- knot-dns-users - lists.nic.cz

by Thomas

Hi, I have the requirement to re-sign my zones exactly every 24 hours. I'm not sure how to achieve this, because I'm not clear about the correlation of the following parameters: zsk-lifetime propagation-delay rrsig-lifetime rrsig-refresh rrsig-pre-refresh Can anybody give a hint what values I need to have an exact re-signing period of 24 hours? Thanks a lot, Thomas

4 roky, 10 měsíců

3
3
0 0

Is cds-cdnskey-publish doing too many publishes?

by Jan-Piet Mens

I have the following signing policy configured in a test environment: - id: rsadefault algorithm: RSASHA256 ksk-size: 2048 ksk-lifetime: 30m zsk-size: 1024 zsk-lifetime: 2h propagation-delay: 2s dnskey-ttl: 10s zone-max-ttl: 15s nsec3: on nsec3-iterations: 5 nsec3-salt-length: 8 nsec3-salt-lifetime: 100d cds-cdnskey-publish: always ksk-submission: ds_checker ds-push: hidden-primary I notice that every five minutes Knot is updating the DS in the parent zone hosted on a BIND server. It appears that every time Knot refreshes the secondary it also updates the DS in the parent. (Logs below.) Isn't that a bit much? I realize I've configured `cds-cdnskey-publish: always', but I was expecting "always if something changes" :-) I would prefer on CDS publishing on "rollover", but then the DS record isn't added to the parent when a zone is first signed. Is this expected behaviour, respectively, is there a different configuration I should set? Thank you, -JP zone aa.tm. has an SOA refresh of 300s (5 minutes) Knot console: Jul 15 14:38:14 ods knotd[14346]: info: [aa.tm.] refresh, remote 192.168.1.140@53, remote serial 20, zone is up-to-date Jul 15 14:38:14 ods knotd[14346]: info: [aa.tm.] DS push, outgoing, remote 192.168.1.140@53, success BIND console: 15-Jul-2020 16:38:23.946 client @0x7fd5bc7f8568 192.168.1.150#58386 (aa.tm): query: aa.tm IN SOA -E(0)T (192.168.1.140) 15-Jul-2020 16:38:23.947 client @0x7fd5bc7de168 192.168.1.150#58388/key k-signer (tm): query: tm IN SOA -SE(0)T (192.168.1.140) 15-Jul-2020 16:38:23.947 client @0x7fd5bc7de168 192.168.1.150#58388/key k-signer: signer "k-signer" approved 15-Jul-2020 16:38:23.947 client @0x7fd5bc7de168 192.168.1.150#58388/key k-signer: updating zone 'tm/IN': deleting rrset at 'aa.tm' DS 15-Jul-2020 16:38:23.947 client @0x7fd5bc7de168 192.168.1.150#58388/key k-signer: updating zone 'tm/IN': adding an RR at 'aa.tm' DS 54410 8 2 5EAF060C7F00846B82D66CAAB29542450383DDF99390151694CC2A95 8C78E648 ... after five minutes ... Knot console: Jul 15 14:43:14 ods knotd[14346]: info: [aa.tm.] refresh, remote 192.168.1.140@53, remote serial 20, zone is up-to-date Jul 15 14:43:14 ods knotd[14346]: info: [aa.tm.] DS push, outgoing, remote 192.168.1.140@53, success BIND console: 15-Jul-2020 16:43:24.016 client @0x7fd56c220d68 192.168.1.150#58390 (aa.tm): query: aa.tm IN SOA -E(0)T (192.168.1.140) 15-Jul-2020 16:43:24.017 client @0x7fd59c324768 192.168.1.150#58392/key k-signer (tm): query: tm IN SOA -SE(0)T (192.168.1.140) 15-Jul-2020 16:43:24.017 client @0x7fd59c324768 192.168.1.150#58392/key k-signer: signer "k-signer" approved 15-Jul-2020 16:43:24.017 client @0x7fd59c324768 192.168.1.150#58392/key k-signer: updating zone 'tm/IN': deleting rrset at 'aa.tm' DS 15-Jul-2020 16:43:24.017 client @0x7fd59c324768 192.168.1.150#58392/key k-signer: updating zone 'tm/IN': adding an RR at 'aa.tm' DS 54410 8 2 5EAF060C7F00846B82D66CAAB29542450383DDF99390151694CC2A95 8C78E648

4 roky, 11 měsíců

3
5
0 0

Revoking DNSSEC KSK (a la RFC 5011)

by Jan-Piet Mens

Hello! first of all, thank you for a wonderful authoritative DNS server; as mentioned a while back, I'm loving the automatic key management and DS push; both work a treat. I have a requirement for manual key management and that is to be able to roll KSK keys a la RFC 5011 for both BIND and Unbound instances to automatically change their trust anchors. In Knot I can retire a key and subsequently have it removed, but the key isn't revoked (a.k.a. key flags 257+128 == 385). keymgr . set 41155 active=+1mi retire=+5mi remove=+60mi As such, BIND will, when this particular KSK is removed from the DNSKEY RRset, (rightly) complain: managed-keys-zone: Active key 41155 for zone . unexpectedly missing managed-keys-zone: Key 30377 for zone . is now trusted (acceptance timer complete) I've not found the word 'revoke' in the documentation, and no flags I can set with keymgr(8) seem to indicate that I can revoke a key. Can you help me, please? As an aside, I've noticed that when keymgr's `remove' time is reached, the key is removed from the zone (which is expected), however the key itself remains in the key store. From there, I can delete it, but I can also set flags on it in such a way as that it's brought *back* into the zone. Is that expected behaviour? It's not a problem per se, I'd just like to know whether I've understood the system. Thank you and kind regards, -JP

4 roky, 11 měsíců

3
4
0 0

Log query

by Smile TV

Dear all, I am deploying a DNS system using the Knot DNS software. I have read in the document and I did not see any DNS query log. So let me ask DNS Knot software can collect DNS query log? If possible, what is the configuration? Best regards, Chinhlk.

4 roky, 11 měsíců

4
6
0 0

Manual Key Rollover - 2 ZSKs with same key id

by Thomas E.

Hi, I performed a manual key roll over with this command: $ knotc zone-key-rollover dnssec-test.xxx zsk The result is 2 different ZSK's with the same key id: dnssec-test.xxx. 3600 IN DNSKEY 256 3 8 ( AwEAAc5W..... ) ; ZSK; alg = RSASHA256; key id = 7030 dnssec-test.xxx. 3600 IN DNSKEY 256 3 8 ( AwEAAc7Q5U...... ) ; ZSK; alg = RSASHA256; key id = 7030 >From the log: 2020-07-03T14:52:59 info: [dnssec-test.xxx.] DNSSEC, key, tag 56464, algorithm RSASHA256, KSK, public, ready, active+ 2020-07-03T14:52:59 info: [dnssec-test.xxx.] DNSSEC, key, tag 7030, algorithm RSASHA256, public 2020-07-03T14:52:59 info: [dnssec-test.xxx.] DNSSEC, key, tag 7030, algorithm RSASHA256, public, active 2020-07-03T14:52:59 info: [dnssec-test.xxx.] DNSSEC, signing started 2020-07-03T14:52:59 info: [dnssec-test.xxx.] DNSSEC, zone is up-to-date Is it the indented behavior to have two ZSK's with the same key id? Thanks a lot, Thomas

4 roky, 11 měsíců

4
3
0 0

Knot DNS 2.9.5 release

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 2.9.5! It's a serious bugfix version for those how use Knot DNS 2.9.0-2.9.4 for DNSSEC zone signing with automatic DNSKEY management and who rely on automatic maximum zone TTL computation. We apologize for possible inconvenience! Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v2.9.5/NEWS Source code: https://secure.nic.cz/files/knot-dns/knot-2.9.5.tar.xz https://secure.nic.cz/files/knot-dns/knot-2.9.5.tar.xz.asc Documentation: https://www.knot-dns.cz/docs/2.9/html Support and funding: https://www.knot-dns.cz/support Regards, Daniel

5 let, 1 měsíc

1
0
0 0

Knot DNS bug notification

by libor.peltan

Hi all, we'd like to inform you about recently found bug in Knot DNS 2.9.x. The bug affects automatic key roll-overs when automatic key management is configured https://www.knot-dns.cz/docs/2.9/singlehtml/index.html#automatic-dnssec-sig… The ZSK, CSK or algorithm roll-over might be finished too early, so that DNSKEY and RRSIG records in resolvers' caches get out of sync, leading to temporary DNSSEC validation failure. Affected versions are Knot DNS 2.9.0 -- 2.9.4. We will release fixing version 2.9.5 soon. In the meantime, we recommend to apply the workaround: set the configuration option zone-max-ttl https://www.knot-dns.cz/docs/2.9/singlehtml/index.html#zone-max-ttl explicitly to a value greater or equal to maximal TTL among all records in the zone. (Remove the workaround once upgraded to fixed version.) Many thanks to Anand Buddhdev from RIPE NCC for finding this bug. Caring regards, Libor Peltan CZ.NIC

