knot-dns-users

knot-dns-users@lists.nic.cz

6 participants
703 discussions

by Aleš Rygl

Dobry den, narazil jsem na problem s fungovanim modulu mod-synthrecord pri pouziti vice siti soucasne: Konfigurace: mod-synthrecord - id: customers1 type: forward prefix: ttl: 300 network: [ 46.12.0.0/16, 46.13.0.0/16 ] zone: - domain: customers.tmcz.cz file: db.customers.tmcz.cz module: mod-synthrecord/customers1 S uvedenou konfiguraci Knot generuje pouze zaznamy z posledni uvedene site, pro 46.12.0.0/16 dava NXDOMAIN. Stejne se to chova i s touto formou zapisu. mod-synthrecord - id: customers1 type: forward prefix: ttl: 300 network: 46.12.0.0/16 network: 46.13.0.0/16 Konfiguracne je to ok, knot neprotestuje, ale zaznamy negeneruje. Knot je 2.6.1-1+0~20171112193256.11+stretch~1.gbp3eaef0. Diky za pomoc ci nasmerovani. S pozdravem Ales Rygl

6 let, 10 měsíců

Re: [knot-dns-users] Dotaz na podporu DNS KNOT

by Vladimír Čunát

On 11/20/2017 12:37 PM, Petr Kubeš wrote: > Je prosím někde dostupna nějaká jednoduchá "kuchařka" pro zprovoznění > takovéhoto DNS resolveru? V některých systémech už je přímo balíček se službou, případně máme PPA obsahující novější verze. https://www.knot-resolver.cz/download/ Vyhnul bych se verzím před 1.3.3. Přímo kuchařku nemáme, ale kresd funguje dobře i bez konfigurace - pak poslouchá na všech lokálních adresách na UDP+TCP portu 53, se 100 MB cache v momentálním adresáři. Akorát pro validaci DNSSEC je potřeba zadat jméno souboru s kořenovými klíči, třeba "kresd -k root.keys" - ten je při neexistenci inicializován přes https. Různé možnosti jsou popsány v dokumentaci http://knot-resolver.readthedocs.io/en/stable/daemon.html V. Čunát

6 let, 10 měsíců

Dotaz na podporu DNS KNOT

by Petr Kubeš

Dobrý den, prosím o radu. provozujeme malou síť a v současné době využíváme externí DNS poskytovatele (UPC). CHtěli by jsme na hraničním uzlu zprovoznit vlastní DNS , konkrétně KNOT v konfiguraci, kdy by majoritně fungoval jako DNS RESOLVER a v budoucnu případně dostal i naše zony. Není prosím u vás někde dostupný návod step by step, co konkrétně nastavit, aby jsme mohli úspěšně takovýto KNOT zprovoznit v několika krocích jako CZ Resolver DNS? Asi špatné období, nedaří se mi bohužel z dostupných manuálů, nebo návodů systém KNOT dns nastavit tak, aby odpovídal a synchronizoval DNS zóny. Velice děkuji za radu P.Kubeš

