... | @@ -24,7 +24,7 @@ Example: |
... | @@ -24,7 +24,7 @@ Example: |
|
```
|
|
```
|
|
These lines in the configuration file signalize a catalog zone. This zone won't answer normal DNS queries from the outside. It will instead be interpreted as a catalog zone: all the `PTR` records will be used as a basis to configure the member zones. Configuration of each member zone will be taken from the template named `tpl_standard` (in this case). This specific template can be used to define a set of secondaries to send NOTIFY to, or to configure DNSSEC signing parameters.
|
|
These lines in the configuration file signalize a catalog zone. This zone won't answer normal DNS queries from the outside. It will instead be interpreted as a catalog zone: all the `PTR` records will be used as a basis to configure the member zones. Configuration of each member zone will be taken from the template named `tpl_standard` (in this case). This specific template can be used to define a set of secondaries to send NOTIFY to, or to configure DNSSEC signing parameters.
|
|
|
|
|
|
Knot DNS complies with the current (ongoing) proposal for an RFC standard regarding catalog zones.
|
|
Knot DNS complies with the current (ongoing) [proposal of RFC](https://tools.ietf.org/html/draft-ietf-dnsop-dns-catalog-zones-00) standard regarding catalog zones.
|
|
|
|
|
|
Other use cases of catalog zones are planned for future versions of Knot DNS. For example, it might be possible to generate catalog zones in addition to just interpreting them.
|
|
Other use cases of catalog zones are planned for future versions of Knot DNS. For example, it might be possible to generate catalog zones in addition to just interpreting them.
|
|
|
|
|
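Review bot: The added link pins the catalog-zones draft to revision `-00`, which contradicts the sentence's own wording that this is a "current (ongoing)" proposal; later revisions of draft-ietf-dnsop-dns-catalog-zones will not be reached from this URL. Consider dropping the `-00` suffix from the link target so it follows the latest revision of the draft, and rewording "proposal of RFC" to "Internet-Draft" or "proposed RFC standard", which reads more naturally than the current phrase.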
... | @@ -44,7 +44,7 @@ This feature is especially useful when another implementation is used to sign th |
... | @@ -44,7 +44,7 @@ This feature is especially useful when another implementation is used to sign th |
|
|
|
|
|
Previously, querying the server for ANY or RRSIG types lead to an answer with as many RRSets as there are for the queried name. This resulted in a high answer-to-query size ratio which could be abused in amplification attacks.
|
|
Previously, querying the server for ANY or RRSIG types lead to an answer with as many RRSets as there are for the queried name. This resulted in a high answer-to-query size ratio which could be abused in amplification attacks.
|
|
|
|
|
|
Because the legitimate use of such queries isn't frequent, it's preferable to answer them in a minimized way, according to RFC 8482. Knot DNS answers those queries with just one, arbitrarily chosen, type (partially since version 2.9.4, fully since 3.0). Therefore, the amplification factor isn't any higher than querying a specific RR type.
|
|
Because the legitimate use of such queries isn't frequent, it's preferable to answer them in a minimized way, according to [RFC 8482](https://tools.ietf.org/html/rfc8482). Knot DNS answers those queries with just one, arbitrarily chosen, type (partially since version 2.9.4, fully since 3.0). Therefore, the amplification factor isn't any higher than querying a specific RR type.
|
|
|
|
|
|
## kzonesign utility
|
|
## kzonesign utility
|
|
|
|
|
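Review bot: The RFC 8482 link is correct, but while this paragraph is being touched the sentence in the preceding context line, "querying the server for ANY or RRSIG types lead to an answer", should read "led to an answer" (past tense, matching "Previously"). It would also help the reader to state that the minimal-ANY behaviour is the reason the amplification factor quoted at the end of the paragraph no longer exceeds that of a single-type query, i.e. tie "one, arbitrarily chosen, type" explicitly to the amplification claim.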
... | @@ -87,4 +87,4 @@ With the implementation of powerful packet handling by XDP, we introduce a new t |
... | @@ -87,4 +87,4 @@ With the implementation of powerful packet handling by XDP, we introduce a new t |
|
|
|
|
|
## Trust Anchor Roll-over
|
|
## Trust Anchor Roll-over
|
|
|
|
|
|
Trust anchor management is mostly useful when a signed zone is a sub-zone of an unsigned zone. When trust anchors management is used according to RFC 5011, it's required to set the `revoked` flag to the former key during a key roll-over. Knot DNS 3.0 makes this possible, although it requires manual configuration. |
|
Trust anchor management is mostly useful when a signed zone is a sub-zone of an unsigned zone. When trust anchors management is used according to [RFC 5011](https://tools.ietf.org/html/rfc501), it's required to set the `revoked` flag to the former key during a key roll-over. Knot DNS 3.0 makes this possible, although it requires manual configuration. |
|
\ No newline at end of file |
|
\ No newline at end of file |
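Review bot: The new link target `https://tools.ietf.org/html/rfc501` is missing the final digit; it points at RFC 501 rather than RFC 5011, which the link text names. Change it to `https://tools.ietf.org/html/rfc5011`. Both sides of the hunk also end without a trailing newline (`\ No newline at end of file`); adding one would avoid this marker in every future diff of the file.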