knot-dns-users

knot-dns-users@lists.nic.cz

689 discussions

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 3.0.6! This version fixes KSK rollover, zone file load with HTTPS/SVCB records, zone backup/restore, and more. Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v3.0.6/NEWS Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support: https://www.knot-dns.cz/support Donation: https://donations.nic.cz/donate/?project=knot-dns Regards, Daniel

3 roky

Re: [knot-dns-users] keymgr and keystores

by Full Name

Thanks. You are right - once the keymgr operation is launched on a zone that is defined in knot.conf so that the SoftHSM policy applies to it, the keys involved are managed by the softhsm module. I have verified that such is the case for keymgr when using the generate command, and it stands to reason that the same would apply to other commands supported by keymgr. I haven't tried modifying the template section, as you suggest, but I am sure it works as expected. This all also explains and justifies why an option to specify a keystore for keymgr to work with, present in older versions, has been removed - it is not necessary. Thanks for your help/ -----Original Message----- From: "Daniel Salzman" [daniel.salzman(a)nic.cz] Date: 05/03/2021 01:57 AM To: "Full Name" <nuncestbibendum(a)excite.com>, knot-dns-users(a)lists.nic.cz Subject: Re: [knot-dns-users] keymgr and keystores If you don't specify any configuration or kaspdb explicitly, keymgr uses default Knot configuration (file or database). So the problem probably is that you are generating keys for zones with default dnssec policy, which doesn't use the softhsm keystore. Try setting: template: - id: default ... dnssec-policy: RSAPol On 5/2/21 3:46 PM, Full Name wrote: > Thanks for your reply. Please see my comments below. > > -----Original Message----- > From: "Daniel Salzman" [daniel.salzman(a)nic.cz] > Date: 05/02/2021 04:51 AM > To: knot-dns-users(a)lists.nic.cz > Subject: Re: [knot-dns-users] keymgr and keystores > > > On 4/30/21 7:47 PM, Full Name wrote: >> I am evaluating version 2.9.5 of Knot, in particular in what concerns key management. This examination has resulted in the following issues/questions, which I would like to bring up to this forum for discussion/clarification: >> >> 1. I have been testing with the default Knot out-of-the-box setup, with the following knot.conf file: >> >> server: >> listen: [10.0.0.1 ] >> >> log: >> - target: syslog >> any: info >> >> template: >> - id: default >> global-module: mod-stats >> >> mod-stats: >> - id: default >> >> policy: >> - id: RSAPol >> algorithm: RSASHA256 >> ksk-size: 2048 >> zsk-size: 1024 >> >> zone: >> - domain: s0.mydomain.com >> storage: /var/lib/MyZones/db >> file: db.s0 >> dnssec-signing: on >> dnssec-policy: RSAPol >> >> On launching Knot, this works as expected: >> >> - The necessary key pairs are generated and stored in /var/lib/knot/keys in the clear, with files data.db and lock.db created in /var/lib/knot. >> - The appropriate zone is signed, with the file containing the signed data under /var/lib/MyZones/db. >> >> 2. I next tried with SoftHSM for the low-level cryptographic support. The knot.conf file is the same as above, with the following changes: >> >> - I added a keystore section: >> >> keystore: >> - id: SoftHSM >> backend: pkcs11 >> config: "pkcs11:token=KNOT;pin-value=112233 libsofthsm2.so" >> >> - I modified the zone section to use SoftHSM: > > [DS] I expect you modified the policy section! > > Yes, I added a line > > keystore: SoftHSM > > I.e. the policy section reads > > policy: > - id: RSAPol > algorithm: RSASHA256 > ksk-size: 2048 > zsk-size: 1024 > keystore: SoftHSM > > I should have pointed this out explicitly - my mistake. > > >> >> zone: >> - domain: s0.mydomain.com >> storage: /var/lib/MyZones/db >> file: db.s0 >> dnssec-signing: on >> dnssec-policy: RSAPol >> keystore: SoftHMS >> > > Notice it should read keystore: SoftHSM. This is just a transcription error on my side - it is correct in the actual knot.conf file that I am using. > >> Before proceeding, I removed everything from /var/lib/knot. On launching knot again, this is what happens: >> >> - data.db and lock.db are created under /var/lib/knot, but no key pairs are created under /var/lib/knot/keys. >> - Key pairs are created under /var/lib/softhsm/tokens/adf76cd6-5411-843e-6036-b8523580ef94. >> - The appropriate zone is signed, with the file containing the signed data under /var/lib/MyZones/db. >> >> This is all pretty much as expected, in that the signing keys have been generated in the space set aside by SoftHSM, and the signatures have been computed by the SoftHSM module. >> >> Now what I was wondering is whether keymgr can be used to manage keys in SofHSM? By default, it would seem to be the case that whenever I generate a key pair with keymgr, the key pair is stored under /var/lib/knot/keys, in the clear. Nothing seems to change under /var/lib/softhsm/tokens as a result of such a keymgr command. This is the case no matter what version of the knot.conf files described above I use. > > [DS] What are your parameters to keymgr? Don't you use default configuration (-d parameter)? > > No parameters. I just invoke it as > > keymgr mydomain.com. generate algorithm=RSASHA256 > > Specifying -d /tmp will create db files under /tmp, and a keys directory under /tmp containing the actual keys in the clear. The essence of the issue remains the same though: the private keys are in the clear, and don't seem to have been generated by SoftHSM. > > >> Here is my question: >> >> Is keymgr capable of managing keys in some separate device - SoftHSM, or a real, hardware HSM - or is it limited to keys generated by the default mechanism, with no HSM? > > [DS] Keymgr follows the zone's policy. So it uses the keystore which is configured for the zone. > > That's what I thought. Here's the thing though: in the knot.conf file above I changed the config entry in the keystore section, so that the wrong user PIN is supplied when attempting to access the services of the SoftHSM module. However, when using the keymgr command above, key pairs are are still generated without error, and stored outside the disk area allocated for SoftHSM. This makes me think that SoftHSM is not being used for this operation. This conclusion is reinforced by the fact that when I launch knot with that incorrect PIN in knot.conf, signatures are not computed and I get errors in syslog to that effect. > > The bottom line is that, although key pairs are definitely created by SoftHSM, and stored in the disk area for SoftHSM, when the automatic key generation process, as driven by knot.conf, kicks in, when using keymgr I have yet to be able to get SoftHSM to generate key pairs and store them in its disk area. What am I doing wrong? > > > >> >> I notice that in previous versions of Knot, the keymgr utility supported options to use different keystores. Such options seem to be gone from keymgr as distributed with Knot 2.9.5. Can anybody elaborate on why they were removed, and whether some other utility is provided to achieve the same goals? >> >> Ultimately, what I am interested in is to have all of my keys so that they are available to the HSM alone, and I want to find out what tools does Knot provide - if any - to manage those keys, bearing in mind that they will have to be protected in permanent storage until such time that they are meant to be loaded into the HSM to be used. This is crucial, for most HSMs won't keep any keys across power cycles, and even when they do, they number that they can keep will in general be too small for my needs. >> >> >> >>

