- knot-dns-users - lists.nic.cz

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 3.4.3! This is a bugfix version with some improvements. Changelog: https://gitlab.nic.cz/knot/knot-dns/-/releases/v3.4.3 Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support: https://www.knot-dns.cz/support/ Regards, Daniel

1 rok, 5 měsíců

1
0
0 0

Starting and stopping knotd

by Erik P. Ostlyngen

Hi, I'm running an instance of knotd for testing. It is installed with the official ubuntu debian package from kont-dns.cz. When I start the knot service, using systemctl, it takes a very long time to start up (sometimes 30 min). This seems to be related to the systemd unit which is set to type 'notify', and the fact that knot after starting up wants to re-sign all the zones which needs that before notifying. If I change the type to 'simple' or 'forked' (together with the knotd -d option), the start command returns more immediately. My test system has about 800 zonefiles in it. A large number of them want to be re-signed after each startup. My question is, what is the recommended way to start, stop and restart the server? Also, after starting I cannot find the /run/knot/knot.sock file, which is needed when stopping the service with 'knotc stop'. Knot version: 3.4.1-cznic.1~focal (debian package from knot-dns.cz) OS: Linux 5.4.0/Ubuntu 20.04 Focal amd64. Kind regards, Erik Østlyngen Norid

1 rok, 6 měsíců

2
4
0 0

EPEL Packages

by Günther J. Niederwimmer

Hello Daniel, Are the EPEL packages no longer available (?), I'm stuck at 3.3.9. There have been no updates since then. Or can you download the .rpm from somewhere else now? -- mit freundlichen Grüßen / best regards Günther J. Niederwimmer

1 rok, 6 měsíců

4
7
0 0

Knot DNS 3.4.2 release

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 3.4.2! This is a bugfix version with a few improvements. Upgrade from 3.4.0 and 3.4.1 is recommended. Changelog: https://gitlab.nic.cz/knot/knot-dns/-/releases/v3.4.2 Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support: https://www.knot-dns.cz/support/ Regards, Daniel

1 rok, 6 měsíců

1
0
0 0

Knot DNS 3.4.1 release

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 3.4.1! This is a bugfix version with some new features. Changelog: https://gitlab.nic.cz/knot/knot-dns/-/releases/v3.4.1 Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support: https://www.knot-dns.cz/support/ Regards, Daniel

1 rok, 7 měsíců

1
0
0 0

Knot DNS 3.4.0 release

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 3.4.0! This version brings DNS/XFR over TLS, DDNS over QUIC and TLS, continuous DNSSEC zone validation, XDP improvements, enhanced RRL, partially asynchronous processing of control commands, and more. See the changelog. Today, Knot DNS 3.2 reached its end-of-life! Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v3.4.0/NEWS Migration: https://www.knot-dns.cz/docs/latest/html/migration.html#upgrade-3-3-x-to-3-… Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support: https://www.knot-dns.cz/support/ Regards, Daniel

1 rok, 8 měsíců

5
10
0 0

Deny dynamic updates for certain owners/names

by Conrad Hoffmann

Hi all, we are using dynamic updates for solving ACME challenges. My goal is to restrict the key used for this as much as possible. However, I find it a bit difficult to do so while keeping the required flexibility. Maybe someone has some good recommendations for this? The key is already restricted to TXT records, so that's good. In a nutshell, I'd like to allow only "_acme-challenge.example.com" and "_acme-challenge.*.example.com". However, the latter cannot be expressed in the current config format. I would be fine allowing "*.example.com", if I could just deny a select few names (SPF, DKIM). But AFAICT, the "deny" option only works on action, key, and address, now owner matching. Is there any other way to achieve something like this? Thanks a lot, Conrad

1 rok, 8 měsíců

2
3
0 0

Knot DNS 3.3.9 release

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 3.3.9! This is a bugfix version with a few improvements. Since version 3.3.4, there has been a bug in 'keymgr pregenerate', where future timestamps of existing keys are cleared and new overlapping keys are generated instead. An upgrade is recommended if you use this function or offline KSK. Changelog: https://gitlab.nic.cz/knot/knot-dns/-/releases/v3.3.9 Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support: https://www.knot-dns.cz/support/ Regards, Daniel

1 rok, 8 měsíců

1
0
0 0

$TTL default setting ignored for resource records without explicit TTL set

by Michael Grimm

Hi, I do have the following example zone files definitions: $ORIGIN example.tld. $INCLUDE ___TTL_SOA___ and so on My ___TTL_SOA___ looks as follows: $TTL 30m ; default expiration time of all resource records without their own TTL value ; @ IN SOA ns1.example.tld. hostmaster.example.tld. ( 2024042100 ; serial (increase after each change) 4h ; refresh (recommended >= 4h) 1h ; retry (recommended >= 1h) 14d ; expire (recommended between 7d and 14d) 600 ; negative caching (former minimum, recommended between 5m and 1d) ) Note: All of my subsequent $INCLUDDE files do *not* have TTL values set explicitly! But: I do end up in a mix of TTL values of 1800 and 3600 for my resource records. You can check that using my domain in my email address. I found the following thread about this issue at https://gitlab.nic.cz/knot/knot-dns/-/issues/751 and https://datatracker.ietf.org/doc/html/rfc2308#section-4 cited therein: "All resource records appearing after the directive, and which do not explicitly include a TTL value, have their TTL set to the TTL given in the $TTL directive." In my understanding Knot's behaviour has been set to follow this standard track. Thus, I do expect that all of my resource records should have a TTL set to my $TTL directive of 1800 seconds. I might have well overlooked something, though. Any feedback is highly appreciated, Michael

1 rok, 9 měsíců

5
13
0 0

Knot DNS 3.3.8 release

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 3.3.8! This version fixes a few bugs and brings some features. I would like to ask users with hardware HSMs to send us the output of `keymgr <hsm_keystore_id> keystore-test` along with a description of the HSM. This will allow us to update https://www.knot-dns.cz/docs/latest/html/appendices.html#compatible-pkcs-11… Thank you! Note that it's no longer possible to build packages for CentOS 7 using Copr! Changelog: https://gitlab.nic.cz/knot/knot-dns/-/releases/v3.3.8 Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support: https://www.knot-dns.cz/support/ Regards, Daniel

1 rok, 9 měsíců

1
0
0 0

address lists

by Randy Bush

as yaml seems to vary widely, i worry that i may have over-induced knot yaml re address lists, see https://www.knot-dns.cz/docs/3.3/singlehtml/index.html#description remote: - id: foo address: 1.2.3.4 address: 2.3.4.5 address: 3.4.5.6 address: 6.7.8.9 is said to be the same as remote: - id: bar address: [1.2.3.4, 2.3.4.5, 3.4.5.6, 6.7.8.9] but is it also the same as remote: - id: feen address: [1.2.3.4, 2.3.4.5] address: [3.4.5.6, 6.7.8.9] feen does not result in a `knotc conf-check` syntax error, so i hope it is indeed equivalent. randy

1 rok, 10 měsíců

2
1
0 0

kasp database: how to find orphaned keys?

by Michael Grimm

Hi, is there a functionality that identifies orphaned key in the kasp database and optionally deletes those? I had had a couple of orphaned pem files. I managed to identify and remove those with the help of 'keymgr' and Unix little helpers, though. Thus I am asking just out of curiosity, because I might have missed such a functionality. Thanks and regards, Michael

