Hi,
I am trying to use nsupdate from knot 1.6.1. I have generated key files using dnssec-keygen from BIND 9.9.5. i.e.
dnssec-keygen -a HMAC-MD5 -b 256 -n HOST -C host.example.com
Whenever I try to use the files with nsupdate -k <file> though I get:
; Error: failed to read key file: public key file is invalid
I have also tried without the “-C” to dnssec-keygen.
Are there different flags I need? Or does someone have an example of the file format required?
Thanks,
Andrew
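The question above is about the layout of the key files dnssec-keygen writes. As an added example for this thread (not code from Knot DNS or BIND), the following Python parses the `.key` and `.private` pair that `dnssec-keygen -a HMAC-MD5 -b 256 -n HOST host.example.com` produces, cross-checks the two files (algorithm, secret, key length) and renders the key in the `alg:name:secret` form. The sample file contents are constructed with a dummy secret; the BIND private-use algorithm numbers (157 for HMAC-MD5, 161 to 165 for HMAC-SHA1 to HMAC-SHA512) are the ones dnssec-keygen writes into these files. Whether a given knsupdate accepts the rendered string through a `-y`-style option is an assumption to check against that version's own usage text.

```python
"""Parse and cross-check the K<name>.+<alg>+<id>.key / .private file pair that
BIND's dnssec-keygen writes for HMAC (TSIG) keys.

This is an added example for the thread, not code from Knot DNS or BIND.
The sample file contents are constructed and use a dummy 256-bit secret.
"""
import base64
import re

# Private-use algorithm numbers BIND assigns to HMAC keys in these files.
HMAC_ALGORITHMS = {
    157: "hmac-md5",
    161: "hmac-sha1",
    162: "hmac-sha224",
    163: "hmac-sha256",
    164: "hmac-sha384",
    165: "hmac-sha512",
}

# Constructed sample, shaped like the output of
#   dnssec-keygen -a HMAC-MD5 -b 256 -n HOST host.example.com
SAMPLE_SECRET = base64.b64encode(bytes(range(32))).decode()  # dummy, 32 bytes
SAMPLE_KEY_FILE = f"host.example.com. IN KEY 512 3 157 {SAMPLE_SECRET}\n"
SAMPLE_PRIVATE_FILE = f"""Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: {SAMPLE_SECRET}
Bits: AAA=
Created: 20150105120000
Publish: 20150105120000
Activate: 20150105120000
"""


def parse_key_file(text):
    """Parse the public .key file, which holds one KEY resource record.

    Returns (owner, flags, protocol, algorithm, secret_b64). The record may
    carry an optional TTL and class, and the base64 data may be split into
    several whitespace-separated chunks, so everything after the algorithm
    field is joined back together."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip comments
        if not line:
            continue
        fields = line.split()
        if "KEY" not in fields:
            raise ValueError("expected a KEY record: " + line)
        i = fields.index("KEY")
        if len(fields) < i + 5:
            raise ValueError("truncated KEY record: " + line)
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        return fields[0], flags, proto, alg, "".join(fields[i + 4:])
    raise ValueError("no KEY record found")


def parse_private_file(text):
    """Parse the .private file ('Field: value' lines, Private-key-format v1.x)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z-]+):\s*(.*)$", line.strip())
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def tsig_key_from_files(key_text, private_text, expected_bits=None):
    """Cross-check the pair and return (algorithm_name, key_name, secret_b64).

    Any inconsistency raises ValueError, so a mismatched, truncated or
    non-HMAC key is rejected instead of being turned into a TSIG key that
    can never validate."""
    owner, flags, proto, alg, pub_secret = parse_key_file(key_text)
    priv = parse_private_file(private_text)
    if alg not in HMAC_ALGORITHMS:
        raise ValueError(f"algorithm {alg} is not an HMAC (TSIG) algorithm")
    priv_alg = int(priv.get("Algorithm", "0").split()[0])
    if priv_alg != alg:
        raise ValueError(f"algorithm mismatch: .key has {alg}, .private has {priv_alg}")
    if priv.get("Key") != pub_secret:
        raise ValueError("secret in .key does not match 'Key:' in .private")
    if proto != 3:
        raise ValueError(f"unexpected protocol field {proto} (DNSSEC keys use 3)")
    raw = base64.b64decode(pub_secret, validate=True)  # rejects malformed base64
    if expected_bits is not None and len(raw) * 8 != expected_bits:
        raise ValueError(f"secret is {len(raw) * 8} bits, expected {expected_bits}")
    return HMAC_ALGORITHMS[alg], owner.rstrip("."), pub_secret


def key_argument(alg_name, key_name, secret_b64):
    """Render the key in the 'alg:name:secret' form used by -y style options."""
    return f"{alg_name}:{key_name}:{secret_b64}"


if __name__ == "__main__":
    alg_name, key_name, secret = tsig_key_from_files(
        SAMPLE_KEY_FILE, SAMPLE_PRIVATE_FILE, expected_bits=256)
    print(key_argument(alg_name, key_name, secret))
```

Reading both files and comparing them catches the usual mistakes (pointing `-k` at the `.key` of a different key than the `.private`, a secret truncated while copying, a key generated with the wrong `-b`) before the update is sent and rejected with a BADSIG that tells you nothing.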
Hello everyone,
on behalf of CZ.NIC Labs, I would like to announce Knot DNS 1.6.2. The
patch release contains one new feature and a few small bug fixes.
With the new version, the number of concurrent TCP clients connected to
the server can be limited. The limit is set using the 'max-tcp-clients'
configuration option in the 'system' section. The purpose of this setting is
to avoid resource exhaustion when the server is under load. The
default value for the option is 100.
When the limit is hit, new connections are not accepted for a few
seconds. Active connections are not affected. Please note that we have
also slightly lowered the defaults for TCP idle timeouts.
As for the bug fixes: a possible file descriptor leak when terminating
inactive TCP clients was fixed. Scheduled events for zones switched from
slave mode to master mode are now handled correctly. And compilation of
Dnstap features on FreeBSD now works.
Full changelog:
https://gitlab.labs.nic.cz/labs/knot/blob/v1.6.2/NEWS
Sources:
https://secure.nic.cz/files/knot-dns/knot-1.6.2.tar.xz
https://secure.nic.cz/files/knot-dns/knot-1.6.2.tar.gz
GPG signatures:
https://secure.nic.cz/files/knot-dns/knot-1.6.2.tar.xz.asc
https://secure.nic.cz/files/knot-dns/knot-1.6.2.tar.gz.asc
Thank you for using Knot DNS.
Best Regards,
Jan
--
Jan Včelák, Knot DNS
CZ.NIC Labs https://www.knot-dns.cz
--------------------------------------------
Milešovská 5, 130 00 Praha 3, Czech Republic
WWW: https://labs.nic.cz
https://www.nic.cz
Hello everyone!
After months of keeping our secrets, we would like to share with you a preview
of a new DNSSEC implementation in Knot DNS. The new DNSSEC will be one of the
key features for the upcoming Knot DNS 2.0.
If you are watching our source repository, you may have noticed a tag v1.99.0
appearing silently at the end of 2014. At that time, Knot DNS was already
using the newly implemented DNSSEC, but the only visible change was a
different key format. And internally, GnuTLS/Nettle replaced OpenSSL for
cryptographic operations.
Today, CZ.NIC Labs releases Knot DNS 1.99.1, the next step towards 2.0.
Knot DNS 1.99.1 adds initial support for DNSSEC KASP (Key And Signature
Policy). This is our vision of real-world DNSSEC deployment. Essentially, you
define a policy (used algorithm, key sizes, key lifetime, signature lifetime,
etc.) and the server will do the heavy lifting. It will generate keys and
publish/roll them correctly, so you don't have to compute and set timing
meta-data on private keys manually.
At the moment, the KASP support is quite limited: Single algorithm, single
KSK, and single ZSK can be specified in the policy. The server is able to
generate initial keys and perform ZSK rollovers (key pre-publish method).
More features are coming soon.
Documentation on KASP [1] is currently available on the project wiki,
including the reference manual for the new management utility keymgr [2].
[1] https://gitlab.labs.nic.cz/labs/knot/wikis/kasp-setup
[2] https://gitlab.labs.nic.cz/labs/knot/wikis/kasp-keymgr-reference
Source archives are available as usual:
https://secure.nic.cz/files/knot-dns/knot-1.99.1.tar.xz
https://secure.nic.cz/files/knot-dns/knot-1.99.1.tar.gz
Please note that Knot DNS 1.99.1 is not ready to replace Knot DNS 1.6.x.
We are looking forward to hearing feedback from you, and we are happy to
answer all your questions and concerns.
Best regards,
Jan
--
Jan Včelák, Knot DNS
CZ.NIC Labs https://www.knot-dns.cz
--------------------------------------------
Milešovská 5, 130 00 Praha 3, Czech Republic
WWW: https://labs.nic.cz
https://www.nic.cz
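The announcement above describes a policy (algorithm, key sizes, key and signature lifetimes) from which the server derives key timing and performs ZSK rollovers by pre-publication. As an added example for this thread (not Knot DNS code, and no claim about the exact timers Knot 1.99.1 uses), the following Python computes the publish/active/retire/remove times of consecutive ZSKs using the pre-publish method of RFC 6781 and checks the invariants a rollover must satisfy. The policy values and start date are constructed; the code assumes the zone is fully re-signed with the new key when the old one retires, so the policy's signature lifetime does not enter the key timing here.

```python
"""Pre-publish ZSK rollover timing (RFC 6781, section 4.1.1.1) derived from a
policy: the kind of timing metadata a KASP computes so that it is not set by
hand on the private keys.

This is an added example for the thread, not Knot DNS code, and it makes no
claim about the exact timers Knot 1.99.1 uses. Policy values are constructed.
It assumes the zone is fully re-signed with the new key when the old one
retires; the signature lifetime from the policy is therefore not needed here.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Policy:
    zsk_lifetime: timedelta       # how long one ZSK signs the zone
    dnskey_ttl: timedelta         # TTL of the DNSKEY RRset
    zone_max_ttl: timedelta       # largest TTL of any signed RRset in the zone
    propagation_delay: timedelta  # time for a change to reach every secondary


@dataclass(frozen=True)
class KeyTiming:
    publish: datetime  # DNSKEY appears in the zone (not yet signing)
    active: datetime   # key starts signing
    retire: datetime   # key stops signing; successor takes over
    remove: datetime   # DNSKEY can safely be removed from the zone


# Constructed sample policy and start of signing.
SAMPLE_POLICY = Policy(zsk_lifetime=timedelta(days=30),
                       dnskey_ttl=timedelta(hours=1),
                       zone_max_ttl=timedelta(days=1),
                       propagation_delay=timedelta(hours=6))
SAMPLE_START = datetime(2015, 1, 5, 12, 0)


def _remove_after(retire, policy):
    # After retire the zone is re-signed, but resolvers may still hold RRsets
    # carrying the old key's signatures for zone_max_ttl after the re-signed
    # zone has reached all secondaries. The old DNSKEY must stay until then.
    return retire + policy.propagation_delay + policy.zone_max_ttl


def initial_timing(start, policy):
    """First ZSK of a freshly signed zone: nothing to wait for."""
    retire = start + policy.zsk_lifetime
    return KeyTiming(start, start, retire, _remove_after(retire, policy))


def successor_timing(current, policy):
    """Timing for the ZSK that replaces `current` using pre-publication."""
    active = current.retire
    # The new DNSKEY must have replaced the old DNSKEY RRset in every cache
    # before any signature made with it can be seen by a validator.
    publish = active - (policy.dnskey_ttl + policy.propagation_delay)
    if publish < current.active:
        raise ValueError("zsk_lifetime too short for pre-publication")
    retire = active + policy.zsk_lifetime
    return KeyTiming(publish, active, retire, _remove_after(retire, policy))


def schedule(start, policy, count):
    """Timing for `count` consecutive ZSKs starting at `start`."""
    keys = [initial_timing(start, policy)]
    while len(keys) < count:
        keys.append(successor_timing(keys[-1], policy))
    return keys


def check_rollover(old, new, policy):
    """Return the list of pre-publish invariants a rollover violates."""
    problems = []
    if new.active != old.retire:
        problems.append("gap or overlap between old retire and new active")
    if new.active - new.publish < policy.dnskey_ttl + policy.propagation_delay:
        problems.append("new key signs before its DNSKEY could reach all caches")
    if old.remove - old.retire < policy.zone_max_ttl + policy.propagation_delay:
        problems.append("old DNSKEY removed while its signatures may be cached")
    return problems


if __name__ == "__main__":
    for n, k in enumerate(schedule(SAMPLE_START, SAMPLE_POLICY, 3)):
        print(f"ZSK {n}: publish {k.publish}  active {k.active}  "
              f"retire {k.retire}  remove {k.remove}")
```

The two waiting periods are the whole point of automating this: publishing the new key less than DNSKEY TTL plus propagation delay before it signs, or dropping the old key before its signatures have aged out of caches, both produce validation failures that only some resolvers see for a while, which is exactly the class of outage hand-set timing metadata tends to cause.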
Good evening,
I don't seem to be able to configure Knot 1.6.1 to sign a zone it slaves in:
example.com {
file "/usr/local/etc/knot/aa/example.com.zone";
xfr-in home;
dnssec-keydir "/usr/local/etc/knot/aa";
dnssec-enable on;
}
If I omit the two 'dnssec-*' parameters, the zone is slaved in. Adding
them, however, results in no transfer; log shows:
notice: [example.com] automatic DNSSEC signing enabled, disabling incoming XFRs
Is it currently possible with Knot to sign a slaved zone?
Regards,
-JP