Adding ALIAS local resolution to knot-dns - knot-dns-users

Daniel Salzman

15 Dub 15 Dub

14:08

Hi Bron, Welcome aboard! First of all, I have to say that the ALIAS record type (and similar alternatives) is rather a workaround until HTTPS/SVCB alias mode is widely supported. We added this type primarily for use with our Redis backend and we aren't philosophically ready to add processing of it to the server itself. However, I believe we can find a solution for your needs. I think that your use case, where the target ALIAS zone is locally available, is not common. Usually, a full DNS resolver is necessary, which is the biggest issue. Our server is focused on high performance, so performing the resolution while responding to queries is not optimal. In your case it is not even necessary. Possible options: - Using our Redis backend in combination with https://gitlab.nic.cz/knot/knot-dns/-/blob/master/scripts/redis_unalias.py Sorry for the lack of documentation. - If the dynamic records are uniform across the zones, cannot you use something like (ignore the random zone names)?: knotc> zone-begin -- OK knotc> zone-set -- test A 192.168.1.1 OK knotc> zone-diff -- [.] +test. 3600 A 192.168.1.1 [e92bd5f.4738fa5efafc1ebdc3.] +test.e92bd5f.4738fa5efafc1ebdc3. 3600 A 192.168.1.1 [63da60e39bb6cd76fa.] +test.63da60e39bb6cd76fa. 3600 A 192.168.1.1 [96e07.] +test.96e07. 3600 A 192.168.1.1 [aa.] +test.aa. 3600 A 192.168.1.1 [center.] +test.center. 3600 A 192.168.1.1 [collector.] +test.collector. 3600 A 192.168.1.1 [e6a69.] +test.e6a69. 3600 A 192.168.1.1 [ecbecfc1abcc.] +test.ecbecfc1abcc. 6536 A 192.168.1.1 [hawking.] +test.hawking. 16183 A 192.168.1.1 [noc3598.] +test.noc3598. 3600 A 192.168.1.1 [records.] +test.records. 3600 A 192.168.1.1 knotc> zone-commit -- OK - If you insist on the dynamic ALIAS resolution, a new query module could be implemented. What do you think? Maybe more details about your deployment would help. Feel free to send me relevant zone snippets. Daniel On 4/14/26 17:11, brong--- via knot-dns-users wrote:

...

Hi, Fastmail has been running Knot for a few years now. Thank you for such excellent software! I'm new to this list, and new to the Knot codebase, but I'm an experienced C developer and have been working on Cyrus IMAPd (a mostly C codebase) for many years. We have hundreds of thousands of domains, and currently they all have the same set of service IPs compiled into them. This has generally been fine - setting up a new server takes an hour or so to build all the domains, but we just wait until it's done then bring it into rotation. Our current challenge -- we want to be able to transfer everything to a new IP range quickly for datacenter failover. Rebuilding every zone is too expensive for this. I looked at a few different issues and (along with Claude) figured that it wasn't much work to extend the ALIAS type to follow the pointer to another zone inside the same server and return the records from that. I have an initial pass at: https://github.com/fastmail/knot-dns/tree/local-alias-synth For now I've kept it as separate commits showing the evolution of the idea as I've tested it more and thought through how I want it to interact (basically any ALIAS get substituted with the contents of the name it points to, so you can mix and match them all sorts of ways). I'm very happy to engage on testing and modifying this code to match what the upstream project wants; or revisit the approach if this doesn't match your vision. I just need something that has these properties, and this seemed a good way to get there. Thanks, Bron. --

Reply

Daniel Salzman

18:13

Bron, Thanks for the details. Let me think about it. There is another important aspect of the solution, DNSSEC. Your proposed solution would require online signing, which is not ideal for high-traffic environments (unless you have thousands of servers :-)). What is your stance on DNSSEC? Do you use zone transfers, or how do you feed your Knot servers? Daniel On 4/15/26 17:01, Bron Gondwana wrote:

...

On Wed, Apr 15, 2026, at 08:08, Daniel Salzman wrote:

Hi Bron, Welcome aboard!

Hi Daniel, thank you!

First of all, I have to say that the ALIAS record type (and similar alternatives) is rather a workaround until HTTPS/SVCB alias mode is widely supported. We added this type primarily for use with our Redis backend and we aren't philosophically ready to add processing of it to the server itself. However, I believe we can find a solution for your needs. I think that your use case, where the target ALIAS zone is locally available, is not common. Usually, a full DNS resolver is necessary, which is the biggest issue. Our server is focused on high performance, so performing the resolution while responding to queries is not optimal. In your case it is not even necessary.

