2 Pro
2025
2 Pro
'25
15:44
Dear Knot Resolver users,
Knot Resolver 6.0.17 (early-access) has been released!
Improvements:
- kresctl migrate: new command for migrating the configuration to a
newer version (!1672)
- manager: basic support for non-Linux systems (macOS, FreeBSD) (!1758)
- cache: collect garbage based on usage statistics (!1726)
This results in using the cache space better, and in practice
it reduces latency especially in case of answers that are *not* fully
cached.
Incompatible changes:
See upgrading guide for incompatible configuration changes:
https://www.knot-resolver.cz/documentation/v6.0.17/upgrading.html
- Removed options from declarative configuration model (YAML). (!1672,
!1754)
These are mostly experimental and debugging/testing options that are
not useful for general users (remain in Lua):
- /dnssec/refresh-time
- /dnssec/hold-down-time
- /dnssec/time-skew-detection
- /dnssec/keep-removed
- /local-data/root-fallback-addresses*
- /logging/debugging
- /max-workers
- /network/tls/auto-discovery
- /webmgmt
- Renamed/moved options in the declarative configuration model (YAML).
(!1672)
- /cache/garbage-collector -> /cache/garbage-collector/enable
- /cache/prefetch/prediction -> /cache/prefetch/prediction/enable
- /defer/enabled -> /defer/enable
- /dns64: true|false -> /dns64/enable: true|false
- /dns64/rev-ttl -> /dns64/reverse-ttl
- /dnssec: true|false -> /dnssec/enable: true|false
- /dnssec/trust-anchor-sentinel -> /dnssec/sentinel
- /dnssec/trust-anchor-signal-query -> /dnssec/signal-query
- /logging/dnstap -> /logging/dnstap/enable
- /logging/dnssec-bogus -> /dnssec/log-bogus
- /monitoring/enabled -> /monitoring/metrics
- /monitoring/graphite -> /monitoring/graphite/enable
- /network/proxy_protocol -> /network/proxy_protocol/enable
- /network/tls/files-watchdog -> /network/tls/watchdog
- /rate-limiting -> /rate-limiting/enable
- Changed default values in declarative configuration model (YAML). (!1672)
- /logging/dnstap/log-queries: true -> false
- /logging/dnstap/log-responses: true -> false
- /logging/dnstap/log-tcp-rtt: true -> false
Full changelog:
https://gitlab.nic.cz/knot/knot-resolver/raw/v6.0.17/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.17.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.17.tar.xz.asc
Documentation:
https://www.knot-resolver.cz/documentation/v6.0.17/
--
Ales Mrazek
PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE
31 Pro
31 Pro
13:37
Aleš Mrázek via knot-resolver-users <knot-resolver-users(a)lists.nic.cz> wrote:
Is there a document available that describes which configuration file formats are accepted
by Knot Resolver 6.x.x?
On https://www.knot-resolver.cz/documentation/v6.0.17/upgrading-to-6.html#upgr… I
find:
| new declarative configuration in YAML that can be validated before running
Background of my question is that my current LUA configuration works right away besides
[1].
Does that mean, LUA configuration is still being supported?
Or do I need to migrate to YALM?
FYI: This is FreeBSD and kresctl tool isn't available here.
Here my issue [1]:
Serving local hints.add_hosts as done in 5.7.6 stopped working (LUA config):
--
-- local domains
--
hints.add_hosts('/usr/local/etc/knot-resolver/LOCALZONES/domain1.lan')
hints.add_hosts('/usr/local/etc/knot-resolver/LOCALZONES/domain2.lan')
policy.add(
policy.suffix(
policy.PASS, {
todname('1.0.10.in-addr.arpa'),
todname('2.0.10.in-addr.arpa'),
}
)
)
I see in the logs that both files have been loaded, but an example answer is:
; <<>> DiG 9.20.17 <<>> @10.0.1.100 www.domain1.lan
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33129
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.domain1.lan. IN A
;; AUTHORITY SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2025123100 1800 900 604800
86400
;; Query time: 26 msec
;; SERVER: 10.0.1.100#53(10.0.1.100) (UDP)
;; WHEN: Wed Dec 31 12:29:03 CET 2025
;; MSG SIZE rcvd: 122
Do I need to YALM configuration to get that working again?
Thanks in advance and regards,
Michael
14:55
Hi,
just another user here. But did you tried this in config.yaml?
lua:
script: |-
--
-- local domains
--
hints.add_hosts('/usr/local/etc/knot-resolver/LOCALZONES/domain1.lan')
hints.add_hosts('/usr/local/etc/knot-resolver/LOCALZONES/domain2.lan')
policy.add(
policy.suffix(
policy.PASS, {
todname('1.0.10.in-addr.arpa'),
todname('2.0.10.in-addr.arpa'),
}
)
)
17:33
On 31/12/2025 13.37, Michael Grimm via knot-resolver-users wrote:
Is there a document available that describes which
configuration file formats are accepted by Knot Resolver 6.x.x?
Onhttps://www.knot-resolver.cz/documentation/v6.0.17/upgrading-to-6.html#upgrading-to-6 I
find:
| new declarative configuration in YAML that can be validated before running
Background of my question is that my current LUA configuration works right away besides
[1].
Does that mean, LUA configuration is still being supported?
Or do I need to migrate to YAML?
With 6.x we strongly prefer YAML. It's actually one of the main
motivators for 6.x that Lua turned out to be a constant source of
confusion. (e.g. people often writing code that's a correct Lua script
but doesn't do what they intended) And the language is too powerful to
work with easily (e.g. "check correctness").