1 rok, 10 měsíců

2
2
0 0

idn in axfr

by Randy Bush

knot fails to keep this zone updated. so i tested by hand ``` rip.psg.com:/home/randy# dig f.e.e.b.d.a.e.d.1.3.0.0.8.9.8.0.2.0.a.2.ip6.arpa @94.142.241.91 axfr ; <<>> DiG 9.18.24-1-Debian <<>> f.e.e.b.d.a.e.d.1.3.0.0.8.9.8.0.2.0.a.2.ip6.arpa @94.142.241.91 axfr ;; global options: +cmd ;; Warning: cannot represent 'xn--center-dla.test.globnix.net.' in the current localedig: Cannot represent 'xn--ls8h.test.globnix.net.' in the current locale nor ascii (string contains a disallowed character), use +noidnout or a different locale ``` `+noidnout` does fix it, but i am not sure i can get knot's axfr to do that the owner of the primary says Okay, this is the zone with a whole bunch of records designed to stress-test DNS implementations with things which are technically allowed in DNS at the protocol level but which apps might not handle well. Zonefile top comment: ; This is the /80 reverse DNS used for test entries which should never be ; assigned to hosts. This is </48-prefix>:DEAD:BEEF::/80 Those particular records were added on 2013-04-05 per `git blame`: 233c7992 (Phil Pennock 2013-04-05 00:08:22 +0000 64) 0.6 PTR mid\194\183dle.test.globnix.net. 233c7992 (Phil Pennock 2013-04-05 00:08:22 +0000 65) 1.6 PTR xn--center-dla.test.globnix.net. 233c7992 (Phil Pennock 2013-04-05 00:08:22 +0000 66) 2.6 PTR \240\159\146\169.test.globnix.net. 233c7992 (Phil Pennock 2013-04-05 00:08:22 +0000 67) 3.6 PTR xn--ls8h.test.globnix.net. so, `noidnout` is not in knot doc html file. clue bat, please. randy

1 rok, 10 měsíců

4
5
0 0

Knot DNS 3.3.7 and 3.2.13 releases

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 3.3.7 This version primarily fixes an old bug in the journal where some SOA serial values are incorrectly evaluated, which can corrupt the journal. Upgrade is recommended. Version 3.2.13 backports this and some older bug fixes. Changelogs: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v3.3.7/NEWS https://gitlab.labs.nic.cz/knot/knot-dns/raw/v3.2.13/NEWS Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support: https://www.knot-dns.cz/support/ Regards, Daniel

1 rok, 10 měsíců

3
5
0 0

question about unixtime

by Randy Bush

i have had a fun day chasing diags of the form ``` 2024-06-22T18:32:57.305472+00:00 ns knotd[24354]: info: [foo.com.] control, received command 'zone-reload' 2024-06-22T18:32:57.307532+00:00 ns knotd[24354]: info: [foo.com.] zone file parsed, serial 1719081134 2024-06-22T18:32:57.307669+00:00 ns knotd[24354]: warning: [foo.com.] zone file changed with decreased SOA serial 2024-06-22T18:32:57.307828+00:00 ns knotd[24354]: error: [foo.com.] zone event 'load' failed (value is out of range) ``` i have the following hypothesis: - `serial-policy: unixtime` is configured in `/etc/knot/knot.conf`. - emacs dns-mode sets the SOA serial to the current unixtime when one saves the zone file - a few seconds later, i do `knotc zone sign` and `knotc zone-reload` - knot then says "you have manually specified a new serial, but it is less than the current unixtime; i.e. you are trying to go backward. bad geek!" - i.e. knot did not like me mucking with the SOA serial in the zone file when `serial-policy: unixtime` was configured. i tested this hypothesis by putting the serial from the server's current SOA in the zone file and doing sign & reload. it succeeded, and the new zone in all servers is the unixtime of the signing, not of the zone file. my current conclusion is: do not have both emacs dns-mode with `serial-policy: unixtime`; use only one or t'other. especially if doing RFC 1982 serial stepping, remember to first turn off `serial-policy: unixtime` and `knotc reload`. does this make sense? randy

1 rok, 10 měsíců

2
3
0 0

tcp ddos

by Randy Bush

so, school is out and the children are on the loose 2024-06-10T21:27:24.199750+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 2620:171:c2::49@33322 2024-06-10T21:27:24.200561+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 167.99.160.10@14871 2024-06-10T21:27:24.200642+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 34.223.46.240@53392 2024-06-10T21:27:24.201218+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 167.99.160.10@2011 2024-06-10T21:27:24.201422+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 81.106.125.151@54192 2024-06-10T21:27:24.203263+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 34.223.46.240@53398 2024-06-10T21:27:24.203643+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 139.99.166.37@42942 2024-06-10T21:27:25.199585+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 3.228.173.229@34084 2024-06-10T21:27:25.199678+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 76.93.200.106@10371 2024-06-10T21:27:25.200951+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 2a02:6b8:c04:262:0:433f:1:3@33586 2024-06-10T21:27:25.201029+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 2600:3c09::f03c:93ff:fea9:4de0@54166 2024-06-10T21:27:25.201207+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 118.99.2.29@33170 2024-06-10T21:27:25.201385+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 213.187.92.252@40559 2024-06-10T21:27:26.200340+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 2a02:6b8:c04:262:0:433f:1:3@33594 2024-06-10T21:27:26.200529+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 40.79.144.82@59683 2024-06-10T21:27:26.203837+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 103.85.93.93@60578 2024-06-10T21:27:26.205102+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 13.244.33.51@33812 2024-06-10T21:27:27.208589+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 18.139.204.179@46824 2024-06-10T21:27:27.210062+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 20.125.201.35@63627 2024-06-10T21:27:27.331742+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 172.217.37.144@64719 2024-06-10T21:27:27.332050+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 191.233.201.73@61718 2024-06-10T21:27:27.391797+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 81.106.125.151@50624 like tens of thousands. some children are like that. so, we take this as an opportunity to learn a bit more about knot tuning we shortened `tcp-idle-timeout: 2` we set `tcp-max-clients: 20` rate limiting seems unlikely to improve things as it is many sources, a DDos what else are we missing? btw, it also whacked knot enough that it failed a resign cycle and we had to add `unsafe-operation: no-check-keyset` to get back to signing. clues appreciated. this can't be the only neighborhood with children. randy

