Tha man page for keymgr says that the keymgr generate command
(quote) Generates new DNSSEC key and stores it in KASP database. (unquote)
What is exactly stored in the KASP database?
The reason I am asking is because the actual cryptographic key will be
available in the clear only when using the default key store. When using an
HSM (or event softhsm) only the HSM will have access to the key in the
clear. So, what is it that gets stored in the KASP database when an HSM is
used for generating keys?
Hi,
We are testing migration from bind to knot, to implement dnssec. We like
many things about knot! Thank you for making it available!
So far many things work, but we do have some uncertainties. Hope they're
not too basic to ask here...
We are using ubuntu, knot 3.1.0, our static bind zone files saved as
/var/lib/knot/zones/db.domain.com and also the non-binary knot config.
(in /etc/knot/knot.conf)
1) I wanted to test the knotc zone-backup command, but we're getting:
> error: backup init failed (operation not permitted)
Is the zone-backup command geared towards binary zones? Are our static
zone files the reason this doesn't work? I realise we can simply copy
the zone files, so in our case, the backup command probably adds nothing.
2) I have enabled DNSSEC, and upon restart we saw the keys being
generated, and files appeared under /var/lib/knot/keys
I guess keeping copies of the files there is adequate backup too? No
"knotc zone-backup" required here as well?
3) After each knot restart, we are seeing:
> Aug 2 16:44:56 Latitude-E7470 knotd[259063]: info: [1.2.3.4.in-addr.arpa.] DNSSEC, zone is up-to-date
> Aug 2 16:44:56 Latitude-E7470 knotd[259063]: info: [1.2.3.4.in-addr.arpa.] loaded, serial none -> 2017041004, 106139 bytes
> Aug 2 16:44:56 Latitude-E7470 knotd[259063]: info: [1.2.3.4.in-addr.arpa.] DNSSEC, next signing at 2021-08-09T16:10:10+0200
> Aug 2 16:44:56 Latitude-E7470 knotd[259063]: info: [domain.com.] DNSSEC, zone is up-to-date
> Aug 2 16:44:56 Latitude-E7470 knotd[259063]: info: [domain.com.] loaded, serial none -> 2021072903, 183151 bytes
> Aug 2 16:44:56 Latitude-E7470 knotd[259063]: info: [domain.com.] DNSSEC, next signing at 2021-08-09T16:10:10+0200
> Aug 2 16:44:56 Latitude-E7470 knotd[259063]: warning: [domain.com.] failed to update zone file (operation not permitted)
> Aug 2 16:44:56 Latitude-E7470 knotd[259063]: error: [domain.com.] zone event 'journal flush' failed (operation not permitted)
> Aug 2 16:44:56 Latitude-E7470 knotd[259063]: warning: [1.2.3.4.in-addr.arpa.] failed to update zone file (operation not permitted)
> Aug 2 16:44:56 Latitude-E7470 knotd[259063]: error: [1.2.3.4.in-addr.arpa.] zone event 'journal flush' failed (operation not permitted)
We would like to understand the warnings/errors here too. Why would knot
try to update the zone files, and why it is failing? I have set the
permissions on the zone files 660 / knot:knot so it should be able edit
them. (but again: why would knot want to update them?)
Thanks for any feedback!
MJ
Hi all
I am currently running these two policies:
```
policy:
- id: edecc
algorithm: ed25519
nsec3: on
- id: rsa
algorithm: RSASHA256
ksk-size: 2048
zsk-size: 2048
nsec3: on
```
I tried enabling both with this command, but to no effect:
```
dnssec-policy: [ edecc, rsa ]
```
Is there a way to do both at the same time in one zone?
I am currently running knot 3.0.8
Cheers,
Stefan
Hi,
i'm trying to setup a knot dns server for my personal domain.
The servers are running and synchronizing between master and slave, but
i cannot figure out why they do not get accepted by my domain hoster.
I do get a 'Parameter value range error' response from them, so i figure
it may be my configuration which is not right.
I'm no pro in this stuff but i'm curious how it works, so if you don't
mind i'll post it here and maybe someone has a thought what could be
going on. Or maybe has some additional test i can run.
I also checked them with nast from denic:
https://www.denic.de/en/service/tools/nast/ (Nameserver Predelegation Check)
Which doesn't complain, if i enter ns1.mydomain.de/ns2.domain.de and
ipv4 / ipv6 ip's and click 'execute check'.
I also checked with dig for response:
dig @ns1.mydomain.de mydomain.de soa
;; BADCOOKIE, retrying.
