Switched from bind, some issues with knot

Hi,

I switched to Knot from Bind and would like to clear few small questions. I'm using Knot DNS as primary, with OVH as secondary DNS. OVH asks to add an ownercheck subdomain, for verification purposes. I did this but it does not gets resolved. My configuration:

# uname -a
Linux server.domain.com 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

# firewall-cmd --permanent --zone=public --add-service=dns
# firewall-cmd --reload

# cat /etc/knot/knot.conf
log:
  - target: syslog
    any: error

server:
    listen: 198.40.136.42@53
    listen: 198.40.136.43@53
    max-udp-payload: 1280
    max-ipv6-udp-payload: 1280
    rundir: /run/knot
    user: knot:knot

zone:
  - domain: domain.com
    storage: /var/lib/knot/zones
    file: domain.com.zone

# cat /var/lib/knot/zones/domain.com.zone
$TTL 1d
$ORIGIN domain.com.
@               IN SOA      ns1.domain.com. hostmaster.domain.com. (
                14          ; serial
                6h          ; refresh
                1h          ; retry
                2w          ; expire
                1d )        ; negative cache
                IN A        198.27.60.138
                IN NS       ns1.domain.com.
                IN NS       ns2.domain.com.
ns1             IN A        198.40.136.42
ns2             IN A        198.40.136.43
ownercheck      IN TXT      d437c164

# systemctl start knot
Mar 20 00:43:46 server systemd: Starting Knot DNS server...
Mar 20 00:43:46 server knotc: Configuration is valid
Mar 20 00:44:36 server systemd: Started Knot DNS server.

I can connect fine to the actual 53 port, from my Mac:

$ nc -z 198.40.136.42 53
Connection to 198.40.136.42 port 53 [tcp/domain] succeeded!

Did I missed something obvious? I don't have Knot Resolver installed.

changed the description

I would check if there is another service running on port 53. For example ss -lnptu | grep ":53 "

And check if Knot really responds dig @198.40.136.42 domain.com. soa

It seems the problem is your firewall settings. Namely the service name dns. Try this one firewall-cmd --permanent --add-port=53/udp --add-port=53/tcp

Is already enabled, I'll do the rest of checks you recommended in a bit:

# firewall-cmd --list-all | grep services
  services: ssh dhcpv6-client ntp http https dns

# cat /usr/lib/firewalld/services/dns.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>DNS</short>
  <description>The Domain Name System (DNS) is used to provide and request host and domain names. Enable this option, if you plan to provide a domain name service (e.g. with bind).</description>
  <port protocol="tcp" port="53"/>
  <port protocol="udp" port="53"/>
</service>

# kzonecheck -v /var/lib/knot/zones/domain.com.zone
No semantic error found

@dsalzman It looks like everything is fine, I get the right server IP through Knot, when I check it from my Mac. No issues starting the service.

$ dig domain.com @198.40.136.42 +short
198.27.60.138
---
$ nslookup
> server 198.40.136.42
Default server: 198.40.136.42
Address: 198.40.136.42#53
> domain.com
Server:		198.40.136.42
Address:	198.40.136.42#53

Name:	domain.com
Address: 198.27.60.138
---
# ss -alnp | grep ':53'
udp    UNCONN     0      0      198.40.136.43:53                    *:*                   users:(("knotd",pid=28389,fd=23))
udp    UNCONN     0      0      198.40.136.43:53                    *:*                   users:(("knotd",pid=28389,fd=22))
udp    UNCONN     0      0      198.40.136.43:53                    *:*                   users:(("knotd",pid=28389,fd=21))
udp    UNCONN     0      0      198.40.136.43:53                    *:*                   users:(("knotd",pid=28389,fd=20))
udp    UNCONN     0      0      198.40.136.43:53                    *:*                   users:(("knotd",pid=28389,fd=19))
udp    UNCONN     0      0      198.40.136.43:53                    *:*                   users:(("knotd",pid=28389,fd=18))
udp    UNCONN     0      0      198.40.136.43:53                    *:*                   users:(("knotd",pid=28389,fd=17))
udp    UNCONN     0      0      198.40.136.43:53                    *:*                   users:(("knotd",pid=28389,fd=16))
udp    UNCONN     0      0      198.40.136.42:53                    *:*                   users:(("knotd",pid=28389,fd=14))
udp    UNCONN     0      0      198.40.136.42:53                    *:*                   users:(("knotd",pid=28389,fd=13))
udp    UNCONN     0      0      198.40.136.42:53                    *:*                   users:(("knotd",pid=28389,fd=12))
udp    UNCONN     0      0      198.40.136.42:53                    *:*                   users:(("knotd",pid=28389,fd=11))
udp    UNCONN     0      0      198.40.136.42:53                    *:*                   users:(("knotd",pid=28389,fd=10))
udp    UNCONN     0      0      198.40.136.42:53                    *:*                   users:(("knotd",pid=28389,fd=9))
udp    UNCONN     0      0      198.40.136.42:53                    *:*                   users:(("knotd",pid=28389,fd=8))
udp    UNCONN     0      0      198.40.136.42:53                    *:*                   users:(("knotd",pid=28389,fd=7))
tcp    LISTEN     0      10     198.40.136.43:53                    *:*                   users:(("knotd",pid=28389,fd=24))
tcp    LISTEN     0      10     198.40.136.42:53                    *:*                   users:(("knotd",pid=28389,fd=15))