Yes, absolutely -we're not keen to make our server more expensive. We switched to Knot in the first place because our old backend was being hammered by DDoS attacks, even behind Cloudflare caching frontends.

Possible options: - Using our Redis backend in combination with https://gitlab.nic.cz/knot/knot-dns/-/blob/master/scripts/redis_unalias.py <https://gitlab.nic.cz/knot/knot-dns/-/blob/master/scripts/redis_unalias.py> Sorry for the lack of documentation. - If the dynamic records are uniform across the zones, cannot you use something like (ignore the random zone names)?: knotc> zone-begin -- OK knotc> zone-set -- test A 192.168.1.1 OK knotc> zone-diff -- [.] +test. 3600 A 192.168.1.1 [e92bd5f.4738fa5efafc1ebdc3.] +test.e92bd5f.4738fa5efafc1ebdc3. 3600 A 192.168.1.1 [63da60e39bb6cd76fa.] +test.63da60e39bb6cd76fa. 3600 A 192.168.1.1 [96e07.] +test.96e07. 3600 A 192.168.1.1 [aa.] +test.aa. 3600 A 192.168.1.1 [center.] +test.center. 3600 A 192.168.1.1 [collector.] +test.collector. 3600 A 192.168.1.1 [e6a69.] +test.e6a69. 3600 A 192.168.1.1 [ecbecfc1abcc.] +test.ecbecfc1abcc. 6536 A 192.168.1.1 [hawking.] +test.hawking. 16183 A 192.168.1.1 [noc3598.] +test.noc3598. 3600 A 192.168.1.1 [records.] +test.records. 3600 A 192.168.1.1 knotc> zone-commit -- OK

It's sadly not 100% uniform across all zones. We have default records, which can be overridden by individual customers.

- If you insist on the dynamic ALIAS resolution, a new query module could be implemented.

I do think that the ALIAS resolution the way I did it is an exact match for what we want, it's a layer of indirection for the records which are "a service provided by us" - the kind of thing you'd just use a CNAME for if it wasn't for how CNAMEs and MX records behave so unfortunately.

What do you think? Maybe more details about your deployment would help. Feel free to send me relevant zone snippets.

