i have had a fun day chasing diags of the form
```
2024-06-22T18:32:57.305472+00:00 ns knotd[24354]: info: [foo.com.] control, received command 'zone-reload'
2024-06-22T18:32:57.307532+00:00 ns knotd[24354]: info: [foo.com.] zone file parsed, serial 1719081134
2024-06-22T18:32:57.307669+00:00 ns knotd[24354]: warning: [foo.com.] zone file changed with decreased SOA serial
2024-06-22T18:32:57.307828+00:00 ns knotd[24354]: error: [foo.com.] zone event 'load' failed (value is out of range)
```
i have the following hypothesis:
- `serial-policy: unixtime` is configured in `/etc/knot/knot.conf`.
- emacs dns-mode sets the SOA serial to the current unixtime when one
saves the zone file
- a few seconds later, i do `knotc zone sign` and `knotc zone-reload`
- knot then says "you have manually specified a new serial, but it is
less than the current unixtime; i.e. you are trying to go backward.
bad geek!"
- i.e. knot did not like me mucking with the SOA serial in the zone
file when `serial-policy: unixtime` was configured.
i tested this hypothesis by putting the serial from the server's current
SOA in the zone file and doing sign & reload. it succeeded, and the new
zone in all servers is the unixtime of the signing, not of the zone
file.
my current conclusion is: do not have both emacs dns-mode with
`serial-policy: unixtime`; use only one or t'other.
especially if doing RFC 1982 serial stepping, remember to first turn off
`serial-policy: unixtime` and `knotc reload`.
does this make sense?
randy
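The RFC 1982 comparison and serial "stepping" that Randy's post refers to, as an added example (not from the thread, and not Knot's code): the serial 1719081134 is the one in the log above; the server-side serial 1719081140 and the date-style serial 2024062201 are constructed values.

```python
"""RFC 1982 serial-number arithmetic: the rule a server applies when it decides
whether a reloaded zone's SOA serial went backwards, and the "stepping" used to
move a serial downwards (e.g. from a date-style serial to unixtime) without any
secondary ever seeing a decrease.  Added example for this thread, not Knot's
code; serial 1719081134 is from the log above, the other values are constructed."""

MASK = 0xFFFFFFFF      # SOA serials are 32-bit
HALF = 1 << 31         # 2^(SERIAL_BITS - 1) from RFC 1982


def serial_cmp(a: int, b: int) -> str:
    """Compare a with b per RFC 1982 section 3.2.

    Returns "eq", "gt", "lt" or "undefined" (the values differ by exactly
    2^31, a case the RFC deliberately leaves undefined)."""
    a, b = a & MASK, b & MASK
    if a == b:
        return "eq"
    diff = (a - b) & MASK      # distance going forward from b to a
    if diff == HALF:
        return "undefined"
    return "gt" if diff < HALF else "lt"


def is_decrease(new_serial: int, current_serial: int) -> bool:
    """True when publishing new_serial over current_serial would be a step
    backwards, i.e. the condition behind a "decreased SOA serial" warning.
    The undefined case is treated as a decrease to stay conservative."""
    return serial_cmp(new_serial, current_serial) in ("lt", "undefined")


def stepping_plan(current: int, target: int) -> list[int]:
    """Serials to publish, in order, so that each is "gt" the one before and
    the last is target.  Each hop adds 2^31 - 1, the largest legal increment;
    every secondary must have transferred a hop before the next is published."""
    plan, s = [], current & MASK
    for _ in range(4):                  # at most two hops are ever needed
        if serial_cmp(target, s) == "gt":
            plan.append(target & MASK)
            return plan
        s = (s + HALF - 1) & MASK
        plan.append(s)
    raise ValueError("no RFC 1982 path found")   # not reachable for 32-bit input


if __name__ == "__main__":
    # Zone file saved at 1719081134, server already at 1719081140 (constructed):
    print(is_decrease(1719081134, 1719081140))       # True -> reload refused
    # Moving a date-style serial (constructed) down to unixtime needs one hop:
    print(stepping_plan(2024062201, 1719081134))     # [4171545848, 1719081134]
```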
Good morning,
is there some tool to migrate configuration from Knot 2.2 to the current
3.3.x? There are some configuration changes; so far so good,
but I'm stuck on migrating DNSSEC keys now.
Thanks and best regards.
J.Karliak
Hi,
When i try to install knot via ports as your documentation says https://www.knot-dns.cz/docs/2.4/html/installation.html
it points me to a version of 2015
https://www.freshports.org/dns/knot
Can you guys change the line to
`# cd /usr/ports/dns/knot3` just to be more clear for a new user of FreeBSD
https://www.freshports.org/dns/knot3
With my best regards,
André Cruz
Howdy,
I’m trying to get Knot 3.3.5 to use authenticated DNSSEC bootstrapping following the blog article and docs. However, I’m getting an error for the signalling zones, but I fail to figure out what I may have overlooked.
```
error: [_signal.ns2.droso.dk.] module 'mod-onlinesign/authsignal', incompatible with automatic signing
```
Relevant knot.conf snippets (in order):
```
policy:
  - id: ecc
    algorithm: ecdsap256sha256
    nsec3: on
    rrsig-refresh: 7d

mod-onlinesign:
  - id: authsignal
    nsec-bitmap: [CDS, CDNSKEY]
    policy: ecc

template:
  - id: default
    …
    dnssec-signing: on
    dnssec-policy: ecc
    …

zone:
  - domain: _signal.ns2.droso.dk
    module: [mod-authsignal, mod-onlinesign/authsignal]
```
Any hint appreciated
Best
Erwin
Good morning,
ISC BIND is strict about a CNAME as NS server:
```
skipping nameserver 'aa.bb.cz' because it is a CNAME, while resolving '9.4/4.3.2.1.in-addr.arpa/PTR'.
```
How about Knot Resolver?
Thanks and best regards
J.Karliak
Hi,
I have a use case, where today we’re running BIND and a daemon uses rndc to create/remove/update zones on secondary servers.
According to `man knotc` knotc only supports UNIX sockets (old ubuntu man page showed ‘-p’ parameter to specify port).
I know I could use a catalog zone, but that would be a bigger change than I prefer right now. The primary server is running BIND+DLZ
with a PostgreSQL backend. Replacing the primary is on the roadmap, but for now, I just want to replace the secondaries.
Is there a good way to remotely add zones to a knot secondary?
.einar