My question is, how are the DNS changes pushed to public servers with Knot? I had to stop Bind services on the old server, in order to let propagate the new settings from new server with Knot.

@dsalzman feel free to make this issue confidential, if you want me to post true server settings. I replaced the real values with random ones.

@dsalzman everything started to work, it took forever to propagate. :) I have a sidebar question, if you don't mind. What would be the use of Knot Resolver, in my case? All I want is to publish my own DNS server settings, do I need the Resolver?

If I understand your intention correctly, you don't need to configure a DNS resolver.

@dsalzman If I understand correctly, Knot Resolver is a caching DNS resolver that can help speed up and secure DNS resolution on my server. I will never use that, but I want to forward these DNS resolutions to 1.1.1.1. That's why I'm using:

# nmcli con mod enp3s0 ipv4.dns 1.1.1.1

Are there any advanced tutorials you recommend for securing Knot DNS? I'm reading the documentation now, did a search and there are not many guides on Knot.

closed

Yes, Knot Resolver is a caching DNS resolver. You can install it locally instead of 1.1.1.1. But it's another story :-)

Unfortunately, I'm not aware of any advanced tutorial on this topic.

@dsalzman I tried enabling DNSSec:

zone:
  - domain: domain.com
    storage: /var/lib/knot/zones
    file: domain.com.zone
    dnssec-signing: on

I get this error:

# systemctl restart knot
Mar 20 16:49:20 server systemd[1]: Starting Knot DNS server...
Mar 20 16:49:29 server knotd[7514]: error: [domain.com.] DNSSEC, failed to initialize (operation not permitted)
Mar 20 16:49:29 server knotd[7514]: error: [domain.com.] zone event 'load' failed (operation not permitted)
Mar 20 16:49:29 server systemd[1]: Started Knot DNS server.

Probably you have to change the default storage:

template:
 - id: default
   storage: /var/lib/knot

What is the output from knotc status configure and stat -c"%A %G %U" /var/lib/knot?

@dsalzman here is the info you required, there are no keys present into /var/lib/knot/keys directory:

# cat /etc/knot/knot.conf
server:
    listen: 127.0.0.1@53
    listen: 198.40.136.42@53
    listen: 198.40.136.43@53
    max-udp-payload: 1280
    max-ipv6-udp-payload: 1280
    user: knot:knot

log:
  - target: syslog
    any: error

template:
  - id: default
    storage: /var/lib/knot/master
  - id: signed
    storage: /var/lib/knot/signed
    dnssec-signing: on

zone:
  - domain: domain.com
    template: signed
    file: domain.com.zone

# ls -lah /var/lib/knot
total 4.0K
drwxrwxr-x.  5 root knot   46 Mar 21 13:39 .
drwxr-xr-x. 26 root root 4.0K Mar 21 13:05 ..
drwxrwx---.  2 root knot    6 Mar 21 13:39 keys
drwxr-x---.  2 root knot    6 Mar 21 13:05 master
drwxr-x---.  2 root knot   28 Mar 21 13:08 signed

# ls -lah /var/lib/knot/keys
total 0
drwxrwx---. 2 root knot  6 Mar 21 13:39 .
drwxrwxr-x. 5 root knot 46 Mar 21 13:39 ..

# ls -lah /var/lib/knot/signed
total 4.0K
drwxr-x---. 2 root knot   28 Mar 21 13:08 .
drwxrwxr-x. 5 root knot   46 Mar 21 13:39 ..
-rw-r-----. 1 root knot 1.8K Mar 21 13:08 domain.com.zone

# systemctl start knot
Mar 21 13:12:23 server systemd: Starting Knot DNS server...
Mar 21 13:12:24 server knotc: Configuration is valid
Mar 21 13:12:24 server knotd: error: [domain.com.] DNSSEC, failed to initialize (operation not permitted)
Mar 21 13:12:24 server knotd: error: [domain.com.] zone event 'load' failed (operation not permitted)
Mar 21 13:12:24 server systemd: Started Knot DNS server.