5 let, 1 měsíc

2
1
0 0

Re: [knot-dns-users] Knot DNS 2.9.4 release

by Daniel Salzman

Hello Roman, Thanks for asking! I have updated the images on Docker Hub :-) Best, Daniel On 5/5/20 9:31 AM, Roman Šafránek wrote: > Hello Daniel, > are you planning to update cznic/knot docker image on Docker HUB to latest version or i'm supposed > to use docker images from https://gitlab.labs.nic.cz/knot/knot-dns/container_registry ? > > Regards, > Roman > > > Dne 05.05.2020 v 9:09 Daniel Salzman napsal(a): >> Hello Knot DNS users, >> >> CZ.NIC has released Knot DNS 2.9.4! >> >> This version brings several bugfixes and improvements. >> See the changelog for more details. >> >> Changelog: >> https://gitlab.labs.nic.cz/knot/knot-dns/raw/v2.9.4/NEWS >> >> Source code: >> https://secure.nic.cz/files/knot-dns/knot-2.9.4.tar.xz >> https://secure.nic.cz/files/knot-dns/knot-2.9.4.tar.xz.asc >> >> Documentation: >> https://www.knot-dns.cz/docs/2.9/html >> >> Support and funding: >> https://www.knot-dns.cz/support >> >> Regards, >> Daniel >> >> >

5 let, 1 měsíc

1
0
0 0

Knot DNS 2.9.4 release

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 2.9.4! This version brings several bugfixes and improvements. See the changelog for more details. Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v2.9.4/NEWS Source code: https://secure.nic.cz/files/knot-dns/knot-2.9.4.tar.xz https://secure.nic.cz/files/knot-dns/knot-2.9.4.tar.xz.asc Documentation: https://www.knot-dns.cz/docs/2.9/html Support and funding: https://www.knot-dns.cz/support Regards, Daniel

5 let, 1 měsíc

1
0
0 0

How to move signed zones and keys to another server?

by Chris

We're consolidating servers, and as a result. I need to transfer some the IPs, zones && keys to other servers. I'm trying to find the least eventful way to accomplish this. I attempted to transfer (signed) zones and IPs once before. But the slaves wouldn't accept the zones and I ultimately had to purge the journals on all the servers I had control of, and re-key and re-sign the zones to make everything work as intended. All the zones are written/kept on disk (except changes that haven't already been flushed to disk from the DB). I'm wondering if it's enough to freeze all the zones on their current serves. Then shutdown the server(s), and transfer the zones, keys, and merge the configs onto the new servers would be the correct way to do this? If not. Please advise. Thank you for all your time, and consideration. --Chris

5 let, 1 měsíc

2
1
0 0

TCP resets during AXFR

by Petr Baloun

Hi, I've setup knot to AXFR 24 zones from our MS domain controllers but three zones fail mysteriously. After enabling debug logging knot adds additional line with the reason - 'trailing data'. In the pcap file created with tcpdump I see that our server starts to send TCP resets in the middle of the transfer. Each time resets are sent after downloading approximately the same amount of data, this amount differ for each zone (81kb for one, 49kb for the second). I am able to download the zone with dig or kdig. We also have a different server with powerdns which is able to download the zones without problems. I've also tried to setup different server (with bind9) serving one of the zones and have knot to download it from there. It worked just fine. I can send the log file snippet (with zone name and ip addresses) as well as the pcap file off the record. Could you, please, help me with solving this problem? Thank you, Petr Baloun Je dobré vědět, že tento e-mail a přílohy jsou důvěrné. Pokud spolu jednáme o uzavření obchodu, vyhrazujeme si právo naše jednání kdykoli ukončit. Pro fanoušky právní mluvy - vylučujeme tím ustanovení občanského zákoníku o předsmluvní odpovědnosti. Pravidla o tom, kdo u nás a jak vystupuje za společnost a kdo může co a jak podepsat naleznete zde<https://onas.seznam.cz/cz/podpisovy-rad-cz.html> You should know that this e-mail and its attachments are confidential. If we are negotiating on the conclusion of a transaction, we reserve the right to terminate the negotiations at any time. For fans of legalese—we hereby exclude the provisions of the Civil Code on pre-contractual liability. The rules about who and how may act for the company and what are the signing procedures can be found here<https://onas.seznam.cz/cz/podpisovy-rad-cz.html>.

5 let, 1 měsíc

2
2
0 0

Modules and CNAME chain resolution

by Conrad Hoffmann

Hi, I noticed that when using e.g the GeoIP module to return a CNAME, that CNAME does not get resolved, even if it is within the instances authority. That forces the client/recursor to issue another request. Perusing the code for a while, I noticed that there is a rather simple way to achieve this: the GeoIP module, if the result is a CNAME, _could_ set `qdata->name` to the CNAME target and return `KNOT_IN_STATE_FOLLOW` instead of `KNOT_IN_STATE_HIT`. While that does seem to work, I am not so sure if it might constitute an abuse of interfaces. Returning `KNOT_IN_STATE_FOLLOW` seems legit, but I wasn't so sure about modifying `qdata` (specifically, in the context of a module). As such, I would be interested if this has ever come up before, what possible approaches might look like, what you think of the above one, and if tackling this problem is of interest at all. If I have a better understanding and there is a good approach to this, I'd be happy to submit a patch. Thanks a lot, Conrad

5 let, 2 měsíce

2
1
0 0

Running GEOIP and weighted DNS

by Avinash Amin

Hello, OS: CentOS 7.6 Knot: knot-2.9.3-1.el7.x86_64 I am trying to run knot DNS using maxmind GeoIP and it works well. Now I also want it to be able to do weighted on those answers. E.g. If country US, it will provide 3 answers and those will be weighted. Is that correct and possible? Thanks Avinash

5 let, 2 měsíce

2
1
0 0

About the signing performance

by gao

Dear KNOT team, We're now considering an update on our zone signer and KNOT DNS seems to be a good choice. I looked through your documentation and do not see the performace data about signing big zones. When the zone has about 10 millions entries , how long will it take for KNOT DNS to sign it completely? I'll appreciate it if you can give me a feedback. Best Regards! Gao

5 let, 2 měsíce

4
5
0 0

Knot DNS 2.9.3 release

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 2.9.3! See the changelog for more details. Please note that the official package repository for CentOS, Fedora, and openSUSE is newly https://copr.fedorainfracloud.org/coprs/g/cznic/knot-dns-latest/ The previous one https://build.opensuse.org/package/show/home:CZ-NIC:knot-dns-latest/knot will not be updated. Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v2.9.3/NEWS Source code: https://secure.nic.cz/files/knot-dns/knot-2.9.3.tar.xz https://secure.nic.cz/files/knot-dns/knot-2.9.3.tar.xz.asc Documentation: https://www.knot-dns.cz/docs/2.9/html Support and funding: https://www.knot-dns.cz/support Regards, Daniel

5 let, 3 měsíce

1
0
0 0

DNSSEC, failed to initialize (not enough memory)

by aeris

Hi, I try to use knot 2.9.2 on a Raspiberry Pi 2 with 1Gb of RAM under Arch Linux. When I enable DNSSec (ecdsap256sha256 algorithm), I got mars 01 16:09:05 exegol knotd[3438]: error: [aeris.eu.org.] DNSSEC, failed to initialize (not enough memory) mars 01 16:09:05 exegol knotd[3438]: error: [aeris.eu.org.] zone event 'load' failed (not enough memory) mars 01 16:09:05 exegol knotd[3438]: error: [xxx.eu.org.] DNSSEC, failed to initialize (not enough memory) mars 01 16:09:05 exegol knotd[3438]: error: [xxx.eu.org.] zone event 'load' failed (not enough memory) mars 01 16:09:05 exegol knotd[3438]: error: [imirhil.fr.] DNSSEC, failed to initialize (not enough memory) mars 01 16:09:05 exegol knotd[3438]: error: [imirhil.fr.] zone event 'load' failed (not enough memory) Those 3 zones are quite damned small (286, 19 & 16 lines), 2 containing only minimalistic entries (1 SOA, 2 NS, 3 CAA, 2 CNAME & 1 TLSA). I try to activate zones one at a time, loading the 16 lines zone is ok but loading the 19 lines one too generate the same "not enough memory" for both zones. Loading only the 19 lines zone is ok. I don't understand how DNSSec requires so many memory to not be able to load such small zones. When zones are loaded without DNSSec, knot memory is under 80MB. How I can trace the memory usage of Knot to understand why this behavior? Is there any way to restrict Knot memory to be able to load such zones? Regards, -- aeris Individual crypto-terrorist group self-radicalized on the digital Internet https://imirhil.fr/ Protect your privacy, encrypt your communications GPG : EFB74277 ECE4E222 OTR : 5769616D 2D3DAC72 https://café-vie-privée.fr/

5 let, 3 měsíce

3
5
0 0

Knot RFC Compliance

by Thomas

Hi! Is there an overview about Knot's DNSSEC related RFC compliance or which RFCs have been implemented in Knot? Thanks, Thomas

