knot-dns-users

knot-dns-users@lists.nic.cz

6 participants
703 discussions

by Klaus Darilion

> key > > An ordered list of references to TSIG keys. The query must match one of them. Empty value means that TSIG key is not required. > > Default: not set This is not 100% correct. At least with a notify ACL the behavior is: Empty value means that TSIG keys are not allowed. regards Klaus

6 let, 8 měsíců

Zone sign at knotd reload

by Aleš Rygl

Hi everybody, I would have a question related to zone signing. Whenever I reload knot config using knotc reload it starts to resign all DNSSEC enabled zones. It makes the daemon sometimes unresponsive to knotc utility. root@idunn:# knotc reload error: failed to control (connection timeout) Is it a design intent to sign zones while reloading config? Is it really needed? It invokes zone transfers, consumes resources, etc. Thanks for answer With regards Ales

6 let, 8 měsíců

Knot DNS 2.6.4 and 2.5.7 releases

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 2.6.4! This version improves the synthrecord module and fixes big zone transfers with a TSIG, structured logging, and DNSSEC re-signing. Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v2.6.4/NEWS Documentation: https://www.knot-dns.cz/docs/2.6/html/ Source code: https://secure.nic.cz/files/knot-dns/knot-2.6.4.tar.xz https://secure.nic.cz/files/knot-dns/knot-2.6.4.tar.xz.asc Some of the bugfixes were backported to Knot DNS 2.5.7. Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v2.5.7/NEWS Documentation: https://www.knot-dns.cz/docs/2.5/html/ Source code: https://secure.nic.cz/files/knot-dns/knot-2.5.7.tar.xz https://secure.nic.cz/files/knot-dns/knot-2.5.7.tar.xz.asc Regards, Daniel

6 let, 8 měsíců

Zone transfer from KNOT (master) to BIND (slave) fails with NAUTH

by Matthias Nagel

Helly everybody, there is a KNOT DNS master name server that I do not manage myself for my domain. I try to setup a BIND DNS server as a slave in-house. BIND fails to do the zone transfer and reports 31-Dec-2017 16:19:02.503 zone whka.de/IN: Transfer started. 31-Dec-2017 16:19:02.504 transfer of 'whka.de/IN' from 2001:7c7:2000:53::#53: connected using 2001:7c7:20e8:18e::2#53509 31-Dec-2017 16:19:02.505 transfer of 'whka.de/IN' from 2001:7c7:2000:53::#53: failed while receiving responses: NOTAUTH 31-Dec-2017 16:19:02.505 transfer of 'whka.de/IN' from 2001:7c7:2000:53::#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs If try dig (this time using the IPv4 address), I get a failure, too. # dig axfr @141.70.45.160 whka.de. ; <<>> DiG 9.9.5-9+deb8u7-Debian <<>> axfr @141.70.45.160 whka.de. ; (1 server found) ;; global options: +cmd ; Transfer failed. Wireshark tells me that the reply code of the name server is `1001 Server is not an authority for domain`. What is going on here? Especially, if I query the same nameserver for an usual A-record it claims to be authoritative. Moreover, KNOT DNS manual says KNOT is an authoritative-only name server. So there is no way of being non-authoritative. Has anybody already observed something like this? Best regards, Matthias -- Evang. Studentenwohnheim Karlsruhe e.V. – Hermann-Ehlers-Kolleg Matthias Nagel Willy-Andreas-Allee 1, 76131 Karlsruhe, Germany Phone: +49-721-96869289, Mobile: +49-151-15998774 E-Mail: matthias.nagel(a)hermann-ehlers-kolleg.de

6 let, 9 měsíců

Knot Resolver 1.5.1 release

by Vladimír Čunát

Dear Knot Resolver users, Knot Resolver 1.5.1 is released, mainly with bugfixes and cleanups! Incompatible changes -------------------- - script supervisor.py was removed, please migrate to a real process manager - module ketcd was renamed to etcd for consistency - module kmemcached was renamed to memcached for consistency Bugfixes -------- - fix SIGPIPE crashes (#271) - tests: work around out-of-space for platforms with larger memory pages - lua: fix mistakes in bindings affecting 1.4.0 and 1.5.0 (and 1.99.1-alpha), potentially causing problems in dns64 and workarounds modules - predict module: various fixes (!399) Improvements ------------ - add priming module to implement RFC 8109, enabled by default (#220) - add modules helping with system time problems, enabled by default; for details see documentation of detect_time_skew and detect_time_jump Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v1.5.1/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-1.5.1.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-1.5.1.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v1.5.1/ --Vladimir