Our goal is to be able to switch all the records with IPs starting 103.168 to IPs in a separate datacenter when transitioning traffic to the other site (either deliberately, or for disaster recovery) Here is a zone which is absolutely vanilla, no special records. It's one of my family's domains: lorinna.net. 3600 IN SOA ( ns1.messagingengine.com. postmaster.messagingengine.com. 2026041300 ;serial 86343 ;refresh 600 ;retry 1209600 ;expire 3600 ;minimum ) lorinna.net. 3600 IN NS ns1.messagingengine.com. lorinna.net. 3600 IN NS ns2.messagingengine.com. lorinna.net. 3600 IN MX 10 in1-smtp.messagingengine.com. lorinna.net. 3600 IN MX 20 in2-smtp.messagingengine.com. lorinna.net. 3600 IN A 103.168.172.37 lorinna.net. 3600 IN A 103.168.172.52 lorinna.net. 3600 IN TXT "v=spf1 include:spf.messagingengine.com ?all" *.lorinna.net. 3600 IN MX 10 in1-smtp.messagingengine.com. *.lorinna.net. 3600 IN MX 20 in2-smtp.messagingengine.com. *.lorinna.net. 3600 IN A 103.168.172.37 *.lorinna.net. 3600 IN A 103.168.172.52 _dmarc.lorinna.net. 3600 IN TXT "v=DMARC1; p=none;" fm1._domainkey.lorinna.net. 3600 IN CNAME ( fm1.lorinna.net.dkim.fmhosted.com. ) fm2._domainkey.lorinna.net. 3600 IN CNAME ( fm2.lorinna.net.dkim.fmhosted.com. ) fm3._domainkey.lorinna.net. 3600 IN CNAME ( fm3.lorinna.net.dkim.fmhosted.com. ) mesmtp._domainkey.lorinna.net. 3600 IN CNAME ( mesmtp.lorinna.net.dkim.fmhosted.com. ) _autodiscover._tcp.lorinna.net. 3600 IN SRV ( 0 1 443 autodiscover.fastmail.com. ) _caldav._tcp.lorinna.net. 3600 IN SRV 0 0 0 . _caldavs._tcp.lorinna.net. 3600 IN SRV 0 1 443 d27457.caldav.fastmail.com. _carddav._tcp.lorinna.net. 3600 IN SRV 0 0 0 . _carddavs._tcp.lorinna.net. 3600 IN SRV ( 0 1 443 d27457.carddav.fastmail.com. ) _imap._tcp.lorinna.net. 3600 IN SRV 0 0 0 . _imaps._tcp.lorinna.net. 3600 IN SRV 0 1 993 imap.fastmail.com. _jmap._tcp.lorinna.net. 3600 IN SRV 0 1 443 api.fastmail.com. _pop3._tcp.lorinna.net. 3600 IN SRV 0 0 0 . _pop3s._tcp.lorinna.net. 3600 IN SRV 10 1 995 pop.fastmail.com. _submission._tcp.lorinna.net. 3600 IN SRV 0 0 0 . _submissions._tcp.lorinna.net. 3600 IN SRV 0 1 465 smtp.fastmail.com. mail.lorinna.net. 3600 IN MX 10 in1-smtp.messagingengine.com. mail.lorinna.net. 3600 IN MX 20 in2-smtp.messagingengine.com. mail.lorinna.net. 3600 IN A 103.168.172.65 And here's one where the apex A record and www A record are pointed to an external system, but the rest is managed at Fastmail. miv.org.au. 3600 IN SOA ( ns1.messagingengine.com. postmaster.messagingengine.com. 2026041300 ;serial 86223 ;refresh 600 ;retry 1209600 ;expire 3600 ;minimum ) miv.org.au. 3600 IN NS ns1.messagingengine.com. miv.org.au. 3600 IN NS ns2.messagingengine.com. miv.org.au. 3600 IN MX 10 in1-smtp.messagingengine.com. miv.org.au. 3600 IN MX 20 in2-smtp.messagingengine.com. miv.org.au. 3600 IN A 178.62.49.34 miv.org.au. 3600 IN TXT ( google-site-verification=3xg8-ieU1iufBCuguKrrUSGTEnrDYy7aSnPLvN66XHk ) miv.org.au. 3600 IN TXT "v=spf1 include:spf.messagingengine.com ?all" *.miv.org.au. 3600 IN MX 10 in1-smtp.messagingengine.com. *.miv.org.au. 3600 IN MX 20 