1 rok, 11 měsíců

6
16
0 0

DNSSEC debugging help wanted

by Korry Luke

Hi folks, Forwarding on behalf of Randy Bush since his mail server/DNS are being DDoSed right now. Trying to troubleshoot, but any knot DNS expertise would be greatly appreciated. Regards > debian 12 > knotc (Knot DNS), version 3.2.6 > (aside: the server is under serious TCP and UDP DDoS) > > all looks reasonable > > Jun 12 03:36:17 rip.psg.com knotd[22495]: info: [psg.com.] control, received command 'zone-sign' > Jun 12 03:36:17 rip.psg.com knotd[22495]: info: [psg.com.] DNSSEC, dropping previous signatures, re-signing zone > Jun 12 03:36:17 rip.psg.com knotd[22495]: info: [psg.com.] DNSSEC, key, tag 53567, algorithm RSASHA256, KSK, public, active > Jun 12 03:36:17 rip.psg.com knotd[22495]: info: [psg.com.] DNSSEC, key, tag 25843, algorithm RSASHA256 > Jun 12 03:36:17 rip.psg.com knotd[22495]: info: [psg.com.] DNSSEC, key, tag 59161, algorithm RSASHA256 > Jun 12 03:36:17 rip.psg.com knotd[22495]: info: [psg.com.] DNSSEC, key, tag 5489, algorithm RSASHA256, KSK, public, active+ > Jun 12 03:36:17 rip.psg.com knotd[22495]: info: [psg.com.] DNSSEC, key, tag 22090, algorithm RSASHA256, public > Jun 12 03:36:17 rip.psg.com knotd[22495]: info: [psg.com.] DNSSEC, signing started > Jun 12 03:36:17 rip.psg.com knotd[22495]: info: [psg.com.] DNSSEC, successfully signed > Jun 12 03:36:17 rip.psg.com knotd[22495]: info: [psg.com.] DNSSEC, next signing at 2024-06-25T02:36:17+0000 > > # keymgr psg.com list > 649b0d43d1493dd4ad30f8043ca4561c33c38b5a 53567 KSK RSASHA256/2048 publish=1078099200 active=1078099200 > 173597db4b4f2f072b568cb637710e891ac52246 25843 ZSK RSASHA256/2048 publish=1709251200 active=1709251200 retire=1717977600 remove=1717977600 > 3194d896f2a64f10b103991e5018b72cd3f1cd28 59161 ZSK RSASHA256/2048 publish=1709251200 active=1709251200 retire=1717977600 remove=1717977600 > 7b1bf414b34f605c68f9ddb7b52c32c6b53da8d3 5489 KSK RSASHA256/2048 publish=1718161132 > 902b8e02a5e75754bd69791735e76cb11c3e37af 22090 ZSK RSASHA256/2048 publish=1718161132 > > > but no rrsig > > # dig @localhost +vc +dnssec +norec -t dnskey psg.com > > ; <<>> DiG 9.18.24-1-Debian <<>> @localhost +vc +dnssec +norec -t dnskey psg.com > ; (2 servers found) > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42269 > ;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags: do; udp: 1232 > ; COOKIE: 7f45da4f7305fdd5010000006669234c9ce14bdf78917f58 (good) > ;; QUESTION SECTION: > ;psg.com. IN DNSKEY > > ;; ANSWER SECTION: > psg.com. 86400 IN DNSKEY 256 3 8 AwEAAZfG8Y++ZmGXwa1sgmHpruUSPljDwMR2pY5bUjjOaJNyUBeLlEAP Fyya3MNAKryW26yTxFmwYmyt0UtXyc4L7Ib5/J/Ew+putYpjRfslwPlS 5TWblvnbiqGcY/ZMuGrtLeZkvK/o39vXM+Hy5y3xbG4Qu4ySiuW03xMM pN50cr8+VcM2RDQn6/W6kESdiY8WaXyD1DT9eIgIyi5zTaOfhSB7u/g7 H+7LltCAiCZIcIF08CGbS1VEh0YUyw3Th1I6jiQmYeGG6OSGaci5SkjV fGTDpHrJOjFlCnUVfg+cYc1YPEojbmo90qO/nG+VB5I+qDYtkU1IR8EB +qXNi7ZbBt8= > psg.com. 86400 IN DNSKEY 257 3 8 AwEAAaCgMhvfatdo1jeqr0AsHJY+QB/QVv2O+9W62Sfj+xKCbV5nGgvu XqPq2A8tXKT1lG1YF0pe3/ABH2iYNZs7v/a6QAb1wEAYasNz6ZlvRca2 bDs6KXz/n2B/Oeb2JoWBJ6OqdNtzkDl6CYEOkQoDWRnbR9jlyINOQ0mN xfTu2wbXMngSIz78yTadpieyuG/B/TsLQ1SlTUSf436G5NMdxzQ8r7j4 5nW7mEORzvvk5Z1mGtfX8v8taw4qFfoIlaf226N06lZ90jpnEHTOGSTA T/ii5WVqjBZGFWFYWrNcHR51zHm4QAGKlZ5hzr6lrGZaXqgY7jE3GaOc 86mZhSlyYIs= > psg.com. 86400 IN DNSKEY 257 3 8 AwEAAcXR1VhQRarToAaewor9xoQhrXbmUd9Ob0ruqOpDs5TO/jZLTOFE W/g4V1yllr9t7tyLVJWA5jdZyJZO3otyu6S+OKvSLD8er3alStkgqI2Q bLF3gUjtGxmcd/yIci4srWj401tv/6uWigN50+9Df0ClgUpmdjQ/ePq8 51DKtK51qGgc4vHwSYoWKQaGTofELiMDDXpzZSkQqAUveZYRzVTScUCQ woVjQANSmio/u6JZtkwRnnUF9bChN51ydUY+uVH9NuoY6jEKJ27ZlIAP 4UgQ0h9epWy5JYV9bNQlhV+qpW1G3Zg/l58Yz5mWwh107HQIUefCgVP+ TTIusTwWH0E= > > ;; Query time: 0 msec > ;; SERVER: ::1#53(localhost) (TCP) > ;; WHEN: Wed Jun 12 04:25:48 UTC 2024 > ;; MSG SIZE rcvd: 892 > > maybe 35 zones with same policy and tenplate. one has RRSIGs no others > do. > > mod-rrl: > - id: default > rate-limit: 12 # Allow 200 resp/s for each flow > slip: 2 # Approximately every other response slips > table-size: 900241 > > mod-cookies: > - id: default > secret-lifetime: 30h > badcookie-slip: 6 > Wrong Cookie > > Policy: > - Id: Pol-256-256 > Algorithm: Rsasha256 # Was Ecdsap256sha256 Sra Uses Ecdsap384sha384 > Manual: On > Delete-Delay: 30d > Unsafe-Operation: No-Check-Keyset > ... > template: > - id: default > storage: /var/lib/knot/primary > semantic-checks: on > file: %s > global-module: mod-rrl/default > global-module: mod-cookies/default > - id: signed > storage: /var/lib/knot/signed > dnssec-signing: on > dnssec-policy: pol-256-256 > semantic-checks: on > zonefile-sync: -1 > zonefile-load: difference > journal-content: all > serial-policy: unixtime > > sra and i have been beating our heads on this for two days. and there > are significant zones breaking > > randy -- Korry Luke ルーク,　コリー koluke(a)wide.ad.jp Graduate School of Media and Governance Keio University Shonan Fujisawa Campus 慶應義塾大学湘南藤沢キャンパス政策・メディア研究科

1 rok, 11 měsíců

3
3
0 0

Knot DNS 3.3.6 release

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 3.3.6! This is mostly a maintenance version with some improvements. Please note that Knot DNS 3.3 is the last major version officially supported on CentOS 7 (and similar), Debian 10, and Ubuntu 18.04. Version 3.4.0, which will be released in August, will not support them. Changelog: https://gitlab.nic.cz/knot/knot-dns/-/releases/v3.3.6 Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support: https://www.knot-dns.cz/support/ Regards, Daniel

1 rok, 11 měsíců

1
0
0 0

Knot DNS serverupgrade tool (2.2.x->3.3.x)

by Josef Karliak

Good morning, is there some tool to migrate configuration from Knot 2.2 to actual 3.3.x ? There are some configuration changes, they're so far so good, but I'm stuck on migrating DNSSEC keys now. Thanks and best regards. J.Karliak

