I am trying to import a public key generated by BIND into Knot, when using
the SoftHSM2 key store. I have the following pieces of information:
In my knot.conf file:
policy:
  - id: SoftHSMRSAPolicy
    algorithm: RSASHA256
    ksk-size: 2048
    zsk-size: 2048
    ksk-lifetime: 7h
    zsk-lifetime: 6h
    dnskey-ttl: 12s
    zone-max-ttl: 15s
    keystore: SoftHSM
zone:
  - domain: 00.mydomain.com
    storage: /srv/knot
    file: db.mydomain00
    dnssec-signing: on
    dnssec-policy: SoftHSMRSAPolicy
The public key is in a file named pubkey, and has the following contents:
; This is a zone-signing key, keyid 14694, for 00.mydomain.com.
; Created: 20211109192137 (Tue Nov 9 12:21:37 2021)
; Publish: 20211109192137 (Tue Nov 9 12:21:37 2021)
; Activate: 20211109192137 (Tue Nov 9 12:21:37 2021)
00.mydomain.com. IN DNSKEY 256 3 8 AwEAAd1XmDMiF4/WWW+lneSg2hScxQlTJHU/cIyBnDJDnW3MFkuyR7e+y3UqZScTXz5tfcGkDYGpqFqZ3+RgyN7A3ZAC3RsayivUuE9lec25IT97jPZaTsHUjalDQjXkBhCIHBb79vVsz0SMZOeez78qzhRtpdkFYVNRcAW4EZVgdQAdiuJGeDEuxsaTkRnLwujnaqURyAzevqfQfjz319CPsYr4tN4K9nu2Fc0Sh+b5pdM6ejRieLnUUgZpuefRfgsSHJQErNeFevdtihLpq93rE5OARwmK0c4vyzgpmREloMJlwV+lrZdlKqZnnIZIXgkD+59Tjh0XZ72exdvonun4uG8=
(The DNSKEY record is in a single line.)
The command I am using to import this key is
# ./keymgr 00.mydomain.com. import-pub ./pubkey
This spins for a few seconds and then prints out:
Error: file error
Any ideas as to what it is that I am doing wrong?
The command that I am invoking to import this public key is the following:
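Before blaming the import tool, it is worth confirming that the public key file itself is intact: the base64 decodes, the RDATA has the RSA shape expected for algorithm 8, and the key tag computed from the record (RFC 4034, Appendix B) equals the keyid BIND wrote into the header comment. The script below is an added example, not code from the thread and not Knot's keymgr; it embeds the key file quoted above as a constructed sample (base64 re-joined across the mail wrapping) and also copes with a record that has been wrapped over several lines, which is the failure mode the poster is worried about.

```python
import base64
import re
import struct

# Constructed sample: the BIND-format public key file quoted in the post, with
# the DNSKEY record on one line as the poster says it is on disk. The base64 is
# the poster's, re-joined across the e-mail line wraps.
SAMPLE_PUBKEY_FILE = (
    "; This is a zone-signing key, keyid 14694, for 00.mydomain.com.\n"
    "; Created: 20211109192137 (Tue Nov 9 12:21:37 2021)\n"
    "; Publish: 20211109192137 (Tue Nov 9 12:21:37 2021)\n"
    "; Activate: 20211109192137 (Tue Nov 9 12:21:37 2021)\n"
    "00.mydomain.com. IN DNSKEY 256 3 8 "
    "AwEAAd1XmDMiF4/WWW+lneSg2hScxQl"
    "TJHU/cIyBnDJDnW3MFkuyR7e+y3UqZScTXz5tfcGkDYGpqFqZ3+RgyN7A3ZAC3RsayivUuE9lec25IT97"
    "jPZaTsHUjalDQjXkBhCIHBb79vVsz0SMZOeez78qzhRtpdkFYVNRcAW4EZVgdQAdiuJGeDEuxsaTkRnL"
    "wujnaqURyAzevqfQfjz319CPsYr4tN4K9nu2Fc0Sh+b5pdM6ejRieLnUUgZpuefRfgsSHJQErNe"
    "FevdtihLpq93r"
    "E5OARwmK0c4vyzgpmREloMJlwV+lrZdlKqZnnIZIXgkD+59Tjh0XZ72exdvonun4uG8=\n"
)

RSA_ALGORITHMS = {5, 7, 8, 10}  # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512


def key_tag(rdata: bytes) -> int:
    """Key tag over the complete DNSKEY RDATA (RFC 4034, Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_rsa_public_key(pubkey: bytes):
    """RFC 3110 wire format: exponent length (1 byte, or 0 + 2 bytes), exponent, modulus."""
    if pubkey[0] != 0:
        elen, off = pubkey[0], 1
    else:
        elen, off = struct.unpack("!H", pubkey[1:3])[0], 3
    exponent = int.from_bytes(pubkey[off:off + elen], "big")
    modulus = pubkey[off + elen:]
    return exponent, modulus


def parse_bind_public_key(text: str) -> dict:
    """Parse a BIND K*.key file; a record wrapped over several lines is re-joined."""
    header_keyid = None
    tokens = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(";"):
            m = re.search(r"\bkeyid (\d+)", line)
            if m:
                header_keyid = int(m.group(1))
            continue
        tokens.extend(line.split())
    if "DNSKEY" not in tokens:
        raise ValueError("no DNSKEY record in file")
    i = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    if protocol != 3:
        raise ValueError(f"DNSKEY protocol must be 3, got {protocol}")
    # validate=True rejects any character outside the base64 alphabet, so a
    # mangled key fails here instead of producing a silently wrong key.
    pubkey = base64.b64decode("".join(tokens[i + 4:]), validate=True)
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    info = {
        "owner": tokens[0],
        "flags": flags,
        "protocol": protocol,
        "algorithm": algorithm,
        "pubkey_len": len(pubkey),
        "rdata_len": len(rdata),
        "key_tag": key_tag(rdata),
        "header_keyid": header_keyid,
    }
    if algorithm in RSA_ALGORITHMS:
        exponent, modulus = parse_rsa_public_key(pubkey)
        info["exponent"] = exponent
        info["modulus_bits"] = int.from_bytes(modulus, "big").bit_length()
    # The keyid in the header comment is the key tag BIND computed when it
    # generated the key; a mismatch means the record was altered in transit.
    info["keyid_matches"] = header_keyid == info["key_tag"]
    return info


if __name__ == "__main__":
    for k, v in parse_bind_public_key(SAMPLE_PUBKEY_FILE).items():
        print(f"{k:>14}: {v}")
```

For the key above the parser should report flags 256, protocol 3, algorithm 8, a 260-byte public key (exponent 65537, 2048-bit modulus) and a header keyid of 14694; if keyid_matches comes out false the base64 no longer corresponds to the key BIND generated, and an import tool is entitled to reject the file.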
I have been trying to get a better understanding concerning the information
Knot stores in its KASP. Knot adds new key information into the KASP by
means of the kasp_db_add_key function. One of the arguments to this
function is a pointer to a key_params_t structure, one of whose members is
called is_pub_only. This would seem to imply that the KASP may contain
information about key pairs such that only the public component of the key
pair is available to Knot.
Under what set of circumstances would such a key be stored in the KASP?
Since they are used for signing RRs, any KSKs and ZSKs in the KASP have to
be complete, in that both the private and the public components are
available to Knot (I know that the private component itself is not present
in the KASP, but that's OK). A KASP key for which the private component is
not available could be used for verifying signatures - but that's not
something that Knot does, right?
So, under what set circumstances would Knot add a key to the KASP such that
the is_pub_only member is set to true?
Hi,
I'm trying to dig into the dns-benchmark tools, but am running into a
few issues. I realized that it requires some specific settings, like
/home/dnsbench seems to be hardcoded for the logs somehow, and it being
run as root, but now I see a lot of syntax error messages flooding me,
with lines in between saying that hostname is an invalid number:
(standard_in) 2: syntax error
(standard_in) 2: syntax error
(standard_in) 2: syntax error
(standard_in) 2: syntax error
(standard_in) 1: syntax error
(standard_in) 1: syntax error
(standard_in) 1: syntax error
(standard_in) 1: syntax error
(standard_in) 1: syntax error
/tmp/benchmark-1636019360/modules/responses.sh: line 170: printf: hostname: invalid number
knot2 ssh: % answered for Could q/s, not B avg (resolve a/s, 0 B avg)
(repeated output)
Anyone else using the tools and potentially can give me a prod in the
right direction? We'd like to check how knot performs in our
environment with the systems we have at hand.
Thanks in advance for any advice,
Rhonda
Hi,
we've had knot in use for years now and are still using version 1.6.7. I
We've recently migrated e-mail to Exchange Online. I've been asked to update the MX record in the zone to point to mail.protection.outlook.com.
I initially tried to simply replace the current value with mail.protection.outlook.com, but then the name of the zone is added to the value. This is not a valid record.
I see no way to update the MX record to this value. Any suggestions?
Thanks in advance for the feedback.
Kind regards,
Dirk
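The behaviour Dirk describes is the master-file rule for relative names (RFC 1035, section 5.1): a name that does not end in a dot is relative to the current origin, so the zone name is appended to it, while a name terminated with a dot is taken as absolute. The following is an added example, not part of the thread and not Knot's own zone parser: a minimal zone-line parser in Python that applies that rule and lists the MX targets that resolved inside the zone. The sample zone is constructed and uses the documentation name example.net in place of the real zone; both MX lines name the host from the post, and only the second one carries the trailing dot.

```python
# Constructed sample zone (example.net is an RFC 2606 documentation name).
SAMPLE_ZONE = """\
$ORIGIN example.net.
$TTL 3600
@    IN SOA ns1.example.net. hostmaster.example.net. 2021110901 7200 3600 1209600 3600
@    IN NS  ns1
ns1  IN A   192.0.2.1
@    IN MX  10 mail.protection.outlook.com    ; relative: the origin gets appended
@    IN MX  20 mail.protection.outlook.com.   ; absolute: the intended target
"""


def normalize(origin: str) -> str:
    """Origins are always handled in absolute (dot-terminated) form."""
    return origin if origin.endswith(".") else origin + "."


def absolute_name(name: str, origin: str) -> str:
    """Master-file rule: '@' is the origin, a name ending in '.' is absolute,
    anything else is relative and has the origin appended."""
    origin = normalize(origin)
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text: str, default_origin: str):
    """Return (owner, type, rdata) triples with owner and name-valued rdata
    made absolute. Handles $ORIGIN, optional TTL and class; one record per line."""
    origin = normalize(default_origin)
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = normalize(tokens[1])
            continue
        if tokens[0].startswith("$"):  # $TTL and other directives: nothing to resolve
            continue
        owner = absolute_name(tokens[0], origin)
        i = 1
        if tokens[i].isdigit():  # optional TTL
            i += 1
        if tokens[i].upper() == "IN":  # optional class
            i += 1
        rtype = tokens[i].upper()
        rdata = tokens[i + 1:]
        if rtype == "MX":
            rdata = [int(rdata[0]), absolute_name(rdata[1], origin)]
        elif rtype in ("NS", "CNAME", "PTR"):
            rdata = [absolute_name(rdata[0], origin)]
        records.append((owner, rtype, rdata))
    return records


def mx_targets_inside_zone(records, origin: str):
    """MX targets that ended up below the zone apex. An external mail host
    showing up here is the symptom of a missing trailing dot."""
    origin = normalize(origin)
    found = []
    for owner, rtype, rdata in records:
        if rtype == "MX" and rdata[1].endswith("." + origin):
            found.append((owner, rdata[0], rdata[1]))
    return found


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE, "example.net")
    for owner, rtype, rdata in recs:
        print(owner, rtype, *rdata)
    print("in-zone MX targets:", mx_targets_inside_zone(recs, "example.net"))
```

Run against the sample, the relative line resolves to mail.protection.outlook.com.example.net. and is reported as an in-zone target, while the dot-terminated line stays mail.protection.outlook.com. as intended.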
There is an Internet draft (
https://datatracker.ietf.org/doc/html/draft-koch-dnsop-dnssec-operator-chan…)
that describes a mechanism to facilitate the operation consisting of
changing the DNS delegation for a signed DNS zone. Since this is a draft, I
do not expect for Knot to provide support for it already (in fact, I know
it does not, for it involves signing a DNSKEY RR, which Knot does not do)
but I wonder whether this is something that is in Knot's roadmap?
Dear Guru(s),
If the following questions have already been asked, I do apologize and
would very much appreciate the pointers to where I can read the answer(s).
I am currently ‘running’ a DNSsec-signed zone using Alg-8 [RSA/SHA2-256].
However, I would very much like to DNSsec-sign and publish my zone with two
different algorithms (say, Alg-8 [RSA/SHA2-256] + Alg-13
[ECDSA-P256/SHA2-256]) *simultaneously*,
in case the client-validators out there cannot process one algorithm or the
other (never mind that they both are the ‘MUST’ in RFC 8624).
It also is an opportunity to train myself in case I need to ‘add’ the third
one (say, Alg-15 [ED25519]) or ‘migrate’ to the Alg-13 + Alg-15 combination
in the future.
Background Information:
1. I have a ‘hidden server’ acting as ‘The Signer’.
2. ‘The Signer’ feeds the already-signed zone to the visible ‘Primary
Server’.
3. The ‘Primary Server’, in turn, feeds all other ‘Secondary Servers’, some
of which are not under my control.
4. Unfortunately, currently none of the above servers is a Knot, but I am
switching The Signer to Knot.
My questions are:
5. What will be the correct configuration for The Knot Signer? I don’t mind
maintaining two completely separated ‘Signed Trees’ of the same zone,
unless cross-signing (the keys) between algorithms is the best practice.
6. Will there be any special configuration for the ‘Primary/Secondary
Servers’? If so, I will then need to inform admins of the servers outside
my control.
Thank you for any help you can offer, both on and off the mailing list.
Gratefully,
Pirawat.
--
Assist.Prof. Pirawat WATANAPONGSE, Ph.D.
Department of Computer Engineering
Kasetsart University, Bangkhen (Main) Campus
Bangkok 10900, THAILAND
eMail: Pirawat.W(a)ku.th or Pirawat.W(a)ku.ac.th
Tel: +66 2 797 0999 extension 1417
Fax: +66 2 579 6245
http://www.cpe.ku.ac.th/~pw/
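Whatever signer configuration is chosen, validators apply the rules of RFC 4035, section 2.2: the apex DNSKEY RRset must be signed by every algorithm listed in the parent's DS RRset, and every RRset in the zone must be signed by every algorithm present in the apex DNSKEY RRset. That is why a validator expects one DNSKEY RRset carrying both algorithms with every RRset signed twice, not two separate signed trees. The checker below is an added example, not part of the thread and not Knot code; it runs on constructed data (example.net, made-up key tags) in which the apex carries RSASHA256 (8) and ECDSAP256SHA256 (13) keys and one RRset lacks its algorithm 13 signature.

```python
# Constructed sample data (not the poster's zone): an apex DNSKEY RRset with an
# RSASHA256 (8) and an ECDSAP256SHA256 (13) key pair, the algorithms published
# in the parent's DS RRset, and the RRSIGs present on three RRsets. The key
# tags are made-up placeholders.
APEX = "example.net."
SAMPLE_DNSKEYS = [
    {"flags": 257, "alg": 8, "tag": 20000},   # KSK, RSA/SHA-256
    {"flags": 256, "alg": 8, "tag": 20001},   # ZSK, RSA/SHA-256
    {"flags": 257, "alg": 13, "tag": 30000},  # KSK, ECDSA P-256/SHA-256
    {"flags": 256, "alg": 13, "tag": 30001},  # ZSK, ECDSA P-256/SHA-256
]
SAMPLE_DS_ALGORITHMS = {8, 13}
# (owner, type) -> list of (algorithm, key tag) read from that RRset's RRSIGs
SAMPLE_RRSIGS = {
    (APEX, "DNSKEY"): [(8, 20000), (13, 30000)],
    (APEX, "SOA"): [(8, 20001), (13, 30001)],
    ("www.example.net.", "A"): [(8, 20001)],  # algorithm 13 signature missing
}


def check_algorithm_coverage(apex, dnskeys, ds_algorithms, rrsigs):
    """Return the violations of the RFC 4035 section 2.2 rules:
    (1) the apex DNSKEY RRset is signed by every algorithm in the DS RRset;
    (2) every RRset is signed by every algorithm in the apex DNSKEY RRset.
    A signature whose (algorithm, tag) matches no published DNSKEY is reported too."""
    zone_algs = {k["alg"] for k in dnskeys}
    known_keys = {(k["alg"], k["tag"]) for k in dnskeys}
    problems = []
    dnskey_sig_algs = {alg for alg, _ in rrsigs.get((apex, "DNSKEY"), [])}
    for alg in sorted(set(ds_algorithms) - dnskey_sig_algs):
        problems.append(f"{apex} DNSKEY: no RRSIG with DS algorithm {alg}")
    for (name, rtype), sigs in sorted(rrsigs.items()):
        for alg, tag in sigs:
            if (alg, tag) not in known_keys:
                problems.append(f"{name} {rtype}: RRSIG by unpublished key alg={alg} tag={tag}")
        for alg in sorted(zone_algs - {alg for alg, _ in sigs}):
            problems.append(f"{name} {rtype}: no RRSIG with algorithm {alg}")
    return problems


def with_signature(rrsigs, name, rtype, alg, tag):
    """Copy of rrsigs with one more signature on (name, rtype); used to show the fix."""
    fixed = {k: list(v) for k, v in rrsigs.items()}
    fixed.setdefault((name, rtype), []).append((alg, tag))
    return fixed


if __name__ == "__main__":
    for p in check_algorithm_coverage(APEX, SAMPLE_DNSKEYS, SAMPLE_DS_ALGORITHMS, SAMPLE_RRSIGS):
        print("PROBLEM:", p)
```

On the sample the only finding is the www A RRset lacking an algorithm 13 signature; adding that signature clears the report. The same check also catches the other direction of the transition, a DS algorithm for which the DNSKEY RRset carries no signature, which is what a validator would see if the parent's DS were updated before the signer publishes and signs with the new algorithm.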
Hi all
My server recently gained two more IPv6 & IPv4 addresses. That broke my
transfer setup because for some reason knot is not using the address it is
binding to for the requests but some of the other ones.
Can I configure that?
Best,
Stefan