[knot-dns-users] Re: Remotely adding zones

2024-04-17 Thread Anand Buddhdev
On 17/04/2024 15:33, Einar Bjarni Halldórsson via knot-dns-users wrote: Hi Einar, [snip] Is there a good way to remotely add zones to a knot secondary? You could use socket plumbing tools such as netcat or socat to connect a local socket to a remote one. Alternatively, just ssh into the

[knot-dns-users] Re: TSIG key in remote and acl

2024-01-15 Thread Anand Buddhdev
On 15/01/2024 16:53, Einar Bjarni Halldórsson wrote: Hi Einar, But do I need the TSIG key configured both in remote section, and in acl section? I guess my point is, what is the purpose of the key attribute in remote section? If you configure a TSIG key in the remote section, then the

[knot-dns-users] Re: Monitor journal usage

2023-05-05 Thread Anand Buddhdev
On 05/05/2023 11:01, Einar Bjarni Halldórsson wrote: Hello Einar, Yesterday we got hit by the per-zone journal becoming full [1] As a result we're looking into how we can monitor the status to warn us if we're near the journal limits, but I can't find a way to report the current journal

[knot-dns-users] Re: 'remote' semantics

2022-03-09 Thread Anand Buddhdev
On 10/12/2021 09:30, Daniel Salzman wrote: Hi Daniel, I plan some configuration extension to be able to group more remotes under one identifier. Just to find a nice way how to implement it. By the way, Knot DNS 1.x supported that already :-D I was also thinking about this, because I would

[knot-dns-users] Re: Monitoring for "waiting for DS submission"

2022-02-16 Thread Anand Buddhdev
On 16/02/2022 22:56, Matthew Pounsett wrote: Hi Matt, I'm trying to find a way to poll for any zones where knot is currently waiting on DS submission to the parent. We have a script that notifies us when it detects CDS records at our zones' apices. The script doesn't even have to run on the

Re: [knot-dns-users] RSASHA1 --> RSASHA256 question

2021-12-15 Thread Anand Buddhdev
On 15/12/2021 20:18, Chris wrote: Hi Chris, [snip config details] How would I best make this change? Is it enough to simply change algorithm: and knot will just do the right thing? Yes, please! Just change the algorithm and let Knot do its thing. It will do the right thing. Please do *not*

Re: [knot-dns-users] Migrate signed zone to knot

2021-12-13 Thread Anand Buddhdev
ched signers at RIPE NCC, and it worked perfectly. You can read more about it here: https://labs.ripe.net/author/anandb/dnssec-signer-migration/ Regards, Anand Buddhdev RIPE NCC -- https://lists.nic.cz/mailman/listinfo/knot-dns-users

Re: [knot-dns-users] expiring/renewing dnssec keys

2021-08-31 Thread Anand Buddhdev
On 31/08/2021 11:49, mj wrote: Hi MJ, > Now the question. In most (if not all?) docs we read on the subject, the > DS key looks something like: > >> knot-dns.cz.    3600    IN    DS    54959 13 2 >> 268DE6EB7E0630953B8AF0F0037BF68FD10443BF01B5E17805AF94C2 6921897D > or >> dnssec-tools.org.  

Re: [knot-dns-users] migrating from bind to knot

2021-08-04 Thread Anand Buddhdev
Hi MJ, If you're using the same Knot instance to host a mix of primary (signed) and secondary zones, then I suggest you set "zonefile-load" to "none" in your template, and then override it with "difference-no-serial" for the primary zones. Secondary zones don't need a zone file at all. Incoming

Re: [knot-dns-users] migrating from bind to knot

2021-08-02 Thread Anand Buddhdev
automatically increment it by one whenever it needs to re-sign the zone, and the correct serial will be stored in the journal. If you don't like the serial number to be just incremented, you can use a different policy, by setting "serial-policy" to either "unixtime" or

Re: [knot-dns-users] Active and backup signer

2020-12-14 Thread Anand Buddhdev
On 14/12/2020 10:26, Einar Bjarni Halldórsson wrote: Hi Einar, [snip] > Are other people doing active-backup signers and how do you set it up? We have a pair of signers, an active one, and a standby. Both get copies of the zones, and sign them. However, we only do XFR out of the active signer

