Hi,
without DNS UPDATE OpenDNSSEC can be configured to read an unsigned zone
file, sign it and reload the zone [1]. With DNS UPDATE it gets more
complicated. It seems that you have to run a hidden primary that
receives that updates and transfers the unsigned zones to OpenDNSSEC
which in turn transfers the zones to a slave server. There are some
alternatives if you manipulate zone files with custom scripts.
While a hidden primary may be acceptable and zone transfers are probably
the most reliable solution, it is an overkill for my use case and adds
to much complexity. I could use Knot DNS to sign the zones, but it
doesn't automate KSK rollovers and I need to execute a custom binary to
update the keys at the registrar which is also not supported. Perhaps
Knot DNS could remove all DNSSEC RRs before it transfers the zone to
OpenDNSSEC, but it's kind of a hack and I'm not sure if this a good idea.
OpenDNSSEC also delayed support for dynamic updates to 2.x, which means
2014 and or later. So this is not an option.
Does anyone have suggestions to solve this problem?
Regards,
Matthias-Christian
[1] http://www.bortzmeyer.org/opendnssec-nsd.html
Hi,
I am new on this list, and have just installed and start using Knot for
the first time on freeBSD:
#uname -r
10.0-BETA1
Look pretty nice and light. very close to Bind/Unix daemon configuration
styles.
After I have started the daemon,
#knotd -d
and check his status:
#knotc status
OK
and check the version:
#knotd -V
Knot DNS, version 1.3.2
I tried to hide the version as above:
#
# This is a sample of a minimal configuration file for Knot DNS.
#
# For exhaustive list of all options see samples/knot.full.conf
# in the source directory or refer to user manual.
#
system {
# Identity of the server (see RFC 4892).
##identity on;
##
version "My First Knot Config..";
# Version of the server (see RFC 4892)
version on;
# User for running server
# May also specify user.group (e.g. knot.knot)
user root.knot;
# This is a default directory to place slave zone files, journals etc.
# default: ${localstatedir}/lib/knot, configured with --with-storage
# storage "/usr/local/var/lib/knot";
# Directory for storing run-time data
# e.g. PID file and control sockets
# default: ${localstatedir}/run/knot, configured with --with-rundir
# rundir "/usr/local/var/run/knot";
}
interfaces {
all_ipv4 {
address 0.0.0.0;
port 53;
}
all_ipv6 {
address [::];
port 53;
}
}
control {
# Default: knot.sock (relative to rundir)
listen-on "knot.sock";
# As an alternative, you can use an IPv4/v6 address and port
# Same syntax as for 'interfaces' items
# listen-on { address 127.0.0.1@5533; }
# Specifies ACL list for remote control
# Same syntax as for ACLs in zones
# List of remotes or groups delimited by comma
# Notice: keep in mind that ACLs bear no effect with UNIX sockets
# allow server0, admins;
}
#remotes {
# master0 {
# address 198.51.100.1@53;
# }
# slave0 {
# address 203.0.113.1@53;
# }
#}
zones {
# Example master zone
# example.com {
# file "/usr/local/etc/knot/example.com.zone";
# xfr-out slave0;
# notify-out slave0;
# }
#
# Example slave zone
# example.net {
# file "/usr/local/var/lib/knot/example.net.zone
# xfr-in master0;
# notify-in master0;
# }
}
log {
syslog {
# log errors of any category
any error; # for <category> and <severity> see above
# log also warnings and notices from category 'zone'
zone warning, notice;
# log info from server
server info;
}
# Log fatal, warnings and errors to stderr
stderr {
any error, warning;
}
After I have reloaded the daemon with:
#knotc reload
OK
The version remain the same.
Another question is, when I tried to run the command knotd -c knot.conf,
I received errors as above:
root@chris:/usr/local/etc/knot # knotd -c knot.conf
2013-10-25T19:46:00 Reading configuration
'/usr/local/etc/knot/knot.conf' ...