1 rok, 11 měsíců

2
1
0 0

install package to freebsd

by André Cruz

Hi, When i try to install knot via ports as your documentation sayshttps://www.knot-dns.cz/docs/2.4/html/installation.html [cid:f31a0a83-7640-46e7-8586-d353f8c3d8f0] it points me to a verison of 2015 https://www.freshports.org/dns/knot Can you guys change the line to # cd /usr/ports/dns/knot3 just to be more clear for a new user of freebsd https://www.freshports.org/dns/knot3 Com os meus melhores cumprimentos, André Cruz

1 rok, 11 měsíců

3
3
0 0

module 'mod-onlinesign/authsignal', incompatible with automatic signing

by Erwin Lansing

Howdy, I’m trying to get Knot 3.3.5 to use authenticated DNSSEC bootstrapping following the blog article and docs. However, I’m getting an error for the signalling zones, but I fail to figure out what I may have overlooked. error: [_signal.ns2.droso.dk <http://signal.ns2.droso.dk/>.] module 'mod-onlinesign/authsignal', incompatible with automatic signing Relevant knot.conf snippets (in order): policy: - id: ecc algorithm: ecdsap256sha256 nsec3: on rrsig-refresh: 7d mod-onlinesign: - id: authsignal nsec-bitmap: [CDS, CDNSKEY] policy: ecc template: - id: default … dnssec-signing: on dnssec-policy: ecc … zone: - domain: _signal.ns2.droso.dk <http://signal.ns2.droso.dk/> module: [mod-authsignal, mod-onlinesign/authsignal] Any hint appreciated Best Erwin

1 rok, 11 měsíců

3
3
0 0

KNOT resolver and NS serverers with CNAME

by Josef Karliak

Good morning, ISC bind is strict about CNAME of NS server: skipping nameserver 'aa.bb.cz' because it is a CNAME, while resolving '9.4/4.3.2.1.in-addr.arpa/PTR'. How about Knot resolver ? Thanks and best regards J.Karliak

1 rok, 12 měsíců

4
3
0 0

Remotely adding zones

by Einar Bjarni Halldórsson

Hi, I have a use case, where today we’re running BIND and a daemon uses rndc to create/remove/update zones on secondary servers. According to `man knotc` knotc only supports UNIX sockets (old ubuntu man page showed ‘-p’ parameter to specify port). I know I could use a catalog zone, but that would be a bigger change than I prefer right now. The primary server is running BIND+DLZ with a PostgreSQL backend. Replacing the primary is on the roadmap, but for now, I just want to replace the secondaries. Is there a good way to remotely add zones to a knot secondary? .einar

2 roky

3
3
0 0

knotc reload after updates to knot.conf

by Angus Clarke

Hello, When doing something quite dramatic in knot.conf like adding and/or removing a zone, is "knotc reload" a suitable approach to honour those changes or would you recommend restarting the whole process? "knotc reload" seems to work just fine in test, I'm just looking for some further confidence I suppose. Thanks Angus

2 roky

2
1
0 0

kzonecheck for bookworm

by Randy Bush

a bit confused here. knot package for bookworm does not seem to include kzonecheck. nor does knot-dnsutils. where/how to get? thanks randy

2 roky, 1 měsíc

2
2
0 0

AXFR sender FINs 10% of the way through transfer

by Randy Bush

debian 12 # uname -a Linux rip.psg.com 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 GNU/Linux # knotc --version knotc (Knot DNS), version 3.2.6 AXFR of a 750k zone from seattle to, lebanon, europe, iceland, southern africa, ...) fails over v5 and v6, i.e. somewhat larger rtt same AXFR seattle seattle or seattle to ashburn works v4 and v6. seattle to dallas v4 good, v6 fails, but it smells of an HE.net hop. when it fails, it is always within a hundred or so mytes of the same place, approximately 10% through the file. pcap of seattle->beirut at https://archive.psg.com/240323.beirut.pcap the last payload is in frame 217. at 219, seattle (b) sends a FIN/PSH/ACK. then at 251, after acking everything, beirut (nabil) FIN/ACKs seattle's FIN and we're dead. i am not positive this is the key question as my tcp fu is a bit rusty. but why did seattle send the FIN at 219, 10% through the file? randy

2 roky, 1 měsíc

3
7
0 0

silly nit

by Randy Bush

in address: [185.91.97.18, 2a05:e380:2:4::2] # nabil.beirutix.net if this is a tab character ^ # knotc conf-check error: config, file '/etc/knot/knot.conf', line 324, item 'address', value '2a05:e380:2:4::2' (tabulator character is not allowed) blanks are ok # knotc --version knotc (Knot DNS), version 3.2.6 yes, that is the latest on debian 12 randy

2 roky, 1 měsíc

1
0
0 0

bitw signing as secondary

by Randy Bush

server runs a tld as primary, but slds are hidden primaries which the server pulls as a secondary, wants to sign bump-in-the-wire, and then make available to public secondaries. i think that the doc says this is doable, but instructions are insufficiently explicit for this idjit. i am fetching the slds into policy: - id: pol-256-256 algorithm: rsasha256 # was ecdsap256sha256 sra uses ecdsap384sha384 manual: on ... template: - id: signed storage: /var/lib/knot/sec-sign dnssec-signing: on dnssec-policy: pol-256-256 zonefile-sync: -1 zonefile-load: difference journal-content: all serial-policy: unixtime ... zone: - domain: sld.tld file: tld.sld # sorry, i like alpha sort in `ls` :) master: hidden-fetch template: signed acl: [allow-local, secondaries-push] the policy and template are those from signing primary zone; which i suspect is ill advised. i did generate keying as i would when signing a primary zone # keymgr sld.tld generate algorithm=rsasha256 ksk=yes zsk=yes 7a618eaf94ea1d903233cb547faa24bae8cb49a5 # knotc zone-reload sld.tld OK # keymgr sld.tld ds sld.tld. DS 63562 8 2 2d25e465f131900413d7e8a90ad1b96c75ba835de63dfee08610b113a779d41f sld.tld. DS 63562 8 4 ed9c31c495703ec354f1a1835c9878339224cc06ac3001151c2ebb89524b25190efa424348c999b0c4df940edffa8409 any kind soul(s) care to whack me with a clue bat? randy