in2-smtp.messagingengine.com. *.miv.org.au. 3600 IN A 103.168.172.37 *.miv.org.au. 3600 IN A 103.168.172.52 _dmarc.miv.org.au. 3600 IN TXT "v=DMARC1; p=none;" fm1._domainkey.miv.org.au. 3600 IN CNAME fm1.miv.org.au.dkim.fmhosted.com. fm2._domainkey.miv.org.au. 3600 IN CNAME fm2.miv.org.au.dkim.fmhosted.com. fm3._domainkey.miv.org.au. 3600 IN CNAME fm3.miv.org.au.dkim.fmhosted.com. mesmtp._domainkey.miv.org.au. 3600 IN CNAME ( mesmtp.miv.org.au.dkim.fmhosted.com. ) _autodiscover._tcp.miv.org.au. 3600 IN SRV ( 0 1 443 autodiscover.fastmail.com. ) _caldav._tcp.miv.org.au. 3600 IN SRV 0 0 0 . _caldavs._tcp.miv.org.au. 3600 IN SRV 0 1 443 d442465.caldav.fastmail.com. _carddav._tcp.miv.org.au. 3600 IN SRV 0 0 0 . _carddavs._tcp.miv.org.au. 3600 IN SRV ( 0 1 443 d442465.carddav.fastmail.com. ) _imap._tcp.miv.org.au. 3600 IN SRV 0 0 0 . _imaps._tcp.miv.org.au. 3600 IN SRV 0 1 993 imap.fastmail.com. _jmap._tcp.miv.org.au. 3600 IN SRV 0 1 443 api.fastmail.com. _pop3._tcp.miv.org.au. 3600 IN SRV 0 0 0 . _pop3s._tcp.miv.org.au. 3600 IN SRV 10 1 995 pop.fastmail.com. _submission._tcp.miv.org.au. 3600 IN SRV 0 0 0 . _submissions._tcp.miv.org.au. 3600 IN SRV 0 1 465 smtp.fastmail.com. mail.miv.org.au. 3600 IN MX 10 in1-smtp.messagingengine.com. mail.miv.org.au. 3600 IN MX 20 in2-smtp.messagingengine.com. mail.miv.org.au. 3600 IN A 103.168.172.65 www.miv.org.au. 3600 IN A 178.62.49.34 And here's one that runs entirely separately, just using Fastmail for DNS: dkim2.com. 3600 IN SOA ( ns1.messagingengine.com. postmaster.messagingengine.com. 2026040300 ;serial 86265 ;refresh 600 ;retry 1209600 ;expire 3600 ;minimum ) dkim2.com. 3600 IN NS ns1.messagingengine.com. dkim2.com. 3600 IN NS ns2.messagingengine.com. dkim2.com. 3600 IN MX 10 mail.dkim2.com. dkim2.com. 3600 IN A 134.209.211.166 dkim2.com. 3600 IN TXT "v=spf1 a mx -all" *.dkim2.com. 3600 IN MX 10 mail.dkim2.com. _dmarc.dkim2.com. 3600 IN TXT ( "v=DMARC1; p=none; rua=mailto:dmarc@dkim2.com" ) ed25519._domainkey.dkim2.com. 3600 IN TXT ( "v=DKIM1; k=ed25519; p=H4AK/+/8XXxmn/bnyOHaqPpyJtrqBf80sgZpnepMPUQ=" ) fm1._domainkey.dkim2.com. 3600 IN CNAME fm1.dkim2.com.dkim.fmhosted.com. fm2._domainkey.dkim2.com. 3600 IN CNAME fm2.dkim2.com.dkim.fmhosted.com. fm3._domainkey.dkim2.com. 3600 IN CNAME fm3.dkim2.com.dkim.fmhosted.com. mesmtp._domainkey.dkim2.com. 3600 IN CNAME ( mesmtp.dkim2.com.dkim.fmhosted.com. ) sel1._domainkey.dkim2.com. 3600 IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvwtNJpRLYM99Ya2Vm5Th/BUxw7MazipAvYMHJA80TD9P1F5gx6eHMT8kErqOG5w7ngZPAoEvH0Dq2rfyGC7gqp93RR7xCD/YNm72/uq9NC+zv1gQ3IqeHbKJEd8MQMj4CL+0fhRyAPpMWEPirYGSgVDxKjJHwa0XLlt00iI6DV1m/IhbH2hzcd6WfBBdiFLV+ovTS8InQDedl12aJtRJv/gKLA+6+Nd4DlTb3mBT2JvT0WoIbJ43pZpBR8ItXHOGT75mxMILEcWI2EhtPq/GaJHWbn7RxgyV0I44bTUiKut+8udflCjSpiOBXlFNp20bUQTjNxKNcCiLGFzc8cYFIwIDAQAB" ) dev.dkim2.com. 3600 IN A 134.209.211.166 mail.dkim2.com. 3600 IN A 134.209.211.166 mailman.dkim2.com. 3600 IN MX 10 mail.dkim2.com. mailman.dkim2.com. 3600 IN A 134.209.211.166 mailman.dkim2.com. 3600 IN A 134.209.211.166 mailman.dkim2.com. 3600 IN TXT "v=spf1 a mx -all" _dmarc.mailman.dkim2.com. 3600 