knot-dns-users

knot-dns-users@lists.nic.cz

5 participants
727 discussions

by Chris

I'm currently on 2.6.5, and am moving everything to a new server I've created that's using the newest version. However, I've got a couple of zones I am trying to clean up before the move. In my effort to resign these zones, I'm retiring/removing keys associated with these zones prior to resigning them. But keymgr(8) isn't working as expected. eg; 12:25pm Fri, 21 # keymgr some.zone. set 09696 retire=20200821122736 remove=20200821122755 12:28pm Fri, 21 # keymgr some.zone. list iso ... 83ded1e7f4375657fe12ca666d4bbc6c33b7edea ksk=no zsk=yes tag=09696 algorithm=5 public-only=no created=2020-05-06T04:42:32 pre-active=2020-05-06T04:42:32 publish=2020-05-06T05:42:32 ready=1970-01-01T00:00:00 active=2020-05-06T18:42:32 retire-active=1970-01-01T00:00:00 retire=2020-08-21T12:27:36 post-active=1970-01-01T00:00:00 remove=2020-08-21T12:27:55 ... As you can see, it's 12:28 but the key was not removed. What am I (missing/misunderstanding? Thanks. --Chris

4 roky, 7 měsíců

KSK and ZKS roll-overs on schedule

by Thomas

Hi, I have another requirement for a capability test. I need to perform ZSK and KSK rollovers on specific times. Something like KSK rollover after exactly 60 hours. Or ZSK rollover after exactly 24 hours and another one after another 24 hours. And so on... One additional requirement is that I need to pre-generate the keys. I was thinking of doing it with manual key management enabled and to use the keymgr tool for it. But I'm unsure about how to set the key attributes correctly an in what order. At what point I have to set the new key to active, and how can I remove the old key, and so on... I have never done it manually as I normally use Knots automatic key management. Is the "knotc zone-key-rollover" useful here, or is it only useful in an automatic key management set up? I really appreciate any help here! Thanks a lot, Thomas

4 roky, 8 měsíců

Re: [knot-dns-users] Unexpected behaviour of `knotc zone-set` when adding a TXT record

by Daniel Salzman

Hello, You have to escape the quotes: zone-set bastetrix.com @ 86400 TXT \"v=spf1 include:spf.messagingengine.com -all\" Regards, Daniel On 8/9/20 4:47 AM, Sadiq Saif wrote: > Hi all, > > Today I ran into some unexpected behaviour, I wanted to make a modification to the TTL (3600->86400) for the SPF TXT record for bastetrix.com, so I did the following: > > zone-set bastetrix.com @ 86400 TXT "v=spf1 include:spf.messagingengine.com -all" > > But the result was unexpected, instead of modifying the record, I got a new record that looked like this: > > bastetrix.com. 86400 IN TXT "v=spf1" "include:spf.messagingengine.com" " -all" > > RFC 7208 Section 3.3: > > 3.3. Multiple Strings in a Single DNS Record > > As defined in [RFC1035], Sections 3.3 and 3.3.14, a single text DNS > record can be composed of more than one string. If a published > record contains multiple character-strings, then the record MUST be > treated as if those strings are concatenated together without adding > spaces. For example: > > IN TXT "v=spf1 .... first" "second string..." > > is equivalent to: > > IN TXT "v=spf1 .... firstsecond string..." > > TXT records containing multiple strings are useful in constructing > records that would exceed the 255-octet maximum length of a > character-string within a single TXT record. > > If I'm not misreading this bit of the RFC, that record would result in a wrongly formatted SPF record without the correct spaces. > > And indeed when I added the same SPF record to another zone (bastetrix.net) using `knotc zone set` Fastmail's DNS record checker said that I had not added a SPF record. I had to edit the zone by hand in a text editor to fix the issue. > > Is this a bug in `knotc zone-set` or intended behaviour? Am I misunderstanding some implementation detail in TXT records or the RFC? > -- > Sadiq Saif > Bastetrix LLC >

4 roky, 8 měsíců

re-sign zone

by Thomas

Hi, I have the requirement to re-sign my zones exactly every 24 hours. I'm not sure how to achieve this, because I'm not clear about the correlation of the following parameters: zsk-lifetime propagation-delay rrsig-lifetime rrsig-refresh rrsig-pre-refresh Can anybody give a hint what values I need to have an exact re-signing period of 24 hours? Thanks a lot, Thomas

