I'd like to manage the directory holding all the zonefiles in git to have a
workflow like "git push -> webhook -> zonefiles git pull -> knotc reload".
With Knot versions <2 this was working great because Knot did not change
anything in this directory. But when using Knot 2.x with DNSSEC enabled, Knot
rewrites the zonefiles of DNSSEC enabled zones, creates a timers subdirectory
and puts some *.db files into the zones directory. Are there any configuration
parameters to change this behaviour? So that the timers subdirectory is
created outside the directory holding zonefiles (preferably configurable), the
*.db files are also written into a dedicated directory and signed zonefiles are
saved into a different subdirectory.
Or are there any proposals how I could manage the zonefiles directory with git
when using Knot 2.x with DNSSEC enabled?
Thanks a lot for all input.
Cheers and happy new year!
The Knot Puppet module is now fully Knot 2.x compatible. It can be found on
Puppet forge: https://forge.puppetlabs.com/tobru/knot
Any feedback and all pull requests are highly appreciated.
Have you been good this year? CZ.NIC Labs just released a Christmas
present for all Knot DNS users — a new and shiny release candidate.
This version contains a bunch of new features, quite a lot of
improvements and also some bug fixes. Let's start with the features:
- If you run Linux, you will get a higher packet throughput for UDP
thanks to the SO_REUSEPORT socket option. In some cases, we have seen
100% packet rate increase.
- As an alternative to the textual configuration file, we now support
a binary configuration database. This is primarily intended for users
with many zones who need to reconfigure their servers quickly. For
this purpose, the knotc utility adds new conf-* commands, which can
be used to query and modify the server configuration on-the-fly.
- DNSSEC newly implements an interface to access cryptographic tokens
via the PKCS #11. This means, that you can store the private key
material for DNSSEC keys more securely than before.
- We have also included an experimental module for DNSSEC online
signing. This can be used for instance with the other modules
synthesizing records on-the-fly.
As for various improvements:
- The zone file name can now include formatters, which will be later
substituted. For example, if you have many zones and want to sort
them into directories based on their TLD, you can use '%l/%s.zone'
as the 'file' config option, and the zone 'example.com' will be loaded
- We have added the 'timer-db' option to customize path to the database
with persistent zone timers. This is useful if you have multiple
knotd instances sharing a zone storage directory.
- After the recent DDoS attacks, we have improved the RRL documentation
to include details about the effect of the individual rate-limit-slip
configuration values. We also made this option to accept zero value
which will make the server drop all responses exceeding the limit.
- Other small changes in the server include improved networking code
so we can better handle connection timeouts. The ACL failures are now
logged. And some of the critical configuration values are cached for
- The kdig utility now prints a warning instead of failing with an
error when a TSIG validation failure is encountered.
- We've also performed some cleanup of the support libraries: libknot,
libzscanner, and libdnssec. So if you are developing your own
DNS application, take a look at these.
And that's it. Please, refer to the documentation for more information.
And if something is not clear, just ask on the mailing list and we will
try to clarify any ambiguities.
You will find your present under our Christmas tree.
On behalf of our development team, I wish you a merry Christmas and
happy New Year.
Jan Včelák, Knot DNS
CZ.NIC Labs https://www.knot-dns.cz
Milešovská 5, 130 00 Praha 3, Czech Republic