Hi everybody,
I would have a question related to zone signing. Whenever I reload knot config
using knotc reload it starts to resign all DNSSEC enabled zones. It makes the
daemon sometimes unresponsive to knotc utility.
root@idunn:# knotc reload
error: failed to control (connection timeout)
Is it a design intent to sign zones while reloading config? Is it really
needed? It invokes zone transfers, consumes resources, etc.
Thanks for answer
With regards
Ales
Helly everybody,
there is a KNOT DNS master name server that I do not manage myself for my domain. I try to setup a BIND DNS server as a slave in-house. BIND fails to do the zone transfer and reports
31-Dec-2017 16:19:02.503 zone whka.de/IN: Transfer started.
31-Dec-2017 16:19:02.504
transfer of 'whka.de/IN' from 2001:7c7:2000:53::#53:
connected using 2001:7c7:20e8:18e::2#53509
31-Dec-2017 16:19:02.505
transfer of 'whka.de/IN' from 2001:7c7:2000:53::#53:
…
[View More] failed while receiving responses: NOTAUTH
31-Dec-2017 16:19:02.505
transfer of 'whka.de/IN' from 2001:7c7:2000:53::#53:
Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs
If try dig (this time using the IPv4 address), I get a failure, too.
# dig axfr @141.70.45.160 whka.de.
; <<>> DiG 9.9.5-9+deb8u7-Debian <<>> axfr @141.70.45.160 whka.de.
; (1 server found)
;; global options: +cmd
; Transfer failed.
Wireshark tells me that the reply code of the name server is `1001 Server is not an authority for domain`. What is going on here?
Especially, if I query the same nameserver for an usual A-record it claims to be authoritative. Moreover, KNOT DNS manual says KNOT is an authoritative-only name server. So there is no way of being non-authoritative.
Has anybody already observed something like this?
Best regards, Matthias
--
Evang. Studentenwohnheim Karlsruhe e.V. – Hermann-Ehlers-Kolleg
Matthias Nagel
Willy-Andreas-Allee 1, 76131 Karlsruhe, Germany
Phone: +49-721-96869289, Mobile: +49-151-15998774
E-Mail: matthias.nagel(a)hermann-ehlers-kolleg.de
[View Less]
Dear Knot Resolver users,
Knot Resolver 1.5.1 is released, mainly with bugfixes and cleanups!
Incompatible changes
--------------------
- script supervisor.py was removed, please migrate to a real process manager
- module ketcd was renamed to etcd for consistency
- module kmemcached was renamed to memcached for consistency
Bugfixes
--------
- fix SIGPIPE crashes (#271)
- tests: work around out-of-space for platforms with larger memory pages
- lua: fix mistakes in bindings affecting 1.4.0 and …
[View More]1.5.0 (and
1.99.1-alpha),
potentially causing problems in dns64 and workarounds modules
- predict module: various fixes (!399)
Improvements
------------
- add priming module to implement RFC 8109, enabled by default (#220)
- add modules helping with system time problems, enabled by default;
for details see documentation of detect_time_skew and detect_time_jump
Full changelog:
https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v1.5.1/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-1.5.1.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-1.5.1.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v1.5.1/
--Vladimir
[View Less]
Hello guys,
there has been a request in our issue tracker [1], to enable
IPV6_USE_MIN_MTU socket option [2] for IPv6 UDP sockets in Knot DNS.
This option makes the operating system to send the responses with a
maximal fragment size of 1280 bytes (minimal MTU size required by IPv6
specification).
The reasoning is based on the draft by Mark Andrews from 2012 [3]. I
wonder if the reasoning is still valid in 2016. And I'm afraid that
enabling this option could enlarge the window for possible DNS …
[View More]cache
poisoning attacks.
We would appreciate any feedback on your operational experience with DNS
on IPv6 related to packet fragmentation.
[1] https://gitlab.labs.nic.cz/labs/knot/issues/467
[2] https://tools.ietf.org/html/rfc3542#section-11.1
[3] https://tools.ietf.org/html/draft-andrews-dnsext-udp-fragmentation-01
Thanks and regards,
Jan
[View Less]
Hi everybody,
Is there a way how to change TTL of all zone records at once using knotc? I.e.
without editing the zone file manually. Something what I can do using $TTL
directive in Bind9 zone files?
If not I would like to ask for implementing if possible.
Thanks
Regards
Ales Rygl