IN TXT "v=DMARC1; p=none" sympa.dkim2.com. 3600 IN MX 10 mail.dkim2.com. sympa.dkim2.com. 3600 IN A 134.209.211.166 sympa.dkim2.com. 3600 IN A 134.209.211.166 sympa.dkim2.com. 3600 IN TXT "v=spf1 a mx -all" _dmarc.sympa.dkim2.com. 3600 IN TXT "v=DMARC1; p=none" test1.dkim2.com. 3600 IN MX 10 mail.dkim2.com. test1.dkim2.com. 3600 IN TXT "v=spf1 a mx -all" _dmarc.test1.dkim2.com. 3600 IN TXT "v=DMARC1; p=none" ed25519._domainkey.test1.dkim2.com. 3600 IN TXT ( "v=DKIM1; k=ed25519; p=hwjviTXyzUXSCWayBqE17s/4NSynQKxw58jayHudRAI=" ) rsa1024._domainkey.test1.dkim2.com. 3600 IN TXT ( "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIubB7x1q3rNGDWgObuKSOyYVtVKmcJpIvtWdRzg71iGRGqMdEE18GAOk+6j+GAcHTppkh4qR1d9vOl4S1L8ClAvSFUz0azi31fLQcMpZbagyseSq9FnF4nHL/7MAA2brAXkVCQ1rZLKNHMwkXGggkA9kg+LloNfSML+utkhN3gQIDAQAB" ) sel1._domainkey.test1.dkim2.com. 3600 IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqRtvI17L4pHwF58KhyjiN7d74ZHDZia1IOzuXA6hygEuxt0+0Ey9PJvrDpKp/JsJIiJ0Ji8hrQfeMbAX5wHpz8GAkRlWOdorPuZiMZegTU9oD9nWRO/GcAu7Ub4V1pF6AwwfykCmzKbomX7jWa1y0oNgMHMUeZAi1XveQ6cfebJOwtgqWMOTSenY8+p8hU97YFxwKXO0FsAQYvNMMSZAXPM00V/ZaxiZ1UZUCMM/uesVkU7pIOzItGEjoWUrPkIos1GGf+2nBncqNgmivPkJPFeaJXOIL1iHqKJrSzZuTxCWPTQ+JVPyeAgDk0xyGK3RbiyItPjVZhBs7sZekNGVCwIDAQAB" ) sel2._domainkey.test1.dkim2.com. 3600 IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqiTwabnGlrGDoPlSHpfiWjsbwucsezwm/iU9bjloGqothOM7XNIrS1ub2f5BNz9yQjOhWGJ+fo8DOnF9YdUKXkBxuUdt49eyClLDaUG4Q35hJBWFF1MsmihtJpo6PzXGZYP/c4mPc2vXTPd3hbAqkftMgUCOCUIUyUEXhMl/R6/XkXATcyDId3TsSyQUJk3U+2r/wQJGz5JkOxyDX1NEawfh3GDuppCUFZFWnsrEvolBGDqZk8RG2FNmRysglRau4z9GG8jieXG4NjIT/yOh3pjbYGq4tgrMVZ7AcrIpCRbEJTUCExgrh3iQRXReVPy2qhcgY6BQLF2ahiTBUm2wAwIDAQAB" ) sel3._domainkey.test1.dkim2.com. 3600 IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr8xHmZoXE3P12DNh5jhFAJjtI9kosn3bISKWYNyn2PAn8E+Ik70iScLj8bFUNcjlLRtBDo5KZ323gdoYS3AUBSJlbkLJKCnQnH6pY+rawmt5kCNJm15DTFlOyZhaMWUilFyVzzGDqXf3d/VzFiX+13GnDdwR1QOnbOTMKx9Y0+nEhlnqRwv3YFjAO1aQOdFzguxMi5wiZQIFtmwwY8GgFIVrEqFq4UCU/hc/E2YcYjHv5zg2KR/zJivfXdLOceHqzJTYdOca/IDqfat2IgOooVVsfHZCCScOutZe9JwWYt98EOiFfvmLs3pvJnBLyGM2BOZUpJnkXSDCnTKxboRnqQIDAQAB" ) test2.dkim2.com. 3600 IN MX 10 mail.dkim2.com. test2.dkim2.com. 3600 IN TXT "v=spf1 a mx -all" _dmarc.test2.dkim2.com. 3600 IN TXT "v=DMARC1; p=none" rsa1024._domainkey.test2.dkim2.com. 3600 IN TXT ( "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcSzEVS5IaMQZWJaqmA7dnD1fHuks1mqzY9RfQn9skWCYJZxHx0d45oSSrMt8lSKZiN4FLgbBl0jiLWXq+oPP3rUEhQrqElzyzo1Swn1Phsq45ij655pXFgZpfXvS95nP2GGDrQLcZhi5VNDg9ACoitB1CtxTipRXm8anlzLtg2QIDAQAB" ) sel1._domainkey.test2.dkim2.com. 3600 IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAolQDA1kFcPW13OQNJv7zEGhf18S+PU8oGUOSScVYRJELDUxZzv0i1OsyNW5T2hZlmTDFRszoxstj1o8JBn9nYm6zfdvr4w8JS5SrAEx8MzI4N/SghA334hbXtXQZ3br179XVgTMGJL0OMWw2Qp0c9HQAtQNF3ckeMiPncWp8e58in5YCjvHhezl8/VGrBx+CsDKxT8JFs/0QluC6AFQuM9ZIsm3RPwf4BsPE0/ADpuA5GUUdYUzhNt2Uq9Wr82BJLt8cy1a9FVEGKxdMhgJ7Gx4hx8GpM/oaiQYMO9VmNZVz8n87BkNOnjlpYFCtfb9FH8/mYPwqaSa0DmcahfeHVQIDAQAB" ) sel2._domainkey.test2.dkim2.com. 3600 IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3i4wXkWpIYib21p0CZx1dobNCYababIxIZAJO5SEGiK++C7jLgnpqg+lvTKS7eR5q1MO3ZCY19Bgm/PcigLvuLtMzap4yY+h9hnsQYzrdcAamzrpB3cjiNoCNhT0Zp7kRI6Rx0t2Uc91e0CvaFf8zAJIF4VUyQNXx9Gn/SEtNr0iQCNsPptGA1PUGUwDQUGze7fkXtnBOrgvNjILfnUC7MA6W+2+mCYtHzOkRB+t6SMutR2cDSXabjYBL5/1bweL6ABDouGgBnIj9LrY6RcbzrBpLuUAuXi71dLEHs0KW0UdImyUpE1i+thKqhNGaYnaL8KrTlDUC8g62T2kQNuHJQIDAQAB" ) sel3._domainkey.test2.dkim2.com. 3600 IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuDOUuL/rLDi7fohdOw/sk31eGe5CtX9UEw5pSQv/EyYwW9lxZqi9SwU8Of+z7uHLMFJi+YbYV25CYDUrDIE71WLKou3FL0WyH0U4DrZoR7CBnMjRz92Lqh+VV1PJz0t5mU8YD0O+JJ80jScKIIcC8r1qysQI9Y7EdIAWFZlYS97c6WhKVg94xeOAaRDnpbr80H29g9pqGs4Yk4Hc1r5OXptj12sBMO7JCz/4dQ2Di0JsPOwEjWNbV9ysz8EcSW/+RoFG5Iomf4/q/aW7T6tUGqdj8M0eQ0TO0xW0lc4jqKUHH85LbdZFhcDIBUg8ML6mRgSVy779MxMP7+uw3iVLQQIDAQAB" ) test3.dkim2.com. 3600 IN MX 10 mail.dkim2.com. test3.dkim2.com. 3600 IN TXT "v=spf1 a mx -all" _dmarc.test3.dkim2.com. 3600 IN TXT "v=DMARC1; p=none" ed25519._domainkey.test3.dkim2.com. 3600 IN TXT ( "v=DKIM1; k=ed25519; p=reUWo3pXLWHk5dILIK4NoCR3F2iACFdQ/FlhvVvMtxc=" ) sel1._domainkey.test3.dkim2.com. 3600 IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAju2t0p4xwgCT4UCRgfNZ27U6nhQ5sHSV23hR2TBngda8yAChPInsdVyjJv+cSeZf7tG7yKrzKTM9KaKK8BzBguYrJ9DRJqg7MPPsXlZJ53Ydku3GKLcuiBmDrwUxyBGAMFxndVs+uNJkF2qi+RK0Dgd45wMZiJJF1K3bPjkkQub4Ex4MXvbIqqThthlYiKUGHFBPKg7DALkdoIlegrAP4xZ43Cszd5u9AvNdjvAr31ajjaGrGuQH+gW5kXdwZpDiQgvi0Obnr7AZeVSyr4I5CTNLoj4ed4I0AOJ3TsoZM1fFzHr/rqhL+oEKW3tA7UYGaRoXFDei0qLXhRGTJjzscQIDAQAB" ) sel2._domainkey.test3.dkim2.com. 3600 IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAynXlN4POdoj82RpdpD7iG8RR/RF1TjQxy65Fu/12cV0YYX1mZLOHcvSUkxkxMKSxdZnv/7UKuQcbdQXC7jBah/JQNYzLVDUe3bKbrjsypczRPYKajxnEYCsjvoKDR9g2XtlppGrchst77wcj3SWplz2MGBk5E2SGVo1TuvuRt2S0iiye8+Z2KBaVUE3t55YxRHhjIfudboyq4Vqt6o1/6gl7eieZjqfqIBcU8k1xgEG5EG5GYCV12cUzvFU4Q5jPIzDWydppSN+jsIdSRbA8E0GweeRYumuNHryfDexZ04GafvjDwC+b9PCD5r8xiyt7N8gPNG052smGeK39N9Y/TQIDAQAB" ) sel3._domainkey.test3.dkim2.com. 3600 IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmJR1PxhxeO2eZlHPZfikAOyn/95rjszoGWRZti+0VyitapUVvla9noM3w0rbFEbVwW4Y3ILqY7j1C1jiM02okbYNYwE0CC1WSTGUrSoyRV7nGFJ5n6vcLCLqE9EFJwFnUCCXDTz+90D4aiXgasm/MAJJMkBQzdrrpQTwnLGVfWYGenqUWJ1+yn8kXmDq/wub0oE5G3DEE7noCgxpzkEd6tqCIJ3Z1wcA9qnUsTBjmDLPEZAwc4ajwZ/cfXceDXnprUKlFvq9tfMReKfObT2g6/iBsesBLCsuYgHKRydNqT1+YU0GmkSQkXutgyH5o4WzkUsPim2saIiTkVPTCtbWBwIDAQA" ) test4.dkim2.com. 3600 IN MX 10 mail.dkim2.com. test4.dkim2.com. 3600 IN TXT "v=spf1 a mx -all" _dmarc.test4.dkim2.com. 3600 IN TXT "v=DMARC1; p=none" ed25519._domainkey.test4.dkim2.com. 3600 IN TXT ( "v=DKIM1; k=ed25519; p=fJAwKEPblCYdjrEIPeyOFy6AeXZUBALBdGQRjSPe97c=" ) sel1._domainkey.test4.dkim2.com. 3600 IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqxfEjz2MPZ7ZiE/uQkgPOC7mn0CweB5MZgHMqgGPQodj2DpbILnxBivC64VV5/JItBaNCtEL3UFY1YzlJOKzqjJacF66u9en4m6L6uC31vrHmVME6+rx7B5nMBlkwPheamx8Dyf+wNo3/9UCKxSdFdtiJLpLGC7Tg2ry7tpxST4Joaf9fIggc3Zmaraidk0S0uJKQq6ZKoZtjJkt0Bd+LGEnGC6C9/lrjHarnImc1bcELpJrzmneOmJO1/b4C8TXawu7luKn6dTWhujAOam+sO4vXxwpCDEa2saSrB6ru2Ef4ittBVn8fYDCwCjqbniU3B/g7BcBYnnMLUvQecZEqwIDAQAB" ) sel2._domainkey.test4.dkim2.com. 