span class="mi">19036</span> <span class="n">state</span><span class="p">:</span> <span class="n">Valid</span>
</pre></div>
</div>
</dd></dl>

<dl class="envvar">
<dt id="envvar-trust_anchors.hold_down_time=30*day">
<code class="descname">trust_anchors.hold_down_time = 30 * day</code><a class="headerlink" href="#envvar-trust_anchors.hold_down_time=30*day" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Return:</th><td class="field-body">int (default: 30 * day)</td>
</tr>
</tbody>
</table>
<p>Modify RFC5011 hold-down timer to given value. Example: <code class="docutils literal"><span class="pre">30</span> <span class="pre">*</span> <span class="pre">sec</span></code></p>
</dd></dl>

<dl class="envvar">
<dt id="envvar-trust_anchors.refresh_time=nil">
<code class="descname">trust_anchors.refresh_time = nil</code><a class="headerlink" href="#envvar-trust_anchors.refresh_time=nil" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Return:</th><td class="field-body">int (default: nil)</td>
</tr>
</tbody>
</table>
<p>Modify RFC5011 refresh timer to given value (not set by default), this will force trust anchors
to be updated every N seconds periodically instead of relying on RFC5011 logic and TTLs.
Example: <code class="docutils literal"><span class="pre">10</span> <span class="pre">*</span> <span class="pre">sec</span></code></p>
</dd></dl>

<dl class="envvar">
<dt id="envvar-trust_anchors.keep_removed=0">
<code class="descname">trust_anchors.keep_removed = 0</code><a class="headerlink" href="#envvar-trust_anchors.keep_removed=0" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Return:</th><td class="field-body">int (default: 0)</td>
</tr>
</tbody>
</table>
<p>How many <code class="docutils literal"><span class="pre">Removed</span></code> keys should be held in history (and key file) before being purged.
Note: all <code class="docutils literal"><span class="pre">Removed</span></code> keys will be purged from key file after restarting the process.</p>
</dd></dl>

<dl class="function">
<dt id="c.trust_anchors.set_insecure">
<code class="descname">trust_anchors.set_insecure</code><span class="sig-paren">(</span>nta_set<span class="sig-paren">)</span><a class="headerlink" href="#c.trust_anchors.set_insecure" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first last simple">
<li><strong>nta_list</strong> (<em>table</em>) – List of domain names (text format) representing NTAs.</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>When you use a domain name as an NTA, DNSSEC validation will be turned off at/below these names.
Each function call replaces the previous NTA set. You can find the current active set in <code class="docutils literal"><span class="pre">trust_anchors.insecure</span></code> variable.</p>
<div class="admonition tip">
<p class="first admonition-title">Tip</p>
<p class="last">Use the <cite>trust_anchors.negative = {}</cite> alias for easier configuration.</p>
</div>
<p>Example output:</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="o">&gt;</span> <span class="n">trust_anchors</span><span class="p">.</span><span class="n">negative</span> <span class="o">=</span> <span class="p">{</span> <span class="s1">&#39;bad.boy&#39;</span><span class="p">,</span> <span class="s1">&#39;example.com&#39;</span> <span class="p">}</span>
<span class="o">&gt;</span> <span class="n">trust_anchors</span><span class="p">.</span><span class="n">insecure</span>
<span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=&gt;</span> <span class="n">bad</span><span class="p">.</span><span class="n">boy</span>
<span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">=&gt;</span> <span class="n">example</span><span class="p">.</span><span class="n">com</span>
</pre></div>
</div>
</dd></dl>

<dl class="function">
<dt id="c.trust_anchors.add">
<code class="descname">trust_anchors.add</code><span class="sig-paren">(</span>rr_string<span class="sig-paren">)</span><a class="headerlink" href="#c.trust_anchors.add" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first last simple">
<li><strong>rr_string</strong> (<em>string</em>) – DS/DNSKEY records in presentation format (e.g. <code class="docutils literal"><span class="pre">.</span> <span class="pre">3600</span> <span class="pre">IN</span> <span class="pre">DS</span> <span class="pre">19036</span> <span class="pre">8</span> <span class="pre">2</span> <span class="pre">49AAC11...</span></code>)</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>Inserts DS/DNSKEY record(s) into current keyset. These will not be managed or updated, use it only for testing
or if you have a specific use case for not using a keyfile.</p>
<p>Example output:</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="o">&gt;</span> <span class="n">trust_anchors</span><span class="p">.</span><span class="n">add</span><span class="p">(</span><span class="s1">&#39;. 3600 IN DS 19036 8 2 49AAC11...&#39;</span><span class="p">)</span>
</pre></div>
</div>
</dd></dl>

</div>
<div class="section" id="modules-configuration">
<h4><a class="toc-backref" href="#id19">Modules configuration</a><a class="headerlink" href="#modules-configuration" title="Permalink to this headline">¶</a></h4>
<p>The daemon provides an interface for dynamic loading of <a class="reference internal" href="modules.html#modules-implemented"><span class="std std-ref">daemon modules</span></a>.</p>
<div class="admonition tip">
<p class="first admonition-title">Tip</p>
<p>Use declarative interface for module loading.</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">modules</span> <span class="o">=</span> <span class="p">{</span>
        <span class="n">hints</span> <span class="o">=</span> <span class="p">{</span><span class="n">file</span> <span class="o">=</span> <span class="s1">&#39;/etc/hosts&#39;</span><span class="p">}</span>
<span class="p">}</span>
</pre></div>
</div>
<p>Equals to:</p>
<div class="last highlight-lua"><div class="highlight"><pre><span></span><span class="n">modules</span><span class="p">.</span><span class="n">load</span><span class="p">(</span><span class="s1">&#39;hints&#39;</span><span class="p">)</span>
<span class="n">hints</span><span class="p">.</span><span class="n">config</span><span class="p">({</span><span class="n">file</span> <span class="o">=</span> <span class="s1">&#39;/etc/hosts&#39;</span><span class="p">})</span>
</pre></div>
</div>
</div>
<dl class="function">
<dt id="c.modules.list">
<code class="descname">modules.list</code><span class="sig-paren">(</span><span class="sig-paren">)</span><a class="headerlink" href="#c.modules.list" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Returns:</th><td class="field-body">List of loaded modules.</td>
</tr>
</tbody>
</table>
</dd></dl>

<dl class="function">
<dt id="c.modules.load">
<code class="descname">modules.load</code><span class="sig-paren">(</span>name<span class="sig-paren">)</span><a class="headerlink" href="#c.modules.load" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first simple">
<li><strong>name</strong> (<em>string</em>) – Module name, e.g. “hints”</li>
</ul>
</td>
</tr>
<tr class="field-even field"><th class="field-name">Returns:</th><td class="field-body"><p class="first last">boolean</p>
</td>
</tr>
</tbody>
</table>
<p>Load a module by name.</p>
</dd></dl>

