Hello Knot DNS users.
Our deb package signing key may have been compromised and has been
revoked. Open Build Service repositories are not affected.
The affected systems (https://deb.knot-dns.cz/knot-latest and
https://deb.knot-dns.cz/knot) now contain a new Debian repository. The
packages were re-built and re-signed with a new GPG key
rsa4096/0x8A0EFB02C84B1E9B.
We thank to security researcher calling himself "p3n73st3r" who notified
us earlier today.
Regards
Your Knot DNS team
Hello community,
can I somehow convert stored certificates for a signed zone to BIND format?
My use case is to change used topology for authoritative servers. I´m manage
existing zones in Knot, now I would like to transfer it to BIND and use
existing certificates for signing it on BIND due to DS records in parent
zones. The knot will be reconfigured as a slave.
Is it possible to achieve it?
Thanks.
--
Smil Milan Jeskyňka Kazatel
Hello, community,
could someone more describe the On-slave signing on both sides - slave and
master in the case where the master server runs on bind and slave is Knot
DNS?
I would like to achieve signing for "hidden master" configuration.
I found in Knot DNS documentation:
***
It is possible to enable automatic DNSSEC zone signing even on a slave
server. If enabled, the zone is signed after every AXFR/IXFR transfer from
master, so that the slave always serves a signed up-to-date version of the
zone.
It is strongly recommended to block any outside access to the master server,
so that only the slave’s signed version of the zone is served.
Enabled on-slave signing introduces events when the slave zone changes while
the master zone remains unchanged, such as a key rollover or refreshing of
RRSIG records, which cause inequality of zone SOA serial between master and
slave. The slave server handles this by saving the master’s SOA serial in a
special variable inside KASP DB and appropriately modifiying AXFR/IXFR
queries/answers to keep the communication with master consistent while
applying the changes with a different serial.
It is recommended to use UNIX time serial policy on master and incremental
serial policy on slave so that their SOA serials are equal most of the time.
***
Thanks for any advice.
Regards,
kaza
Hello all,
we want to migrate to a state of the art nameserver software.
Our startingpoint is djbdns/tinydns.
Our first step should be to to use zone transfer from tinydns to knot-dns
(2.7.6).
I configure the knot-dns a slave:
# knotc conf-read
…
acl.id = master
acl[master].address = 5.28.40.220
acl[master].action = notify
remote.id = master
remote[master].address = 5.28.40.220
…
zone.domain = vtnx.net.
zone[vtnx.net.].master = master
zone[vtnx.net.].acl = master
and add a initial soa rr for that domain:
vtnx.net. 0 SOA ns1.vtnx.net. hostmaster.vtnx.net. 1 16384 2048 1048576 2560
This the exact soa of the running vtnx.net domain, but a diffrent serial.
After triggering the notification from the master, i got this logging:
Jan 24 07:53:19 ns1-neu knotd[26299]: info: [vtnx.net.] notify, incoming, 5.28.40.220@38668: received, serial none
Jan 24 07:53:19 ns1-neu knotd[26299]: info: [vtnx.net.] refresh, outgoing, 5.28.40.220@53: remote serial 1548307450, zone is outdated
Jan 24 07:53:19 ns1-neu knotd[26299]: warning: [vtnx.net.] IXFR, incoming, 5.28.40.220@53: malformed response SOA
Jan 24 07:53:19 ns1-neu knotd[26299]: warning: [vtnx.net.] refresh, remote master not usable
Jan 24 07:53:19 ns1-neu knotd[26299]: error: [vtnx.net.] refresh, failed (no usable master)
What about "malformed response SOA"?
Why is this an IXFR and no AXFR?
- Frank
--
Frank Matthieß Mail: frank.matthiess(a)virtion.de
GnuPG: 9F81 BD57 C898 6059 86AA 0E9B 6B23 DE93 01BB 63D1
virtion GmbH Stapenhorster Straße 42b, DE 33615 Bielefeld
Geschäftsführer: Michael Kutzner
Handelsregister HRB 40374, Amtsgericht Bielefeld, USt-IdNr.: DE278312983
Hi,
I want to use Ansible to deploy zone files to my Knot signer (hidden
master). The zone files should be generated from the Ansible playbook
data and will not contain any DNSSEC related information, just SOA, NS,
A, AAAA, TXT and MX records. I'd like to use Knot DNSSEC auto-signing. I
can stop the Knot process before deploying new zone files. I use
zonefile-load: difference in this case, as of the DNSKEY / CDNSKEY / CDS
data should not be replaced with something new. Should this work for me,
or is there anything I miss or is there even a better option?
Kind regards,
Volker