# knotc status configure
  Knot DNS 2.8.0

    Target:   linux-gnu x86_64
    Compiler: gcc -std=gnu99
    CFLAGS:   -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -DNDEBUG -Wno-unused -Wall -Wshadow -Werror=format-security -Werror=implicit -Wstrict-prototypes
    LIBS:      -Wl,-z,relro
    LibURCU:  -lurcu
    GnuTLS:   -lgnutls   -I/usr/include/p11-kit-1
    Libedit:  -ledit -ltinfo   -I/usr/include/editline
    LMDB:     shared  -llmdb
    Config:   500 MiB default mapsize

    Prefix:      /usr
    Run dir:     /run/knot
    Storage dir: /var/lib/knot
    Config dir:  /etc/knot
    Module dir:

    Static modules: cookies dnsproxy geoip noudp onlinesign queryacl rrl stats synthrecord whoami
    Shared modules:

    Knot DNS libraries:     yes
    Knot DNS daemon:        yes
    Knot DNS utilities:     yes
    Knot DNS documentation: yes

    Use recvmmsg:           yes
    Use SO_REUSEPORT(_LB):  yes
    Memory allocator:       auto
    Fast zone parser:       yes
    Utilities with IDN:     libidn2
    Utilities with Dnstap:  yes
    MaxMind DB support:     yes
    Systemd integration:    yes
    POSIX capabilities:     yes
    PKCS #11 support:       no
    Ed25519 support:        no
    Code coverage:          no
    Sanitizer:              no
    LibFuzzer:              no
    OSS-Fuzz:               no

The problem is that storage in the default template has extended use. If https://www.knot-dns.cz/docs/2.8/singlehtml/index.html#kasp-db is not specified, the default value is /var/lib/knot/master/keys in your case. And this directory is not writable by knot.

We will probably move global database options to another section to mitigate this ambiguity.

@dsalzman Looking at documentation: https://www.knot-dns.cz/docs/2.8/singlehtml/index.html#zone-storage

The default storage path is /var/lib/knot, therefore /var/lib/knot/keys exists with proper permissions. I'm trying to understand why you suggest the default value is /var/lib/knot/master/keys?

I already specify the storage setting at compile time:

./configure --sysconfdir=/etc --localstatedir=/var/lib --libexecdir=/usr/lib/knot --with-rundir=/run/knot --with-storage=/var/lib/knot --disable-static --enable-recvmmsg --enable-dnstap --enable-reuseport

Is the template ID forcing the directory change? In this case, is it recommended to use the default template storage as /var/lib/knot? Will the signed template inherit the /var/lib/knot/keys directory use?

@dsalzman removing the default template fixed the error, which I presume will pull the proper default settings and inherit everything into signed template:

template:
  - id: signed
    storage: /var/lib/knot/signed
    dnssec-signing: on

zone:
  - domain: domain.com
    file: domain.com.zone
    template: signed

Now I have a different error:

Mar 21 16:41:11 server systemd: Starting Knot DNS server...
Mar 21 16:41:11 server knotc: Configuration is valid
Mar 21 16:41:11 server systemd: Started Knot DNS server.
Mar 21 16:41:11 server knotd: error: [domain.com.] zone event 'journal flush' failed (operation not permitted)

Never mind, running the logs in debug showed another permission error, I'm going to change the directory permissions into rpm package I'm building and avoid these issues permanently.

@dsalzman thank you for your patience, is the Knot learning curve. Really happy I made the switch from Bind, I'm mostly happy how fast the Knot devs fix bugs, allowing me to build quickly new Knot rpm packages that others can use also.

There is one more question related to DNSSEC. Knot changed dramatically the domain.com.zone file. I presume the safe way to work on a zone file with the the Knot editor? There is something not clear for me into documentation, the zone-freeze is only to be able editing the actual zone file? I prefer to use this method, let me know if appropriate:

knotc zone-begin domain.com
knotc zone-set domain.com ns1 86400 A 198.40.136.42
knotc zone-commit domain.com
knotc zone-abort domain.com

When do I use the zone-freeze?

