Hello everyone!
Today, CZ.NIC Labs releases Knot DNS 2.0.0-beta.
We finally managed to complete, stabilize, and document all new features of
the upcoming Knot DNS version. We are aware of some glitches in this release,
however we think that it is ready to be tested by a wider audience.
There are two key features of Knot DNS 2.0:
# New DNSSEC implementation
I wrote quite a lot about the new DNSSEC in the 1.99.1 release announcement.
Since then, only a few things changed. There was a bug in the ZSK rotation
algorithm. The old DNSKEY was removed too soon possibly breaking the
validation. This problem is resolved now. The keymgr utility has a new manual
page. And the documentation was updated to reflect all changes.
# New configuration format
This change is quite significant for the future development of Knot DNS. And
it will affect everyone using the software.
We decided to switch from a custom configuration format to YAML. Internally,
the configuration is stored in a binary database (LMDB). At the moment, you
won't probably notice anything about the database. However we are working on a
new interface, which will allow making changes into the configuration without
a full server reload. If you have Knot DNS with thousands of zones, you will
benefit this for sure.
We don't support full YAML specification, but there is a certain level of
compatibility. We plan to extend the support so you can generate the config
from your favorite scripting language.
Some configuration options (and configuration sections) were renamed.
We changed the concept how the incoming and outgoing connections are
configured. We split 'remotes' to 'remote' and 'acl'. 'remote' defines target
for outgoing connection (zone transfer source, notification target). And 'acl'
defines rules for accepting connections initiated by a remote client (outgoing
transfer, incoming notification, and incoming update).
At the moment, only one address can be specified for each 'remote' or 'acl'.
In addition, we removed 'groups' as it was complicating the implementation. We
are aware that the current state is not ideal. And we are looking for feedback
and suggestions from the community.
We are not just removing and changing things - we added support for zone
templates, which is something a lot of our users asked for. A template allows
you to configure options shared among multiple zones. A change in the template
affects all zones, which use the template.
To convert the configuration from the 1.6 to the 2.0 format, the knot1to2 tool
is provided. The tool doesn't support conversion for answering modules (e.g.
synth_record), but should handle anything else. Please, review the
configuration after performing the automatic conversion.
That's all, folks! Please, give it a try. Experiment with the new DNSSEC and
play around with the new configuration. And most importantly, let us know what
do you think.
Thank you for using Knot DNS!
Sources:
https://secure.nic.cz/files/knot-dns/knot-2.0.0-beta.tar.xzhttps://secure.nic.cz/files/knot-dns/knot-2.0.0-beta.tar.gz
GPG signatures:
https://secure.nic.cz/files/knot-dns/knot-2.0.0-beta.tar.xz.aschttps://secure.nic.cz/files/knot-dns/knot-2.0.0-beta.tar.gz.asc
Best Regards,
Jan
--
Jan Včelák, Knot DNS
CZ.NIC Labs https://www.knot-dns.cz
--------------------------------------------
Milešovská 5, 130 00 Praha 3, Czech Republic
WWW: https://labs.nic.czhttps://www.nic.cz
I'm generating my Knot's config from a Jinja2 template, and I'm having a
problem with one thing. For example, if I have a list of elements,
[e1,e2,e3,e4], and I want to generate a "groups" config for these based
on a condition, and I do:
groups {
mygroup {
{% for x in list %}
{% if condition %}
{{ x }},
{% endif %}
{% endfor %}
}
However, this results in a syntax error, because the last element ends
with a comma, and then there's a closing bracket.
I tried to insert the comma conditionally, by checking to see if it was
the last element, but this can also fail if the last element didn't
match the condition.
So I thought about this ugly hack:
groups {
mygroup {
{% for x in list %}
{% if condition %}
,{{ x }}
{% endif %}
{% endfor %}
}
Notice that I have the comma *before* each element. This results in an
opening brace, a comma, and then the other elements. My supposition is
that Knot's syntax parser is okay with this, because it just sees a null
first element. If I check this with knotc's "checkconf", it says the
syntax is okay.
Can I safely use such a config?
Regards,
Anand
Dear Knot developers,
In Knot 1.6.3, is it safe to leave out the "interfaces" section of the
config on a multi-homed server? Will Knot enumerate all the addresses on
the host and bind to them, or will it bind to 0.0.0.0 and ::?
