Hi,
I am still very new to knot ;-)
FYI: This is Knot DNS 3.3.3 because 3.3.4 hasn't been shown up in FreeBSD's ports collectioon, yet.
Here are my settings regarding dnssec policy:
policy:
- id: ecdsa
algorithm: ecdsap256sha256
ksk-lifetime: 3650d
zsk-lifetime: 330d
propagation-delay: 1d
nsec3: on
cds-cdnskey-publish: rollover
Whatever I tell nsec3, either "on" or "true", only NSEC RR are generated, no NSEC3.
dns> grep -i nsec3 zones/ellael.org
dns>
dns> grep -i nsec zones/ellael.org
3600 IN RRSIG NSEC 13 2 3600 20240226084528 20240212071528 9562 ellael.org. fkpFcgkVq8ZRZT0GX5kVcfPZBB5S/2Gvh4XqrkrywbZXFKiCttYqCX7rBdJSbyem5G8Bxg1LKaxu7LrIoxtyVA==
3600 IN NSEC _dmarc.ellael.org. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY CAA
3600 IN RRSIG NSEC 13 3 3600 20240226084528 20240212071528 9562 ellael.org. R7Pz2JuKi7vQDe0KMt29NHGtKvuEnH2LPKcxTWLP9HyfuMxJx4BEyPE6i+JAw8RxfSIqWAcV/KMyCHaLgFtXXw==
3600 IN NSEC _token._dnswl.ellael.org. TXT RRSIG NSEC
3600 IN RRSIG NSEC 13 4 3600 20240226084528 20240212071528 9562 ellael.org. 3oUCWWTH2s9oH/Ea0b+MDrrQcOEuTbwx1iEuXaLq7wFribrnIGY8JeeiE3TO59n1lckKm4hia+2ox324xoxCzA==
[snip]
What am I doing wrong?
Thanks in advance and kind regards,
Michael
Hi,
I am very new to Knot [1].
Excerpts from my knot.conf:
policy:
...
ksk-lifetime: 3650d
zsk-lifetime: 330d
propagation-delay: 1d
...
dns> knotc zone-status ellael.org
[ellael.org.] role: master | serial: 2024021201 | re-sign: +12D8h42m21s
I am a bit puzzled by that "re-sign: +12D8h42m21s".
Does that mean "time until newly issued signatures" and becomes triggered by default "rrsig-lifetime: 14d" value?
If so, I am very much relieved, if not, what is going on, then?
Here is my question:
How can I find out the dates for upcoming KSK or ZSK rollovers?
This I couldn't find in the documentation, sorry.
Thanks and regards,
Michael
[1]
I've been bitten by that subtle bug in mailing list processing system ;-) My questions regarding migration strategy has become obsolete in the meantime, because I managed to migrate successfully. Thanks to the great documentation of Knot I could help myself ;-)
Subject: GUI Frontends for Knot DNS Server
Good day from Singapore,
Are there any GUI frontends for configuring Knot DNS Server?
I prefer GUI configuration interface. It is more efficient than
command line interface (CLI).
Thank you.
Regards,
Mr. Turritopsis Dohrnii Teo En Ming
Targeted Individual in Singapore
Blogs:
https://tdtemcerts.blogspot.comhttps://tdtemcerts.wordpress.com
Hello,
Running knot-resolver 5.6.0-1 amd64 (latest available via apt) on
debian-12 bookworm, fully upgraded.
systemctl start kresd@1 fails to run.
systemctl status kresd@1 shows the following errors:
[system] error while loading config:
...b/x86_64-linux-gnu/knot-resolver/kres_modules/policy.lua:378: bad
argument #1 to 'create' (table expected, got nil) (workdir
'/var/lib/knot-resolver')
Here is my kresd.conf. It had been running ok for a long time ( I don't
recall making any changes) :
- Default empty Knot DNS Resolver configuration in -*- lua -*-
-- Bind ports as privileged user (root) --
net = { '127.0.53.0' }
-- Switch to unprivileged user --
user('knot-resolver','knot-resolver')
-- Unprivileged
-- cache.size = 100*MB
policy.add(policy.suffix(policy.FLAGS({'NO_CACHE'}), internalDomains))
policy.add(policy.suffix(policy.STUB({'127.53.0.0'}), internalDomains))
policy.TLS_FORWARD({
-- multiple servers can be specified for a single slice
-- the one with lowest round-trip time will be used
{'9.9.9.9', hostname='dns.quad9.net'},
{'149.112.112.112', hostname='dns.quad9.net'},
})
All help is greatly appreciated,
Mike Wright
Dear mailing list subscribers,
due to a subtle bug in our mailing list processing system, a few emails
sent to the mailing list <knot-dns-users(a)lists.nic.cz> over the past two
years were blocked and awaiting approval without our knowledge. After
filtering out spam, we will review what we believe is still relevant and
reach out to the senders directly in the coming days.
If your email did not pass through the moderation phase, please resend
it to the list after the middle of next week. We are sorry for this
issue.
Our thanks go to Juha Suhonen who helped us discover the problem by
pointing out that his email is still waiting. Thank you, Juha.
Best regards,
David Vašek, Knot DNS team
Hi,
I’m updating our config files and I’m wondering if we need to set ‘key’ in remotes section, and in acl section?
If I have this in my config:
remote:
- id: remote01
address: 127.0.0.1
key: my_key
acl:
- id: allow_transfer
address: 127.0.0.1
key: my_key
action: transfer
zone:
- domain: example.com
acl: [ allow_transfer ]
notify: [ remote01 ]
Couldn’t I just remove key attribute from the remote, since the acl declares the address and key that are allowed to transfer the zone?
.einar