2 roky, 1 měsíc

3
5
0 0

Possible signing bug? Missing wildcard NSEC for RCODE 3 subdomains

by Matthew Pounsett

I got a report of an NSEC error from someone who tried to connect to a mistyped hostname. I've done a bit of poking, and it looks like we're seeing a missing wildcard NSEC for domain names that are two subdomains down from the apex, but not for subdomains of the apex. Though, I admit I can't see the problem myself. Querying by hand I see what looks like an identical response, but resolvers and DNSViz report problems with the deeper name. For example, nonexistent.dns-oarc.net and nonexistent.sjc.dns-oarc.net ( sjc.dns-oarc.net is a real subdomain with hosts in it, not an ENT)... kdig output and DNSViz results below. We're running knot/unknown,now 3.3.5-cznic.1~bullseye from deb.knot-dns.cz, and this is the relevant policy statement for the zone: policy: - id: ecdsa algorithm: ecdsap256sha256 ksk-lifetime: 365d ksk-submission: parent_zone_sbm zsk-lifetime: 30d rrsig-lifetime: 14d rrsig-refresh: 7d We are mid-KSK-roll, waiting on the DS submission check. Have I misconfigured something here, or is there a signing bug, or is this something else? Thanks! Matt --- nonexistent.sjc.dns-oarc.net: DNSviz reports this is fine. <https://dnsviz.net/d/nonexistent.dns-oarc.net/ZfNH1w/dnssec/> ;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 9380 ;; Flags: qr aa; QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 1 ;; EDNS PSEUDOSECTION: ;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: NOERROR ;; QUESTION SECTION: ;; nonexistent.dns-oarc.net. IN A ;; AUTHORITY SECTION: dns-oarc.net. 3600 IN SOA ns1.dns-oarc.net. hostmaster.dns-oarc.net. 2024031400 300 60 604800 3600 nfsen.dns-oarc.net. 3600 IN NSEC ns.dns-oarc.net. A AAAA RRSIG NSEC dns-oarc.net. 3600 IN NSEC fs1.10g.dns-oarc.net. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY CDS CDNSKEY CAA dns-oarc.net. 3600 IN RRSIG SOA 13 2 14400 20240328021935 20240314004935 6048 dns-oarc.net. [omitted] nfsen.dns-oarc.net. 3600 IN RRSIG NSEC 13 3 3600 20240326215132 20240312202132 6048 dns-oarc.net. [omitted] dns-oarc.net. 3600 IN RRSIG NSEC 13 2 3600 20240322045130 20240308032130 6048 dns-oarc.net. [omitted] ;; Received 518 B ;; Time 2024-03-14 18:57:33 UTC ;; From 64.191.0.128@53(UDP) in 0.3 ms nonexistent.sjc.dns-oarc.net: resolvers and DNSViz report a missing wildcard NSEC <https://dnsviz.net/d/nonexistent.sjc.dns-oarc.net/ZfNH6w/dnssec/> ;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 660 ;; Flags: qr aa; QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 1 ;; EDNS PSEUDOSECTION: ;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: NOERROR ;; QUESTION SECTION: ;; nonexistent.sjc.dns-oarc.net. IN A ;; AUTHORITY SECTION: dns-oarc.net. 3600 IN SOA ns1.dns-oarc.net. hostmaster.dns-oarc.net. 2024031400 300 60 604800 3600 newmail.sjc.dns-oarc.net. 3600 IN NSEC pdu-7301.sjc.dns-oarc.net. A AAAA RRSIG NSEC shin-cubes.dns-oarc.net. 3600 IN NSEC an1.10g.sjc.dns-oarc.net. A AAAA RRSIG NSEC dns-oarc.net. 3600 IN RRSIG SOA 13 2 14400 20240328021935 20240314004935 6048 dns-oarc.net. [omitted] newmail.sjc.dns-oarc.net. 3600 IN RRSIG NSEC 13 4 3600 20240326215132 20240312202132 6048 dns-oarc.net. [omitted] shin-cubes.dns-oarc.net. 3600 IN RRSIG NSEC 13 3 3600 20240326215132 20240312202132 6048 dns-oarc.net. [omitted] ;; Received 544 B ;; Time 2024-03-14 18:57:33 UTC ;; From 64.191.0.128@53(UDP) in 0.3 ms

2 roky, 2 měsíce

4
4
0 0

Chained catalog zones

by Martin Huněk

Hi folks, Is it possible to chain multiple upstream catalog zones into one downstream one? I do have the following topology: Multiple DNS hidden masters <-> DNS signer / DNS master for public facing slaves <-> public facing slaves Can I define catalog zones on hidden masters and use them on public-facing signer/master to compose a catalog zone for the slaves? Best Regards, Martin Hunek Freenet Liberec, z.s.

2 roky, 2 měsíce

4
6
0 0

Knot DNS 3.3.5 release

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 3.3.5! This is a bugfix version with a few new features and enhancements. For those who use dnssec-validation, upgrade is recommended. Changelog: https://gitlab.nic.cz/knot/knot-dns/-/releases/v3.3.5 Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support: https://www.knot-dns.cz/support/ Regards, Daniel

2 roky, 2 měsíce

2
3
0 0

zone lost its KSK

by Bastien Durel

Hello, today I had a long power outage that stopped my primary server for a dozen hours When I re-started the server, some zones refused to start : Feb 12 21:55:17 arrakeen knotd[20728]: info: [geekwu.org.] DNSSEC, signing zone Feb 12 21:55:17 arrakeen knotd[20728]: error: [geekwu.org.] zone event 're-sign' failed (invalid parameter) the invalid parameter was there was no active KSK for these zones, as a keymgr list show b37b6c2[...] 39945 KSK ECDSAP384SHA384 publish=1636966605 active=1637053005 7cc8622[...] 20799 ZSK ECDSAP384SHA384 created=1706695010 After manually setting published & active status in keygmr, reloading these zones succeeded, and knot restarted to serve them. Do you know how these zone could has failed as this ? They run fine on auto-sign for years now. should I monitor closely the ones that need a re-sign tomorrow ? Regards, -- Bastien

2 roky, 2 měsíce

4
9
0 0

error: [ellael.org.] zone event 'refresh' failed (operation not supported)

by Michael Grimm

Hi, after successful migration of my hidden primary NSD and OpenDNSSEC signer to Knot DNS, I started to migrate my secondary NSDs to Knot DNS as well. Thanks to excellent documentation this migration went more or less flawless as well. BUT: I am somehow irritated about the following error messages at my hidden primary like: 2024-02-16T10:54:08+0100 debug: [ellael.org.] ACL, allowed, action transfer, remote 10.1.1.201@27919, key primary-secondary. 2024-02-16T10:54:08+0100 info: [ellael.org.] AXFR, outgoing, remote 10.1.1.201@27919 TCP, started, serial 2024021331 2024-02-16T10:54:08+0100 info: [ellael.org.] AXFR, outgoing, remote 10.1.1.201@27919 TCP, finished, 0.00 seconds, 1 messages, 7774 bytes 2024-02-16T10:54:09+0100 debug: [ellael.org.] ACL, allowed, action notify, remote 10.1.1.201@40884, key primary-secondary. 2024-02-16T10:54:09+0100 info: [ellael.org.] notify, incoming, remote 10.1.1.201@40884 TCP, serial 2024021331 >>>! 2024-02-16T10:54:09+0100 error: [ellael.org.] zone event 'refresh' failed (operation not supported) The log files at both secondary are identical, here one example: 2024-02-16T10:54:08+0100 info: [ellael.org.] AXFR, incoming, remote 10.2.2.203@5333 TCP, finished, 0.00 seconds, 1 messages, 7774 bytes 2024-02-16T10:54:08+0100 info: [ellael.org.] refresh, remote 10.2.2.203@5333, zone updated, 0.03 seconds, serial none -> 2024021331,\ expires in 1209600 seconds 2024-02-16T10:54:08+0100 info: [ellael.org.] zone file updated, serial 2024021331 >>>! 2024-02-16T10:54:09+0100 info: [ellael.org.] notify, outgoing, remote 10.2.2.203@5333 TCP, serial 2024021331 FYI: Those errors are only logged when a zone gets updated or using "knotc zone-notify" at the secondary site. Here are my essential config excerpts: Primary: acl: - id: aclTRANSACTIONS key: primary-secondary action: [notify, transfer] remote: - id: secondaryKBN key: primary-secondary address: 10.1.1.201 # KBN secondary via: 10.2.2.203 # outgoing interface Secondary: acl: - id: aclTRANSACTIONS key: primary-secondary action: [notify, transfer] remote: - id: primaryMWN key: primary-secondary address: 10.2.2.203@5333 # MWN hidden primary via: 10.2.2.201 # outgoing interface block-notify-after-transfer: on FYI: Only adding "block-notify-after-transfer: on" at secondary sites stopped those error messages. I found https://www.mail-archive.com/knot-dns-users@lists.nic.cz/msg01812.html : "I recommend not using this option unless you really know what you're doing and why this option is essential for you." Questions: #) I do have to admit, I don't understand what is going on without "block-notify-after-transfer: on"? #) Am I save in using "block-notify-after-transfer: on"? #) Or is the another config option? Thanks in advance and regards, Michael