5 let, 4 měsíce

3
2
0 0

reverse malformed data

by Bastien Durel

Hello, I have a problem with a new, small IPv6 reverse zone It's a small zone, configured like this : zone: - domain: "a.8.1.a.8.0.0.0.0.d.1.4.1.0.0.2.ip6.arpa." file: "a.8.1.a.8.0.0.0.0.d.1.4.1.0.0.2.ip6.arpa" notify: "corrin" acl: "acl_corrin" dnssec-signing: "off" module: mod-synthrecord/revovh2 There is data in the journal : root@arrakeen:/var/lib/knot/external# knotc zone-read a.8.1.a.8.0.0.0.0.d.1.4.1.0.0.2.ip6.arpa [a.8.1.a.8.0.0.0.0.d.1.4.1.0.0.2.ip6.arpa.] a.8.1.a.8.0.0.0.0.d.1.4.1.0.0.2.ip6.arpa. 2560 SOA ns.geekwu.org. hostmaster.a.8.1.a.8.0.0.0.0.d.1.4.1.0.0.2.ip6.arpa. 1580234956 16384 2048 1048576 2560 [a.8.1.a.8.0.0.0.0.d.1.4.1.0.0.2.ip6.arpa.] a.8.1.a.8.0.0.0.0.d.1.4.1.0.0.2.ip6.arpa. 259200 NS ns.geekwu.org. [a.8.1.a.8.0.0.0.0.d.1.4.1.0.0.2.ip6.arpa.] a.8.1.a.8.0.0.0.0.d.1.4.1.0.0.2.ip6.arpa. 259200 NS ns4.geekwu.org. [a.8.1.a.8.0.0.0.0.d.1.4.1.0.0.2.ip6.arpa.] 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.8.1.a.8.0.0.0.0.d.1.4.1.0.0.2.ip6.arpa. 3600 PTR imperium.geekwu.org. [a.8.1.a.8.0.0.0.0.d.1.4.1.0.0.2.ip6.arpa.] 2.2.1.0.0.0.0.0.0.0.0.0.1.0.0.0.a.8.1.a.8.0.0.0.0.d.1.4.1.0.0.2.ip6.arpa. 3600 PTR git.geekwu.org. [a.8.1.a.8.0.0.0.0.d.1.4.1.0.0.2.ip6.arpa.] a.2.a.2.0.0.0.0.0.0.0.0.1.0.0.0.a.8.1.a.8.0.0.0.0.d.1.4.1.0.0.2.ip6.arpa. 3600 PTR corrin.geekwu.org. But if I change anything (like adding another host), on knotc reload I get this error : knotd[21892]: error: [a.8.1.a.8.0.0.0.0.d.1.4.1.0.0.2.ip6.arpa.] zone event 'load' failed (malformed data) I've purged the zone with zone-purge, replaced the zone file with a copy of the dump, and got a new record on reload, but further edits fails the same way I'm using knot 2.9.2-1~cz.nic~buster1 for deb.knot-dns.cz/knot-latest Do you have an idea on what's going on ? Thanks, -- Bastien Durel

5 let, 4 měsíce

5
14
0 0

response rate limiting

by Thomas Krause

Hi all, I migrated from bind to knot. Everything works fine, except rrl. I "translated" the bind config rate-limit { responses-per-second 5; window 5; }; to mod-rrl: - id: default rate-limit: 5 slip: 2 # Every other response slips template: - id: default storage: "/etc/knot/zones" timer-db: "/var/lib/knot/timers" semantic-checks: on global-module: mod-rrl/default But the limiting doesn't work. I testet with for i in {1..20}; \ do dig @ns +short +tries=1 +time=1 mydomain.de a; \ done And got 20 answers quickly. Any ideas what's wrong here? (I'm unsing ver 2.7.6 @Debian 10) Best regards, Thomas.

5 let, 4 měsíce

2
1
0 0

fast keyrotation

by A. Schulze

Hello, I'm new to that list. Using NSD + DNSSEC + key rotation for many years. Now I like to check if and how KNOT's auto keyrotaton can safe me from my ugly script foo... https://lists.nic.cz/pipermail/knot-dns-users/2019-November/001721.html JP Mens mention "I'm rolling the KSK every five minutes for testing" instead I reinvent the wheel: could one post the relevant settings? Thanks, Andreas

5 let, 5 měsíců

4
4
0 0

No Usable Master

by Azzam S.A

After several successful attempts using the exact same configuration and steps mentioned in early question here <https://lists.nic.cz/pipermail/knot-dns-users/2020-January/001744.html> or here <https://gist.github.com/azzamsa/24dca2e201c3bea4f489a09f7a3a8716> (with better preview) I get stuck with no usable master The master side Jan 12 07:35:12 knot-master-1.novalocal knotd[12007]: info: [namadomain14.com.] zone file updated, serial 2018070410 Jan 12 07:35:12 knot-master-1.novalocal knotd[12007]: warning: [namadomain14.com.] notify, outgoing, remote slaveip@53, s...TAUTH' Jan 12 07:37:18 knot-master-1.novalocal knotd[12007]: info: [namadomain14.com.] control, received command 'zone-begin' Jan 12 07:37:32 knot-master-1.novalocal knotd[12007]: info: [namadomain14.com.] control, received command 'zone-set' Jan 12 07:37:37 knot-master-1.novalocal knotd[12007]: info: [namadomain14.com.] control, received command 'zone-commit' Jan 12 07:37:37 knot-master-1.novalocal knotd[12007]: info: [namadomain14.com.] zone file updated, serial 2018070410 -> 2018070412 Jan 12 07:37:37 knot-master-1.novalocal knotd[12007]: warning: [namadomain14.com.] notify, outgoing, remote slaveip@53, s...TAUTH' Jan 12 07:37:41 knot-master-1.novalocal knotd[12007]: info: control, received command 'zone-read' Jan 12 07:38:11 knot-master-1.novalocal knotd[12007]: info: [namadomain14.com.] control, received command 'zone-notify' Jan 12 07:38:11 knot-master-1.novalocal knotd[12007]: warning: [namadomain14.com.] notify, outgoing, remote slaveip@53, s...TAUTH' The slave side Jan 12 07:34:54 knot-slave-1 knotd: info: control, received command 'conf-read' Jan 12 07:35:19 knot-slave-1 systemd-logind: Removed session 2. Jan 12 07:35:20 knot-slave-1 knotd: info: control, received command 'conf-begin' Jan 12 07:35:20 knot-slave-1 knotd: notice: control, persistent configuration database not available Jan 12 07:35:20 knot-slave-1 knotd: info: control, received command 'conf-set' Jan 12 07:35:20 knot-slave-1 knotd: info: control, received command 'conf-set' Jan 12 07:35:20 knot-slave-1 knotd: info: control, received command 'conf-set' Jan 12 07:35:20 knot-slave-1 knotd: info: control, received command 'conf-commit' Jan 12 07:35:20 knot-slave-1 knotd: info: [namadomain14.com.] zone will be loaded Jan 12 07:35:20 knot-slave-1 knotd: info: [namadomain14.com.] failed to parse zone file (not exists) Jan 12 07:35:21 knot-slave-1 knotd: warning: [namadomain14.com.] refresh, remote master1 not usable Jan 12 07:35:21 knot-slave-1 knotd: error: [namadomain14.com.] refresh, failed (no usable master) Jan 12 07:35:23 knot-slave-1 knotd: warning: [namadomain14.com.] refresh, remote master1 not usable Jan 12 07:35:23 knot-slave-1 knotd: error: [namadomain14.com.] refresh, failed (no usable master) Jan 12 07:35:27 knot-slave-1 knotd: info: control, received command 'zone-read' Jan 12 07:35:29 knot-slave-1 knotd: info: control, received command 'zone-read' Jan 12 07:35:34 knot-slave-1 knotd: warning: [namadomain14.com.] refresh, remote master1 not usable Jan 12 07:35:34 knot-slave-1 knotd: error: [namadomain14.com.] refresh, failed (no usable master) Jan 12 07:36:31 knot-slave-1 knotd: warning: [namadomain14.com.] refresh, remote master1 not usable Jan 12 07:36:31 knot-slave-1 knotd: error: [namadomain14.com.] refresh, failed (no usable master) Jan 12 07:37:14 knot-slave-1 knotd: info: [namadomain14.com.] control, received command 'zone-begin' Jan 12 07:37:55 knot-slave-1 knotd: info: [namadomain14.com.] control, received command 'zone-abort' Jan 12 07:38:19 knot-slave-1 knotd: info: control, received command 'zone-read' Jan 12 07:39:12 knot-slave-1 knotd: warning: [namadomain14.com.] refresh, remote master1 not usable Jan 12 07:39:12 knot-slave-1 knotd: error: [namadomain14.com.] refresh, failed (no usable master) Problems Previously, even though I have ‘NO AUTH’ in master side. The zone in slave still crated, because I don’t get no usable master. But the sudden there is no usable master. I’ve tried: - sudo service knot restart - remove everything -> reinstall everything Both give me no luck. Thank you in advance.

5 let, 5 měsíců

1
1
0 0

Migrate Knot 1.6.5 to actual version (2.9.x)

by Josef Karliak

Good day, is there some tool to migrate configuration from 1.6.5 to actual version ? Keys, configuration, ... Thanks and best regards J.Karliak -- Ma domena pouziva zabezpeceni a kontrolu SPF (www.openspf.org) a DomainKeys/DKIM (s ADSP) a implementaci DMARC. Pokud mate problemy s dorucenim emailu, zacnete pouzivat metody overeni puvody emailu zminene vyse. Dekuji. My domain use SPF (www.openspf.org) and DomainKeys/DKIM (with ADSP) policy and implementation of the DMARC. If you've problem with sending emails to me, start using email origin methods mentioned above. Thank you.