6 let, 9 měsíců

About memcached backend module

by Yoshihito Horigome

Hello all, According to the document, I built memcached as a back end, so I built it from the source, but the following error message is output and can not be used. https://knot-resolver.readthedocs.io/en/stable/build.html#building-from-sou… $ sudo kresd [system] interactive mode > modules.load 'memcached' error: error loading module 'memcached' from file '/usr/local/lib/kdns_modules/memcached.so': /usr/local/lib/kdns_modules/memcached.so: undefined symbol: luaopen_memcached error: No such file or directory > $ ll /usr/local/lib/kdns_modules/ total 404 drwxr-xr-x 4 root root 4096 Dec 13 21:59 ./ drwxr-xr-x 7 root root 4096 Dec 13 21:59 ../ -rwxr-xr-x 1 root root 35904 Dec 13 21:59 ahocorasick.so* -rwxr-xr-x 1 root root 38848 Dec 13 21:59 cookies.so* drwxr-xr-x 2 root root 4096 Dec 13 21:59 daf/ -rw-r--r-- 1 root root 8664 Dec 13 21:59 daf.lua -rw-r--r-- 1 root root 1098 Dec 13 21:59 detect_time_jump.lua -rw-r--r-- 1 root root 2329 Dec 13 21:59 detect_time_skew.lua -rw-r--r-- 1 root root 2218 Dec 13 21:59 dns64.lua -rwxr-xr-x 1 root root 45016 Dec 13 21:59 dnstap.so* -rw-r--r-- 1 root root 1204 Dec 13 21:59 etcd.lua -rw-r--r-- 1 root root 3199 Dec 13 21:59 graphite.lua -rwxr-xr-x 1 root root 44376 Dec 13 21:59 hints.so* drwxr-xr-x 2 root root 4096 Dec 13 21:59 http/ -rw-r--r-- 1 root root 11077 Dec 13 21:59 http.lua -rw-r--r-- 1 root root 1263 Dec 2 00:16 ketcd.lua -rw-r--r-- 1 root root 7967 Dec 13 21:59 kres-gen.lua -rw-r--r-- 1 root root 10178 Dec 13 21:59 kres.lua -rwxr-xr-x 1 root root 14216 Dec 13 21:59 memcached.so* -rw-r--r-- 1 root root 15867 Dec 13 21:59 policy.lua -rw-r--r-- 1 root root 5346 Dec 13 21:59 predict.lua -rw-r--r-- 1 root root 4267 Dec 13 21:59 priming.lua -rw-r--r-- 1 root root 4313 Dec 13 21:59 prometheus.lua -rwxr-xr-x 1 root root 18336 Dec 13 21:59 redis.so* -rw-r--r-- 1 root root 3639 Dec 13 21:59 renumber.lua -rwxr-xr-x 1 root root 34048 Dec 13 21:59 stats.so* -rw-r--r-- 1 root root 1818 Dec 13 21:59 ta_signal_query.lua -rw-r--r-- 1 root root 15314 Dec 13 21:59 trust_anchors.lua -rw-r--r-- 1 root root 2068 Dec 13 21:59 version.lua -rw-r--r-- 1 root root 2656 Dec 13 21:59 view.lua -rw-r--r-- 1 root root 1658 Dec 13 21:59 workarounds.lua -rw-r--r-- 1 root root 5307 Dec 13 21:59 zonefile.lua Is it something you need to do with a description other than documentation? The source file is working with knot-resolver-1.5.1. env: $ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 16.04.3 LTS Release: 16.04 Codename: xenial $ sudo make info PREFIX="/usr/local" ETCDIR="/etc/knot-resolver/" CFLAGS="-fstack-protector" fatal: Not a git repository (or any of the parent directories): .git Target: Knot DNS Resolver 1.5.1-POSIX Compiler: cc -fstack-protector -std=c99 -D_GNU_SOURCE -Wno-unused -Wtype-limits -Wformat -Wformat-security -Wall -I/home/kometch/knot-resolver-1.5.1 -I/home/kometch/knot-resolver-1.5.1/lib/generic -I/home/kometch/knot-resolver-1.5.1/contrib -I/home/kometch/knot-resolver-1.5.1/contrib/lmdb -DPACKAGE_VERSION="\"1.5.1\"" -DPREFIX="\"/usr/local\"" -DMODULEDIR="\"/usr/local/lib/kdns_modules\"" -O2 -D_FORTIFY_SOURCE=2 -I/usr/include/p11-kit-1 -I/usr/include/luajit-2.1 -I/usr/include/p11-kit-1 -Icontrib/ccan/compiler -Icontrib/ccan/ilog -Icontrib/ccan/isaac -Icontrib/ccan/json -Icontrib/ccan/asprintf -Icontrib/murmurhash3 -DENABLE_COOKIES Variables --------- HARDENING: yes BUILDMODE: dynamic PREFIX: /usr/local PREFIX: /usr/local DESTDIR: BINDIR: /usr/local/bin SBINDIR: /usr/local/sbin LIBDIR: /usr/local/lib ETCDIR: /etc/knot-resolver/ INCLUDEDIR: /usr/local/include MODULEDIR: /usr/local/lib/kdns_modules Core Dependencies ------------ [yes] libknot (lib) [yes] embedded lmdb (lib) [yes] luajit (daemon) [yes] libuv (daemon) [yes] libgnutls (daemon) Optional -------- [no] doxygen (doc) [no] sphinx-build (doc) [no] python-breathe (doc) [yes] go (modules/go, Go buildmode=c-shared support) [yes] libmemcached (modules/memcached) [yes] hiredis (modules/redis) [yes] cmocka (tests/unit) [yes] systemd (daemon) [yes] nettle (modules/cookies) [yes] Lua socket ltn12 (trust anchor bootstrapping) [yes] Lua ssl.https (trust anchor bootstrapping) [yes] libedit (client) [yes] libfstrm (modules/dnstap) [yes] libprotobuf-c (modules/dnstap) [yes] proto-c (modules/dnstap) [yes] lcov (code coverage) [yes] luacov (code coverage) make: Nothing to be done for 'info'. ii libmemcached-dev 1.0.18-4.1 arm64 C and C++ client library to the memcached server (development files) ii libmemcached-tools 1.0.18-4.1 arm64 Commandline tools for talking to memcached via libmemcached ii libmemcached11:arm64 1.0.18-4.1 arm64 C and C++ client library to the memcached server ii libmemcachedutil2:arm64 1.0.18-4.1 arm64 library implementing connection pooling for libmemcached $ sudo memcached -V memcached 1.5.3 Best regards.