Secondly, if bound to 0.0.0.0 and ::, will Knot use recvmmsg correctly
and set the source address in UDP reply packets to the address the query
was sent to?
Regards,
Anand
Hi,
I am trying to use nsupdate from knot 1.6.1. I have generated key files using dnssec-keygen from BIND 9.9.5. i.e.
dnssec-keygen -a HMAC-MD5 -b 256 -n HOST -C host.example.com
Whenever I try to use the files with nsupdate -k <file> though I get:
; Error: failed to read key file: public key file is invalid
I have also tried without the “-C” to dnssec-keygen.
Are there different flags I need? Or does someone have an example of the file format required?
Thanks,
Andrew
Hi,
I'm looking at knot-1.6.1 after have experienced failure with sending
AXFR after a zone grew due to enabling DNSSEC, adding a lot of records.
I don't know much about iovecs, but isn't this a short write?
--8<---------------cut here---------------start------------->8---
libknot/internal/errcode.h:
enum knot_error {
...
KNOT_ECONNREFUSED = -ECONNREFUSED,
...
KNOT_ERROR_MIN = -1000,
...
KNOT_ERROR = KNOT_ERROR_MIN,
...
KNOT_ECONN,
...
};
libknot/internal/net.c:
int tcp_send_msg(int fd, const uint8_t *msg, size_t msglen)
{
...
int total_len = iov[0].iov_len + iov[1].iov_len;
int sent = writev(fd, iov, 2);
if (sent != total_len) {
return KNOT_ECONN;
}
...
}
knot/server/tcp-handler.c:
tcp_handle()
{
...
while (state & (NS_PROC_FULL|NS_PROC_FAIL)) {
uint16_t tx_len = tx->iov_len;
state = knot_process_out(tx->iov_base, &tx_len, &tcp->query_ctx);
/* If it has response, send it. */
if (tx_len > 0) {
if (tcp_send_msg(fd, tx->iov_base, tx_len) != tx_len) {
ret = KNOT_ECONNREFUSED;
break;
}
}
}
...
}
--8<---------------cut here---------------end--------------->8---
Happy to file a bug report if that's a more proper way of reporting
bugs.
This patch adds a new "forced generic" dump style which dumps resource
record types and data in the generic RFC 3597 representation format,
even for known resource record types. A corresponding +generic option to
kdig enables this dump style.
Generic representation format is very handy when dealing with older DNS
software that may not support a new resource record type, or with
systems where it is more convenient to use the generic format even with
known types. It is also a nice debugging / educational feature. (No need
to fire up Wireshark.)
---
man/kdig.1.in | 3 +++
src/libknot/rrset-dump.c | 10 +++++++++-
src/libknot/rrset-dump.h | 2 ++
src/utils/kdig/kdig_params.c | 13 +++++++++++++
4 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/man/kdig.1.in b/man/kdig.1.in
index 4772e27..b6f2286 100644
--- a/man/kdig.1.in
+++ b/man/kdig.1.in
@@ -178,6 +178,9 @@ Use EDNS version (default is 0).
Disable IDN transformation to ASCII and vice versa.
IDNA2003 support depends on libidn availability during project building!
.TP
+.BR +generic
+Use the generic representation format when printing resource record types and data.
+.TP
.BI +client= SUBN
Set EDNS client subnet SUBN=IP/prefix.
.TP
diff --git a/src/libknot/rrset-dump.c b/src/libknot/rrset-dump.c
index dd4625d..2f503c1 100644
--- a/src/libknot/rrset-dump.c
+++ b/src/libknot/rrset-dump.c
@@ -1774,6 +1774,10 @@ int knot_rrset_txt_dump_data(const knot_rrset_t *rrset,
return ret;
}
+ if (style->generic) {
+ return dump_unknown(&p);
+ }
+
switch (rrset->type) {
case KNOT_RRTYPE_A:
ret = dump_a(&p);
@@ -1941,7 +1945,11 @@ int knot_rrset_txt_dump_header(const knot_rrset_t *rrset,
}
// Dump rrset type.
- if (knot_rrtype_to_string(rrset->type, buf, sizeof(buf)) < 0) {
+ if (style->generic) {
+ if (snprintf(buf, sizeof(buf), "TYPE%u", rrset->type) < 0) {
+ return KNOT_ESPACE;
+ }
+ } else if (knot_rrtype_to_string(rrset->type, buf, sizeof(buf)) < 0) {
return KNOT_ESPACE;
}
if (rrset->rrs.rr_count > 0) {
diff --git a/src/libknot/rrset-dump.h b/src/libknot/rrset-dump.h
index 4519159..e44cca3 100644
--- a/src/libknot/rrset-dump.h
+++ b/src/libknot/rrset-dump.h
@@ -46,6 +46,8 @@ typedef struct {
bool human_ttl;
/*!< Format timestamp as YYYYMMDDHHmmSS. */
bool human_tmstamp;
+ /*!< Force generic data representation. */
+ bool generic;
/*!< ASCII string to IDN string transformation callback. */
void (*ascii_to_idn)(char **name);
} knot_dump_style_t;
diff --git a/src/utils/kdig/kdig_params.c b/src/utils/kdig/kdig_params.c
index ec7ec9f..6fafb22 100644
--- a/src/utils/kdig/kdig_params.c
+++ b/src/utils/kdig/kdig_params.c
@@ -54,6 +54,7 @@ static const style_t DEFAULT_STYLE_DIG = {
.empty_ttl = false,
.human_ttl = false,
.human_tmstamp = true,
+ .generic = false,
.ascii_to_idn = name_to_idn
},
.show_query = false,
@@ -551,6 +552,15 @@ static int opt_noidn(const char *arg, void *query)
return KNOT_EOK;
}
+static int opt_generic(const char *arg, void *query)
+{
+ query_t *q = query;
+
+ q->style.style.generic = true;
+
+ return KNOT_EOK;
+}
+
static int opt_nsid(const char *arg, void *query)
{
query_t *q = query;
@@ -805,6 +815,8 @@ static const param_t kdig_opts2[] = {
/* "idn" doesn't work since it must be called before query creation. */
{ "noidn", ARG_NONE, opt_noidn },
+ { "generic", ARG_NONE, opt_generic },
+
{ "client", ARG_REQUIRED, opt_client },
{ "time", ARG_REQUIRED, opt_time },
@@ -1363,6 +1375,7 @@ static void kdig_help(void)
" +[no]nsid Request NSID.\n"
" +[no]edns=N Use EDNS (=version).\n"
" +noidn Disable IDN transformation.\n"
+ " +generic Use generic representation format.\n"
" +client=SUBN Set EDNS client subnet IP/prefix.\n"
" +time=T Set wait for reply interval in seconds.\n"
" +retry=N Set number of retries.\n"
--
2.1.4
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hi,
does Knot have a feature like "rndc stats" in BIND or "nsd-control
stats" that allows you to get some statistics about how many queries
were handled and what their result were (like SERVFAIL etc.)?
Julian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJU8zytAAoJECLcYT6QIdBtLg8P/2wF5gwHQigZ5dI5S2pztM0C
ryKAV5h6mqSuO91S+qA7IAP3GpAlzs5GrNYW9kGXspo+w9mwb/D5+mNhDSOGyoW9
iItT16TATzwpNK89Gw2uRhVJ2BhYTuQTmrp3WwAYHAe6wYGOQdBtZoel5UzSrm5e
I//3DFgmpGHSwITRcxOBl2MYhRpHEhiBQdUjk2MmTcy/L3GF1HMlY2oHuy4sFZk+
lL6x9N/NX/6K5OspF8p8eoNQ7LIBIA6OKNhz08SdsAKSe1F76pL+FPnb8iQUC6Ao
EXkdeFftxOxocL+TTSpAhqEF86IXvRsiNSic8wjYXt9blsMcOAJQFNgU25Bs5+IV
u8EtZgcusq5SbHD0Dp5wYkNV4BYYmjU2omzjxMtqV4MFZG9V8XFlXbfVwC64fsUe
YfYjvK071EK2hVHTrui637tnS8uEcTJa0X8lpCEgYsy+6/EGyQ3H/8eyu77jZT57
yeZnfG4Ai/QrgS6w3jEu3+uk+kwds2wYHqHbIIw3o0GQ8awQ0kPC6tKg0dXI7aFN
tlYBM0mycQv3hFSk7x6jxJ1UPWVxdIOrNg8Vgg8FsgWnXu+JHJJxEV7uoj5DogTJ
PaSFOQccTrVoa1vwJgiHLmOALdY/5FDb9cddN1GBgj2wqcUkS/hR8tSRNXkLShhX
BTijrkJTR8qeiEEFgthp
=bPR2
-----END PGP SIGNATURE-----
Hello everyone,
on behalf of CZ.NIC Labs, I would like to announce Knot DNS 1.6.2. The
patch release contains one new feature and a few small bug fixes.
With the new version, a number of concurrent TCP clients connected to
the server can be limited. The limit is set using the 'max-tcp-clients'
configuration option in the 'system' section. Purpose of this setting is
to avoid resource exhaustion when the server is under a load. And the
default value for the option is 100.
When the limit is hit, new connections are not being accepted for a few
seconds. Active connections are not affected. Please note, that we have
also slightly lowered defaults for TCP idling timeouts.
As for the bug fixes: A possible file descriptor leak when terminating
inactive TCP clients was fixed. Scheduled events for zones switched from
slave mode to master mode are handled correctly. And compilation of
Dnstap features on FreeBSD works now.
Full changelog:
https://gitlab.labs.nic.cz/labs/knot/blob/v1.6.2/NEWS
Sources:
https://secure.nic.cz/files/knot-dns/knot-1.6.2.tar.xzhttps://secure.nic.cz/files/knot-dns/knot-1.6.2.tar.gz
GPG signatures:
https://secure.nic.cz/files/knot-dns/knot-1.6.2.tar.xz.aschttps://secure.nic.cz/files/knot-dns/knot-1.6.2.tar.gz.asc
Thank you for using Knot DNS.
Best Regards,
Jan
--
Jan Včelák, Knot DNS
CZ.NIC Labs https://www.knot-dns.cz
--------------------------------------------
Milešovská 5, 130 00 Praha 3, Czech Republic
WWW: https://labs.nic.czhttps://www.nic.cz
Hello everyone!
After months of keeping our secrets, we would like to share with you a preview
of a new DNSSEC implementation in Knot DNS. The new DNSSEC will be one of the
key features for the upcoming Knot DNS 2.0.
If you are watching our source repository, you may have noticed a tag v1.99.0
appearing silently at the end of 2014. At that time, Knot DNS was already
using the newly implemented DNSSEC, but the only visible change was a
different key format. And internally, GnuTLS/Nettle was replaced OpenSSL for
cryptographic operations.
Today, CZ.NIC Labs releases Knot DNS 1.99.1. The next step towards the 2.0.
Knot DNS 1.99.1 adds initial support for DNSSEC KASP (Key And Signature
Policy). This is our vision of real-world DNSSEC deployment. Essentially, you
define a policy (used algorithm, key sizes, key lifetime, signature lifetime,
etc.) and the server will do the heavy lifting. It will generate keys and
publish/roll them correctly, so you don't have to compute and set timing
meta-data on private keys manually.
At the moment, the KASP support is quite limited: Single algorithm, single
KSK, and single ZSK can be specified in the policy. The server is able to
generate initial keys and perform ZSK rollovers (key pre-publish method).
More features are coming soon.
A documentation on KASP [1] is currently available on the project wiki,
including the reference manual for a new management utility keymgr [2].
[1] https://gitlab.labs.nic.cz/labs/knot/wikis/kasp-setup
[2] https://gitlab.labs.nic.cz/labs/knot/wikis/kasp-keymgr-reference
Source archives are available as usual:
https://secure.nic.cz/files/knot-dns/knot-1.99.1.tar.xzhttps://secure.nic.cz/files/knot-dns/knot-1.99.1.tar.gz
Please note, that Knot DNS 1.99.1 is not ready to replace Knot DNS 1.6.x.
We are looking forward to hear some feedback from you. And we are happy to
answer all your questions and concerns.
Best regards,
Jan
--
Jan Včelák, Knot DNS
CZ.NIC Labs https://www.knot-dns.cz
--------------------------------------------
Milešovská 5, 130 00 Praha 3, Czech Republic
WWW: https://labs.nic.czhttps://www.nic.cz
Good evening,
I don't seem to be able to configure Knot 1.6.1 to sign a zone it slaves
in:
example.com {
file "/usr/local/etc/knot/aa/example.com.zone";
xfr-in home;
dnssec-keydir "/usr/local/etc/knot/aa";
dnssec-enable on;
}
If I omit the two 'dnssec-*' parameters, the zone is slaved in. Adding
them, however, results in no transfer; log shows:
notice: [example.com] automatic DNSSEC signing enabled, disabling incoming XFRs
Is it currently possible with Knot to sign a slaved zone?
Regards,
-JP