2 roky, 3 měsíce

3
14
0 0

Secondary zones with some primary servers unreachable log interesting errors

by Juha Suhonen

Hello fellow Knot users, We're using Knot on some of our public authoritative servers. We operate a hidden primary configuration where there are two internal primary servers sending notifies to publicly accessible servers whenever zones change (ofc internal servers allow zone transfers & queries from the knot servers). By design, our hidden internal primary servers operate in a hot/cold setup - one of them is answering to zone transfers / sending out notifies and the other one is not (dns server software is not running on the cold server). This configuration causes knot to log alarming errors: Feb 1 17:28:45 ns2 knotd[624]: info: [zone.fi.] refresh, remote 10.54.54.1@8054, remote serial 2021083015, zone is up-to-date, expires in 864000 seconds Feb 1 17:28:45 ns2 knotd[624]: info: [zone.fi.] refresh, remote hidden-ns-2.internal, address 10.54.54.2@8054, failed (connection reset) Feb 1 17:28:45 ns2 knotd[624]: info: [zone.fi.] refresh, remote hidden-ns-2.internal, address [ipv6_address]@8054, failed (connection reset) Feb 1 17:28:45 ns2 knotd[624]: warning: [zone.fi.] refresh, remote hidden-ns-2.internal not usable Feb 1 17:28:45 ns2 knotd[624]: error: [zone.fi.] refresh, failed (no usable master), next retry at 2024-02-01T17:58:45+0200 Feb 1 17:28:45 ns2 knotd[624]: error: [zone.fi.] zone event 'refresh' failed (no usable master) Specifically, error "(no usable master)" is worrying - knot is able to reach hidden-ns-1.internal and verify that the zone it has is up-to-date. Also zone updates work normally and the zones don't seem to expire away (as zones should do if no master is reachable for an extended period of time). Looks like this error appeared in version 3.3.0. 3.2.9 did not log similar errors (except in cases where all primaries really were unreachable). Has there been some design change in 3.3.0 (ie is this intentional) or could this be a bug? Or could it be related to our configuration? Our configuration relies heavily on templates. These should be the important bits from knot's config, with ipv6 addresses hidden: acl: - id: "hidden-ns-1.internal" address: [ 10.54.54.1, ipv6_address ] action: notify - id: "hidden-ns-2.internal" address: [ 10.54.54.2, ipv6_address ] action: notify remote: - id: "hidden-ns-1.internal" address: [ 10.54.54.1@8054, ipv6_address@8054 ] via: [ x.x.x.x, ipv6_address ] - id: "hidden-ns-2.internal" address: [ 10.54.54.2@8054, ipv6_address@8054 ] via: [ x.x.x.x, ipv6_address ] template: - id: default storage: /var/lib/knot/zones master: hidden-ns-1.internal master: hidden-ns-2.internal acl: hidden-ns-1.internal acl: hidden-ns-2.internal semantic-checks: false global-module: mod-rrl/default zone: - domain: zone.fi -- Juha Suhonen Senior Systems Specialist CSC - Tieteen tietotekniikan keskus Oy juha.suhonen(a)csc.fi

2 roky, 3 měsíce

2
1
0 0

Set propagation-delay based on multiples of SOA TTL, doable?

by Michael Grimm

Hi, I wonder if it would be possible that one may use arithmetics in knot.conf such as: propagation-delay: 5 * dnskey-ttl I'd like to set a propagation-delay safety net during ZSK rotations depending on SOA TTL set for any given zone. As dnskey-ttl defaults to zone SOA TTL that would allow for propagation-delay definitions as multiples of SOA TTLs. As I couldn't find that in the documentation, I do assume that this cannot be done, right? Are there alternatives at hand I overlooked? Regards, Michael

2 roky, 3 měsíce

2
2
0 0

keymgr segmentation fault

by Erik P. Ostlyngen

Hi, I'm evaluating the Knot DNS server as a DNSSEC signer engine. I'm currently running version 3.2.6 together with SoftHSM version 2.6.1 on an Ubuntu 20.04 linux server. Now I have a problem with keymgr crashing with a segmentation fault and dumping core. This happens with some of the commands of keymgr, but not all (the command keymgr -l runs fine). The commands 'keymgr trondheim.no list' produces the correct output, but then crashes. /var/log/apport.log indicates that a dbus session is missing in the environment: ERROR: apport (pid 811054) Tue Jun 13 07:56:00 2023: called for pid 811052, signal 11, core limit 0, dump mode 2 ERROR: apport (pid 811054) Tue Jun 13 07:56:00 2023: not creating core for pid with dump mode of 2 ERROR: apport (pid 811054) Tue Jun 13 07:56:00 2023: executable: /usr/sbin/keymgr (command line "keymgr trondheim.no list") ERROR: apport (pid 811054) Tue Jun 13 07:56:00 2023: is_closing_session(): no DBUS_SESSION_BUS_ADDRESS in environment ERROR: apport (pid 811054) Tue Jun 13 07:56:00 2023: apport: report /var/crash/_usr_sbin_keymgr.0.crash already exists and unseen, skipping to avoid disk usage DoS Running the command as 'dbus-run-session keymgr trondheim.no list' gives: ERROR: apport (pid 811174) Tue Jun 13 08:01:04 2023: called for pid 811173, signal 11, core limit 0, dump mode 2 ERROR: apport (pid 811174) Tue Jun 13 08:01:04 2023: not creating core for pid with dump mode of 2 ERROR: apport (pid 811174) Tue Jun 13 08:01:04 2023: executable: /usr/sbin/keymgr (command line "keymgr trondheim.no list") ERROR: apport (pid 811174) Tue Jun 13 08:01:04 2023: is_closing_session(): Could not determine DBUS socket. ERROR: apport (pid 811174) Tue Jun 13 08:01:04 2023: apport: report /var/crash/_usr_sbin_keymgr.0.crash already exists and unseen, skipping to avoid disk usage DoS I've tried to run the command as root and as the knot user, and I have to admit that I'm not very familiar with how to manage dbus sessions. I want to run the keymgr command from cron or from some other system shell, for periodically monitoring the keys. However, I'm unsure why keymgr wants to communicate on the dbus. Is it possible to disable this? Regards, Erik Østlyngen

2 roky, 3 měsíce

2
2
0 0

DDNS not working as expected

by JeeF Software spol. s r.o.

