Hi ..
I'm trying out the dnstap support in Knot, and I seem to have an issue getting it to write to a socket instead of a file. If I give it a file to write to, things seem to work as expected. When I write to a socket, the socket file is not created, and there don't appear to be any errors.
Have I got something wrong?
My very basic config and startup log is included below.
---
server:
rundir: /home/matt/etc/knot
user: matt:staff
listen: 0.0.0.0@5353
log:
- target: /home/matt/etc/knot/logfile
server: info
zone: info
any: info
mod-dnstap:
- id: capture_all
sink: unix:/home/matt/etc/knot/capture.tap
template:
- id: default
storage: /home/matt/etc/knot/zones
kasp-db: /home/matt/etc/knot/kasp
module: mod-dnstap/capture_all
zone:
- domain: myzone.test
dnssec-signing: on
---
2016-02-23T18:09:47 info: Knot DNS 2.1.1 starting
2016-02-23T18:09:47 info: binding to interface '0.0.0.0@5353'
2016-02-23T18:09:47 info: changing GID to '60'
2016-02-23T18:09:47 info: changing UID to '1001'
2016-02-23T18:09:47 info: PID stored in '/home/matt/etc/knot/knot.pid'
2016-02-23T18:09:47 info: changed directory to /
2016-02-23T18:09:47 info: loading 1 zones
2016-02-23T18:09:47 info: [myzone.test] zone will be loaded, serial 0
2016-02-23T18:09:47 info: starting server
2016-02-23T18:09:47 info: [myzone.test] DNSSEC, loaded key, tag 26654, algorithm 8, KSK yes, ZSK no, public no, active no
2016-02-23T18:09:47 info: [myzone.test] DNSSEC, loaded key, tag 7468, algorithm 8, KSK no, ZSK yes, public yes, active yes
2016-02-23T18:09:47 info: [myzone.test] DNSSEC, loaded key, tag 20456, algorithm 8, KSK yes, ZSK no, public yes, active yes
2016-02-23T18:09:47 info: [myzone.test] DNSSEC, signing started
2016-02-23T18:09:47 info: [myzone.test] DNSSEC, zone is up-to-date
2016-02-23T18:09:47 info: [myzone.test] DNSSEC, next signing on 2016-02-29T23:43:54
2016-02-23T18:09:47 info: [myzone.test] loaded, serial 0 -> 2016022209
2016-02-23T18:09:47 info: server started as a daemon, PID 26600
2016-02-23T18:09:47 info: remote control, binding to '/home/matt/etc/knot/knot.sock'
2016-02-23T18:11:07 info: remote control, received command 'stop'
2016-02-23T18:11:07 info: stopping server
2016-02-23T18:11:07 info: updating zone timers database
2016-02-23T18:11:07 info: shutting down
Dear all,
knotc has a zone-check command. Is there a tool which can validate a
zone file directly?
I see that you have a DNS library which can load a zone file very fast
(https://github.com/vavrusa/luajit-kdns). However this is missing the
zone checker/validator.
The stand alone zone check command line tool I was looking for would
also verify DNSSEC signatures. Something like dnssec-verify (BIND).
Daniel
Hello everyone.
Knot DNS 2.1.1 by CZ.NIC Labs has been just declared stable. It mostly
contains bug fixes. The update is highly recommended as some of the
problems are quite critical.
- We have resolved the problem with source address selection for
UDP messages when the server is configured to listen on all
available addresses (i.e., 0.0.0.0 or ::0). Prior to this release
and depending on the networking configuration, the server could
choose a wrong source address.
- Duplicate private keys can be now imported into the KASP database.
This is practical if you have the same signing key in the legacy
format and share the key between multiple domains. Prior to this
release, sharing the key was possible only with some hacks.
- We have resolved a problem with duplicate NSEC record which had
been returned for Wildcard No Data answers. In the new version, the
record is inserted into the response only once.
- We have fixed a possible server crash, which could happen during
an incoming zone transfer when a server reload is requested.
- The fix of a crash with many configured interfaces and threads was
included in the previous release. However the fix was incomplete. We
have found another related problems which are addressed in the new
version.
Thank you for the feedback and bug reports. And we are looking forward
to hear back from you. :-)
The sources are available on our server as usual.
Full changelog:
https://gitlab.labs.nic.cz/labs/knot/raw/v2.1.1/NEWS
Sources:
https://secure.nic.cz/files/knot-dns/knot-2.1.1.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-dns/knot-2.1.1.tar.xz.asc
Best Regards,
Jan
--
Jan Včelák, Knot DNS
CZ.NIC Labs https://www.knot-dns.cz
--------------------------------------------
Milešovská 5, 130 00 Praha 3, Czech Republic
WWW: https://labs.nic.czhttps://www.nic.cz
Hello folks.
CZ.NIC Labs just released Knot DNS 1.6.7. This patch release contains
only a few improvements. Upgrade is not necessary but advised.
- The server newly logs the change in the zone serial after IXFR
transfers. Prior to this release, information about serial was logged
only for AXFR transfers. This modification unifies the logging
behavior.
- We have added the 'timer-db' configuration option, which allows
relocation of zone timer database. This is useful if you run multiple
daemon instances sharing the same zone storage directory.
- The RRL implementation newly supports zero value for the
'rate-limit-slip' option. With this setting, all responses for a flow
exceeding the configured limit will be dropped.
- The documentation for RRL was extended to include information about
expected operational impact of various settings.