6 let, 9 měsíců

forcing minimal fragment size for IPv6 datagrams

by Jan Včelák

Hello guys, there has been a request in our issue tracker [1], to enable IPV6_USE_MIN_MTU socket option [2] for IPv6 UDP sockets in Knot DNS. This option makes the operating system to send the responses with a maximal fragment size of 1280 bytes (minimal MTU size required by IPv6 specification). The reasoning is based on the draft by Mark Andrews from 2012 [3]. I wonder if the reasoning is still valid in 2016. And I'm afraid that enabling this option could enlarge the window for possible DNS cache poisoning attacks. We would appreciate any feedback on your operational experience with DNS on IPv6 related to packet fragmentation. [1] https://gitlab.labs.nic.cz/labs/knot/issues/467 [2] https://tools.ietf.org/html/rfc3542#section-11.1 [3] https://tools.ietf.org/html/draft-andrews-dnsext-udp-fragmentation-01 Thanks and regards, Jan

6 let, 10 měsíců

knotc - zone records TTL change

by Aleš Rygl

Hi everybody, Is there a way how to change TTL of all zone records at once using knotc? I.e. without editing the zone file manually. Something what I can do using $TTL directive in Bind9 zone files? If not I would like to ask for implementing if possible. Thanks Regards Ales Rygl

6 let, 10 měsíců

Knot DNS 2.6.3 release

by Daniel Salzman

Hello Knot DNS users, As today is the birthday of RFC 1034 and RFC 1035, CZ.NIC has released a gift - Knot DNS 2.6.3! We apologize for the incompatibility issues between Knot DNS 2.6.1 and Knot DNS 2.6.2. Should be fixed in this version. Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v2.6.3/NEWS Documentation: https://www.knot-dns.cz/docs/2.6/html/ Source code: https://secure.nic.cz/files/knot-dns/knot-2.6.3.tar.xz https://secure.nic.cz/files/knot-dns/knot-2.6.3.tar.xz.asc Regards, Daniel

6 let, 10 měsíců

Knot DNS 2.6.2 release

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 2.6.2! This version primarily extends dnskey rollover support. From now it's easy with enabled automatic DNSSEC signing to switch between (KSK, ZSK) key pair and one CSK. An algorithm rotation is also possible. One old bug was fixed relating to unexpected reply for a DS query with an owner below a delegation point. Some issues with old compilers or 32-bit platforms were resolved. Changelog: https://gitlab.labs.nic.cz/labs/knot/raw/v2.6.2/NEWS Documentation: https://www.knot-dns.cz/docs/2.6/html/ Source code: https://secure.nic.cz/files/knot-dns/knot-2.6.2.tar.xz https://secure.nic.cz/files/knot-dns/knot-2.6.2.tar.xz.asc Regards, Daniel

6 let, 10 měsíců

← Newer
1
...
30
31
32
33
34
35
36
...
71
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

knot-dns-users