<dl class="function">
<dt id="c.modules.unload">
<code class="descname">modules.unload</code><span class="sig-paren">(</span>name<span class="sig-paren">)</span><a class="headerlink" href="#c.modules.unload" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first simple">
<li><strong>name</strong> (<em>string</em>) – Module name</li>
</ul>
</td>
</tr>
<tr class="field-even field"><th class="field-name">Returns:</th><td class="field-body"><p class="first last">boolean</p>
</td>
</tr>
</tbody>
</table>
<p>Unload a module by name.</p>
</dd></dl>

</div>
<div class="section" id="cache-configuration">
<h4><a class="toc-backref" href="#id20">Cache configuration</a><a class="headerlink" href="#cache-configuration" title="Permalink to this headline">¶</a></h4>
<p>The default cache in Knot DNS Resolver is persistent with LMDB backend, this means that the daemon doesn’t lose
the cached data on restart or crash to avoid cold-starts. The cache may be reused between cache
daemons or manipulated from other processes, making for example synchronised load-balanced recursors possible.</p>
<dl class="envvar">
<dt id="envvar-cache.size(number)">
<code class="descname">cache.size (number)</code><a class="headerlink" href="#envvar-cache.size(number)" title="Permalink to this definition">¶</a></dt>
<dd><p>Set the cache maximum size in bytes. Note that this is only a hint to the backend,
which may or may not respect it. See <a class="reference internal" href="#c.cache.open" title="cache.open"><code class="xref c c-func docutils literal"><span class="pre">cache.open()</span></code></a>.</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">cache</span><span class="p">.</span><span class="n">size</span> <span class="o">=</span> <span class="mi">100</span> <span class="o">*</span> <span class="n">MB</span> <span class="c1">-- equivalent to `cache.open(100 * MB)`</span>
</pre></div>
</div>
</dd></dl>

<dl class="envvar">
<dt id="envvar-cache.current_size(number)">
<code class="descname">cache.current_size (number)</code><a class="headerlink" href="#envvar-cache.current_size(number)" title="Permalink to this definition">¶</a></dt>
<dd><p>Get the maximum size in bytes.</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="nb">print</span><span class="p">(</span><span class="n">cache</span><span class="p">.</span><span class="n">current_size</span><span class="p">)</span>
</pre></div>
</div>
</dd></dl>

<dl class="envvar">
<dt id="envvar-cache.storage(string)">
<code class="descname">cache.storage (string)</code><a class="headerlink" href="#envvar-cache.storage(string)" title="Permalink to this definition">¶</a></dt>
<dd><p>Set the cache storage backend configuration, see <a class="reference internal" href="#c.cache.backends" title="cache.backends"><code class="xref c c-func docutils literal"><span class="pre">cache.backends()</span></code></a> for
more information. If the new storage configuration is invalid, it is not set.</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">cache</span><span class="p">.</span><span class="n">storage</span> <span class="o">=</span> <span class="s1">&#39;lmdb://.&#39;</span>
</pre></div>
</div>
</dd></dl>

<dl class="envvar">
<dt id="envvar-cache.current_storage(string)">
<code class="descname">cache.current_storage (string)</code><a class="headerlink" href="#envvar-cache.current_storage(string)" title="Permalink to this definition">¶</a></dt>
<dd><p>Get the storage backend configuration.</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="nb">print</span><span class="p">(</span><span class="n">cache</span><span class="p">.</span><span class="n">storage</span><span class="p">)</span>
</pre></div>
</div>
</dd></dl>

<dl class="function">
<dt id="c.cache.backends">
<code class="descname">cache.backends</code><span class="sig-paren">(</span><span class="sig-paren">)</span><a class="headerlink" href="#c.cache.backends" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Returns:</th><td class="field-body">map of backends</td>
</tr>
</tbody>
</table>
<p>The cache supports runtime-changeable backends, using the optional <span class="target" id="index-1"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc3986.html"><strong>RFC 3986</strong></a> URI, where the scheme
represents backend protocol and the rest of the URI backend-specific configuration. By default, it
is a <code class="docutils literal"><span class="pre">lmdb</span></code> backend in working directory, i.e. <code class="docutils literal"><span class="pre">lmdb://</span></code>.</p>
<p>Example output:</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">lmdb</span><span class="p">:</span><span class="o">//</span><span class="p">]</span> <span class="o">=&gt;</span> <span class="kc">true</span>
</pre></div>
</div>
</dd></dl>

<dl class="function">
<dt id="c.cache.stats">
<code class="descname">cache.stats</code><span class="sig-paren">(</span><span class="sig-paren">)</span><a class="headerlink" href="#c.cache.stats" title="Permalink to this definition">¶</a></dt>
<dd><blockquote>
<div><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">return:</th><td class="field-body">table of cache counters</td>
</tr>
</tbody>
</table>
</div></blockquote>
<p>The cache collects counters on various operations (hits, misses, transactions, …). This function call returns a table of
cache counters that can be used for calculating statistics.</p>
</dd></dl>

<dl class="function">
<dt id="c.cache.open">
<code class="descname">cache.open</code><span class="sig-paren">(</span>max_size[, config_uri]<span class="sig-paren">)</span><a class="headerlink" href="#c.cache.open" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first simple">
<li><strong>max_size</strong> (<em>number</em>) – Maximum cache size in bytes.</li>
</ul>
</td>
</tr>
<tr class="field-even field"><th class="field-name">Returns:</th><td class="field-body"><p class="first last">boolean</p>
</td>
</tr>
</tbody>
</table>
<p>Open cache with size limit. The cache will be reopened if already open.
Note that the max_size cannot be lowered, only increased due to how cache is implemented.</p>
<div class="admonition tip">
<p class="first admonition-title">Tip</p>
<p class="last">Use <code class="docutils literal"><span class="pre">kB,</span> <span class="pre">MB,</span> <span class="pre">GB</span></code> constants as a multiplier, e.g. <code class="docutils literal"><span class="pre">100*MB</span></code>.</p>
</div>
<p>The cache supports runtime-changeable backends, see <a class="reference internal" href="#c.cache.backends" title="cache.backends"><code class="xref c c-func docutils literal"><span class="pre">cache.backends()</span></code></a> for mor information and
default. Refer to specific documentation of specific backends for configuration string syntax.</p>
<ul class="simple">
<li><code class="docutils literal"><span class="pre">lmdb://</span></code></li>
</ul>
<p>As of now it only allows you to change the cache directory, e.g. <code class="docutils literal"><span class="pre">lmdb:///tmp/cachedir</span></code>.</p>
</dd></dl>

<dl class="function">
<dt id="c.cache.count">
<code class="descname">cache.count</code><span class="sig-paren">(</span><span class="sig-paren">)</span><a class="headerlink" href="#c.cache.count" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Returns:</th><td class="field-body">Number of entries in the cache or nil on error.</td>
</tr>
</tbody>
</table>
</dd></dl>

<dl class="function">
<dt id="c.cache.close">
<code class="descname">cache.close</code><span class="sig-paren">(</span><span class="sig-paren">)</span><a class="headerlink" href="#c.cache.close" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Returns:</th><td class="field-body">boolean</td>
</tr>
</tbody>
</table>
<p>Close the cache.</p>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">This may or may not clear the cache, depending on the used backend. See <a class="reference internal" href="#c.cache.clear" title="cache.clear"><code class="xref c c-func docutils literal"><span class="pre">cache.clear()</span></code></a>.</p>
</div>
</dd></dl>

<dl class="function">
<dt>
<code class="descname">cache.stats</code><span class="sig-paren">(</span><span class="sig-paren">)</span></dt>
<dd><p>Return table of statistics, note that this tracks all operations over cache, not just which
queries were answered from cache or not.</p>
<p>Example:</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="nb">print</span><span class="p">(</span><span class="s1">&#39;Insertions:&#39;</span><span class="p">,</span> <span class="n">cache</span><span class="p">.</span><span class="n">stats</span><span class="p">().</span><span class="n">insert</span><span class="p">)</span>
</pre></div>
</div>
</dd></dl>

<dl class="function">
<dt id="c.cache.max_ttl">
<code class="descname">cache.max_ttl</code><span class="sig-paren">(</span>[ttl]<span class="sig-paren">)</span><a class="headerlink" href="#c.cache.max_ttl" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first simple">
<li><strong>ttl</strong> (<em>number</em>) – maximum cache TTL (default: 6 days)</li>
</ul>
</td>
</tr>
<tr class="field-even field"><th class="field-name">Returns:</th><td class="field-body"><p class="first last">current maximum TTL</p>
</td>
</tr>
</tbody>
</table>
<p>Get or set maximum cache TTL.</p>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">The <cite>ttl</cite> value must be in range <cite>(min_ttl, 4294967295)</cite>.</p>
</div>
<div class="admonition warning">
<p class="first admonition-title">Warning</p>
<p class="last">This settings applies only to currently open cache, it will not persist if the cache is closed or reopened.</p>
</div>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="c1">-- Get maximum TTL</span>
<span class="n">cache</span><span class="p">.</span><span class="n">max_ttl</span><span class="p">()</span>
<span class="mi">518400</span>
<span class="c1">-- Set maximum TTL</span>
<span class="n">cache</span><span class="p">.</span><span class="n">max_ttl</span><span class="p">(</span><span class="mi">172800</span><span class="p">)</span>
<span class="mi">172800</span>
</pre></div>
</div>
</dd></dl>

<dl class="function">
<dt id="c.cache.min_ttl">
<code class="descname">cache.min_ttl</code><span class="sig-paren">(</span>[ttl]<span class="sig-paren">)</span><a class="headerlink" href="#c.cache.min_ttl" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first simple">
<li><strong>ttl</strong> (<em>number</em>) – minimum cache TTL (default: 0)</li>
</ul>
</td>
</tr>
<tr class="field-even field"><th class="field-name">Returns:</th><td class="field-body"><p class="first last">current maximum TTL</p>
</td>
</tr>
</tbody>
</table>
<p>Get or set minimum cache TTL. Any entry inserted into cache with TTL lower than minimal will be overriden to minimum TTL. Forcing TTL higher than specified violates DNS standards, use with care.</p>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">The <cite>ttl</cite> value must be in range <cite>&lt;0, max_ttl)</cite>.</p>
</div>
<div class="admonition warning">
<p class="first admonition-title">Warning</p>
<p class="last">This settings applies only to currently open cache, it will not persist if the cache is closed or reopened.</p>
</div>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="c1">-- Get minimum TTL</span>
<span class="n">cache</span><span class="p">.</span><span class="n">min_ttl</span><span class="p">()</span>
<span class="mi">0</span>
<span class="c1">-- Set minimum TTL</span>
<span class="n">cache</span><span class="p">.</span><span class="n">min_ttl</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span>
<span class="mi">5</span>
</pre></div>
</div>
</dd></dl>

<dl class="function">
<dt id="c.cache.prune">
<code class="descname">cache.prune</code><span class="sig-paren">(</span>[max_count]<span class="sig-paren">)</span><a class="headerlink" href="#c.cache.prune" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first simple">
<li><strong>max_count</strong> (<em>number</em>) – maximum number of items to be pruned at once (default: 65536)</li>
</ul>
</td>
</tr>
<tr class="field-even field"><th class="field-name">Returns:</th><td class="field-body"><p class="first last"><code class="docutils literal"><span class="pre">{</span> <span class="pre">pruned:</span> <span class="pre">int</span> <span class="pre">}</span></code></p>
</td>
</tr>
</tbody>
</table>
<p>Prune expired/invalid records.</p>
</dd></dl>

<dl class="function">
<dt id="c.cache.get">
<code class="descname">cache.get</code><span class="sig-paren">(</span>[domain]<span class="sig-paren">)</span><a class="headerlink" href="#c.cache.get" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Returns:</th><td class="field-body">list of matching records in cache</td>
</tr>
</tbody>
</table>
<p>Fetches matching records from cache. The <strong>domain</strong> can either be:</p>
<ul class="simple">
<li>a domain name (e.g. <code class="docutils literal"><span class="pre">&quot;domain.cz&quot;</span></code>)</li>
<li>a wildcard (e.g. <code class="docutils literal"><span class="pre">&quot;*.domain.cz&quot;</span></code>)</li>
</ul>
<p>The domain name fetches all records matching this name, while the wildcard matches all records at or below that name.</p>
<p>You can also use a special namespace <code class="docutils literal"><span class="pre">&quot;P&quot;</span></code> to purge NODATA/NXDOMAIN matching this name (e.g. <code class="docutils literal"><span class="pre">&quot;domain.cz</span> <span class="pre">P&quot;</span></code>).</p>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">This is equivalent to <code class="docutils literal"><span class="pre">cache['domain']</span></code> getter.</p>
</div>
<p>Examples:</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="c1">-- Query cache for &#39;domain.cz&#39;</span>
<span class="n">cache</span><span class="p">[</span><span class="s1">&#39;domain.cz&#39;</span><span class="p">]</span>
<span class="c1">-- Query cache for all records at/below &#39;insecure.net&#39;</span>
<span class="n">cache</span><span class="p">[</span><span class="s1">&#39;*.insecure.net&#39;</span><span class="p">]</span>
</pre></div>
</div>
</dd></dl>