2013-10-25T19:46:00 [error] Cannot bind to socket (errno 48).
2013-10-25T19:46:00 [error] Could not bind to UDP interface 0.0.0.0 port 53.
2013-10-25T19:46:00 [error] Cannot bind to socket (errno 48).
2013-10-25T19:46:00 [error] Could not bind to UDP interface :: port 53.
2013-10-25T19:46:00 [warning] Server started, but no zones served.
and the errors makes me to pkill knot the process and start the daemon
again.
I my doing wrong?
Sorry for the configuration statements in the mail.
--
Kind Regards
Eric Kom
Senior IT Manager - Metropolitan Schools
_________________________________________
/ You are scrupulously honest, frank, and \
| straightforward. Therefore you have few |
\ friends. /
-----------------------------------------
\
\
.--.
|o_o |
|:_/ |
// \ \
(| Kom | )
/'\_ _/`\
\___)=(___/
2 Hennie Van Till, White River, 1240
Tel: 013 750 2255 | Fax: 013 750 0105 | Cell: 078 879 1334
erickom(a)kom.za.net | erickom(a)metropolitancollege.co.za
www.kom.za.net | www.kom.za.org | www.erickom.co.za
Key fingerprint: 513E E91A C243 3020 8735 09BB 2DBC 5AD7 A9DA 1EF5
Zdravim,
mozno sa to uz tu riesilo.
Planujete novu verziu 1.3.1 propagovat aj do FreeBSD portov ? Aktualne
je tam verzia 1.3.0 rc1.
Samozrejme je moznost si to skompilovat rucne, ale preferoval by som
porty ak mate v plane ich udrzovat :)
--
Robert
I was just giving kdig and khost a spin, when I noticed some very long output for a simple query with khost. Looks like the aliases is expanded multiple times:
erwin@panda:/home/erwin % khost www.droso.dkwww.droso.dk. is an alias for koala.droso.dk.
koala.droso.dk. has IPv4 address 213.239.220.246
www.droso.dk. is an alias for koala.droso.dk.
koala.droso.dk. has IPv6 address 2a01:4f8:a0:7163::2
www.droso.dk. is an alias for koala.droso.dk.
erwin@panda:/home/erwin % host www.droso.dkwww.droso.dk is an alias for koala.droso.dk.
koala.droso.dk has address 213.239.220.246
koala.droso.dk has IPv6 address 2a01:4f8:a0:7163::2
I would say once is enough :-)
Cheers,
Erwin
--
Med venlig hilsen/Best Regards
Erwin Lansing
Network and System Administrator
DK Hostmaster A/S
Kalvebod Brygge 45, 3. sal
1560 København V
Tlf. 33 64 60 60
Fax.: 33 64 60 66
Email: erwin(a)dk-hostmaster.dk
Homepage: http://www.dk-hostmaster.dk
.dk Danmarks plads på Internettet
-------------------------------------------------------------------------
This is an email from DK Hostmaster A/S. This message may contain
confidential information and is intended solely for the use of the
intended addressee. If you are not the intended addressee please notify
the sender immediately and delete this e-mail from your system. You are
not permitted to disclose, distribute or copy the information in this
e-mail.
--------------------------------------------------------------------------
Hello Knot developers,
I'm trying out Knot 1.3.0 final, and testing the new options for
system.identity, system.version and system.nsid.
At first, I did this:
system {
identity yes;
version yes;
nsid yes;
}
The alert ones will note that I didn't use "on", but accidentally used
"yes", so Knot parsed them all as strings, and gave me unexpected but
correct results.
; <<>> DiG 9.9.3-P2 <<>> +norec +nsid @193.0.0.198 ch txt id.server
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15951
;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; NSID: 79 65 73 (y) (e) (s)
;; QUESTION SECTION:
;id.server. CH TXT
;; ANSWER SECTION:
id.server. 0 CH TXT "yes"
; <<>> DiG 9.9.3-P2 <<>> +norec +nsid @193.0.0.198 ch txt version.server
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56914
;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; NSID: 79 65 73 (y) (e) (s)
;; QUESTION SECTION:
;version.server. CH TXT
;; ANSWER SECTION:
version.server. 0 CH TXT "yes"
Note that the NSID value is also "yes".
