Hi,
I do want to point out: http://www.lmdb.tech/doc/upgrading.html
tl;dr dump your databases *before* upgrading.
I got bitten by this on FreeBSD and had had to fall back to lmdb 0.93.5
Has anyone succeeded in this migration your knot databases to lmdb 1.0?
Which knot databases are involved? (journal, timers, kasp, …?)
Thanks and regards,
Michael
Hello
Each action I try to do on knot gets the error
error: failed to load configuration file '/usr/local/etc/knot/knot.conf'
(MDB_BAD_TXN: Transaction must abort, has a child, or is invalid)
What can I do ? (configuration not changed recently)
Hi
I have two questions about this blog post on multi-signers: https://en.blog.nic.cz/2025/05/07/knot-dns-in-a-complex-dnssec-topology/
First, the blog post shows auto-increment SOA serial mode for the zone files in-line with the docs example:
```
zonefile-sync: -1zonefile-load: difference-no-serial
journal-content: all
```
This would work fine for me in general, I don't mind zone files being the "source of truth".
But the docs has a note "This mode is not suitable if the zone can be modified externally (e.g. DDNS, knotc)."
Do I understand correctly that this is because any dynamic changes to the zone get wiped on reboot ? So, for example, if the only external DDNS modification in my environment is DNS-01 for cert issuance, it won't cause me a problem, because those are ephemeral by nature anyway ?
This then raises the second question, how would I deal with catlog zones with this concept of multi-signers ? Or are catlog zones too much trouble in a multi-signer environment ?
Thank you
Hello!
I'm testing periodic key rollovers in a playground running Knot DNS 3.5.4 (I am
aware that 3.5.5 is out, but this message is also in the current source code)
Zone transfers are not being performed, neither incoming nor outgoing (the
latter occasionally to see zone content as shown below).
At the completion of each signing operation (with purposely very short
timings), I see the following debug output:
2026-06-19T08:39:32+0000 info: [b.net.] DNSSEC, signing zone
2026-06-19T08:39:32+0000 info: [b.net.] DNSSEC, KSK rollover started
2026-06-19T08:39:32+0000 info: [b.net.] DNSSEC, next key action, KSK tag 18749, submit at 2026-06-19T08:40:42+0000
2026-06-19T08:39:32+0000 info: [b.net.] DNSSEC, key, tag 15175, algorithm ECDSAP256SHA256, KSK
2026-06-19T08:39:32+0000 info: [b.net.] DNSSEC, key, tag 14234, algorithm ECDSAP256SHA256, public, active
2026-06-19T08:39:32+0000 info: [b.net.] DNSSEC, key, tag 60870, algorithm ECDSAP256SHA256, KSK, public, active
2026-06-19T08:39:32+0000 info: [b.net.] DNSSEC, key, tag 18749, algorithm ECDSAP256SHA256, KSK, public, active+ 2026-06-19T08:39:32+0000 info: [b.net.] DNSSEC, signing started
2026-06-19T08:39:32+0000 info: [b.net.] DNSSEC, successfully signed, serial 94, new RRSIGs 3
2026-06-19T08:39:32+0000 info: [b.net.] DNSSEC, next signing at 2026-06-19T08:40:42+0000
2026-06-19T08:39:32+0000 info: [b.net.] zone file updated, serial 93 -> 94
2026-06-19T08:39:32+0000 debug: [b.net.] disposal of old contents blocked by outstanding zone transfer
2026-06-19T08:40:42+0000 info: [b.net.] DNSSEC, signing zone
2026-06-19T08:40:42+0000 notice: [b.net.] DNSSEC, KSK submission, waiting for confirmation
2026-06-19T08:40:42+0000 info: [b.net.] DNSSEC, key, tag 15175, algorithm ECDSAP256SHA256, KSK
2026-06-19T08:40:42+0000 info: [b.net.] DNSSEC, key, tag 14234, algorithm ECDSAP256SHA256, public, active
2026-06-19T08:40:42+0000 info: [b.net.] DNSSEC, key, tag 60870, algorithm ECDSAP256SHA256, KSK, public, active
2026-06-19T08:40:42+0000 info: [b.net.] DNSSEC, key, tag 18749, algorithm ECDSAP256SHA256, KSK, public, ready, active+
2026-06-19T08:40:42+0000 info: [b.net.] DNSSEC, signing started
2026-06-19T08:40:42+0000 info: [b.net.] DNSSEC, successfully signed, serial 95, new RRSIGs 6
2026-06-19T08:40:42+0000 info: [b.net.] DNSSEC, next signing at 2026-07-03T06:45:11+0000
2026-06-19T08:40:42+0000 info: [b.net.] zone file updated, serial 94 -> 95
2026-06-19T08:40:42+0000 debug: [b.net.] disposal of old contents blocked by outstanding zone transfer
2026-06-19T08:40:42+0000 info: [b.net.] DS check, outgoing, remote 127.0.0.2@53 TCP, key p01., KSK submission check: negative
2026-06-19T08:40:52+0000 info: [b.net.] DS push, outgoing, remote 127.0.0.2@53 TCP, key p01., success
2026-06-19T08:41:42+0000 info: [b.net.] DS check, outgoing, remote 127.0.0.2@53 TCP, key p01., KSK submission check: positive
2026-06-19T08:41:42+0000 notice: [b.net.] DNSSEC, KSK submission, confirmed
The zone itself is trivially short:
$ dig -p 5340 @127.0.0.1 b.net AXFR +noall +answer +onesoa | ldns-read-zone -s
b.net. 60 IN SOA ns.b.net. root.b.net. 100 10800 3600 604800 3600
www.b.net. 60 IN HTTPS 0 b.net.
ns.b.net. 60 IN AAAA 2001:db8:2::4444
ns.b.net. 60 IN A 192.0.2.42
b.net. 60 IN NSEC3PARAM 1 0 0 -
b.net. 60 IN DNSKEY 257 3 13 zmXFV/KHpRk/E6l7oiRg2f2M+YpWxGqHFJtHmsAFl4KAxZPeiL2VIFLswpGnrwxO47//vz/I1VqsLhmUz9k35A== ;{id = 18749 (ksk), size = 256b}
b.net. 60 IN DNSKEY 256 3 13 x9PPypMDeXRarFtYwxT5uvQjE/DHQd6g+NcF5FkVGDhz/+Xq2r3ZDfLXYUjW1ivoZHstnH5hSC4znp9oghlLfw== ;{id = 38612 (zsk), size = 256b}
b.net. 60 IN TXT "DNS is innocent"
b.net. 60 IN NS ns.b.net.
and the IMO relevant bits of the configuration are:
acl:
- id: all_xfr
address: [ 127.0.0.1 ]
action: [ transfer, notify ]
submission:
- id: pdns_submission
check-interval: 60s
parent: pdns_remote
parent-delay: 10s
template:
- id: default
storage: "/tmp/zones"
zonefile-load: difference
file: "%s"
policy:
- id: autoFAST
keystore: pemstore
single-type-signing: off
manual: off
algorithm: ecdsap256sha256
ksk-shared: off
ksk-lifetime: 1h
zsk-lifetime: 2h
delete-delay: 1h
propagation-delay: 10s
nsec3: on
nsec3-iterations: 0
nsec3-salt-length: 0
nsec3-salt-lifetime: 0
cds-cdnskey-publish: rollover
zone-max-ttl: 60s
ksk-submission: pdns_submission
ds-push: pdns_remote
zone:
- domain: b.net
dnssec-signing: on
dnssec-policy: autoFAST
acl: [ all_xfr ]
Ought I be worried about "disposal of old contents blocked by outstanding zone
transfer"? I don't think I've noticed that before.
A second zone which uses the same policy shows the same behaviour.
Best regards,
-JP
Hello,
I would like to report a bug in Knot DNS 3.5.x where AXFR responses do not
have the Authoritative Answer (AA) bit set, which appears to violate RFC
5936 §2.2.
Affected versions tested:
- 3.5.3
- 3.5.4
Packages tested:
- cznic.1~bookworm
Summary
RFC 5936 §2.2 states:
"Each DNS message returned by the AXFR server MUST have the AA bit set to
1."
However, Knot DNS sends AXFR responses with flags set to qr only. The AA
bit is not set in any of the messages in the transfer stream.
As a result, strict secondary DNS servers, notably Windows Server DNS,
reject such responses as invalid and abort the zone transfer.
Expected behavior
AXFR response messages should have the AA bit set.
Expected flags:
qr aa
Actual behavior
AXFR response messages have only the QR bit set.
Actual flags:
qr
Possible root cause
The function axfr_process_query() in src/knot/nameserver/axfr.c does not
appear to call knot_wire_set_aa().
By contrast, the normal query path, via solve_answer() in internet.c, does
set the AA bit, so SOA, A, and other authoritative responses are returned
correctly. The AXFR code path appears to bypass this logic.
Minimal reproducer
dig @<knot-master> +tcp AXFR <zone> | head -2
Observed output:
;; flags: qr;
The AA bit is missing.
This can also be verified with tcpdump: byte 3 of each DNS message in the
AXFR stream has value 0x80 / QR only, instead of 0x84 / QR + AA.
--
Best regards,
Mateusz Masłowski
Hi all
I am having trouble forwarding a subdomain since I upgraded to the latest
knot.
For a couple of years I have been running a custom DNS server under
dynamic.estada.ch that the clients find via my regular infrastructure.
On my primary zone I have these records, but knot appears to answer weirdly:
*estada.ch.zone*
dynamic.estada.ch. 3600 A 185.194.239.135
dynamic.estada.ch. 3600 AAAA 2a0a:51c0::12b
dynamic.estada.ch. 3600 NS dynamic.estada.ch.
kdig AAAA dynamic.estada.ch @ns1.estada.ch
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 29173
;; Flags: qr rd; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 3
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; QUESTION SECTION:
;; dynamic.estada.ch. IN AAAA
;; AUTHORITY SECTION:
dynamic.estada.ch. 3600 IN NS dynamic.estada.ch.
;; ADDITIONAL SECTION:
dynamic.estada.ch. 3600 IN A 185.194.239.135
dynamic.estada.ch. 3600 IN AAAA 2a0a:51c0::12b
But public servers don't get the glue records:
kdig AAAA dynamic.estada.ch @9.9.9.9
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 63899
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; QUESTION SECTION:
;; dynamic.estada.ch. IN AAAA
The trouble is that most resolvers are now unable to resolve the domain as
the AAAA and A queries still get answered with NS + additional A+AAAA.
Is there a configuration option to tell knot to actually respond with the A
or AAAA record when asked?
Also ANY, TXT, or CAA queries behave the same as NS queries:
kdig ANY dynamic.estada.ch @ns1.estada.ch
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 14419
;; Flags: qr rd; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 3
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; QUESTION SECTION:
;; dynamic.estada.ch. IN ANY
;; AUTHORITY SECTION:
dynamic.estada.ch. 3600 IN NS dynamic.estada.ch.
;; ADDITIONAL SECTION:
dynamic.estada.ch. 3600 IN A 185.194.239.135
dynamic.estada.ch. 3600 IN AAAA 2a0a:51c0::12b
I am happy for any pointers you may have.
Cheers,
Stefan
Hi,
until now I had 3 secondaries running and a hidden primary. This ran perfectly well.
Now, I'd like to add some fallback functionality to deal with a potential longer downtime of my hidden primary. Thus I added two more hidden primaries such that now every host (3) has a hidden primary that can serve every secondary at all hosts. But: Only one should be active! Zone and database data will frequently be rsynced to both inactive primaries. If there would be a downtime I will have to start one of the others to continue.
According to my understanding of https://www.knot-dns.cz/docs/3.5/html/configuration.html#secondary-slave-zo… I have been in the naive understanding that a configuration like ...
remote:
- id: primaryMWN # MWN hidden primary (running)
address: 10.0.1.203@5333
- id: primaryKBN # KBN hidden primary (not running, standby)
address: 10.0.2.203@5333
- id: primaryEDN # EDN hidden primary (not running, standby)
address: 10.0.3.203@5333
template:
- id: default
master: [primaryMWN, primaryKBN, primaryEDN] # queried in that order
… would work, because of:
"Note that the master option accepts a list of remotes, which are queried for a zone refresh sequentially in the specified order. When the server receives a zone change notification from a listed remote, only that remote is used for a subsequent zone transfer."
But I do get error massages like:
edn.ellael.lan (ns3) knot[29856]: warning: [ellael.org.] refresh, remote primaryKBN not usable
edn.ellael.lan (ns3) knot[29856]: info: [ellael.org.] refresh, remote primaryEDN, address 10.0.3.203@5333, failed (connection reset)
edn.ellael.lan (ns3) knot[29856]: warning: [ellael.org.] refresh, remote primaryEDN not usable
edn.ellael.lan (ns3) knot[29856]: error: [ellael.org.] refresh, failed (no usable master), next retry at 2026-04-27T19:03:03+0200, expires in 1119353 seconds
edn.ellael.lan (ns3) knot[29856]: error: [ellael.org.] zone event 'refresh' failed (no usable master)
If I do use "master: primaryMWN" only, everything runs as expected.
I must have misunderstood something ...
Ok, I will have to modify all remaining secondary's knot.conf files if desaster strikes and another primary has to take over.
BTW: I wanted to omit a multi primary setup as mentioned in https://www.knot-dns.cz/docs/3.5/singlehtml/#multi-primary because I do have the feeling that this is some sort of overkill for hosting 5 domains, only ;-)
Are there other ways to achieve my goal? ;-)
Thanks and regards,
Michael