Re: [knot-dns-users] Unknown algorithm: rsasha1-nsec3-sha1

2020-11-05 Thread Anand Buddhdev
On 05/11/2020 16:35, Thomas wrote: Hi Thomas, > I need to generate keys of algorithm 7. But I receive this error: > > # keymgr example generate algorithm=rsasha1-nsec3-sha1 size=2048 ksk=yes > Unknown algorithm: rsasha1-nsec3-sha1 > Error (invalid parameter) The man page says: algorithm

Re: [knot-dns-users] Warning - TCP ports binding in Knot DNS versions 3.0.0 and 3.0.1

2020-10-13 Thread Anand Buddhdev
On 13/10/2020 14:20, David Vasek wrote: Hi David, Since there was a complaint about this change, we plan to re-enable TCP ports reuse in future releases. We also ponder making knotd exit if it fails to bind to any of configured TCP ports. We would like to hear from you whether such a behaviour

Re: [knot-dns-users] re-sign zone

2020-08-07 Thread Anand Buddhdev
On 07/08/2020 22:18, Thomas wrote: Hi Thomas, I have the requirement to re-sign my zones exactly every 24 hours. I'm not sure how to achieve this, because I'm not clear about the correlation of the following parameters: You could just run "knotc zone-sign " every 24 hours from some kind of

Re: [knot-dns-users] Log query

2020-07-10 Thread Anand Buddhdev
On 10/07/2020 04:16, Smile TV wrote: Hi Chinhlk, I am deploying a DNS system using the Knot DNS software. I have read in the document and I did not see any DNS query log. So let me ask DNS Knot software can collect DNS query log? If possible, what is the configuration? Look at the "dnstap"

Re: [knot-dns-users] Knot DNS bug notification

2020-05-22 Thread Anand Buddhdev
On 22/05/2020 14:32, libor.peltan wrote: Hi Libor, We will release fixing version 2.9.5 soon. Thanks! We eagerly await the fix. [snip] Many thanks to Anand Buddhdev from RIPE NCC for finding this bug. To be honest, I was more of the messenger in this instance. The issue was first

Re: [knot-dns-users] dynamic updates (DDNS)

2020-01-12 Thread Anand Buddhdev
On 12/01/2020 21:13, Thomas wrote: Hi Thomas, > Is it safe to mix dynamic updates and manual editing of a zone? Yes, but only if you follow the proper procedure, as follows: knotc zone-freeze knotc zone-flush edit zone file, taking care to increment the serial number knotc zone-reload

Re: [knot-dns-users] zone delegation format?

2018-11-05 Thread Anand Buddhdev
o get help with it. Also, when debugging, it looks confusing to most people. Regards, Anand Buddhdev DNS Engineer @ RIPE NCC

Re: [knot-dns-users] Massive iteration without apparent reason

2018-09-12 Thread Anand Buddhdev
On 12/09/2018 10:18, Rick van Rein wrote: > Every time we switch DNSSEC on for a single zone, it iterates over all > zones (and logs something trivial about each). What does it log?

Re: [knot-dns-users] Master - Slave configuration issues

2018-09-08 Thread Anand Buddhdev
Hi Innus, What you are asking for is not possible with Knot DNS right now. It has no facility to allow exchanging master/slave information between two or more Knot servers. You do need to configure each Knot server individually. Regards, Anand On 08/09/2018 14:17, Innus Ali wrote: > Hi admin, >

Re: [knot-dns-users] Force notify

2018-09-04 Thread Anand Buddhdev
On 04/09/2018 01:48, Jim Popovitch wrote: > Hello, > > How do I force a notify for a specific domain? (v2.4.0 Debian) knotc zone-notify ... Also, read the "knotc" man page to learn about the various ways in which you can control and command knotd. Regards, Anand --

Re: [knot-dns-users] outgoing NOTIFYs over TCP

2018-06-08 Thread Anand Buddhdev
Hi Daniel, I don't run Knot DNS as a master, so I don't see this issue. Even if I ran Knot DNS as a master, I'm not terribly bothered with NOTIFY over TCP. Having said that, I don't think it's very fair to say that UDP is unreliable, and there are various reasons for it: 1. NOTIFY is a hint,