3600 IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApolcHH25pnffLSu90xCKJINg7wItlff/H1x529bcRoYDl171r7rqnXA4dBaVSQoIK+vHsoizucMNw1dvdlxgdjOjBxJQOzF5gT4rvFjXn6gJG41MJcAolxA12FAM3XAlYmy2tE5jIU9TXenLgnXzLuf+YYLWsU2XHFO7yQkOwakgLFVQ7hljB1lCA6gWdERj1pa/v0njvBCK2k4+n70cS0CVE4n1zeKUSM/WHhqrW1ty2N4DW47JpBlbmJLepMuR3wPnkE7vL4OR+2HmZ+x6DzdZbzo0FFvh7jdfjlX/BB84ixaXIsJfEzWZMRc6DF+7oQIJ7WkyAETX2CXp/GpQwwIDAQAB" ) sel3._domainkey.test4.dkim2.com. 3600 IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiy1mVSb6jt4Y4m0V2M3/e/azZBQUGjahidiAgIE/4ZrJn65azagf3byfJwSvyxbnUSNvvJRf4aEiktKVOWKm9HbFMB8bS972Uj6IhviNrbrI7fdos/wv7SB7lCEVETKHC8lot7mw3xD86RLzhBFlBpgKreQrN0bXGC7vkMLE5Noxxj1BdVOEL7RQf96NGgi08ksgvlOMAcEVsVrGYJbrqAW85QJYe/0oQTb9BB86gRqweaZprFPDKB0/UUlRMNNR3+Zwrp7ibb8c0QXaDJ4V+5k2ABw8Cp99uXHeK8K50nfakQnY5EUlQ8lpCIG2JHLHTF7s4TbnXJST7Jy5RSmNywIDAQAB" ) test5.dkim2.com. 3600 IN MX 10 mail.dkim2.com. test5.dkim2.com. 3600 IN TXT "v=spf1 a mx -all" _dmarc.test5.dkim2.com. 3600 IN TXT "v=DMARC1; p=none" ed25519._domainkey.test5.dkim2.com. 3600 IN TXT ( "v=DKIM1; k=ed25519; p=IAG1F5P3LD1Q8Y67PeW7YJLuvrM19wpaof+dzdC679I=" ) sel1._domainkey.test5.dkim2.com. 3600 IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YUNs4TOful7xAtEh/PcKbVRvxBOOC52crCwqRCeVUnsvyOPx/qtY0oA2qPZVzDFU/h3fyz54eqYMiOIbxJavt3+nDNf8VfyHxQfc6+JdHdcHAJDpM1EMgN5awMxvc76csMVN6hnYFeOuSZECQy8Kr2C8QPCTcoMeNmR0udfKBo17Gjx4Wg9QDlc0CrzdenXscs0+D/3Y47lN1KllQeBAR7wvTVFoFKvSZ2CvwW264Syx76viMd0+JaK0YdhAcphMuHeNWzCKA+pMVD45gtikpkOQo+MBQIV96lNXa3fEw20S1IZfCMZHMSBbLmsiDY4luCe6kA08khNaE/zBi1GbQIDAQAB" ) sel2._domainkey.test5.dkim2.com. 3600 IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwSkJ+kfygUujU2u3tquvkjpPV/Gluz9k7rNnDfQwSddbZLOtDSQRt5pA04fjUcS+PraUAg2arKuGv05Nuw/X0ts7bh3N0b2Iwbg1IEGGa6gXMmJ6Lj5T0O716rk0GOvdWqLz/466MzCH8viwPwSLY25EBDD3r1Y9o58xy6VhiUuMsqttjzsk743A0wKQHr5FEYim0qnfY0ePfAr0s36XItgQaXH9pkr2CPmqSXlIwKN99h2TJVcf86dMDqxuqUnI2OilwKcGtMk2/oMxC3A5gGgFkivxUIdoKs0Y/JruR6mvnoFREbC5GToWNGCgciYbxMfaQIRO9tJwyPGl8gPpiQIDAQAB" ) sel3._domainkey.test5.dkim2.com. 3600 IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsU7LuV9aZv8jiNflYQBEpGjGjzKF+PBBFSezLBkRsYQ8IKcmCa0v/BI2hC0h0DGqtOb4dz640F3oZFRyUcX5PsKinm6SChl1qOog4+3oNFs7bhe3NJm7MRgTCSKomEWKXJei303wy/iDKtm+KUL8mSFNlAr3FnVTxXq2LY+rUG786Ha7xvK7NeLN4+R22061QVf+rqWhMgZB0fEGzIAVx2C7P2dCMT1sZoPPXHajXmw36LbOUDp151tfH7LQ9qdPL+08FYjM4xoJdLy3kgHATb0bnebq0Mfxym2x14nI6YoOzqE+fcL4xJXqfVISC1Uyvx0ndNO6jajsBIbr2ihKewIDAQAB" ) ... so basically my idea is to replace every current 103.168.172.x IP in our generated zones with an indirection to the actual service name, and then be able to update just that one zone file in order to change the IPs which are served for that service. I'd be happy to re-implement that as a separate plugin, or as variables or some other way to do that indirection - I just want it to keep the DNS service fast, and allow me to switch all those records all at once. Thanks, Bron. -- Bron Gondwana, CEO, Fastmail Pty Ltd / Fastmail US LLC brong(a)fastmailteam.com

