Hello guys,
there has been a request in our issue tracker [1], to enable
IPV6_USE_MIN_MTU socket option [2] for IPv6 UDP sockets in Knot DNS.
This option makes the operating system send the responses with a
maximal fragment size of 1280 bytes (the minimal MTU size required by the IPv6
specification).
The reasoning is based on the draft by Mark Andrews from 2012 [3]. I
wonder if the reasoning is still valid in 2016. And I'm afraid that
enabling this option could enlarge the window for possible DNS cache
poisoning attacks.
We would appreciate any feedback on your operational experience with DNS
on IPv6 related to packet fragmentation.
[1] https://gitlab.labs.nic.cz/labs/knot/issues/467
[2] https://tools.ietf.org/html/rfc3542#section-11.1
[3] https://tools.ietf.org/html/draft-andrews-dnsext-udp-fragmentation-01
Thanks and regards,
Jan
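The socket option discussed in the message above, as an added example that is not Knot DNS's own code: it enables IPV6_USE_MIN_MTU (RFC 3542 section 11.1) on an IPv6 UDP socket where the platform provides it and, on Linux, which does not implement that option, falls back to pinning the per-socket fragmentation size with IPV6_MTU at 1280 bytes. The fallback strategy, the helper names and the payload-budget helper are assumptions of this example, not something the thread states; the 1232-byte figure is 1280 minus the 40-byte IPv6 header and the 8-byte UDP header, which is the largest DNS response that leaves such a socket unfragmented.

```c
/* Added example (not Knot DNS code): cap IPv6 UDP fragments at the 1280-byte
 * minimum MTU, using the RFC 3542 IPV6_USE_MIN_MTU option where the platform
 * offers it and the Linux IPV6_MTU option as a fallback. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define IPV6_MIN_MTU_BYTES 1280   /* minimum link MTU every IPv6 link must carry */
#define IPV6_HEADER_BYTES  40
#define UDP_HEADER_BYTES   8

/* Largest UDP payload that fits in one unfragmented datagram at a given link
 * MTU: 1280 - 40 - 8 = 1232 bytes at the IPv6 minimum. */
int udp_payload_budget(int link_mtu)
{
    return link_mtu - IPV6_HEADER_BYTES - UDP_HEADER_BYTES;
}

/* Create an unconnected IPv6 UDP socket; returns -1 if the host has no IPv6. */
int make_ipv6_udp_socket(void)
{
    return socket(AF_INET6, SOCK_DGRAM, 0);
}

/* Ask the kernel to fragment outgoing datagrams on this socket at the IPv6
 * minimum MTU instead of the discovered path MTU.
 * Returns 0 on success, -1 if setsockopt failed (errno is set), and
 * -2 if the platform exposes neither option (helper and codes are this
 * example's own convention). */
int limit_ipv6_udp_to_min_mtu(int fd)
{
#if defined(IPV6_USE_MIN_MTU)
    /* BSD-derived stacks: RFC 3542 section 11.1, value 1 means "always use 1280". */
    int use_min = 1;
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_USE_MIN_MTU, &use_min, sizeof(use_min)) < 0)
        return -1;
    return 0;
#elif defined(IPV6_MTU)
    /* Linux: IPV6_USE_MIN_MTU is not implemented; IPV6_MTU pins the
     * fragmentation size for this socket to a fixed value instead. */
    int mtu = IPV6_MIN_MTU_BYTES;
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_MTU, &mtu, sizeof(mtu)) < 0)
        return -1;
    return 0;
#else
    (void)fd;
    return -2;
#endif
}

int main(void)
{
    int fd = make_ipv6_udp_socket();
    if (fd < 0) {
        perror("socket(AF_INET6)");
        return 1;
    }
    int rc = limit_ipv6_udp_to_min_mtu(fd);
    if (rc == 0)
        printf("fragment size capped at %d bytes; unfragmented UDP payload budget is %d bytes\n",
               IPV6_MIN_MTU_BYTES, udp_payload_budget(IPV6_MIN_MTU_BYTES));
    else if (rc == -1)
        fprintf(stderr, "setsockopt: %s\n", strerror(errno));
    else
        fprintf(stderr, "no per-socket minimum-MTU option on this platform\n");
    close(fd);
    return rc == 0 ? 0 : 1;
}
```

The operational trade-off the thread asks about follows directly from the budget: with the cap in place, any response larger than 1232 bytes (large DNSSEC answers, for instance) is sent as fragments regardless of the real path MTU, so it is worth measuring how many of a server's responses exceed that size before turning the option on.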
Hi,
I have the following configuration working for unbound, how can I get
the same behavior working in knot-resolver?
server:
    do-not-query-localhost: no
    domain-insecure: "stubzone"
    local-zone: "stubzone" nodefault
stub-zone:
    name: "stubzone"
    stub-addr: 127.0.0.2
I run this for various testing and what I want is to redirect a zone to
a local DNS server, and I also want the resolver to follow any
delegations it receives.
Cheers,
Jerry
Dear all,
I set up knot to do an automatic rollover of the ZSK after 180 days:
policy:
  - id: policy
    keystore: keystore
    manual: off
    single-type-signing: off
    algorithm: rsasha256
    ksk-size: 4096
    zsk-size: 2048
    zsk-lifetime: 180d
    propagation-delay: 1d
However, I cannot see on which date this will be.
root@vserver:~# keymgr zone key list yyy.ch
- 28f58xx 6862
- 79fb61b77xx 63816
root@vserver:~# keymgr zone key list yyy.ch
- 28f58xx 6862
- 79fb61b77xx 63816
root@vserver:~# keymgr zone key show yyy.ch
Name of zone and key have to be specified.
root@vserver:~# keymgr zone key show yyy.ch 28f58xx
id 28f58xx
keytag 6862
algorithm 8
size 4096
flags 257
publish 1491505038
active 1491505038
retire 0
remove 0
root@vserver:~# keymgr zone key show yyy.ch 79fb61b77xx
id 79fb61b77xx
keytag 63816
algorithm 8
size 2048
flags 256
publish 1491504999
active 1491504999
retire 0
remove 0
How do I know it is activated, and when will it be?
I imported the keys - can this be the reason?
Thank you and
best regards
Dirk