Re: [knot-dns-users] Excessive memory usage - knot 2.6.5

2018-03-15 Thread Anand Buddhdev
On 15/03/2018 18:34, Vladimír Čunát wrote: > For a first idea of usage I'd choose the "resident set size" measure - > either VmRSS (current) or VmHWM (peak).  (I'm assuming no noticeable > swapping happens here.) Hi Vladimir, I looked at these values for our servers (64GB RAM, 4579 zones, a mix

Re: [knot-dns-users] Excessive memory usage - knot 2.6.5

2018-03-15 Thread Anand Buddhdev
Hello Aleš, I'm assuming you're migrating from BIND. I use BIND, Knot and NSD, and in my experience, BIND uses the least amount of RAM, and NSD uses the most. Knot is somewhere in-between. When switching from BIND to any other name server, it's usually a good idea to give the server some more RAM.

Re: [knot-dns-users] knotc zone-retransfer not always working as expected

2018-01-16 Thread Anand Buddhdev
Hi Klaus, If you run: knotc --force zone-retransfer, does that then transfer the zone? However, I agree with you that "zone-retransfer" should unconditionally transfer the zone, and not just do a regular refresh. Regards, Anand On 17/01/2018 00:26, Klaus Darilion wrote: > zone-refresh

Re: [knot-dns-users] Sharing LMDB databases between knot instances

2017-07-24 Thread Anand Buddhdev
On 24/07/2017 10:43, Daniel Salzman wrote: Hi Daniel, > Yes, LMDB itself is designed to be shareable between different threads or > processes, > but it has some performance penalty (serialized write operation). Knot DNS > doesn't > expect there can be other unknown zones in the timer database.

[knot-dns-users] Sharing LMDB databases between knot instances

2017-07-23 Thread Anand Buddhdev
Hello Knot developers, Suppose I am running two Knot DNS instances. They're listening on different interfaces, and slaving different sets of zones. If the "storage" variable is the same for these two, then the two instances of knotd will both try to write into storage/journal and storage/timers.

Re: [knot-dns-users] Impossible to purge zone data for unconfigured zone

2017-07-21 Thread Anand Buddhdev
it for each zone you have >> removed. It will be idempotent and less error prone in the end. >> >> Jan >> >> On Thu, Jul 20, 2017 at 5:30 PM, Anand Buddhdev <ana...@ripe.net> wrote: >>> Hello Knot DNS developers, >>> >>> I have an obser

Re: [knot-dns-users] Knot DNS 2.4.2 released

2017-03-23 Thread Anand Buddhdev
On 23/03/2017 11:54, Ondřej Surý wrote: Hi CZNIC folk, > Sources: > https://secure.nic.cz/files/knot-dns/knot-2.4.2.tar.xz This URL is returning a 404 not found error. Regards, Anand

Re: [knot-dns-users] What is stored in Knot's zone timer database?

2016-10-21 Thread Anand Buddhdev
On 21/10/16 13:26, Ondřej Surý wrote: Hi Ondrej, > we are working on a tool to sneak peek into timers > database and manipulate the timers database. [snip] Thanks for this information. My reason for asking was to trigger discussion about what *should* be in the timer database, to enable Knot

[knot-dns-users] Multi-value options in "template" and "zone" sections

2016-10-12 Thread Anand Buddhdev
Hi, This is mainly a question for the Knot developers. Suppose I have: template: - id: default acl: acl1 zone: - domain: zone acl: acl2 Does "zone" get "acl2" or "acl1, acl2" applied to it? Regards, Anand

Re: [knot-dns-users] Knot DNS 2.3.0 release

2016-08-09 Thread Anand Buddhdev
and other packages that are neither in CentOS 6 base, nor in EPEL 6. CentOS 6 is still widely used, and we would love to be able to run the latest Knot on it. Any chance you could get the requisite packages into EPEL please? :) Regards, Anand Buddhdev