3 roky, 1 měsíc

Re: [knot-dns-users] keymgr and keystores

by Full Name

Thanks for your reply. Please see my comments below. -----Original Message----- From: "Daniel Salzman" [daniel.salzman(a)nic.cz] Date: 05/02/2021 04:51 AM To: knot-dns-users(a)lists.nic.cz Subject: Re: [knot-dns-users] keymgr and keystores On 4/30/21 7:47 PM, Full Name wrote: > I am evaluating version 2.9.5 of Knot, in particular in what concerns key management. This examination has resulted in the following issues/questions, which I would like to bring up to this forum for discussion/clarification: > > 1. I have been testing with the default Knot out-of-the-box setup, with the following knot.conf file: > > server: > listen: [10.0.0.1 ] > > log: > - target: syslog > any: info > > template: > - id: default > global-module: mod-stats > > mod-stats: > - id: default > > policy: > - id: RSAPol > algorithm: RSASHA256 > ksk-size: 2048 > zsk-size: 1024 > > zone: > - domain: s0.mydomain.com > storage: /var/lib/MyZones/db > file: db.s0 > dnssec-signing: on > dnssec-policy: RSAPol > > On launching Knot, this works as expected: > > - The necessary key pairs are generated and stored in /var/lib/knot/keys in the clear, with files data.db and lock.db created in /var/lib/knot. > - The appropriate zone is signed, with the file containing the signed data under /var/lib/MyZones/db. > > 2. I next tried with SoftHSM for the low-level cryptographic support. The knot.conf file is the same as above, with the following changes: > > - I added a keystore section: > > keystore: > - id: SoftHSM > backend: pkcs11 > config: "pkcs11:token=KNOT;pin-value=112233 libsofthsm2.so" > > - I modified the zone section to use SoftHSM: [DS] I expect you modified the policy section! Yes, I added a line keystore: SoftHSM I.e. the policy section reads policy: - id: RSAPol algorithm: RSASHA256 ksk-size: 2048 zsk-size: 1024 keystore: SoftHSM I should have pointed this out explicitly - my mistake. > > zone: > - domain: s0.mydomain.com > storage: /var/lib/MyZones/db > file: db.s0 > dnssec-signing: on > dnssec-policy: RSAPol > keystore: SoftHMS > Notice it should read keystore: SoftHSM. This is just a transcription error on my side - it is correct in the actual knot.conf file that I am using. > Before proceeding, I removed everything from /var/lib/knot. On launching knot again, this is what happens: > > - data.db and lock.db are created under /var/lib/knot, but no key pairs are created under /var/lib/knot/keys. > - Key pairs are created under /var/lib/softhsm/tokens/adf76cd6-5411-843e-6036-b8523580ef94. > - The appropriate zone is signed, with the file containing the signed data under /var/lib/MyZones/db. > > This is all pretty much as expected, in that the signing keys have been generated in the space set aside by SoftHSM, and the signatures have been computed by the SoftHSM module. > > Now what I was wondering is whether keymgr can be used to manage keys in SofHSM? By default, it would seem to be the case that whenever I generate a key pair with keymgr, the key pair is stored under /var/lib/knot/keys, in the clear. Nothing seems to change under /var/lib/softhsm/tokens as a result of such a keymgr command. This is the case no matter what version of the knot.conf files described above I use. [DS] What are your parameters to keymgr? Don't you use default configuration (-d parameter)? No parameters. I just invoke it as keymgr mydomain.com. generate algorithm=RSASHA256 Specifying -d /tmp will create db files under /tmp, and a keys directory under /tmp containing the actual keys in the clear. The essence of the issue remains the same though: the private keys are in the clear, and don't seem to have been generated by SoftHSM. > Here is my question: > > Is keymgr capable of managing keys in some separate device - SoftHSM, or a real, hardware HSM - or is it limited to keys generated by the default mechanism, with no HSM? [DS] Keymgr follows the zone's policy. So it uses the keystore which is configured for the zone. That's what I thought. Here's the thing though: in the knot.conf file above I changed the config entry in the keystore section, so that the wrong user PIN is supplied when attempting to access the services of the SoftHSM module. However, when using the keymgr command above, key pairs are are still generated without error, and stored outside the disk area allocated for SoftHSM. This makes me think that SoftHSM is not being used for this operation. This conclusion is reinforced by the fact that when I launch knot with that incorrect PIN in knot.conf, signatures are not computed and I get errors in syslog to that effect. The bottom line is that, although key pairs are definitely created by SoftHSM, and stored in the disk area for SoftHSM, when the automatic key generation process, as driven by knot.conf, kicks in, when using keymgr I have yet to be able to get SoftHSM to generate key pairs and store them in its disk area. What am I doing wrong? > > I notice that in previous versions of Knot, the keymgr utility supported options to use different keystores. Such options seem to be gone from keymgr as distributed with Knot 2.9.5. Can anybody elaborate on why they were removed, and whether some other utility is provided to achieve the same goals? > > Ultimately, what I am interested in is to have all of my keys so that they are available to the HSM alone, and I want to find out what tools does Knot provide - if any - to manage those keys, bearing in mind that they will have to be protected in permanent storage until such time that they are meant to be loaded into the HSM to be used. This is crucial, for most HSMs won't keep any keys across power cycles, and even when they do, they number that they can keep will in general be too small for my needs. > > > > -- https://lists.nic.cz/mailman/listinfo/knot-dns-user

