[knot-dns-users] Re: module 'mod-onlinesign/authsignal', incompatible with automatic signing

2024-05-14 Thread Daniel Salzman via knot-dns-users
Hi Erwin, The module generates responses online, so you must use online DNSSEC signing, which is incompatible with the pre-signing functionality. You need to remove dnssec-signing (and dnssec-policy) from the default template. Also note that mod-onlinesign ignores NSEC3 setting (remove nsec3

[knot-dns-users] Re: knotc reload after updates to knot.conf

2024-04-17 Thread Daniel Salzman via knot-dns-users
Hello! If knotc reload works, restart isn't needed :-) Reload for the zone set reconfiguration is okay. Restart is necessary mostly for socket or worker reconfiguration when knotd needs extra privileges. In the documentation there is a comment for such configuration items. Daniel On 4/17/24

[knot-dns-users] Re: Remotely adding zones

2024-04-17 Thread Daniel Salzman via knot-dns-users
Yes. You can forward the control socket using ssh (e.g. ssh -f -N -L /tmp/knot.sock:/run/knot/knot.sock -o 'StreamLocalBindUnlink=yes' server) and use knotc locally (knotc -s /tmp/knot.sock). I don't think that native remote control support is worth implementation and configuration when ssh is

[knot-dns-users] Re: AXFR sender FINs 10% of the way through transfer

2024-03-24 Thread Daniel Salzman via knot-dns-users
On 3/24/24 17:45, Randy Bush wrote: i am not positive this is the key question as my tcp fu is a bit rusty. but why did seattle send the FIN at 219, 10% through the file? I have experienced the same some time ago and I think this is what you need to tune:

[knot-dns-users] Re: bitw signing as secondary

2024-03-20 Thread Daniel Salzman via knot-dns-users
Hi Randy, I cannot reproduce your problem. What does `keymgr sld.tld list` say? Daniel On 3/20/24 18:53, Randy Bush wrote: i did generate keying as i would when signing a primary zone     # keymgr sld.tld generate algorithm=rsasha256 ksk=yes zsk=yes    

[knot-dns-users] Re: Possible signing bug? Missing wildcard NSEC for RCODE 3 subdomains

2024-03-15 Thread Daniel Salzman via knot-dns-users
Hi Matt, Could you please send me the zone file? Thanks! On 3/14/24 20:20, Matthew Pounsett wrote: I got a report of an NSEC error from someone who tried to connect to a mistyped hostname.  I've done a bit of poking, and it looks like we're seeing a missing wildcard NSEC for domain names

[knot-dns-users] Re: Chained catalog zones

2024-03-08 Thread Daniel Salzman via knot-dns-users
Hi Martin, The error is definitely caused by a configuration check to prevent users from creating strange configurations :-D We will revise the check as your configuration makes sense. Daniel On 3/7/24 22:00, Martin Huněk wrote: Hi, So I've tested chaining 2 catalog zones one after another

[knot-dns-users] Re: Knot DNS 3.3.5 release

2024-03-07 Thread Daniel Salzman via knot-dns-users
On 3/6/24 23:29, Michael Grimm via knot-dns-users wrote: Daniel Salzman via knot-dns-users wrote: CZ.NIC has released Knot DNS 3.3.5! […] Changelog: https://gitlab.nic.cz/knot/knot-dns/-/releases/v3.3.5 "knotd: new DNSSEC key rollover log informs about next planned key action" T

[knot-dns-users] Knot DNS 3.3.5 release

2024-03-06 Thread Daniel Salzman via knot-dns-users
Hello Knot DNS users, CZ.NIC has released Knot DNS 3.3.5! This is a bugfix version with a few new features and enhancements. For those who use dnssec-validation, upgrade is recommended. Changelog: https://gitlab.nic.cz/knot/knot-dns/-/releases/v3.3.5 Download:

[knot-dns-users] Re: zone lost its KSK

2024-02-21 Thread Daniel Salzman via knot-dns-users
Hi Wes, Do you see the `DNSSEC, cleared future timers of auto-managed key` log message? Daniel On 2/20/24 23:13, Wes Hardaker wrote: Bastien Durel writes: could you please have a deeper look into the history of the zone in the log file (or share it) ? There should be the answer hidden

[knot-dns-users] Re: zone lost its KSK

2024-02-21 Thread Daniel Salzman via knot-dns-users
Hi Bastien, What's the Knot version and your signing policy configuration? Daniel On 2/13/24 22:00, Bastien Durel wrote: Le 13/02/2024 à 10:03, libor.peltan a écrit : Hi Bastien, could you please have a deeper look into the history of the zone in the log file (or share it) ? There should

[knot-dns-users] Re: error: [ellael.org.] zone event 'refresh' failed (operation not supported)

2024-02-17 Thread Daniel Salzman
ocal/etc/knot/zones" file:"%s" master: primaryMWN notify: remoteSERVERS acl: aclTRANSACTIONS semantic-checks: on # primary zones hosted # zone: - domain: ellael.org [others snipped]

[knot-dns-users] Re: error: [ellael.org.] zone event 'refresh' failed (operation not supported)