<dl class="function">
<dt id="c.cache.clear">
<code class="descname">cache.clear</code><span class="sig-paren">(</span>[domain]<span class="sig-paren">)</span><a class="headerlink" href="#c.cache.clear" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Returns:</th><td class="field-body"><code class="docutils literal"><span class="pre">bool</span></code></td>
</tr>
</tbody>
</table>
<p>Purge cache records. If the domain isn’t provided, whole cache is purged. See <em>cache.get()</em> documentation for subtree matching policy.</p>
<p>Examples:</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="c1">-- Clear records at/below &#39;bad.cz&#39;</span>
<span class="n">cache</span><span class="p">.</span><span class="n">clear</span><span class="p">(</span><span class="s1">&#39;*.bad.cz&#39;</span><span class="p">)</span>
<span class="c1">-- Clear packet cache</span>
<span class="n">cache</span><span class="p">.</span><span class="n">clear</span><span class="p">(</span><span class="s1">&#39;*. P&#39;</span><span class="p">)</span>
<span class="c1">-- Clear whole cache</span>
<span class="n">cache</span><span class="p">.</span><span class="n">clear</span><span class="p">()</span>
</pre></div>
</div>
</dd></dl>

</div>
<div class="section" id="timers-and-events">
<h4><a class="toc-backref" href="#id21">Timers and events</a><a class="headerlink" href="#timers-and-events" title="Permalink to this headline">¶</a></h4>
<p>The timer represents exactly the thing described in the examples - it allows you to execute closures
after specified time, or event recurrent events. Time is always described in milliseconds,
but there are convenient variables that you can use - <code class="docutils literal"><span class="pre">sec,</span> <span class="pre">minute,</span> <span class="pre">hour</span></code>.
For example, <code class="docutils literal"><span class="pre">5</span> <span class="pre">*</span> <span class="pre">hour</span></code> represents five hours, or 5*60*60*100 milliseconds.</p>
<dl class="function">
<dt id="c.event.after">
<code class="descname">event.after</code><span class="sig-paren">(</span>time, function<span class="sig-paren">)</span><a class="headerlink" href="#c.event.after" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Returns:</th><td class="field-body">event id</td>
</tr>
</tbody>
</table>
<p>Execute function after the specified time has passed.
The first parameter of the callback is the event itself.</p>
<p>Example:</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">event</span><span class="p">.</span><span class="n">after</span><span class="p">(</span><span class="mi">1</span> <span class="o">*</span> <span class="n">minute</span><span class="p">,</span> <span class="kr">function</span><span class="p">()</span> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;Hi!&#39;</span><span class="p">)</span> <span class="kr">end</span><span class="p">)</span>
</pre></div>
</div>
</dd></dl>

<dl class="function">
<dt id="c.event.recurrent">
<code class="descname">event.recurrent</code><span class="sig-paren">(</span>interval, function<span class="sig-paren">)</span><a class="headerlink" href="#c.event.recurrent" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Returns:</th><td class="field-body">event id</td>
</tr>
</tbody>
</table>
<p>Similar to <a class="reference internal" href="#c.event.after" title="event.after"><code class="xref c c-func docutils literal"><span class="pre">event.after()</span></code></a>, periodically execute function after <code class="docutils literal"><span class="pre">interval</span></code> passes.</p>
<p>Example:</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">msg_count</span> <span class="o">=</span> <span class="mi">0</span>
<span class="n">event</span><span class="p">.</span><span class="n">recurrent</span><span class="p">(</span><span class="mi">5</span> <span class="o">*</span> <span class="n">sec</span><span class="p">,</span> <span class="kr">function</span><span class="p">(</span><span class="n">e</span><span class="p">)</span>
   <span class="n">msg_count</span> <span class="o">=</span> <span class="n">msg_count</span> <span class="o">+</span> <span class="mi">1</span>
   <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;Hi #&#39;</span><span class="o">..</span><span class="n">msg_count</span><span class="p">)</span>
<span class="kr">end</span><span class="p">)</span>
</pre></div>
</div>
</dd></dl>

<dl class="function">
<dt id="c.event.reschedule">
<code class="descname">event.reschedule</code><span class="sig-paren">(</span>event_id, timeout<span class="sig-paren">)</span><a class="headerlink" href="#c.event.reschedule" title="Permalink to this definition">¶</a></dt>
<dd><p>Reschedule a running event, it has no effect on canceled events.
New events may reuse the event_id, so the behaviour is undefined if the function
is called after another event is started.</p>
<p>Example:</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="kd">local</span> <span class="n">interval</span> <span class="o">=</span> <span class="mi">1</span> <span class="o">*</span> <span class="n">minute</span>
<span class="n">event</span><span class="p">.</span><span class="n">after</span><span class="p">(</span><span class="mi">1</span> <span class="o">*</span> <span class="n">minute</span><span class="p">,</span> <span class="kr">function</span> <span class="p">(</span><span class="n">ev</span><span class="p">)</span>
   <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;Good morning!&#39;</span><span class="p">)</span>
   <span class="c1">-- Halven the interval for each iteration</span>
   <span class="n">interval</span> <span class="o">=</span> <span class="n">interval</span> <span class="o">/</span> <span class="mi">2</span>
   <span class="n">event</span><span class="p">.</span><span class="n">reschedule</span><span class="p">(</span><span class="n">ev</span><span class="p">,</span> <span class="n">interval</span><span class="p">)</span>
<span class="kr">end</span><span class="p">)</span>
</pre></div>
</div>
</dd></dl>

<dl class="function">
<dt id="c.event.cancel">
<code class="descname">event.cancel</code><span class="sig-paren">(</span>event_id<span class="sig-paren">)</span><a class="headerlink" href="#c.event.cancel" title="Permalink to this definition">¶</a></dt>
<dd><p>Cancel running event, it has no effect on already canceled events.
New events may reuse the event_id, so the behaviour is undefined if the function
is called after another event is started.</p>
<p>Example:</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">e</span> <span class="o">=</span> <span class="n">event</span><span class="p">.</span><span class="n">after</span><span class="p">(</span><span class="mi">1</span> <span class="o">*</span> <span class="n">minute</span><span class="p">,</span> <span class="kr">function</span><span class="p">()</span> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;Hi!&#39;</span><span class="p">)</span> <span class="kr">end</span><span class="p">)</span>
<span class="n">event</span><span class="p">.</span><span class="n">cancel</span><span class="p">(</span><span class="n">e</span><span class="p">)</span>
</pre></div>
</div>
</dd></dl>