The former problem with insufficient permissions relates to KASP database access. If the path is not explicitly configured via https://www.knot-dns.cz/docs/2.8/singlehtml/index.html#kasp-db, the default value is used storage/keys. However, your storage was:

template:
  - id: default
    storage: /var/lib/knot/master

then /var/lib/knot/master/keys :-) The same rule applies to journal database.

The latter problem with insufficient permissions during zone flush relates to

# ls -lah /var/lib/knot
...
drwxr-x---.  2 root knot   28 Mar 21 13:08 signed

So Knot (running under user knot) wasn't allowed to write new zone file to this directory.

As for zone-freeze, this command is important for situations when you want to manually change zone contents (zone file modification or using knotc operations) and it's possible that the server can concurrently change the zone (ddns, dnssec signing). So, you must postpone all server-initiated events.

@dsalzman how to wipe completely a zone with knotc, so I can start from scratch? I tried:

knotc zone-begin domain.com
knotc zone-unset domain.com @
...
knotc zone-commit domain.com
knotc zone-reload domain.com

But there are still several lines present, which would not delete.

knotc -f zone-purge domain.com which, by default, wipes everything for the zone (zone contents, zone file, timers, journal, kaspdb)

@dsalzman I have another issue, I'm trying to use conf-set and it would not apply the changes:

# ls -lah /etc/knot
total 16K
drwxr-x---.  2 knot root   23 Mar 22 15:56 .
drwxr-xr-x. 77 root root 8.0K Mar 21 22:58 ..
-rw-r-----.  1 knot root  476 Mar 22 15:55 knot.conf

# knotc conf-begin
# knotc conf-set 'server.identity' 'Knot DNS'
# knotc conf-diff
+server.identity = Knot DNS
# knotc conf-commit
# systemctl restart knot
# grep identity /etc/knot/knot.conf
#

Permissions are OK, but information is not added into knot.conf?

Logs:

Mar 22 13:39:41 server knotd: info: control, received command 'conf-begin'
Mar 22 13:39:54 server knotd: info: control, received command 'conf-set'
Mar 22 13:39:58 server knotd: info: control, received command 'conf-diff'
Mar 22 13:39:59 server knotd: info: control, received command 'conf-commit'

@dsalzman I found another issue, you cannot create a new zone from scratch:

install -d -m 0750 -o knot -g root /var/lib/knot/signed
knotc conf-begin
knotc conf-set 'template[signed]'
knotc conf-set 'template[signed].storage' '/var/lib/knot/signed'
knotc conf-set 'template[signed].dnssec-signing' 'on'
knotc conf-set 'zone[alpha.com]'
knotc conf-set 'zone[alpha.com.].file' 'alpha.com.zone'
knotc conf-set 'zone[alpha.com].template' 'signed'
knotc conf-diff
knotc conf-commit

knotc zone-begin alpha.com
knotc zone-set alpha.com @ 7200 SOA ns1 hostmaster 1 86400 900 691200 3600
knotc zone-commit alpha.com
error: [alpha.com] (no keys for signing)

If I create a zone file with only SOA on it, all above commands work.

cat > /var/lib/knot/signed/alpha.com.zone << 'EOF'
alpha.com. 7200 SOA ns1.alpha.com. hostmaster.alpha.com. 1 86400 900 691200 3600
EOF
chmod 0640 /var/lib/knot/signed/alpha.com.zone
chown knot:root /var/lib/knot/signed/alpha.com.zone

Is this a known limitation? I would like to add new zones from scratch, using only knotc commands. Even if I create an empty file, it will complain about the missing SOA:

Mar 22 16:25:01 server knotd: info: starting server
Mar 22 16:25:01 server knotd: error: [alpha.com.] check, missing SOA at the zone apex
Mar 22 16:25:01 server knotd: error: [alpha.com.] failed to parse zone file (failed)
Mar 22 16:25:01 server knotd: error: [alpha.com.] zone event 'load' failed (failed)
Mar 22 16:25:01 server knotd: info: server started in the foreground, PID 32061
Mar 22 16:25:01 server systemd: Started Knot DNS server.

For effective operation of dynamic configuration, the server must be started with explicit configuration database location -C path_to_confdb (usually /var/lib/knot/confdb), or it must be initialized using knotc conf-init in advance. Then the configuration file is untouched!

The last issue seems to be a bug. I will investigate that!

mentioned in commit 5d1d9abb

mentioned in commit 382273c4

mentioned in commit 82788f1f

Should be fixed in master and 2.8 branches.

@dsalzman glad I was able to find a bug.

mentioned in commit 147bd9ec

mentioned in commit 124a3005