6 let, 10 měsíců

Migrace na knot: Main process exited, code=killed, status=11/SEGV

by Aleš Rygl

Dobry den, Rad bych pozadal o radu. Experimentuji s Knot DNS, verze 2.6.0-3+0~20171019083827.9+stretch~1.gbpe9bd69. Debian Stretch. Mam nasazeny DNSSEC s KSK a ZSK v algoritmu 5 a Bind9, klice bez metadat. Snazim se prejit na Knot, s tim, ze mam dve testovaci zony. Pouzivam nasledujici postup. 1. Naimportuji stavajici klice pomoci keymgr 2. nastavim timestamy: keymgr t-sound.cz set 18484 created=+0 publish=+0 active=+0 keymgr t-sound.cz set 04545 created=+0 publish=+0 active=+0 3. zavedu zonu do Knotu. lifetime je extremne kratky, abych vedel, jak mi to funguje. zone: - domain: t-sound.cz template: signed file: db.t-sound.cz dnssec-signing: on dnssec-policy: migration - domain: mych5.cz template: signed file: db.mych5.cz dnssec-signing: on dnssec-policy: migration acl: [allowed_transfer] notify: idunn-freya-gts policy: - id: migration algorithm: RSASHA1 ksk-size: 2048 zsk-size: 1024 zsk-lifetime: 20m ksk-lifetime: 10d propagation-delay: 5m Toto projde. Knot zacne podepisovat importovanymi klici. Nasledne zmenim policy u t-sound.cz na policy: - id: migration3 algorithm: ecdsap256sha256 zsk-lifetime: 20m ksk-lifetime: 10d propagation-delay: 5m ksk-submission: nic.cz Knot vygeneruje nove klice: Nov 10 16:40:09 idunn knotd[21682]: warning: [t-sound.cz.] DNSSEC, creating key with different algorithm than policy Nov 10 16:40:09 idunn knotd[21682]: warning: [t-sound.cz.] DNSSEC, creating key with different algorithm than policy Nov 10 16:40:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, algorithm rollover started Nov 10 16:40:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, loaded key, tag 18484, algorithm 5, KSK yes, ZSK no, public yes, ready no, active yes Nov 10 16:40:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, loaded key, tag 5821, algorithm 5, KSK no, ZSK yes, public yes, ready no, active yes Nov 10 16:40:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, loaded key, tag 4256, algorithm 13, KSK yes, ZSK no, public no, ready no, active no Nov 10 16:40:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, loaded key, tag 39697, algorithm 13, KSK no, ZSK yes, public no, ready no, active yes Nov 10 16:40:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, signing started Nov 10 16:40:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, successfully signed Nov 10 16:40:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, next signing at 2017-11-10T16:45:09 Rozbehne se mechanismus ZSK rolloveru, vypublikuje se CDNSKEY. Projde sumbission. Vysledny stav je, ze zona funguje, Nov 12 22:48:27 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, signing zone Nov 12 22:48:27 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, loaded key, tag 4256, algorithm 13, KSK yes, ZSK no, public yes, ready no, active yes Nov 12 22:48:27 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, loaded key, tag 22255, algorithm 13, KSK no, ZSK yes, public yes, ready no, active yes Nov 12 22:48:27 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, signing started Nov 12 22:48:27 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, successfully signed Nov 12 22:48:27 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, next signing at 2017-11-12T23:03:27 Nov 12 22:48:27 idunn knotd[24980]: info: [t-sound.cz.] zone file updated, serial 1510523007 -> 1510523307 Nov 12 22:48:27 idunn knotd[24980]: info: [t-sound.cz.] notify, outgoing, 93.153.117.50@53: serial 1510523307 Nov 12 22:48:27 idunn knotd[24980]: info: [t-sound.cz.] IXFR, outgoing, 93.153.117.50@35557: started, serial 1510523007 -> 1510523307 Nov 12 22:48:27 idunn knotd[24980]: debug: [t-sound.cz.] IXFR, outgoing, 93.153.117.50@35557: serial 1510523007 -> 1510523307 Nov 12 22:48:27 idunn knotd[24980]: info: [t-sound.cz.] IXFR, outgoing, 93.153.117.50@35557: finished, 0.00 seconds, 1 messages, 780 bytes Nov 12 22:48:27 idunn knotd[24980]: info: [t-sound.cz.] IXFR, outgoing, 93.153.117.20@57641: started, serial 1510523007 -> 1510523307 Nov 12 22:48:27 idunn knotd[24980]: debug: [t-sound.cz.] IXFR, outgoing, 93.153.117.20@57641: serial 1510523007 -> 1510523307 Nov 12 22:48:27 idunn knotd[24980]: info: [t-sound.cz.] IXFR, outgoing, 93.153.117.20@57641: finished, 0.00 seconds, 1 messages, 780 bytes ZSK se rotuji. Pak ale dojde k chybe nize: Nov 12 23:03:27 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, signing zone Nov 12 23:03:27 idunn knotd[24980]: warning: [t-sound.cz.] DNSSEC, key rollover [1] failed (unknown error -28) Nov 12 23:03:27 idunn knotd[24980]: error: [t-sound.cz.] DNSSEC, failed to initialize (unknown error -28) Nov 12 23:03:27 idunn knotd[24980]: error: [t-sound.cz.] zone event 'DNSSEC resign' failed (unknown