2024-02-17 Thread Daniel Salzman
So the setup isn't just "Hidden Primary —> Secondary (2x)"! Then you must have the acl action transfer in the secondary configuration as well. On 2/16/24 20:18, Michael Grimm wrote: But I do need something similar at one of my secondary servers that allows for a zone transfer from that given

[knot-dns-users] Re: error: [ellael.org.] zone event 'refresh' failed (operation not supported)

2024-02-16 Thread Daniel Salzman
Other issues are: `via: 10.1.1.201` - this interface isn't configured and the specification is not needed if there is just one IPv4 address - remove it `block-notify-after-transfer: on` - this doesn't make sense either On 2/16/24 16:14, Michael Grimm wrote: remote: - id:

[knot-dns-users] Re: error: [ellael.org.] zone event 'refresh' failed (operation not supported)

2024-02-16 Thread Daniel Salzman
primaryMWN notify: remoteSERVERS acl: aclTRANSACTIONS semantic-checks: on # primary zones hosted # zone: - domain: ellael.org [others snipped] Thanks in advance, Michael On 16. Feb 2024, at 16:05, Danie

[knot-dns-users] Re: error: [ellael.org.] zone event 'refresh' failed (operation not supported)

2024-02-16 Thread Daniel Salzman
Okay. Please show me the configuration of the zone (template). On 2/16/24 16:03, Michael Grimm wrote: Yes, I understand that, now ;-) But my main concern is this: "Those errors are only logged when a zone gets updated" Regards, Michael On 16. Feb 2024, at 15:57, Daniel Salz

[knot-dns-users] Re: error: [ellael.org.] zone event 'refresh' failed (operation not supported)

2024-02-16 Thread Daniel Salzman
Note that `knotc zone-notify` works on a primary. If you want an explicit refresh on a secondary, call `knotc zone-refresh`. On 2/16/24 15:55, Michael Grimm wrote: Daniel Salzman wrote Is there another primary above the hidden master? I am not sure if I do understand your question

[knot-dns-users] Re: error: [ellael.org.] zone event 'refresh' failed (operation not supported)

2024-02-16 Thread Daniel Salzman
Hi Michael, Is there another primary above the hidden master? Daniel On 2/16/24 15:26, Michael Grimm wrote: Hi, after successful migration of my hidden primary NSD and OpenDNSSEC signer to Knot DNS, I started to migrate my secondary NSDs to Knot DNS as well. Thanks to excellent

[knot-dns-users] Re: Set propagation-delay based on multiples of SOA TTL, doable?

2024-02-13 Thread Daniel Salzman
Hi Michael, There is no universal rule for propagation delay calculation, as the value is deployment-dependent. For example, the value depends on the latency (affects big zone XFR) between primary and secondary servers, or if someone has a long chain of servers where each level adds some

[knot-dns-users] Re: keymgr segmentation fault

2024-02-12 Thread Daniel Salzman
Hi Erik, Did you find what the problem was? Keymgr doesn't use a session d-bus. Daniel On 6/13/23 08:26, Erik P. Ostlyngen wrote: Hi, I'm evaluating the Knot DNS server as a DNSSEC signer engine. I'm currently running version 3.2.6 together with SoftHSM version 2.6.1 on an Ubuntu 20.04 linux

[knot-dns-users] Re: DDNS not working as expected

2024-02-12 Thread Daniel Salzman
Hi, I don't see any obvious mistake. The NOTAUTH response means that your DDNS request wasn't authorized. Enable the debug logging to get more information. Daniel On 9/5/23 19:38, JeeF Software spol. s r.o. wrote: Hi Knot-DNS Support, I'm trying simple DDNS scenario (no keys, no DNSSEC)

[knot-dns-users] Re: NSEC3 RR not generated, dunno why.

2024-02-12 Thread Daniel Salzman
I guess you don't have the policy specified for the zone(s) via `dnssec-policy: ecdsa`? Daniel On 2/12/24 11:21, Michael Grimm wrote: Restarted, multiple times. This happens to all of my domains, as well. Regards, Michael On 12. Feb 2024, at 11:18, Daniel Salzman wrote: Have you

[knot-dns-users] Re: NSEC3 RR not generated, dunno why.

2024-02-12 Thread Daniel Salzman
Have you reloaded or restarted Knot after the reconfiguration? Daniel On 2/12/24 11:14, Michael Grimm wrote: Hi, I am still very new to knot ;-) FYI: This is Knot DNS 3.3.3 because 3.3.4 hasn't shown up in FreeBSD's ports collection, yet. Here are my settings regarding dnssec policy:

[knot-dns-users] Re: GUI Frontends for Knot DNS Server

2024-02-12 Thread Daniel Salzman
Hi, CZ.NIC doesn't offer any GUI for Knot DNS. Daniel On 11/23/22 14:57, Turritopsis Dohrnii Teo En Ming wrote: Subject: GUI Frontends for Knot DNS Server Good day from Singapore, Are there any GUI frontends for configuring Knot DNS Server? I prefer GUI configuration interface. It is more

[knot-dns-users] Re: How to check for next KSK or ZSK rollover dates?