Hi Knot-DNS Support, I'm trying simple DDNS scenario (no keys, no DNSSEC) with failing result. Knot-DNS is installed from docker image. Could you let me know what is the issue (NOAUTH) and how can I solve it or if this scenario is not supported what exactly is required by DDNS? ------------------------------------------- knot.conf: server: rundir: "/rundir" user: knot:knot automatic-acl: on listen: 0.0.0.0@53 log: - target: stdout server: debug zone: debug any: debug database: storage: "/storage" acl: - id: acl_update action: update - id: acl_transfer action: transfer template: - id: default storage: "/storage" file: "%s.zone" zone: # Primary zone - domain: example.com acl: [acl_update, acl_transfer] ---------------------------------------------- update: server 10.2.0.88 zone exmaple.com update add _acme-challenge.example.com. 300 TXT "aaaaa" send -------------------------------------------- knsupdate -d < update ;; DEBUG: cmd_server: lp='10.2.0.88' ;; DEBUG: parse_host: parsed addr: 10.2.0.88 ;; DEBUG: cmd_zone: lp='exmaple.com' ;; DEBUG: cmd_update: lp='add _acme-challenge.example.com. 300 TXT "aaaaa"' ;; DEBUG: cmd_add: lp='_acme-challenge.example.com. 300 TXT "aaaaa"' ;; DEBUG: cmd_send: lp='' ;; DEBUG: sending packet ;; DEBUG: pkt_sendrecv: send_msg = 3 ;; DEBUG: pkt_sendrecv: receive_msg = 29 ;; ->>HEADER<<- opcode: UPDATE; status: NOTAUTH; id: 27029 ;; Flags: qr; ZONE: 1; PREREQ: 0; UPDATE: 0; ADDITIONAL: 0 ;; ZONE SECTION: ;; exmaple.com. IN SOA ;; ERROR: update failed with error 'NOTAUTH' ;; DEBUG: operation 'send' failed (failed) on line 'send' ;; DEBUG: srv_info_free: null parameter ----------------------------------------- knotd log 2023-09-05T17:16:35+0000 info: Knot DNS 3.3.0 starting 2023-09-05T17:16:35+0000 info: loaded configuration file '/config/knot.conf', mapsize 500 MiB 2023-09-05T17:16:35+0000 info: using UDP reuseport, incoming TCP Fast Open 2023-09-05T17:16:35+0000 info: binding to interface 0.0.0.0@53 2023-09-05T17:16:35+0000 info: changing GID to 8521 2023-09-05T17:16:35+0000 info: changing UID to 9396 2023-09-05T17:16:35+0000 info: loading 1 zones 2023-09-05T17:16:35+0000 info: [example.com.] zone will be loaded 2023-09-05T17:16:35+0000 info: starting server 2023-09-05T17:16:35+0000 info: [example.com.] zone file parsed, serial 2010111213 2023-09-05T17:16:35+0000 info: [example.com.] loaded, serial none -> 2010111213, 465 bytes 2023-09-05T17:16:35+0000 info: control, binding to '/rundir/knot.sock' 2023-09-05T17:16:35+0000 info: server started in the foreground, PID 8 2023-09-05T17:18:03+0000 info: [example.com.] control, received command 'zone-status' 2023-09-05T17:18:40+0000 info: [example.com.] control, received command 'zone-sign' 2023-09-05T17:18:40+0000 error: [example.com.] control, error (operation not supported) 2023-09-05T17:18:52+0000 info: [example.com.] control, received command 'zone-read' 2023-09-05T17:18:56+0000 info: [example.com.] control, received command 'zone-read' 2023-09-05T17:18:56+0000 error: [example.com.] control, error (no such node in zone found) 2023-09-05T17:19:00+0000 info: [example.com.] control, received command 'zone-read' 2023-09-05T17:19:45+0000 info: [example.com.] control, received command 'zone-set' 2023-09-05T17:19:45+0000 error: [example.com.] control, error (no active transaction) 2023-09-05T17:22:57+0000 info: [example.com.] control, received command 'zone-set' 2023-09-05T17:22:57+0000 error: [example.com.] control, error (no active transaction) 2023-09-05T17:23:49+0000 info: [example.com.] control, received command 'zone-begin' 2023-09-05T17:23:54+0000 info: [example.com.] control, received command 'zone-set' 2023-09-05T17:24:02+0000 info: [example.com.] control, received command 'zone-commit' 2023-09-05T17:24:02+0000 info: [example.com.] zone file updated, serial 2010111213 -> 2010111214 btw. no info positive/negative regarding the DDNS -------------------------------------- example.com.zone example.com. 3600 SOA dns1.example.com. hostmaster.example.com. 2010111214 21600 3600 604800 86400 example.com. 3600 A 1.2.3.4 example.com. 3600 NS dns1.example.com. example.com. 3600 NS dns2.example.com. example.com. 3600 MX 10 mail.example.com. dns1.example.com. 3600 A 192.0.2.1 dns1.example.com. 3600 AAAA 2001:db8::1 dns2.example.com. 3600 A 192.0.2.2 dns2.example.com. 3600 AAAA 2001:db8::2 mail.example.com. 3600 A 192.0.2.3 mail.example.com. 3600 AAAA 2001:db8::3 Thanks. Best Regards, JohnF

2 roky, 3 měsíce

2
1
0 0

NSEC3 RR not generated, dunno why.

by Michael Grimm

Hi, I am still very new to knot ;-) FYI: This is Knot DNS 3.3.3 because 3.3.4 hasn't been shown up in FreeBSD's ports collectioon, yet. Here are my settings regarding dnssec policy: policy: - id: ecdsa algorithm: ecdsap256sha256 ksk-lifetime: 3650d zsk-lifetime: 330d propagation-delay: 1d nsec3: on cds-cdnskey-publish: rollover Whatever I tell nsec3, either "on" or "true", only NSEC RR are generated, no NSEC3. dns> grep -i nsec3 zones/ellael.org dns> dns> grep -i nsec zones/ellael.org 3600 IN RRSIG NSEC 13 2 3600 20240226084528 20240212071528 9562 ellael.org. fkpFcgkVq8ZRZT0GX5kVcfPZBB5S/2Gvh4XqrkrywbZXFKiCttYqCX7rBdJSbyem5G8Bxg1LKaxu7LrIoxtyVA== 3600 IN NSEC _dmarc.ellael.org. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY CAA 3600 IN RRSIG NSEC 13 3 3600 20240226084528 20240212071528 9562 ellael.org. R7Pz2JuKi7vQDe0KMt29NHGtKvuEnH2LPKcxTWLP9HyfuMxJx4BEyPE6i+JAw8RxfSIqWAcV/KMyCHaLgFtXXw== 3600 IN NSEC _token._dnswl.ellael.org. TXT RRSIG NSEC 3600 IN RRSIG NSEC 13 4 3600 20240226084528 20240212071528 9562 ellael.org. 3oUCWWTH2s9oH/Ea0b+MDrrQcOEuTbwx1iEuXaLq7wFribrnIGY8JeeiE3TO59n1lckKm4hia+2ox324xoxCzA== [snip] What am I doing wrong? Thanks in advance and kind regards, Michael

2 roky, 3 měsíce

2
4
0 0

How to check for next KSK or ZSK rollover dates?

by Michael Grimm

Hi, I am very new to Knot [1]. Excerpts from my knot.conf: policy: ... ksk-lifetime: 3650d zsk-lifetime: 330d propagation-delay: 1d ... dns> knotc zone-status ellael.org [ellael.org.] role: master | serial: 2024021201 | re-sign: +12D8h42m21s I am a bit puzzled by that "re-sign: +12D8h42m21s". Does that mean "time until newly issued signatures" and becomes triggered by default "rrsig-lifetime: 14d" value? If so, I am very much relieved, if not, what is going on, then? Here is my question: How can I find out the dates for upcoming KSK or ZSK rollovers? This I couldn't find in the documentation, sorry. Thanks and regards, Michael [1] I've been bitten by that subtle bug in mailing list processing system ;-) My questions regarding migration strategy has become obsolete in the meantime, because I managed to migrate successfully. Thanks to the great documentation of Knot I could help myself ;-)