<p>Watch for file descriptor activity. This allows embedding other event loops or simply
firing events when a pipe endpoint becomes active. In another words, asynchronous
notifications for daemon.</p>
<dl class="function">
<dt id="c.event.socket">
<code class="descname">event.socket</code><span class="sig-paren">(</span>fd, cb<span class="sig-paren">)</span><a class="headerlink" href="#c.event.socket" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first simple">
<li><strong>fd</strong> (<em>number</em>) – file descriptor to watch</li>
<li><strong>cb</strong> – closure or callback to execute when fd becomes active</li>
</ul>
</td>
</tr>
<tr class="field-even field"><th class="field-name">Returns:</th><td class="field-body"><p class="first last">event id</p>
</td>
</tr>
</tbody>
</table>
<p>Execute function when there is activity on the file descriptor and calls a closure
with event id as the first parameter, status as second and number of events as third.</p>
<p>Example:</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">e</span> <span class="o">=</span> <span class="n">event</span><span class="p">.</span><span class="n">socket</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="kr">function</span><span class="p">(</span><span class="n">e</span><span class="p">,</span> <span class="n">status</span><span class="p">,</span> <span class="n">nevents</span><span class="p">)</span>
   <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;activity detected&#39;</span><span class="p">)</span>
<span class="kr">end</span><span class="p">)</span>
<span class="n">e</span><span class="p">.</span><span class="n">cancel</span><span class="p">(</span><span class="n">e</span><span class="p">)</span>
</pre></div>
</div>
</dd></dl>

</div>
<div class="section" id="asynchronous-function-execution">
<h4><a class="toc-backref" href="#id22">Asynchronous function execution</a><a class="headerlink" href="#asynchronous-function-execution" title="Permalink to this headline">¶</a></h4>
<p>The <cite>event</cite> package provides a very basic mean for non-blocking execution - it allows running code when activity on a file descriptor is detected, and when a certain amount of time passes. It doesn’t however provide an easy to use abstraction for non-blocking I/O. This is instead exposed through the <cite>worker</cite> package (if <cite>cqueues</cite> Lua package is installed in the system).</p>
<dl class="function">
<dt id="c.worker.coroutine">
<code class="descname">worker.coroutine</code><span class="sig-paren">(</span>function<span class="sig-paren">)</span><a class="headerlink" href="#c.worker.coroutine" title="Permalink to this definition">¶</a></dt>
<dd><p>Start a new coroutine with given function (closure). The function can do I/O or run timers without blocking the main thread. See <a class="reference external" href="https://25thandclement.com/~william/projects/cqueues.html">cqueues</a> for documentation of possible operations and synchronisation primitives. The main limitation is that you can’t wait for a finish of a coroutine from processing layers, because it’s not currently possible to suspend and resume execution of processing layers.</p>
<p>Example:</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">worker</span><span class="p">.</span><span class="n">coroutine</span><span class="p">(</span><span class="kr">function</span> <span class="p">()</span>
  <span class="kr">for</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">10</span> <span class="kr">do</span>
    <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;executing&#39;</span><span class="p">,</span> <span class="n">i</span><span class="p">)</span>
    <span class="n">worker</span><span class="p">.</span><span class="n">sleep</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>
  <span class="kr">end</span>
<span class="kr">end</span><span class="p">)</span>
</pre></div>
</div>
</dd></dl>

<dl class="function">
<dt id="c.worker.sleep">
<code class="descname">worker.sleep</code><span class="sig-paren">(</span>seconds<span class="sig-paren">)</span><a class="headerlink" href="#c.worker.sleep" title="Permalink to this definition">¶</a></dt>
<dd><p>Pause execution of current function (asynchronously if running inside a worker coroutine).</p>
</dd></dl>

<p>When daemon is running in forked mode, each process acts independently. This is good because it reduces software complexity and allows for runtime scaling, but not ideal because of additional operational burden.
For example, when you want to add a new policy, you’d need to add it to either put it in the configuration, or execute command on each process independently. The daemon simplifies this by promoting process group leader which is able to execute commands synchronously over forks.</p>
<blockquote>
<div><p>Example:</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">worker</span><span class="p">.</span><span class="n">sleep</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>
</pre></div>
</div>
</div></blockquote>
<dl class="function">
<dt id="c.map">
<code class="descname">map</code><span class="sig-paren">(</span>expr<span class="sig-paren">)</span><a class="headerlink" href="#c.map" title="Permalink to this definition">¶</a></dt>
<dd><p>Run expression synchronously over all forks, results are returned as a table ordered as forks. Expression can be any valid expression in Lua.</p>
<p>Example:</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="c1">-- Current instance only</span>
<span class="n">hostname</span><span class="p">()</span>
<span class="n">localhost</span>
<span class="c1">-- Mapped to forks</span>
<span class="n">map</span> <span class="s1">&#39;hostname()&#39;</span>
<span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=&gt;</span> <span class="n">localhost</span>
<span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">=&gt;</span> <span class="n">localhost</span>
<span class="c1">-- Get worker ID from each fork</span>
<span class="n">map</span> <span class="s1">&#39;worker.id&#39;</span>
<span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=&gt;</span> <span class="mi">0</span>
<span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">=&gt;</span> <span class="mi">1</span>
<span class="c1">-- Get cache stats from each fork</span>
<span class="n">map</span> <span class="s1">&#39;cache.stats()&#39;</span>
<span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=&gt;</span> <span class="p">{</span>
    <span class="p">[</span><span class="n">hit</span><span class="p">]</span> <span class="o">=&gt;</span> <span class="mi">0</span>
    <span class="p">[</span><span class="n">delete</span><span class="p">]</span> <span class="o">=&gt;</span> <span class="mi">0</span>
    <span class="p">[</span><span class="n">miss</span><span class="p">]</span> <span class="o">=&gt;</span> <span class="mi">0</span>
    <span class="p">[</span><span class="n">insert</span><span class="p">]</span> <span class="o">=&gt;</span> <span class="mi">0</span>
<span class="p">}</span>
<span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">=&gt;</span> <span class="p">{</span>
    <span class="p">[</span><span class="n">hit</span><span class="p">]</span> <span class="o">=&gt;</span> <span class="mi">0</span>
    <span class="p">[</span><span class="n">delete</span><span class="p">]</span> <span class="o">=&gt;</span> <span class="mi">0</span>
    <span class="p">[</span><span class="n">miss</span><span class="p">]</span> <span class="o">=&gt;</span> <span class="mi">0</span>
    <span class="p">[</span><span class="n">insert</span><span class="p">]</span> <span class="o">=&gt;</span> <span class="mi">0</span>
<span class="p">}</span>
</pre></div>
</div>
</dd></dl>

