-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello Community
A I am a Knot DNS user, I would like to subscribe to your mailing
list. How can I do that?
Best regards
Yves Bovard
- --
SWITCH
- --------------------------
Yves Bovard, Security
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 15, direct +41 44 268 16 31
yves.bovard(a)switch.ch, http://www.switch.ch
-----BEGIN PGP SIGNATURE-----
iQIcBAEBAgAGBQJWJNm7AAoJEOgRvbd1sr4QoV8QAK//5Hio41UtP56JWvnBxyLo
gmQRXZrD2Q6B97e0OfvFA2CLnmmKfmQwHniCWG4prgktdtsiwLscWFhBdTGk4OW9
0w9VHWc+Jvl3gDv18kmGaN9azMsoqiZ6ws3CsnEq/WdObR0a0KwJHuy3yJBJleXz
NpUN58qp+kaPQ46a0o2WKgAtDpilg30tWX2k2gLPXlNfu7IGPkmp+sXrPwWFtim5
CZHeDFfPYCWlaD8Lw1VC/7u8dKUMk4yYE35ioXlMxt2Xgdeagu70ZW9EyC7Xx4EZ
iPFDKdvxRpBljhc8YchXSldkg4rqtsQwE4h4Q07s7RAv/tkZKxAllodtiRtFC/TP
oVQ4QUjFcbUKC5dUWCQnGVbyyzBVgdWsBnhhQKiuM1477dwKe2ugMFNvIGo7GqAJ
3HDqL+L1FteBbW9iBvHN3XRcXk4bdKBm2MvbJ3KN6SptvM7n85jhLNIV+Tao+UGP
uVi3+f4KC9m2H9D7GnIjsWZQkxCfAo0di1RYG9L57wOIm/cCJYbn90nDm7sAvomb
hxRAdJYCTM+xVvlhoiANqcXll9MS4yZTD5KhZR5DgZpCoJPbatxbEy3l3r9ZTFYb
Xh3+plCk67mYClcbIo7Ln5+kWJMLKObTcSvHaApWJiMhrbU3eKoXNMZE+w90NSOW
wcgyCg0F+VtwoN+EVWXv
=9ZJL
-----END PGP SIGNATURE-----
Hi,
I need to listen on inteface which may not be present at start time.
I want to ask if there is a way to enable non-local interface bind on
KnotDNS 1.6.
The version 2.X supports this feature, but thos version os nt available
for CentOS /as I read in maliling list archive and seen the build for EPEL/.
best regards
Peter Hudec
--
*Peter Hudec*
Infraštruktúrny architekt
phudec(a)cnc.sk <mailto:phduec@cnc.sk>
*CNC, a.s.*
Borská 6, 841 04 Bratislava
Recepcia: +421 2 35 000 100
Mobil:+421 905 997 203
*www.cnc.sk* <http:///www.cnc.sk>
Hi!
In the last few days I have tried a new service for DDNS, nsupdate.info.
I have some problems with the service and I have been able to reproduce the
problem in a small sample script.
The attached script does update my bind9 instance but reports SERVFAIL for
Knot.
Unfortunately I still have not been able to get Knot to write more
extensive log entries.
The script uses the Python dns library from Nominum.
This is the output of the script (first update to bind then to knot)
$ python example.py
performing add for name ddns.example.com and origin example.com with rdtype
A and ipaddr 2.3.4.5
performing add for name ddns.example.com and origin example.com with rdtype
A and ipaddr 2.3.4.5
DNS error [SERVFAIL] performing add for name ddns.example.com and origin
example.com with rdtype A and ipaddr 2.3.4.5
Knot didn't log anything at all. (Any hints for that config would be
welcome.) Bind did log the following
Oct 5 21:07:49 localhost named[23792]: client beef::cafe#59322/key
example.com: updating zone 'example.com/IN': adding an RR at '
ddns.example.com.' A
Some error in the script? Could someone point me to a working script?
Any hints are welcome!
