knot-dns-users

knot-dns-users@lists.nic.cz

6 participants
743 discussions

Failure importing a public key from BIND

by Luveh Keraph

I am trying to import a public key generated by BIND into Knot, when using the SoftHSM2 key store. I have the following pieces of information: In my knot.conf file: policy: - id: SoftHSMRSAPolicy algorithm: RSASHA256 ksk-size: 2048 zsk-size: 2048 ksk-lifetime: 7h zsk-lifetime: 6h dnskey-ttl: 12s zone-max-ttl: 15s keystore: SoftHSM zone: - domain: 00.mydomain.com storage: /srv/knot file: db.mydomain00 dnssec-signing: on dnssec-policy: SoftHSMRSAPolicy The public key is in a file named pubkey, and has the following contents: ; This is a zone-signing key, keyid 14694, for 00.mydomain.com. ; Created: 20211109192137 (Tue Nov 9 12:21:37 2021) ; Publish: 20211109192137 (Tue Nov 9 12:21:37 2021) ; Activate: 20211109192137 (Tue Nov 9 12:21:37 2021) 00.mydomain.com. IN DNSKEY 256 3 8 AwEAAd1XmDMiF4/WWW+lneSg2hScxQl TJHU/cIyBnDJDnW3MFkuyR7e+y3UqZScTXz5tfcGkDYGpqFqZ3+RgyN7A3ZAC3RsayivUuE9lec25IT97 jPZaTsHUjalDQjXkBhCIHBb79vVsz0SMZOeez78qzhRtpdkFYVNRcAW4EZVgdQAdiuJGeDEuxsaTkRnLwujnaqURyAzevqfQfjz319CPsYr4tN4K9nu2Fc0Sh+b5pdM6ejRieLnUUgZpuefRfgsSHJQErNe FevdtihLpq93r E5OARwmK0c4vyzgpmREloMJlwV+lrZdlKqZnnIZIXgkD+59Tjh0XZ72exdvonun4uG8= (The DNSKEY record is in a single line.) The command I am using to import this key is # ./keymgr 00.mydomain.com. import-pub ./pubkey This spins for a few seconds and then prints out: Error: file error Any ideas as to what it is that I am doing wrong? The command that I am invoking to import this public key is the following:

3 roky, 11 měsíců

KSK rollover using alternate keystore

by Bastien Durel

Hello, Is there a way to perform a key rollover using a new keystore for the new KSK ? I'd like to switch from KASP DB pem files to HSM-backed keys I've tried to make a new zone test.test, using the default KASP, and then change the storage to HSM, but this leads to 'not exists' errors at reload : nov. 09 11:36:39 arrakeen knotd[2144032]: info: [test.test.] DNSSEC, key, tag 4164, algorithm ECDSAP384SHA384, KSK, public, ready, active+ nov. 09 11:36:39 arrakeen knotd[2144032]: info: [test.test.] DNSSEC, key, tag 15855, algorithm ECDSAP384SHA384, public, active nov. 09 11:36:39 arrakeen knotd[2144032]: error: [test.test.] DNSSEC, failed to load private keys (not exists) nov. 09 11:36:39 arrakeen knotd[2144032]: 2021-11-09T11:36:39+0100 error: [test.test.] DNSSEC, failed to load private keys (not exists) nov. 09 11:36:39 arrakeen knotd[2144032]: 2021-11-09T11:36:39+0100 error: [test.test.] DNSSEC, failed to load keys (not exists) nov. 09 11:36:39 arrakeen knotd[2144032]: 2021-11-09T11:36:39+0100 error: [test.test.] zone event 'DNSSEC re-sign' failed (not exists) nov. 09 11:36:39 arrakeen knotd[2144032]: error: [test.test.] DNSSEC, failed to load keys (not exists) nov. 09 11:36:39 arrakeen knotd[2144032]: info: [test.test.] DNSSEC, next signing at 2021-11-09T12:36:39+0100 nov. 09 11:36:39 arrakeen knotd[2144032]: error: [test.test.] zone event 'DNSSEC re-sign' failed (not exists) nov. 09 11:36:40 arrakeen knotd[2144032]: error: [test.test.] DNSSEC, failed to load private keys (not exists) nov. 09 11:36:40 arrakeen knotd[2144032]: 2021-11-09T11:36:40+0100 error: [test.test.] DNSSEC, failed to load private keys (not exists) nov. 09 11:36:40 arrakeen knotd[2144032]: 2021-11-09T11:36:40+0100 error: [test.test.] zone event 'DS check' failed (not exists) nov. 09 11:36:40 arrakeen knotd[2144032]: error: [test.test.] zone event 'DS check' failed (not exists) policy: - id: default algorithm: ECDSAP384SHA384 ksk-size: 384 zsk-size: 384 nsec3: on nsec3-salt-lifetime: 4d ksk-submission: validating-resolver - id: default_hsm keystore: hsmkey algorithm: ECDSAP384SHA384 ksk-size: 384 zsk-size: 384 nsec3: on nsec3-salt-lifetime: 4d ksk-submission: validating-resolver zone: - domain: "test.test." file: "test.test" # dnssec-policy: default dnssec-policy: default_hsm keymgr test.test list -> b63796b44dcfed7392639aec6fb4a7ca9ca446dd ksk=yes zsk=no tag=04164 algorithm=14 size=384 public-only=no pre-active=0 publish=1636454163 ready=1636454163 active=0 retire-active=0 retire=0 post-active=0 revoke=0 remove=0 fdd7822a5498d6eda619092f01dffa41c285d00e ksk=no zsk=yes tag=15855 algorithm=14 size=384 public-only=no pre-active=0 publish=1636454163 ready=0 active=1636454163 retire-active=0 retire=0 post-active=0 revoke=0 remove=0 knotc zone-key-rollover test.test ksk -> nov. 09 11:39:58 arrakeen knotd[2144032]: info: [test.test.] DNSSEC, key, tag 4164, algorithm ECDSAP384SHA384, KSK, public, ready, active+ nov. 09 11:39:58 arrakeen knotd[2144032]: info: [test.test.] DNSSEC, key, tag 15855, algorithm ECDSAP384SHA384, public, active nov. 09 11:39:58 arrakeen knotd[2144032]: info: [test.test.] DNSSEC, key, tag 43192, algorithm ECDSAP384SHA384, KSK, public, active+ nov. 09 11:39:58 arrakeen knotd[2144032]: error: [test.test.] DNSSEC, failed to load private keys (not exists) nov. 09 11:39:58 arrakeen knotd[2144032]: 2021-11-09T11:39:58+0100 error: [test.test.] DNSSEC, failed to load private keys (not exists) nov. 09 11:39:58 arrakeen knotd[2144032]: 2021-11-09T11:39:58+0100 error: [test.test.] DNSSEC, failed to load keys (not exists) nov. 09 11:39:58 arrakeen knotd[2144032]: error: [test.test.] DNSSEC, failed to load keys (not exists) nov. 09 11:39:58 arrakeen knotd[2144032]: info: [test.test.] DNSSEC, next signing at 2021-11-09T12:39:51+0100 nov. 09 11:39:58 arrakeen knotd[2144032]: 2021-11-09T11:39:58+0100 error: [test.test.] zone event 'DNSSEC re-sign' failed (not exists) nov. 09 11:39:58 arrakeen knotd[2144032]: error: [test.test.] zone event 'DNSSEC re-sign' failed (not exists) nov. 09 11:39:58 arrakeen knotd[2144032]: error: [test.test.] DNSSEC, failed to load private keys (not exists) nov. 09 11:39:58 arrakeen knotd[2144032]: 2021-11-09T11:39:58+0100 error: [test.test.] DNSSEC, failed to load private keys (not exists) nov. 09 11:39:58 arrakeen knotd[2144032]: 2021-11-09T11:39:58+0100 error: [test.test.] zone event 'DS check' failed (not exists) nov. 09 11:39:58 arrakeen knotd[2144032]: error: [test.test.] zone event 'DS check' failed (not exists) keymgr test.test list -> b63796b44dcfed7392639aec6fb4a7ca9ca446dd ksk=yes zsk=no tag=04164 algorithm=14 size=384 public-only=no pre-active=0 publish=1636454163 ready=1636454163 active=0 retire-active=0 retire=0 post-active=0 revoke=0 remove=0 fc4c2a4b6b43d0428a68b4e130232d261a5ee189 ksk=yes zsk=no tag=43192 algorithm=14 size=384 public-only=no pre-active=0 publish=1636454391 ready=0 active=0 retire-active=0 retire=0 post-active=0 revoke=0 remove=0 fdd7822a5498d6eda619092f01dffa41c285d00e ksk=no zsk=yes tag=15855 algorithm=14 size=384 public-only=no pre-active=0 publish=1636454163 ready=0 active=1636454163 retire-active=0 retire=0 post-active=0 revoke=0 remove=0 The DNSKEY was not changed when the new ksk was introduced, so I guess it's not visible : dig +dnssec @ns.geekwu.org dnskey test.test test.test. 86400 IN DNSKEY 256 3 14 f06gYOe4uyphbGuBAWvDFnkQDY8+3SrM4e8k9o86AcuD3OL14chmn+34 np03/qFI5HCxG688v+Krnm8MbOc+eEaCBHisJpWo8j9+ot/ct2rfJln3 96rNcQXCzUNzDaSZ test.test. 86400 IN DNSKEY 257 3 14 7qUXsDfMWc8D6rp9Rvt2QOORZi7/pTEclBawadkauau3xA9iTBwOsZ0G 0/6/O9PqrdQBrHP2K4sODOLSI685sOz5lZGRaUqPkuiZe2Gj1OwXsUz1 495W+GmnoAz26YHh test.test. 86400 IN RRSIG DNSKEY 14 2 86400 20211123103603 20211109090603 4164 test.test. 79XNugNJVXJktk7EpIf+0JlJUGDRrxRtbqKQqZouY1vViLn2PY+SVxPd msnQl5EEX9Cp3dHvAw1xOTYjupnYHj5FlA14g9tRPxD97jRylrXgg0rW TLU4he2ujC1rhcS4 Is this kind of rollover/keystore switch supported ? Thanks, -- Bastien

3 roky, 11 měsíců

Data saved into the KASP

by Luveh Keraph

I have been trying to get a better understanding concerning the information Knot stores in its KASP. Knot adds new key information into the KASP by means of the kasp_db_add_key function. One of the arguments to this function is a pointer to a key_params_t structure, one of whose members is called is_pub_only. This would seem to imply that the KASP may contain information about key pairs such that only the public component of the key pair is available to Knot. Under what set of circumstances would such a key be stored in the KASP? Since they are used for signing RRs, any KSKs and ZSKs in the KASP have to be complete, in that both the private and the public components are available to Knot (I know that the private component itself is not present in the KASP, but that's OK). A KASP key for which the private component is not available could be used for verifying signatures - but that's not something that Knot does, right? So, under what set circumstances would Knot add a key to the KASP such that the is_pub_only member is set to true?

3 roky, 11 měsíců

dnsbenchmark issues

by Rhonda D'Vine

Hi, I'm trying to dig into the dns-benchmark tools, but am running into a few issues. I realized that it requires some specific settings, like /home/dnsbench seems to be hardcoded for the logs somehow, and it being run as root, but now I see a lot of syntax error message flooding me, with lines in between about that hostname is an invalid number: standard_in) 2: syntax error (standard_in) 2: syntax error (standard_in) 2: syntax error (standard_in) 2: syntax error (standard_in) 1: syntax error (standard_in) 1: syntax error (standard_in) 1: syntax error (standard_in) 1: syntax error (standard_in) 1: syntax error /tmp/benchmark-1636019360/modules/responses.sh: line 170: printf: hostname: invalid number knot2 ssh: % answered for Could q/s, not B avg (resolve a/s, 0 B avg) (repeated output) Anyone else using the tools and potentially can give me a prod in the right direction? We'd like to check how knot performs in our environment with the systems we have at hand. Thanks in advance for any advice, Rhonda

3 roky, 11 měsíců

Knot DNS 3.1.4 and 3.0.10 releases

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 3.1.4 and 3.0.10! These versions primarily fixes a very old bug which can cause the server to crash if a query requests EDNS0/NSID option. Special thanks go to Romain Labolle! Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v3.1.4/NEWS https://gitlab.labs.nic.cz/knot/knot-dns/raw/v3.0.10/NEWS Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support: https://www.knot-dns.cz/support/ Donation: https://donations.nic.cz/donate/?project=knot-dns Regards, Daniel

3 roky, 11 měsíců

Setting up zone file MX record to external mail server

by Dirk Segers

Hi, we've had knot in use for years now and are still using version 1.6.7. I We've recently migrated e-mail to exchange online. I've been asked to update the MX record in the zone to point to mail.protection.outlook.com. I initially tried to simply replace the current value by mail.protection.outlook.com but then the name of the zone is added to the value. This is not a valid record. I see no way to update the MX record to this value. Any suggestions? Thanks in advance for the feedback. Kind regards, Dirk

3 roky, 11 měsíců

Changing DNS Operators for DNSSEC signed Zones

by Luveh Keraph

There is an Internet draft ( https://datatracker.ietf.org/doc/html/draft-koch-dnsop-dnssec-operator-chan…) that describes a mechanism to facilitate the operation consisting of changing the DNS delegation for a signed DNS zone. Since this is a draft, I do not expect for Knot to provide support for it already (in fact, I know it does not, for it involves signing a DNSKEY RR, which Knot does not do) but I wonder whether this is something that is in Knot's roadmap?

3 roky, 11 měsíců

Knot DNS 3.1.3 release

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 3.1.3! This is mostly a bugfix version. Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v3.1.3/NEWS Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support: https://www.knot-dns.cz/support/ Donation: https://donations.nic.cz/donate/?project=knot-dns Regards, Daniel

4 roky

Newbie Questions: how-to simultaneously DNSsec-sign a zone with two different algorithms

by Pirawat WATANAPONGSE

Dear Guru(s), If the following questions have already been asked, I do apologize and would very much appreciate the pointers to where I can read the answer(s). I am currently ‘running’ a DNSsec-signed zone using Alg-8 [RSA/SHA2-256]. However, I would very much like to DNSsec-sign and publish my zone with two different algorithms (say, Alg-8 [RSA/SHA2-256] + Alg-13 [ECDSA-P256/SHA2-256]) *simultaneously*, in case the client-validators out there cannot process one algorithm or the other (never mind that they both are the ‘MUST’ in RFC 8624). It also is an opportunity to train myself in case I need to ‘add’ the third one (say, Alg-15 [ED25519]) or ‘migrate’ to the Alg-13 + Alg-15 combination in the future. Background Information: 1. I have a ‘hidden server’ acting as ‘The Signer’. 2. ‘The Signer’ feeds the already-signed zone to the visible ‘Primary Server’. 3. The ‘Primary Server’, in turn, feeds all other ‘Secondary Servers’, some of which are not under my control. 4. Unfortunately, currently none of the above servers is a Knot, but I am switching The Signer to Knot. My questions are: 5. What will be the correct configuration for The Knot Signer? I don’t mind maintaining two completely separated ‘Signed Trees’ of the same zone, unless cross-signing (the keys) between algorithms is the best practice. 6. Will there be any special configuration for the ‘Primary/Secondary Servers’? If so, I will then need to inform admins of the servers outside my control. Thank you for any help you can offer, both on and off the mailing list. Gratefully, Pirawat. -- _/_/ _/_/ _/_/ _/_/ Assist.Prof. Pirawat WATANAPONGSE, Ph.D. _/_/ _/_/ _/_/ _/_/ Department of Computer Engineering _/_/ _/_/ _/_/ _/_/ Kasetsart University, Bangkhen (Main) Campus _/_/_/_/ _/_/ _/_/ Bangkok 10900, THAILAND _/_/_/_/ _/_/ _/_/ eMail: Pirawat.W(a)ku.th or Pirawat.W(a)ku.ac.th _/_/ _/_/ _/_/ _/_/ Tel: +66 2 797 0999 extension 1417 _/_/ _/_/ _/_/_/_/_/_/ Fax: +66 2 579 6245 _/_/ _/_/ _/_/_/_/ http://www.cpe.ku.ac.th/~pw/

4 roky

Zone Transfers fail if server has multiple IPs

by Schindler, Stefan

Hi all My server recently gained two more IPv6 & IPv4 addresses. That broke my transfer setup because for some reason knot is not using the address it is binding to for the requests but some of the other ones. Can I configure that? Best, Stefan

4 roky

← Newer
1
...
11
12
13
14
15
16
17
...
75
Older →

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

knot-dns-users