2 roky, 3 měsíce

2
2
0 0

GUI Frontends for Knot DNS Server

by Turritopsis Dohrnii Teo En Ming

Subject: GUI Frontends for Knot DNS Server Good day from Singapore, Are there any GUI frontends for configuring Knot DNS Server? I prefer GUI configuration interface. It is more efficient than command line interface (CLI). Thank you. Regards, Mr. Turritopsis Dohrnii Teo En Ming Targeted Individual in Singapore Blogs: https://tdtemcerts.blogspot.com https://tdtemcerts.wordpress.com

2 roky, 3 měsíce

2
1
0 0

kresd not starting with lua error

by Mike Wright

Hello, Running knot-resolver 5.6.0-1 amd64 (latest available via apt) on debian-12 bookworm, fully upgraded. systemctl start kresd@1 fails to run. systemctl status kresd@1 shows the following errors: [system] error while loading config: ...b/x86_64-linux-gnu/knot-resolver/kres_modules/policy.lua:378: bad argument #1 to 'create' (table expected, got nil) (workdir '/var/lib/knot-resolver') Here is my kresd.conf. It had been running ok for a long time ( I don't recall making any changes) : - Default empty Knot DNS Resolver configuration in -*- lua -*- -- Bind ports as privileged user (root) -- net = { '127.0.53.0' } -- Switch to unprivileged user -- user('knot-resolver','knot-resolver') -- Unprivileged -- cache.size = 100*MB policy.add(policy.suffix(policy.FLAGS({'NO_CACHE'}), internalDomains)) policy.add(policy.suffix(policy.STUB({'127.53.0.0'}), internalDomains)) policy.TLS_FORWARD({ -- multiple servers can be specified for a single slice -- the one with lowest round-trip time will be used {'9.9.9.9', hostname='dns.quad9.net'}, {'149.112.112.112', hostname='dns.quad9.net'}, }) All help is greatly appreciated, Mike Wright

2 roky, 3 měsíce

2
1
0 0

warning - a few lost e-mails to the mailing list

by David Vasek

Dear mailing list subscribers, due to a subtle bug in our mailing list processing system, a few emails sent to the mailing list <knot-dns-users(a)lists.nic.cz> over the past two years were blocked and awaiting approval without our knowledge. After filtering out spam, we will review what we believe is still relevant and reach out to the senders directly in the coming days. If your email did not pass through the moderation phase, please resend it to the list after the middle of next week. We are sorry for this issue. Our thanks go to Juha Suhonen who helped us discover the problem by pointing out that his email is still waiting. Thank you, Juha. Best regards, David Vašek, Knot DNS team

2 roky, 3 měsíce

1
0
0 0

Knot DNS 3.3.4 release

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 3.3.4! This is a bugfix version with some enhancements. Changelog: https://gitlab.nic.cz/knot/knot-dns/-/releases/v3.3.4 Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support: https://www.knot-dns.cz/support/ Regards, Daniel

2 roky, 3 měsíce

1
0
0 0

TSIG key in remote and acl

by Einar Bjarni Halldórsson

Hi, I’m updating our config files and I’m wondering if we need to set ‘key’ in remotes section, and in acl section? If I have this in my config: remote: - id: remote01 address: 127.0.0.1 key: my_key acl: - id: allow_transfer address: 127.0.0.1 key: my_key action: transfer zone: - domain: example.com acl: [ allow_transfer ] notify: [ remote01 ] Couldn’t I just remove key attribute from the remote, since the acl declares the address and key that are allowed to transfer the zone? .einar

2 roky, 4 měsíce

4
6
0 0

Knot DNS 3.2.12 release

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 3.2.12! This version only backports some fixes from 3.3.3. Changelog: https://gitlab.nic.cz/knot/knot-dns/-/releases/v3.2.12 Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support: https://www.knot-dns.cz/support/ Regards, Daniel

2 roky, 4 měsíce

1
0
0 0

Knot DNS 3.3.3 release

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 3.3.3! This is mostly a bugfix version. Upgrade is recommended for QUIC and TCP/XDP users. Changelog: https://gitlab.nic.cz/knot/knot-dns/-/releases/v3.3.3 Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support: https://www.knot-dns.cz/support/ Regards, Daniel

2 roky, 5 měsíců

1
0
0 0

Knot DNS 3.2.11 release

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 3.2.11! This version only backports some fixes from 3.3.2. Changelog: https://gitlab.nic.cz/knot/knot-dns/-/releases/v3.2.11 Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support: https://www.knot-dns.cz/support/ Regards, Daniel

2 roky, 6 měsíců

1
0
0 0

Message compression (was: Re: Knot DNS 3.3.2 release)

by Robert Edmonds

Daniel Salzman wrote: > Hello Knot DNS users, > > CZ.NIC has released Knot DNS 3.3.2! > > This version fixes various issues and introduces some features regarding IXFR. > Users of PKCS #11 keystore might appreciate improved signing performance using more thread. > > Note that the offline KSK mode requires explicit setting of `rrsig-refresh` on the KSK side! > > Changelog: > https://gitlab.labs.nic.cz/knot/knot-dns/raw/v3.3.2/NEWS Hi, I'm interested in this change: - knotd: failed to sign RRSet that fits to 64k only if compressed Which seems to be this commit: https://gitlab.nic.cz/knot/knot-dns/-/commit/f55037f6f39d0ddf6debac47fe168d… "libknot/knot: allow uncompressed wire conversion of rrset that fits to 64k only when compressed" It's not totally clear to me, but it seems like this would allow an RRset (or individual RR, if the number of RRs in the RRset is 1?) that, exceeds 64K, if name compression would reduce the size on the wire to <64K? (And the 64K isn't measured by just the RDATA/RDLEN fields, but rather the whole wire serialization of the record set, including owner name, type, class, TTL, etc.) If so, is this a safe and/or interoperable thing to do? DNS implementations are required to implement decompression, but compression is optional (RFC 1035 § 4.1.4). So a resolver might receive a compressed RRset, decompress it, and then be unable to represent that RRset to clients if it doesn't implement compression, or, more likely, implements compression but uses an algorithm that generates less optimal compression targets than the one used by the original nameserver. Or am I misunderstanding what this commit is doing? Thanks! -- Robert Edmonds edmonds(a)debian.org

2 roky, 6 měsíců

2
1
0 0

Knot DNS 3.3.2 release

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 3.3.2! This version fixes various issues and introduces some features regarding IXFR. Users of PKCS #11 keystore might appreciate improved signing performance using more thread. Note that the offline KSK mode requires explicit setting of `rrsig-refresh` on the KSK side! Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v3.3.2/NEWS Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support: https://www.knot-dns.cz/support/ Regards, Daniel

2 roky, 6 měsíců

1
0
0 0

Knot DNS 3.3.1 and 3.2.10 releases

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 3.3.1 and 3.2.10! These versions fix several bugs. Upgrade is recommended. Changelogs: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v3.3.1/NEWS https://gitlab.labs.nic.cz/knot/knot-dns/raw/v3.2.10/NEWS Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support: https://www.knot-dns.cz/support/ Regards, Daniel

2 roky, 8 měsíců

1
0
0 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

knot-dns-users