4 roky, 8 měsíců

Is cds-cdnskey-publish doing too many publishes?

by Jan-Piet Mens

I have the following signing policy configured in a test environment: - id: rsadefault algorithm: RSASHA256 ksk-size: 2048 ksk-lifetime: 30m zsk-size: 1024 zsk-lifetime: 2h propagation-delay: 2s dnskey-ttl: 10s zone-max-ttl: 15s nsec3: on nsec3-iterations: 5 nsec3-salt-length: 8 nsec3-salt-lifetime: 100d cds-cdnskey-publish: always ksk-submission: ds_checker ds-push: hidden-primary I notice that every five minutes Knot is updating the DS in the parent zone hosted on a BIND server. It appears that every time Knot refreshes the secondary it also updates the DS in the parent. (Logs below.) Isn't that a bit much? I realize I've configured `cds-cdnskey-publish: always', but I was expecting "always if something changes" :-) I would prefer on CDS publishing on "rollover", but then the DS record isn't added to the parent when a zone is first signed. Is this expected behaviour, respectively, is there a different configuration I should set? Thank you, -JP zone aa.tm. has an SOA refresh of 300s (5 minutes) Knot console: Jul 15 14:38:14 ods knotd[14346]: info: [aa.tm.] refresh, remote 192.168.1.140@53, remote serial 20, zone is up-to-date Jul 15 14:38:14 ods knotd[14346]: info: [aa.tm.] DS push, outgoing, remote 192.168.1.140@53, success BIND console: 15-Jul-2020 16:38:23.946 client @0x7fd5bc7f8568 192.168.1.150#58386 (aa.tm): query: aa.tm IN SOA -E(0)T (192.168.1.140) 15-Jul-2020 16:38:23.947 client @0x7fd5bc7de168 192.168.1.150#58388/key k-signer (tm): query: tm IN SOA -SE(0)T (192.168.1.140) 15-Jul-2020 16:38:23.947 client @0x7fd5bc7de168 192.168.1.150#58388/key k-signer: signer "k-signer" approved 15-Jul-2020 16:38:23.947 client @0x7fd5bc7de168 192.168.1.150#58388/key k-signer: updating zone 'tm/IN': deleting rrset at 'aa.tm' DS 15-Jul-2020 16:38:23.947 client @0x7fd5bc7de168 192.168.1.150#58388/key k-signer: updating zone 'tm/IN': adding an RR at 'aa.tm' DS 54410 8 2 5EAF060C7F00846B82D66CAAB29542450383DDF99390151694CC2A95 8C78E648 ... after five minutes ... Knot console: Jul 15 14:43:14 ods knotd[14346]: info: [aa.tm.] refresh, remote 192.168.1.140@53, remote serial 20, zone is up-to-date Jul 15 14:43:14 ods knotd[14346]: info: [aa.tm.] DS push, outgoing, remote 192.168.1.140@53, success BIND console: 15-Jul-2020 16:43:24.016 client @0x7fd56c220d68 192.168.1.150#58390 (aa.tm): query: aa.tm IN SOA -E(0)T (192.168.1.140) 15-Jul-2020 16:43:24.017 client @0x7fd59c324768 192.168.1.150#58392/key k-signer (tm): query: tm IN SOA -SE(0)T (192.168.1.140) 15-Jul-2020 16:43:24.017 client @0x7fd59c324768 192.168.1.150#58392/key k-signer: signer "k-signer" approved 15-Jul-2020 16:43:24.017 client @0x7fd59c324768 192.168.1.150#58392/key k-signer: updating zone 'tm/IN': deleting rrset at 'aa.tm' DS 15-Jul-2020 16:43:24.017 client @0x7fd59c324768 192.168.1.150#58392/key k-signer: updating zone 'tm/IN': adding an RR at 'aa.tm' DS 54410 8 2 5EAF060C7F00846B82D66CAAB29542450383DDF99390151694CC2A95 8C78E648