; <<>> DiG 9.16.18 <<>> @ns1.mydomain.de mydomain.de soa
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1174
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 270b9518832d67270100000060d6d65c1844d3479cc64453 (good)
;; QUESTION SECTION:
;mydomain.de. IN SOA
;; ANSWER SECTION:
mydomain.de. 86400 IN SOA ns1.mydomain.de.
dnsadmin.mydomain.de. 2021062526 14400 1800 2419200 900
;; Query time: 63 msec
;; SERVER: aa.bb.cc.dd.ee#53(aa.bb.cc.dd)
;; WHEN: Sa Jun 26 09:25:16 CEST 2021
;; MSG SIZE rcvd: 119
and here is my config:
server:
identity: ns1.mydomain.de
nsid: ns1.mydomain.de
rundir: "/run/knot"
user: knot:knot
listen: [ aa.bb.cc.dd.ee@53, aa:bb:cc:dd@53 ]
mod-rrl:
- id: default
rate-limit: 200
slip: 2
log:
- target: syslog
any: info
policy:
- id: rsa2k
algorithm: RSASHA256
ksk-size: 4096
zsk-size: 2048
nsec3: on
- id: ececc
algorithm: ecdsap384sha384
nsec3: on
template:
- id: default
storage: "/var/lib/knot"
dnssec-signing: on
dnssec-policy: rsa2k
global-module: mod-cookies
global-module: mod-rrl/default
database:
storage: "/var/lib/knot"
key:
- id: dnsmaster
algorithm: hmac-sha512
secret: secret
- id: dnsslave
algorithm: hmac-sha512
secret: secret
remote:
- id: secondary
address: ee.ff.gg.hh@53
key: dnsslave
acl:
- id: acl_secondary
address: ee.ff.gg.hh
key: dnsmaster
action: transfer
zone:
- domain: mydomain.de
file: "/etc/knot/zones/mydomain.de.zone"
notify: secondary
acl: acl_secondary
zonefile-load: difference
and my zone file (without the keys and stuff added from knotd):
;; Zone dump (Knot DNS 3.0.7)
mydomain.de. 86400 SOA ns1.mydomain.de.
dnsadmin.mydomain.de. 2021062526 14400 1800 2419200 900
mydomain.de. 86400 AAAA aa:bb:cc:dd
mydomain.de. 86400 A aa.bb.cc.dd
mydomain.de. 86400 TXT "v=spf1 ip4:aa.bb.cc.dd -all"
mydomain.de. 86400 NS ns1.mydomain.de.
mydomain.de. 86400 NS ns2.mydomain.de.
mydomain.de. 86400 MX 10 mail.mydomain.de.
_dmarc.mydomain.de. 86400 TXT "v=DMARC1; p=reject;
rua=mailto:postmaster@mydomain.de; pct=100; fo=0:d:s; aspf=r; adkim=r;"
_token._dnswl.mydomain.de. 86400 TXT "somestuff"
2020._domainkey.mydomain.de. 86400 TXT "v=DKIM1;k=rsa;p=alongline"
_mta-sts.mydomain.de. 86400 TXT "v=STSv1; id=20210519103000Z;"
_smtp._tls.mydomain.de. 86400 TXT "v=TLSRPTv1;
rua=mailto:postmaster@mydomain.de"
autoconfig.mydomain.de. 86400 AAAA aa:bb:cc:dd
autoconfig.mydomain.de. 86400 A aa.bb.cc.dd
test.mydomain.de. 86400 AAAA ee:ff:gg:hh
test.mydomain.de. 86400 A ee.ff.gg.hh
imap.mydomain.de. 86400 AAAA aa:bb:cc:dd
imap.mydomain.de. 86400 A aa.bb.cc.dd
mail.mydomain.de. 86400 AAAA aa:bb:cc:dd
mail.mydomain.de. 86400 A aa.bb.cc.dd
mta-sts.mydomain.de. 86400 AAAA aa:bb:cc:dd
mta-sts.mydomain.de. 86400 A aa.bb.cc.dd
ns1.mydomain.de. 86400 AAAA aa:bb:cc:dd
ns1.mydomain.de. 86400 A aa.bb.cc.dd
ns2.mydomain.de. 86400 A ee.ff.gg.hh
ns2.mydomain.de. 86400 AAAA ee:ff:gg:hh
smtp.mydomain.de. 86400 AAAA aa:bb:cc:dd
smtp.mydomain.de. 86400 A aa.bb.cc.dd
wiki.mydomain.de. 86400 AAAA aa:bb:cc:dd
wiki.mydomain.de. 86400 A aa.bb.cc.dd
www.mydomain.de. 86400 AAAA aa:bb:cc:dd
www.mydomain.de. 86400 A aa.bb.cc.dd
thanks for listening!
juergen
Hello List,
I like to change to knot but ..........;-)
Can any help Please?
1.
My config is working with the Master Domains but I have a problem to configure
to allow update "AXFER" TO my SLAVE servers ?
What is the way to allow this.
2.
I have a internal zone "examle.com.lan" this is loading, but I have to
configure a PTR Zone this is not working, have any a example to configure this
out.
also a in-addr-arpa zonen?
3.
the same Problem I have with ip6-arpa, what is the way to configure my hurican
Net reverse zone
with my old server bind this is all working, but I like to change :-)
for all Help / answers all thanks
--
mit freundlichen Grüßen / best regards
Günther J. Niederwimmer