datamodel: move dnssec bogus logging from 'logging' section to 'dnssec' section

alesmrazek · alesmrazek · commit b06cc25ababa · 2025-04-14T22:27:01.000+02:00
diff --git a/NEWS b/NEWS
@@ -22,11 +22,12 @@ Incompatible changes
   - /network/tls/auto-discovery
   - /webmgmt
   - /workers-max
-- Renamed options in the declarative configuration model (YAML).
+- Renamed/moved options in the declarative configuration model (YAML).
   - /network/tls/files-watchdog -> /network/tls/watchdog
   - /dnssec/keep-removed -> /dnssec/trust-anchors-keep-removed
   - /dnssec/trust-anchor-sentinel -> /dnssec/sentinel
   - /dnssec/trust-anchor-signal-query -> /dnssec/signal-query 
+  - /logging/dnssec-bogus -> /dnssec/logging-bogus
 
 
 Knot Resolver 6.0.11 (2025-02-26)
diff --git a/doc/_static/config.schema.json b/doc/_static/config.schema.json
@@ -1229,6 +1229,11 @@
                     "description": "Enable/disable DNSSEC.",
                     "default": true
                 },
+                "logging-bogus": {
+                    "type": "boolean",
+                    "description": "Enable logging for each DNSSEC validation failure if '/logging/level' is set to at least 'notice'.",
+                    "default": false
+                },
                 "sentinel": {
                     "type": "boolean",
                     "description": "Allows users of DNSSEC validating resolver to detect which root keys are configured in resolver's chain of trust. (RFC 8509)",
@@ -1294,6 +1299,7 @@
             },
             "default": {
                 "enabled": true,
+                "logging_bogus": false,
                 "sentinel": true,
                 "signal_query": true,
                 "trust_anchors_keep_removed": 0,
@@ -1442,11 +1448,6 @@
                     "description": "List of groups for which 'debug' logging level is set.",
                     "default": null
                 },
-                "dnssec-bogus": {
-                    "type": "boolean",
-                    "description": "Logging a message for each DNSSEC validation failure.",
-                    "default": false
-                },
                 "dnstap": {
                     "anyOf": [
                         {
@@ -1489,7 +1490,6 @@
                 "level": "notice",
                 "target": "stdout",
                 "groups": null,
-                "dnssec_bogus": false,
                 "dnstap": false
             }
         },
diff --git a/doc/user/config-logging-bogus.rst b/doc/user/config-logging-bogus.rst
@@ -13,8 +13,8 @@ Add following line to your configuration file to enable it:
 
 .. code-block:: yaml
 
-   logging:
-      dnssec-bogus: true
+   dnssec:
+      logging-bogus: true
 
 Example of error message logged:
 
diff --git a/python/knot_resolver/datamodel/dnssec_schema.py b/python/knot_resolver/datamodel/dnssec_schema.py
@@ -24,6 +24,7 @@ class DnssecSchema(ConfigSchema):
 
     ---
     enabled: Enable/disable DNSSEC.
+    logging_bogus: Enable logging for each DNSSEC validation failure if '/logging/level' is set to at least 'notice'.
     sentinel: Allows users of DNSSEC validating resolver to detect which root keys are configured in resolver's chain of trust. (RFC 8509)
     signal_query: Signaling Trust Anchor Knowledge in DNSSEC Using Key Tag Query, according to (RFC 8145#section-5).
     trust_anchors_keep_removed: How many removed keys should be held in history (and key file) before being purged.
@@ -34,6 +35,7 @@ class DnssecSchema(ConfigSchema):
     """
 
     enabled: bool = True
+    logging_bogus: bool = False
     sentinel: bool = True
     signal_query: bool = True
     trust_anchors_keep_removed: IntNonNegative = IntNonNegative(0)
diff --git a/python/knot_resolver/datamodel/logging_schema.py b/python/knot_resolver/datamodel/logging_schema.py
@@ -89,22 +89,19 @@ class Raw(ConfigSchema):
         level: Global logging level.
         target: Global logging stream target. "from-env" uses $KRES_LOGGING_TARGET and defaults to "stdout".
         groups: List of groups for which 'debug' logging level is set.
-        dnssec_bogus: Logging a message for each DNSSEC validation failure.
         dnstap: Logging DNS requests and responses to a unix socket.
         """
 
         level: LogLevelEnum = "notice"
         target: Union[LogTargetEnum, Literal["from-env"]] = "from-env"
         groups: Optional[List[LogGroupsEnum]] = None
-        dnssec_bogus: bool = False
         dnstap: Union[Literal[False], DnstapSchema] = False
 
     _LAYER = Raw
 
     level: LogLevelEnum
     target: LogTargetEnum
     groups: Optional[List[LogGroupsEnum]]
-    dnssec_bogus: bool
     dnstap: Union[Literal[False], DnstapSchema]
 
     def _target(self, raw: Raw) -> LogTargetEnum:
diff --git a/python/knot_resolver/datamodel/templates/dnssec.lua.j2 b/python/knot_resolver/datamodel/templates/dnssec.lua.j2
@@ -2,6 +2,13 @@
 
 {% if cfg.dnssec.enabled %}
 
+-- dnssec.logging-bogus
+{% if cfg.dnssec.logging_bogus %}
+modules.load('bogus_log')
+{% else %}
+-- modules.unload('bogus_log')
+{% endif %}
+
 -- dnssec.sentinel
 {% if cfg.dnssec.sentinel %}
 modules.load('ta_sentinel')
diff --git a/python/knot_resolver/datamodel/templates/logging.lua.j2 b/python/knot_resolver/datamodel/templates/logging.lua.j2
@@ -19,10 +19,6 @@ log_groups({
 })
 {% endif %}
 
-{% if cfg.logging.dnssec_bogus %}
-modules.load('bogus_log')
-{% endif %}
-
 {% if cfg.logging.dnstap -%}
 -- logging.dnstap
 modules.load('dnstap')