So I realised my mistake, and changes the values from "yes" to "on", and
HUPped the server. Now I get:
;; Warning: Message parser reports malformed message packet.
; <<>> DiG 9.9.3-P2 <<>> +norec +nsid @193.0.0.198 ch txt id.server
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27835
;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: Messages has 7 extra bytes at end
;; QUESTION SECTION:
;id.server. CH TXT
;; ANSWER SECTION:
id.server. 0 CH TXT "admin.authdns.ripe.net"
;; Warning: Message parser reports malformed message packet.
; <<>> DiG 9.9.3-P2 <<>> +norec +nsid @193.0.0.198 ch txt version.server
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60856
;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: Messages has 7 extra bytes at end
;; QUESTION SECTION:
;version.server. CH TXT
;; ANSWER SECTION:
version.server. 0 CH TXT "Knot DNS 1.3.0"
Note the warnings from dig about the extra bytes at the end. It seems
that if you change the value of NSID and reconfigure the server, it does
not appear to pick up the new value correctly. Stopping Knot completely
and starting it fixes it, but there appears to be a bug during
reconfiguration.
Hi Everyone,
as promised last week, I am proud to announce the 1.3.0 final is out!
It's been a long release cycle since the last final release, but it
brought lots and lots of bugfixes and a slew of new features.
Let me reiterate briefly what's new since the 1.2.0 - one of the most
visible features is the new zone file parser,
which eliminated the whole zone compilation process and sped up both
startup and preparation.
There's also a magical configure option --enable-fastparser which
makes it even faster (about 2x), very close to loading a binary zone.
We also brought our own alternative to DNS utilities like dig, host
and nsupdate which aim to be compatible with the ISC counterparts,
but also bring some nimble enhancements like pretty comments and output for dig.
No smaller are changes to the configuration. Features like groups of
remotes, include in config, UNIX sockets for remote control, new knotc
commands and general build scripts overhaul that make it nicer for the
package maintainers and users.
There also was a major refactoring effort under the bonnet (and more
to come), which shows in a lower memory consumption, maintainability
and trim code base. For many many more, check our web pages or have a
look at the NEWS file for an exhaustive list of changes and bugfixes.
Back on the ground, we fixed several bugs since rc5 last week. Namely
answering from names at or below insecure delegation points,
new defaults for CH TXT special zones, randomly disconnected transfers
and secondary groups not being initialized when dropping privileges.
Also the bootstrap retry timer is now progressive.
Many thanks for Anand Buddhdev, Jonathan Hoppe, Johan Ihren, Erwin
Lansing and many others who have sent constructive reports, ideas,
encouragements and actual code (How cool is that?).
As always, you can find the full changelog at:
https://gitlab.labs.nic.cz/knot/blob/v1.3.0/NEWS
Sources:
https://secure.nic.cz/files/knot-dns/knot-1.3.0.tar.gzhttps://secure.nic.cz/files/knot-dns/knot-1.3.0.tar.bz2https://secure.nic.cz/files/knot-dns/knot-1.3.0.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-dns/knot-1.3.0.tar.gz.aschttps://secure.nic.cz/files/knot-dns/knot-1.3.0.tar.bz2.aschttps://secure.nic.cz/files/knot-dns/knot-1.3.0.tar.xz.asc
Packages available at www.knot-dns.cz will be updated soon as well.
Cheers,
Marek
--
Marek Vavruša Knot DNS
CZ.NIC Labs http://www.knot-dns.cz
-------------------------------------------
Americká 23, 120 00 Praha 2, Czech Republic
WWW: http://labs.nic.czhttp://www.nic.cz
