Dear all,
knotc has a zone-check command. Is there a tool which can validate a
zone file directly?
I see that you have a DNS library which can load a zone file very fast
(https://github.com/vavrusa/luajit-kdns). However this is missing the
zone checker/validator.
The stand alone zone check command line tool I was looking for would
also verify DNSSEC signatures. Something like dnssec-verify (BIND).
Daniel
Hello everyone.
Knot DNS 2.1.1 by CZ.NIC Labs has been just declared stable. It mostly
contains bug fixes. The update is highly recommended as some of the
problems are quite critical.
- We have resolved the problem with source address selection for
UDP messages when the server is configured to listen on all
available addresses (i.e., 0.0.0.0 or ::0). Prior to this release
and depending on the networking configuration, the server could
choose a wrong source address.
- Duplicate private keys can be now imported into the KASP database.
This is practical if you have the same signing key in the legacy
format and share the key between multiple domains. Prior to this
release, sharing the key was possible only with some hacks.
- We have resolved a problem with duplicate NSEC record which had
been returned for Wildcard No Data answers. In the new version, the
record is inserted into the response only once.
- We have fixed a possible server crash, which could happen during
an incoming zone transfer when a server reload is requested.
- The fix of a crash with many configured interfaces and threads was
included in the previous release. However the fix was incomplete. We
have found another related problems which are addressed in the new
version.
Thank you for the feedback and bug reports. And we are looking forward
to hear back from you. :-)
The sources are available on our server as usual.
Full changelog:
https://gitlab.labs.nic.cz/labs/knot/raw/v2.1.1/NEWS
Sources:
https://secure.nic.cz/files/knot-dns/knot-2.1.1.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-dns/knot-2.1.1.tar.xz.asc
Best Regards,
Jan
--
Jan Včelák, Knot DNS
CZ.NIC Labs https://www.knot-dns.cz
--------------------------------------------
Milešovská 5, 130 00 Praha 3, Czech Republic
WWW: https://labs.nic.czhttps://www.nic.cz
Hello folks.
CZ.NIC Labs just released Knot DNS 1.6.7. This patch release contains
only a few improvements. Upgrade is not necessary but advised.
- The server newly logs the change in the zone serial after IXFR
transfers. Prior to this release, information about serial was logged
only for AXFR transfers. This modification unifies the logging
behavior.
- We have added the 'timer-db' configuration option, which allows
relocation of zone timer database. This is useful if you run multiple
daemon instances sharing the same zone storage directory.
- The RRL implementation newly supports zero value for the
'rate-limit-slip' option. With this setting, all responses for a flow
exceeding the configured limit will be dropped.
- The documentation for RRL was extended to include information about
expected operational impact of various settings.
As you can see, the changes are rather small. We will continue in this
trend with the LTS version of Knot DNS. If you run Knot DNS 1.6 and look
for a new features and improvements, please consider an early upgrade to
Knot DNS 2.x.
The sources are available on our server as usual.
Full changelog:
https://gitlab.labs.nic.cz/labs/knot/raw/1.6/NEWS
Source archives:
https://secure.nic.cz/files/knot-dns/knot-1.6.7.tar.xzhttps://secure.nic.cz/files/knot-dns/knot-1.6.7.tar.gz
GPG signatures:
https://secure.nic.cz/files/knot-dns/knot-1.6.7.tar.xz.aschttps://secure.nic.cz/files/knot-dns/knot-1.6.7.tar.gz.asc
Best Regards,
Jan
--
Jan Včelák, Knot DNS
CZ.NIC Labs https://www.knot-dns.cz
--------------------------------------------
Milešovská 5, 130 00 Praha 3, Czech Republic
WWW: https://labs.nic.czhttps://www.nic.cz
Hello list,
this is just a quick note that we plan to do an ordinary bug fix release
of Knot DNS 1.6.7 and Knot DNS 2.1.1 the next week.
As for 2.1.1, we did some changes in the networking code and we want to
make sure that everything is working correctly. If you can help us with
testing we would be very happy. The tarball with sources for testing is
available on our server:
https://secure.nic.cz/files/knot-dns/knot-2.1.1-test.tar.xz
Thank you.
Cheers,
Jan
Hi,
I’m trying to compile Knot 2.1, but it fails. Here is the error part:
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../../src -include
../../src/config.h -I./shared -I./lib -I./lib/dnssec -I../../src
-I/usr/include/p11-kit-1 -fvisibility=hidden -D_FORTIFY_SOURCE=2
-march=native -O2 -pipe -fstack-protector-strong -fstack-check -Wall
-Werror=format-security -Werror=implicit -fpredictive-commoning -MT
lib/event/action/libdnssec_la-initial_key.lo -MD -MP -MF
lib/event/action/.deps/libdnssec_la-initial_key.Tpo -c
lib/event/action/initial_key.c -fPIC -DPIC -o
lib/event/action/.libs/libdnssec_la-initial_key.o
lib/binary.c: In function 'base64_decode_raw':
lib/binary.c:47:2: warning: statement with no effect [-Wunused-value]
nettle_len dst_size = dst_max_size;
^
lib/binary.c:47:13: error: expected ';' before 'dst_size'
nettle_len dst_size = dst_max_size;
^
lib/binary.c:48:50: error: 'dst_size' undeclared (first use in this
function)
int result = nettle_base64_decode_update(&ctx, &dst_size, dst,
src_len, src);
^
lib/binary.c:48:50: note: each undeclared identifier is reported only
once for each function it appears in
lib/binary.c:54:1: warning: control reaches end of non-void function
[-Wreturn-type]
}
^
I suppose this has to do with the flags used on my system (Arch Linux) ?
Thanks,
Bruno
Hi,
I’ve installed knot 2.0.2 on one of my server.
It’s configured with three IPv6 and I manage their reliability with some
source-specifi routing:
alarig@bulbizarre ~ $ ip -6 route list | grep default
default from 2001:470:1f13:138:715d:2fa0:b591:532f via fe80::20d:b9ff:fe3a:1fa1 dev eth0 metric 1024
default from 2a00:5881:4008:400::1 dev tun0 metric 1024
default from 2a01:240:fe00:82af:764f:b47e:d131:85e4 via fe80::20d:b9ff:fe3a:1fa1 dev eth0 metric 1024
default via fe80::20d:b9ff:fe3a:1fa1 dev eth0 metric 4
It works fine as I can ping those three IP from the same machine at the
same moment.
But, knot don’t take care of this and answer with the “nearest” IPv6
(like the IP source is calculated when you have several ones).
bulbizarre ~ # tcpdump -i any host mc.swordarmor.fr
23:13:07.276493 IP6 2001:41d0:a:27e4::1.52203 > florizarre.swordarmor.fr.domain: 59831+ SOA? swordarmor.fr. (31)
23:13:07.276647 IP6 bulbizarre.swordarmor.fr.domain > 2001:41d0:a:27e4::1.52203: 59831*- 1/0/0 SOA (86)
You can see that knot answer with 2001:470:1f13:138:715d:2fa0:b591:532f, which
is the one chosen if I’m the initiator of the connection.
Indeed, it works with my IRCd:
23:14:17.684155 IP6 2001:41d0:a:27e4::1.36490 > florizarre.swordarmor.fr.6697: Flags [P.], seq 53:106, ack 106, win 331, options [nop,nop,TS val 4047617704 ecr 1587664633], length 53
23:14:17.684301 IP6 florizarre.swordarmor.fr.6697 > 2001:41d0:a:27e4::1.36490: Flags [P.], seq 106:211, ack 106, win 240, options [nop,nop,TS val 1587724598 ecr 4047617704], length 105
23:14:22.555891 IP6 2001:41d0:a:27e4::1.34822 > bulbizarre.swordarmor.fr.6697: Flags [P.], seq 1:62, ack 61, win 331, options [nop,nop,TS val 4047618922 ecr 1587729432], length 61
23:14:22.555928 IP6 bulbizarre.swordarmor.fr.6697 > 2001:41d0:a:27e4::1.34822: Flags [.], ack 62, win 274, options [nop,nop,TS val 1587729469 ecr 4047618922], length 0
Is it a known bug?
--
alarig
Hi,
I did a "apt-get upgrade" on my Knot node.
The package update fails with "Failed to initialize default key store
(unknown error -13)."
Can anyone tell me what that means?
root@localhost:~# knotd --version
knotd (Knot DNS), version 2.1.0
root@localhost:~# ps aux | grep knot
knot 30048 0.0 0.6 1245236 6400 ? Ssl 16:08 0:00
/usr/sbin/knotd -d -c /etc/knot/knot.conf
root@localhost:~# /etc/init.d/knot restart
* Restarting Knot DNS server knotd
[ OK ]
root@localhost:~# ps aux | grep knot
knot 30115 0.0 0.6 1245224 6200 ? Ssl 16:09 0:00
/usr/sbin/knotd -d -c /etc/knot/knot.conf
root@localhost:~# apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n]
Setting up knot (2.1.0-2+trusty+2) ...
* Starting Knot DNS server knotd
[ OK ]
Failed to initialize default key store (unknown error -13).
dpkg: error processing package knot (--configure):
subprocess installed post-installation script returned error exit
status 1
Errors were encountered while processing:
knot
E: Sub-process /usr/bin/dpkg returned an error code (1)
root@localhost:~# ps aux | grep knot
knot 30115 0.0 0.6 1245236 6360 ? Ssl 16:09 0:00
/usr/sbin/knotd -d -c /etc/knot/knot.conf
Kind regards,
Volker
Hello,
Knot 2.1.0-rc1 made its way to the debian repository. I installed it as
part of today's upgrade, but it seems to not like my configuration :
For each zone I got these messages :
2016-01-14T10:07:00 error: [durel.org] DNSSEC, failed to initialize
(invalid parameter)
2016-01-14T10:07:00 error: [durel.org] failed to store changes into
journal (invalid parameter)
2016-01-14T10:07:00 error: [durel.org] zone load failed (invalid
parameter)
I log zone events up to notice level.
my default template is :
template:
- id: "default"
storage: "/var/lib/knot/external"
ixfr-from-differences: "on"
dnssec-signing: "on"
kasp-db: "keys"
serial-policy: "increment"
And this zone is defined as :
- domain: "durel.org."
file: "durel.org"
notify: "corrin"
acl: "acl_corrin"
Which is this "invalid parameter ?"
Thanks,
--
Bastien
Hello everyone.
I'm glad to tell you that Knot DNS 2.1.0 by CZ.NIC Labs was just released.
Thank you for the feedback on the release candidate. I believe we have
addressed all the issues and bug reports we have received.
Let me just quickly summarize the news in the 2.1.0 you already know about:
SO_REUSEPORT support, binary configuration database, PKCS #11 support in
DNSSEC, zone file name formatters, configurable location for timer database,
experimental module for online signing, and many other improvements. If you are
interested in details, please, see the 2.1.0-rc1 announcement.
And now finally, we are getting to the news in the final release:
- We have resolved the problem with the server crashing when configured with
a high number of interfaces and threads. This problem started to affect
more people because of the introduction of the SO_REUSEPORT support which
causes a higher allocation of file descriptors.
- We have changed the '%s' zone file name formatter behavior for the root zone.
In the release candidate, the trailing dot was skipped for all zones except
for the root zone. In 2.1.0, the trailing dot is skipped even for the root
zone. The root zone therefore expands to an empty string. This should make
your Ansible templates less hacky.
- The keymgr now supports KASP database upgrade. So if you have initialized
the database with Knot DNS 2.0, please, run 'keymgr init' in the KASP
directory to avoid DNSSEC 'invalid parameter' errors. The command is
idempotent, it won't rewrite your existing settings.
- We have removed the possibility to run knotc over a network socket. The
interface allows altering the configuration and possibly sensitive content
(e.g. TSIG keys) could appear on the network in plain text. We are working
on some better configuration interface which will (among other things)
guarantee confidentiality.
- We have also fixed a problem with slave zone bootstrapping when the server
launches and the slave zone fails to load from a zone file. In this case, an
immediate zone transfer is scheduled. Prior to this release, the transfer
had to be initiated manually by knotc.
Thank you for reading so far. Hopefully I haven't forgotten about anything
important. And as always, we are here for you to answer any questions.
Full changelog:
https://gitlab.labs.nic.cz/labs/knot/raw/v2.1.0/NEWS
Sources:
https://secure.nic.cz/files/knot-dns/knot-2.1.0.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-dns/knot-2.1.0.tar.xz.asc
Best Regards,
Jan
--
Jan Včelák, Knot DNS
CZ.NIC Labs https://www.knot-dns.cz
--------------------------------------------
Milešovská 5, 130 00 Praha 3, Czech Republic
WWW: https://labs.nic.czhttps://www.nic.cz