error -28) Stav klicu v tomto okamziku: root@idunn:/var/lib/knot# keymgr t-sound.cz list human c87e00bd71d0f89ea540ef9c21020df1e0106c0f ksk=yes tag=04256 algorithm=13 public-only=no created=-2D16h24m21s pre-active=-2D16h24m21s publish=-2D16h19m21s ready=-2D16h14m21s active=-1D18h14m21s retire-active=0 retire=0 post-active=0 remove=0 fe9f432bfc5d527dc11520615d6e29e5d1799d8c ksk=no tag=22255 algorithm=13 public-only=no created=-10h26m3s pre-active=0 publish=-10h26m3s ready=0 active=-10h21m3s retire-active=0 retire=0 post-active=0 remove=0 root@idunn:/var/lib/knot# knotc zone-sign t-sound.cz ale pojde a vse se tim opravi. Nov 13 08:56:41 idunn knotd[24980]: info: [t-sound.cz.] control, received command 'zone-status' Nov 13 09:06:23 idunn knotd[24980]: info: [t-sound.cz.] control, received command 'zone-sign' Nov 13 09:06:23 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, dropping previous signatures, resigning zone Nov 13 09:06:23 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, ZSK rollover started Nov 13 09:06:23 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, loaded key, tag 4256, algorithm 13, KSK yes, ZSK no, public yes, ready no, active yes Nov 13 09:06:23 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, loaded key, tag 22255, algorithm 13, KSK no, ZSK yes, public yes, ready no, active yes Nov 13 09:06:23 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, loaded key, tag 24386, algorithm 13, KSK no, ZSK yes, public yes, ready no, active no Nov 13 09:06:23 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, signing started Nov 13 09:06:23 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, successfully signed Nov 13 09:06:23 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, next signing at 2017-11-13T09:11:23 O den drive na tom knot zcela havaroval: Nov 11 23:05:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, signing zone Nov 11 23:05:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, loaded key, tag 39964, algorithm 13, KSK no, ZSK yes, public yes, ready no, active yes Nov 11 23:05:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, loaded key, tag 4256, algorithm 13, KSK yes, ZSK no, public yes, ready no, active yes Nov 11 23:05:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, signing started Nov 11 23:05:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, successfully signed Nov 11 23:05:09 idunn systemd[1]: knot.service: Main process exited, code=killed, status=11/SEGV Nov 11 23:05:09 idunn systemd[1]: knot.service: Unit entered failed state. Nov 11 23:05:09 idunn systemd[1]: knot.service: Failed with result 'signal'. Nov 11 23:05:10 idunn systemd[1]: knot.service: Service hold-off time over, scheduling restart. Nov 11 23:05:10 idunn systemd[1]: Stopped Knot DNS server. Nov 11 23:05:10 idunn systemd[1]: Started Knot DNS server. Nov 11 23:05:10 idunn knotd[23933]: info: Knot DNS 2.6.0 starting Nov 11 23:05:10 idunn knotd[23933]: info: binding to interface 0.0.0.0@553 Nov 11 23:05:10 idunn knotd[23933]: info: binding to interface ::@553 Nov 11 23:05:10 idunn knotd[23933]: info: changing GID to 121 Nov 11 23:05:10 idunn knotd[23933]: info: changing UID to 114 Nov 11 23:05:10 idunn knotd[23933]: info: loading 2 zones Nov 11 23:05:10 idunn knotd[23933]: info: [mych5.cz.] zone will be loaded Nov 11 23:05:10 idunn knotd[23933]: info: [t-sound.cz.] zone will be loaded Nov 11 23:05:10 idunn knotd[23933]: info: starting server Nov 11 23:05:10 idunn knotd[23933]: info: [t-sound.cz.] DNSSEC, loaded key, tag 39964, algorithm 13, KSK no, ZSK yes, public yes, ready no, active yes Nov 11 23:05:10 idunn knotd[23933]: info: [t-sound.cz.] DNSSEC, loaded key, tag 4256, algorithm 13, KSK yes, ZSK no, public yes, ready no, active yes Nov 11 23:05:10 idunn knotd[23933]: info: [t-sound.cz.] DNSSEC, signing started Nov 11 23:05:10 idunn knotd[23933]: warning: [mych5.cz.] DNSSEC, key rollover [1] failed (unknown error -28) Nov 11 23:05:10 idunn knotd[23933]: error: [mych5.cz.] DNSSEC, failed to initialize (unknown error -28) Nov 11 23:05:10 idunn knotd[23933]: error: [mych5.cz.] zone event 'load' failed (unknown error -28) Nov 11 23:05:10 idunn knotd[23933]: info: [t-sound.cz.] DNSSEC, successfully signed Nov 11 23:05:10 idunn systemd[1]: knot.service: Main process exited, code=killed, status=11/SEGV Nov 11 23:05:10 idunn systemd[1]: knot.service: Unit entered failed state. Nov 11 23:05:10 idunn systemd[1]: knot.service: Failed with result 'signal'. Nov 11 23:05:10 idunn systemd[1]: knot.service: Service hold-off time over, scheduling restart. Nov 11 23:05:10 idunn systemd[1]: Stopped Knot DNS server. Nov 11 23:05:10 idunn systemd[1]: Started Knot DNS server. Delam nekde chybu? Omlouvam se za komplikovany a dlouhy popis. Diky S pozdravem Ales Rygl

