datamodel: stabilize dns64 schema

alesmrazek · alesmrazek · commit 115c11b183d4 · 2025-04-14T22:27:01.000+02:00
diff --git a/NEWS b/NEWS
@@ -24,6 +24,8 @@ Incompatible changes
   - /workers-max
 - Renamed/moved options in the declarative configuration model (YAML).
   - /network/tls/files-watchdog -> /network/tls/watchdog
+  - /dns64: true -> /dns64/enabled: true
+  - /dns64/rev-ttl -> /dns64/reverse-ttl
   - /dnssec/keep-removed -> /dnssec/trust-anchors-keep-removed
   - /dnssec/trust-anchor-sentinel -> /dnssec/sentinel
   - /dnssec/trust-anchor-signal-query -> /dnssec/signal-query 
diff --git a/doc/_static/config.schema.json b/doc/_static/config.schema.json
@@ -1309,44 +1309,46 @@
             }
         },
         "dns64": {
-            "anyOf": [
-                {
-                    "type": "boolean"
+            "description": "DNS64 (RFC 6147) configuration.",
+            "type": "object",
+            "properties": {
+                "enabled": {
+                    "type": "boolean",
+                    "description": "Enable/disable DNS64.",
+                    "default": false
                 },
-                {
-                    "description": "DNS64 (RFC 6147) configuration.",
-                    "type": "object",
-                    "properties": {
-                        "prefix": {
-                            "type": "string",
-                            "description": "IPv6 prefix to be used for synthesizing AAAA records.",
-                            "default": "64:ff9b::/96"
-                        },
-                        "rev-ttl": {
-                            "type": [
-                                "string",
-                                "null"
-                            ],
-                            "pattern": "^(\\d+)(us|ms|s|m|h|d)$",
-                            "description": "TTL in CNAME generated in the reverse 'ip6.arpa.' subtree.",
-                            "default": null
-                        },
-                        "exclude-subnets": {
-                            "type": [
-                                "array",
-                                "null"
-                            ],
-                            "items": {
-                                "type": "string"
-                            },
-                            "description": "IPv6 subnets that are disallowed in answer.",
-                            "default": null
-                        }
-                    }
+                "prefix": {
+                    "type": "string",
+                    "description": "IPv6 prefix to be used for synthesizing AAAA records.",
+                    "default": "64:ff9b::/96"
+                },
+                "reverse-ttl": {
+                    "type": [
+                        "string",
+                        "null"
+                    ],
+                    "pattern": "^(\\d+)(us|ms|s|m|h|d)$",
+                    "description": "TTL in CNAME generated in the reverse 'ip6.arpa.' subtree.",
+                    "default": null
+                },
+                "exclude-subnets": {
+                    "type": [
+                        "array",
+                        "null"
+                    ],
+                    "items": {
+                        "type": "string"
+                    },
+                    "description": "IPv6 subnets that are disallowed in answer.",
+                    "default": null
                 }
-            ],
-            "description": "Disable DNS64 (RFC 6147), enable with defaults or set new configuration.",
-            "default": false
+            },
+            "default": {
+                "enabled": false,
+                "prefix": "64:ff9b::/96",
+                "reverse_ttl": null,
+                "exclude_subnets": null
+            }
         },
         "logging": {
             "description": "Logging and debugging configuration.",
diff --git a/python/knot_resolver/datamodel/config_schema.py b/python/knot_resolver/datamodel/config_schema.py
@@ -101,7 +101,7 @@ class Raw(ConfigSchema):
         forward: List of Forward Zones and its configuration.
         cache: DNS resolver cache configuration.
         dnssec: DNSSEC configuration.
-        dns64: Disable DNS64 (RFC 6147), enable with defaults or set new configuration.
+        dns64: DNS64 (RFC 6147) configuration.
         logging: Logging and debugging configuration.
         monitoring: Metrics exposisition configuration (Prometheus, Graphite)
         lua: Custom Lua configuration.
@@ -122,7 +122,7 @@ class Raw(ConfigSchema):
         forward: Optional[List[ForwardSchema]] = None
         cache: CacheSchema = lazy_default(CacheSchema, {})
         dnssec: DnssecSchema = DnssecSchema()
-        dns64: Union[bool, Dns64Schema] = False
+        dns64: Dns64Schema = Dns64Schema()
         logging: LoggingSchema = LoggingSchema()
         monitoring: MonitoringSchema = MonitoringSchema()
         rate_limiting: Optional[RateLimitingSchema] = None
@@ -143,7 +143,7 @@ class Raw(ConfigSchema):
     forward: Optional[List[ForwardSchema]]
     cache: CacheSchema
     dnssec: DnssecSchema
-    dns64: Union[Literal[False], Dns64Schema]
+    dns64: Dns64Schema
     logging: LoggingSchema
     monitoring: MonitoringSchema
     rate_limiting: Optional[RateLimitingSchema]
@@ -166,11 +166,6 @@ def _workers(self, obj: Raw) -> Any:
             )
         return obj.workers
 
-    def _dns64(self, obj: Raw) -> Any:
-        if obj.dns64 is True:
-            return Dns64Schema()
-        return obj.dns64
-
     def _validate(self) -> None:
         # warn about '/management/unix-socket' not located in '/rundir'
         if self.management.unix_socket and self.management.unix_socket.to_path().parent != self.rundir.to_path():
diff --git a/python/knot_resolver/datamodel/dns64_schema.py b/python/knot_resolver/datamodel/dns64_schema.py
@@ -9,11 +9,13 @@ class Dns64Schema(ConfigSchema):
     DNS64 (RFC 6147) configuration.
 
     ---
+    enabled: Enable/disable DNS64.
     prefix: IPv6 prefix to be used for synthesizing AAAA records.
-    rev_ttl: TTL in CNAME generated in the reverse 'ip6.arpa.' subtree.
+    reverse_ttl: TTL in CNAME generated in the reverse 'ip6.arpa.' subtree.
     exclude_subnets: IPv6 subnets that are disallowed in answer.
     """
 
+    enabled: bool = False
     prefix: IPv6Network96 = IPv6Network96("64:ff9b::/96")
-    rev_ttl: Optional[TimeUnit] = None
+    reverse_ttl: Optional[TimeUnit] = None
     exclude_subnets: Optional[List[IPv6Network]] = None
diff --git a/python/knot_resolver/datamodel/templates/dns64.lua.j2 b/python/knot_resolver/datamodel/templates/dns64.lua.j2
@@ -1,17 +1,24 @@
 {% from 'macros/common_macros.lua.j2' import string_table %}
 
-{% if cfg.dns64 %}
--- load dns64 module
+{% if cfg.dns64.enabled %}
+
+-- Enable DNS64 by loading module
 modules.load('dns64')
 
--- dns64.prefix
+-- Configure DNS64 module
 dns64.config({
     prefix = '{{ cfg.dns64.prefix.to_std().network_address|string }}',
-{% if cfg.dns64.rev_ttl %}
-    rev_ttl = {{ cfg.dns64.rev_ttl.seconds() }},
+{% if cfg.dns64.reverse_ttl %}
+    rev_ttl = {{ cfg.dns64.reverse_ttl.seconds() }},
 {% endif %}
 {% if cfg.dns64.exclude_subnets %}
     exclude_subnets = {{ string_table(cfg.dns64.exclude_subnets) }},
 {% endif %}
 })
+
+{% else %}
+
+-- Disable DNS64 by unloading module
+-- modules.unload('dns64')
+
 {% endif %}
diff --git a/tests/manager/datamodel/test_config_schema.py b/tests/manager/datamodel/test_config_schema.py
@@ -50,7 +50,7 @@ def test_config_defaults():
     config = KresConfig()
 
     # DNS64 default
-    assert config.dns64 == False
+    assert config.dns64.enabled == False
 
 
 def test_dnssec_false():
@@ -73,7 +73,10 @@ def test_dnssec_default_true():
 
 
 def test_dns64_prefix_default():
-    assert str(KresConfig({"dns64": True}).dns64.prefix) == "64:ff9b::/96"
+    config = KresConfig({ "dns64": { "enabled": True } })
+
+    assert config.dns64.enabled == True
+    assert str(config.dns64.prefix) == "64:ff9b::/96"
 
 
 def test_config_json_schema():