2024-02-11 Thread Daniel Salzman
Hi, the zone re-sign event covers all DNSSEC-related actions (key rollover, RRSIG updates, NSEC3 updates,...). I don't think it's important to understand what will happen during the next re-sign. ksk-lifetime - A period between KSK generation and the next rollover initiation. zsk-lifetime - A

[knot-dns-users] Knot DNS 3.3.4 release

2024-01-23 Thread Daniel Salzman
Hello Knot DNS users, CZ.NIC has released Knot DNS 3.3.4! This is a bugfix version with some enhancements. Changelog: https://gitlab.nic.cz/knot/knot-dns/-/releases/v3.3.4 Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support:

[knot-dns-users] Re: TSIG key in remote and acl

2024-01-15 Thread Daniel Salzman
Hi Einar, If TSIG is used in both directions (outbound NOTIFY, inbound XFR), I would recommend reconfiguration to: server: automatic-acl: on remote: - id: remote01 address: 127.0.0.1 key: my_key zone: - domain: example.com notify: [ remote01 ] Daniel On 1/15/24 12:03,

[knot-dns-users] Knot DNS 3.2.12 release

2023-12-19 Thread Daniel Salzman
Hello Knot DNS users, CZ.NIC has released Knot DNS 3.2.12! This version only backports some fixes from 3.3.3. Changelog: https://gitlab.nic.cz/knot/knot-dns/-/releases/v3.2.12 Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support:

[knot-dns-users] Knot DNS 3.3.3 release

2023-12-13 Thread Daniel Salzman
Hello Knot DNS users, CZ.NIC has released Knot DNS 3.3.3! This is mostly a bugfix version. Upgrade is recommended for QUIC and TCP/XDP users. Changelog: https://gitlab.nic.cz/knot/knot-dns/-/releases/v3.3.3 Download: https://www.knot-dns.cz/download/ Documentation:

[knot-dns-users] Knot DNS 3.2.11 release

2023-10-30 Thread Daniel Salzman
Hello Knot DNS users, CZ.NIC has released Knot DNS 3.2.11! This version only backports some fixes from 3.3.2. Changelog: https://gitlab.nic.cz/knot/knot-dns/-/releases/v3.2.11 Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support:

[knot-dns-users] Re: Message compression (was: Re: Knot DNS 3.3.2 release)

2023-10-24 Thread Daniel Salzman
message already. Users of such data should be aware of potential issues. Daniel On 10/23/23 23:10, Robert Edmonds wrote: Daniel Salzman wrote: Hello Knot DNS users, CZ.NIC has released Knot DNS 3.3.2! This version fixes various issues and introduces some features regarding IXFR. Users of PKCS #11

[knot-dns-users] Knot DNS 3.3.2 release

2023-10-20 Thread Daniel Salzman
Hello Knot DNS users, CZ.NIC has released Knot DNS 3.3.2! This version fixes various issues and introduces some features regarding IXFR. Users of PKCS #11 keystore might appreciate improved signing performance using more threads. Note that the offline KSK mode requires explicit setting of

[knot-dns-users] Knot DNS 3.3.1 and 3.2.10 releases

2023-09-11 Thread Daniel Salzman
Hello Knot DNS users, CZ.NIC has released Knot DNS 3.3.1 and 3.2.10! These versions fix several bugs. Upgrade is recommended. Changelogs: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v3.3.1/NEWS https://gitlab.labs.nic.cz/knot/knot-dns/raw/v3.2.10/NEWS Download:

[knot-dns-users] Knot DNS 3.3.0 release

2023-08-28 Thread Daniel Salzman
Hello Knot DNS users, CZ.NIC has released Knot DNS 3.3.0! This version brings full DNS/XFR over QUIC support, multi-signer operation mode, and many more. See the changelog. Debian and Ubuntu users can download the packages from a new repository https://pkg.labs.nic.cz/doc/?project=knot-dns

[knot-dns-users] Re: catalog-role:interpret broken since upgrade to knot 3.2.6

2023-07-07 Thread Daniel Salzman
Hi, The implementation of catalog zones in Knot DNS 3.0.x isn't mature enough, and it doesn't fully comply with the fresh RFC https://www.rfc-editor.org/rfc/rfc9432.html, which was released yesterday. Daniel On 07. 07. 23 13:09, Daniel Gröber wrote: Hi Tuomo and David, On Fri, Jul 07,

[knot-dns-users] Knot DNS 3.2.8 release

2023-06-26 Thread Daniel Salzman
Hello Knot DNS users, CZ.NIC has released Knot DNS 3.2.8! This is a bug fix version. Upgrade is recommended for users of version 3.2.7 with journal enabled. Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v3.2.8/NEWS Download: https://www.knot-dns.cz/download/ Documentation:

[knot-dns-users] Re: TCP requirement for catalog zones breaks interoperability

2023-06-19 Thread Daniel Salzman
Hi Matt! Thanks for the feedback. We have removed this requirement, so feel free to use the patched version 3.2.7.1687014568.95c08b477-cznic.1 until 3.2.8 or 3.3.0 is released. Best, Daniel On 6/17/23 16:01, Matthew Pounsett wrote: The 3.0 documentation for catalog zones says the following:

[knot-dns-users] Knot DNS 3.2.7 release

2023-06-06 Thread Daniel Salzman
Hello Knot DNS users, CZ.NIC has released Knot DNS 3.2.7! This is a bugfix version with some improvements. Please note that the 3.3.0 version will be released in August and the 3.1 branch will no longer be officially supported. Changelog:

[knot-dns-users] Knot DNS 3.2.6 release

2023-04-04 Thread Daniel Salzman
Hello Knot DNS users, CZ.NIC has released Knot DNS 3.2.6! This is mostly a bugfix version with a few improvements. Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v3.2.6/NEWS Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support:

[knot-dns-users] Re: Why does knot need so much prodding to XFR and sign my zones?

2023-02-10 Thread Daniel Salzman
policy with the PKCS11 keystore in the default template. I'm considering extending keymgr listing with the keystore type. Also it's possible to forbid generation for zones which aren't configured or to print some warning, but it would be inconvenient. Daniel On 2/10/23 12:43, Daniel Salzman

[knot-dns-users] Re: Why does knot need so much prodding to XFR and sign my zones?

2023-02-10 Thread Daniel Salzman
Good news JP, I have reproduced the issue with Keyper HSM. Daniel On 2/9/23 18:05, Jan-Piet Mens wrote: "Unfortunately", even with softhsm I cannot reproduce that. I was a bit afraid of that, as it puts the blame on the HSM proper and therefore becomes almost completely undebuggable (is that

[knot-dns-users] Re: Why does knot need so much prodding to XFR and sign my zones?

2023-02-09 Thread Daniel Salzman
"Unfortunately", even with softhsm I cannot reproduce that. On 2/9/23 16:57, Jan-Piet Mens wrote: I'm trying to reproduce the issue without HSM but everything is ok so far. I can confirm that. With a key store on disk, as soon as the zone is configured and I `knotc reload' the XFR takes place

[knot-dns-users] Re: Why does knot need so much prodding to XFR and sign my zones?

2023-02-09 Thread Daniel Salzman
Okay, I just needed to know the exact conditions. On 2/9/23 16:22, Jan-Piet Mens wrote: Do you really use 3.2.0 or a newer 3.2.x version? It really is a 3.2.0 version, sadly (do you hear me crying?), because software upgrades here take ages to pass. -JP -- --

[knot-dns-users] Re: Why does knot need so much prodding to XFR and sign my zones?

2023-02-09 Thread Daniel Salzman
Hello JP! Do you really use 3.2.0 or a newer 3.2.x version? I'm trying to reproduce the issue without HSM but everything is ok so far. Will use softhsm... Daniel On 2/9/23 12:55, Jan-Piet Mens wrote: Hello! Knot 3.2.0 with a Thales HSM configured this way: (btw, I am not obfuscating

[knot-dns-users] Knot DNS 3.2.5 release

2023-02-02 Thread Daniel Salzman
Hello Knot DNS users, CZ.NIC has released Knot DNS 3.2.5! This is mostly a bugfix version. Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v3.2.5/NEWS Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support:

[knot-dns-users] Re: PKCS#11 label is not set on keys created by Knot

2023-02-01 Thread Daniel Salzman
Perfect! Thanks for the feedback. Daniel On 2/1/23 12:40, Jan-Piet Mens wrote: It's been a bit, and I don't know whether I actually thanked you for the feature, but I've just successfully tested generating a key and finding the key label in the HSM: $ keymgr -c knot.conf example.com generate

[knot-dns-users] Knot DNS 3.2.4 release

2022-12-11 Thread Daniel Salzman
Hello Knot DNS users, CZ.NIC has released Knot DNS 3.2.4! This version improves catalog zone performance and fixes some issues mostly related to zone transfers. Update from previous 3.2.x versions is recommended if primary nameserver isn't Knot DNS. Changelog:

[knot-dns-users] Knot DNS 3.2.3 release

2022-11-20 Thread Daniel Salzman
Hello Knot DNS users, CZ.NIC has released Knot DNS 3.2.3! This version fixes broken knsupdate and some QUIC-related issues. Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v3.2.3/NEWS Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/

[knot-dns-users] Re: knsupdate Segmentation fault

2022-11-06 Thread daniel . salzman
Thanks for the report :-/ Will be fixed soon. Daniel Dne 2022-11-06 10:57, Bastien Durel napsal: Hello, Since I upgraded to 3.2.2-cznic.1~bullseye, my scripts using knsupdate fail, on every machine they run on. I can reproduce this with gdb, here is the trace I get in this case : Starting

[knot-dns-users] Knot DNS 3.2.2 release

2022-11-01 Thread Daniel Salzman
Hello Knot DNS users, CZ.NIC has released Knot DNS 3.2.2! This version brings a few new features and some fixes. Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v3.2.2/NEWS Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support:

[knot-dns-users] Knot DNS 3.2.1 release

2022-09-09 Thread Daniel Salzman
Hello Knot DNS users, CZ.NIC has released Knot DNS 3.2.1! This version adds compatibility with libbpf 1.0 and fixes mostly XDP-related issues. Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v3.2.1/NEWS Download: https://www.knot-dns.cz/download/ Documentation:

[knot-dns-users] Re: policy.rrsig-refresh in Knot 3.2.0

2022-08-31 Thread Daniel Salzman
Hi André, I understand your concerns but still you can explicitly set rrsig-refresh. Based on our experience DNS deployments are very diverse. So what is the right default value? Regards, Daniel On 8/31/22 13:53, André Keller wrote: Hi Libor, On 31.08.22 13:14, libor.peltan wrote: What

[knot-dns-users] Re: knot 3.2 fails to access HSM key

2022-08-23 Thread Daniel Salzman
Bastien, You can find fixed packages (3.2.0-cznic.2) in our repositories soon. Daniel On 8/23/22 14:51, Bastien Durel wrote: Le 23/08/2022 à 14:12, Daniel Salzman a écrit : Bastien, We propose this change https://gitlab.nic.cz/knot/knot-dns/-/commit/5337b5e9e09919f619c655575c8d7173fa1b0066

[knot-dns-users] Re: knot 3.2 fails to access HSM key

2022-08-23 Thread Daniel Salzman
Bastien, We propose this change https://gitlab.nic.cz/knot/knot-dns/-/commit/5337b5e9e09919f619c655575c8d7173fa1b0066 Are you ok with that? Daniel On 8/23/22 11:03, Bastien Durel wrote: Le mardi 23 août 2022 à 10:10 +0200, Bastien Durel a écrit : Le mardi 23 août 2022 à 07:38 +0200, Daniel

[knot-dns-users] Re: knot 3.2 fails to access HSM key

2022-08-22 Thread Daniel Salzman
softhsm. Daniel On 8/22/22 16:23, Bastien Durel wrote: Le lundi 22 août 2022 à 16:18 +0200, Daniel Salzman a écrit : Bastien, Are you sure that the same configuration is used? The error can only arise when opening a PKCS #11 token and it only depends on the configuration. Hello, Yes, I upgraded

[knot-dns-users] Knot DNS 3.2.0 release

2022-08-22 Thread Daniel Salzman
Hello Knot DNS users, CZ.NIC has released Knot DNS 3.2.0! This version brings various XDP-related features and improvements (namely QUIC and TCP) and many more. See the changelog. As usual, today Knot DNS 3.0 reached its End-of-life. The official repositories are being updated this way:

[knot-dns-users] Knot DNS 3.1.9 release

2022-08-10 Thread Daniel Salzman
Hello Knot DNS users, CZ.NIC has released Knot DNS 3.1.9! It's a maintenance version with some fixes and improvements. Please note that 3.2.0 will be released in two weeks and 3.0 will no longer be officially supported. Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v3.1.9/NEWS

[knot-dns-users] Re: PKCS#11 label is not set on keys created by Knot

2022-07-13 Thread Daniel Salzman
Hello JP, Your suggestion seems simple but you don't know the label length limit of the device and you don't know what happens when you try to set a longer label than supported. Is it trimmed or is an error returned? Another problem is that the key id is a result of the key generation so

[knot-dns-users] Re: PKCS#11 label is not set on keys created by Knot

2022-06-03 Thread Daniel Salzman
Hello JP, I've just realised that the maximum PKCS#11 key label length probably isn't enough to cover all possible zone names. Some devices are limited to 32 characters. And the theoretical maximum length of a textual dname is more than 1000 characters! Also, the additional key metadata (e.g.

[knot-dns-users] Re: keymgr: list output in JSON?

2022-05-10 Thread Daniel Salzman
Hello, There are no plans for this yet. But we have two similar merge requests for JSON in kdig and stats :-) If you wish, you can play with keymgr. Daniel On 5/10/22 09:55, Jan-Piet Mens wrote: Hello, keymgr(8) lists keys in plain text which is fine for processing with awk(1) et.al. Are

[knot-dns-users] Re: Importing KSK/ZSK from HSM/PKCS#11 and rolling thereafter

2022-05-06 Thread Daniel Salzman
Hi, When a key is imported using import-pem or import-pkcs11, its publish and active timers are set to now, which is the time zero for the key lifetime. So, an imported KSK shouldn't be rolled immediately but after the ksk-lifetime period. You only have to ensure that the DNSSEC policy

[knot-dns-users] Re: PKCS#11 label is not set on keys created by Knot

2022-05-06 Thread Daniel Salzman
Hello JP, It's by design as nobody cared yet :-) I think it's easy to implement it. Unfortunately, it requires a slight modification of the libdnssec API, so it won't be possible to backport it to 3.1. Daniel On 5/6/22 16:12, Jan-Piet Mens wrote: I note that the key label is not set when

[knot-dns-users] Knot DNS 3.1.8 and 3.0.11 releases

2022-04-28 Thread Daniel Salzman
Hello Knot DNS users, CZ.NIC has released Knot DNS 3.1.8 and 3.0.11! Both versions fix quite a serious bug in the TSIG processing where the server can crash if the TSIG is malformed. If you don't use TSIG, you are not affected. Special thanks go to 0x34d for finding this bug! In addition to