</div>
<div class="section" id="scripting-worker">
<h4><a class="toc-backref" href="#id23">Scripting worker</a><a class="headerlink" href="#scripting-worker" title="Permalink to this headline">¶</a></h4>
<p>Worker is a service over event loop that tracks and schedules outstanding queries,
you can see the statistics or schedule new queries. It also contains information about
specified worker count and process rank.</p>
<dl class="envvar">
<dt id="envvar-worker.count">
<code class="descname">worker.count</code><a class="headerlink" href="#envvar-worker.count" title="Permalink to this definition">¶</a></dt>
<dd><p>Return current total worker count (e.g. <cite>1</cite> for single-process)</p>
</dd></dl>

<dl class="envvar">
<dt id="envvar-worker.id">
<code class="descname">worker.id</code><a class="headerlink" href="#envvar-worker.id" title="Permalink to this definition">¶</a></dt>
<dd><p>Return current worker ID (starting from <cite>0</cite> up to <cite>worker.count - 1</cite>)</p>
</dd></dl>

<dl class="envvar">
<dt id="envvar-pid(number)">
<code class="descname">pid (number)</code><a class="headerlink" href="#envvar-pid(number)" title="Permalink to this definition">¶</a></dt>
<dd><p>Current worker process PID.</p>
</dd></dl>

<dl class="function">
<dt id="c.worker.stats">
<code class="descname">worker.stats</code><span class="sig-paren">(</span><span class="sig-paren">)</span><a class="headerlink" href="#c.worker.stats" title="Permalink to this definition">¶</a></dt>
<dd><p>Return table of statistics.</p>
<ul class="simple">
<li><code class="docutils literal"><span class="pre">udp</span></code> - number of outbound queries over UDP</li>
<li><code class="docutils literal"><span class="pre">tcp</span></code> - number of outbound queries over TCP</li>
<li><code class="docutils literal"><span class="pre">ipv6</span></code> - number of outbound queries over IPv6</li>
<li><code class="docutils literal"><span class="pre">ipv4</span></code> - number of outbound queries over IPv4</li>
<li><code class="docutils literal"><span class="pre">timeout</span></code> - number of timeouted outbound queries</li>
<li><code class="docutils literal"><span class="pre">concurrent</span></code> - number of concurrent queries at the moment</li>
<li><code class="docutils literal"><span class="pre">queries</span></code> - number of inbound queries</li>
<li><code class="docutils literal"><span class="pre">dropped</span></code> - number of dropped inbound queries</li>
</ul>
<p>Example:</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="nb">print</span><span class="p">(</span><span class="n">worker</span><span class="p">.</span><span class="n">stats</span><span class="p">().</span><span class="n">concurrent</span><span class="p">)</span>
</pre></div>
</div>
</dd></dl>