Kind regards from Stockholm
Ulrich
--
Ulrich Wisser
ulrich(a)wisser.se
Hello everyone!
CZ.NIC Labs just released Knot DNS 2.0.1. There is a lot of bug fixes, new
features, and improvements since the final release.
Let's start with the bug fixes:
- The 2.0.1 received all the relevant bug fixes included in the 1.6.5. Namely
fix for expired zones reloading, fix for race-condition in event scheduling,
fix for NSEC proofs with zones containing lots of delegations, fix for TC
flag setting in RRL slipped answers, fix for root label compression, and fix
for journald logging without systemd.
- The old version was incorrectly following CNAME when queried for the NSEC
record. This is fixed in the new version.
- There was a bug in the code planning DNSSEC resigning. The code hadn't
considered expiration of DNSKEY RRSIGs and therefore these signatures
could have had expired. This problem is resolved now.
- Binding to an unavailable IPv6 address was broken on Linux (IP_FREEBIND).
When the daemon was started before the network was fully up, the daemon
failed to bind IPv6 addresses. This problem is fixed as well.
- The knotc utility entered an infinite loop when the zonestatus or memstats
command was executed for an individual zone. This shouldn't happen any more.
- The dnsproxy module was not working properly as we have changed the request
processing code without updating the module. This has been addressed.
- There was a problem with parsing time stamps in the DNSSEC KASP database
when compiled against the uClibc standard C library (e.g., in Alpine Linux).
The parsing has been rewritten to work in strict POSIX environment.
- We have fixed multiple problems related to endianness. We have eliminated
compilation warnings on OpenBSD related to endian conversion functions. The
multi-value config options parsing didn't work on big-endian machines. And
we also added detection of the Nettle library version, because the version
3 changed the Base64 decoding API incompatibly.
As for the new features:
- The keymgr utility now supports 'zone key ds' command to retrieve DS records
for a key. And also 'tsig generate' command to generate TSIG key in the
format accepted by Knot DNS.
- We have added module scoping. So the modules can be configured either to
process all queries received by the server. Or their scope is limited to
individual zones.
- The 'include' config directive supports file name globbing. So you can
import multiple files at once (e.g., include: conf.d/*.conf).
- Same as in the 1.6.5, the 2.0.1 supports the 'request-edns-option' config
option allowing to add custom EDNS0 options into the DNS queries initiated
by the server.
And at last but not least, the improvements:
- We have decided to remove NS record from the Authority section for NOERROR
responses. We used to put these records there because BIND and NSD did it.
But these records are not required by any RFC and just increase the size of
the response.
- The persistent zone timers are written only on server shutdown for better
startup performance.
- The change of TTL over DDNS is now allowed without removing the existing
records.
- We have reviewed the documentation and fixed a couple of grammar mistakes,
updated some sections, and improved formatting a little bit.
- The yparser and zscanner header files are now installed.
As you may see, we are not lagging behind. This list is quite long for a patch
release. And we have much more up in our sleeve. Thank you for reading this
far. And we are looking forward to your feedback.
Full changelog:
https://gitlab.labs.nic.cz/labs/knot/raw/v2.0.1/NEWS
Sources:
https://secure.nic.cz/files/knot-dns/knot-2.0.1.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-dns/knot-2.0.1.tar.xz.asc
Cheers,
Jan
--
Jan Včelák, Knot DNS
CZ.NIC Labs https://www.knot-dns.cz
--------------------------------------------
Milešovská 5, 130 00 Praha 3, Czech Republic
WWW: https://labs.nic.czhttps://www.nic.cz
Hello!
I have tried to get the latest version of Knot running on my Raspberry Pi 2.
Unfortunately does Raspian only have packages for an old version. I updated
my Pi to debian jessie. There is actually a version of Raspian based on
jessie. That version of Raspian does come with slightly newer packages, but
still not up to date.
So I compiled my own version. 2.1.0-dev
Everything works fine until the moment I try to start knotd. IT will crash
with a segfault.
I did recompile with --enable-debug but I do not get any debug output in
syslog.
I did run with gdb and got the following information
SYSLOG:
Sep 16 22:36:57 localhost knotd[3522]: info: Knot DNS 2.1.0-dev starting
Sep 16 22:36:57 localhost knotd[3522]: info: binding to interface
'2001:470:28:193::53@53'
Sep 16 22:36:57 localhost knotd[3522]: info: configured 1 zones
Sep 16 22:36:57 localhost knotd[3522]: info: changing GID to '1003'
Sep 16 22:36:57 localhost knotd[3522]: info: changing UID to '1002'
Sep 16 22:36:57 localhost knotd[3522]: info: loading zones
Sep 16 22:36:57 localhost knotd[3522]: info: [example.com] zone will be
loaded, serial 0
Sep 16 22:36:57 localhost knotd[3522]: info: starting server
GDB:
[New Thread 0x50baa200 (LWP 3526)]
[New Thread 0x50aaa200 (LWP 3527)]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x50baa200 (LWP 3526)]
scanner_process (scanner=0x50978008) at knot/zone/zonefile.c:152
152 if (zc->ret != KNOT_EOK) {
(gdb) bt
#0 scanner_process (scanner=0x50978008) at knot/zone/zonefile.c:152
#1 0x76d80a14 in ?? () from /usr/lib/arm-linux-gnueabihf/libzscanner.so.0
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) l
147
148 /*! \brief Creates RR from parser input, passes it to handling
function. */
149 static void scanner_process(zs_scanner_t *scanner)
150 {
151 zcreator_t *zc = scanner->data;
152 if (zc->ret != KNOT_EOK) {
153 scanner->stop = true;
154 return;
155 }
156
(gdb)
It seems that the scanner thread is somehow missing. But why? Anybody with
experience with knot on armhf?
/Ulrich
--
Ulrich Wisser
ulrich(a)wisser.se
Hello,
are there any plans to publish latest builds (2.0.1) for jessie? The most
current package I can find is knot_2.0.0-1+0~bpo80+1_amd64.deb.
Regards,
PJ
Hello list.
Today, CZ.NIC Labs releases Knot DNS 1.6.5. This patch release contains quite
a lot of non-critical bug fixes and some minor improvements. Everyone is
advised to upgrade.
Let's go through the fixed bugs quickly:
- The server no longer loads expired zones on 'knotc reload' and server
startup.
- We have fixed a rare race-condition in the event scheduling code. The race
caused that events for some zones were significantly delayed. (We were
reported that the server is occasionally ignoring notify messages for random
zones when the server is receiving many notifies. We believe this bug
was the cause and the problem should no longer appear.)
- There was a bug in the NSEC proofs construction. When the zone contained
many delegations, the NSEC proving non-existence of a covering wildcard was
incorrect. The problem is fixed now.
- The TC flag was not set correctly for RRL slipped answers. This problem
is resolved as well.
- We have disabled domain name compression for the root label '.' because it
caused negative compression and some client implementations (like Go DNS)
might have problem decoding these answers.
- The server is now checking whether it is executed in the systemd enviroment
before using journald as a sink for log messages. Also the systemd library
detection at a build time was improved.
- We have also eliminated compilation warnings in endian-conversion functions
on OpenBSD.
And as for the new features:
- The persistent timers are now written to the on-disk database only on server
shutdown. This change was done mainly to improve startup and reload
performance.
- The 'max-conn-idle', 'max-conn-handshake', 'max-conn-reply', and
'notify-timeout' config options now accept time units specification
(e.g., one can use 2m instead of 120).
- We have added 'request-edns-option' config option, which allows inserting
custom EDNS0 options into all queries initiated by the server.
And that's all folks. I would like to thank everyone involved in making this
release, especially bug reporters. We are looking forward to your feedback.
The sources are available as usual.
Full changelog:
https://gitlab.labs.nic.cz/labs/knot/raw/1.6/NEWS
Source archives:
https://secure.nic.cz/files/knot-dns/knot-1.6.5.tar.xzhttps://secure.nic.cz/files/knot-dns/knot-1.6.5.tar.gz
GPG signatures:
https://secure.nic.cz/files/knot-dns/knot-1.6.5.tar.xz.aschttps://secure.nic.cz/files/knot-dns/knot-1.6.5.tar.gz.asc
Best Regards,
Jan
--
Jan Včelák, Knot DNS
CZ.NIC Labs https://www.knot-dns.cz
--------------------------------------------
Milešovská 5, 130 00 Praha 3, Czech Republic
WWW: https://labs.nic.czhttps://www.nic.cz
Hi,
I'm running Knot 2.0.0 and automatically signing my zone with manual key
management policy. When I manually refreshed the signatures by running
"knotc signzone <zone>", all the signatures were refreshed as expected,
except the DNSKEY RRset, whose signature remained untouched. I thought
this wouldn't be a big deal, as Knot would probably automatically
refresh DNSKEY RRset signature when about 1/10 of its lifetime will be
remaining.
However, when I now look at "knotc zonestatus", it shows that the next
resigning is scheduled far beyond the exipration of the DNSKEY RRset
signature. So, is my DNSKEY RRset signature going to be expired or is
DNSKEY handled in some special way so that it will be eventually
refreshed before expiring?
My current DNSKEY RRSIG will expire at 20150828172101:
nxdomain.fi. 600 IN RRSIG DNSKEY 8 2 600 20150828172101 20150729172101
61894 nxdomain.fi. qQJm.....
But the next resigning is scheduled on 2015-09-14:
nxdomain.fi. type=master | serial=2015081708 | DNSSEC resign in
647h56m43s | automatic DNSSEC, resigning at: 2015-09-14T02:26:59
Thanks,
Antti
Hi,
My system is debian 6.0 (yes I know it's out of date).
When I installed knot from source following the document, I got failed
as below. How can I get continued? thanks.
$ autoreconf -i -f
libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
configure.ac:35: error: possibly undefined macro: AC_SUBST
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
configure.ac:93: error: possibly undefined macro: AS_IF
configure.ac:102: error: possibly undefined macro: AC_MSG_WARN
configure.ac:122: error: possibly undefined macro: AC_DEFINE
configure.ac:163: error: possibly undefined macro: AC_MSG_ERROR
configure.ac:251: error: possibly undefined macro: AC_SEARCH_LIBS
autoreconf: /usr/bin/autoconf failed with exit status: 1
Network renumbering requires that A and AAAA RRs are directly or
indirectly (DHCP) updated. This in turn requires dynamic DNS updates
(RFC 2136).
Although Knot DNS allows dynamic updates, it is not really prepared to
securely handle this scenario. Knot DNS can either allow an address or
key to update RRs in a zone via ACLs which is not fine-grained enough to
useful for this purpose because it is questionable from a security
perspective (under a certain threat model etc.). Assume that example.com
uses dynamic DNS updates to update A and AAAA RRs to be prepared to
renumber its network. If example.com uses a DHCP server to update the
RRs, it suffices to take over the DHCP server of example.com to update
any RRs in the zone of example.com, including NS, MX, TLSA and SSHFP
RRs. If every host of example.com updates its own A and AAAA RRs
directly and indirectly via a DHCP server, the problem is still the
same, even if you move every hostname in a separate zone, for example it
suffices to take over the webserver that serves example.com to change
the MX RRs of example.com. With more fine-grained ACLs the problem would
not exist.
Currently ACLs consist of a subject (address and key), operation
(transfer, notify, update, control) and object (zone). I think it would
suffice to extend the object of an ACL to a triple (zone, name, type)
similar to dynamic update policies in BIND. Perhaps it would also be
useful to be able to use wildcards and negation. Are there any plans to
extend the ACL mechanism in this way?
Regards,
Matthias-Christian
