Hi Bastien,
in your configuration, you have dnssec-signing and mod-onlinesign
configured for the same zone. This is probably a mistake.
You should have your zone either signed normally (during load, reload,
update etc.), or online (while answering each query). Otherwise it might
lead to a mess. I can't even foresee the mess as we haven't even tried it.
Since you are using mod-synthrecord, you probably should stick to just
mod-onlinesign. However, a new feature
https://www.knot-dns.cz/docs/3.3/singlehtml/index.html#reverse-generate
is an alternative to mod-synthrecord for reverse zones, and that one is
compatible with normal signing. You might consider migrating to it.
I guess that the error comes from a newly added sanity check, which was
considered a tiny change and therefore not mentioned in the changelog.
Cheers,
Libor
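The two alternatives Libor describes, side by side, as an added illustration (not taken from the thread or from the Knot DNS project); it reuses only the zone, module and policy names from Bastien's config and assumes the same file-based reverse zone:

```yaml
# --- Conflicting setup: both signing paths enabled for one zone ---
# "dnssec-signing: on" signs the zone file at load/reload time, while
# mod-onlinesign signs each answer as it is produced. Knot 3.3 rejects
# this combination ("incompatible with automatic signing").
zone:
  - domain: "8.e.d.0.8.7.6.0.1.0.0.2.ip6.arpa."
    file: "8.e.d.0.8.7.6.0.1.0.0.2.ip6.arpa"
    notify: "corrin"
    dnssec-signing: "on"          # offline/automatic signing ...
    dnssec-policy: "default_long"
    module: [ mod-synthrecord/revas, mod-onlinesign/online_long ]  # ... plus online signing

# --- Corrected setup: online signing only ---
# mod-synthrecord creates PTR answers at query time, so they only ever
# exist in the answer; offline signing of the zone file cannot cover
# them, which is why online signing is the one to keep. The signing
# policy stays attached to the mod-onlinesign instance.
zone:
  - domain: "8.e.d.0.8.7.6.0.1.0.0.2.ip6.arpa."
    file: "8.e.d.0.8.7.6.0.1.0.0.2.ip6.arpa"
    notify: "corrin"
    # dnssec-signing and dnssec-policy removed from the zone section
    module: [ mod-synthrecord/revas, mod-onlinesign/online_long ]

mod-onlinesign:
  - id: online_long
    policy: default_long

policy:
  - id: default_long
    algorithm: ECDSAP256SHA256
    rrsig-lifetime: 240h
    rrsig-refresh: 192h
    ksk-submission: validating-resolver
    nsec3-iterations: 0
    single-type-signing: on
```

After the change, a `dig +dnssec` for a PTR name inside the reverse zone should still return an RRSIG generated on the fly by mod-onlinesign, and the "incompatible with automatic signing" error should no longer appear at zone load.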
On 28. 08. 23 at 15:44, Bastien Durel wrote:
On Monday 28 August 2023 at 14:25 +0200, Daniel Salzman wrote:
Hello Knot DNS users,
CZ.NIC has released Knot DNS 3.3.0!
This version brings full DNS/XFR over QUIC support, multi-signer
operation mode, and many more. See the changelog.
Hello,
I upgraded to 3.3 today, and mod-onlinesign (or at least my config)
seems to be broken:
2023-08-28T10:23:17+0200 error: [8.e.d.0.8.7.6.0.1.0.0.2.ip6.arpa.] module 'mod-onlinesign/online_long', incompatible with automatic signing
2023-08-28T10:23:17+0200 error: [8.e.d.0.8.7.6.0.1.0.0.2.ip6.arpa.] module 'mod-onlinesign/online_long', failed to load (operation not supported)
Here is the relevant config:

zone:
  - domain: "8.e.d.0.8.7.6.0.1.0.0.2.ip6.arpa."
    file: "8.e.d.0.8.7.6.0.1.0.0.2.ip6.arpa"
    notify: "corrin"
    dnssec-signing: "on"
    dnssec-policy: "default_long"
    module: [ mod-synthrecord/revas, mod-onlinesign/online_long ]

mod-onlinesign:
  - id: online_long
    policy: default_long

policy:
  - id: default_long
    algorithm: ECDSAP256SHA256
    rrsig-lifetime: 240h
    rrsig-refresh: 192h
    ksk-submission: validating-resolver
    nsec3-iterations: 0
    single-type-signing: on
As I don't see anything related to onlinesign in the changelog, I don't
know where to search :/ Can you help me?
Thanks,
--