</div>
</div>
</div>
<div class="section" id="running-supervised">
<h2>Running supervised<a class="headerlink" href="#running-supervised" title="Permalink to this headline">¶</a></h2>
<p>Knot Resolver can run under a supervisor to allow for graceful restarts, watchdog process and socket activation. This way the supervisor binds to sockets and lends them to the resolver daemon. If the resolver terminates or is killed, the sockets remain open and no queries are dropped.</p>
<p>The watchdog process must notify kresd about active file descriptors, and kresd will automatically determine the socket type and bound address, thus it will appear as any other address. You should have a look at <a class="reference external" href="http://blog.crocodoc.com/post/48703468992/process-managers-the-good-the-bad-and-the-ugly">real process managers</a>.</p>
<p>The daemon also supports <a class="reference external" href="http://0pointer.de/blog/projects/socket-activation.html">systemd socket activation</a>, it is automatically detected and requires no configuration on users’s side.</p>
<p>See <code class="docutils literal"><span class="pre">kresd.systemd(7)</span></code> for details.</p>
</div>
<div class="section" id="enabling-dnssec">
<h2>Enabling DNSSEC<a class="headerlink" href="#enabling-dnssec" title="Permalink to this headline">¶</a></h2>
<p>The resolver supports DNSSEC including <span class="target" id="index-2"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc5011.html"><strong>RFC 5011</strong></a> automated DNSSEC TA updates and <span class="target" id="index-3"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc7646.html"><strong>RFC 7646</strong></a> negative trust anchors.
To enable it, you need to provide trusted root keys. Bootstrapping of the keys is automated, and kresd fetches root trust anchors set <a class="reference external" href="http://jpmens.net/2015/01/21/opendnssec-rfc-5011-bind-and-unbound/">over a secure channel</a> from IANA. From there, it can perform <span class="target" id="index-4"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc5011.html"><strong>RFC 5011</strong></a> automatic updates for you.</p>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">Automatic bootstrap requires <a class="reference external" href="https://luarocks.org/modules/luarocks/luasocket">luasocket</a> and <a class="reference external" href="https://luarocks.org/modules/brunoos/luasec">luasec</a> installed.</p>
</div>
<div class="highlight-none"><div class="highlight"><pre><span></span>$ kresd -k root-new.keys # File for root keys
[ ta ] keyfile &#39;root-new.keys&#39;: doesn&#39;t exist, bootstrapping
[ ta ] Root trust anchors bootstrapped over https with pinned certificate.
       You SHOULD verify them manually against original source:
       https://www.iana.org/dnssec/files
[ ta ] Current root trust anchors are:
. 0 IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
. 0 IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
[ ta ] next refresh for . in 24 hours
</pre></div>
</div>
<p>Alternatively, you can set it in configuration file with <code class="docutils literal"><span class="pre">trust_anchors.file</span> <span class="pre">=</span> <span class="pre">'root.keys'</span></code>. If the file doesn’t exist, it will be automatically populated with root keys validated using root anchors retrieved over HTTPS.</p>
<p>This is equivalent to <a class="reference external" href="https://www.unbound.net/documentation/howto_anchor.html">using unbound-anchor</a>:</p>
<div class="highlight-bash"><div class="highlight"><pre><span></span>$ unbound-anchor -a <span class="s2">&quot;root.keys&quot;</span> <span class="o">||</span> <span class="nb">echo</span> <span class="s2">&quot;warning: check the key at this point&quot;</span>
$ <span class="nb">echo</span> <span class="s2">&quot;auto-trust-anchor-file: \&quot;root.keys\&quot;&quot;</span> &gt;&gt; unbound.conf
$ unbound -c unbound.conf
</pre></div>
</div>
<div class="admonition warning">
<p class="first admonition-title">Warning</p>
<p class="last">Bootstrapping of the root trust anchors is automatic, you are however <strong>encouraged to check</strong> the key over <strong>secure channel</strong>, as specified in <a class="reference external" href="https://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.html#sigs">DNSSEC Trust Anchor Publication for the Root Zone</a>. This is a critical step where the whole infrastructure may be compromised, you will be warned in the server log.</p>
</div>
<p>Configuration is described in <a class="reference internal" href="#dnssec-config"><span class="std std-ref">Trust anchors and DNSSEC</span></a>.</p>
<div class="section" id="manually-providing-root-anchors">
<h3>Manually providing root anchors<a class="headerlink" href="#manually-providing-root-anchors" title="Permalink to this headline">¶</a></h3>
<p>The root anchors bootstrap may fail for various reasons, in this case you need to provide IANA or alternative root anchors. The format of the keyfile is the same as for Unbound or BIND and contains DS/DNSKEY records.</p>
<ol class="arabic simple">
<li>Check the current TA published on <a class="reference external" href="https://data.iana.org/root-anchors/root-anchors.xml">IANA website</a></li>
<li>Fetch current keys (DNSKEY), verify digests</li>
<li>Deploy them</li>
</ol>
<div class="highlight-bash"><div class="highlight"><pre><span></span>$ kdig DNSKEY . @k.root-servers.net +noall +answer <span class="p">|</span> grep <span class="s2">&quot;DNSKEY[[:space:]]257&quot;</span> &gt; root.keys
$ ldns-key2ds -n root.keys <span class="c1"># Only print to stdout</span>
... verify that digest matches TA published by IANA ...
$ kresd -k root.keys
</pre></div>
</div>
<p>You’ve just enabled DNSSEC!</p>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">Bootstrapping and automatic update need write access to keyfile direcory. If you want to manage root anchors manually you should use <code class="docutils literal"><span class="pre">trust_anchors.add_file('root.keys',</span> <span class="pre">true)</span></code>.</p>
</div>
</div>
</div>
<div class="section" id="cli-interface">
<h2>CLI interface<a class="headerlink" href="#cli-interface" title="Permalink to this headline">¶</a></h2>
<p>The daemon features a CLI interface, type <code class="docutils literal"><span class="pre">help()</span></code> to see the list of available commands.</p>
<div class="highlight-bash"><div class="highlight"><pre><span></span>$ kresd /var/cache/knot-resolver
<span class="o">[</span>system<span class="o">]</span> started in interactive mode, <span class="nb">type</span> <span class="s1">&#39;help()&#39;</span>
&gt; cache.count<span class="o">()</span>
<span class="m">53</span>
</pre></div>
</div>
<div class="section" id="verbose-output">
<h3>Verbose output<a class="headerlink" href="#verbose-output" title="Permalink to this headline">¶</a></h3>
<p>If the verbose logging is compiled in, i.e. not turned off by <code class="docutils literal"><span class="pre">-DNOVERBOSELOG</span></code>, you can turn on verbose tracing of server operation with the <code class="docutils literal"><span class="pre">-v</span></code> option.
You can also toggle it on runtime with <code class="docutils literal"><span class="pre">verbose(true|false)</span></code> command.</p>
<div class="highlight-bash"><div class="highlight"><pre><span></span>$ kresd -v
</pre></div>
</div>
<p>To run the daemon by hand, such as under <code class="docutils literal"><span class="pre">nohup</span></code>, use <code class="docutils literal"><span class="pre">-f</span> <span class="pre">1</span></code> to start a single fork. For example:</p>
<div class="highlight-bash"><div class="highlight"><pre><span></span>$ nohup ./daemon/kresd -a <span class="m">127</span>.0.0.1 -f <span class="m">1</span> -v <span class="p">&amp;</span>
</pre></div>
</div>
</div>
</div>
<div class="section" id="scaling-out">
<h2>Scaling out<a class="headerlink" href="#scaling-out" title="Permalink to this headline">¶</a></h2>
<p>The server can clone itself into multiple processes upon startup, this enables you to scale it on multiple cores.
Multiple processes can serve different addresses, but still share the same working directory and cache.
You can add, start and stop processes during runtime based on the load.</p>
<div class="highlight-bash"><div class="highlight"><pre><span></span>$ kresd -f <span class="m">4</span> rundir &gt; kresd.log <span class="p">&amp;</span>
$ kresd -f <span class="m">2</span> rundir &gt; kresd_2.log <span class="p">&amp;</span> <span class="c1"># Extra instances</span>
$ pstree <span class="nv">$$</span> -g
bash<span class="o">(</span><span class="m">3533</span><span class="o">)</span>─┬─kresd<span class="o">(</span><span class="m">19212</span><span class="o">)</span>─┬─kresd<span class="o">(</span><span class="m">19212</span><span class="o">)</span>
           │              ├─kresd<span class="o">(</span><span class="m">19212</span><span class="o">)</span>
           │              └─kresd<span class="o">(</span><span class="m">19212</span><span class="o">)</span>
           ├─kresd<span class="o">(</span><span class="m">19399</span><span class="o">)</span>───kresd<span class="o">(</span><span class="m">19399</span><span class="o">)</span>
           └─pstree<span class="o">(</span><span class="m">19411</span><span class="o">)</span>
$ <span class="nb">kill</span> <span class="m">19399</span> <span class="c1"># Kill group 2, former will continue to run</span>
bash<span class="o">(</span><span class="m">3533</span><span class="o">)</span>─┬─kresd<span class="o">(</span><span class="m">19212</span><span class="o">)</span>─┬─kresd<span class="o">(</span><span class="m">19212</span><span class="o">)</span>
           │              ├─kresd<span class="o">(</span><span class="m">19212</span><span class="o">)</span>
           │              └─kresd<span class="o">(</span><span class="m">19212</span><span class="o">)</span>
           └─pstree<span class="o">(</span><span class="m">19460</span><span class="o">)</span>
</pre></div>
</div>
<div class="admonition note" id="daemon-reuseport">
<p class="first admonition-title">Note</p>
<p class="last">On recent Linux supporting <code class="docutils literal"><span class="pre">SO_REUSEPORT</span></code> (since 3.9, backported to RHEL 2.6.32) it is also able to bind to the same endpoint and distribute the load between the forked processes. If your OS doesn’t support it, use only one daemon process.</p>
</div>
<p>Notice the absence of an interactive CLI. You can attach to the the consoles for each process, they are in <code class="docutils literal"><span class="pre">rundir/tty/PID</span></code>.</p>
<div class="highlight-bash"><div class="highlight"><pre><span></span>$ nc -U rundir/tty/3008 <span class="c1"># or socat - UNIX-CONNECT:rundir/tty/3008</span>
&gt; cache.count<span class="o">()</span>
<span class="m">53</span>
</pre></div>
</div>
<p>The <em>direct output</em> of the CLI command is captured and sent over the socket, while also printed to the daemon standard outputs (for accountability). This gives you an immediate response on the outcome of your command.
Error or debug logs aren’t captured, but you can find them in the daemon standard outputs.</p>
<p>This is also a way to enumerate and test running instances, the list of files in <code class="docutils literal"><span class="pre">tty</span></code> corresponds to the list
of running processes, and you can test the process for liveliness by connecting to the UNIX socket.</p>
</div>
<div class="section" id="using-cli-tools">
<span id="daemon-supervised"></span><h2>Using CLI tools<a class="headerlink" href="#using-cli-tools" title="Permalink to this headline">¶</a></h2>
<ul class="simple">
<li><code class="docutils literal"><span class="pre">kresd-host.lua</span></code> - a drop-in replacement for <em>host(1)</em> utility</li>
</ul>
<p>Queries the DNS for information.
The hostname is looked up for IP4, IP6 and mail.</p>
<p>Example:</p>
<div class="highlight-bash"><div class="highlight"><pre><span></span>$ kresd-host.lua -f root.key -v nic.cz
nic.cz. has address <span class="m">217</span>.31.205.50 <span class="o">(</span>secure<span class="o">)</span>
nic.cz. has IPv6 address <span class="m">2001</span>:1488:0:3::2 <span class="o">(</span>secure<span class="o">)</span>
nic.cz. mail is handled by <span class="m">10</span> mail.nic.cz. <span class="o">(</span>secure<span class="o">)</span>
nic.cz. mail is handled by <span class="m">20</span> mx.nic.cz. <span class="o">(</span>secure<span class="o">)</span>
nic.cz. mail is handled by <span class="m">30</span> bh.nic.cz. <span class="o">(</span>secure<span class="o">)</span>
</pre></div>
</div>
<ul class="simple">
<li><code class="docutils literal"><span class="pre">kresd-query.lua</span></code> - run the daemon in zero-configuration mode, perform a query and execute given callback.</li>
</ul>
<p>This is useful for executing one-shot queries and hooking into the processing of the result,
for example to check if a domain is managed by a certain registrar or if it’s signed.</p>
<p>Example:</p>
<div class="highlight-bash"><div class="highlight"><pre><span></span>$ kresd-query.lua www.sub.nic.cz <span class="s1">&#39;assert(kres.dname2str(req:resolved().zone_cut.name) == &quot;nic.cz.&quot;)&#39;</span> <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="s2">&quot;yes&quot;</span>
yes
$ kresd-query.lua -C <span class="s1">&#39;trust_anchors.config(&quot;root.keys&quot;)&#39;</span> nic.cz <span class="s1">&#39;assert(req:resolved().flags.DNSSEC_WANT)&#39;</span>
$ <span class="nb">echo</span> <span class="nv">$?</span>
<span class="m">0</span>
</pre></div>
</div>
</div>
</div>