As you can see, the changes are rather small. We will continue in this
trend with the LTS version of Knot DNS. If you run Knot DNS 1.6 and look
for a new features and improvements, please consider an early upgrade to
Knot DNS 2.x.
The sources are available on our server as usual.
Full changelog:
https://gitlab.labs.nic.cz/labs/knot/raw/1.6/NEWS
Source archives:
https://secure.nic.cz/files/knot-dns/knot-1.6.7.tar.xzhttps://secure.nic.cz/files/knot-dns/knot-1.6.7.tar.gz
GPG signatures:
https://secure.nic.cz/files/knot-dns/knot-1.6.7.tar.xz.aschttps://secure.nic.cz/files/knot-dns/knot-1.6.7.tar.gz.asc
Best Regards,
Jan
--
Jan Včelák, Knot DNS
CZ.NIC Labs https://www.knot-dns.cz
--------------------------------------------
Milešovská 5, 130 00 Praha 3, Czech Republic
WWW: https://labs.nic.czhttps://www.nic.cz
Hello list,
this is just a quick note that we plan to do an ordinary bug fix release
of Knot DNS 1.6.7 and Knot DNS 2.1.1 the next week.
As for 2.1.1, we did some changes in the networking code and we want to
make sure that everything is working correctly. If you can help us with
testing we would be very happy. The tarball with sources for testing is
available on our server:
https://secure.nic.cz/files/knot-dns/knot-2.1.1-test.tar.xz
Thank you.
Cheers,
Jan
Hi,
I’m trying to compile Knot 2.1, but it fails. Here is the error part:
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../../src -include
../../src/config.h -I./shared -I./lib -I./lib/dnssec -I../../src
-I/usr/include/p11-kit-1 -fvisibility=hidden -D_FORTIFY_SOURCE=2
-march=native -O2 -pipe -fstack-protector-strong -fstack-check -Wall
-Werror=format-security -Werror=implicit -fpredictive-commoning -MT
lib/event/action/libdnssec_la-initial_key.lo -MD -MP -MF
lib/event/action/.deps/libdnssec_la-initial_key.Tpo -c
lib/event/action/initial_key.c -fPIC -DPIC -o
lib/event/action/.libs/libdnssec_la-initial_key.o
lib/binary.c: In function 'base64_decode_raw':
lib/binary.c:47:2: warning: statement with no effect [-Wunused-value]
nettle_len dst_size = dst_max_size;
^
lib/binary.c:47:13: error: expected ';' before 'dst_size'
nettle_len dst_size = dst_max_size;
^
lib/binary.c:48:50: error: 'dst_size' undeclared (first use in this
function)
int result = nettle_base64_decode_update(&ctx, &dst_size, dst,
src_len, src);
^
lib/binary.c:48:50: note: each undeclared identifier is reported only
once for each function it appears in
lib/binary.c:54:1: warning: control reaches end of non-void function
[-Wreturn-type]
}
^
I suppose this has to do with the flags used on my system (Arch Linux) ?
Thanks,
Bruno
Hi,
I’ve installed knot 2.0.2 on one of my server.
It’s configured with three IPv6 and I manage their reliability with some
source-specifi routing:
alarig@bulbizarre ~ $ ip -6 route list | grep default
default from 2001:470:1f13:138:715d:2fa0:b591:532f via fe80::20d:b9ff:fe3a:1fa1 dev eth0 metric 1024
default from 2a00:5881:4008:400::1 dev tun0 metric 1024
default from 2a01:240:fe00:82af:764f:b47e:d131:85e4 via fe80::20d:b9ff:fe3a:1fa1 dev eth0 metric 1024
default via fe80::20d:b9ff:fe3a:1fa1 dev eth0 metric 4
It works fine as I can ping those three IP from the same machine at the
same moment.
But, knot don’t take care of this and answer with the “nearest” IPv6
(like the IP source is calculated when you have several ones).
bulbizarre ~ # tcpdump -i any host mc.swordarmor.fr
23:13:07.276493 IP6 2001:41d0:a:27e4::1.52203 > florizarre.swordarmor.fr.domain: 59831+ SOA? swordarmor.fr. (31)
23:13:07.276647 IP6 bulbizarre.swordarmor.fr.domain > 2001:41d0:a:27e4::1.52203: 59831*- 1/0/0 SOA (86)
You can see that knot answer with 2001:470:1f13:138:715d:2fa0:b591:532f, which
is the one chosen if I’m the initiator of the connection.
Indeed, it works with my IRCd:
23:14:17.684155 IP6 2001:41d0:a:27e4::1.36490 > florizarre.swordarmor.fr.6697: Flags [P.], seq 53:106, ack 106, win 331, options [nop,nop,TS val 4047617704 ecr 1587664633], length 53
23:14:17.684301 IP6 florizarre.swordarmor.fr.6697 > 2001:41d0:a:27e4::1.36490: Flags [P.], seq 106:211, ack 106, win 240, options [nop,nop,TS val 1587724598 ecr 4047617704], length 105
23:14:22.555891 IP6 2001:41d0:a:27e4::1.34822 > bulbizarre.swordarmor.fr.6697: Flags [P.], seq 1:62, ack 61, win 331, options [nop,nop,TS val 4047618922 ecr 1587729432], length 61
23:14:22.555928 IP6 bulbizarre.swordarmor.fr.6697 > 2001:41d0:a:27e4::1.34822: Flags [.], ack 62, win 274, options [nop,nop,TS val 1587729469 ecr 4047618922], length 0
Is it a known bug?
--
alarig
