Just to clarify some semantics of the config format.
Is each individual 'remote' ID considered to be a single server,
regardless of the number of addresses it has?
For the notify case, it looks like knot will send to each address in a
remote ID in serial, and stop as soon as one replies. That suggests
the above semantics, but I wanted to make sure I'm interpreting this
behaviour correctly before I complicate my config by adding a lot more
remotes. I am currently treating each remote as an organisation,
lumping all of that organisation's servers together under a single ID.
Hi,
i have knot dns setup with dns cookie module enabled but if i check with
dnsviz.net i always get:
The server appears to support DNS cookies but did not return a COOKIE
option.
Relevant parts of my knot.conf:
template:
- id: default storage: "/var/lib/knot"
dnssec-signing: on
dnssec-policy: rsa2048
global-module: [ "mod-cookies", "mod-rrl/default" ]
mod-rrl:
- id: default
rate-limit: 200
slip: 2
- domain: mydomain.de
file: "/etc/knot/zones/mydomain.de.zone"
notify: secondary
acl: acl_secondary
zonefile-load: difference
I thought about maybe it's the slip: 2, but that didn't change anything
if set to 1
Do you guys see anything obvious causing this "issue"?
Thanks for your time
Juergen
Hi,
For many months now, we've been preparing new signers for our internal
zones and eventually .is.
We've got the first of our test zones live on the production signers,
but some things are troubling us.
This is the config we're using for zones:
template:
- id: default
semantic-checks: on
storage: "/usr/local/etc/knot"
file: "zones/unsigned/%s/%s-soa"
serial-policy: dateserial
zonefile-sync: -1
zonefile-load: difference-no-serial
journal-content: all
notify: hidden_primary
acl: hidden_primary_acl
policy:
- id: isnic
algorithm: RSASHA256
ksk-size: 4096
zsk-size: 2048
ksk-lifetime: 365d
zsk-lifetime: 30d
propagation-delay: 1h
rrsig-lifetime: 14d
rrsig-refresh: 7d
rrsig-pre-refresh: 1h
---
zones/unsigned is stored in a git repo and changes are deployed by an
ansible playbook that checks out the latest revision and reloads the zones.
Someone pointed out that zonefile-load: difference-no-serial was risky
for something as important as a TLD, but what is the alternative when
doing automatic DNSSEC signing on zone data from git? Also, we turned
off zonefile-sync, since our current deployment script overwrites the
zonefile. Is there a way to load initial zone data from one file, but do
zonefile-sync to another?
We're seeing this in our logs:
Jan 20 09:32:06 ht-signer01 knot[49715]: info: [pp.is.] zone file
parsed, serial corrected 1970010100 -> 2022012000
Jan 20 09:32:06 ht-signer01 knot[49715]: info: [pp.is.] loaded, serial
2022011900 -> 2022012000 -> 2022011900, 3830 bytes
Any idea what's happening on the second line? It's like knot wants to
increment the serial, but then changes it's mind :)
.einar