          </div>
        </div>
      </div>
      <div class="sphinxsidebar" role="navigation" aria-label="main navigation">
        <div class="sphinxsidebarwrapper">
  <h3><a href="index.html">Table Of Contents</a></h3>
  <ul>
<li><a class="reference internal" href="#">Knot DNS Resolver daemon</a><ul>
<li><a class="reference internal" href="#configuration">Configuration</a><ul>
<li><a class="reference internal" href="#configuration-example">Configuration example</a></li>
<li><a class="reference internal" href="#configuration-syntax">Configuration syntax</a><ul>
<li><a class="reference internal" href="#dynamic-configuration">Dynamic configuration</a></li>
<li><a class="reference internal" href="#asynchronous-events">Asynchronous events</a></li>
</ul>
</li>
<li><a class="reference internal" href="#configuration-reference">Configuration reference</a><ul>
<li><a class="reference internal" href="#environment">Environment</a></li>
<li><a class="reference internal" href="#network-configuration">Network configuration</a></li>
<li><a class="reference internal" href="#trust-anchors-and-dnssec">Trust anchors and DNSSEC</a></li>
<li><a class="reference internal" href="#modules-configuration">Modules configuration</a></li>
<li><a class="reference internal" href="#cache-configuration">Cache configuration</a></li>
<li><a class="reference internal" href="#timers-and-events">Timers and events</a></li>
<li><a class="reference internal" href="#asynchronous-function-execution">Asynchronous function execution</a></li>
<li><a class="reference internal" href="#scripting-worker">Scripting worker</a></li>
</ul>
</li>
</ul>
</li>
<li><a class="reference internal" href="#running-supervised">Running supervised</a></li>
<li><a class="reference internal" href="#enabling-dnssec">Enabling DNSSEC</a><ul>
<li><a class="reference internal" href="#manually-providing-root-anchors">Manually providing root anchors</a></li>
</ul>
</li>
<li><a class="reference internal" href="#cli-interface">CLI interface</a><ul>
<li><a class="reference internal" href="#verbose-output">Verbose output</a></li>
</ul>
</li>
<li><a class="reference internal" href="#scaling-out">Scaling out</a></li>
<li><a class="reference internal" href="#using-cli-tools">Using CLI tools</a></li>
</ul>
</li>
</ul>

  <h4>Previous topic</h4>
  <p class="topless"><a href="index.html"
                        title="previous chapter">Knot DNS Resolver</a></p>
  <h4>Next topic</h4>
  <p class="topless"><a href="modules.html"
                        title="next chapter">Knot DNS Resolver modules</a></p>
  <div role="note" aria-label="source link">
    <h3>This Page</h3>
    <ul class="this-page-menu">
      <li><a href="_sources/daemon.rst.txt"
            rel="nofollow">Show Source</a></li>
    </ul>
   </div>
<div id="searchbox" style="display: none" role="search">
  <h3>Quick search</h3>
    <form class="search" action="search.html" method="get">
      <div><input type="text" name="q" /></div>
      <div><input type="submit" value="Go" /></div>
      <input type="hidden" name="check_keywords" value="yes" />
      <input type="hidden" name="area" value="default" />
    </form>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
        </div>
      </div>
      <div class="clearer"></div>
    </div>
    <div class="related" role="navigation" aria-label="related navigation">
      <h3>Navigation</h3>
      <ul>
        <li class="right" style="margin-right: 10px">
          <a href="genindex.html" title="General Index"
             >index</a></li>
        <li class="right" >
          <a href="modules.html" title="Knot DNS Resolver modules"
             >next</a> |</li>
        <li class="right" >
          <a href="index.html" title="Knot DNS Resolver"
             >previous</a> |</li>
        <li class="nav-item nav-item-0"><a href="index.html">Knot DNS Resolver 2.1.1 documentation</a> &#187;</li> 
      </ul>
    </div>
    <div class="footer" role="contentinfo">
        &#169; Copyright 2014-2018 CZ.NIC labs.
      Created using <a href="http://sphinx-doc.org/">Sphinx</a> 1.6.7.
    </div>
  </body>
</html>