Hello List!
Today, we release Knot DNS 1.4.6 with two minor fixes.
First issue we've fixed would only occur when doing DNSSEC key
rollover using the key metadata (via the dnssec-settime tool, for
example) - there was a possibility that the server would try to sign the
zone continuously for a limited amount of time. DNSSEC data would stay
valid all the time though.
The other fix concerns mainly RRL users with recvmmsg enabled - when
using SLIP other than 1, responses that should have been dropped were
actually sent as empty UDP datagrams. Such responses would not be
helpful to the attacker, as they are actually smaller than the queries,
but they could confuse legitimate clients. This applies for the
responses to malformed query messages as well, even if the RRL is
disabled.
All in all, if you do not use the automatic DNSSEC or RRL, there's
probably no need to update. Hopefully, this is the last release before
the 1.5RC1 comes out, so stay tuned.
Full changelog:
https://gitlab.labs.nic.cz/labs/knot/blob/v1.4.6/NEWS
Sources:
https://secure.nic.cz/files/knot-dns/knot-1.4.6.tar.gzhttps://secure.nic.cz/files/knot-dns/knot-1.4.6.tar.xz
GPG signatures:
https://secure.nic.cz/files/knot-dns/knot-1.4.6.tar.gz.aschttps://secure.nic.cz/files/knot-dns/knot-1.4.6.tar.xz.asc
Updated packages will be available shortly. Thank you for using Knot
DNS.
Regards,
Jan
--
Jan Kadlec, Knot DNS
CZ.NIC Labs http://www.knot-dns.cz
-------------------------------------------
Americká 23, 120 00 Praha 2, Czech Republic
WWW: http://labs.nic.czhttp://www.nic.cz
Hi there,
do you plan to enable/run Knot as a recursive server too ? We used our
master dns server as a recursive server too (only for our servers), but
after migrating from Bind to Knot it is not possible. For now I had to
change asking secondary dns server with bind, but ... :)
Thanks and best regards
J.Karliak.
Hi,
I've some problems with my domains, I was unreacheable because of knot
wasn't responding. I want to run debug, I've this in my knot.conf:
...
...
log {
syslog { any all; zone all; }
file "/var/log/knotd.debug" {
server debug;
zone debug;
}
...
...
but the "/var/log/knotd.debug" file is empty. Did I missed something ? :)
About knot : he was running, SOA querried to master server that my knot
makes slave, but didn't answered for my domains that he manage. After
restart knot all's fine... Anyway I made a few minutes ago update of the
knot, maybe some "old" bug fixed in the new version, now running
"knot-1.4.4-49.1.x86_64".
Thanks and best regards
J.Karliak.
Hi!
I use knot 1.4.4 and sign my zones with NSEC3.
Is NSEC3 with opt-out supported?
If yes, how can I activate opt-out?
I tried setting the flag in the NSEC3PARAM record but apparently this
does not activate opt-out.
Thanks
Klaus
Hi Everyone,
we're getting closer to the 1.5 release and because we're mostly
feature complete now, I think today might be a good opportunity to
share some of the new stuff we've created and hear out your opinions.
There's a ton of improvements that I can't cover in a few paragraphs,
but I've picked 3 of those that I think are the pillars for the bigger
plan for this year.
Just so you know, there is no tarball this time, but if you're brave
enough, you can actually try everything covered here. You can find the
code in our git repository under a tag "v1.5.0-alpha":
$ git clone -b v1.5.0-alpha https://gitlab.labs.nic.cz/labs/knot.git
1. Query processing and code base
We've known for a while that there were parts of the code that we
weren't happy with. It's not just that it was getting hard to patch
and read, but with we had a ton of ideas that we couldn't get
implemented because of the limitations (in fact, this effort bears
fruits as soon as of this release, but more on that later). One of
those places was query processing and dealing with queries in general.
Naturally, we've sat down and reworked this from scratch. Now, from
the user perspective it's not so exciting - yes we made it RFC
compliant in several cases and it's faster than ever (I'm running
benchmarks as we speak, so you might want to check out our webpage
later). It's still a preview and we're ironing things out, so don't
take the numbers as final.
For those who are interested in the details (thank you!), it's much
much more important because the code lays a solid foundation for the
cool stuff to come while being lightweight. How much? Around 10+k LOC
which is roughly 10-15% of our code base gone and we offset that by
adding almost 5k LOC worth of test cases. To put it in another words,
it means it does more with less and we're not done here.
2. Separating Knot DNS library
We also improved the Knot DNS build process overall. The code
providing basic building blocks for the server and utilities is now
held in the libknot library, which is by default linked dynamically to
these components. You will also notice the libzscanner library, our
high-performance zone scanner written in Ragel (with no dependencies
on Knot DNS). We plan to build some other projects on top of that and
provide public headers in the future (which is more likely to happen
for the libzscanner - if someone is interested). But currently, you
may benefit from a smaller size of the binaries.
3. Pluggable query processing modules + auto forward/reverse records
New features are always a compromise - usually between ease of use,
complexity and resource usage.
But what if we could make the core as lightweight as possible and let
the user choose? The new processing API is built like a Lego (don't
step on it though), it breaks down the processing into independent
parts that together form a plan for query processing. So what we did
was, we've created an interface for loadable modules and let it
add/remove or change the query processing plan as the module sees fit.
This allows to keep complexity at bay (for those who don't want extra
stuff) and provide a playground for new ideas. We actually have a
first module - it can synthesize per-answer forward/reverse records
for IPv4/IPv6 addresses from a template in configuration file (see
4.11 in the documentation on further information). For the impatient,
an example speaks the best:
We have an IPv6 reverse zone we need to take care of, but the problem
is the address space is too big to generate a zone file. So we create
an empty zone, put in static records we want and let the module to
synthesize other records per-answer (if they fit in the template and
aren't present in the zone):
# Configuration:
1.6.b.0.0.0.0.0.0.2.6.2.ip6.arpa {
query_module {
synth_record "reverse dynamic- example. 400 2620:0:b61::/52";
}
Now if we load Knot DNS, and kdig for a reverse record, we get a
following reply:
$ kdig PTR 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.6.b.0.0.0.0.0.0.2.6.2.ip6.arpa.
;; QUESTION SECTION:
;; 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.6.b.0.0.0.0.0.0.2.6.2.ip6.arpa.
0 IN PTR
;; ANSWER SECTION:
..snip.. 400 IN PTR dynamic-2620-0000-0b61-0000-0000-0000-0000-0001.example.
Forward records can be dealt with in a similar fashion, see the manual
4.11 for more examples and information.
To sum it up, modules could be a way to accommodate for the "should
this be a in a nameserver?" sort of things. If you don't like it, just
don't put it in the configuration and you're good. As of now the
module API is open (no "how to" though), and so are we for ideas.
Phew, this was longer than I expected and I barely scratched the surface.
As you see, this version is going to be a lot about tidying up and
opening up the possibilities.
So what's your take on this?
Best,
Marek
--
Marek Vavrusa, Knot DNS
CZ.NIC Labs http://www.knot-dns.cz
-------------------------------------------
Americká 23, 120 00 Praha 2, Czech Republic
WWW: http://labs.nic.czhttp://www.nic.cz
Hi Everyone,
while we in the CZ.NIC Labs are all focused on the next big thing, I
thought now it might be a good time to get out another of our
(admittedly highly irregular) monthly patch releases. Bug fixes aside,
there are a couple improvements that we hope will make your life
easier. Here's the breakdown:
- 'knotc reload' does not immediately refresh/notify unchanged zones.
This fixes the flurry of refresh messages after each reload and makes
it lightweight enough to be used frequently. Note that new/changed
zones are still added and old zones are removed. However, if you want
to refresh zones explicitly, you need to call 'knotc refresh' after
reload now.
- 'knotc -f refresh' now truly forces a zone refresh. To put it in
another words, it's akin to the 'retransfer' command that you missed
in the Knot DNS and instead of checking for new zone, it starts a full
transfer of the zone right away.
- 'knotc' remote commands are now logged in the daemon logfile
Now, there are several bugfixes as well. See the NEWS for a complete
list, but here's a selection of the most notable - in several cases
notify messages weren't sent after a zone resign, progressive
bootstrap retry regression was fixed, few issues with journal and
maximum entry size. There is also a slight behaviour change in the
zone file parser and the daemon itself. First - zone file parser now
accepts asterisk in the domain name labels (wildcards aside). As for
the daemon, if a zone is in a slave mode and fails to load for some
reason, it immediately tries to reboostrap from the master server
instead of just reporting an error.
I'd also like to thank to Robert S. Edmonds for amending various
spelling errors and typos in manpages and documentation, thanks!
So that's it, I hope the improvements make this update a little
worthwhile before new stuff
comes out later this spring.
Full changelog:
https://gitlab.labs.nic.cz/labs/knot/blob/v1.4.4/NEWS
Sources:
https://secure.nic.cz/files/knot-dns/knot-1.4.4.tar.gzhttps://secure.nic.cz/files/knot-dns/knot-1.4.4.tar.xz
GPG signatures:
https://secure.nic.cz/files/knot-dns/knot-1.4.4.tar.gz.aschttps://secure.nic.cz/files/knot-dns/knot-1.4.4.tar.xz.asc
Kind Regards,
Marek
--
Marek Vavrusa, Knot DNS
CZ.NIC Labs http://www.knot-dns.cz
-------------------------------------------
Americká 23, 120 00 Praha 2, Czech Republic
WWW: http://labs.nic.czhttp://www.nic.cz
Hi there,
I migrated our primary DNS from Bind to Knot. I runned some tests by
nic.cz's dnscheck, but there is an error:
DNSSEC signature RRSIG(fnhk.cz/IN/SOA/64431) fails to validate the RR set:
key 1: keytag does not match key 2:RSA Verification failed
Link to test:
http://dnscheck.labs.nic.cz/?time=1395821962&id=102810&view=advanced&test=s…
Knot doesn't complains to anything in the system log, fnhk.cz zone is
succefully signed.
What did I missed ?
Thanks and best regards
J.Karliak.