Hi,
I'm in the process of changing the key algorithm from the former Knot
default of RSASHA256 to the newer default ecdsap256sha256. For this I
have just updated the DNSSEC policy and reloaded Knot. This created a
new ZSK and signed the zone with this new ZSK, but also with the old
one. Now the zone is signed with two ZSKs. How can I get rid of the old ZSK?
I already tried to set "retire" and "remove" on the old ZSK with keymgr
to a value in the near future, but that just lead to the error message
"keys validation failed (missing active KSK or ZSK)" when issuing a
zone-sign to this particular zone. So I'm stuck now.
Additionally: How can I do a KSK rollover to also change the algorithm
from RSASHA256 to ecdsap256sha256? I couldn't find a documentation
explaining this step. I know that I need to have two KSKs until the DS
record on the parent is updated pointing to the new key, but I don't
know how to create a new KSK with Knot.
Thanks in advance for explaining the process.
Cheers,
Tobias
Dear Knot DNS users,
CZ.NIC is proud to release the 2.4.2 release of Knot DNS. This release
contains many improvements over 2.3.x release of Knot DNS.
The Knot DNS 2.4.x is the new stable branch. Starting from the 2.4.0 release
we are going to support current stable (2.4.x) and previous stable (2.3.x)
branches, and at the same time we are deprecating previous Knot DNS 1.6.x
release.
This release adds significant IXFR speedup in case of many zones,
improvements to knotc status command and several other small fixes
and improvements.
And that's it! Thank you for using Knot DNS. And we are really looking
forward to your feedback.
Full changelog:
https://gitlab.labs.nic.cz/labs/knot/raw/v2.4.2/NEWS
Sources:
https://secure.nic.cz/files/knot-dns/knot-2.4.2.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-dns/knot-2.4.2.tar.xz.asc
Documentation:
https://www.knot-dns.cz/docs/2.x/html/
Cheers,
--
Ondřej Surý -- Technical Fellow
--------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Milesovska 5, 130 00 Praha 3, Czech Republic
mailto:ondrej.sury@nic.cz https://nic.cz/
--------------------------------------------
Dear Knot Resolver users,
a bugfix release of Knot Resolver 1.2.4 has been released.
The release contains following improvements and bugfixes:
Security
--------
- Knot Resolver 1.2.0 and higher could return AD flag for insecure
answer if the daemon received answer with invalid RRSIG several
times in a row.
Improvements
------------
- modules/policy: allow QTRACE policy to be chained with other
policies
- hints.add_hosts(path): a new property
- module: document the API and simplify the code
- policy.MIRROR: support IPv6 link-local addresses
- policy.FORWARD: support IPv6 link-local addresses
- add net.outgoing_{v4,v6} to allow specifying address to use for
connections
Bugfixes
--------
- layer/iterate: some improvements in cname chain unrolling
- layer/validate: fix duplicate records in AUTHORITY section in case
of WC expansion proof
- lua: do *not* truncate cache size to unsigned
- forwarding mode: correctly forward +cd flag
- fix a potential memory leak
- don't treat answers that contain DS non-existance proof as insecure
- don't store NSEC3 and their signatures in the cache
- layer/iterate: when processing delegations, check if qname is at or
below new authority
The update from 1.2.3 to 1.2.4 is recommended. The update from 1.1.x
to 1.2.x branch is strongly recommended, the 1.1.x branch is no longer
supported.
Full changelog:
https://gitlab.labs.nic.cz/knot/resolver/raw/v1.2.4/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-1.2.4.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-1.2.4.tar.xz.asc
Documentation:
http://knot-resolver.readthedocs.io/en/latest/
--
Ondřej Surý -- Technical Fellow
--------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Milesovska 5, 130 00 Praha 3, Czech Republic
mailto:ondrej.sury@nic.cz https://nic.cz/
--------------------------------------------
Hi,
i’m evaluating some DNS solution for our multi-site distributed environment.
I do not want a master-slave scenario, but would like to implement some multi-master.
do you think is achievable with KNOT? have you ever implemented some master-to-master synchronisation? what could be the benefits having a multi-master scenario against the classic master-slave scenario?
thanks!
Giovanni Civardi
System Engineer
MainStreaming
Phone +39 02 868969.69
Web http://www.mainstreaming.tv
Hi All,
I built Knot 2.4.1 rpm and tried it on CentOS7. The server isn't reading
any of our zones with an error of:
"failed to load persistent timers (invalid parameter)"
Therefore it won't accept any notifies form master and won't read or
transfer any zone. Even when I do "knotc refresh ZONE" it will fail
saying zone is unknow.
This is an upgrade from Knot 2.2, and same configs doesn't complain
about anything and the server starts fine using that version, and load
zones, and respond to DNS queries without a problem.
I tried to find a procedure for a first time install for Knot and see if
there is any required initialization that needs to be done but no luck.
Have anyone tried Knot 2.4.1 with CentOS 7 please and successfully had
it running?
Note that I tried:
knotc conf-check (responds with: Configuration is valid)
knotc conf-read (shows all zones and template configs being read and
doesn't show any warning or error)
knotc conf-init
knotc conf-import /etc/knot/knot.conf
Either one of those will generate confdb. However, conf-init generates
it but then Knot doesn't show anything in the logs (set to debug), but
does generate timers folder.
But conf-import show same logs with same errors above, and still won't
load any of our zones.
I'm using these template settings:
""
mod-rrl:
- id: default
rate-limit: 200 # Allow 200 resp/s for each flow
slip: 2 # Every other response slips
template:
- id: default
storage: /var/lib/knot/zones
journal-db: journals
timer-db: timers
zonefile-sync: 60
semantic-checks: on
global-module: mod-rrl/default
""
I'd appreciate any suggestion please.
I'm new to this list, so if this is not where I was suppose to send this
please accept my apologize.
Thanks,
Kareem.
--
Abdulkareem H. Ali
Network Operations Engineer
CentralNic Group PLC
London Stock Exchange Symbol: CNIC
+44 20 3388 0600
www.CentralNic.com
CentralNic Group PLC is a company registered in England and Wales with
company number 8576358. Registered Offices: 35-39 Moorgate, London, EC2R
6AR.
Dear all,
I'm setting up my own DNS and was not fund of the Idea to use bind. Then
someone pointed me to knot which ich immediatly found interresting.
After first successes I ran today into an error I could not resolve -
neither find anything on the web.
Finally I found this [1].
Is there a strong reason why you get specific modules only if you
compile knot yourself ?
For me I'm sad to say this is a no-go. I want to rely on automatic
updates for security.
Any chance this will be fixed ?
best regards
Dirk
[1] https://lists.nic.cz/pipermail/knot-dns-users/2017-January/001039.html
Dear Knot Resolver users,
a bugfix release of Knot Resolver 1.2.3 has been released.
The release contains following bugfixes:
- Disable storing GLUE records into the cache even in the
(non-default) QUERY_PERMISSIVE mode
- iterate: skip answer RRs that don't match the query
- layer/iterate: some additional processing for referrals
- lib/resolve: zonecut fetching error was fixed
The update from 1.2.2 to 1.2.3 is recommended. The update from 1.1.x
to 1.2.x branch is strongly recommended.
Full changelog:
https://gitlab.labs.nic.cz/knot/resolver/raw/v1.2.3/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-1.2.3.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-1.2.3.tar.xz.asc
Documentation:
http://knot-resolver.readthedocs.io/en/latest/
--
Ondřej Surý -- Technical Fellow
--------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Milesovska 5, 130 00 Praha 3, Czech Republic
mailto:ondrej.sury@nic.cz https://nic.cz/
--------------------------------------------
Hi,
We would like to enable ECS responses in our Knot server in order to
indicate to recursives that they should send it in requests if they can. The
goal is gauge how widespread usage of this feature this is and to collect
some statistics on the client networks being transmitted. We don't have a
way of providing tailored responses yet (not sure how this would be done,
but that's another topic.) Is there a way of enabling ECS so that it's
included in responses, perhaps with a scope prefix-length of 0 (as
described in section 12.1 of draft-ietf-dnsop-edns-client-subnet-08)?
Thanks,
Chuck
Dear Knot DNS users,
CZ.NIC is proud to release the 2.4.1 release of Knot DNS. This release
contains many improvements over 2.3.x release of Knot DNS.
The Knot DNS 2.4.x is the new stable branch. Starting from this release
we are going to support current stable (2.4.x) and previous stable (2.3.x)
branches, and at the same time we are deprecating previous Knot DNS 1.6.x
release.
This is a bugfix release containing small fixes, but the upgrade is
recommended.
And that's it! Thank you for using Knot DNS. And we are really looking
forward to your feedback.
Full changelog:
https://gitlab.labs.nic.cz/labs/knot/raw/v2.4.1/NEWS
Sources:
https://secure.nic.cz/files/knot-dns/knot-2.4.1.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-dns/knot-2.4.1.tar.xz.asc
Documentation:
https://www.knot-dns.cz/docs/2.x/html/
--
Ondřej Surý -- Technical Fellow
--------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Milesovska 5, 130 00 Praha 3, Czech Republic
mailto:ondrej.sury@nic.cz https://nic.cz/
--------------------------------------------