5 let, 5 měsíců

2
1
0 0

Setting up slave zone (slave DNS server)

by Azzam S.A

Setting up slave zone (slave DNS server) I’ve asked the previous question Setting up slave zone (slave DNS server) <https://gitlab.labs.nic.cz/knot/knot-dns/issues/667>. And I’ve followed Libor Peltan’s advice to also configure the zone in the slave side. But It still didn’t work for me. Config knot.conf in *master* server # This is a sample of a minimal configuration file for Knot DNS. # See knot.conf(5) or refer to the server documentation. server: rundir: "/run/knot" user: knot:knot listen: [ 127.0.0.1@53, ::1@53 ] log: - target: syslog any: info database: storage: "/var/lib/knot" remote: - id: slave1 address: 111.11.11.111@53 acl: - id: slave1_acl address: 111.11.11.111 action: transfer template: - id: default storage: "/var/lib/knot" file: "%s.zone" zone: # # Master zone # - domain: example.com # notify: slave # acl: acl_slave # # Slave zone # - domain: example.net # master: master # acl: acl_master knot.conf in my *slave* server # This is a sample of a minimal configuration file for Knot DNS. # See knot.conf(5) or refer to the server documentation. server: rundir: "/run/knot" user: knot:knot listen: [ 127.0.0.1@53, ::1@53 ] log: - target: syslog any: info database: storage: "/var/lib/knot" remote: - id: master1 address: 222.22.22.222@53 acl: - id: master1_acl address: 222.22.22.2222 action: notify template: - id: default storage: "/var/lib/knot" file: "%s.zone" zone: # # Master zone # - domain: example.com # notify: slave # acl: acl_slave # # Slave zone # - domain: example.net # master: master # acl: acl_master conf-read result conf-read in *master* server [root@knot-master-1 centos]# knotc conf-read server.rundir = /run/knot server.user = knot:knot server.listen = 127.0.0.1@53 ::1@53 log.target = syslog log[syslog].any = info database.storage = /var/lib/knotacl.id = slave1_acl acl[slave1_acl].address = 222.22.22.222 acl[slave1_acl].action = transferremote.id = slave1 remote[slave1].address = 222.22.22.222(a)53template.id = default template[default].storage = /var/lib/knot template[default].file = %s.zone zone.domain = namadomain.com. zone[namadomain.com.].file = namadomain.com.zone zone[namadomain.com.].notify = slave1 zone[namadomain.com.].acl = slave1_acl conf-read in *slave* server [root@knot-slave-1 centos]# knotc conf-read server.rundir = /run/knot server.user = knot:knot server.listen = 127.0.0.1@53 ::1@53 log.target = syslog log[syslog].any = info database.storage = /var/lib/knotacl.id = master1_acl acl[master1_acl].address = 111.11.11.111 acl[master1_acl].action = notifyremote.id = master1 remote[master1].address = 111.11.11.111(a)53template.id = default template[default].storage = /var/lib/knot template[default].file = %s.zone zone.domain = namadomain.com. zone[namadomain.com.].master = master1 zone[namadomain.com.].acl = master1_acl Zone Read zone-read in *master* server [root@knot-master-1 centos]# knotc zone-read -- [namadomain.com.] namadomain.com. 86400 TXT "hello" [namadomain.com.] namadomain.com. 86400 SOA ns1.biz.net.id. hostmaster.biz.net.id. 2018070411 3600 3600 604800 38400 zone-read in *slave* server [root@knot-slave-1 centos]# knotc zone-read -- [namadomain.com.] namadomain.com. 86400 SOA ns1.biz.net.id. hostmaster.biz.net.id. 2018070410 3600 3600 604800 38400 Steps I use to create a zone in *master* server knotc conf-begin knotc conf-set 'zone[namadomain.com]' knotc conf-set 'zone[namadomain.com].file' 'namadomain.com.zone' knotc conf-set 'zone[namadomain.com].notify' 'slave1' knotc conf-set 'zone[namadomain.com].acl' 'slave1_acl' knotc conf-commit knotc zone-begin namadomain.com knotc zone-set namadomain.com. @ 86400 SOA ns1.biz.net.id. hostmaster.biz.net.id. 2018070410 3600 3600 604800 38400 knotc zone-set namadomain.com. @ 86400 TXT "hello" knotc zone-commit namadomain.com in *slave* server knotc conf-begin knotc conf-set 'zone[namadomain.com]' knotc conf-set 'zone[namadomain.com].master' 'master1' knotc conf-set 'zone[namadomain.com].acl' 'master1_acl' knotc conf-commit knotc zone-begin namadomain.com knotc zone-set namadomain.com. @ 86400 SOA ns1.biz.net.id. hostmaster.biz.net.id. 2018070410 3600 3600 604800 38400 knotc zone-commit namadomain.com Problems If we look closely. I’ve crated the configuration of namadomain.com in *both* master and slave servers. Also I’ve created the SOA record of of namadomain.com in *both* master and slave servers. But I only create file config in *master* server and TXT record in *master* server (to test if AXFR zone transfer worked). Unfortunately, the file config and the TXT record is not created by slave, even though I’ve waited for more than hour (1 day actually). Am I missing something here? (I never put the zone directly in zone: section of knot.conf, I always use knotc since I will use libknot control.py to manage zones with our app <https://github.com/BiznetGIO/RESTKnot>) Also am I able to see if the knot in master emit the transfer ‘signal’ and check if knot in slave receive that signal? So It will make me easier to debug. I’ve tried to trigger knotc zone-notify namadomain.com in *master* side, and knotc zone-retransfer namadomain.com in *slave* side. But nothing changed. [root@knot-master-1 centos]# knotc zone-notify namadomain.com OK [root@knot-master-1 centos]# knotc zone-read -- [namadomain.com.] namadomain.com. 86400 TXT "hello" [namadomain.com.] namadomain.com. 86400 SOA ns1.biz.net.id. hostmaster.biz.net.id. 2018070411 3600 3600 604800 38400 [root@knot-slave-1 centos]# knotc zone-retransfer namadomain.com OK [root@knot-slave-1 centos]# knotc zone-read -- [namadomain.com.] namadomain.com. 86400 SOA ns1.biz.net.id. hostmaster.biz.net.id. 2018070410 3600 3600 604800 38400 Machine # knotc --version knotc (Knot DNS), version 2.9.1 OS: CentOS 7.5 Thank you in advance.

5 let, 5 měsíců

2
1
0 0

Knot DNS 2.8.5 release

by daniel.salzman＠nic.cz

Hello Knot DNS users, CZ.NIC has released Knot DNS 2.8.5! This version contains only some bugfixes backported from the 2.9 branch. Please note that the official package repository for CentOS, Fedora, and openSUSE is newly https://copr.fedorainfracloud.org/coprs/g/cznic/knot-dns/ . The previous one https://build.opensuse.org/package/show/home:CZ-NIC:knot-dns/knot will not be updated. Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v2.8.5/NEWS Source code: https://secure.nic.cz/files/knot-dns/knot-2.8.5.tar.xz https://secure.nic.cz/files/knot-dns/knot-2.8.5.tar.xz.asc Documentation: https://www.knot-dns.cz/docs/2.8/html Support and funding: https://www.knot-dns.cz/support Regards, Daniel

5 let, 5 měsíců

1
0
0 0

Issue encountered during a migration from FreeBSD to Gentoo

by Alarig Le Lay

Hi, Today I migrated my knot from FreeBSD to Gentoo (because it take too much time to stay on a supported release of FreeBSD) I rsynced my knot.conf (and changed the paths) and /var/db/knot to /var/lib/knot However, daemon failed to start because it wasn’t able to bind to /var/run/knot/knot.sock, and the permissions where good. I had to remove /var/db/knot and rsync only zones and keys. I don’t get the link from files in /var/lib and a denied permission on /var/run/knot/knot.sock, so I think that there is a bug here. Regards, -- Alarig

5 let, 6 měsíců

6
17
0 0

Knot DNS 2.9.2 release

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 2.9.2! This version fixes several 2.9-specific and some persistent bugs. Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v2.9.2/NEWS Source code: https://secure.nic.cz/files/knot-dns/knot-2.9.2.tar.xz https://secure.nic.cz/files/knot-dns/knot-2.9.2.tar.xz.asc Documentation: https://www.knot-dns.cz/docs/2.9/html Support and funding: https://www.knot-dns.cz/support Regards, Daniel

5 let, 6 měsíců

1
0
0 0

question

by ali jaberansari

Dear all, I have 2 servers and one of them I installed dnsblast. I read many time your DNS-benchmarking <https://gitlab.labs.nic.cz/knot/dns-benchmarking> project and get it from gitlab but I can't send packet more than 500K. please help. Best Regards.

5 let, 6 měsíců

1
0
0 0

automating DS submission and logging

by Jan-Piet Mens

Hello! after reading and rereading the documentation (release 2.9) section on automatic KSK management, and rereading it again, I finally understood the part which says "the user shall propagate [the DS] to the parent". In particular due to the log entry info: DS check, outgoing, remote 127.0.0.1@53, KSK submission attempt: negative and the phrasing of the "submission:" configuration stanza, I thought Knot would attempt to do so itself via dynamic update. I think I was injecting too much wishful thinking into the text. :) Now to my two questions: Is it envisioned to have Knot launch an executable in order to perform the submission? I'm thinking along the lines of Knot running at every `check-interval': ./ds-submitter zone "<cds>" "<cdnskey>" upon which the ds-submitter program could (e.g. via RFC2136) add DS RRset to the parent zone. Might be nice to have ... (I did see the bit about journald and using that to trigger DS submission, but using journald frightens me a bit.) I notice that a dynamic update on 2.9 logs info: [zone.] DDNS, processing 1 updates is there any way to get more details logged (what the update actually was)? My configuration contains: log: - target: syslog server: debug control: debug zone: debug any: debug Thank you. -JP

5 let, 7 měsíců

2
4
0 0

Knot DNS 2.9.1 release

by daniel.salzman＠nic.cz

Hello Knot DNS users, CZ.NIC has released Knot DNS 2.9.1! This version primarily fixes some issues relating zone updates or compatibility with previous versions. It's recommended to update from 2.9.0. Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v2.9.1/NEWS Source code: https://secure.nic.cz/files/knot-dns/knot-2.9.1.tar.xz https://secure.nic.cz/files/knot-dns/knot-2.9.1.tar.xz.asc Documentation: https://www.knot-dns.cz/docs/2.9/html Support and funding: https://www.knot-dns.cz/support Regards, Daniel