We've moved docs about Lua stuff to developer part of docs, and some
parts of that might be not really up to date, too. Generally you
shouldn't use Lua unless you know what you're doing. And even in that
case it's expected that you use YAML for 99% of your config and only add
extra tweaks in Lua (via the lua: section in YAML mentioned in another
message in this thread).
FYI: This is FreeBSD and kresctl tool isn't
available here.
OK, that's a complication. In 6.0.17 we added FreeBSD support to code
added in 6.x, and now we're in contact with the maintainer of the
[port], but the last version I saw didn't seem to package all parts
needed for YAML (e.g. executables called knot-resolver and kresctl).
[port]: https://www.freshports.org/dns/knot-resolver
Here my issue [1]:
Serving local hints.add_hosts as done in 5.7.6 stopped working (LUA config):
--
-- local domains
--
hints.add_hosts('/usr/local/etc/knot-resolver/LOCALZONES/domain1.lan')
hints.add_hosts('/usr/local/etc/knot-resolver/LOCALZONES/domain2.lan')
policy.add(
policy.suffix(
policy.PASS, {
todname('1.0.10.in-addr.arpa'),
todname('2.0.10.in-addr.arpa'),
}
)
)
A good news is that 6.x is much better in doing what people expect
around local-data stuff. So you don't even need anything like this PASS
anymore in YAML, as only missing addresses will get blocked by these
default rules. It will suffice to just have:
local-data:
addresses-files:
- /usr/local/etc/knot-resolver/LOCALZONES/domain1.lan -
/usr/local/etc/knot-resolver/LOCALZONES/domain2.lan
--Vladimir
1 Led
1 Led
16:35
Vladimír Čunát via knot-resolver-users <knot-resolver-users(a)lists.nic.cz> wrote:
On 31/12/2025 13.37, Michael Grimm via
knot-resolver-users wrote:
> Does that mean, LUA configuration is still being
supported?
> Or do I need to migrate to YAML?
Generally you shouldn't use Lua unless you know
what you're doing. And even in that case it's expected that you use YAML for 99%
of your config and only add extra tweaks in Lua (via the lua: section in YAML mentioned in
another message in this thread).
Ok, understood
> FYI: This is FreeBSD and kresctl tool isn't
available here.
OK, that's a complication. In 6.0.17 we added
FreeBSD support to code added in 6.x, and now we're in contact with the maintainer of
the [port], but the last version I saw didn't seem to package all parts needed for
YAML (e.g. executables called knot-resolver and kresctl).
[port]: https://www.freshports.org/dns/knot-resolver
I will wait until Leo will have dealt with that.
And that might be the reason why I do not succeed in using this simple YAML configuration:
network:
listen:
- interface: &interfaces
- 10.0.1.100
local-data:
addresses-files:
- /usr/local/etc/knot-resolver/LOCALZONES/domain1.lan
- /usr/local/etc/knot-resolver/LOCALZONES/domain2.lan
Error:
kresd[68801]: [system] error while loading config:
/usr/local/etc/knot-resolver/kresd.yaml:2: function arguments expected near ':'
(workdir '/var/run/kresd')
I will wait for the next FreeBSD port, though. No big deal.
Thanks and a Happy New Year,
Michael
16:39
On 01/01/2026 16.35, Michael Grimm wrote:
And that might be the reason why I do not succeed in
using this simple YAML configuration:
The kresd executable doesn't consume YAML. You need the new
knot-resolver executable (written in Python), which is presumably
missing in your case, along with kresctl.
16:44
Vladimír Čunát via knot-resolver-users <knot-resolver-users(a)lists.nic.cz> wrote:
On 01/01/2026 16.35, Michael Grimm wrote:
> And that might be the reason why I do not succeed
in using this simple YAML configuration:
The kresd executable doesn't consume YAML. You
need the new knot-resolver executable (written in Python), which is presumably missing in
your case, along with kresctl.
Yes, both are missing.
Thanks and regards,
Michael
16:55
On 01/01/2026 16.44, Michael Grimm wrote:
The kresd executable doesn't consume YAML. You
need the new knot-resolver executable (written in Python), which is presumably missing in
your case, along with kresctl.
I can add that consequently also the init scripts need to be reworked, etc.
Because instead of you/init starting individual processes (kres-cache-gc
and multiple kresd), you only start a single process like for most
daemons and the herding happens automatically based on your
configuration and essentially the same way on all platforms (Docker,
FreeBSD, systemd).
Here's a nice picture of internal architecture:
https://www.knot-resolver.cz/documentation/v6.0.17/dev/architecture.html
8 Led
8 Led
16:04
Hi,
This Makefile does install the manager and kresctl - but does so in a very discouraged
way:
https://bz-attachments.freebsd.org/attachment.cgi?id=266939
It COULD be used for early testing - but be warned:
this install method certainly will wreck you ports maintaining.
Work in progress.
Open for any suggestion to make it work properly.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=292197
--
With kind regards,
Met vriendelijke groet,
Mit freundlichen Grüß,
Leo Vandewoestijne
<***(a)dns.company>
<www.dns.company>
11
days inactive
48
days old
knot-resolver-users@lists.nic.cz
8 comments
5 participants
participants (5)
-
Aleš Mrázek -
Jiri Masek -
Leo Vandewoestijne -
Michael Grimm -
Vladimír Čunát