## kzonesign utility

Unlike other, more modular DNS implementations, Knot DNS prefers to sign zones directly inside the daemon, which brings benefits such as speed and automatic timing of key roll-overs. However, for testing or unusual use cases, the `kzonesign` utility is now available. It works similarly to `dnssec-signzone`: it loads a zone file, signs the zone, and dumps it back to a text zone file. The difference is that the signing parameters are not taken from the command line but from a Knot-style configuration file.

## Backup of persistent data

Besides the zone files and configuration, Knot DNS stores further data: the journal (change-sets of recent zone updates), signing keys with their metadata, and zone timers (last NOTIFY, last refresh, etc.). These data are spread across the filesystem, which makes backing them up problematic: all zones have to be frozen before the backup so that no changes happen in the meantime, which would lead to inconsistencies. The new Knot version can safely back up (and restore) these data to a selected directory with a single command.

An example:

```
$ knotc zone-backup +backupdir /mnt/backup/auth_dns
```

## Deterministic ECDSA

The ECDSA signing algorithm offers high cryptographic security with short keys and signatures. A peculiarity is that verifying a signature takes far more time than creating one. Signing also uses a random number generator, so signatures of the same data with the same key differ each time. Deterministic ECDSA avoids this: it produces the same signature every time, so a signature can be verified by re-creating it and comparing, provided the private key is available. This speeds up loading an already signed zone. It may also protect against attacks that rely on weakening the random number generator.

An example of a signing policy enabling it:

```
policy:
  - id: default           # policy name; any identifier can be used here
    algorithm: ECDSAP256SHA256
    reproducible-sign: on
```
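To make the verification-by-re-creation point concrete, here is an added example (not Knot's code) implementing ECDSA over P-256 with SHA-256, the curve and hash behind ECDSAP256SHA256, with the nonce derived by the RFC 6979 construction that Deterministic ECDSA refers to. The key and the RRset-like payload are constructed for the demo; `verify_by_recreation` is the loader-side check that succeeds only for a deterministic signature, while a randomized signature still validates normally but cannot be re-created.

```python
import hashlib, hmac, secrets

# NIST P-256 domain parameters (the curve behind ECDSAP256SHA256); a = -3.
p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
n = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def ec_add(P, Q):  # affine point addition; None is the point at infinity
    if P is None or Q is None:
        return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, p) if P == Q else (y2 - y1) * pow(x2 - x1, -1, p)
    return (x3 := (lam * lam - x1 - x2) % p), (lam * (x1 - x3) - y1) % p
def ec_mul(k, P):  # double-and-add scalar multiplication
    R = None
    while k:
        R, P, k = (ec_add(R, P) if k & 1 else R), ec_add(P, P), k >> 1
    return R

def rfc6979_nonce(priv, h1):  # RFC 6979 HMAC-SHA256 DRBG; qlen = hlen = 256 bits here
    seed = priv.to_bytes(32, "big") + (int.from_bytes(h1, "big") % n).to_bytes(32, "big")
    V, K = b"\x01" * 32, b"\x00" * 32
    for sep in (b"\x00", b"\x01"):
        K = hmac.new(K, V + sep + seed, hashlib.sha256).digest()
        V = hmac.new(K, V, hashlib.sha256).digest()
    while True:
        V = hmac.new(K, V, hashlib.sha256).digest()
        if 1 <= int.from_bytes(V, "big") < n:
            return int.from_bytes(V, "big")
        K = hmac.new(K, V + b"\x00", hashlib.sha256).digest()
        V = hmac.new(K, V, hashlib.sha256).digest()

def sign(priv, msg, deterministic=True):  # ECDSA P-256/SHA-256; RFC 6979 or random nonce
    h1 = hashlib.sha256(msg).digest()
    k = rfc6979_nonce(priv, h1) if deterministic else 1 + secrets.randbelow(n - 1)
    r = ec_mul(k, G)[0] % n
    return r, pow(k, -1, n) * (int.from_bytes(h1, "big") + r * priv) % n
def verify(pub, msg, sig):  # standard ECDSA verification, as a validating resolver does it
    r, s = sig
    z, w = int.from_bytes(hashlib.sha256(msg).digest(), "big"), pow(s, -1, n)
    R = ec_add(ec_mul(z * w % n, G), ec_mul(r * w % n, pub))
    return R is not None and R[0] % n == r
def verify_by_recreation(priv, msg, stored_sig):  # possible only with deterministic signing
    return sign(priv, msg) == stored_sig

PRIV = int.from_bytes(hashlib.sha256(b"constructed demo key").digest(), "big") % (n - 1) + 1
RRSET = b"example.com. 3600 IN A 192.0.2.1"  # constructed RRset-like payload, not real zone data
```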

## DoH querying with kdig

The `kdig` utility, intended mostly for administrators to check the functionality of DNS servers and resolvers, now supports DNS-over-HTTPS (DoH) queries.

Example:

```
$ kdig @193.17.47.1 +https=/doh example.com.
```

## kxdpgun utility

With the implementation of high-performance packet handling through XDP, a new testing and benchmarking utility is introduced, able to generate up to tens of millions of queries per second in extreme cases. `kxdpgun` allows configuring the speed and further parameters of a benchmark, and at the end of the run it shows statistics such as an overview of the return codes. The Knot DNS team is already using this tool to measure their own and other DNS server implementations.

## Trust Anchor Roll-over

Trust Anchor management according to RFC 5011 is used mostly in situations where a signed zone is a sub-zone of an unsigned one. During such a key roll-over, the 'revoked' flag has to be set. Knot DNS 3.0 enables this, although only manually.