5 let, 7 měsíců

1
0
0 0

KASP sharing

by Bastien Durel

Hello, Is KASP directory sharing possible between different knot instances ? (I have a "public" instance and a "private" one, with internal addresses, using different storage: directories, but the same kasp-db:) The internal one sometimes returns invalid DNSSEC data for non-existant names until I restart it. Is it to be expected in this setup ? Thanks, -- Bastien

5 let, 7 měsíců

2
1
0 0

slave strange behaviour

by Bastien Durel

Hello. I found another strange behaviour on my slave : it kept old RRSIG's for SOA entries. I fixed it by running zone-purge, then zone-retransfer ; <<>> DiG 9.11.5-P1-1~bpo9+1-Debian <<>> +dnssec @87.98.180.13 caa www.geekwu.org ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12546 ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 19, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 1232 ;; QUESTION SECTION: ;www.geekwu.org. IN CAA ;; AUTHORITY SECTION: geekwu.org. 86400 IN SOA ns.geekwu.org. hostmaster.geekwu.org. 2019101730 3600 1200 2419200 10000 geekwu.org. 86400 IN RRSIG SOA 14 2 86400 20181118054714 20181104041714 54076 geekwu.org. 8b6lzlyI1fZUxwtCt9GHsRu1Ist1CtDFm+NifSTTESoMK3XAnW8gyZzp UIEmNiIRKdYnze+FsW+oEw4hm9pkW/lwgIls3tBvLKCwRseUwrj5jIbh rPK9fYuWM0RP1HBj geekwu.org. 86400 IN RRSIG SOA 14 2 86400 20181118054719 20181104041719 54076 geekwu.org. uoRZZ4jV2jaubsH7W3VIpIdu9iVKYnz9q+GpNHSnEDv4Mt5JcVnLChLk /eeRKSK9U7h8yFSOmxdcTBIyITlbGGBeeVbZFdQYsSshpN1Fa7YME9JU ttr5tISHoPnHlM2y geekwu.org. 86400 IN RRSIG SOA 14 2 86400 20181118054723 20181104041723 54076 geekwu.org. /2EY2DNqeX0GqK0eDcg3dFIqgH0346fP1XuIHM3oswRMnFMtCEDuD325 jpqByKlOkl4Edlv/GyJlJXohrdlWyTzE2xCM6ad2ordYHu0eCO8npfEi OOPc2HhtBYQUM+TU geekwu.org. 86400 IN RRSIG SOA 14 2 86400 20181118054727 20181104041727 54076 geekwu.org. OwfeorMdvR3Q4XvkSfNxruYJfcPRPIhsnDrrYk41L1gIYMRwEfapO/Te tza5M07CGx0rQPvFejXHRr7vzlatxvI9k9Vqrs12CR1q7ak+NVhxcM53 syCJVN/z8iKu5uYV geekwu.org. 86400 IN RRSIG SOA 14 2 86400 20181118054731 20181104041731 54076 geekwu.org. DpyZ6MCWuEA025ghGRJBISd0Lp7qXWb3R27+R/+FWnIytoLrIIzgRLI5 TEojx/k6hlbwFszH024T5CP5vQ1WXjIVyF9ZwNjseJ+skZgPx5ySzqrI R8WXgdpKYi4+SrYs geekwu.org. 86400 IN RRSIG SOA 14 2 86400 20181118054738 20181104041738 54076 geekwu.org. nNr2vNwLQSlDE7UXQWxGCiTTKb3wyx5VSzhoB8W8ovkSD9EHbcAr3QuP cR3ICASDhnWySB4NEB7i+qncT90+JEccuxvT8fBCoMHJtMy0YjNqsTLd tOOSitLogl4h8the geekwu.org. 86400 IN RRSIG SOA 14 2 86400 20181118054741 20181104041741 54076 geekwu.org. /28OcE9l7MXN9wKl2vpI5fxNpu6Ia1i4ku3V61Pix2JPKKJ4YhYG1BDw aBnpncgso71CiJyVz1Rsp1X50V6tGdibtP/ckRdqvl9f+W+KeCvcrcaS 8u4a5BjeqDFokrfY geekwu.org. 86400 IN RRSIG SOA 14 2 86400 20181118054743 20181104041743 54076 geekwu.org. GA4eFm1u4jxa+Jhu4vWa+UoucY7OES/8bKxkaIMte0AsC7bPovWdS8Qx 6zrrS9u1PEXS4dDy+PeCxPQFSefaPfiEY44J8JILTaf4OfiL+ij7RI2m MrN1e428veGFFfrY geekwu.org. 86400 IN RRSIG SOA 14 2 86400 20181118054746 20181104041746 54076 geekwu.org. MnF6nqK/UV+Q68Lf6mV80E4FcClEARc9gclqH4jP0gaxco/DpqGhWEgG yKM/E8ePIPOaUyRqdoiRKfWS2xcQExhqbeS+orcUjKx04BxDbp8rpCFG lRhR+QLEO4SpTrKo geekwu.org. 86400 IN RRSIG SOA 14 2 86400 20181118054749 20181104041749 54076 geekwu.org. MygQqAnclUn//WxI3gi04Fjkcim/7C4rusz0pj0RXOwl5yAQZMj5gFl7 v5WtUdxbysOhGiiJeHHpWWepD46E2DIlpAp/vKC8hw/DGNRSk6gT6cWl UqylhEIgKrekqVb4 geekwu.org. 86400 IN RRSIG SOA 14 2 86400 20181125063021 20181111050021 54076 geekwu.org. h1vHar/cdzpfTbVPhP6UW11aW6pB+1sfagKMBIPDif8mDjvLOP1KsTvI LuAUUNHaQgcYaoYwc9MrSQ+/se6CweK80B+O7pk+GFSWfqygyHhEvHZt YOHX183eKtYyjFix geekwu.org. 86400 IN RRSIG SOA 14 2 86400 20181125063028 20181111050028 54076 geekwu.org. hDTZuOOKCCWEYlWApA/g+RdSOKxfEGmttto8/BwUNYGBs/2dHziAIQlD y4SQh2ST1crUeHOTL7d8o+naqbt2lT7pMNqrUQy6XXYdVZ4gQ6aIjVkG Yi7kRgdG8Nksm31N geekwu.org. 86400 IN RRSIG SOA 14 2 86400 20181213181717 20181129164717 63974 geekwu.org. 6BspV1velFjzJQqmGejOSyV6A9NOg3n486/mAx4llB4d+S1KF3j7dzzX TmMalQN2QufP7NDCVaV4kmtoOgUwS/XcfAQeDJ/b5/bYNa1ERf/tV6bJ 3Z4by5PlXdqoPte5 geekwu.org. 86400 IN RRSIG SOA 14 2 86400 20190113191717 20181230174717 21289 geekwu.org. 2+WLMBHmrc2hygRoGtZbtgxikv6aHRv5xDg07nKldKKk/oR9l2GtjpUt yaMtgu+x/5Uk02eCwea+Vs41wq7BfzcZlL5SNqud9vFqCWAH3izikfLL mngKO3HHBvzxmqgy geekwu.org. 86400 IN RRSIG SOA 14 2 86400 20190213201717 20190130184717 63065 geekwu.org. 8xL2eX4atI6Z+CxwZaF4cwGmNKXY389Qsnz9qZZkXdGcnmzYct5UVBl1 LM0bR/e3D5ZCAhdFR8NynhUKPwCKaSgivjzKNmLunqDFUJgM/4fZFAP8 pXce50jpYXVMBmhm geekwu.org. 86400 IN RRSIG SOA 14 2 86400 20190316211717 20190302194717 19071 geekwu.org. FdHJKayUYfLsXu9ct9Mfvo1nVRei8xExluWbOfD9wbe/ZDqFQKyBvWKr hMrdUvSgCQ52iaTWl88cdPtho8YgGXRC+qse5rzqK+9toKbFryg/jFAX 18xJSYrntilYJm1u geekwu.org. 86400 IN RRSIG SOA 14 2 86400 20190416221717 20190402204717 14519 geekwu.org. kIBe1/zzEbX09gKk0R6MbAicxfoGjL1ojWvR/8oQBdld1yVtyMtLWKic NhkellgCaXIb7cluj/SAUQC2lr9tJxZp31oG+DhQBAG2arQAVtphxJ0p yUwD7klvUweJM49Y geekwu.org. 86400 IN RRSIG SOA 14 2 86400 20191109090028 20191026073028 47945 geekwu.org. 9tmNQt48ZT3aTV/WkcfPpLQ3/3rpKXaDlasT9+EnRyniLrLuuHgQtRfw uxvJpillbGVn15uy9aoMDADV9K5DfdaNOgskK1v3QYgMpGtao+soydi/ Y9MyfDFUQNmSUIKD Therefore, let's encrypt checks failed when querying it with "detail": "DNS problem: SERVFAIL looking up CAA for arrakeen.geekwu.org" ; I guess their validating resolver did not picked the correct RRSIG, and failed to validate. If you want to investigate, I have another zone which have the same problem, and a bit more time before certificate expiration, for which I can provide details, journal, etc. Regards, -- Bastien Durel

5 let, 7 měsíců

2
2
0 0

no usable master

by Bastien Durel

Hello, I have a problem with a knot slave instance, which does not refresh anymore. When doing a retransfer, I have a "no usable master" error, with this error log: oct. 21 11:02:16 corrin knotd[32453]: info: [geekwu.org.] control, received command 'zone-retransfer' oct. 21 11:02:16 corrin knotd[32453]: 2019-10-21T11:02:16 info: [geekwu.org.] control, received command 'zone-retransfer' oct. 21 11:02:17 corrin knotd[32453]: info: [geekwu.org.] AXFR, incoming, remote 10.42.42.6@53, starting oct. 21 11:02:17 corrin knotd[32453]: 2019-10-21T11:02:17 info: [geekwu.org.] AXFR, incoming, remote 10.42.42.6@53, starting oct. 21 11:02:18 corrin knotd[32453]: debug: [geekwu.org.] refresh, remote master, address 10.42.42.6@53, failed (connection reset) oct. 21 11:02:18 corrin knotd[32453]: 2019-10-21T11:02:18 debug: [geekwu.org.] refresh, remote master, address 10.42.42.6@53, failed (connection reset) oct. 21 11:02:18 corrin knotd[32453]: 2019-10-21T11:02:18 warning: [geekwu.org.] refresh, remote master not usable oct. 21 11:02:18 corrin knotd[32453]: 2019-10-21T11:02:18 error: [geekwu.org.] refresh, failed (no usable master) oct. 21 11:02:18 corrin knotd[32453]: warning: [geekwu.org.] refresh, remote master not usable oct. 21 11:02:18 corrin knotd[32453]: error: [geekwu.org.] refresh, failed (no usable master) On master, I have this error log: oct. 21 11:02:16 arrakeen knotd[20289]: info: [geekwu.org.] AXFR, outgoing, remote 10.120.42.42@33435, started, serial 2019100808 oct. 21 11:02:16 arrakeen knotd[20289]: 2019-10-21T11:02:16 info: [geekwu.org.] AXFR, outgoing, remote 10.120.42.42@33435, started, serial 2019100808 oct. 21 11:02:16 arrakeen knotd[20289]: debug: TCP, send, address 10.120.42.42@33435 (connection timeout) oct. 21 11:02:16 arrakeen knotd[20289]: 2019-10-21T11:02:16 debug: TCP, send, address 10.120.42.42@33435 (connection timeout) tcpdump shows a TCP connection from 10.120.42.42 to 10.42.42.6, which is closed with a TCP FIN by 10.42.42.6 after 1.2s Do you have hints about that ? Thanks, -- Bastien Durel

5 let, 8 měsíců

2
3
0 0

[2.9] DDNS failure

by Bastien Durel

Hello, Since I upgraded to 2.9 (2.9.0-1~cz.nic~buster1), DDNS update fails: oct. 14 11:10:25 arrakeen knotd[15543]: info: [durel.org.] DDNS, processing 1 updates oct. 14 11:10:25 arrakeen knotd[15543]: error: [durel.org.] DNSSEC, failed to fix NSEC3 chain (invalid parameter) oct. 14 11:10:25 arrakeen knotd[15543]: 2019-10-14T11:10:25 error: [durel.org.] DNSSEC, failed to fix NSEC3 chain (invalid parameter) oct. 14 11:10:25 arrakeen knotd[15543]: 2019-10-14T11:10:25 error: [durel.org.] DDNS, processing failed (invalid parameter) oct. 14 11:10:25 arrakeen knotd[15543]: error: [durel.org.] DDNS, processing failed (invalid parameter) DDNS are generated with knsupdate: knsupdate -k /etc/letsencrypt.sh/hooks/tsig.key $file Is there a config change that can explain that ? Thanks, -- Bastien Durel

5 let, 8 měsíců

4
6
0 0

KSK automated rollover: New KSK generation

by Sakirnth (BFH)

Hello, I am using knot version 2.7 with automated keyrollover for DNSSEC. I am trying to understand the rollover process so that I can exactly predict when a rollover is in progress. So far I have understood this: KSK (1) [created and published] ---(progapagtion delay + DNSKEY TTL)--> KSK (1) [ready] ---(submitted in parent zone)--> ---((KSK-TTL) - (DNSKEY TTL + propagation delay + DS parent TTL + x))-> KSK (2) [created and published] KSK (2) [ready] ---(submitted in parent zone)--> KSK (1) [retire-active], KSK (2) [active] ---(propagation delay + DNSKEY TTL)-> KSK (1) [removed] My observartions during the rollover: Knot configuration: DNSKEY-TTL: 12h Propagation-delay: 2h Zone TTL default: 1h KSK-lifetime: 3d ZSK lifetime: 0 Parent configuration: DS-TTL on parent: 1h KSK (1) [created and published] ---(progapagtion delay + DNSKEY TTL)--> KSK (1) [ready] ---(submitted in parent zone)--> ---((3d) - (12h + 2h + 1h + x))-> KSK (2) [created and published] KSK (2) [ready] ---(submitted in parent zone)--> KSK (1) [retire-active], KSK (2) [active] ---(2h + 12h)-> KSK (1) [removed] The new key was created 19 hours before the KSK-lifetime ends. When I substract DNSKEY TTL, propagation delay and DS parent TTL its still 4 hours too early. Somebody knows why? References: https://www.knot-dns.cz/docs/2.7/html/reference.html https://tools.ietf.org/html/rfc6781.html#section-4.1.2 Thanks and Cheers, Sakirnth

5 let, 8 měsíců

2
1
0 0

Re: [knot-dns-users] 2.9.0 fails to start after upgrade

by Lukáš Kocourek

So problem is solved for me, I've tried to start with just one zone which didn’t helped, but removing journal did. Many thanks to Daniel Salzman for kind help, maybe he will post some other details after analyzing our journal records. -- Lukas Kocourek > On 2019-10-15, at 12:27, knot-dns-users-request(a)lists.nic.cz wrote: > > Message: 5 > Date: Tue, 15 Oct 2019 11:56:26 +0200 > From: Lukáš Kocourek <kocour(a)direcat.net> > To: knot-dns-users(a)lists.nic.cz > Subject: [knot-dns-users] 2.9.0 fails to start after upgrade > Message-ID: <110451DC-3CC1-419D-9066-EF784FDDAC00(a)direcat.net> > Content-Type: text/plain; charset=utf-8 > > Hi, > > I’ve upgraded from 2.8.4 to 2.9.0 (Ubuntu 18.04, using ppa:cz.nic-labs/knot-dns-latest) and now knotd fail to start. > After dispatching "service knot start" command knotd process immediately goes to 100% CPU and after 3 minutes it’s killed by systemd because "Start operation timed out”. > > Here log from service start... > > Oct 15 11:37:04 ns1-u18 knotc[4972]: Configuration is valid > Oct 15 11:37:04 ns1-u18 knotd[4984]: info: Knot DNS 2.9.0 starting > Oct 15 11:37:04 ns1-u18 knotd[4984]: info: loaded configuration file '/etc/knot/knot.conf' > Oct 15 11:37:04 ns1-u18 knotd[4984]: info: using reuseport for UDP > Oct 15 11:37:04 ns1-u18 knotd[4984]: info: binding to interface X.X.X.X@53 > Oct 15 11:37:04 ns1-u18 knotd[4984]: info: binding to interface ::@53 > Oct 15 11:37:04 ns1-u18 knotd[4984]: info: loading 199 zones > > [cut] - info that all zones will be loaded > Oct 15 11:37:04 ns1-u18 knotd[4984]: info: [xxx.yyy.] zone will be loaded > [/cut] > > Oct 15 11:37:04 ns1-u18 knotd[4984]: info: starting server > Oct 15 11:38:34 ns1-u18 systemd[1]: knot.service: Start operation timed out. Terminating. > Oct 15 11:40:04 ns1-u18 systemd[1]: knot.service: State 'stop-sigterm' timed out. Killing. > Oct 15 11:40:04 ns1-u18 systemd[1]: knot.service: Killing process 4984 (knotd) with signal SIGKILL. > Oct 15 11:40:04 ns1-u18 systemd[1]: knot.service: Main process exited, code=killed, status=9/KILL > Oct 15 11:40:04 ns1-u18 systemd[1]: knot.service: Failed with result 'timeout'. > > Any advice what to do? > > Thank very much > > -- > Lukas Kocourek > > > > ------------------------------ > > Message: 6 > Date: Tue, 15 Oct 2019 12:27:34 +0200 > From: Daniel Salzman <daniel.salzman(a)nic.cz> > To: knot-dns-users(a)lists.nic.cz > Subject: Re: [knot-dns-users] 2.9.0 fails to start after upgrade > Message-ID: <99813b76-c350-442f-35c7-2447cb07acce(a)nic.cz> > Content-Type: text/plain; charset=utf-8 > > Hi Lukáš, > > Could you try to temporarily disable some zones? We have no idea at the moment :-( > > Would it be possible to show me a snippet of your configuration? > > Daniel > > On 10/15/19 11:56 AM, Lukáš Kocourek wrote: >> Hi, >> >> I’ve upgraded from 2.8.4 to 2.9.0 (Ubuntu 18.04, using ppa:cz.nic-labs/knot-dns-latest) and now knotd fail to start. >> After dispatching "service knot start" command knotd process immediately goes to 100% CPU and after 3 minutes it’s killed by systemd because "Start operation timed out”. >> >> Here log from service start... >> >> Oct 15 11:37:04 ns1-u18 knotc[4972]: Configuration is valid >> Oct 15 11:37:04 ns1-u18 knotd[4984]: info: Knot DNS 2.9.0 starting >> Oct 15 11:37:04 ns1-u18 knotd[4984]: info: loaded configuration file '/etc/knot/knot.conf' >> Oct 15 11:37:04 ns1-u18 knotd[4984]: info: using reuseport for UDP >> Oct 15 11:37:04 ns1-u18 knotd[4984]: info: binding to interface X.X.X.X@53 >> Oct 15 11:37:04 ns1-u18 knotd[4984]: info: binding to interface ::@53 >> Oct 15 11:37:04 ns1-u18 knotd[4984]: info: loading 199 zones >> >> [cut] - info that all zones will be loaded >> Oct 15 11:37:04 ns1-u18 knotd[4984]: info: [xxx.yyy.] zone will be loaded >> [/cut] >> >> Oct 15 11:37:04 ns1-u18 knotd[4984]: info: starting server >> Oct 15 11:38:34 ns1-u18 systemd[1]: knot.service: Start operation timed out. Terminating. >> Oct 15 11:40:04 ns1-u18 systemd[1]: knot.service: State 'stop-sigterm' timed out. Killing. >> Oct 15 11:40:04 ns1-u18 systemd[1]: knot.service: Killing process 4984 (knotd) with signal SIGKILL. >> Oct 15 11:40:04 ns1-u18 systemd[1]: knot.service: Main process exited, code=killed, status=9/KILL >> Oct 15 11:40:04 ns1-u18 systemd[1]: knot.service: Failed with result 'timeout'. >> >> Any advice what to do? >> >> Thank very much >> >> -- >> Lukas Kocourek >>

5 let, 8 měsíců

2
1
0 0

2.9.0 fails to start after upgrade

by Lukáš Kocourek

Hi, I’ve upgraded from 2.8.4 to 2.9.0 (Ubuntu 18.04, using ppa:cz.nic-labs/knot-dns-latest) and now knotd fail to start. After dispatching "service knot start" command knotd process immediately goes to 100% CPU and after 3 minutes it’s killed by systemd because "Start operation timed out”. Here log from service start... Oct 15 11:37:04 ns1-u18 knotc[4972]: Configuration is valid Oct 15 11:37:04 ns1-u18 knotd[4984]: info: Knot DNS 2.9.0 starting Oct 15 11:37:04 ns1-u18 knotd[4984]: info: loaded configuration file '/etc/knot/knot.conf' Oct 15 11:37:04 ns1-u18 knotd[4984]: info: using reuseport for UDP Oct 15 11:37:04 ns1-u18 knotd[4984]: info: binding to interface X.X.X.X@53 Oct 15 11:37:04 ns1-u18 knotd[4984]: info: binding to interface ::@53 Oct 15 11:37:04 ns1-u18 knotd[4984]: info: loading 199 zones [cut] - info that all zones will be loaded Oct 15 11:37:04 ns1-u18 knotd[4984]: info: [xxx.yyy.] zone will be loaded [/cut] Oct 15 11:37:04 ns1-u18 knotd[4984]: info: starting server Oct 15 11:38:34 ns1-u18 systemd[1]: knot.service: Start operation timed out. Terminating. Oct 15 11:40:04 ns1-u18 systemd[1]: knot.service: State 'stop-sigterm' timed out. Killing. Oct 15 11:40:04 ns1-u18 systemd[1]: knot.service: Killing process 4984 (knotd) with signal SIGKILL. Oct 15 11:40:04 ns1-u18 systemd[1]: knot.service: Main process exited, code=killed, status=9/KILL Oct 15 11:40:04 ns1-u18 systemd[1]: knot.service: Failed with result 'timeout'. Any advice what to do? Thank very much -- Lukas Kocourek

5 let, 8 měsíců

2
1
0 0

Knot DNS 2.9.0 release

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 2.9.0! This powerful version is full of new features, improvements, and code cleanups. Please, look at the changelog. Also note that today Knot DNS 2.7 reached its End-of-life and in the following days the official repositories will be upgraded to reflect currently supported versions (current stable -> 2.9.0, previous stable -> 2.8.4). Special thanks go to Christian Petrasch, Manuel Domke, and Jürgen Geinitz for their continuous testing! Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v2.9.0/NEWS Benchmark: https://www.knot-dns.cz/benchmark/ Source code: https://secure.nic.cz/files/knot-dns/knot-2.9.0.tar.xz https://secure.nic.cz/files/knot-dns/knot-2.9.0.tar.xz.asc Documentation: https://www.knot-dns.cz/docs/2.9/html Support and funding: https://www.knot-dns.cz/support Regards, Daniel

5 let, 8 měsíců

2
1
0 0

Knot DNS 2.8.4 release

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 2.8.4! Besides various fixes and improvements, this version brings new DS push mechanism for automatic DS record uploading to parent zone during KSK rollover. Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v2.8.4/NEWS Source code: https://secure.nic.cz/files/knot-dns/knot-2.8.4.tar.xz https://secure.nic.cz/files/knot-dns/knot-2.8.4.tar.xz.asc Documentation: https://www.knot-dns.cz/docs/2.8/html Support and funding: https://www.knot-dns.cz/support Regards, Daniel

5 let, 9 měsíců

1
0
0 0

Quick Survey

by Daniel Salzman

Hello Knot DNS users, I would like to ask you if anybody uses request-edns-option configuration option? See https://www.knot-dns.cz/docs/2.8/singlehtml/index.html#request-edns-option for more info. Thank you, Daniel

5 let, 9 měsíců

1
0
0 0

Feature Request: expose knotc and keymgr API in a library

by Ray Hunter (v6ops)

Hi. Firstly, a big thank-you for knotd. I've been writing some code for automatic configuration of DNS delegations, including dnssec. It's been very straightforward with knot. The code is very clean, and the documentation extensive. Now my request: Your control programs seem to assume that the user is running knotc or keymgr and generating commands interactively or via a script. Would it be possible to expose all of the knotc and the keymgr API functions into a separate library, like libknotd-ctrl, plus a set of header files? At the moment I'm forking off external shell scripts from my program, and that works fine, but if I could call and link these control functions direct from my own code it would be great. It's probably possible already with some automake magic, but it's not easy for someone of my limited skills level. The code already exists, it'd just be some additional build steps AFAICS. -- regards, RayH <https://www.postbox-inc.com/?utm_source=email&utm_medium=siglink&utm_campai…>

5 let, 10 měsíců

1
0
0 0

prometheus exporter

by Gert Doering

Hiya, trying to get our knot dns server (FreeBSD pkg, 2.8.1) to export prometheus statistics. I found https://github.com/ghedo/knot_exporter, which looks promising (and I found that knot-resolver has this all built in, but this doesn't help me :-/ ). So, I've installed the required python modules, and when I start the knot_exporter (with the right paths and everything) it complains to me: $ /tmp/knot_exporter --web-listen-port 4041 --knot-library-path ... Traceback (most recent call last): File "/tmp/knot_exporter", line 489, in <module> args.knot_socket_timeout, File "/usr/local/lib/python3.6/site-packages/prometheus_client/registry.py", line 24, in register names = self._get_names(collector) File "/usr/local/lib/python3.6/site-packages/prometheus_client/registry.py", line 64, in _get_names for metric in desc_func(): File "/tmp/knot_exporter", line 434, in collect for zone, zone_data in zone_stats["zone"].items(): KeyError: 'zone' so, I read the manual, and it says that this should be sufficient: template: - id: default storage: /usr/local/etc/dnsmgmt/data/CA/knot disable-any: true acl: [ acl_transfer, acl_notify ] global-module: mod-stats with or without mod-stats: - id: default request-protocol: on server-operation: on edns-presence: on flag-presence: on response-code: on reply-nodata: on query-type: on ... but it does not seem to make a difference. So - if one of you has a working knot-server knot.conf that exports data to prometheus, can you share it? thanks, Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279

5 let, 10 měsíců

3
4
0 0

Specify wildcard subdomain static hints

by Balakrishnan B

I am trying to add wildcard static hints to catch all local domains like below. But does not seem to work. hints['nextcloud.local'] = '127.0.0.1' # This works fine hints['*.local'] = '127.0.0.1' hints['.local'] = '127.0.0.1' DNSMasq supports this like https://stackoverflow.com/a/22551303 Is there way to do this in knot? Thanks, Bala

5 let, 11 měsíců

1
0
0 0

Knot DNS 2.8.3 and 2.7.8 releases

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 2.8.3 and Knot DNS 2.7.8! The most important fix relates to excessive server load when maximum TCP clients limit is reached. It's also recommended to increase https://www.knot-dns.cz/docs/2.8/singlehtml/index.html#max-tcp-clients if TCP traffic is high. Changelogs: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v2.8.3/NEWS https://gitlab.labs.nic.cz/knot/knot-dns/raw/v2.7.8/NEWS Source code: https://secure.nic.cz/files/knot-dns/knot-2.8.3.tar.xz https://secure.nic.cz/files/knot-dns/knot-2.8.3.tar.xz.asc https://secure.nic.cz/files/knot-dns/knot-2.7.8.tar.xz https://secure.nic.cz/files/knot-dns/knot-2.7.8.tar.xz.asc Documentation: https://www.knot-dns.cz/docs/2.8/html https://www.knot-dns.cz/docs/2.7/html Support and funding: https://www.knot-dns.cz/support Regards, Daniel

5 let, 11 měsíců

1
0
0 0

Knot DNS 2.8.2 release

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 2.8.2! This version mainly fixes some Offline-KSK and geoip issues, and brings a few new features. Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v2.8.2/NEWS Source code: https://secure.nic.cz/files/knot-dns/knot-2.8.2.tar.xz https://secure.nic.cz/files/knot-dns/knot-2.8.2.tar.xz.asc Documentation: https://www.knot-dns.cz/docs/2.8/html Support and funding: https://www.knot-dns.cz/support Regards, Daniel

6 let

1
0
0 0

Problems with serial when using knot as standalone DNSSEC signer

by Sebastian Wiesinger

Hi, we're using knot as a bump-in-the-wire DNSSEC Signer. The setup is as follows: BIND9(unsigned) -> AXFR -> knot(signing) -> AXFR -> BIND9(signed) The zone starts out with a low serial like 10 or 11. knot has a serial-policy: unixtime for the zones. Problem is, whenever an update is pushed the serial number is decreased again from unixtime back to the original serial which prevents the zone from propagating to the slaves. Example (test zone): template: - id: slave-dnssec-ecdsap256 storage: "/var/lib/knot/slave" file: "%s.zone" zonefile-load: difference dnssec-signing: on dnssec-policy: ecdsap256 master: ns1_signer notify: ns1 acl: acl_ns1 zone: - domain: xn--78jubwhb.xn--q9jyb4c template: slave-dnssec-ecdsap256 serial-policy: unixtime Here is an example where first a manual "zone-sign" is done to update the serial to current unixtime (12 -> 1559298292) and after that the zone is transferred in again which results in a serial decrease (1559298292 -> 13). [xn--78jubwhb.xn--q9jyb4c.] control, received command 'zone-sign' [xn--78jubwhb.xn--q9jyb4c.] DNSSEC, dropping previous signatures, re-signing zone [xn--78jubwhb.xn--q9jyb4c.] DNSSEC, key, tag 49852, algorithm ECDSAP256SHA256, KSK, public, active [xn--78jubwhb.xn--q9jyb4c.] DNSSEC, key, tag 55142, algorithm ECDSAP256SHA256, public, active [xn--78jubwhb.xn--q9jyb4c.] DNSSEC, signing started [xn--78jubwhb.xn--q9jyb4c.] DNSSEC, successfully signed [xn--78jubwhb.xn--q9jyb4c.] DNSSEC, next signing at 2019-06-07T12:24:52 [xn--78jubwhb.xn--q9jyb4c.] zone file updated, serial 12 -> 1559298292 [xn--78jubwhb.xn--q9jyb4c.] notify, outgoing, remote 176.9.75.248@53, serial 1559298292 [xn--78jubwhb.xn--q9jyb4c.] AXFR, outgoing, remote 176.9.75.248@60025, started, serial 1559298292 [xn--78jubwhb.xn--q9jyb4c.] AXFR, outgoing, remote 176.9.75.248@60025, finished, 0.00 seconds, 1 messages, 1819 bytes [xn--78jubwhb.xn--q9jyb4c.] notify, incoming, remote 176.9.75.248@9104, received, serial 13 [xn--78jubwhb.xn--q9jyb4c.] refresh, remote 176.9.75.248@53, remote serial 13, zone is outdated [xn--78jubwhb.xn--q9jyb4c.] IXFR, incoming, remote 176.9.75.248@53, receiving AXFR-style IXFR [xn--78jubwhb.xn--q9jyb4c.] AXFR, incoming, remote 176.9.75.248@53, starting [xn--78jubwhb.xn--q9jyb4c.] AXFR, incoming, remote 176.9.75.248@53, finished, 0.00 seconds, 1 messages, 321 bytes [xn--78jubwhb.xn--q9jyb4c.] DNSSEC, key, tag 49852, algorithm ECDSAP256SHA256, KSK, public, active [xn--78jubwhb.xn--q9jyb4c.] DNSSEC, key, tag 55142, algorithm ECDSAP256SHA256, public, active [xn--78jubwhb.xn--q9jyb4c.] DNSSEC, signing started [xn--78jubwhb.xn--q9jyb4c.] DNSSEC, successfully signed [xn--78jubwhb.xn--q9jyb4c.] DNSSEC, next signing at 2019-06-07T12:25:21 [xn--78jubwhb.xn--q9jyb4c.] refresh, remote 176.9.75.248@53, zone updated, 0.10 seconds, serial 12 -> 13 [xn--78jubwhb.xn--q9jyb4c.] zone file updated, serial 1559298292 -> 13 [xn--78jubwhb.xn--q9jyb4c.] notify, outgoing, remote 176.9.75.248@53, serial 13 How to prevent this? We want knot to always use the current unixtime for the zone. Best Regards Sebastian -- GPG Key: 0x58A2D94A93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE) 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE. -- Terry Pratchett, The Fifth Elephant

6 let

2
1
0 0

Knot není dostupný na UDP

by Ondřej Budín

Dobrý den, zkouším rozjet Knot DNS, ovšem narazil jsem na problém - knotd mi neposlouchá na UDP portu. Upozornil mě na to nástroj http://dnsviz.net. Poradí mi někdo prosím, co by mohlo být špatně a jak z toho ven? Mám podezření na modul *noudp*, ovšem marně se snažím dohledat nějaké podrobnější informace, popisující jak vůbec moduly fungují a jak se s nimi pracuje. Knot jsem instaloval z repositáře https://deb.knot-dns.cz/knot-latest. knotd (Knot DNS), version 2.8.1; Debian 9 Děkuji. -- S pozdravem Ondřej Budín

6 let

2
1
0 0

Unexpect results with geoip subnet mode

by Conrad Hoffmann

Hi there, while trying to understand the algorithm employed in the `find_best_view` function in the geoip module, I started wondering whether this line is in there intentionally: https://gitlab.labs.nic.cz/knot/knot-dns/blob/4015475b0d3e11c0bd6fcac8aceb6… I am still trying to understand how this works with the actual geo data, but here is a test case using the subnet mode that yields slightly surprising results: Using a geoip config like this for zone example.com: bar.example.com: - net: 127.0.0.0/8 A: 9.9.9.9 - net: 192.0.0.0/8 A: 1.1.1.1 - net: 192.168.0.0/16 A: 4.4.4.4 - net: 192.168.1.0/24 A: 8.8.8.8 If I query bar.example.com from 192.168.1.X, I get 4.4.4.4, which is suprising because it is neither the most nor the least specific item. The binary search returns the most specific one (8.8.8.8), which is sort of what I would expect. However, above line immediately takes the `prev` item without checking for `view_strictly_in_view`. Without the above line, the whole function returns the most specific item, as I would expect. Please note that this is mostly an intuition atm, as I have not yet had the time to set up a similar test case for real geo data (which uses the same algorithm). But I figured that someone more familiar with the code might have enough context to tell whether this is correct or not or what a suitable fix might look like. Thanks a bunch, Conrad

6 let

2
2
0 0

Open Build Service package repositories update

by Tomas Krizek

Hi, I have a quick update about the upstream package repositories in Open Build Service (OBS) for Knot DNS. New repositories ---------------- - CentOS_7_EPEL - aarch64 - Fedora_30 - x86_64, armv7l, aarch64 - xUbuntu_19.04 - x86_64 - Debian_Next - x86_64 (Debian unstable rolling release) New repositories for Debian 10 and CentOS 8 should be available shortly after these distros are released, depending on their buildroot availability in OBS. Deprecated repositories ----------------------- - Arch - x86_64 Due to many issues with Arch packaging in OBS (invalid package size, incorrect signatures) and the fast pace of Arch updates, please consider this repository deprecated in favor of the knot package in Arch Community repo [1]. The Arch OBS repository will most likely be removed in the future. Also, please note I'll be periodically deleting repositories for distros that reach their official end of life. In the coming months, this concerns Ubuntu 18.10 and Fedora 28. [1] - https://www.archlinux.org/packages/community/x86_64/knot/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

6 let, 1 měsíc

1
0
0 0

knsupdate refused after some time

by Bjoern Franke

Hi, I'm using a script to dynamically update an IPv4. After some time, the update gets refused. Script: KNOT_SERVER='194.59.205.151' KNOT_KEY='hmac-sha256:dyndns:somerandomkey' croot='schafweide.org' domain='home.schafweide.org' knsupdate -y "${KNOT_KEY}" <<EOF server ${KNOT_SERVER} zone ${croot}. update delete $domain 60 A update add $domain 60 A $1 send quit EOF Error message: ;; ->>HEADER<<- opcode: UPDATE; status: REFUSED; id: 61622 ;; Flags: qr; ZONE: 1; PREREQ: 0; UPDATE: 0; ADDITIONAL: 1 ;;schafweide.org. IN SOA dyndns. 0 ANY TSIG hmac-sha256. 1556969992 300 32 21LTowPMGditU419LSHez6CRtRblLLZZcxtu89RCocI= 61622 NOERROR 0 ;; ERROR: update failed with error 'REFUSED' After "systemctl restart knot" the update just runs fine. I'm wondering what's wrong there. Regards Bjoern

6 let, 1 měsíc

2
2
0 0

Packages for Debian Jessie

by Danilo

Hello Knot team I have just noticed that there are no more Debian packages for Debian 8 (Jessie) at https://deb.knot-dns.cz/knot/dists/. Debian 8 is in LTS until June 30, 2020 (see https://wiki.debian.org/LTS). Is the dropping of packages for Jessie intended or not? (I plan to migrate this summer, but for now it would be good to still get security fixes for Knot.) Might be related to the PGP revocation? Danilo

6 let, 2 měsíce

2
3
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

knot-dns-users