Hi,
we're using knot DNS (2.0.2) on one of our primaries, to balance out
"BIND is used everywhere". So far, we're quite happy, but today I got
a complaint from our hostmaster team - triggered by a warning from DENIC
that "our SOA records are inconsistent".
Turns out they are, if you look at uppercase/lowercase...
$ dig +short @ns.space.net space.net soa
ns.space.net. hostmaster.space.net. 2016040601 28800 3600 864000 1800
$ dig +short @ns3.dns.space.net space.net soa
ns.Space.Net. hostmaster.Space.Net. 2016040601 28800 3600 864000 1800
The first one is knot, the second is BIND, and the "mixed case" spelling is
what the zone master (hidden primary) is distributing.
(I understand that DNS is not case-significant, but we're using upper
case in DNS labels because we like it that way...)
Looking at labels inside the zone (dig axfr) shows that knot is lowercasing
*everything*, not only the SOA records.
So, I started looking into whether there is a switch that can change knot's
behaviour to just leave the labels alone and not lowercase everything.
Google did not find anything, neither did "man knotd" or "man knot.conf".
So, is there a hidden switch or compile-time feature to achieve this?
thanks in advance,
Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
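As an added example (not part of the mail above and not Knot code), here is a small Python check that compares SOA answers from several authoritative servers the way a registry consistency probe should: the MNAME and RNAME are folded under RFC 4343 rules (only ASCII A-Z is case-insensitive, so `str.lower()` would be too aggressive), the numeric fields are compared as integers, and only genuine differences such as a lagging serial are reported. The first two answers are the two dig outputs quoted above; the third server name and its lagging answer are constructed for the demonstration.

```python
"""Compare SOA answers from several authoritative servers under DNS case rules."""

SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")


def fold_name(name: str) -> str:
    """Canonicalise a domain name for comparison.

    RFC 4343 makes only the ASCII letters A-Z case-insensitive; every other
    octet (including non-ASCII) must compare byte-for-byte. A missing trailing
    dot is added so that 'ns.example.' and 'ns.example' compare equal.
    Names are assumed to be in unescaped presentation form, as 'dig +short'
    prints them.
    """
    folded = "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in name)
    return folded if folded.endswith(".") else folded + "."


def parse_soa(rdata_text: str) -> dict:
    """Parse the presentation form of SOA RDATA (the line 'dig +short' prints)."""
    parts = rdata_text.split()
    if len(parts) != len(SOA_FIELDS):
        raise ValueError(f"SOA RDATA needs {len(SOA_FIELDS)} fields, got {len(parts)}")
    record = {"mname": fold_name(parts[0]), "rname": fold_name(parts[1])}
    for field, value in zip(SOA_FIELDS[2:], parts[2:]):
        record[field] = int(value)  # serial and timers are unsigned 32-bit integers
    return record


def soa_differences(answers: dict) -> dict:
    """Return {field: {server: value}} for every field whose canonical value
    differs between servers. An empty dict means all servers agree."""
    parsed = {server: parse_soa(text) for server, text in answers.items()}
    diffs = {}
    for field in SOA_FIELDS:
        values = {server: rec[field] for server, rec in parsed.items()}
        if len(set(values.values())) > 1:
            diffs[field] = values
    return diffs


def cosmetic_only(answers: dict) -> bool:
    """True when the raw answers are not byte-identical but carry the same DNS data."""
    return len(set(answers.values())) > 1 and not soa_differences(answers)


# Constructed sample: the two answers quoted in the mail, plus a hypothetical
# third server ("ns-lagging.example") that is one serial behind.
SAMPLE = {
    "ns.space.net": "ns.space.net. hostmaster.space.net. 2016040601 28800 3600 864000 1800",
    "ns3.dns.space.net": "ns.Space.Net. hostmaster.Space.Net. 2016040601 28800 3600 864000 1800",
}
LAGGING = dict(SAMPLE)
LAGGING["ns-lagging.example"] = (
    "ns.Space.Net. hostmaster.Space.Net. 2016040600 28800 3600 864000 1800"
)

if __name__ == "__main__":
    print("case-only difference:", cosmetic_only(SAMPLE))
    print("real differences:", soa_differences(LAGGING))
```

A probe built on `soa_differences()` would have stayed quiet on the two servers above and still flagged the lagging serial; the `cosmetic_only()` result is worth logging separately so that case-only drift stays visible without being treated as an incident.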
Hello to all,
I tried to look a little bit at the code, but can I ask how concurrent
updates are avoided? I mean, RCU is used to avoid concurrent read and write.
But how are concurrent updates avoided?
Thank you!
masoud
Good morning,
I've migrated to knot2; the configuration file was migrated by the knot1to2
tool. Knot 2 loads, but does not load my DNSSEC-signed zone (NSEC, not
NSEC3). Knot2 is installed from the SUSE DNS server repo, version
"knot2-2.1.1-1.1.x86_64".
Error message:
Apr 7 08:57:39 celer knotd[21676]: info: reloading configuration file
'/etc/knot/knot.conf'
Apr 7 08:57:39 celer knotd[21676]: info: configuration reloaded
Apr 7 08:57:39 celer knotd[21676]: info: [domain.cz] zone loader,
semantic check, completed
Apr 7 08:57:39 celer knotd[21676]: error: [domain.cz] DNSSEC, failed to
initialize (not found)
Apr 7 08:57:39 celer knotd[21676]: error: [domain.cz] failed to store
changes into journal (not found)
Apr 7 08:57:39 celer knotd[21676]: error: [domain.cz] zone event 'load'
failed (not found)
Part of the configuration file:
...
...
template:
  - id: "default"
    storage: "/var/lib/knot"

zone:
  - domain: "domain.cz."
    file: "domain.cz"
    notify: "slave"
    acl: "acl_slave"
    semantic-checks: "on"
    ixfr-from-differences: "on"
    max-journal-size: "1073741824"
    dnssec-signing: "on"
    kasp-db: "/var/lib/knot/domain.cz.keys"
...
...
Directory "/var/lib/knot/domain.cz.keys" contains zone private and
public keys.
What did I miss?
Thanks and best regards
J.Karliak
--
My domain uses SPF (www.openspf.org) and DomainKeys/DKIM (with ADSP)
policy and an implementation of DMARC. If you have problems sending
emails to me, start using the email origin verification methods mentioned
above. Thank you.
I'm fairly new to knot, so this may be a strange question; I may just not be
getting the config for notify quite right somewhere.
I have this in my config:
remotes {
  dnsp61 { address 192.168.1.173; }
}

zones {
  storage "/var/lib/knot";
  dnssec-keydir "keys";
  dnssec-enable off;

  brettcarr.uk {
    file "brettcarr.uk";
    xfr-in dnsp61;     # define 'master' for this zone
    notify-in dnsp61;  # also allow NOTIFY from 'master'
  }
}
The zone AXFRs at startup with no problems.
The master (dnsp61) is sending notifies to the knot server
(192.168.1.170), as you can see from the tcpdump output below:
18:24:55.310553 IP 192.168.1.173.42438 > 192.168.1.170.domain: 27743
notify [b2&3=0x2400] [1a] SOA? brettcarr.uk. (89)
but the knot server is not reacting to the notify.
Am I missing something?
TIA
--
Brett
Hi,
I tried to install Knot 2.x deb on Debian Jessie. Following the instructions for Knot 2.x, I got Knot 1.6 installed. Any advice how to install Knot 2 deb on Jessie?
Regards
Volker
LOC records are special. The first octet of a LOC record is a version
number. According to RFC 1876:
VERSION Version number of the representation. This must be zero.
Implementations are required to check this field and make
no assumptions about the format of unrecognized versions.
This means that if a LOC record's VERSION field is not zero, the RR
cannot be presented in the canonical presentation format, but it is
still a valid wire-format RR.
Currently, kdig prints a warning message "can't print whole section" and
a LOC record with a blank RDATA when it attempts to dump a LOC record
with a non-zero VERSION field.
This commit modifies the version check in wire_loc_to_str() to fall back
to the generic presentation format if the VERSION field is not 0. This
particular case is even explicitly described as a use case for the
generic presentation format in RFC 3597:
Using the generic representation for the RDATA of an RR of known type
can also be useful in the case of an RR type where the text format
varies depending on a version, protocol, or similar field (or
several) embedded in the RDATA when such a field has a value for
which no text format is known, e.g., a LOC RR [RFC1876] with a
VERSION other than 0.
---
src/libknot/rrset-dump.c | 95 +++++++++++++++++++++++++-----------------------
1 file changed, 49 insertions(+), 46 deletions(-)
diff --git a/src/libknot/rrset-dump.c b/src/libknot/rrset-dump.c
index c71eae1..ffdd825 100644
--- a/src/libknot/rrset-dump.c
+++ b/src/libknot/rrset-dump.c
@@ -508,6 +508,47 @@ static void wire_len_data_encode_to_str(rrset_dump_params_t *p,
p->ret = 0;
}
+static void wire_unknown_to_str(rrset_dump_params_t *p)
+{
+ int ret;
+ size_t in_len = p->in_max;
+ size_t out_len = 0;
+
+ // Write unknown length header.
+ if (in_len > 0) {
+ ret = snprintf(p->out, p->out_max, "\\# %zu ", in_len);
+ } else {
+ ret = snprintf(p->out, p->out_max, "\\# 0");
+ }
+ if (ret <= 0 || (size_t)ret >= p->out_max) {
+ return;
+ }
+ out_len = ret;
+
+ // Fill in output.
+ p->out += out_len;
+ p->out_max -= out_len;
+ p->total += out_len;
+
+ // Write hex data if any.
+ if (in_len > 0) {
+ // If wrap mode wrap line.
+ if (p->style->wrap) {
+ dump_string(p, BLOCK_INDENT);
+ if (p->ret != 0) {
+ return;
+ }
+ }
+
+ wire_data_encode_to_str(p, &hex_encode, &hex_encode_alloc);
+ if (p->ret != 0) {
+ return;
+ }
+ }
+
+ p->ret = 0;
+}
+
static void wire_text_to_str(rrset_dump_params_t *p)
{
// First byte is string length.
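Review bot: The body added here is a verbatim copy of the wire_unknown_to_str() that the last hunk deletes, so this is a pure move to satisfy declaration-before-use for the new call in wire_loc_to_str(). A one-line forward declaration (`static void wire_unknown_to_str(rrset_dump_params_t *p);`) above wire_loc_to_str() would confine the diff to the few lines that actually change behaviour and make it reviewable at a glance. Whichever form is kept, the move should be stated in the commit message, which currently describes only the version-check change.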
@@ -938,6 +979,14 @@ static void wire_loc_to_str(rrset_dump_params_t *p)
// Read values.
wire_ctx_t wire = wire_ctx_init_const(p->in, p->in_max);
uint8_t version = wire_ctx_read_u8(&wire);
+
+ // Version check.
+ if (version != 0) {
+ wire_unknown_to_str(p);
+ return;
+ }
+
+ // Continue to read values.
uint8_t size_w = wire_ctx_read_u8(&wire);
uint8_t hpre_w = wire_ctx_read_u8(&wire);
uint8_t vpre_w = wire_ctx_read_u8(&wire);
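Review bot: The position of the new check is load-bearing and deserves a comment: at this point p->in has not yet been advanced past the parsed fields (that happens at `p->in += wire_ctx_offset(&wire);` further down), so wire_unknown_to_str() sees the entire RDATA, version octet included, which is what the RFC 3597 `\# <len> <hex>` form requires. What wire_ctx_read_u8() returns when p->in_max is 0 is not visible in this hunk; if it yields 0 the code proceeds into the fixed-length reads exactly as before, so an explicit length check ahead of the version check would make the empty-RDATA case deliberate rather than incidental.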
@@ -953,11 +1002,6 @@ static void wire_loc_to_str(rrset_dump_params_t *p)
p->in += wire_ctx_offset(&wire);
p->in_max = wire_ctx_available(&wire);
- // Version check.
- if (version != 0) {
- return;
- }
-
// Latitude calculation.
char lat_mark;
uint32_t lat;
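Review bot: Deleting this check is correct only because the new one in wire_loc_to_str() fires earlier, and it is worth spelling out the behavioural change the commit relies on: this old early return left p->ret untouched, which is what surfaced as the "can't print whole section" failure described in the message, whereas the new path ends with wire_unknown_to_str() setting `p->ret = 0`, turning a non-zero-VERSION LOC from a dump error into a successful generic dump. A dump test with a VERSION=1 LOC RR would pin that fallback down.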
@@ -1210,47 +1254,6 @@ static void wire_tsig_rcode_to_str(rrset_dump_params_t *p)
p->ret = 0;
}
-static void wire_unknown_to_str(rrset_dump_params_t *p)
-{
- int ret;
- size_t in_len = p->in_max;
- size_t out_len = 0;
-
- // Write unknown length header.
- if (in_len > 0) {
- ret = snprintf(p->out, p->out_max, "\\# %zu ", in_len);
- } else {
- ret = snprintf(p->out, p->out_max, "\\# 0");
- }
- if (ret <= 0 || (size_t)ret >= p->out_max) {
- return;
- }
- out_len = ret;
-
- // Fill in output.
- p->out += out_len;
- p->out_max -= out_len;
- p->total += out_len;
-
- // Write hex data if any.
- if (in_len > 0) {
- // If wrap mode wrap line.
- if (p->style->wrap) {
- dump_string(p, BLOCK_INDENT);
- if (p->ret != 0) {
- return;
- }
- }
-
- wire_data_encode_to_str(p, &hex_encode, &hex_encode_alloc);
- if (p->ret != 0) {
- return;
- }
- }
-
- p->ret = 0;
-}
-
static size_t dnskey_len(const uint8_t *rdata,
const size_t rdata_len)
{
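Review bot: This removal is the other half of the move; the deleted body matches the copy added in the first hunk line for line (snprintf formats, the wrap-mode BLOCK_INDENT handling and the closing `p->ret = 0;` included), so no behaviour is lost. If the forward-declaration alternative is adopted, this hunk disappears entirely.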
--
2.7.0
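The behaviour the commit message describes, as an added example that is not Knot's code: a standalone Python presenter for LOC RDATA that prints the RFC 1876 text form when VERSION is 0 and switches to the RFC 3597 generic `\# <len> <hex>` form otherwise, which is the fallback the patch introduces in wire_loc_to_str(). It goes one step beyond the patch by also using the generic form for a version-0 record of the wrong length instead of failing; that extension, the metre formatting, the uppercase hex and the sample records are my own choices and assumptions, not Knot's.

```python
"""Present LOC RDATA (RFC 1876), falling back to the RFC 3597 generic form."""
import struct

LOC_WIRE_LEN = 16            # fixed RDATA length of a version-0 LOC record
COORD_OFFSET = 1 << 31       # equator / prime meridian are encoded as 2^31
ALT_OFFSET_CM = 10_000_000   # altitude is offset by 100 000 m below the WGS 84 spheroid


def generic_rdata(rdata: bytes) -> str:
    """RFC 3597 generic representation: '\\# <length> <hex>' (or '\\# 0')."""
    if not rdata:
        return r"\# 0"
    return rf"\# {len(rdata)} {rdata.hex().upper()}"  # uppercase hex is my choice


def _cm_to_m(cm: int) -> str:
    """Format a centimetre count as metres, dropping the fraction when whole."""
    sign = "-" if cm < 0 else ""
    whole, frac = divmod(abs(cm), 100)
    return f"{sign}{whole}m" if frac == 0 else f"{sign}{whole}.{frac:02d}m"


def _precision_to_str(octet: int) -> str:
    """Decode SIZE / HORIZ PRE / VERT PRE: high nibble is the base, low nibble
    the power of ten; the value is in centimetres."""
    base, exponent = octet >> 4, octet & 0x0F
    return _cm_to_m(base * 10 ** exponent)


def _coord_to_str(value: int, positive: str, negative: str) -> str:
    """Decode a 32-bit coordinate (thousandths of an arcsecond) to 'd m s.sss H'."""
    signed = value - COORD_OFFSET
    hemisphere = positive if signed >= 0 else negative
    degrees, rest = divmod(abs(signed), 3_600_000)
    minutes, rest = divmod(rest, 60_000)
    seconds, msec = divmod(rest, 1_000)
    return f"{degrees} {minutes} {seconds}.{msec:03d} {hemisphere}"


def loc_to_str(rdata: bytes) -> str:
    """Render LOC RDATA. Version-0 records of the right length get the RFC 1876
    text form; anything else (unknown VERSION, or - my extension beyond the
    patch - a malformed length) is emitted in the generic form rather than
    being dropped from the dump."""
    if not rdata or rdata[0] != 0 or len(rdata) != LOC_WIRE_LEN:
        return generic_rdata(rdata)
    _version, size, hprec, vprec, lat, lon, alt = struct.unpack("!BBBBIII", rdata)
    return " ".join((
        _coord_to_str(lat, "N", "S"),
        _coord_to_str(lon, "E", "W"),
        _cm_to_m(alt - ALT_OFFSET_CM),
        _precision_to_str(size),
        _precision_to_str(hprec),
        _precision_to_str(vprec),
    ))


# Constructed sample records (not from the page): a valid version-0 LOC and
# the same payload with VERSION set to 1.
VERSION0 = struct.pack("!BBBBIII", 0, 0x12, 0x16, 0x13,
                       COORD_OFFSET + 188_543_000,   # 52 22 23.000 N
                       COORD_OFFSET + 17_612_000,    # 4 53 32.000 E
                       ALT_OFFSET_CM - 200)          # -2 m
VERSION1 = bytes([1]) + VERSION0[1:]

if __name__ == "__main__":
    print(loc_to_str(VERSION0))
    print(loc_to_str(VERSION1))
```

The point the patch makes is visible in the last branch of `loc_to_str()`: a dumper that refuses to print anything for an RR it cannot interpret hides data from the operator reading an AXFR, whereas the generic form loses nothing and can always be parsed back into the same wire bytes.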
Hi ..
I'm trying out the dnstap support in Knot, and I seem to have an issue getting it to write to a socket instead of a file. If I give it a file to write to, things seem to work as expected. When I write to a socket, the socket file is not created, and there don't appear to be any errors.
Have I got something wrong?
My very basic config and startup log is included below.
---
server:
rundir: /home/matt/etc/knot
user: matt:staff
listen: 0.0.0.0@5353
log:
- target: /home/matt/etc/knot/logfile
server: info
zone: info
any: info
mod-dnstap:
- id: capture_all
sink: unix:/home/matt/etc/knot/capture.tap
template:
- id: default
storage: /home/matt/etc/knot/zones
kasp-db: /home/matt/etc/knot/kasp
module: mod-dnstap/capture_all
zone:
- domain: myzone.test
dnssec-signing: on
---
2016-02-23T18:09:47 info: Knot DNS 2.1.1 starting
2016-02-23T18:09:47 info: binding to interface '0.0.0.0@5353'
2016-02-23T18:09:47 info: changing GID to '60'
2016-02-23T18:09:47 info: changing UID to '1001'
2016-02-23T18:09:47 info: PID stored in '/home/matt/etc/knot/knot.pid'
2016-02-23T18:09:47 info: changed directory to /
2016-02-23T18:09:47 info: loading 1 zones
2016-02-23T18:09:47 info: [myzone.test] zone will be loaded, serial 0
2016-02-23T18:09:47 info: starting server
2016-02-23T18:09:47 info: [myzone.test] DNSSEC, loaded key, tag 26654, algorithm 8, KSK yes, ZSK no, public no, active no
2016-02-23T18:09:47 info: [myzone.test] DNSSEC, loaded key, tag 7468, algorithm 8, KSK no, ZSK yes, public yes, active yes
2016-02-23T18:09:47 info: [myzone.test] DNSSEC, loaded key, tag 20456, algorithm 8, KSK yes, ZSK no, public yes, active yes
2016-02-23T18:09:47 info: [myzone.test] DNSSEC, signing started
2016-02-23T18:09:47 info: [myzone.test] DNSSEC, zone is up-to-date
2016-02-23T18:09:47 info: [myzone.test] DNSSEC, next signing on 2016-02-29T23:43:54
2016-02-23T18:09:47 info: [myzone.test] loaded, serial 0 -> 2016022209
2016-02-23T18:09:47 info: server started as a daemon, PID 26600
2016-02-23T18:09:47 info: remote control, binding to '/home/matt/etc/knot/knot.sock'
2016-02-23T18:11:07 info: remote control, received command 'stop'
2016-02-23T18:11:07 info: stopping server
2016-02-23T18:11:07 info: updating zone timers database
2016-02-23T18:11:07 info: shutting down
Dear all,
knotc has a zone-check command. Is there a tool which can validate a
zone file directly?
I see that you have a DNS library which can load a zone file very fast
(https://github.com/vavrusa/luajit-kdns). However this is missing the
zone checker/validator.
The standalone zone-check command-line tool I was looking for would
also verify DNSSEC signatures, something like dnssec-verify (BIND).
Daniel
Hello everyone.
Knot DNS 2.1.1 by CZ.NIC Labs has just been declared stable. It mostly
contains bug fixes. The update is highly recommended, as some of the
problems are quite critical.
- We have resolved the problem with source address selection for
UDP messages when the server is configured to listen on all
available addresses (i.e., 0.0.0.0 or ::0). Prior to this release
and depending on the networking configuration, the server could
choose a wrong source address.
- Duplicate private keys can be now imported into the KASP database.
This is practical if you have the same signing key in the legacy
format and share the key between multiple domains. Prior to this
release, sharing the key was possible only with some hacks.
- We have resolved a problem with duplicate NSEC record which had
been returned for Wildcard No Data answers. In the new version, the
record is inserted into the response only once.
- We have fixed a possible server crash, which could happen during
an incoming zone transfer when a server reload is requested.
- The fix for a crash with many configured interfaces and threads was
included in the previous release. However, the fix was incomplete. We
have found other related problems, which are addressed in the new
version.
Thank you for the feedback and bug reports. We are looking forward
to hearing back from you. :-)
The sources are available on our server as usual.
Full changelog:
https://gitlab.labs.nic.cz/labs/knot/raw/v2.1.1/NEWS
Sources:
https://secure.nic.cz/files/knot-dns/knot-2.1.1.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-dns/knot-2.1.1.tar.xz.asc
Best Regards,
Jan
--
Jan Včelák, Knot DNS
CZ.NIC Labs https://www.knot-dns.cz
--------------------------------------------
Milešovská 5, 130 00 Praha 3, Czech Republic
WWW: https://labs.nic.cz https://www.nic.cz