3 roky, 1 měsíc

keymgr and keystores

by Full Name

I am evaluating version 2.9.5 of Knot, in particular in what concerns key management. This examination has resulted in the following issues/questions, which I would like to bring up to this forum for discussion/clarification: 1. I have been testing with the default Knot out-of-the-box setup, with the following knot.conf file: server: listen: [10.0.0.1 ] log: - target: syslog any: info template: - id: default global-module: mod-stats mod-stats: - id: default policy: - id: RSAPol algorithm: RSASHA256 ksk-size: 2048 zsk-size: 1024 zone: - domain: s0.mydomain.com storage: /var/lib/MyZones/db file: db.s0 dnssec-signing: on dnssec-policy: RSAPol On launching Knot, this works as expected: - The necessary key pairs are generated and stored in /var/lib/knot/keys in the clear, with files data.db and lock.db created in /var/lib/knot. - The appropriate zone is signed, with the file containing the signed data under /var/lib/MyZones/db. 2. I next tried with SoftHSM for the low-level cryptographic support. The knot.conf file is the same as above, with the following changes: - I added a keystore section: keystore: - id: SoftHSM backend: pkcs11 config: "pkcs11:token=KNOT;pin-value=112233 libsofthsm2.so" - I modified the zone section to use SoftHSM: zone: - domain: s0.mydomain.com storage: /var/lib/MyZones/db file: db.s0 dnssec-signing: on dnssec-policy: RSAPol keystore: SoftHMS Before proceeding, I removed everything from /var/lib/knot. On launching knot again, this is what happens: - data.db and lock.db are created under /var/lib/knot, but no key pairs are created under /var/lib/knot/keys. - Key pairs are created under /var/lib/softhsm/tokens/adf76cd6-5411-843e-6036-b8523580ef94. - The appropriate zone is signed, with the file containing the signed data under /var/lib/MyZones/db. This is all pretty much as expected, in that the signing keys have been generated in the space set aside by SoftHSM, and the signatures have been computed by the SoftHSM module. Now what I was wondering is whether keymgr can be used to manage keys in SofHSM? By default, it would seem to be the case that whenever I generate a key pair with keymgr, the key pair is stored under /var/lib/knot/keys, in the clear. Nothing seems to change under /var/lib/softhsm/tokens as a result of such a keymgr command. This is the case no matter what version of the knot.conf files described above I use. Here is my question: Is keymgr capable of managing keys in some separate device - SoftHSM, or a real, hardware HSM - or is it limited to keys generated by the default mechanism, with no HSM? I notice that in previous versions of Knot, the keymgr utility supported options to use different keystores. Such options seem to be gone from keymgr as distributed with Knot 2.9.5. Can anybody elaborate on why they were removed, and whether some other utility is provided to achieve the same goals? Ultimately, what I am interested in is to have all of my keys so that they are available to the HSM alone, and I want to find out what tools does Knot provide - if any - to manage those keys, bearing in mind that they will have to be protected in permanent storage until such time that they are meant to be loaded into the HSM to be used. This is crucial, for most HSMs won't keep any keys across power cycles, and even when they do, they number that they can keep will in general be too small for my needs.

3 roky, 1 měsíc

Re: [knot-dns-users] Fwd: [knot-resolver-users] Any "gothcas" going from 2.65 to 3.04 I should know about?