6 let, 10 měsíců

Knot DNS 2.6.1 and 2.5.6 releases

by Daniel Salzman

Hello Knot DNS users, CZ.NIC has released Knot DNS 2.6.1! With this version it is possible to configure CDS/CDNSKEY publishing or to enable Opt-Out bit in the NSEC3 chain. The DNSSEC-related logging was simplified and DNSSEC key rollovers were documented in detail. As for the bugfixes, the most important are server crash upon dynamic zone addition, incorrect DNAME semantic check for the zone apex, and non-functional immediate zone flush during zone loading. Changelog: https://gitlab.labs.nic.cz/labs/knot/raw/v2.6.1/NEWS Documentation: https://www.knot-dns.cz/docs/2.6/html/ Source code: https://secure.nic.cz/files/knot-dns/knot-2.6.1.tar.xz https://secure.nic.cz/files/knot-dns/knot-2.6.1.tar.xz.asc Some of the relevant fixes have been backported to the previous major version as Knot DNS 2.5.6. Changelog: https://gitlab.labs.nic.cz/labs/knot/raw/v2.5.6/NEWS Documentation: https://www.knot-dns.cz/docs/2.5/html/ Source code: https://secure.nic.cz/files/knot-dns/knot-2.5.6.tar.xz https://secure.nic.cz/files/knot-dns/knot-2.5.6.tar.xz.asc Regards, Daniel

6 let, 11 měsíců

Knot Resolver 1.5.0 release

by Vladimír Čunát

Dear Knot Resolver users, Knot Resolver 1.5.0 has been released! Bugfixes -------- - fix loading modules on Darwin Improvements ------------ - new module ta_signal_query supporting Signaling Trust Anchor Knowledge using Keytag Query (RFC 8145 section 5); it is enabled by default - attempt validation for more records but require it for fewer of them (e.g. avoids SERVFAIL when server adds extra records but omits RRSIGs) Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v1.5.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-1.5.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-1.5.0.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v1.5.0/ --Vladimir

6 let, 11 měsíců

Knot Resolver experimental release

by Vladimír Čunát

Dear Knot Resolver users, Knot Resolver 1.99.1-alpha has been released! This is an experimental release meant for testing aggressive caching. It contains some regressions and might (theoretically) be even vulnerable. The current focus is to minimize queries into the root zone. Improvements ------------ - negative answers from validated NSEC (NXDOMAIN, NODATA) - verbose log is very chatty around cache operations (maybe too much) Regressions ----------- - dropped support for alternative cache backends and for some specific cache operations - caching doesn't yet work for various cases: * negative answers without NSEC (i.e. with NSEC3 or insecure) * +cd queries (needs other internal changes) * positive wildcard answers - spurious SERVFAIL on specific combinations of cached records, printing: <= bad keys, broken trust chain - make check - a few Deckard tests are broken, probably due to some problems above + unknown ones? Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v1.99.1-alpha/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-1.99.1-alpha.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-1.99.1-alpha.tar.xz… Documentation (not updated): http://knot-resolver.readthedocs.io/en/v1.4.0/ --Vladimir

6 let, 11 měsíců

Knot Resolver autostart on systemd

by Thomas Van Nuit

Hello, one more question: What is the proper way of autostarting Knot Resolver 1.4.0 on systemd (Debian Stretch in my case) to be able to listen on interfaces other from localhost? As per the Debian README I've set up the socket override. # systemctl edit kresd.socket: [Socket] ListenStream=<my.lan.ip>:53 ListenDatagram=<my.lan.ip>:53 However after reboot the service doesn't autostart. # systemctl status kresd.service kresd.socket - Knot DNS Resolver network listeners Loaded: loaded (/lib/systemd/system/kresd.socket; enabled; vendor preset: enabled) Drop-In: /etc/systemd/system/kresd.socket.d └─override.conf Active: failed (Result: resources) Docs: man:kresd(8) Listen: [::1]:53 (Stream) [::1]:53 (Datagram) 127.0.0.1:53 (Stream) 127.0.0.1:53 (Datagram) <my.lan.ip>:53 (Stream) <my.lan.ip>:53 (Datagram) Oct 01 23:17:12 <myhostname> systemd[1]: kresd.socket: Failed to listen on sockets: Cannot assign requested address Oct 01 23:17:12 <myhostname> systemd[1]: Failed to listen on Knot DNS Resolver network listeners. Oct 01 23:17:12 <myhostname> systemd[1]: kresd.socket: Unit entered failed state. To get it running I have to type in manually: # systemctl start kresd.socket I apologize, I am now to systemd and its socket activation so it's not clear to me whether service or socket or both have to be somehow set up to autostart or not. Could anyone clarify this? Also, this is also in the log (again, Debian default): Oct 01 23:18:22 <myhostname> kresd[639]: [ ta ] keyfile '/usr/share/dns/root.key': not writeable, starting in unmanaged mode The file has permissions 644 for root:root. Should this be owned by knot, or writeable by others? Thanks! -- Regards, Thomas Van Nuit Sent with [ProtonMail](https://protonmail.com) Secure Email.

6 let, 11 měsíců

Knot 2.5.3 install fails if IPv6 address present

by knot＠johnbond.org

Hello all, I have come across an incompatibility with /usr/lib/knot/get_kaspdb and knot in relation to IPv6. Knot expects unquoted ip addresses however the kaspdb tool uses the python yams library which requires valid yams and therefore needs IPv6 addresses to be quoted strings as the contain ‘:’. This incompatibility causes issues when updating knot as the ubuntu packages from 'http://ppa.launchpad.net/cz.nic-labs/knot-dns/ubuntu’ call get_kaspdb during installation. The below gist shows how to recreate this issue. Please let me know if you need any further information https://gist.github.com/b4ldr/bd549b4cf63a7d564299497be3ef868d Thanks John

6 let, 11 měsíců

Knot Resolver 1.4.0 release

by Vladimír Čunát

Dear Knot Resolver users, Knot Resolver 1.4.0 has been released! Incompatible changes -------------------- - lua: query flag-sets are no longer represented as plain integers. kres.query.* no longer works, and kr_query_t lost trivial methods 'hasflag' and 'resolved'. You can instead write code like qry.flags.NO_0X20 = true. Bugfixes -------- - fix exiting one of multiple forks (#150) - cache: change the way of using LMDB transactions. That in particular fixes some cases of using too much space with multiple kresd forks (#240). Improvements ------------ - policy.suffix: update the aho-corasick code (#200) - root hints are now loaded from a zonefile; exposed as hints.root_file(). You can override the path by defining ROOTHINTS during compilation. - policy.FORWARD: work around resolvers adding unsigned NS records (#248) - reduce unneeded records previously put into authority in wildcarded answers Full changelog: https://gitlab.labs.nic.cz/knot/resolver/raw/v1.4.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-1.4.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-1.4.0.tar.xz.asc Documentation: http://knot-resolver.readthedocs.io/en/v1.4.0/ --Vladimir

6 let, 11 měsíců

← Newer
1
...
31
32
33
34
35
36
37
...
71
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

knot-dns-users