Hi,
I'm evaluating the Knot DNS server as a DNSSEC signer engine. I'm
currently running version 3.2.6 together with SoftHSM version 2.6.1 on
an Ubuntu 20.04 linux server.
Now I have a problem with keymgr crashing with a segmentation fault
and dumping core. This happens with some of the commands of keymgr,
but not all (the command keymgr -l runs fine). The command 'keymgr
trondheim.no list' produces the correct output, but then crashes.
/var/log/apport.log indicates that a dbus session is missing in the
environment:
ERROR: apport (pid 811054) Tue Jun 13 07:56:00 2023: called for pid 811052, signal 11, core limit 0, dump mode 2
ERROR: apport (pid 811054) Tue Jun 13 07:56:00 2023: not creating core for pid with dump mode of 2
ERROR: apport (pid 811054) Tue Jun 13 07:56:00 2023: executable: /usr/sbin/keymgr (command line "keymgr trondheim.no list")
ERROR: apport (pid 811054) Tue Jun 13 07:56:00 2023: is_closing_session(): no DBUS_SESSION_BUS_ADDRESS in environment
ERROR: apport (pid 811054) Tue Jun 13 07:56:00 2023: apport: report /var/crash/_usr_sbin_keymgr.0.crash already exists and unseen, skipping to avoid disk usage DoS
Running the command as 'dbus-run-session keymgr trondheim.no list' gives:
ERROR: apport (pid 811174) Tue Jun 13 08:01:04 2023: called for pid 811173, signal 11, core limit 0, dump mode 2
ERROR: apport (pid 811174) Tue Jun 13 08:01:04 2023: not creating core for pid with dump mode of 2
ERROR: apport (pid 811174) Tue Jun 13 08:01:04 2023: executable: /usr/sbin/keymgr (command line "keymgr trondheim.no list")
ERROR: apport (pid 811174) Tue Jun 13 08:01:04 2023: is_closing_session(): Could not determine DBUS socket.
ERROR: apport (pid 811174) Tue Jun 13 08:01:04 2023: apport: report /var/crash/_usr_sbin_keymgr.0.crash already exists and unseen, skipping to avoid disk usage DoS
I've tried to run the command as root and as the knot user, and I have
to admit that I'm not very familiar with how to manage dbus sessions.
I want to run the keymgr command from cron or from some other system
shell, for periodically monitoring the keys. However, I'm unsure why
keymgr wants to communicate on the dbus. Is it possible to disable this?
Regards,
Erik Østlyngen
Subject: GUI Frontends for Knot DNS Server
Good day from Singapore,
Are there any GUI frontends for configuring Knot DNS Server?
I prefer GUI configuration interface. It is more efficient than
command line interface (CLI).
Thank you.
Regards,
Mr. Turritopsis Dohrnii Teo En Ming
Targeted Individual in Singapore
Blogs:
https://tdtemcerts.blogspot.com
https://tdtemcerts.wordpress.com
Hello!
I have a Knot 3.2.5 server running here which, for most zones, acts as a
bump-in-the-wire signer, and it's doing exactly what I expect it to do.
The same server carries a few secondary zones which are not signed, and I
notice that when Knot transfers these zones in, it doesn't NOTIFY its
secondaries, something which works fine for DNSSEC signed zones.
The following configuration is in place:
remote:
  - id: pdns
    address: 192.168.25.45@53
    key: dsupload
    block-notify-after-transfer: on   # <-------
    automatic-acl: on

template:
  - id: default
    zonefile-load: difference
    file: "%s"
    serial-policy: dateserial
    master: pdns
    catalog-role: member
    catalog-zone: katz1
    acl: [ xfr, notify_from_pdns, xfer_to_bind ]
    notify: [ s1, s2, s3 ]

policy:
  - id: manualHSM
    manual: on
    keystore: thales
    cds-cdnskey-publish: rollover
    ksk-submission: ds_checker
    ds-push: pdns

zone:
  - domain: sig.example
    dnssec-policy: manualHSM
    dnssec-signing: on
  - domain: notsig.example
    dnssec-signing: off
When sig.example is transferred in, Knot signs it, NOTIFYs its secondaries
(s1--s3), they XFR the zone and all's well.
When the unsigned notsig.example is transferred in, the logs indicate Knot is
seeing the new serial, and that's it; the secondaries are not NOTIFYd. (I can
manually `knotc notify', but that's not the point.)
Setting `block-notify-after-transfer: off' on the remote remediates this. Knot
then does NOTIFY its secondaries for the unsigned zone (and for the signed
zone).
The documentation states:
"When incoming AXFR/IXFR from this remote (as a primary server),
suppress sending NOTIFY messages to all configured secondary servers."
However, if I switch it off (i.e. enable notification), I do not see the NOTIFY
when Knot initially transfers the unsigned zone which is then signed and hence
then notified.
Is this behavior expected, and have I interpreted it correctly?
Thanks & best regards,
-JP