knot-dns-users

knot-dns-users@lists.nic.cz

6 participants
686 discussions

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 3.2.9! This is a bug fix version. Upgrade is recommended. Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v3.2.9/NEWS Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support: https://www.knot-dns.cz/support/ Regards, Daniel

9 měsíců

Is it safe to alter dnssec-policy for a zone?

by Jan-Piet Mens

I have a zone for which I'd like to ensure an admin cannot mistakenly kick off a KSK rollover, so I am considering setting configuring its dnssec-policy to one with `manual: on' which prevents even a `knotc zone-key-rollover' on it. I have experimented with switching `manual: on' to `manual: off', and the idea seems to work. I have also apparently successfully been able to alter `ksk-lifetime', and have not noticed anything going wrong. Based on this, I wish to know if it is considered safe to alter many (all?) of a policy's settings, as long as neither algorithm nor key sizes are changed, and whether it is safe to alter the policy itself (i.e. also change a policy name for a zone). ksk-lifetime, delays, rrsig-lifetimes, ksk-submission, etc.: can all these be changed without breaking signing of a zone? Thank you & regards, -JP

9 měsíců, 2 týdny

zone event 'flush' on catalog?

by Jan-Piet Mens

Hello! I have here a catalog zone with roughly 230 member zones in it, and I occasionally see the following warning/error in the log: 2023-07-12T18:01:17+0200 warning: [k-catalog.] failed to update zone file (operation not permitted) 2023-07-12T18:01:17+0200 error: [k-catalog.] zone event 'flush' failed (operation not permitted) The catalog itself appears to work correctly; it's transferred to secondary BIND servers and they correctly process member zones. template: - id: default storage: "..." zonefile-load: difference file: "%s" serial-policy: dateserial master: pdns catalog-role: member catalog-zone: k-catalog acl: [ xfr, notify_from_pdns, xfer_to_bind ] - id: catzonetemplate catalog-role: generate acl: xfer_to_bind zone: - domain: k-catalog semantic-checks: off template: catzonetemplate journal-content: none acl: [ xfr, xfer_to_bind ] While pasting the configuration it occurs to me it might be due to there not being a 'backing' file for the catalog. Is that the problem? Is it even possible on a catalog-role:generate to have a file? Thanks for your help. -JP

9 měsíců, 2 týdny

catalog-role:interpret broken since upgrade to knot 3.2.6

by Daniel Gröber

Hi Knotty people, I've started uprading my infrastructure to Debian 12 which comes with knot 3.2.6 (instead of 3.0.5) and since the upgrade my catalog zone configuration doesn't seem to work anymore. I have this in knot.conf: zone: - domain: dxld.catalog catalog-role: interpret catalog-template: dxld-master template: dxld-master dxld.catalog gets loaded properly, `knotc zone-read dxld.catalog`: [dxld.catalog.] dxld.catalog. 0 SOA ns0.dxld.at. hostmaster.dxld.at. 2023070601 900 300 86400 300 [dxld.catalog.] version.dxld.catalog. 0 TXT "2" [dxld.catalog.] zones.dxld.catalog. 0 PTR dxld.at. [dxld.catalog.] zones.dxld.catalog. 0 PTR dxld.net. [dxld.catalog.] zones.dxld.catalog. 0 PTR darkboxed.org. but the zones pointed to don't get instantiated (as seen by `knotc zone-status`). Any ideas what could have changed to break this? Thanks, --Daniel

9 měsíců, 3 týdny

Knot DNS 3.2.8 release

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 3.2.8! This is a bug fix version. Upgrade is recommended for users of version 3.2.7 with journal enabled. Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v3.2.8/NEWS Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support: https://www.knot-dns.cz/support/ Regards, Daniel

10 měsíců

Failed to load journal (loop detected)

by Ondřej Caletka

Hey, after an (unattended) upgrade to 3.2,7, one of my zones (the one that does rapid KSK rollovers) failed to load. Trying ro reload emits these errors in the log: info: [83.204.91.in-addr.arpa.] zone file parsed, serial 1622013488 error: [83.204.91.in-addr.arpa.] failed to apply journal changes, serial 1622013488 -> 1686209286 (loop detected) 2023-06-23T12:11:57+0200 error: [83.204.91.in-addr.arpa.] failed to apply journal changes, serial 1622013488 -> 1686209286 (loop detected) warning: [83.204.91.in-addr.arpa.] failed to load journal (loop detected) 2023-06-23T12:11:57+0200 warning: [83.204.91.in-addr.arpa.] failed to load journal (loop detected) info: [83.204.91.in-addr.arpa.] zone not found error: [83.204.91.in-addr.arpa.] zone event 'load' failed (not exists) 2023-06-23T12:11:57+0200 error: [83.204.91.in-addr.arpa.] zone event 'load' failed (not exists) Calling `kjournalprint 83.204.91.in-addr.arpa` yields 600 lines of journal full of both additions and deletions, nothing seems particularly wrong. Is there anything I should try before purging the journal and starting from scratch? There are other zones on the same server with similar config that just work normally, so I guess this is somehow related to the size of the journal for this zone, which rotates DNSSEC keys very often. -- Cheers, Ondřej Caletka

10 měsíců, 1 týden

TCP requirement for catalog zones breaks interoperability

by Matthew Pounsett

The 3.0 documentation for catalog zones says the following: «The difference is that standard DNS queries to a catalog zone are answered with REFUSED as though the zone doesn’t exist, unless querying over TCP from an address with transfers enabled by ACL.» This seems like an odd requirement, and it breaks interoperability with other vendors' authoritative servers. BIND, for example, does not send the SOA check for a zone transfer over TCP, and so it's impossible to use a Knot primary and BIND secondary with catalog zones. Is there some way to work around this?

10 měsíců, 1 týden

Knot DNS 3.2.7 release

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 3.2.7! This is a bugfix version with some improvements. Please note that the 3.3.0 version will be released in August and the 3.1 branch will no longer be officially supported. Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v3.2.7/NEWS Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support: https://www.knot-dns.cz/support/ Regards, Daniel

10 měsíců, 3 týdny

Monitor journal usage

by Einar Bjarni Halldórsson

Hi, Yesterday we got hit by the per-zone journal becoming full [1] As a result we're looking into how we can monitor the status to warn us if we're near the journal limits, but I can't find a way to report the currant journal usage (global and per-zone). Any ideas? [1] https://gitlab.nic.cz/knot/knot-dns/-/issues/842

11 měsíců, 4 týdny

Knot DNS 3.2.6 release

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 3.2.6! This is mostly a bugfix version with a few improvements. Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v3.2.6/NEWS Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support: https://www.knot-dns.cz/support/ Regards, Daniel

1 rok

← Newer
1
2
3
4
5
6
7
...
69
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

knot-dns-users