[knot-dns-users] Re: public-only key makes DNSSEC signing fail

2022-04-25 Thread Daniel Salzman
recommend that you work around by using any unaffected version, e.g. 3.1.7. Please let us know any following interesting findings. Thank you, Libor Dne 23. 04. 22 v 19:45 Daniel Salzman napsal(a): Hi Thomas, what changed since the time when it worked? Still the same Knot version? Daniel On 4

[knot-dns-users] Re: public-only key makes DNSSEC signing fail

2022-04-23 Thread Daniel Salzman
Hi Thomas, what changed since the time when it worked? Still the same Knot version? Daniel On 4/22/22 23:12, Thomas wrote: Hi, for the transition of a TLD I need to import the current providers KSK into my zone. I use the "keymgr import-pub" command for this.  I have done that a few times

[knot-dns-users] Knot DNS 3.1.7 release

2022-03-30 Thread Daniel Salzman
Hello Knot DNS users, CZ.NIC has released Knot DNS 3.1.7! This version primarily fixes incomplete implementation of the Offline KSK signing mode in the IXFR and DDNS processing. Please note that the online signing still doesn't support Offline KSK! Also various fixes and improvements

[knot-dns-users] Re: 'remote' semantics

2022-03-09 Thread daniel . salzman
It has been implemented https://knot.readthedocs.io/en/master/reference.html#remotes-section Daniel On 2022-03-09 14:50, Anand Buddhdev wrote: On 10/12/2021 09:30, Daniel Salzman wrote: Hi Daniel, I plan some configuration extension to be able to group more remotes under one identifier

[knot-dns-users] Re: Monitoring for "waiting for DS submission"

2022-02-16 Thread Daniel Salzman
Hi Matt, On 2/16/22 22:56, Matthew Pounsett wrote: I'm trying to find a way to poll for any zones where knot is currently waiting on DS submission to the parent. I'm aware of the structured logging sent to systemd-journald but I see this as not particularly useful for monitoring, as the event

[knot-dns-users] Re: Start Warnings

2022-02-13 Thread Daniel Salzman
Hi Günther, The purpose of the warning is to inform you that if you upgraded to 3.2 (in the future), all your zones, which don't have fixed NSEC3 iterations, would be re-signed with a new NSEC3 chain. The solution is simple, just add `nsec3-iterations: 10` to each policy configured. Or

[knot-dns-users] Re: Memory usage sky rockets

2022-02-10 Thread Daniel Salzman
Hi Einar, Memory consumption is a difficult topic. Could you try setting `server.background-workers: 1`? In some cases it helps. I don't think the problem is in the journal. BTW, we did some memory optimizations in the development version (3.2). Do you install Knot from ports or as a binary

[knot-dns-users] Knot DNS 3.1.6 release

2022-02-08 Thread Daniel Salzman
Hello Knot DNS users, CZ.NIC has released Knot DNS 3.1.6! It's mostly a maintenance version with some new features for those who need them. Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v3.1.6/NEWS Download: https://www.knot-dns.cz/download/ Documentation:

[knot-dns-users] Re: zonefile-sync and strange SOA serial

2022-01-21 Thread Daniel Salzman
Einar, One way to change the serial is: $ knotc zone-read example.com @ SOA [example.com.] example.com. 3600 SOA dns1.example.com. hostmaster.example.com. 2022012100 10800 3600 1209600 7200 $ knotc zone-begin example.com OK $ knotc zone-set example.com @ 3600 SOA "dns1.example.com.

[knot-dns-users] Re: zonefile-sync and strange SOA serial

2022-01-20 Thread Daniel Salzman
Hi Einar, On 1/20/22 2:03 PM, Einar Bjarni Halldórsson wrote: > Hi, > > For many months now, we've been preparing new signers for our internal zones > and eventually .is. > > We've got the first of our test zones live on the production signers, but > some things are troubling us. > > This is

[knot-dns-users] Re: DNS cookie not configured correctly?

2021-12-22 Thread Daniel Salzman
odule: [ "mod-cookies", "mod-rrl/default" ] > > If this is the inconsistency, then i was wrong about signing enabled > only on the master? No, the signing is configured correctly. I have tried almost the same configuration and dnsviz didn't complain. It's strange.

[knot-dns-users] Re: DNS cookie not configured correctly?

2021-12-22 Thread Daniel Salzman
Hi Juergen, The warning usually appears if the configuration of all nameservers is inconsistent. For example cookies are enabled on some nameservers only. Daniel On 12/22/21 1:07 PM, J. Echter wrote: > Hi, > > i have knot dns setup with dns cookie module enabled but if i check with >

[knot-dns-users] Knot DNS 3.1.5 release

2021-12-20 Thread Daniel Salzman
Hello Knot DNS users, CZ.NIC has released Knot DNS 3.1.5! - This version brings some new features useful for operators of many zones and fixes a few bugs. - Our Docker images are newly built with some hardening flags set, enabled dnstap in kdig, and with fast zone parser enabled. - Please

Re: [knot-dns-users] RSASHA1 --> RSASHA256 question

2021-12-15 Thread Daniel Salzman
Hi Chris, On 12/15/21 10:28 PM, Chris wrote: > On 2021-12-15 13:01, Anand Buddhdev wrote: >> On 15/12/2021 20:18, Chris wrote: >> >> Hi Chris, >> >> [snip config details] >> >>> How would I best make this change? Is it enough to simply change algorithm: >>> and knot will just do the right thing?