by libor.peltan

Hi Chris, first of all, you seem to be talking about Knot DNS, so it's proper to switch to correct mailing list, instead of Knot Resolver's one. I assume you have read all the single-version migration guides below https://www.knot-dns.cz/docs/3.0/singlehtml/index.html#upgrade-2-6-x-to-2-7… . It's clear that when migrating over multiple versions, you need to take care about all the notes at once. What databases exactly are you talking about? Knot DNS uses multiple databases for different purposes, e.g. journal or KASP DB. The good news is, their format does not change much, and when it does, it's usually backwards-compatible, with some exceptions. I would strongly recommend that you clone your environment, perform the migration in some "playground" setup first, and observe if everything went well; all before migration your production setup ;) Should you encounter any issues, please contact us on our mailing-list. Anyway, you might consider a multi-step migration, so that you would migrate by just one (major) version at once, like this: 2.6.5 -> 2.7.8 -> 2.8.5 -> 2.9.9 -> 3.0.5. Thanks! Libor Dne 09. 04. 21 v 8:13 Daniel Salzman napsal(a): > > > -------- Forwarded Message -------- > Subject: [knot-resolver-users] Any "gothcas" going from 2.65 to 3.04 I should know about? > Date: Thu, 08 Apr 2021 23:03:54 -0700 > From: Chris <knot(a)tacomawireless.net> > Reply-To: Knot Resolver Users List <knot-resolver-users(a)lists.nic.cz> > To: knot-resolver-users <knot-resolver-users(a)lists.nic.cz> > > Hi. Moving a couple of our servers to new hardware, and > taking that opportunity to upgrade some of the services > at the same time. The main one being knot. Moving from > a 2.65 context to 3.04. I've read the upgrade doc, and > while there isn't a 2.65 --> 3.04. It appears for our > environment that the changed/removed stanzas won't > have much of an impact *except* as they relate to the > database. That is; it appears that it isn't going to > be a smooth transition, as they appear to be incompatible. > Is that right? Do I need to rewrite all the keys && > serials, and start from scratch? If so, as we have > a huge number of domains, this will be an enormous task. > Is this avoidable? > > Thank you for any and all insight into this transition. > > --Chris

3 roky, 1 měsíc

Preventing changes to zone files

by Matthew Pounsett

Is there a way to configure Knot to avoid overwriting a zone file when it's doing automatic signing? I was hoping some combination of zonefile-load and journal-content would tell Knot to store its internally managed data in the journal instead of in the zone file, but I haven't found that combination. I don't see any other likely candidates in the config options, but hoping I've missed something...

3 roky, 1 měsíc

Knot DNS 2.9.9 release

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 2.9.9! This version only backports some fixes from 3.0.5 version. Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v2.9.9/NEWS Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support: https://www.knot-dns.cz/support Donation: https://donations.nic.cz/donate/?project=knot-dns Regards, Daniel

3 roky, 2 měsíce

Knot DNS 3.0.5 release

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 3.0.5! This version primarily fixes issues relating zone journal, zone backup, and DNSSEC key handling. The most serious bug might cause malformed zone journal if 'journal-contents: all' or 'zonefile-sync: -1' is configured. Besides the fix, an additional detection of this state is introduced. So if "malformed data" error appears after the upgrade, the journal data are already broken and there is unfortunately no better way than purging the journal (e.g. knotc -f zone-purge +journal affected.zone.net.). Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v3.0.5/NEWS Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support: https://www.knot-dns.cz/support Donation: https://donations.nic.cz/donate/?project=knot-dns Regards, Daniel

3 roky, 2 měsíce

Change journal-content changes to all

by André Keller

Good afternoon, in preparation for Knot 3.1, I wanted to update our template that uses zonefile-load: difference-no-serial from journal-content: changes to journal-content: all. However, it seems that we somehow have to update the existing journal. Otherwise it seems the first change to a zone after that change, will lead to the following error (running knot 3.0.4): error: [example.net.] zone event 'load' failed (semantic check) Subsequent changes seem to be applied just fine. What is the proposed strategy to change this setting? Regards André

3 roky, 2 měsíce

Extended expiration of Knot DNS Packaging GPG key

by Daniel Salzman

Hello Knot DNS users, I would like to inform users of our Debian packages (https://deb.knot-dns.cz/knot and https://deb.knot-dns.cz/knot-latest) that the initial Knot DNS Packaging GPG key 8A0EFB02C84B1E9B expired on 2021-03-13. Its expiration time had already been extended to 2022-11-11 a few months ago. But still you can get a GPG error when refreshing the repository. Please update your apt.gpg file from https://deb.knot-dns.cz/knot/apt.gpg or https://deb.knot-dns.cz/knot-latest/apt.gpg. Thank you, Daniel

3 roky, 2 měsíce

← Newer
1
...
9
10
11
12
13
14
15
...
69
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

knot-dns-users