4 roky, 9 měsíců

Revoking DNSSEC KSK (a la RFC 5011)

by Jan-Piet Mens

Hello! first of all, thank you for a wonderful authoritative DNS server; as mentioned a while back, I'm loving the automatic key management and DS push; both work a treat. I have a requirement for manual key management and that is to be able to roll KSK keys a la RFC 5011 for both BIND and Unbound instances to automatically change their trust anchors. In Knot I can retire a key and subsequently have it removed, but the key isn't revoked (a.k.a. key flags 257+128 == 385). keymgr . set 41155 active=+1mi retire=+5mi remove=+60mi As such, BIND will, when this particular KSK is removed from the DNSKEY RRset, (rightly) complain: managed-keys-zone: Active key 41155 for zone . unexpectedly missing managed-keys-zone: Key 30377 for zone . is now trusted (acceptance timer complete) I've not found the word 'revoke' in the documentation, and no flags I can set with keymgr(8) seem to indicate that I can revoke a key. Can you help me, please? As an aside, I've noticed that when keymgr's `remove' time is reached, the key is removed from the zone (which is expected), however the key itself remains in the key store. From there, I can delete it, but I can also set flags on it in such a way as that it's brought *back* into the zone. Is that expected behaviour? It's not a problem per se, I'd just like to know whether I've understood the system. Thank you and kind regards, -JP

4 roky, 9 měsíců

Log query

by Smile TV

Dear all, I am deploying a DNS system using the Knot DNS software. I have read in the document and I did not see any DNS query log. So let me ask DNS Knot software can collect DNS query log? If possible, what is the configuration? Best regards, Chinhlk.

4 roky, 9 měsíců

Manual Key Rollover - 2 ZSKs with same key id

by Thomas E.

Hi, I performed a manual key roll over with this command: $ knotc zone-key-rollover dnssec-test.xxx zsk The result is 2 different ZSK's with the same key id: dnssec-test.xxx. 3600 IN DNSKEY 256 3 8 ( AwEAAc5W..... ) ; ZSK; alg = RSASHA256; key id = 7030 dnssec-test.xxx. 3600 IN DNSKEY 256 3 8 ( AwEAAc7Q5U...... ) ; ZSK; alg = RSASHA256; key id = 7030 >From the log: 2020-07-03T14:52:59 info: [dnssec-test.xxx.] DNSSEC, key, tag 56464, algorithm RSASHA256, KSK, public, ready, active+ 2020-07-03T14:52:59 info: [dnssec-test.xxx.] DNSSEC, key, tag 7030, algorithm RSASHA256, public 2020-07-03T14:52:59 info: [dnssec-test.xxx.] DNSSEC, key, tag 7030, algorithm RSASHA256, public, active 2020-07-03T14:52:59 info: [dnssec-test.xxx.] DNSSEC, signing started 2020-07-03T14:52:59 info: [dnssec-test.xxx.] DNSSEC, zone is up-to-date Is it the indented behavior to have two ZSK's with the same key id? Thanks a lot, Thomas

4 roky, 9 měsíců

Knot DNS 2.9.5 release

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 2.9.5! It's a serious bugfix version for those how use Knot DNS 2.9.0-2.9.4 for DNSSEC zone signing with automatic DNSKEY management and who rely on automatic maximum zone TTL computation. We apologize for possible inconvenience! Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v2.9.5/NEWS Source code: https://secure.nic.cz/files/knot-dns/knot-2.9.5.tar.xz https://secure.nic.cz/files/knot-dns/knot-2.9.5.tar.xz.asc Documentation: https://www.knot-dns.cz/docs/2.9/html Support and funding: https://www.knot-dns.cz/support Regards, Daniel

4 roky, 10 měsíců

Knot DNS bug notification

by libor.peltan

Hi all, we'd like to inform you about recently found bug in Knot DNS 2.9.x. The bug affects automatic key roll-overs when automatic key management is configured https://www.knot-dns.cz/docs/2.9/singlehtml/index.html#automatic-dnssec-sig… The ZSK, CSK or algorithm roll-over might be finished too early, so that DNSKEY and RRSIG records in resolvers' caches get out of sync, leading to temporary DNSSEC validation failure. Affected versions are Knot DNS 2.9.0 -- 2.9.4. We will release fixing version 2.9.5 soon. In the meantime, we recommend to apply the workaround: set the configuration option zone-max-ttl https://www.knot-dns.cz/docs/2.9/singlehtml/index.html#zone-max-ttl explicitly to a value greater or equal to maximal TTL among all records in the zone. (Remove the workaround once upgraded to fixed version.) Many thanks to Anand Buddhdev from RIPE NCC for finding this bug. Caring regards, Libor Peltan CZ.NIC

4 roky, 11 měsíců

← Newer
1
...
17
18
19
20
21
22
23
...
73
Older →

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

knot-dns-users