Re: [knot-dns-users] Migrate signed zone to knot

2021-12-14 Thread Daniel Salzman
Welcome Einar, On 12/14/21 12:36 AM, Einar Bjarni Halldórsson wrote: > Hi, > > We're preparing to migrate our zones from OpenDNSSEC 1.4 to Knot DNS 3.1 (and > eventually the .is zone). > We've already migrated one unsigned zone to the new signers, but next on the > list is first currently

Re: [knot-dns-users] 'remote' semantics

2021-12-10 Thread Daniel Salzman
Hi Matt, I plan some configuration extension to be able to group more remotes under one identifier. Just to find a nice way how to implement it. By the way, Knot DNS 1.x supported that already :-D Best, Daniel On 12/9/21 6:53 PM, Matthew Pounsett wrote: > Just to clarify some semantics of the

Re: [knot-dns-users] KSK rollover using alternate keystore

2021-11-09 Thread Daniel Salzman
What about rolling to a non-EC algorithm with the present keystore and importing temporary (RSA?) keys to the HSM? On 11/9/21 5:12 PM, Bastien Durel wrote: > Le mardi 09 novembre 2021 à 17:09 +0100, Daniel Salzman a écrit : >> Sorry, it's not correct. You have to import the pem fil

Re: [knot-dns-users] KSK rollover using alternate keystore

2021-11-09 Thread Daniel Salzman
Sorry, it's not correct. You have to import the pem files to HSM first and then import-pkcs11 metadata from the HSM to KASP DB. What is your HSM? On 11/9/21 5:05 PM, Daniel Salzman wrote: > Hi Bastien, > > you have to import the present keys (pem files) to the HSM keystore. Try

Re: [knot-dns-users] KSK rollover using alternate keystore

2021-11-09 Thread Daniel Salzman
Hi Bastien, you have to import the present keys (pem files) to the HSM keystore. Try using `keymgr import-pkcs11` Daniel On 11/9/21 4:56 PM, Bastien Durel wrote: > Hello, > > Is there a way to perform a key rollover using a new keystore for the > new KSK ? > > I'd like to switch from KASP DB

Re: [knot-dns-users] dnsbenchmark issues

2021-11-04 Thread Daniel Salzman
Hi Rhonda, The dns-benchmarking project isn't easy to use. It's a script hell :-) I would recommend using kxdpgun directly without the framework overhead. Best, Daniel On 11/4/21 11:04 AM, Rhonda D'Vine wrote: > Hi, > > I'm trying to dig into the dns-benchmark tools, but am running into a

[knot-dns-users] Knot DNS 3.1.4 and 3.0.10 releases

2021-11-04 Thread Daniel Salzman
Hello Knot DNS users, CZ.NIC has released Knot DNS 3.1.4 and 3.0.10! These versions primarily fix a very old bug which can cause the server to crash if a query requests the EDNS0/NSID option. Special thanks go to Romain Labolle! Changelog:

[knot-dns-users] Knot DNS 3.1.3 release

2021-10-18 Thread Daniel Salzman
Hello Knot DNS users, CZ.NIC has released Knot DNS 3.1.3! This is mostly a bugfix version. Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v3.1.3/NEWS Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support:

Re: [knot-dns-users] Zone Transfers fail if server has multiple IPs

2021-09-27 Thread daniel.salzman
Hi, You have to configure the source address for communication with the remote https://www.knot-dns.cz/docs/3.1/html/reference.html#via Daniel On 2021-09-27 23:49, Schindler, Stefan wrote: Hi all My server recently gained two more IPv6 & IPv4 addresses. That broke my transfer setup because

Re: [knot-dns-users] EdDSA support over PKCS #11

2021-09-24 Thread Daniel Salzman
that it is a softhsm issue. Your clarification on this would be much appreciated. On Fri, Sep 24, 2021 at 6:52 AM Daniel Salzman mailto:daniel.salz...@nic.cz>> wrote: I expect the algorithm support in SoftHSM depends on the version of the cryptographic library (OpenSSL). We will try to

Re: [knot-dns-users] EdDSA support over PKCS #11

2021-09-24 Thread Daniel Salzman
-pkcs-11-devices <https://www.knot-dns.cz/docs/3.1/singlehtml/index.html#compatible-pkcs-11-devices> say otherwise, and, when one tries to deal with either of the EdDSA algorithms under knot 3.1 with softhsm, it does not work. On Fri, Sep 24, 2021 at 12:46 AM Daniel Salzman mailto:danie

Re: [knot-dns-users] KNOT Resolver DNS over TLS Error

2021-09-24 Thread Daniel Salzman
Hello, This is a better place for such questions ;-) Knot Resolver Users List On 24. 09. 21 13:21, Günther J. Niederwimmer wrote: Hello List, I would like to install KNOT-resolver, first test it with DNS over TLS, but that doesn't work? My system is an oracle Linux 8.4 I have a Letsencrypt

Re: [knot-dns-users] EdDSA support over PKCS #11

2021-09-24 Thread Daniel Salzman
Hi Luveh, I just found this command (executed on Fedora 34): # pkcs11-tool --modul /usr/lib64/pkcs11/libsofthsm2.so -M Using slot 0 with a present token (0x5069fb60) Supported mechanisms: AES-CBC, keySize={16,32}, encrypt, decrypt, wrap AES-CBC-ENCRYPT-DATA, derive AES-CBC-PAD,

[knot-dns-users] Knot DNS 3.0.9 release

2021-09-09 Thread Daniel Salzman
Hello Knot DNS users, CZ.NIC has released Knot DNS 3.0.9! This version only backports some fixes from the 3.1 branch. Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v3.0.9/NEWS Download: https://www.knot-dns.cz/download/ Documentation: https://www.knot-dns.cz/documentation/ Support:

Re: [knot-dns-users] Old keys management

2021-09-08 Thread daniel.salzman
Hi, If there isn't any bug in the implementation, Knot DNS deletes old keys from (soft)HSM as well. It would be very impractical otherwise! Daniel On 2021-09-08 19:13, Luveh Keraph wrote: Thanks. The situation that I am addressing is that of a key roll over. My guess is that when such an

[knot-dns-users] Knot DNS 3.1.2 release

2021-09-08 Thread Daniel Salzman
Hello Knot DNS users, CZ.NIC has released Knot DNS 3.1.2! I would highlight new fancy keymgr mode `keymgr -b list [human | iso]` :-) Knot DNS 3.0.9 will follow soon. Changelog: https://gitlab.labs.nic.cz/knot/knot-dns/raw/v3.1.2/NEWS Migration:

Re: [knot-dns-users] expiring/renewing dnssec keys

2021-08-31 Thread Daniel Salzman
Hi, The extra white space is just a redundant separation of a long hex string. You can ignore it. Daniel On 8/31/21 11:49 AM, mj wrote: > Hi, > > We have a (hopefully last) follow-up question on the knot-generated dnssec > keys for our domain. > > Our policy is set to algorithm:

Re: [knot-dns-users] Knot and OpenSC "use_file_caching" - possible ?

2021-08-16 Thread Daniel Salzman
‐‐‐ Original Message ‐‐‐ > > On Monday, August 16th, 2021 at 7:36 AM, Daniel Salzman > wrote: > >> Hi Laura, >> >> Knot DNS uses GnuTLS PKCS #11 API, which is based on p11-kit. So >> use_file_caching isn't supported. >> >> As Libor already wrote, s

Re: [knot-dns-users] Knot and OpenSC "use_file_caching" - possible ?

2021-08-16 Thread Daniel Salzman
Hi Laura, Knot DNS uses GnuTLS PKCS #11 API, which is based on p11-kit. So use_file_caching isn't supported. As Libor already wrote, setting background workers to 1 might help. Some HSMs don't work well with parallel signing workers. Best, Daniel On 8/10/21 6:29 PM, Laura Smith wrote: > I

[knot-dns-users] Knot DNS 3.1.1 release

2021-08-10 Thread Daniel Salzman
Hello Knot DNS users, CZ.NIC has released Knot DNS 3.1.1! This version fixes several bugs and reverts one recent change in libzscanner. It emerged that the previous implementation of how omitted TTL is interpreted is closer to what the users expect. I'm sorry for this confusion! Changelog:

Re: [knot-dns-users] knotc conf-set - (invalid item)

2021-08-07 Thread Daniel Salzman
Hi Laura, What does Knot log (in the debug level)? E.g.: 2021-08-07T17:15:32+0200 debug: control, item 'server.versionX' 2021-08-07T17:15:32+0200 debug: control, command 'conf-set' (invalid item) Daniel On 07. 08. 21 15:40, Laura Smith wrote: Hi, For various reasons I need to write a Go

Re: [knot-dns-users] Enabling RSA2k and ED25519 at the same time

2021-08-03 Thread Daniel Salzman
lity? > Because for some reason a lot of ISP resolvers support RSA only while I would > like to future-proof my zone with ED25519 at the same time. > > Cheers, > Stefan > > > Am Do., 22. Juli 2021 um 19:56 Uhr schrieb Daniel Salzman > mailto:daniel.salz...@nic.cz>&g

Re: [knot-dns-users] migrating from bind to knot

2021-08-03 Thread Daniel Salzman
Hi, I think I know some medicine for your broken XFR ;-) Try adding `no-edns: on` to the remote section of the MS primary server. It's an undocumented option for better interoperability with broken software. It seems the option is still needed :-/ Daniel On 8/3/21 11:11 AM, mj wrote: > Hi, >