Reply

Bron Gondwana

16 Dub 16 Dub

22:19

I have redone the change as a separate module (mod-localalias) instead: https://github.com/fastmail/knot-dns/tree/mod-localalias The only things this touches outside the module code itself are isolated into the first commit, an accessor for the alias data and type name. The second commit is the implementation, and the third adds test cases. I've updated our code on top of this new version, and all the tests are still passing with the addition of the module initialisation to our config. Cheers, Bron. On Wed, Apr 15, 2026, at 12:36, Bron Gondwana via knot-dns-users wrote:

...

At the moment we're not doing DNSSEC. We appreciate that it would be a big challenge. Another option I considered (less flexible but viable) is just to run two separate knot instances with the different zones loaded, and switch traffic to the other set! For DNSSEC - because the target zone(s) are also internal, I presume it would be possible to calculate once and then cache the zone so long as none of its ALIAS targets had changed. This would still be a hit of calculations as the target zone changed, but it should taper off in everyday production use. Our Knot servers are all fed directly - we run 4 of them currently, two in each datacenter, and they are all fed by a process which reads database updates from a queue, and rebuilds the zone files and then reloads them. The interesting bit of code for a new or updated zone is: # Do we have config for this zone? # Check for a template my $results = $self->knotc_cmds_read("zone[$effective_zone].template"); my $result = $results->[0] // ''; chomp $result; $result =~ s/^.* = //; my $metric_type = 'zones_updated'; if ($result ne 'default') { # setup the new zone $metric_type = 'zones_added'; my $committer = $self->knotc_begin_transaction_auto(); my ($success, $output) = $self->knotc_cmds([ [ 'conf-set', 'zone.domain', $effective_zone ], [ 'conf-set', "zone[$effective_zone].template", 'default' ], ]); unless ($success) { $Logger->log_fatal("Zone setup failed for $effective_zone: ", $output); } $committer->commit(); } $self->metrics->{$metric_type}++; # for new or updated, trigger a zone reload my ($success, $output) = $self->knotc_cmds([['zone-reload', $effective_zone]]); $Logger->log("Zone reload failed for $effective_zone: ", $output) unless $success; All the indirection there is a module which automatically sends a conf-abort if it dies before calling conf-commit and such magic. The entire zone is built based on a "needs rebuild" trigger placed in the queue to each server, so they update separately out of that queue; meaning if one is down for a while it collects a list of what to do before coming back into service. So they are all entirely independent of each other. Bron. On Wed, Apr 15, 2026, at 12:13, Daniel Salzman wrote: