datamodel: move dnssec bogus logging from 'logging' section to 'dnssec' section

alesmrazek · alesmrazek · commit 2971b3ada91e · 2025-04-09T15:01:11.000+02:00
diff --git a/NEWS b/NEWS
@@ -21,8 +21,9 @@ Incompatible changes
   - /network/tls/auto-discovery
   - /webmgmt
   - /workers-max
-- Renamed options in the declarative configuration model (YAML).
+- Renamed/moved options in the declarative configuration model (YAML).
   - /network/tls/files-watchdog -> /network/tls/watchdog
+  - /logging/dnssec-bogus -> /dnssec/logging-bogus
 
 
 Knot Resolver 6.0.11 (2025-02-26)
diff --git a/doc/_static/config.schema.json b/doc/_static/config.schema.json
@@ -1295,6 +1295,11 @@
                             },
                             "description": "List of zone-files where trust-anchors are stored.",
                             "default": null
+                        },
+                        "logging-bogus": {
+                            "type": "boolean",
+                            "description": "Enable logging for each DNSSEC validation failure if '/logging/level' is set to at least 'notice'.",
+                            "default": false
                         }
                     }
                 }
@@ -1442,11 +1447,6 @@
                     "description": "List of groups for which 'debug' logging level is set.",
                     "default": null
                 },
-                "dnssec-bogus": {
-                    "type": "boolean",
-                    "description": "Logging a message for each DNSSEC validation failure.",
-                    "default": false
-                },
                 "dnstap": {
                     "anyOf": [
                         {
@@ -1489,7 +1489,6 @@
                 "level": "notice",
                 "target": "stdout",
                 "groups": null,
-                "dnssec_bogus": false,
                 "dnstap": false
             }
         },
diff --git a/doc/user/config-logging-bogus.rst b/doc/user/config-logging-bogus.rst
@@ -13,8 +13,8 @@ Add following line to your configuration file to enable it:
 
 .. code-block:: yaml
 
-   logging:
-      dnssec-bogus: true
+   dnssec:
+      logging-bogus: true
 
 Example of error message logged:
 
diff --git a/python/knot_resolver/datamodel/dnssec_schema.py b/python/knot_resolver/datamodel/dnssec_schema.py
@@ -30,6 +30,7 @@ class DnssecSchema(ConfigSchema):
     trust_anchors: List of trust-anchors in DS/DNSKEY records format.
     negative_trust_anchors: List of domain names representing negative trust-anchors. (RFC 7646)
     trust_anchors_files: List of zone-files where trust-anchors are stored.
+    logging_bogus: Enable logging for each DNSSEC validation failure if '/logging/level' is set to at least 'notice'.
     """
 
     trust_anchor_sentinel: bool = True
@@ -39,3 +40,4 @@ class DnssecSchema(ConfigSchema):
     trust_anchors: Optional[List[EscapedStr]] = None
     negative_trust_anchors: Optional[List[DomainName]] = None
     trust_anchors_files: Optional[List[TrustAnchorFileSchema]] = None
+    logging_bogus: bool = False
diff --git a/python/knot_resolver/datamodel/logging_schema.py b/python/knot_resolver/datamodel/logging_schema.py
@@ -89,22 +89,19 @@ class Raw(ConfigSchema):
         level: Global logging level.
         target: Global logging stream target. "from-env" uses $KRES_LOGGING_TARGET and defaults to "stdout".
         groups: List of groups for which 'debug' logging level is set.
-        dnssec_bogus: Logging a message for each DNSSEC validation failure.
         dnstap: Logging DNS requests and responses to a unix socket.
         """
 
         level: LogLevelEnum = "notice"
         target: Union[LogTargetEnum, Literal["from-env"]] = "from-env"
         groups: Optional[List[LogGroupsEnum]] = None
-        dnssec_bogus: bool = False
         dnstap: Union[Literal[False], DnstapSchema] = False
 
     _LAYER = Raw
 
     level: LogLevelEnum
     target: LogTargetEnum
     groups: Optional[List[LogGroupsEnum]]
-    dnssec_bogus: bool
     dnstap: Union[Literal[False], DnstapSchema]
 
     def _target(self, raw: Raw) -> LogTargetEnum:
diff --git a/python/knot_resolver/datamodel/templates/dnssec.lua.j2 b/python/knot_resolver/datamodel/templates/dnssec.lua.j2
@@ -47,4 +47,10 @@ trust_anchors.set_insecure({
 {% for taf in cfg.dnssec.trust_anchors_files %}
 trust_anchors.add_file('{{ taf.file }}',  readonly = {{ boolean(taf.read_only) }})
 {% endfor %}
-{% endif %}
+{% endif %}
+
+{% if cfg.dnssec.logging_bogus %}
+modules.load('bogus_log')
+{% else %}
+modules.unload('bogus_log')
+{% endif %}
diff --git a/python/knot_resolver/datamodel/templates/logging.lua.j2 b/python/knot_resolver/datamodel/templates/logging.lua.j2
@@ -19,10 +19,6 @@ log_groups({
 })
 {% endif %}
 
-{% if cfg.logging.dnssec_bogus %}
-modules.load('bogus_log')
-{% endif %}
-
 {% if cfg.logging.dnstap -%}
 -- logging.dnstap
 modules.load('dnstap')
