Is there a way to configure Knot to avoid overwriting a zone file when
it's doing automatic signing?
I was hoping some combination of zonefile-load and journal-content
would tell Knot to store its internally managed data in the journal
instead of in the zone file, but I haven't found that combination. I
don't see any other likely candidates in the config options, but
hoping I've missed something...
Good afternoon,
in preparation for Knot 3.1, I wanted to update our template that uses
zonefile-load: difference-no-serial from journal-content: changes to
journal-content: all.
However, it seems that we somehow have to update the existing journal.
Otherwise it seems the first change to a zone after that change, will
lead to the following error (running knot 3.0.4):
error: [example.net.] zone event 'load' failed (semantic check)
Subsequent changes seem to be applied just fine.
What is the proposed strategy to change this setting?
Regards
André
Hi,
we performed successfully an algorithm rollover. After changing the
algorithm in the configuration file everything worked as expected. All
zones have been updated to the new algorithm.
When I now sign a new zone the zone is being signed with the old
algorithm's key and an algorithm rollover is being triggered immediately.
Is this an expected behavior? How can I avoid this? Do I have to delete
the old key?
Thanks a lot,
Thomas
Hi!
I have two Debian 10 Buster systems, both patched up current, and both
running Knot 3.0.4-1~cz.nic~buster1 from the apt repository at
https://deb.knot-dns.cz/knot-latest/.
Both Knot installations have virtually identical configs .. really
only different in the related hosts and zone lists. Their logging
configs are both:
log:
- target: syslog
any: info
One of these Knot instances logs to syslog, and the other logs to
systemd-journald. I'm trying to figure out why the difference, and
I've come up empty. The Knot docs simply say that if Knot is compiled
against systemd, then a 'syslog' setting will use systemd-journald.
Mostly I want to know so that I can convince the one using journald to
stop doing that. :) What other things might trigger Knot to use
syslog on a systemd-managed host?
Hi,
is it possible to have two different DNSSEC policies in place? For
example having one domain singed with Alg 8 and another one with Alg 13?
Thanks a lot,
Thomas
Hi!
Today we tried to do a dynamic update to the dnskey set.
What we want to do is to import the ZSK from another signer.
Didn’t work so well.
Feb 16 17:15:28 ip-172-31-38-41 knotd[24222]: warning: DDNS, refusing to update DNSSEC-related record
I guess knot doesn’t like dynamic DNSSEC updates.
I even tried with policy manual:on.
What does one have to do to be allowed to add (or delete) DNSKEY records?
/Ulrich
Hello all, I am attempting to test freezing a zone, and something appears not to be working (that something could be my understanding of how it is supposed to work).
Using a very simple example.com zone (the default that ships with v3.0.4), I am able to query for "mail.example.com" and get the correct response back. I then query for "test.example.com" and get an NXDOMAIN, as expected. Then I do the following:
$ sudo knotc zone-freeze example.com
OK
$
Doing a zone-status, I see:
$ sudo knotc zone-status example.com
[example.com.] role: master | serial: 2010111219 | transaction: none | freeze: yes | expiration: not scheduled | notify: not scheduled
$ sudo knotc zone-begin example.com
OK
$ sudo knotc zone-set example.com test 3600 A 150.150.150.150
OK
$ sudo knotc zone-commit example.com
OK
$ sudo knotc zone-flush example.com
OK
$
After the zone-flush, I am able to query for "test.example.com" and I get back the A-record with address 150.150.150.150. I would have thought that with the zone frozen, the zone-flush would not go through and the A-record for "test" would not be added.
Am I missing something obvious, or does zone-freeze just not work in version 3.0.4?
Thanks in advance,
~J