Re: [knot-dns-users] forcing minimal fragment size for IPv6 datagrams

2016-06-22 Thread Anand Buddhdev
On 21/06/16 13:55, Jan Včelák wrote: Hi Jan, This setting is useful to operators who wish to emit large DNS UDP responses over IPv6, and have them fragmented at 1280 bytes. Sure, fragments have their own issues, and are blocked in many places, but an operator should be allowed to make this

Re: [knot-dns-users] Knot DNS 2.2.1 patch release

2016-05-26 Thread Anand Buddhdev
On 26/05/16 14:22, Ondřej Surý wrote: Hi Ondrej, > would it be perhaps possible to conduct the experiment whether this > has a real operational impact at the root? Perhaps running Knot DNS > 2.2.1 on a singular instance of the root server for a set period of time > and compare the numbers of TCP

Re: [knot-dns-users] Knot DNS 2.2.1 patch release

2016-05-26 Thread Anand Buddhdev
On 24/05/16 15:10, Jan Včelak wrote: Hi Jan, > CZ.NIC Labs has just released a patched version of Knot DNS. The 2.2.1 > version contains some important bug fixes and a few small improvements. > > Let's jump directly into it: > > - The previous version was inconsistent in setting the TC flag

Re: [knot-dns-users] preserve case in labels?

2016-04-06 Thread Anand Buddhdev
On 06/04/16 23:06, Gert Doering wrote: Hi Gert, > TBH, I don't really care about the QNAME in the response. This is protocol > stuff which people don't *see*, unless they are actually looking for it. > > I care about the *answer*: Why? Why do you need/want the case to be preserved? There's no

Re: [knot-dns-users] next week releases

2016-02-08 Thread Anand Buddhdev
On 08/02/16 13:41, Jan Včelak wrote: Hello Jan, > Thank you for a complex write-up. :) You're welcome! >> Note that 118-second delay before the zone refreshes start. Note that >> during this delay, Knot made hundreds of DNS queries (A and ) >> towards the locally-configured caching

Re: [knot-dns-users] knot - any possibility to use "views" ?

2015-11-09 Thread Anand Buddhdev
On 09/11/15 09:34, Jakub Štollmann wrote: Hi Jakub, > We are deploying IPv6 in our company. For easy switching we decided to > use multiple views (with IPv6 and without). The problem is that we have > 2 bind and one knot server (one bind primary, 2 slaves). I have looked > for options how to do

Re: [knot-dns-users] Updating slaves

2015-05-10 Thread Anand Buddhdev
On 10/05/15 10:10, Amar Cosic wrote: Hello Amar, anyone can point me to documentation or manual what is right way to update slaves. What I want to is when I change record X on master that slaves also pick that change without me manually have to do this. First of all, you have to make sure

Re: [knot-dns-users] Knot DNS 2.0.0-beta release

2015-04-23 Thread Anand Buddhdev
On 23/04/15 16:49, Jan Včelák wrote: Hello everyone! Today, CZ.NIC Labs releases Knot DNS 2.0.0-beta. Whee! /me runs off to the build server... I'll try to provide a review very soon. Regards, Anand

[knot-dns-users] Work-around for Knot's configuration syntax

2015-04-16 Thread Anand Buddhdev
I'm generating my Knot's config from a Jinja2 template, and I'm having a problem with one thing. For example, if I have a list of elements, [e1,e2,e3,e4], and I want to generate a groups config for these based on a condition, and I do: groups { mygroup { {% for x in list %} {% if condition %}

Re: [knot-dns-users] Knot DNS and IN NS records

2015-01-14 Thread Anand Buddhdev
On 14/01/15 20:30, Eugene Bolshakoff wrote: Hi Eugene, I understand that it's happening because of recursion in bind, but how can I solve this problem in knot? You can't. Knot doesn't do recursion. Regards, Anand

[knot-dns-users] Knot 1.6.1 and full journal

2014-12-15 Thread Anand Buddhdev
Hi Knot developers, I have another question about journals. I've noticed that for one zone, the journal size is 9M (with my configured limit at 10M). Now, I see this each time in the logs: 2014-12-15T07:56:02 notice: [103.in-addr.arpa] journal is full, flushing 2014-12-15T08:13:09 notice: