diff options
Diffstat (limited to 'doc')
44 files changed, 9580 insertions, 0 deletions
diff --git a/doc/Makefile.am b/doc/Makefile.am new file mode 100644 index 0000000..bbb33a8 --- /dev/null +++ b/doc/Makefile.am @@ -0,0 +1,212 @@ +MANPAGES_IN = \ + man/knot.conf.5in \ + man/knotc.8in \ + man/knotd.8in \ + man/keymgr.8in \ + man/kjournalprint.8in \ + man/kdig.1in \ + man/khost.1in \ + man/knsupdate.1in \ + man/knsec3hash.1in \ + man/kzonecheck.1in + +MANPAGES_RST = \ + man_knotc.rst \ + man_knotd.rst \ + man_keymgr.rst \ + man_kjournalprint.rst \ + man_kdig.rst \ + man_khost.rst \ + man_knsupdate.rst \ + man_knsec3hash.rst \ + man_kzonecheck.rst + +EXTRA_DIST = \ + conf.py \ + \ + appendices.rst \ + configuration.rst \ + index.rst \ + installation.rst \ + introduction.rst \ + migration.rst \ + modules.rst.in \ + operation.rst \ + reference.rst \ + requirements.rst \ + troubleshooting.rst \ + utilities.rst \ + \ + $(MANPAGES_IN) \ + $(MANPAGES_RST) \ + \ + logo.eps \ + logo.png \ + \ + theme_html + +SPHINX_V = $(SPHINX_V_@AM_V@) +SPHINX_V_ = $(SPHINX_V_@AM_DEFAULT_V@) +SPHINX_V_0 = -q +SPHINX_V_1 = -n + +AM_V_SPHINX = $(AM_V_SPHINX_@AM_V@) +AM_V_SPHINX_ = $(AM_V_SPHINX_@AM_DEFAULT_V@) +AM_V_SPHINX_0 = @echo " SPHINX $@"; + +AM_V_ECHO = @sh -c 'if $(AM_V_P); then echo $$1; fi' -- + +SPHINXBUILDDIR = $(builddir)/_build + +_SPHINXOPTS = -c $(srcdir) \ + -a \ + $(SPHINX_V) + +ALLSPHINXOPTS = $(_SPHINXOPTS) \ + -D version="$(VERSION)" \ + -D today="$(RELEASE_DATE)" \ + -D release="$(VERSION)" \ + $(SPHINXOPTS) \ + $(srcdir) + +man_SPHINXOPTS = $(_SPHINXOPTS) \ + -D version="@""VERSION@" \ + -D today="@""RELEASE_DATE@" \ + -D release="@""VERSION@" \ + $(SPHINXOPTS) \ + $(srcdir) + +.PHONY: html-local singlehtml pdf-local info-local man install-html-local install-singlehtml install-pdf-local install-info-local + +man_MANS = + +if HAVE_DAEMON +man_MANS += \ + man/knot.conf.5 \ + man/knotc.8 \ + man/knotd.8 +endif # HAVE_DAEMON + +if HAVE_UTILS +if HAVE_DAEMON +man_MANS += \ + man/keymgr.8 \ + man/kjournalprint.8 \ + man/kzonecheck.1 +endif # HAVE_DAEMON + +man_MANS += \ + man/kdig.1 \ + man/khost.1 \ + man/knsupdate.1 \ + man/knsec3hash.1 +endif # HAVE_UTILS + +man/knot.conf.5: man/knot.conf.5in +man/knotc.8: man/knotc.8in +man/knotd.8: man/knotd.8in +man/keymgr.8: man/keymgr.8in +man/kjournalprint.8: man/kjournalprint.8in +man/kdig.1: man/kdig.1in +man/khost.1: man/khost.1in +man/knsupdate.1: man/knsupdate.1in +man/knsec3hash.1: man/knsec3hash.1in +man/kzonecheck.1: man/kzonecheck.1in + +man_SUBST = $(AM_V_GEN)mkdir -p man; \ + sed -e 's,[@]VERSION@,$(VERSION),' \ + -e 's,[@]RELEASE_DATE@,$(RELEASE_DATE),' \ + -e 's,[@]config_dir@,$(config_dir),' \ + -e 's,[@]storage_dir@,$(storage_dir),' \ + -e 's,[@]run_dir@,$(run_dir),' \ + -e 's,[@]conf_mapsize@,$(conf_mapsize),' \ + $< > $@ + +.1in.1: + $(man_SUBST) + +.5in.5: + $(man_SUBST) + +.8in.8: + $(man_SUBST) + +if HAVE_DOCS + +if HAVE_SPHINXBUILD +html-local: + $(AM_V_SPHINX)$(SPHINXBUILD) -b html -d $(SPHINXBUILDDIR)/doctrees $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/html + $(AM_V_ECHO) + $(AM_V_ECHO) "Build finished. The HTML pages are in $(SPHINXBUILDDIR)/html/." + +install-html-local: + $(INSTALL) -d $(DESTDIR)/$(docdir) $(DESTDIR)/$(docdir)/_static $(DESTDIR)/$(docdir)/_sources + $(INSTALL) -D $(SPHINXBUILDDIR)/html/*.html $(DESTDIR)/$(docdir)/ + $(INSTALL_DATA) $(SPHINXBUILDDIR)/html/_sources/* $(DESTDIR)/$(docdir)/_sources/ + $(INSTALL_DATA) $(SPHINXBUILDDIR)/html/_static/* $(DESTDIR)/$(docdir)/_static/ + +singlehtml: + $(AM_V_SPHINX)$(SPHINXBUILD) -b singlehtml -d $(SPHINXBUILDDIR)/doctrees $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/singlehtml + $(AM_V_ECHO) + $(AM_V_ECHO) "Build finished. The HTML page is in $(SPHINXBUILDDIR)/singlehtml/." + +install-singlehtml: singlehtml + $(INSTALL) -d $(DESTDIR)/$(docdir) $(DESTDIR)/$(docdir)/_static + $(INSTALL_DATA) $(SPHINXBUILDDIR)/singlehtml/*.html $(DESTDIR)/$(docdir)/ + $(INSTALL_DATA) $(SPHINXBUILDDIR)/singlehtml/_static/* $(DESTDIR)/$(docdir)/_static/ + +if HAVE_PDFLATEX +pdf-local: + $(AM_V_SPHINX)$(SPHINXBUILD) -b latex -d $(SPHINXBUILDDIR)/doctrees $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/latex + $(MAKE) -C $(SPHINXBUILDDIR)/latex all-pdf + $(AM_V_ECHO) + $(AM_V_ECHO) "Build finished. The PDF file is in $(SPHINXBUILDDIR)/latex/." + +install-pdf-local: + $(INSTALL) -d $(DESTDIR)/$(docdir) + $(INSTALL_DATA) $(SPHINXBUILDDIR)/latex/knot.pdf $(DESTDIR)/$(docdir)/ + +else +pdf-local install-pdf-local: + $(AM_V_ECHO) "You need to install pdflatex and re-run configure to be" + $(AM_V_ECHO) "able to generate PDF documentation." +endif + +if HAVE_MAKEINFO +info-local: + $(AM_V_SPHINX)$(SPHINXBUILD) -b texinfo -d $(SPHINXBUILDDIR)/doctrees $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/texinfo + $(MAKE) -C $(SPHINXBUILDDIR)/texinfo info + $(AM_V_ECHO) + $(AM_V_ECHO) "Build finished. The Info file is in $(SPHINXBUILDDIR)/texinfo/." + +install-info-local: + $(INSTALL) -d $(DESTDIR)/$(infodir) + $(INSTALL_DATA) $(SPHINXBUILDDIR)/texinfo/knot.info $(DESTDIR)/$(infodir)/ + +else +info-local install-info-local: + $(AM_V_ECHO) "You need to install GNU Texinfo and re-run configure to be" + $(AM_V_ECHO) "able to generate info pages." +endif + +.NOTPARALLEL: man +man: $(man_MANS) +$(MANPAGES_IN): $(MANPAGES_RST) + $(AM_V_SPHINX)$(SPHINXBUILD) -b man -d $(SPHINXBUILDDIR)/doctrees $(man_SPHINXOPTS) $(SPHINXBUILDDIR)/man + @mkdir -p $(srcdir)/man + @for f in $(SPHINXBUILDDIR)/man/*; do \ + sed -e '/^\.TP$$/ {' -e 'n' -e 's/^\.B //' -e '}' "$$f" > "$(srcdir)/man/$$(basename $$f)in"; \ + done + $(AM_V_ECHO) + $(AM_V_ECHO) "Build finished. The man pages are in man/." + +else +html-local singlehtml pdf-local info-local man install-html-local install-singlehtml install-pdf-local install-info-local: + $(AM_V_ECHO) "Please install sphinx (python-sphinx) to generate Knot DNS documentation." +endif # HAVE_SPHINXBUILD + +endif # HAVE_DOCS + +clean-local: + -rm -rf $(SPHINXBUILDDIR) + -rm -f man/*.1 man/*.5 man/*.8 diff --git a/doc/Makefile.in b/doc/Makefile.in new file mode 100644 index 0000000..e550de9 --- /dev/null +++ b/doc/Makefile.in @@ -0,0 +1,887 @@ +# Makefile.in generated by automake 1.15 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2014 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ +VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_DAEMON_TRUE@am__append_1 = \ +@HAVE_DAEMON_TRUE@ man/knot.conf.5 \ +@HAVE_DAEMON_TRUE@ man/knotc.8 \ +@HAVE_DAEMON_TRUE@ man/knotd.8 + +@HAVE_DAEMON_TRUE@@HAVE_UTILS_TRUE@am__append_2 = \ +@HAVE_DAEMON_TRUE@@HAVE_UTILS_TRUE@ man/keymgr.8 \ +@HAVE_DAEMON_TRUE@@HAVE_UTILS_TRUE@ man/kjournalprint.8 \ +@HAVE_DAEMON_TRUE@@HAVE_UTILS_TRUE@ man/kzonecheck.1 + +@HAVE_UTILS_TRUE@am__append_3 = \ +@HAVE_UTILS_TRUE@ man/kdig.1 \ +@HAVE_UTILS_TRUE@ man/khost.1 \ +@HAVE_UTILS_TRUE@ man/knsupdate.1 \ +@HAVE_UTILS_TRUE@ man/knsec3hash.1 + +subdir = doc +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_cc_clang.m4 \ + $(top_srcdir)/m4/ax_check_compile_flag.m4 \ + $(top_srcdir)/m4/ax_check_link_flag.m4 \ + $(top_srcdir)/m4/ax_compare_version.m4 \ + $(top_srcdir)/m4/code-coverage.m4 \ + $(top_srcdir)/m4/knot-lib-version.m4 \ + $(top_srcdir)/m4/knot-module.m4 $(top_srcdir)/m4/libtool.m4 \ + $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ + $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ + $(top_srcdir)/m4/sanitizer.m4 $(top_srcdir)/m4/visibility.m4 \ + $(top_srcdir)/m4/knot-version.m4 $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/src/config.h +CONFIG_CLEAN_FILES = modules.rst +CONFIG_CLEAN_VPATH_FILES = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +SOURCES = +DIST_SOURCES = +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +man1dir = $(mandir)/man1 +am__installdirs = "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man5dir)" \ + "$(DESTDIR)$(man8dir)" +man5dir = $(mandir)/man5 +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/modules.rst.in +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CC_CLANG_VERSION = @CC_CLANG_VERSION@ +CFLAGS = @CFLAGS@ +CFLAG_VISIBILITY = @CFLAG_VISIBILITY@ +CODE_COVERAGE_ENABLED = @CODE_COVERAGE_ENABLED@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLTOOL = @DLLTOOL@ +DNSTAP_CFLAGS = @DNSTAP_CFLAGS@ +DNSTAP_LIBS = @DNSTAP_LIBS@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GENHTML = @GENHTML@ +GREP = @GREP@ +HAVE_VISIBILITY = @HAVE_VISIBILITY@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +KNOT_VERSION_MAJOR = @KNOT_VERSION_MAJOR@ +KNOT_VERSION_MINOR = @KNOT_VERSION_MINOR@ +KNOT_VERSION_PATCH = @KNOT_VERSION_PATCH@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LDFLAG_EXCLUDE_LIBS = @LDFLAG_EXCLUDE_LIBS@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PDFLATEX = @PDFLATEX@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PROTOC_C = @PROTOC_C@ +RANLIB = @RANLIB@ +RELEASE_DATE = @RELEASE_DATE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SPHINXBUILD = @SPHINXBUILD@ +STRIP = @STRIP@ +VERSION = @VERSION@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +cap_ng_CFLAGS = @cap_ng_CFLAGS@ +cap_ng_LIBS = @cap_ng_LIBS@ +conf_mapsize = @conf_mapsize@ +config_dir = @config_dir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dlopen_LIBS = @dlopen_LIBS@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +external_lmdb_LIBS = @external_lmdb_LIBS@ +fuzzer_CFLAGS = @fuzzer_CFLAGS@ +fuzzer_LDFLAGS = @fuzzer_LDFLAGS@ +gnutls_CFLAGS = @gnutls_CFLAGS@ +gnutls_LIBS = @gnutls_LIBS@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libdnssec_SONAME = @libdnssec_SONAME@ +libdnssec_SOVERSION = @libdnssec_SOVERSION@ +libdnssec_VERSION_INFO = @libdnssec_VERSION_INFO@ +libedit_CFLAGS = @libedit_CFLAGS@ +libedit_LIBS = @libedit_LIBS@ +libexecdir = @libexecdir@ +libfstrm_CFLAGS = @libfstrm_CFLAGS@ +libfstrm_LIBS = @libfstrm_LIBS@ +libidn2_CFLAGS = @libidn2_CFLAGS@ +libidn2_LIBS = @libidn2_LIBS@ +libidn_CFLAGS = @libidn_CFLAGS@ +libidn_LIBS = @libidn_LIBS@ +libknot_SONAME = @libknot_SONAME@ +libknot_SOVERSION = @libknot_SOVERSION@ +libknot_VERSION_INFO = @libknot_VERSION_INFO@ +libmaxminddb_CFLAGS = @libmaxminddb_CFLAGS@ +libmaxminddb_LIBS = @libmaxminddb_LIBS@ +libprotobuf_c_CFLAGS = @libprotobuf_c_CFLAGS@ +libprotobuf_c_LIBS = @libprotobuf_c_LIBS@ +liburcu_CFLAGS = @liburcu_CFLAGS@ +liburcu_LIBS = @liburcu_LIBS@ +liburcu_PKGCONFIG = @liburcu_PKGCONFIG@ +libzscanner_SONAME = @libzscanner_SONAME@ +libzscanner_SOVERSION = @libzscanner_SOVERSION@ +libzscanner_VERSION_INFO = @libzscanner_VERSION_INFO@ +lmdb_CFLAGS = @lmdb_CFLAGS@ +lmdb_LIBS = @lmdb_LIBS@ +localedir = @localedir@ +localstatedir = @localstatedir@ +malloc_LIBS = @malloc_LIBS@ +mandir = @mandir@ +math_LIBS = @math_LIBS@ +mkdir_p = @mkdir_p@ +module_dir = @module_dir@ +module_instdir = @module_instdir@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +pkgconfigdir = @pkgconfigdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pthread_LIBS = @pthread_LIBS@ +run_dir = @run_dir@ +runstatedir = @runstatedir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +storage_dir = @storage_dir@ +sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +MANPAGES_IN = \ + man/knot.conf.5in \ + man/knotc.8in \ + man/knotd.8in \ + man/keymgr.8in \ + man/kjournalprint.8in \ + man/kdig.1in \ + man/khost.1in \ + man/knsupdate.1in \ + man/knsec3hash.1in \ + man/kzonecheck.1in + +MANPAGES_RST = \ + man_knotc.rst \ + man_knotd.rst \ + man_keymgr.rst \ + man_kjournalprint.rst \ + man_kdig.rst \ + man_khost.rst \ + man_knsupdate.rst \ + man_knsec3hash.rst \ + man_kzonecheck.rst + +EXTRA_DIST = \ + conf.py \ + \ + appendices.rst \ + configuration.rst \ + index.rst \ + installation.rst \ + introduction.rst \ + migration.rst \ + modules.rst.in \ + operation.rst \ + reference.rst \ + requirements.rst \ + troubleshooting.rst \ + utilities.rst \ + \ + $(MANPAGES_IN) \ + $(MANPAGES_RST) \ + \ + logo.eps \ + logo.png \ + \ + theme_html + +SPHINX_V = $(SPHINX_V_@AM_V@) +SPHINX_V_ = $(SPHINX_V_@AM_DEFAULT_V@) +SPHINX_V_0 = -q +SPHINX_V_1 = -n +AM_V_SPHINX = $(AM_V_SPHINX_@AM_V@) +AM_V_SPHINX_ = $(AM_V_SPHINX_@AM_DEFAULT_V@) +AM_V_SPHINX_0 = @echo " SPHINX $@"; +AM_V_ECHO = @sh -c 'if $(AM_V_P); then echo $$1; fi' -- +SPHINXBUILDDIR = $(builddir)/_build +_SPHINXOPTS = -c $(srcdir) \ + -a \ + $(SPHINX_V) + +ALLSPHINXOPTS = $(_SPHINXOPTS) \ + -D version="$(VERSION)" \ + -D today="$(RELEASE_DATE)" \ + -D release="$(VERSION)" \ + $(SPHINXOPTS) \ + $(srcdir) + +man_SPHINXOPTS = $(_SPHINXOPTS) \ + -D version="@""VERSION@" \ + -D today="@""RELEASE_DATE@" \ + -D release="@""VERSION@" \ + $(SPHINXOPTS) \ + $(srcdir) + +man_MANS = $(am__append_1) $(am__append_2) $(am__append_3) +man_SUBST = $(AM_V_GEN)mkdir -p man; \ + sed -e 's,[@]VERSION@,$(VERSION),' \ + -e 's,[@]RELEASE_DATE@,$(RELEASE_DATE),' \ + -e 's,[@]config_dir@,$(config_dir),' \ + -e 's,[@]storage_dir@,$(storage_dir),' \ + -e 's,[@]run_dir@,$(run_dir),' \ + -e 's,[@]conf_mapsize@,$(conf_mapsize),' \ + $< > $@ + +all: all-am + +.SUFFIXES: +.SUFFIXES: .1 .1in .5 .5in .8 .8in +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign doc/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign doc/Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +modules.rst: $(top_builddir)/config.status $(srcdir)/modules.rst.in + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man1: $(man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(man_MANS)'; \ + test -n "$(man1dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man1dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man1dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.1[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^1][0-9a-z]*$$,1,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man1dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man1dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man1dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man1dir)" || exit $$?; }; \ + done; } + +uninstall-man1: + @$(NORMAL_UNINSTALL) + @list=''; test -n "$(man1dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.1[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^1][0-9a-z]*$$,1,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man1dir)'; $(am__uninstall_files_from_dir) +install-man5: $(man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(man_MANS)'; \ + test -n "$(man5dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man5dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man5dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.5[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \ + done; } + +uninstall-man5: + @$(NORMAL_UNINSTALL) + @list=''; test -n "$(man5dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.5[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir) +install-man8: $(man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(man_MANS)'; \ + test -n "$(man8dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.8[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ + done; } + +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list=''; test -n "$(man8dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.8[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) +tags TAGS: + +ctags CTAGS: + +cscope cscopelist: + + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(MANS) +installdirs: + for dir in "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +@HAVE_DOCS_FALSE@install-pdf-local: +@HAVE_PDFLATEX_FALSE@install-pdf-local: +@HAVE_SPHINXBUILD_FALSE@install-pdf-local: +@HAVE_DOCS_FALSE@html-local: +@HAVE_SPHINXBUILD_FALSE@html-local: +@HAVE_DOCS_FALSE@install-html-local: +@HAVE_SPHINXBUILD_FALSE@install-html-local: +@HAVE_DOCS_FALSE@pdf-local: +@HAVE_PDFLATEX_FALSE@pdf-local: +@HAVE_SPHINXBUILD_FALSE@pdf-local: +@HAVE_DOCS_FALSE@install-info-local: +@HAVE_MAKEINFO_FALSE@install-info-local: +@HAVE_SPHINXBUILD_FALSE@install-info-local: +@HAVE_DOCS_FALSE@info-local: +@HAVE_MAKEINFO_FALSE@info-local: +@HAVE_SPHINXBUILD_FALSE@info-local: +clean: clean-am + +clean-am: clean-generic clean-libtool clean-local mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-generic + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: html-local + +info: info-am + +info-am: info-local + +install-data-am: install-man + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: install-html-local + +install-info: install-info-am + +install-info-am: install-info-local + +install-man: install-man1 install-man5 install-man8 + +install-pdf: install-pdf-am + +install-pdf-am: install-pdf-local + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-generic mostlyclean-libtool + +pdf: pdf-am + +pdf-am: pdf-local + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man + +uninstall-man: uninstall-man1 uninstall-man5 uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: all all-am check check-am clean clean-generic clean-libtool \ + clean-local cscopelist-am ctags-am distclean distclean-generic \ + distclean-libtool distdir dvi dvi-am html html-am html-local \ + info info-am info-local install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am \ + install-html-local install-info install-info-am \ + install-info-local install-man install-man1 install-man5 \ + install-man8 install-pdf install-pdf-am install-pdf-local \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am pdf-local ps ps-am tags-am \ + uninstall uninstall-am uninstall-man uninstall-man1 \ + uninstall-man5 uninstall-man8 + +.PRECIOUS: Makefile + + +.PHONY: html-local singlehtml pdf-local info-local man install-html-local install-singlehtml install-pdf-local install-info-local + +man/knot.conf.5: man/knot.conf.5in +man/knotc.8: man/knotc.8in +man/knotd.8: man/knotd.8in +man/keymgr.8: man/keymgr.8in +man/kjournalprint.8: man/kjournalprint.8in +man/kdig.1: man/kdig.1in +man/khost.1: man/khost.1in +man/knsupdate.1: man/knsupdate.1in +man/knsec3hash.1: man/knsec3hash.1in +man/kzonecheck.1: man/kzonecheck.1in + +.1in.1: + $(man_SUBST) + +.5in.5: + $(man_SUBST) + +.8in.8: + $(man_SUBST) + +@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@html-local: +@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_SPHINX)$(SPHINXBUILD) -b html -d $(SPHINXBUILDDIR)/doctrees $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/html +@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_ECHO) +@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_ECHO) "Build finished. The HTML pages are in $(SPHINXBUILDDIR)/html/." + +@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@install-html-local: +@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL) -d $(DESTDIR)/$(docdir) $(DESTDIR)/$(docdir)/_static $(DESTDIR)/$(docdir)/_sources +@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL) -D $(SPHINXBUILDDIR)/html/*.html $(DESTDIR)/$(docdir)/ +@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL_DATA) $(SPHINXBUILDDIR)/html/_sources/* $(DESTDIR)/$(docdir)/_sources/ +@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL_DATA) $(SPHINXBUILDDIR)/html/_static/* $(DESTDIR)/$(docdir)/_static/ + +@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@singlehtml: +@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_SPHINX)$(SPHINXBUILD) -b singlehtml -d $(SPHINXBUILDDIR)/doctrees $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/singlehtml +@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_ECHO) +@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_ECHO) "Build finished. The HTML page is in $(SPHINXBUILDDIR)/singlehtml/." + +@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@install-singlehtml: singlehtml +@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL) -d $(DESTDIR)/$(docdir) $(DESTDIR)/$(docdir)/_static +@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL_DATA) $(SPHINXBUILDDIR)/singlehtml/*.html $(DESTDIR)/$(docdir)/ +@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL_DATA) $(SPHINXBUILDDIR)/singlehtml/_static/* $(DESTDIR)/$(docdir)/_static/ + +@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@@HAVE_SPHINXBUILD_TRUE@pdf-local: +@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_SPHINX)$(SPHINXBUILD) -b latex -d $(SPHINXBUILDDIR)/doctrees $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/latex +@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(MAKE) -C $(SPHINXBUILDDIR)/latex all-pdf +@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_ECHO) +@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_ECHO) "Build finished. The PDF file is in $(SPHINXBUILDDIR)/latex/." + +@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@@HAVE_SPHINXBUILD_TRUE@install-pdf-local: +@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL) -d $(DESTDIR)/$(docdir) +@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL_DATA) $(SPHINXBUILDDIR)/latex/knot.pdf $(DESTDIR)/$(docdir)/ + +@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_FALSE@@HAVE_SPHINXBUILD_TRUE@pdf-local install-pdf-local: +@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_FALSE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_ECHO) "You need to install pdflatex and re-run configure to be" +@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_FALSE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_ECHO) "able to generate PDF documentation." + +@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_TRUE@@HAVE_SPHINXBUILD_TRUE@info-local: +@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_SPHINX)$(SPHINXBUILD) -b texinfo -d $(SPHINXBUILDDIR)/doctrees $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/texinfo +@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(MAKE) -C $(SPHINXBUILDDIR)/texinfo info +@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_ECHO) +@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_ECHO) "Build finished. The Info file is in $(SPHINXBUILDDIR)/texinfo/." + +@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_TRUE@@HAVE_SPHINXBUILD_TRUE@install-info-local: +@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL) -d $(DESTDIR)/$(infodir) +@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL_DATA) $(SPHINXBUILDDIR)/texinfo/knot.info $(DESTDIR)/$(infodir)/ + +@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_FALSE@@HAVE_SPHINXBUILD_TRUE@info-local install-info-local: +@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_FALSE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_ECHO) "You need to install GNU Texinfo and re-run configure to be" +@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_FALSE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_ECHO) "able to generate info pages." + +@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@.NOTPARALLEL: man +@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@man: $(man_MANS) +@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@$(MANPAGES_IN): $(MANPAGES_RST) +@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_SPHINX)$(SPHINXBUILD) -b man -d $(SPHINXBUILDDIR)/doctrees $(man_SPHINXOPTS) $(SPHINXBUILDDIR)/man +@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ @mkdir -p $(srcdir)/man +@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ @for f in $(SPHINXBUILDDIR)/man/*; do \ +@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ sed -e '/^\.TP$$/ {' -e 'n' -e 's/^\.B //' -e '}' "$$f" > "$(srcdir)/man/$$(basename $$f)in"; \ +@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ done +@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_ECHO) +@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_ECHO) "Build finished. The man pages are in man/." + +@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_FALSE@html-local singlehtml pdf-local info-local man install-html-local install-singlehtml install-pdf-local install-info-local: +@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_FALSE@ $(AM_V_ECHO) "Please install sphinx (python-sphinx) to generate Knot DNS documentation." + +clean-local: + -rm -rf $(SPHINXBUILDDIR) + -rm -f man/*.1 man/*.5 man/*.8 + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/doc/appendices.rst b/doc/appendices.rst new file mode 100644 index 0000000..6a3a40b --- /dev/null +++ b/doc/appendices.rst @@ -0,0 +1,103 @@ +.. highlight:: none +.. _Appendicies: + +********** +Appendices +********** + +.. _compatible_pkcs11_devices: + +Compatible PKCS #11 Devices +=========================== + +This section has informative character. Knot DNS has been tested with several +devices which claim to support PKCS #11 interface. The following table +indicates which algorithms and operations have been observed to work. Please +notice minimal GnuTLS library version required for particular algorithm +support. + +.. |yes| replace:: **yes** +.. |no| replace:: no +.. |unknown| replace:: ? + +.. list-table:: + :header-rows: 1 + :stub-columns: 1 + + * - + - Key generate + - Key import + - ED25519 256-bit + - ECDSA 256-bit + - ECDSA 384-bit + - RSA 1024-bit + - RSA 2048-bit + - RSA 4096-bit + * - `Feitian ePass 2003 <http://www.ftsafe.com/product/epass/epass2003>`_ + - |yes| + - |no| + - |no| + - |no| + - |no| + - |yes| + - |yes| + - |no| + * - `SafeNet Network HSM (Luna SA 4) <http://www.safenet-inc.com/data-encryption/hardware-security-modules-hsms/luna-hsms-key-management/luna-sa-network-hsm/>`_ + - |yes| + - |no| + - |no| + - |no| + - |no| + - |yes| + - |yes| + - |yes| + * - `SoftHSM 2.0 <https://www.opendnssec.org/softhsm/>`_ + - |yes| + - |yes| + - |no| + - |yes| + - |yes| + - |yes| + - |yes| + - |yes| + * - `Trustway Proteccio NetHSM <http://www.bull.com/fr/cybers%C3%A9curit%C3%A9-trustway-proteccio-nethsm>`_ + - |yes| + - ECDSA only + - |no| + - |yes| + - |yes| + - |yes| + - |yes| + - |yes| + +.. in progress: key ID checks have to be disabled in code + * - `Yubikey NEO <https://www.yubico.com/products/yubikey-hardware/yubikey-neo/>`_ + - |no| + - |no| + - |no| + - |yes| + - |no| + - |yes| + - |yes| + - |no| + +The following table summarizes supported DNSSEC algorithm numbers and minimal +GnuTLS library version required. Any algorithm may work with older library, +however the supported operations may be limited (e.g. private key import). + +.. list-table:: + :header-rows: 1 + :stub-columns: 1 + + * - + - `Numbers <https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1>`_ + - GnuTLS version + * - ED25519 + - 15 + - 3.6.0 or newer + * - ECDSA + - 13, 14 + - 3.4.8 or newer + * - RSA + - 5, 7, 8, 10 + - 3.4.6 or newer diff --git a/doc/conf.py b/doc/conf.py new file mode 100644 index 0000000..40b0344 --- /dev/null +++ b/doc/conf.py @@ -0,0 +1,258 @@ +# -*- coding: utf-8 -*- +# +# Knot DNS documentation build configuration file, created by +# sphinx-quickstart on Tue Apr 15 13:48:28 2014. +# +# This file is execfile()d with the current directory set to its containing dir. +# +# Note that not all possible configuration values are present in this +# autogenerated file. +# +# All configuration values have a default; values that are commented out +# serve to show the default. + +import sys, os, time, logging + +sys.setrecursionlimit(1500) + +# If extensions (or modules to document with autodoc) are in another directory, +# add these directories to sys.path here. If the directory is relative to the +# documentation root, use os.path.abspath to make it absolute, like shown here. +sys.path.insert(0, os.path.abspath('.')) + +# -- General configuration ----------------------------------------------------- + +# If your documentation needs a minimal Sphinx version, state it here. +#needs_sphinx = '1.0' + +# Add any Sphinx extension module names here, as strings. They can be extensions +# coming with Sphinx (named 'sphinx.ext.*') or your custom ones. +extensions = [] + +# Add any paths that contain templates here, relative to this directory. +templates_path = ['_templates'] + +# The suffix of source filenames. +source_suffix = '.rst' + +# The encoding of source files. +#source_encoding = 'utf-8-sig' + +# The master toctree document. +master_doc = 'index' + +# General information about the project. +project = 'Knot DNS' +copyright_year = 2019 +current_year = time.localtime().tm_year +if current_year > copyright_year: + logging.warning('Copyright year is %d, but current year is %d.'%(copyright_year, current_year)) + logging.warning('Maybe you should update copyright_year in doc/conf.py?') +copyright = u'Copyright 2010–%d, CZ.NIC, z.s.p.o.' % copyright_year +author = 'CZ.NIC Labs <https://www.knot-dns.cz>' + +# The version info for the project you're documenting, acts as replacement for +# |version| and |release|, also used in various other places throughout the +# built documents. +# +# The short X.Y version. +#version = '' +# The full version, including alpha/beta/rc tags. +#release = '' + +# The language for content autogenerated by Sphinx. Refer to documentation +# for a list of supported languages. +#language = None + +# There are two options for replacing |today|: either, you set today to some +# non-false value, then it is used: +#today = False +# Else, today_fmt is used as the format for a strftime call. +#today_fmt = '%B %d, %Y' + +# List of patterns, relative to source directory, that match files and +# directories to ignore when looking for source files. +exclude_patterns = ['_build', 'modules'] + +# The reST default role (used for this markup: `text`) to use for all documents. +#default_role = None + +# If true, '()' will be appended to :func: etc. cross-reference text. +#add_function_parentheses = True + +# If true, the current module name will be prepended to all description +# unit titles (such as .. function::). +#add_module_names = True + +# If true, sectionauthor and moduleauthor directives will be shown in the +# output. They are ignored by default. +#show_authors = False + +# The name of the Pygments (syntax highlighting) style to use. +pygments_style = 'sphinx' + +# A list of ignored prefixes for module index sorting. +#modindex_common_prefix = [] + +# -- Options for HTML output --------------------------------------------------- + +# The theme to use for HTML and HTML Help pages. See the documentation for +# a list of builtin themes. +html_theme = 'theme_html' + +# Theme options are theme-specific and customize the look and feel of a theme +# further. For a list of options available for each theme, see the +# documentation. +#html_theme_options = {} + +# Add any paths that contain custom themes here, relative to this directory. +html_theme_path = ['.'] + +# The name for this set of Sphinx documents. If None, it defaults to +# "<project> v<release> documentation". +#html_title = None + +# A shorter title for the navigation bar. Default is the same as html_title. +#html_short_title = None + +# The name of an image file (relative to this directory) to place at the top +# of the sidebar. +html_logo = 'logo.png' + +# The name of an image file (within the static path) to use as favicon of the +# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32 +# pixels large. +#html_favicon = None + +# Add any paths that contain custom static files (such as style sheets) here, +# relative to this directory. They are copied after the builtin static files, +# so a file named "default.css" will overwrite the builtin "default.css". +#html_static_path = ['_static'] + +# If not '', a 'Last updated on:' timestamp is inserted at every page bottom, +# using the given strftime format. +#html_last_updated_fmt = '%b %d, %Y' + +# If true, SmartyPants will be used to convert quotes and dashes to +# typographically correct entities. +#html_use_smartypants = False + +# Custom sidebar templates, maps document names to template names. +#html_sidebars = {} + +# Additional templates that should be rendered to pages, maps page names to +# template names. +#html_additional_pages = {} + +# If false, no module index is generated. +html_domain_indices = False + +# If false, no index is generated. +html_use_index = False + +# If true, the index is split into individual pages for each letter. +#html_split_index = False + +# If true, links to the reST sources are added to the pages. +#html_show_sourcelink = True + +# If true, "Created using Sphinx" is shown in the HTML footer. Default is True. +#html_show_sphinx = True + +# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True. +#html_show_copyright = True + +# If true, an OpenSearch description file will be output, and all pages will +# contain a <link> tag referring to it. The value of this option must be the +# base URL from which the finished HTML is served. +#html_use_opensearch = '' + +# This is the file name suffix for HTML files (e.g. ".xhtml"). +#html_file_suffix = None + +# Output file base name for HTML help builder. +htmlhelp_basename = 'KnotDNSdoc' + +# -- Options for LaTeX output -------------------------------------------------- + +latex_elements = { +# The paper size ('letterpaper' or 'a4paper'). +'papersize': 'a4paper', + +# The font size ('10pt', '11pt' or '12pt'). +#'pointsize': '10pt', + +# Additional stuff for the LaTeX preamble. +#'preamble': '', + +# No empty pages between chapters +'classoptions': ',openany,oneside', + +# Language preferences +'babel': '\\usepackage[english]{babel}', +} + +# Grouping the document tree into LaTeX files. List of tuples +# (source start file, target name, title, author, documentclass [howto/manual]). +latex_documents = [ + ('index', 'knot.tex', 'Knot DNS Documentation', copyright, 'manual'), +] + +# The name of an image file (relative to this directory) to place at the top of +# the title page. +latex_logo = 'logo.eps' + +# For "manual" documents, if this is true, then toplevel headings are parts, +# not chapters. +#latex_use_parts = False + +# If true, show page references after internal links. +#latex_show_pagerefs = False + +# If true, show URL addresses after external links. +#latex_show_urls = False + +# Documents to append as an appendix to all manuals. +#latex_appendices = [] + +# If false, no module index is generated. +latex_domain_indices = False + +# -- Options for manual page output -------------------------------------------- + +# One entry per manual page. List of tuples +# (source start file, name, description, authors, manual section). +man_pages = [ + ('reference', 'knot.conf', 'Knot DNS configuration file', author, 5), + ('man_knotc', 'knotc', 'Knot DNS control utility', author, 8), + ('man_knotd', 'knotd', 'Knot DNS server daemon', author, 8), + ('man_keymgr', 'keymgr', 'Knot DNS key management utility', author, 8), + ('man_kjournalprint', 'kjournalprint', 'Knot DNS journal print utility', author, 8), + ('man_kdig', 'kdig', 'Advanced DNS lookup utility', author, 1), + ('man_khost', 'khost', 'Simple DNS lookup utility', author, 1), + ('man_knsec3hash', 'knsec3hash', 'Simple utility to compute NSEC3 hash', author, 1), + ('man_knsupdate', 'knsupdate', 'Dynamic DNS update utility', author, 1), + ('man_kzonecheck', 'kzonecheck', 'Knot DNS zone check tool', author, 1), +] + +# If true, show URL addresses after external links. +#man_show_urls = False + +# -- Options for Texinfo output ------------------------------------------------ + +# Grouping the document tree into Texinfo files. List of tuples +# (source start file, target name, title, author, +# dir menu entry, description, category) +texinfo_documents = [ + ('index', 'knot', 'Knot DNS Documentation', author, + 'KnotDNS', 'Knot Authoritative DNS Server', 'Miscellaneous') +] + +# Documents to append as an appendix to all manuals. +#texinfo_appendices = [] + +# If false, no module index is generated. +#texinfo_domain_indices = True + +# How to display URL addresses: 'footnote', 'no', or 'inline'. +#texinfo_show_urls = 'footnote' diff --git a/doc/configuration.rst b/doc/configuration.rst new file mode 100644 index 0000000..1d69126 --- /dev/null +++ b/doc/configuration.rst @@ -0,0 +1,666 @@ +.. highlight:: none +.. _Configuration: + +************* +Configuration +************* + +Simple configuration +==================== + +The following example presents a simple configuration file +which can be used as a base for your Knot DNS setup:: + + # Example of a very simple Knot DNS configuration. + + server: + listen: 0.0.0.0@53 + listen: ::@53 + + zone: + - domain: example.com + storage: /var/lib/knot/zones/ + file: example.com.zone + + log: + - target: syslog + any: info + +Now let's walk through this configuration step by step: + +- The :ref:`server_listen` statement in the :ref:`server section<Server section>` + defines where the server will listen for incoming connections. + We have defined the server to listen on all available IPv4 and IPv6 addresses, + all on port 53. +- The :ref:`zone section<Zone section>` defines the zones that the server will + serve. In this case, we defined one zone named *example.com* which is stored + in the zone file :file:`/var/lib/knot/zones/example.com.zone`. +- The :ref:`log section<Logging section>` defines the log facilities for + the server. In this example, we told Knot DNS to send its log messages with + the severity ``info`` or more serious to the syslog. + +For detailed description of all configuration items see +:ref:`Configuration Reference`. + +Zone templates +============== + +A zone template allows a single zone configuration to be shared among several zones. +The ``default`` template identifier is reserved for the default template:: + + template: + - id: default + storage: /var/lib/knot/master + semantic-checks: on + + - id: signed + storage: /var/lib/knot/signed + dnssec-signing: on + semantic-checks: on + master: [master1, master2] + + - id: slave + storage: /var/lib/knot/slave + + zone: + - domain: example1.com # Uses default template + + - domain: example2.com # Uses default template + semantic-checks: off # Override default settings + + - domain: example.cz + template: signed + master: master3 # Override masters to just master3 + + - domain: example1.eu + template: slave + master: master1 + + - domain: example2.eu + template: slave + master: master2 + +.. NOTE:: + Each template option can be explicitly overridden in zone-specific configuration. + +.. _ACL: + +Access control list (ACL) +========================= + +The Access control list is a list of rules specifying remotes which are allowed to send certain types of requests to the server. +Remotes can be specified by a single IP address or a network subnet. A TSIG +key can also be assigned (see :doc:`keymgr <man_keymgr>` on how to generate a TSIG key). + +Without any ACL rules, all the actions are denied for the zone. Each ACL rule +can allow one or more actions for a given address/subnet/TSIG, or deny them. + +If there are multiple ACL rules for a single zone, they are applied in the order +of appearance in the :ref:`zone_acl` configuration item of a zone or a template. +The first one to match the given remote is applied, the rest is ignored. + +See the following examples and :ref:`ACL section`. + +:: + + acl: + - id: address_rule + address: [2001:db8::1, 192.168.2.0/24] + action: transfer + + - id: deny_rule + address: 192.168.2.100 + action: transfer + deny: on + + zone: + - domain: acl1.example.com. + acl: [deny_rule, address_rule] # deny_rule first here to take precendence + +:: + + key: + - id: key1 # The real TSIG key name + algorithm: hmac-md5 + secret: Wg== + + acl: + - id: deny_all + address: 192.168.3.0/24 + deny: on # no action specified and deny on implies denial of all actions + + - id: key_rule + key: key1 # Access based just on TSIG key + action: [transfer, notify] + + zone: + - domain: acl2.example.com + acl: [deny_all, key_rule] + +.. NOTE:: + If more conditions (address ranges and/or a key) + are given in a single ACL rule, all of them have to be satisfied for the rule to match. + +Slave zone +========== + +Knot DNS doesn't strictly differ between master and slave zones. The +only requirement is to have a :ref:`master<zone_master>` statement set for +the given zone. Also note that you need to explicitly allow incoming zone +changed notifications via ``notify`` :ref:`acl_action` through zone's +:ref:`zone_acl` list, otherwise the update will be rejected by the server. +If the zone file doesn't exist it will be bootstrapped over AXFR:: + + remote: + - id: master + address: 192.168.1.1@53 + + acl: + - id: notify_from_master + address: 192.168.1.1 + action: notify + + zone: + - domain: example.com + storage: /var/lib/knot/zones/ + # file: example.com.zone # Default value + master: master + acl: notify_from_master + +Note that the :ref:`zone_master` option accepts a list of multiple remotes. +The remotes should be listed according to their preference. The first remote +has the highest preference, the other remotes are used for failover. When the +server receives a zone update notification from a listed remote, that remote +will be the most preferred one for the subsequent transfer. + +To use TSIG for transfers and notification messages authentication, configure +a TSIG key and assign the key both to the remote and the ACL rule. Notice that +the :ref:`remote <Remote section>` and :ref:`ACL <ACL section>` definitions are +independent:: + + key: + - id: slave1_key + algorithm: hmac-md5 + secret: Wg== + + remote: + - id: master + address: 192.168.1.1@53 + key: slave1_key + + acl: + - id: notify_from_master + address: 192.168.1.1 + key: slave1_key + action: notify + +.. NOTE:: + When transferring a lot of zones, the server may easily get into a state + when all available ports are in the TIME_WAIT state, thus the transfers + seize until the operating system closes the ports for good. There are + several ways to work around this: + + * Allow reusing of ports in TIME_WAIT (sysctl -w net.ipv4.tcp_tw_reuse=1) + * Shorten TIME_WAIT timeout (tcp_fin_timeout) + * Increase available local port count + +Master zone +=========== + +An ACL with the ``transfer`` action must be configured to allow outgoing zone +transfers. An ACL rule consists of a single address or a network subnet:: + + remote: + - id: slave1 + address: 192.168.2.1@53 + + acl: + - id: slave1_acl + address: 192.168.2.1 + action: transfer + + - id: others_acl + address: 192.168.3.0/24 + action: transfer + + zone: + - domain: example.com + storage: /var/lib/knot/zones/ + file: example.com.zone + notify: slave1 + acl: [slave1_acl, others_acl] + +Optionally, a TSIG key can be specified:: + + key: + - id: slave1_key + algorithm: hmac-md5 + secret: Wg== + + remote: + - id: slave1 + address: 192.168.2.1@53 + key: slave1_key + + acl: + - id: slave1_acl + address: 192.168.2.1 + key: slave1_key + action: transfer + + - id: others_acl + address: 192.168.3.0/24 + action: transfer + +Note that a slave zone may serve as a master zone at the same time:: + + remote: + - id: master + address: 192.168.1.1@53 + - id: slave1 + address: 192.168.2.1@53 + + acl: + - id: notify_from_master + address: 192.168.1.1 + action: notify + + - id: slave1_acl + address: 192.168.2.1 + action: transfer + + - id: others_acl + address: 192.168.3.0/24 + action: transfer + + zone: + - domain: example.com + storage: /var/lib/knot/zones/ + file: example.com.zone + master: master + notify: slave1 + acl: [notify_from_master, slave1_acl, others_acl] + +Dynamic updates +=============== + +Dynamic updates for the zone are allowed via proper ACL rule with the +``update`` action. If the zone is configured as a slave and a DNS update +message is accepted, the server forwards the message to its primary master. +The master's response is then forwarded back to the originator. + +However, if the zone is configured as a master, the update is accepted and +processed:: + + acl: + - id: update_acl + address: 192.168.3.0/24 + action: update + + zone: + - domain: example.com + file: example.com.zone + acl: update_acl + +.. _dnssec: + +Automatic DNSSEC signing +======================== + +Knot DNS supports automatic DNSSEC signing for static zones. The signing +can operate in two modes: + +1. :ref:`Automatic key management <dnssec-automatic-zsk-management>`. + In this mode, the server maintains signing keys. New keys are generated + according to assigned policy and are rolled automatically in a safe manner. + No zone operator intervention is necessary. + +2. :ref:`Manual key management <dnssec-manual-key-management>`. + In this mode, the server maintains zone signatures only. The signatures + are kept up-to-date and signing keys are rolled according to timing + parameters assigned to the keys. The keys must be generated and timing + parameters must be assigned by the zone operator. + +The DNSSEC signing process maintains some metadata which is stored in the +:abbr:`KASP (Key And Signature Policy)` database. This database is backed +by LMDB. + +.. WARNING:: + Make sure to set the KASP database permissions correctly. For manual key + management, the database must be *readable* by the server process. For + automatic key management, it must be *writeable*. If no HSM is used, + the database also contains private key material – don't set the permissions + too weak. + +.. _dnssec-automatic-zsk-management: + +Automatic ZSK management +------------------------ + +For automatic ZSK management a signing :ref:`policy<Policy section>` has to +be configured and assigned to the zone. The policy specifies how the zone +is signed (i.e. signing algorithm, key size, key lifetime, signature lifetime, +etc.). If no policy is specified or the ``default`` one is assigned, the +default signing parameters are used. + +A minimal zone configuration may look as follows:: + + zone: + - domain: myzone.test + dnssec-signing: on + +With a custom signing policy, the policy section will be added:: + + policy: + - id: rsa + algorithm: RSASHA256 + ksk-size: 2048 + zsk-size: 1024 + + zone: + - domain: myzone.test + dnssec-signing: on + dnssec-policy: rsa + +After configuring the server, reload the changes: + +.. code-block:: console + + $ knotc reload + +The server will generate initial signing keys and sign the zone properly. Check +the server logs to see whether everything went well. + +.. WARNING:: + This guide assumes that the zone *myzone.test* was not signed prior to + enabling the automatic key management. If the zone was already signed, all + existing keys must be imported using ``keymgr import-bind`` command + before enabling the automatic signing. Also the algorithm in the policy must + match the algorithm of all imported keys. Otherwise the zone will be re-signed + at all. + +.. _dnssec-automatic-ksk-management: + +Automatic KSK management +------------------------ + +For automatic KSK management, first configure ZSK management like above, and use +additional options in :ref:`policy section <Policy section>`, mostly specifying +desired (finite) lifetime for KSK: :: + + remote: + - id: test_zone_server + address: 192.168.12.1@53 + + submission: + - id: test_zone_sbm + parent: [test_zone_server] + + policy: + - id: rsa + algorithm: RSASHA256 + ksk-size: 2048 + zsk-size: 1024 + zsk-lifetime: 30d + ksk-lifetime: 365d + ksk-submission: test_zone_sbm + + zone: + - domain: myzone.test + dnssec-signing: on + dnssec-policy: rsa + +After the initially-generated KSK reaches its lifetime, new KSK is published and after +convenience delay the submission is started. The server publishes CDS and CDNSKEY records +and the user shall propagate them to the parent. The server periodically checks for +DS at the master and when positive, finishes the rollover. + +To share KSKs among zones, set the ksk-shared policy parameter. It is strongly discouraged to +change the policy ``id`` afterwards! The shared key's creation timestamp will be equal for all +zones, but other timers (e.g. activate, retire) may get out of sync. :: + + policy: + - id: shared + ... + ksk-shared: true + + zone: + - domain: firstzone.test + dnssec-signing: on + dnssec-policy: shared + + zone: + - domain: secondzone.test + dnssec-signing: on + dnssec-policy: shared + +.. _dnssec-manual-key-management: + +Manual key management +--------------------- + +For automatic DNSSEC signing with manual key management, a signing policy +with manual key management flag has to be set:: + + policy: + - id: manual + manual: on + + zone: + - domain: myzone.test + dnssec-signing: on + dnssec-policy: manual + +To generate signing keys, use the :doc:`keymgr <man_keymgr>` utility. +Let's use the Single-Type Signing scheme with two algorithms. Run: + +.. code-block:: console + + $ keymgr myzone.test. generate algorithm=ECDSAP256SHA256 + $ keymgr myzone.test. generate algorithm=ED25519 + +And reload the server. The zone will be signed. + +To perform a manual rollover of a key, the timing parameters of the key need +to be set. Let's roll the RSA key. Generate a new RSA key, but do not activate +it yet: + +.. code-block:: console + + $ keymgr myzone.test. generate algorithm=RSASHA256 size=1024 active=+1d + +Take the key ID (or key tag) of the old RSA key and disable it the same time +the new key gets activated: + +.. code-block:: console + + $ keymgr myzone.test. set <old_key_id> retire=+1d remove=+1d + +Reload the server again. The new key will be published (i.e. the DNSKEY record +will be added into the zone). Do not forget to update the DS record in the +parent zone to include a reference to the new RSA key. This must happen in one +day (in this case) including a delay required to propagate the new DS to +caches. + +Note that as the ``+1d`` time specification is computed from the current time, +the key replacement will not happen at once. First, a new key will be +activated. A few moments later, the old key will be deactivated and removed. +You can use exact time specification to make these two actions happen in one +go. + +.. WARNING:: + If you ever decide to switch from manual key management to automatic key management, + note that the automatic key management uses + :ref:`policy_zsk-lifetime` and :ref:`policy_ksk-lifetime` policy configuration + options to schedule key rollovers and it internally uses timestamps of keys differently + than in the manual case. As a consequence it might break if the ``retire`` or ``remove`` timestamps + are set for the manually generated keys currently in use. Make sure to set these timestamps + to zero using :doc:`keymgr <man_keymgr>`: + + .. code-block:: console + + $ keymgr myzone.test. set <key_id> retire=0 remove=0 + + and configure your policy suitably according to :ref:`dnssec-automatic-zsk-management` + and :ref:`dnssec-automatic-ksk-management`. + +.. _dnssec-signing: + +Zone signing +------------ + +The signing process consists of the following steps: + +#. Processing KASP database events. (e.g. performing a step of a rollover). +#. Updating the DNSKEY records. The whole DNSKEY set in zone apex is replaced + by the keys from the KASP database. Note that keys added into the zone file + manually will be removed. To add an extra DNSKEY record into the set, the + key must be imported into the KASP database (possibly deactivated). +#. Fixing the NSEC or NSEC3 chain. +#. Removing expired signatures, invalid signatures, signatures expiring + in a short time, and signatures issued by an unknown key. +#. Creating missing signatures. Unless the Single-Type Signing Scheme + is used, DNSKEY records in a zone apex are signed by KSK keys and + all other records are signed by ZSK keys. +#. Updating and re-signing SOA record. + +The signing is initiated on the following occasions: + +- Start of the server +- Zone reload +- Reaching the signature refresh period +- Key set changed due to rollover event +- Received DDNS update +- Forced zone re-sign via server control interface + +On a forced zone re-sign, all signatures in the zone are dropped and recreated. + +The ``knotc zone-status`` command can be used to see when the next scheduled +DNSSEC re-sign will happen. + +.. _dnssec-on-slave-signing: + +On-slave signing +---------------- + +It is possible to enable automatic DNSSEC zone signing even on a slave +server. If enabled, the zone is signed after every AXFR/IXFR transfer +from master, so that the slave always serves a signed up-to-date version +of the zone. + +It is strongly recommended to block any outside access to the master +server, so that only the slave's signed version of the zone is served. + +Enabled on-slave signing introduces events when the slave zone changes +while the master zone remains unchanged, such as a key rollover or +refreshing of RRSIG records, which cause inequality of zone SOA serial +between master and slave. The slave server handles this by saving the +master's SOA serial in a special variable inside KASP DB and appropriately +modifiying AXFR/IXFR queries/answers to keep the communication with +master consistent while applying the changes with a different serial. + +It is recommended to use UNIX time serial policy on master and incremental +serial policy on slave so that their SOA serials are equal most of the time. + +.. _query-modules: + +Query modules +============= + +Knot DNS supports configurable query modules that can alter the way +queries are processed. Each query requires a finite number of steps to +be resolved. We call this set of steps a *query plan*, an abstraction +that groups these steps into several stages. + +* Before-query processing +* Answer, Authority, Additional records packet sections processing +* After-query processing + +For example, processing an Internet-class query needs to find an +answer. Then based on the previous state, it may also append an +authority SOA or provide additional records. Each of these actions +represents a 'processing step'. Now, if a query module is loaded for a +zone, it is provided with an implicit query plan which can be extended +by the module or even changed altogether. + +A module is active if its name, which includes the ``mod-`` prefix, is assigned +to the zone/template :ref:`zone_module` option or to the ``default`` template +:ref:`template_global-module` option if activating for all queries. +If the module is configurable, a corresponding module section with +an identifier must be created and then referenced in the form of +``module_name/module_id``. See :ref:`Modules` for the list of available modules. + +.. NOTE:: + Query modules are processed in the order they are specified in the + zone/template configuration. In most cases, the recommended order is:: + + mod-synthrecord, mod-onlinesign, mod-rrl, mod-dnstap, mod-stats + +Performance Tuning +================== + +Numbers of Workers +------------------ + +There are three types of workers ready for parallel execution of performance-oriented tasks: +UDP workers, TCP workers, and Background workers. The first two types handle all network requests +coming through UDP and TCP protocol (respectively) and do all the response job for common +queries. Background workers process changes to the zone. + +By default, Knot determines well-fitting number of workers based on the number of CPU cores. +The user can specify the numbers of workers for each type with configuration/server section: +:ref:`server_udp-workers`, :ref:`server_tcp-workers`, :ref:`server_background-workers`. + +An indication on when to increase number of workers is a situation when the server is lagging behind +the expected performance, while the CPU usage is low. This is usually because of waiting for network +or I/O response during the operation. It may be caused by Knot design not fitting well the usecase. +The user should try increasing the number of workers (of the related type) slightly above 100 and if +the performance gets better, he can decide about further exact setting. + +Sysctl and NIC optimizations +---------------------------- + +There are several recommendations based on Knot developers' experience with their specific HW and SW +(mainstream Intel-based servers, Debian-based GNU/Linux distribution). They may or may not positively +(or negatively) influence performance in common use cases. + +If your NIC driver allows it (see /proc/interrupts for hint), set CPU affinity (/proc/irq/$IRQ/smp_affinity) +manually so that each NIC channel is served by unique CPU core(s). You must turn off irqbalance service +before to avoid configuration override. + +Configure sysctl as follows: :: + + socket_bufsize=1048576 + busy_latency=0 + backlog=40000 + optmem_max=20480 + + net.core.wmem_max = $socket_bufsize + net.core.wmem_default = $socket_bufsize + net.core.rmem_max = $socket_bufsize + net.core.rmem_default = $socket_bufsize + net.core.busy_read = $busy_latency + net.core.busy_poll = $busy_latency + net.core.netdev_max_backlog = $backlog + net.core.optmem_max = $optmem_max + +Disable huge pages. + +Configure your CPU to "performance" mode. This can be achieved depending on architecture, e.g. in BIOS, +or e.g. configuring /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor to "performance". + +Tune your NIC device with ethtool: :: + + ethtool -A $dev autoneg off rx off tx off + ethtool -K $dev tso off gro off ufo off + ethtool -G $dev rx 4096 tx 4096 + ethtool -C $dev rx-usecs 75 + ethtool -C $dev tx-usecs 75 + ethtool -N $dev rx-flow-hash udp4 sdfn + ethtool -N $dev rx-flow-hash udp6 sdfn + +On FreeBSD you can just: :: + + ifconfig ${dev} -rxcsum -txcsum -lro -tso + +Knot developers are open to hear about users' further suggestions about network devices tuning/optimization. diff --git a/doc/index.rst b/doc/index.rst new file mode 100644 index 0000000..c2bd3dd --- /dev/null +++ b/doc/index.rst @@ -0,0 +1,19 @@ +.. highlight:: none + +Welcome to Knot DNS's documentation! +==================================== + +.. toctree:: + :maxdepth: 2 + + introduction + requirements + installation + configuration + operation + troubleshooting + reference + modules + utilities + migration + appendices diff --git a/doc/installation.rst b/doc/installation.rst new file mode 100644 index 0000000..b518810 --- /dev/null +++ b/doc/installation.rst @@ -0,0 +1,92 @@ +.. highlight:: console +.. _Installation: + +************ +Installation +************ + +.. _Installation from a package_: + +Installation from a package +=========================== + +Knot DNS may already be included in your operating system distribution and +therefore can be installed from packages (Linux), ports (BSD), or via +Homebrew (macOS). This is always preferred unless you want to test the latest +features, contribute to Knot development, or you just know what you are doing. + +See the project `download <https://www.knot-dns.cz/download>`_ page for +the latest information. + +.. _Installation from source code: + +Installation from source code +============================= + +Required build environment +-------------------------- + +The build process relies on these standard tools: + +* make +* libtool +* pkg-config +* autoconf >= 2.65 +* python-sphinx (optional, for documentation building) + +GCC at least 4.1 is strictly required for atomic built-ins, but the latest +available version is recommended. Another requirements ``_GNU_SOURCE`` +and C99 support, otherwise it adapts to the compiler available features. +LLVM clang compiler since version 2.9 can be used as well. + +Getting the source code +----------------------- + +You can find the source code for the latest release on `www.knot-dns.cz <https://www.knot-dns.cz>`_. +Alternatively, you can fetch the whole project from the git repository +`https://gitlab.labs.nic.cz/knot/knot-dns.git <https://gitlab.labs.nic.cz/knot/knot-dns>`_. + +After obtaining the source code, compilation and installation is a quite +straightforward process using autotools. + +.. _Configuring and generating Makefiles: + +Configuring and generating Makefiles +------------------------------------ + +If compiling from the git source, you need to bootstrap the ``./configure`` file first:: + + $ autoreconf -i -f + +In most cases, you can just run configure without any options:: + + $ ./configure + +For all available configure options run:: + + $ ./configure --help + +Compilation +----------- + +After running ``./configure`` you can compile Knot DNS by running +``make`` command, which will produce binaries and other related +files:: + + $ make + +.. NOTE:: + The compilation with enabled optimizations may take a long time. In such + a case the ``--disable-fastparser`` configure option can help. + +Installation +------------ + +When you have finished building Knot DNS, it's time to install the +binaries and configuration files into the operation system hierarchy. +You can do so by executing:: + + $ make install + +When installing as a non-root user, you might have to gain elevated privileges by +switching to root user, e.g. ``sudo make install`` or ``su -c 'make install'``. diff --git a/doc/introduction.rst b/doc/introduction.rst new file mode 100644 index 0000000..4b1982d --- /dev/null +++ b/doc/introduction.rst @@ -0,0 +1,66 @@ +.. highlight:: none +.. _Introduction: + +************ +Introduction +************ + +What is Knot DNS +================ + +Knot DNS is a high-performance open-source DNS server. It +implements only the authoritative domain name service. Knot DNS +can reliably serve TLD domains as well as any other zones. + +Knot DNS benefits from its multi-threaded and mostly lock-free +implementation which allows it to scale well on SMP systems and +operate non-stop even when adding or removing zones. + +For more info and downloads see `www.knot-dns.cz <https://www.knot-dns.cz>`_. + +Knot DNS features +================= + +DNS features: + +* Master and slave operation +* Internet class (IN) +* DNS extension (EDNS0) +* TCP and UDP protocols +* Dynamic zone updates +* DNSSEC with NSEC and NSEC3 +* Transaction signature using TSIG +* Full and incremental zone transfers (AXFR, IXFR) +* Name server identification using NSID or Chaos TXT records +* Resource record types A, NS, CNAME, SOA, PTR, HINFO, MINFO, MX, + TXT, RP, AFSDB, RT, KEY, AAAA, LOC, SRV, NAPTR, KX, CERT, DNAME, APL, DS, + SSHFP, IPSECKEY, RRSIG, NSEC, DNSKEY, DHCID, NSEC3, NSEC3PARAM, TLSA, CDS, + CDNSKEY, SPF, NID, L32, L64, LP, EUI48, EUI64, URI, CAA, and Unknown + +Server features: + +* IPv4 and IPv6 support +* Semantic zone checks +* Server control interface +* Zone journal storage +* Persistent zone event timers +* YAML-based or database-based configuration +* Query processing modules with dynamic loading +* On-the-fly zone management and server reconfiguration +* Automatic DNSSEC signing with automatic key maganement and PKCS #11 interface + +Remarkable module extensions: + +* Response rate limiting +* Forward and reverse records synthesis +* DNS request traffic statistics +* Dnstap traffic logging +* Online DNSSEC signing +* GeoIP response tailoring supporting ECS and DNSSEC + +License +======= + +Knot DNS is licensed under the `GNU General Public License <https://www.gnu.org/copyleft/gpl.html>`_ +version 3 or (at your option) any later version. The full text of the license +is available in the ``COPYING`` file distributed with source code. diff --git a/doc/logo.eps b/doc/logo.eps new file mode 100644 index 0000000..5ce62ad --- /dev/null +++ b/doc/logo.eps @@ -0,0 +1,190 @@ +%!PS-Adobe-3.0 EPSF-3.0 +%%Creator: cairo 1.13.1 (http://cairographics.org) +%%CreationDate: Wed Jul 2 14:36:20 2014 +%%Pages: 1 +%%DocumentData: Clean7Bit +%%LanguageLevel: 2 +%%BoundingBox: 0 -1 285 116 +%%EndComments +%%BeginProlog +save +50 dict begin +/q { gsave } bind def +/Q { grestore } bind def +/cm { 6 array astore concat } bind def +/w { setlinewidth } bind def +/J { setlinecap } bind def +/j { setlinejoin } bind def +/M { setmiterlimit } bind def +/d { setdash } bind def +/m { moveto } bind def +/l { lineto } bind def +/c { curveto } bind def +/h { closepath } bind def +/re { exch dup neg 3 1 roll 5 3 roll moveto 0 rlineto + 0 exch rlineto 0 rlineto closepath } bind def +/S { stroke } bind def +/f { fill } bind def +/f* { eofill } bind def +/n { newpath } bind def +/W { clip } bind def +/W* { eoclip } bind def +/BT { } bind def +/ET { } bind def +/pdfmark where { pop globaldict /?pdfmark /exec load put } + { globaldict begin /?pdfmark /pop load def /pdfmark + /cleartomark load def end } ifelse +/BDC { mark 3 1 roll /BDC pdfmark } bind def +/EMC { mark /EMC pdfmark } bind def +/cairo_store_point { /cairo_point_y exch def /cairo_point_x exch def } def +/Tj { show currentpoint cairo_store_point } bind def +/TJ { + { + dup + type /stringtype eq + { show } { -0.001 mul 0 cairo_font_matrix dtransform rmoveto } ifelse + } forall + currentpoint cairo_store_point +} bind def +/cairo_selectfont { cairo_font_matrix aload pop pop pop 0 0 6 array astore + cairo_font exch selectfont cairo_point_x cairo_point_y moveto } bind def +/Tf { pop /cairo_font exch def /cairo_font_matrix where + { pop cairo_selectfont } if } bind def +/Td { matrix translate cairo_font_matrix matrix concatmatrix dup + /cairo_font_matrix exch def dup 4 get exch 5 get cairo_store_point + /cairo_font where { pop cairo_selectfont } if } bind def +/Tm { 2 copy 8 2 roll 6 array astore /cairo_font_matrix exch def + cairo_store_point /cairo_font where { pop cairo_selectfont } if } bind def +/g { setgray } bind def +/rg { setrgbcolor } bind def +/d1 { setcachedevice } bind def +%%EndProlog +%%BeginSetup +%%EndSetup +%%Page: 1 1 +%%BeginPageSetup +%%PageBoundingBox: 0 -1 285 116 +%%EndPageSetup +q 0 -1 285 117 rectclip q +q +0 115.13 285 -116 re W n +[ 1 0 0 1 0 -0.870003 ] concat + q +0 0.243137 0.517647 rg +114.34 58.441 m 114.34 41.012 106.602 25.391 94.359 14.828 c 95.051 18.352 + 95.41 21.98 95.41 25.699 c 95.41 37.102 92.039 47.73 86.262 56.648 c 83.98 + 53.48 81.379 50.539 78.52 47.891 c 82.18 41.32 84.262 33.75 84.262 25.699 + c 84.262 22.441 83.91 19.25 83.262 16.18 c 83.191 15.852 83.121 15.512 +83.039 15.18 c 82.961 14.859 82.879 14.52 82.801 14.199 c 82.469 14.289 +82.148 14.379 81.82 14.48 c 81.5 14.57 81.172 14.672 80.859 14.789 c 70.32 + 18.219 61.441 25.379 55.781 34.711 c 55.602 35.012 55.422 35.32 55.25 35.621 + c 55.07 35.922 54.91 36.219 54.738 36.52 c 52.961 39.77 51.57 43.27 50.621 + 46.941 c 50.539 47.27 50.461 47.59 50.379 47.922 c 50.289 48.238 50.219 + 48.578 50.148 48.91 c 49.5 51.98 49.16 55.18 49.16 58.441 c 49.16 61.699 + 49.5 64.891 50.148 67.961 c 46.629 68.941 42.922 69.5 39.102 69.559 c 38.379 + 65.961 38.012 62.238 38.012 58.441 c 38.012 54.629 38.379 50.91 39.102 +47.309 c 39.16 46.969 39.23 46.629 39.32 46.301 c 39.391 45.961 39.461 45.609 + 39.539 45.281 c 40.441 41.48 41.73 37.82 43.359 34.34 c 43.5 34.02 43.648 + 33.691 43.82 33.371 c 43.98 33.039 44.141 32.711 44.301 32.391 c 51.039 + 19.34 62.641 9.199 76.699 4.41 c 70.488 2.121 63.781 0.871 56.781 0.871 + c 28.219 0.871 4.512 21.68 0 48.969 c 0.25 48.738 0.5 48.52 0.762 48.301 + c 10.809 39.469 23.969 34.121 38.352 34.121 c 39.309 34.121 40.25 34.141 + 41.18 34.191 c 39.59 37.719 38.328 41.43 37.449 45.281 c 26.031 45.5 15.609 + 49.91 7.699 57.039 c 7.441 57.262 7.191 57.5 6.949 57.73 c 6.699 57.961 + 6.461 58.199 6.23 58.43 c 6.461 58.672 6.699 58.91 6.961 59.129 c 7.199 + 59.359 7.441 59.602 7.699 59.82 c 15.609 66.961 26.031 71.359 37.449 71.59 + c 37.75 71.602 38.051 71.602 38.352 71.602 c 38.488 71.602 l 38.84 71.602 + 39.191 71.59 39.539 71.59 c 43.359 71.488 47.07 70.922 50.621 69.941 c +50.941 69.84 51.27 69.75 51.59 69.648 c 51.922 69.551 52.238 69.449 52.559 + 69.352 c 58.719 67.34 64.309 64.07 69.012 59.828 c 71.672 62.43 74.012 +65.371 75.941 68.578 c 70.379 73.469 63.859 77.281 56.699 79.719 c 56.379 + 79.828 56.051 79.941 55.73 80.039 c 55.391 80.148 55.07 80.262 54.738 80.352 + c 51.078 81.449 47.281 82.191 43.359 82.531 c 43.012 82.57 42.641 82.59 + 42.281 82.621 c 41.91 82.641 41.551 82.66 41.18 82.68 c 40.25 82.73 39.309 + 82.75 38.352 82.75 c 23.98 82.75 10.82 77.398 0.77 68.578 c 0.512 68.352 + 0.25 68.129 0 67.898 c 4.512 95.191 28.211 116 56.781 116 c 63.781 116 +70.5 114.75 76.711 112.461 c 76.699 112.449 76.699 112.449 76.691 112.449 + c 62.629 107.66 51.039 97.531 44.301 84.48 c 48.262 84.078 52.09 83.301 + 55.77 82.148 c 61.43 91.48 70.309 98.648 80.852 102.078 c 81.16 102.18 +81.488 102.281 81.809 102.391 c 82.141 102.488 82.461 102.578 82.789 102.66 + c 82.871 102.34 82.949 102.012 83.031 101.68 c 83.109 101.352 83.18 101.031 + 83.25 100.691 c 83.898 97.621 84.25 94.43 84.25 91.16 c 84.25 83.121 82.172 + 75.559 78.52 68.98 c 78.359 68.68 78.18 68.371 78 68.078 c 77.828 67.781 + 77.66 67.48 77.469 67.191 c 75.512 64 73.16 61.039 70.488 58.43 c 70.262 + 58.191 70.012 57.949 69.762 57.73 c 69.52 57.5 69.27 57.262 69.02 57.039 + c 64.309 52.801 58.719 49.531 52.559 47.52 c 53.512 43.852 54.91 40.371 + 56.711 37.148 c 63.859 39.578 70.379 43.398 75.941 48.301 c 76.211 48.52 + 76.461 48.75 76.711 48.988 c 76.969 49.211 77.219 49.449 77.461 49.691 +c 80.281 52.328 82.828 55.27 85.051 58.441 c 85.262 58.73 85.461 59.031 +85.672 59.32 c 85.871 59.621 86.07 59.93 86.262 60.23 c 92.039 69.148 95.398 + 79.781 95.398 91.16 c 95.398 94.891 95.039 98.531 94.352 102.051 c 106.59 + 91.488 114.34 75.871 114.34 58.441 c f +167.582 59.031 m 155.629 59.031 l 143.207 74.242 l 143.207 59.031 l 133.41 + 59.031 l 133.41 91.512 l 143.207 91.512 l 143.207 76.98 l 154.973 91.512 + l 165.609 91.512 l 153.516 76.301 l h +167.582 59.031 m f +207.121 59.031 m 198.398 59.031 l 181.551 77.125 l 181.551 59.031 l 171.848 + 59.031 l 171.848 91.512 l 180.543 91.512 l 197.348 73.512 l 197.348 91.512 + l 207.121 91.512 l h +207.121 59.031 m f +240.051 75.297 m 240.051 76.516 239.867 77.629 239.512 78.637 c 239.152 + 79.645 238.609 80.52 237.883 81.262 c 237.152 82.004 236.27 82.578 235.223 + 82.992 c 234.176 83.406 232.965 83.613 231.59 83.613 c 228.965 83.613 226.902 + 82.852 225.402 81.316 c 223.902 79.785 223.152 77.777 223.152 75.297 c +223.152 72.812 223.902 70.801 225.41 69.262 c 226.918 67.723 228.98 66.949 + 231.59 66.949 c 233.387 66.949 234.914 67.309 236.184 68.02 c 237.445 68.73 + 238.406 69.715 239.066 70.973 c 239.723 72.23 240.051 73.672 240.051 75.297 + c 250.031 75.297 m 250.031 72.266 249.332 69.477 247.938 66.93 c 246.535 + 64.383 244.453 62.355 241.691 60.855 c 238.926 59.355 235.559 58.605 231.59 + 58.605 c 227.57 58.605 224.176 59.391 221.395 60.949 c 218.609 62.516 216.543 + 64.566 215.195 67.113 c 213.844 69.66 213.164 72.391 213.164 75.297 c 213.164 + 78.219 213.84 80.945 215.184 83.484 c 216.527 86.023 218.594 88.07 221.383 + 89.629 c 224.168 91.184 227.57 91.961 231.59 91.961 c 234.59 91.961 237.266 + 91.516 239.613 90.621 c 241.969 89.734 243.902 88.523 245.414 87.004 c +246.934 85.48 248.078 83.703 248.863 81.684 c 249.645 79.656 250.031 77.527 + 250.031 75.297 c f +284.535 83.617 m 272.629 83.617 l 272.629 59.031 l 262.852 59.031 l 262.852 + 83.617 l 250.949 83.617 l 250.949 91.512 l 284.535 91.512 l h +284.535 83.617 m f +156.848 38.824 m 156.848 41.465 156.344 43.523 155.336 45 c 154.328 46.477 + 153.117 47.465 151.703 47.965 c 150.289 48.465 148.848 48.715 147.379 48.715 + c 143.207 48.715 l 143.207 29.473 l 147.379 29.473 l 149.941 29.473 152.16 + 30.082 154.035 31.301 c 155.91 32.52 156.848 35.027 156.848 38.824 c 166.809 + 38.402 m 166.809 35.074 166.203 32.402 164.992 30.387 c 163.781 28.371 +162.355 26.738 160.715 25.488 c 158.387 23.66 155.129 22.746 150.941 22.746 + c 133.41 22.746 l 133.41 55.23 l 146.91 55.23 l 148.941 55.23 150.68 55.125 + 152.125 54.914 c 153.57 54.703 154.871 54.41 156.027 54.023 c 157.184 53.641 + 158.168 53.211 158.98 52.734 c 159.793 52.258 160.52 51.746 161.16 51.199 + c 162.27 50.293 163.242 49.223 164.078 47.992 c 164.914 46.754 165.578 +45.324 166.07 43.699 c 166.562 42.074 166.809 40.309 166.809 38.402 c f +207.168 22.746 m 198.449 22.746 l 181.598 40.84 l 181.598 22.746 l 171.895 + 22.746 l 171.895 55.23 l 180.59 55.23 l 197.395 37.23 l 197.395 55.23 l + 207.168 55.23 l h +207.168 22.746 m f +237.074 32.191 m 237.074 30.16 236.555 28.402 235.516 26.918 c 234.477 +25.434 233.027 24.297 231.168 23.508 c 229.309 22.719 227.176 22.324 224.77 + 22.324 c 224.098 22.324 223.273 22.367 222.297 22.453 c 221.32 22.539 220.023 + 22.777 218.406 23.168 c 216.789 23.559 215.105 24.137 213.355 24.902 c +213.355 32.871 l 214.996 31.855 216.609 31.012 218.195 30.34 c 219.781 29.668 + 221.48 29.332 223.293 29.332 c 224.965 29.332 226.047 29.609 226.539 30.164 + c 227.031 30.719 227.277 31.238 227.277 31.723 c 227.277 32.598 226.855 + 33.336 226.012 33.938 c 225.168 34.539 223.941 35.16 222.332 35.801 c 220.551 + 36.551 218.988 37.367 217.645 38.25 c 216.301 39.133 215.203 40.238 214.352 + 41.566 c 213.5 42.895 213.074 44.465 213.074 46.277 c 213.074 48.027 213.504 + 49.609 214.363 51.027 c 215.223 52.438 216.535 53.566 218.301 54.41 c 220.066 + 55.254 222.223 55.676 224.77 55.676 c 226.582 55.676 228.258 55.5 229.797 + 55.152 c 231.336 54.797 232.605 54.402 233.605 53.965 c 234.605 53.527 +235.293 53.184 235.668 52.934 c 235.668 45.316 l 234.34 46.27 232.859 47.121 + 231.227 47.871 c 229.594 48.621 227.848 48.996 225.988 48.996 c 224.77 +48.996 223.887 48.762 223.34 48.293 c 222.793 47.824 222.52 47.246 222.52 + 46.559 c 222.52 45.918 222.793 45.363 223.34 44.895 c 223.887 44.426 224.863 + 43.855 226.27 43.184 c 228.77 42.012 230.77 40.957 232.27 40.02 c 233.77 + 39.082 234.945 38 235.797 36.773 c 236.648 35.547 237.074 34.02 237.074 + 32.191 c f + Q +Q +Q Q +showpage +%%Trailer +end restore +%%EOF diff --git a/doc/logo.png b/doc/logo.png Binary files differnew file mode 100644 index 0000000..abdd9d5 --- /dev/null +++ b/doc/logo.png diff --git a/doc/man/kdig.1in b/doc/man/kdig.1in new file mode 100644 index 0000000..8bb2d01 --- /dev/null +++ b/doc/man/kdig.1in @@ -0,0 +1,378 @@ +.\" Man page generated from reStructuredText. +. +.TH "KDIG" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS" +.SH NAME +kdig \- Advanced DNS lookup utility +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBkdig\fP [\fIcommon\-settings\fP] [\fIquery\fP [\fIsettings\fP]]... +.sp +\fBkdig\fP \fB\-h\fP +.SH DESCRIPTION +.sp +This utility sends one or more DNS queries to a nameserver. Each query can have +individual \fIsettings\fP, or it can be specified globally via \fIcommon\-settings\fP, +which must precede \fIquery\fP specification. +.SS Parameters +.INDENT 0.0 +.TP +\fIquery\fP +\fIname\fP | \fB\-q\fP \fIname\fP | \fB\-x\fP \fIaddress\fP | \fB\-G\fP \fItapfile\fP +.TP +\fIcommon\-settings\fP, \fIsettings\fP +[\fIquery_class\fP] [\fIquery_type\fP] [\fB@\fP\fIserver\fP]... [\fIoptions\fP] +.TP +\fIname\fP +Is a domain name that is to be looked up. +.TP +\fIserver\fP +Is a domain name or an IPv4 or IPv6 address of the nameserver to send a query +to. An additional port can be specified using address:port ([address]:port +for IPv6 address), address@port, or address#port notation. If no server is +specified, the servers from \fB/etc/resolv.conf\fP are used. +.UNINDENT +.sp +If no arguments are provided, \fBkdig\fP sends NS query for the root +zone. +.SS Query classes +.sp +A \fIquery_class\fP can be either a DNS class name (IN, CH) or generic class +specification \fBCLASS\fP\fIXXXXX\fP where \fIXXXXX\fP is a corresponding decimal +class number. The default query class is IN. +.SS Query types +.sp +A \fIquery_type\fP can be either a DNS resource record type +(A, AAAA, NS, SOA, DNSKEY, ANY, etc.) or one of the following: +.INDENT 0.0 +.TP +\fBTYPE\fP\fIXXXXX\fP +Generic query type specification where \fIXXXXX\fP is a corresponding decimal +type number. +.TP +\fBAXFR\fP +Full zone transfer request. +.TP +\fBIXFR=\fP\fIserial\fP +Incremental zone transfer request for specified starting SOA serial number. +.TP +\fBNOTIFY=\fP\fIserial\fP +Notify message with a SOA serial hint specified. +.TP +\fBNOTIFY\fP +Notify message with a SOA serial hint unspecified. +.UNINDENT +.sp +The default query type is A. +.SS Options +.INDENT 0.0 +.TP +\fB\-4\fP +Use the IPv4 protocol only. +.TP +\fB\-6\fP +Use the IPv6 protocol only. +.TP +\fB\-b\fP \fIaddress\fP +Set the source IP address of the query to \fIaddress\fP\&. The address must be a +valid address for local interface or :: or 0.0.0.0. An optional port +can be specified in the same format as the \fIserver\fP value. +.TP +\fB\-c\fP \fIclass\fP +An explicit \fIquery_class\fP specification. See possible values above. +.TP +\fB\-d\fP +Enable debug messages. +.TP +\fB\-h\fP, \fB\-\-help\fP +Print the program help. +.TP +\fB\-k\fP \fIkeyfile\fP +Use the TSIG key stored in a file \fIkeyfile\fP to authenticate the request. The +file must contain the key in the same format as accepted by the +\fB\-y\fP option. +.TP +\fB\-p\fP \fIport\fP +Set the nameserver port number or service name to send a query to. The default +port is 53. +.TP +\fB\-q\fP \fIname\fP +Set the query name. An explicit variant of \fIname\fP specification. If no \fIname\fP +is provided, empty question section is set. +.TP +\fB\-t\fP \fItype\fP +An explicit \fIquery_type\fP specification. See possible values above. +.TP +\fB\-V\fP, \fB\-\-version\fP +Print the program version. +.TP +\fB\-x\fP \fIaddress\fP +Send a reverse (PTR) query for IPv4 or IPv6 \fIaddress\fP\&. The correct name, class +and type is set automatically. +.TP +\fB\-y\fP [\fIalg\fP:]\fIname\fP:\fIkey\fP +Use the TSIG key named \fIname\fP to authenticate the request. The \fIalg\fP +part specifies the algorithm (the default is hmac\-sha256) and \fIkey\fP specifies +the shared secret encoded in Base64. +.TP +\fB\-E\fP \fItapfile\fP +Export a dnstap trace of the query and response messages received to the +file \fItapfile\fP\&. +.TP +\fB\-G\fP \fItapfile\fP +Generate message output from a previously saved dnstap file \fItapfile\fP\&. +.TP +\fB+\fP[\fBno\fP]\fBmultiline\fP +Wrap long records to more lines and improve human readability. +.TP +\fB+\fP[\fBno\fP]\fBshort\fP +Show record data only. +.TP +\fB+\fP[\fBno\fP]\fBgeneric\fP +Use the generic representation format when printing resource record types +and data. +.TP +\fB+\fP[\fBno\fP]\fBcrypto\fP +Display the DNSSEC keys and signatures values in hexdump, instead of omitting them. +.TP +\fB+\fP[\fBno\fP]\fBaaflag\fP +Set the AA flag. +.TP +\fB+\fP[\fBno\fP]\fBtcflag\fP +Set the TC flag. +.TP +\fB+\fP[\fBno\fP]\fBrdflag\fP +Set the RD flag. +.TP +\fB+\fP[\fBno\fP]\fBrecurse\fP +Same as \fB+\fP[\fBno\fP]\fBrdflag\fP +.TP +\fB+\fP[\fBno\fP]\fBraflag\fP +Set the RA flag. +.TP +\fB+\fP[\fBno\fP]\fBzflag\fP +Set the zero flag bit. +.TP +\fB+\fP[\fBno\fP]\fBadflag\fP +Set the AD flag. +.TP +\fB+\fP[\fBno\fP]\fBcdflag\fP +Set the CD flag. +.TP +\fB+\fP[\fBno\fP]\fBdnssec\fP +Set the DO flag. +.TP +\fB+\fP[\fBno\fP]\fBall\fP +Show all packet sections. +.TP +\fB+\fP[\fBno\fP]\fBqr\fP +Show the query packet. +.TP +\fB+\fP[\fBno\fP]\fBheader\fP +Show the packet header. +.TP +\fB+\fP[\fBno\fP]\fBcomments\fP +Show commented section names. +.TP +\fB+\fP[\fBno\fP]\fBopt\fP +Show the EDNS pseudosection. +.TP +\fB+\fP[\fBno\fP]\fBquestion\fP +Show the question section. +.TP +\fB+\fP[\fBno\fP]\fBanswer\fP +Show the answer section. +.TP +\fB+\fP[\fBno\fP]\fBauthority\fP +Show the authority section. +.TP +\fB+\fP[\fBno\fP]\fBadditional\fP +Show the additional section. +.TP +\fB+\fP[\fBno\fP]\fBtsig\fP +Show the TSIG pseudosection. +.TP +\fB+\fP[\fBno\fP]\fBstats\fP +Show trailing packet statistics. +.TP +\fB+\fP[\fBno\fP]\fBclass\fP +Show the DNS class. +.TP +\fB+\fP[\fBno\fP]\fBttl\fP +Show the TTL value. +.TP +\fB+\fP[\fBno\fP]\fBtcp\fP +Use the TCP protocol (default is UDP for standard query and TCP for AXFR/IXFR). +.TP +\fB+\fP[\fBno\fP]\fBfastopen\fP +Use TCP Fast Open (default with TCP). +.TP +\fB+\fP[\fBno\fP]\fBignore\fP +Don\(aqt use TCP automatically if a truncated reply is received. +.TP +\fB+\fP[\fBno\fP]\fBtls\fP +Use TLS with the Opportunistic privacy profile (\fI\%RFC 7858#section\-4.1\fP). +.TP +\fB+\fP[\fBno\fP]\fBtls\-ca\fP[=\fIFILE\fP] +Use TLS with a certificate validation. Certification authority certificates +are loaded from the specified PEM file (default is system certificate storage +if no argument is provided). +Can be specified multiple times. If the +tls\-hostname option is not provided, +the name of the target server (if specified) is used for strict authentication. +.TP +\fB+\fP[\fBno\fP]\fBtls\-pin\fP=\fIBASE64\fP +Use TLS with the Out\-of\-Band key\-pinned privacy profile (\fI\%RFC 7858#section\-4.2\fP). +The PIN must be a Base64 encoded SHA\-256 hash of the X.509 SubjectPublicKeyInfo. +Can be specified multiple times. +.TP +\fB+\fP[\fBno\fP]\fBtls\-hostname\fP=\fISTR\fP +Use TLS with a remote server hostname check. +.TP +\fB+\fP[\fBno\fP]\fBtls\-sni\fP=\fISTR\fP +Use TLS with a Server Name Indication. +.TP +\fB+\fP[\fBno\fP]\fBnsid\fP +Request the nameserver identifier (NSID). +.TP +\fB+\fP[\fBno\fP]\fBbufsize\fP=\fIB\fP +Set EDNS buffer size in bytes (default is 512 bytes). +.TP +\fB+\fP[\fBno\fP]\fBpadding\fP[=\fIB\fP] +Use EDNS(0) padding option to pad queries, optionally to a specific +size. The default is to pad queries with a sensible amount when using ++tls, and not to pad at all when queries are sent without TLS. With +no argument (i.e., just +padding) pad every query with a sensible +amount regardless of the use of TLS. With +nopadding, never pad. +.TP +\fB+\fP[\fBno\fP]\fBalignment\fP[=\fIB\fP] +Align the query to B\-byte\-block message using the EDNS(0) padding option +(default is no or 128 if no argument is specified). +.TP +\fB+\fP[\fBno\fP]\fBsubnet\fP=\fISUBN\fP +Set EDNS(0) client subnet SUBN=addr/prefix. +.TP +\fB+\fP[\fBno\fP]\fBedns\fP[=\fIN\fP] +Use EDNS version (default is 0). +.TP +\fB+\fP[\fBno\fP]\fBtimeout\fP=\fIT\fP +Set the wait\-for\-reply interval in seconds (default is 5 seconds). This timeout +applies to each query attempt. +.TP +\fB+\fP[\fBno\fP]\fBretry\fP=\fIN\fP +Set the number (>=0) of UDP retries (default is 2). This doesn\(aqt apply to +AXFR/IXFR. +.TP +\fB+\fP[\fBno\fP]\fBcookie\fP=\fIHEX\fP +Attach EDNS(0) cookie to the query. +.TP +\fB+\fP[\fBno\fP]\fBbadcookie\fP +Repeat a query with the correct cookie. +.TP +\fB+\fP[\fBno\fP]\fBednsopt\fP[=\fICODE\fP[:\fIHEX\fP]] +Send custom EDNS option. The \fICODE\fP is EDNS option code in decimal, \fIHEX\fP +is an optional hex encoded string to use as EDNS option value. This argument +can be used multiple times. +noednsopt clears all EDNS options specified by ++ednsopt. +.TP +\fB+noidn\fP +Disable the IDN transformation to ASCII and vice versa. IDNA2003 support depends +on libidn availability during project building! +.UNINDENT +.SH NOTES +.sp +Options \fB\-k\fP and \fB\-y\fP can not be used simultaneously. +.sp +Dnssec\-keygen keyfile format is not supported. Use \fBkeymgr(8)\fP instead. +.SH EXAMPLES +.INDENT 0.0 +.IP 1. 3 +Get A records for example.com: +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +$ kdig example.com A +.ft P +.fi +.UNINDENT +.UNINDENT +.IP 2. 3 +Perform AXFR for zone example.com from the server 192.0.2.1: +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +$ kdig example.com \-t AXFR @192.0.2.1 +.ft P +.fi +.UNINDENT +.UNINDENT +.IP 3. 3 +Get A records for example.com from 192.0.2.1 and reverse lookup for address +2001:DB8::1 from 192.0.2.2. Both using the TCP protocol: +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +$ kdig +tcp example.com \-t A @192.0.2.1 \-x 2001:DB8::1 @192.0.2.2 +.ft P +.fi +.UNINDENT +.UNINDENT +.IP 4. 3 +Get SOA record for example.com, use TLS, use system certificates, check +for specified hostname, check for certificate pin, and print additional +debug info: +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +$ kdig \-d @185.49.141.38 +tls\-ca +tls\-host=getdnsapi.net \e + +tls\-pin=foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= soa example.com +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.SH FILES +.sp +\fB/etc/resolv.conf\fP +.SH SEE ALSO +.sp +\fBkhost(1)\fP, \fBknsupdate(1)\fP, \fBkeymgr(8)\fP\&. +.SH AUTHOR +CZ.NIC Labs <https://www.knot-dns.cz> +.SH COPYRIGHT +Copyright 2010–2019, CZ.NIC, z.s.p.o. +.\" Generated by docutils manpage writer. +. diff --git a/doc/man/keymgr.8in b/doc/man/keymgr.8in new file mode 100644 index 0000000..78a322f --- /dev/null +++ b/doc/man/keymgr.8in @@ -0,0 +1,286 @@ +.\" Man page generated from reStructuredText. +. +.TH "KEYMGR" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS" +.SH NAME +keymgr \- Knot DNS key management utility +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBkeymgr\fP \fIbasic_option\fP [\fIparameters\fP\&...] +.sp +\fBkeymgr\fP [\fIconfig_option\fP \fIconfig_storage\fP] \fIzone\fP \fIcommand\fP \fIargument\fP\&... +.SH DESCRIPTION +.sp +The \fBkeymgr\fP utility serves for manual key management in Knot DNS server. +.sp +Functions for DNSSEC keys and KASP (Key And Signature Policy) +management are provided. +.sp +The DNSSEC and KASP configuration is stored in a so called KASP database. +The database is backed by LMDB. +.SS Basic options +.INDENT 0.0 +.TP +\fB\-h\fP, \fB\-\-help\fP +Print the program help. +.TP +\fB\-V\fP, \fB\-\-version\fP +Print the program version. +.TP +\fB\-t\fP, \fB\-\-tsig\fP \fItsig_name\fP [\fItsig_algorithm\fP] [\fItsig_bits\fP] +Generates a TSIG key. TSIG algorithm can be specified by string (default: hmac\-sha256), +bit length of the key by number (default: optimal length given by algorithm). The generated +TSIG key is only displayed on \fIstdout\fP: the command does not create a file, nor include the +key in a keystore. +.UNINDENT +.SS Config options +.INDENT 0.0 +.TP +\fB\-c\fP, \fB\-\-config\fP \fIfile\fP +Use a textual configuration file (default is \fB@config_dir@/knot.conf\fP). +.TP +\fB\-C\fP, \fB\-\-confdb\fP \fIdirectory\fP +Use a binary configuration database directory (default is \fB@storage_dir@/confdb\fP). +The default configuration database, if exists, has a preference to the default +configuration file. +.TP +\fB\-d\fP, \fB\-\-dir\fP \fIpath\fP +Use specified KASP database path and default configuration. +.UNINDENT +.SS Commands +.INDENT 0.0 +.TP +\fBlist\fP [\fItimestamp_format\fP] +Prints the list of key IDs and parameters of keys belonging to the zone. +.TP +\fBgenerate\fP [\fIarguments\fP\&...] +Generates new DNSSEC key and stores it in KASP database. Prints the key ID. +This action takes some number of arguments (see below). Values for unspecified arguments are taken +from corresponding policy (if \fI\-c\fP or \fI\-C\fP options used) or from Knot policy defaults. +.TP +\fBimport\-bind\fP \fIBIND_key_file\fP +Imports a BIND\-style key into KASP database (converting it to PEM format). +Takes one argument: path to BIND key file (private or public, but both MUST exist). +.TP +\fBimport\-pub\fP \fIBIND_pubkey_file\fP +Imports a public key into KASP database. This key won\(aqt be rollovered nor used for signing. +Takes one argument: path to BIND public key file. +.TP +\fBimport\-pem\fP \fIPEM_file\fP [\fIarguments\fP\&...] +Imports a DNSSEC key from PEM file. The key parameters (same as for the generate action) need to be +specified (mainly algorithm, timers...) because they are not contained in the PEM format. +.TP +\fBimport\-pkcs11\fP \fIkey_id\fP [\fIarguments\fP\&...] +Imports a DNSSEC key from PKCS #11 storage. The key parameters (same as for the generate action) need to be +specified (mainly algorithm, timers...) because they are not available. In fact, no key +data is imported, only KASP database metadata is created. +.TP +\fBnsec3\-salt\fP [\fInew_salt\fP] +Prints the current NSEC3 salt used for signing. If \fInew_salt\fP is specified, the salt is overwritten. +The salt is printed and expected in hexadecimal, or dash if empty. +.TP +\fBset\fP \fIkey_spec\fP [\fIarguments\fP\&...] +Changes a timing argument (or ksk/zsk) of an existing key to a new value. \fIKey_spec\fP is either the +key tag or a prefix of the key ID; \fIarguments\fP are like for \fBgenerate\fP, but just the related ones. +.TP +\fBds\fP [\fIkey_spec\fP] +Generate DS record (all digest algorithms together) for specified key. \fIKey_spec\fP +is like for \fBset\fP, if unspecified, all KSKs are used. +.TP +\fBdnskey\fP [\fIkey_spec\fP] +Generate DNSKEY record for specified key. \fIKey_spec\fP +is like for \fBds\fP, if unspecified, all KSKs are used. +.TP +\fBdelete\fP \fIkey_spec\fP +Remove the specified key from zone. If the key was not shared, it is also deleted from keystore. +.TP +\fBshare\fP \fIkey_ID\fP +Import a key (specified by full key ID) from another zone as shared. After this, the key is +owned by both zones equally. +.UNINDENT +.SS Generate arguments +.sp +Arguments are separated by space, each of them is in format \(aqname=value\(aq. +.INDENT 0.0 +.TP +\fBalgorithm\fP +Either an algorithm number (e.g. 14), or text name without dashes (e.g. ECDSAP384SHA384). +.TP +\fBsize\fP +Key length in bits. +.TP +\fBksk\fP +If set to \fByes\fP, the key will be used for signing DNSKEY rrset. The generated key will also +have the Secure Entry Point flag set to 1. +.TP +\fBzsk\fP +If set to \fByes\fP, the key will be used for signing zone (except DNSKEY rrset). This flag can +be set concurrently with the \fBksk\fP flag. +.TP +\fBsep\fP +Overrides the standard setting of the Secure Entry Point flag for the generated key. +.UNINDENT +.sp +The following arguments are timestamps of key lifetime: +.INDENT 0.0 +.TP +\fBcreated\fP +Key created. +.TP +\fBpre_active\fP +Key started to be used for signing, not published (only for algorithm rollover). +.TP +\fBpublish\fP +Key published. +.TP +\fBready\fP +Key used for signing and submitted to the parent zone (only for KSK). +.TP +\fBactive\fP +Key used for signing. +.TP +\fBpost_active\fP +Key still used for singing, but another key is active (only for KSK). +.TP +\fBretire_active\fP +Key no longer published, but still used for signing (only for algorithm rollover). +.TP +\fBretire\fP +Key still published, but no longer used for signing. +.TP +\fBremove\fP +Key deleted. +.UNINDENT +.SS Timestamps +.INDENT 0.0 +.TP +0 +Zero timestamp means infinite future. +.TP +\fIUNIX_time\fP +Positive number of seconds since 1970 UTC. +.TP +\fIYYYYMMDDHHMMSS\fP +Date and time in this format without any punctuation. +.TP +\fIrelative_timestamp\fP +A sign character (\fB+\fP, \fB\-\fP), a number, and an optional time unit +(\fBy\fP, \fBmo\fP, \fBd\fP, \fBh\fP, \fBmi\fP, \fBs\fP). The default unit is one second. +E.g. +1mi, \-2mo. +.UNINDENT +.SS Output timestamp formats +.INDENT 0.0 +.TP +(none) +The timestamps are printed as UNIX timestamp. +.TP +\fBhuman\fP +The timestamps are printed relatively to now using time units (e.g. \-2y5mo, +1h13s). +.TP +\fBiso\fP +The timestamps are printed in the ISO8601 format (e.g. 2016\-12\-31T23:59:00). +.UNINDENT +.SH EXAMPLES +.INDENT 0.0 +.IP 1. 3 +Generate new TSIG key: +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +$ keymgr \-t my_name hmac\-sha384 +.ft P +.fi +.UNINDENT +.UNINDENT +.IP 2. 3 +Generate new DNSSEC key: +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +$ keymgr example.com. generate algorithm=ECDSAP256SHA256 size=256 \e + ksk=true created=1488034625 publish=20170223205611 retire=+10mo remove=+1y +.ft P +.fi +.UNINDENT +.UNINDENT +.IP 3. 3 +Import a DNSSEC key from BIND: +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +$ keymgr example.com. import\-bind ~/bind/Kharbinge4d5.+007+63089.key +.ft P +.fi +.UNINDENT +.UNINDENT +.IP 4. 3 +Configure key timing: +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +$ keymgr example.com. set 4208 active=+2mi retire=+4mi remove=+5mi +.ft P +.fi +.UNINDENT +.UNINDENT +.IP 5. 3 +Share a KSK from another zone: +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +$ keymgr example.com. share e687cf927029e9db7184d2ece6d663f5d1e5b0e9 +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.SH SEE ALSO +.sp +\fI\%RFC 6781\fP \- DNSSEC Operational Practices. +\fI\%RFC 7583\fP \- DNSSEC Key Rollover Timing Considerations. +.sp +\fBknot.conf(5)\fP, +\fBknotc(8)\fP, +\fBknotd(8)\fP\&. +.SH AUTHOR +CZ.NIC Labs <https://www.knot-dns.cz> +.SH COPYRIGHT +Copyright 2010–2019, CZ.NIC, z.s.p.o. +.\" Generated by docutils manpage writer. +. diff --git a/doc/man/khost.1in b/doc/man/khost.1in new file mode 100644 index 0000000..d102136 --- /dev/null +++ b/doc/man/khost.1in @@ -0,0 +1,152 @@ +.\" Man page generated from reStructuredText. +. +.TH "KHOST" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS" +.SH NAME +khost \- Simple DNS lookup utility +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBkhost\fP [\fIoptions\fP] \fIname\fP [\fIserver\fP] +.SH DESCRIPTION +.sp +This utility sends a DNS query for the \fIname\fP to the \fIserver\fP and prints a reply +in more user\-readable form. For more advanced DNS queries use \fBkdig\fP +instead. +.SS Parameters +.INDENT 0.0 +.TP +\fIname\fP +Is a domain name that is to be looked up. If the \fIname\fP is IPv4 or IPv6 +address the PTR query type is used. +.TP +\fIserver\fP +Is a name or an address of the nameserver to send a query to. The address +can be specified using [address]:port notation. If no server is specified, +the servers from \fB/etc/resolv.conf\fP are used. +.UNINDENT +.sp +If no arguments are provided, \fBkhost\fP prints a short help. +.SS Options +.INDENT 0.0 +.TP +\fB\-4\fP +Use the IPv4 protocol only. +.TP +\fB\-6\fP +Use the IPv6 protocol only. +.TP +\fB\-a\fP +Send ANY query with verbose mode. +.TP +\fB\-d\fP +Enable debug messages. +.TP +\fB\-h\fP, \fB\-\-help\fP +Print the program help. +.TP +\fB\-r\fP +Disable recursion. +.TP +\fB\-T\fP +Use the TCP protocol. +.TP +\fB\-v\fP +Enable verbose output. +.TP +\fB\-V\fP, \fB\-\-version\fP +Print the program version. +.TP +\fB\-w\fP +Wait forever for the reply. +.TP +\fB\-c\fP \fIclass\fP +Set the query class (e.g. CH, CLASS4). The default class is IN. +.TP +\fB\-t\fP \fItype\fP +Set the query type (e.g. NS, IXFR=12345, TYPE65535). The default is to send 3 +queries (A, AAAA and MX). +.TP +\fB\-R\fP \fIretries\fP +The number (>=0) of UDP retries to query a nameserver. The default is 1. +.TP +\fB\-W\fP \fIwait\fP +The time to wait for a reply in seconds. This timeout applies to each query +try. The default is 2 seconds. +.UNINDENT +.SH EXAMPLES +.INDENT 0.0 +.IP 1. 3 +Get the A, AAAA and MX records for example.com: +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +$ khost example.com +.ft P +.fi +.UNINDENT +.UNINDENT +.IP 2. 3 +Get the reverse record for address 192.0.2.1: +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +$ khost 192.0.2.1 +.ft P +.fi +.UNINDENT +.UNINDENT +.IP 3. 3 +Perform a verbose zone transfer for zone example.com: +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +$ khost \-t AXFR \-v example.com +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.SH FILES +.sp +\fB/etc/resolv.conf\fP +.SH SEE ALSO +.sp +\fBkdig(1)\fP, \fBknsupdate(1)\fP\&. +.SH AUTHOR +CZ.NIC Labs <https://www.knot-dns.cz> +.SH COPYRIGHT +Copyright 2010–2019, CZ.NIC, z.s.p.o. +.\" Generated by docutils manpage writer. +. diff --git a/doc/man/kjournalprint.8in b/doc/man/kjournalprint.8in new file mode 100644 index 0000000..796e54f --- /dev/null +++ b/doc/man/kjournalprint.8in @@ -0,0 +1,92 @@ +.\" Man page generated from reStructuredText. +. +.TH "KJOURNALPRINT" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS" +.SH NAME +kjournalprint \- Knot DNS journal print utility +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBkjournalprint\fP [\fIoptions\fP] \fIjournal_db\fP \fIzone_name\fP +.SH DESCRIPTION +.sp +The program prints zone history stored in a journal database. As default, +changes are colored for terminal. +.SS Options +.INDENT 0.0 +.TP +\fB\-l\fP, \fB\-\-limit\fP \fIlimit\fP +Limits the number of displayed changes. +.TP +\fB\-d\fP, \fB\-\-debug\fP +Debug mode brief output. +.TP +\fB\-n\fP, \fB\-\-no\-color\fP +Removes changes coloring. +.TP +\fB\-z\fP, \fB\-\-zone\-list\fP +Instead of reading jurnal, display the list of zones in the DB. +(\fIzone_name\fP not needed) +.TP +\fB\-h\fP, \fB\-\-help\fP +Print the program help. +.TP +\fB\-V\fP, \fB\-\-version\fP +Print the program version. +.UNINDENT +.SS Parameters +.INDENT 0.0 +.TP +\fIjournal_db\fP +A path to the journal database. +.TP +\fIzone_name\fP +A name of the zone to print the history for. +.UNINDENT +.SH EXAMPLES +.sp +Last (most recent) 5 changes without colors: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +$ kjournalprint \-nl 5 /var/lib/knot/journal example.com. +.ft P +.fi +.UNINDENT +.UNINDENT +.SH SEE ALSO +.sp +\fBknotd(8)\fP, \fBknot.conf(5)\fP\&. +.SH AUTHOR +CZ.NIC Labs <https://www.knot-dns.cz> +.SH COPYRIGHT +Copyright 2010–2019, CZ.NIC, z.s.p.o. +.\" Generated by docutils manpage writer. +. diff --git a/doc/man/knot.conf.5in b/doc/man/knot.conf.5in new file mode 100644 index 0000000..9eac7bc --- /dev/null +++ b/doc/man/knot.conf.5in @@ -0,0 +1,1401 @@ +.\" Man page generated from reStructuredText. +. +.TH "KNOT.CONF" "5" "@RELEASE_DATE@" "@VERSION@" "Knot DNS" +.SH NAME +knot.conf \- Knot DNS configuration file +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH DESCRIPTION +.sp +Configuration files for Knot DNS use simplified YAML format. Simplified means +that not all of the features are supported. +.sp +For the description of configuration items, we have to declare a meaning of +the following symbols: +.INDENT 0.0 +.IP \(bu 2 +\fIINT\fP – Integer +.IP \(bu 2 +\fISTR\fP – Textual string +.IP \(bu 2 +\fIHEXSTR\fP – Hexadecimal string (with \fB0x\fP prefix) +.IP \(bu 2 +\fIBOOL\fP – Boolean value (\fBon\fP/\fBoff\fP or \fBtrue\fP/\fBfalse\fP) +.IP \(bu 2 +\fITIME\fP – Number of seconds, an integer with possible time multiplier suffix +(\fBs\fP ~ 1, \fBm\fP ~ 60, \fBh\fP ~ 3600 or \fBd\fP ~ 24 * 3600) +.IP \(bu 2 +\fISIZE\fP – Number of bytes, an integer with possible size multiplier suffix +(\fBB\fP ~ 1, \fBK\fP ~ 1024, \fBM\fP ~ 1024^2 or \fBG\fP ~ 1024^3) +.IP \(bu 2 +\fIBASE64\fP – Base64 encoded string +.IP \(bu 2 +\fIADDR\fP – IPv4 or IPv6 address +.IP \(bu 2 +\fIDNAME\fP – Domain name +.IP \(bu 2 +\&... – Multi\-valued item, order of the values is preserved +.IP \(bu 2 +[ ] – Optional value +.IP \(bu 2 +| – Choice +.UNINDENT +.sp +There are 12 main sections (\fBmodule\fP, \fBserver\fP, \fBcontrol\fP, \fBlog\fP, +\fBstatistics\fP, \fBkeystore\fP, \fBpolicy\fP, \fBkey\fP, \fBacl\fP, \fBremote\fP, +\fBtemplate\fP, and \fBzone\fP) and module sections with the \fBmod\-\fP prefix. +Most of the sections (excluding \fBserver\fP, \fBcontrol\fP, and \fBstatistics\fP) +are sequences of settings blocks. Each settings block begins with a unique identifier, +which can be used as a reference from other sections (such identifier +must be defined in advance). +.sp +A multi\-valued item can be specified either as a YAML sequence: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +address: [10.0.0.1, 10.0.0.2] +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +or as more single\-valued items each on an extra line: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +address: 10.0.0.1 +address: 10.0.0.2 +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +If an item value contains spaces or other special characters, it is necessary +to enclose such value within double quotes \fB"\fP \fB"\fP\&. +.SH COMMENTS +.sp +A comment begins with a \fB#\fP character and is ignored during processing. +Also each configuration section or sequence block allows a permanent +comment using the \fBcomment\fP item which is stored in the server beside the +configuration. +.SH INCLUDES +.sp +Another configuration file or files, matching a pattern, can be included at +the top level in the current file. If the path is not absolute, then it +is considered to be relative to the current file. The pattern can be +an arbitrary string meeting POSIX \fIglob\fP requirements, e.g. dir/*.conf. +Matching files are processed in sorted order. +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +include: STR +.ft P +.fi +.UNINDENT +.UNINDENT +.SH MODULE SECTION +.sp +Dynamic modules loading configuration. +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +If configured with non\-empty \fB\(ga\-\-with\-moduledir=path\(ga\fP parameter, all +shared modules in this directory will be automatically loaded. +.UNINDENT +.UNINDENT +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +module: + \- id: STR + file: STR +.ft P +.fi +.UNINDENT +.UNINDENT +.SS id +.sp +A module identifier in the form of the \fBmod\-\fP prefix and module name suffix. +.SS file +.sp +A path to a shared library file with the module implementation. +.sp +\fIDefault:\fP \fB${libdir}/knot/modules\-${version}\fP/module_name.so +(or \fB${path}\fP/module_name.so if configured with \fB\-\-with\-moduledir=path\fP) +.sp +\fBWARNING:\fP +.INDENT 0.0 +.INDENT 3.5 +If the path is not absolute, the library is searched in the set of +system directories. See \fBman dlopen\fP for more details. +.UNINDENT +.UNINDENT +.SH SERVER SECTION +.sp +General options related to the server. +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +server: + identity: [STR] + version: [STR] + nsid: [STR|HEXSTR] + rundir: STR + user: STR[:STR] + pidfile: STR + udp\-workers: INT + tcp\-workers: INT + background\-workers: INT + async\-start: BOOL + tcp\-handshake\-timeout: TIME + tcp\-idle\-timeout: TIME + tcp\-reply\-timeout: TIME + max\-tcp\-clients: INT + max\-udp\-payload: SIZE + max\-ipv4\-udp\-payload: SIZE + max\-ipv6\-udp\-payload: SIZE + edns\-client\-subnet: BOOL + answer\-rotation: BOOL + listen: ADDR[@INT] ... +.ft P +.fi +.UNINDENT +.UNINDENT +.SS identity +.sp +An identity of the server returned in the response to the query for TXT +record \fBid.server.\fP or \fBhostname.bind.\fP in the CHAOS class (\fI\%RFC 4892\fP). +Set empty value to disable. +.sp +\fIDefault:\fP FQDN hostname +.SS version +.sp +A version of the server software returned in the response to the query +for TXT record \fBversion.server.\fP or \fBversion.bind.\fP in the CHAOS +class (\fI\%RFC 4892\fP). Set empty value to disable. +.sp +\fIDefault:\fP server version +.SS nsid +.sp +A DNS name server identifier (\fI\%RFC 5001\fP). Set empty value to disable. +.sp +\fIDefault:\fP FQDN hostname +.SS rundir +.sp +A path for storing run\-time data (PID file, unix sockets, etc.). +.sp +\fIDefault:\fP \fB${localstatedir}/run/knot\fP (configured with \fB\-\-with\-rundir=path\fP) +.SS user +.sp +A system user with an optional system group (\fBuser:group\fP) under which the +server is run after starting and binding to interfaces. Linux capabilities +are employed if supported. +.sp +\fIDefault:\fP root:root +.SS pidfile +.sp +A PID file location. +.sp +\fIDefault:\fP \fI\%rundir\fP/knot.pid +.SS udp\-workers +.sp +A number of UDP workers (threads) used to process incoming queries +over UDP. +.sp +\fIDefault:\fP auto\-estimated optimal value based on the number of online CPUs +.SS tcp\-workers +.sp +A number of TCP workers (threads) used to process incoming queries +over TCP. +.sp +\fIDefault:\fP auto\-estimated optimal value based on the number of online CPUs +.SS background\-workers +.sp +A number of workers (threads) used to execute background operations (zone +loading, zone updates, etc.). +.sp +\fIDefault:\fP auto\-estimated optimal value based on the number of online CPUs +.SS async\-start +.sp +If enabled, server doesn\(aqt wait for the zones to be loaded and starts +responding immediately with SERVFAIL answers until the zone loads. +.sp +\fIDefault:\fP off +.SS tcp\-handshake\-timeout +.sp +Maximum time between newly accepted TCP connection and the first query. +This is useful to disconnect inactive connections faster than connections +that already made at least 1 meaningful query. +.sp +\fIDefault:\fP 5 +.SS tcp\-idle\-timeout +.sp +Maximum idle time between requests on a TCP connection. This also limits +receiving of a single query, each query must be received in this time limit. +.sp +\fIDefault:\fP 20 +.SS tcp\-reply\-timeout +.sp +Maximum time to wait for an outgoing connection or for a reply to an issued +request (SOA, NOTIFY, AXFR...). +.sp +\fIDefault:\fP 10 +.SS max\-tcp\-clients +.sp +A maximum number of TCP clients connected in parallel, set this below the file +descriptor limit to avoid resource exhaustion. +.sp +\fIDefault:\fP 100 +.SS max\-udp\-payload +.sp +Maximum EDNS0 UDP payload size default for both IPv4 and IPv6. +.sp +\fIDefault:\fP 4096 +.SS max\-ipv4\-udp\-payload +.sp +Maximum EDNS0 UDP payload size for IPv4. +.sp +\fIDefault:\fP 4096 +.SS max\-ipv6\-udp\-payload +.sp +Maximum EDNS0 UDP payload size for IPv6. +.sp +\fIDefault:\fP 4096 +.SS edns\-client\-subnet +.sp +Enable or disable EDNS Client Subnet support. If enabled, responses to queries +containing the EDNS Client Subnet option +always contain a valid EDNS Client Subnet option according to \fI\%RFC 7871\fP\&. +.sp +\fIDefault:\fP off +.SS answer\-rotation +.sp +Enable or disable sorted\-rrset rotation in the answer section of normal replies. +The rotation shift is simply determined by a query ID. +.sp +\fIDefault:\fP off +.SS listen +.sp +One or more IP addresses where the server listens for incoming queries. +Optional port specification (default is 53) can be appended to each address +using \fB@\fP separator. Use \fB0.0.0.0\fP for all configured IPv4 addresses or +\fB::\fP for all configured IPv6 addresses. +.sp +\fIDefault:\fP not set +.SH KEY SECTION +.sp +Shared TSIG keys used to authenticate communication with the server. +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +key: + \- id: DNAME + algorithm: hmac\-md5 | hmac\-sha1 | hmac\-sha224 | hmac\-sha256 | hmac\-sha384 | hmac\-sha512 + secret: BASE64 +.ft P +.fi +.UNINDENT +.UNINDENT +.SS id +.sp +A key name identifier. +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +This value MUST be exactly the same as the name of the TSIG key on the +opposite master/slave server(s). +.UNINDENT +.UNINDENT +.SS algorithm +.sp +A TSIG key algorithm. See +\fI\%TSIG Algorithm Numbers\fP\&. +.sp +Possible values: +.INDENT 0.0 +.IP \(bu 2 +\fBhmac\-md5\fP +.IP \(bu 2 +\fBhmac\-sha1\fP +.IP \(bu 2 +\fBhmac\-sha224\fP +.IP \(bu 2 +\fBhmac\-sha256\fP +.IP \(bu 2 +\fBhmac\-sha384\fP +.IP \(bu 2 +\fBhmac\-sha512\fP +.UNINDENT +.sp +\fIDefault:\fP not set +.SS secret +.sp +Shared key secret. +.sp +\fIDefault:\fP not set +.SH ACL SECTION +.sp +Access control list rule definitions. The ACLs are used to match incoming +connections to allow or deny requested operation (zone transfer request, DDNS +update, etc.). +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +acl: + \- id: STR + address: ADDR[/INT] | ADDR\-ADDR ... + key: key_id ... + action: notify | transfer | update ... + deny: BOOL +.ft P +.fi +.UNINDENT +.UNINDENT +.SS id +.sp +An ACL rule identifier. +.SS address +.sp +An ordered list of IP addresses, network subnets, or network ranges. The query +must match one of them. Empty value means that address match is not required. +.sp +\fIDefault:\fP not set +.SS key +.sp +An ordered list of \fI\%reference\fPs to TSIG keys. The query must +match one of them. Empty value means that transaction authentication is not used. +.sp +\fIDefault:\fP not set +.SS action +.sp +An ordered list of allowed (or denied) actions. +.sp +Possible values: +.INDENT 0.0 +.IP \(bu 2 +\fBnotify\fP – Allow incoming notify. +.IP \(bu 2 +\fBtransfer\fP – Allow zone transfer. +.IP \(bu 2 +\fBupdate\fP – Allow zone updates. +.UNINDENT +.sp +\fIDefault:\fP not set +.SS deny +.sp +If enabled, instead of allowing, deny the specified \fI\%action\fP, +\fI\%address\fP, \fI\%key\fP, or combination if these +items. If no action is specified, deny all actions. +.sp +\fIDefault:\fP off +.SH CONTROL SECTION +.sp +Configuration of the server control interface. +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +control: + listen: STR + timeout: TIME +.ft P +.fi +.UNINDENT +.UNINDENT +.SS listen +.sp +A UNIX socket path where the server listens for control commands. +.sp +\fIDefault:\fP \fI\%rundir\fP/knot.sock +.SS timeout +.sp +Maximum time the control socket operations can take. Set 0 for infinity. +.sp +\fIDefault:\fP 5 +.SH STATISTICS SECTION +.sp +Periodic server statistics dumping. +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +statistics: + timer: TIME + file: STR + append: BOOL +.ft P +.fi +.UNINDENT +.UNINDENT +.SS timer +.sp +A period after which all available statistics metrics will by written to the +\fI\%file\fP\&. +.sp +\fIDefault:\fP not set +.SS file +.sp +A file path of statistics output in the YAML format. +.sp +\fIDefault:\fP \fI\%rundir\fP/stats.yaml +.SS append +.sp +If enabled, the output will be appended to the \fI\%file\fP +instead of file replacement. +.sp +\fIDefault:\fP off +.SH KEYSTORE SECTION +.sp +DNSSEC keystore configuration. +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +keystore: + \- id: STR + backend: pem | pkcs11 + config: STR +.ft P +.fi +.UNINDENT +.UNINDENT +.SS id +.sp +A keystore identifier. +.SS backend +.sp +A key storage backend type. +.sp +Possible values: +.INDENT 0.0 +.IP \(bu 2 +\fBpem\fP – PEM files. +.IP \(bu 2 +\fBpkcs11\fP – PKCS #11 storage. +.UNINDENT +.sp +\fIDefault:\fP pem +.SS config +.sp +A backend specific configuration. A directory with PEM files (the path can +be specified as a relative path to \fI\%kasp\-db\fP) or +a configuration string for PKCS #11 storage (\fI<pkcs11\-url> <module\-path>\fP). +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +Example configuration string for PKCS #11: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +"pkcs11:token=knot;pin\-value=1234 /usr/lib64/pkcs11/libsofthsm2.so" +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.UNINDENT +.sp +\fIDefault:\fP \fI\%kasp\-db\fP/keys +.SH SUBMISSION SECTION +.sp +Parameters of KSK submission checks. +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +submission: + \- id: STR + parent: remote_id ... + check\-interval: TIME + timeout: TIME +.ft P +.fi +.UNINDENT +.UNINDENT +.SS id +.sp +A submission identifier. +.SS parent +.sp +A list of \fI\%references\fP to parent\(aqs DNS servers to be checked for +presence of corresponding DS records in the case of KSK submission. All of them must +have a corresponding DS for the rollover to continue. If none is specified, the +rollover must be pushed forward manually. +.sp +\fIDefault:\fP not set +.sp +\fBTIP:\fP +.INDENT 0.0 +.INDENT 3.5 +A DNSSEC\-validating resolver can be set as a parent. +.UNINDENT +.UNINDENT +.SS check\-interval +.sp +Interval for periodic checks of DS presence on parent\(aqs DNS servers, in the +case of the KSK submission. +.sp +\fIDefault:\fP 1 hour +.SS timeout +.sp +After this period, the KSK submission is automatically considered successful, even +if all the checks were negative or no parents are configured. Set 0 for infinity. +.sp +\fIDefault:\fP 0 +.SH POLICY SECTION +.sp +DNSSEC policy configuration. +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +policy: + \- id: STR + keystore: STR + manual: BOOL + single\-type\-signing: BOOL + algorithm: rsasha1 | rsasha1\-nsec3\-sha1 | rsasha256 | rsasha512 | ecdsap256sha256 | ecdsap384sha384 | ed25519 + ksk\-size: SIZE + zsk\-size: SIZE + ksk\-shared: BOOL + dnskey\-ttl: TIME + zsk\-lifetime: TIME + ksk\-lifetime: TIME + propagation\-delay: TIME + rrsig\-lifetime: TIME + rrsig\-refresh: TIME + nsec3: BOOL + nsec3\-iterations: INT + nsec3\-opt\-out: BOOL + nsec3\-salt\-length: INT + nsec3\-salt\-lifetime: TIME + ksk\-submission: submission_id + cds\-cdnskey\-publish: none | delete\-dnssec | rollover | always +.ft P +.fi +.UNINDENT +.UNINDENT +.SS id +.sp +A policy identifier. +.SS keystore +.sp +A \fI\%reference\fP to a keystore holding private key material +for zones. A special \fIdefault\fP value can be used for the default keystore settings. +.sp +\fIDefault:\fP default +.SS manual +.sp +If enabled, automatic key management is not used. +.sp +\fIDefault:\fP off +.SS single\-type\-signing +.sp +If enabled, Single\-Type Signing Scheme is used in the automatic key management +mode. +.sp +\fIDefault:\fP off +.SS algorithm +.sp +An algorithm of signing keys and issued signatures. See +\fI\%DNSSEC Algorithm Numbers\fP\&. +.sp +Possible values: +.INDENT 0.0 +.IP \(bu 2 +\fBrsasha1\fP +.IP \(bu 2 +\fBrsasha1\-nsec3\-sha1\fP +.IP \(bu 2 +\fBrsasha256\fP +.IP \(bu 2 +\fBrsasha512\fP +.IP \(bu 2 +\fBecdsap256sha256\fP +.IP \(bu 2 +\fBecdsap384sha384\fP +.IP \(bu 2 +\fBed25519\fP +.UNINDENT +.sp +\fIDefault:\fP ecdsap256sha256 +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +Ed25519 algorithm is only available when compiled with GnuTLS 3.6.0+. +.UNINDENT +.UNINDENT +.SS ksk\-size +.sp +A length of newly generated KSK or +CSK keys. +.sp +\fIDefault:\fP 2048 (rsa*), 256 (ecdsap256), 384 (ecdsap384), 256 (ed25519) +.SS zsk\-size +.sp +A length of newly generated ZSK keys. +.sp +\fIDefault:\fP see default for \fI\%ksk\-size\fP +.SS ksk\-shared +.sp +If enabled, all zones with this policy assigned will share one KSK. +.sp +\fIDefault:\fP off +.SS dnskey\-ttl +.sp +A TTL value for DNSKEY records added into zone apex. +.sp +\fIDefault:\fP zone SOA TTL +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +Has infuence over ZSK key lifetime. +.UNINDENT +.UNINDENT +.SS zsk\-lifetime +.sp +A period between ZSK publication and the next rollover initiation. +.sp +\fIDefault:\fP 30 days +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +ZSK key lifetime is also infuenced by propagation\-delay and dnskey\-ttl +.sp +Zero (aka infinity) value causes no ZSK rollover as a result. +.UNINDENT +.UNINDENT +.SS ksk\-lifetime +.sp +A period between KSK publication and the next rollover initiation. +.sp +\fIDefault:\fP 0 +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +KSK key lifetime is also infuenced by propagation\-delay, dnskey\-ttl, +and KSK submission delay. +.sp +Zero (aka infinity) value causes no KSK rollover as a result. +.sp +This applies for CSK lifetime if single\-type\-signing is enabled. +.UNINDENT +.UNINDENT +.SS propagation\-delay +.sp +An extra delay added for each key rollover step. This value should be high +enough to cover propagation of data from the master server to all slaves. +.sp +\fIDefault:\fP 1 hour +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +Has infuence over ZSK key lifetime. +.UNINDENT +.UNINDENT +.SS rrsig\-lifetime +.sp +A validity period of newly issued signatures. +.sp +\fIDefault:\fP 14 days +.SS rrsig\-refresh +.sp +A period how long before a signature expiration the signature will be refreshed. +.sp +\fIDefault:\fP 7 days +.SS nsec3 +.sp +Specifies if NSEC3 will be used instead of NSEC. +.sp +\fIDefault:\fP off +.SS nsec3\-iterations +.sp +A number of additional times the hashing is performed. +.sp +\fIDefault:\fP 5 +.SS nsec3\-opt\-out +.sp +If set, NSEC3 records won\(aqt be created for insecure delegations. +This speeds up the zone signing and reduces overall zone size. +.sp +\fBWARNING:\fP +.INDENT 0.0 +.INDENT 3.5 +NSEC3 with the Opt\-Out bit set no longer works as a proof of non\-existence +in this zone. +.UNINDENT +.UNINDENT +.sp +\fIDefault:\fP off +.SS nsec3\-salt\-length +.sp +A length of a salt field in octets, which is appended to the original owner +name before hashing. +.sp +\fIDefault:\fP 8 +.SS nsec3\-salt\-lifetime +.sp +A validity period of newly issued salt field. +.sp +\fIDefault:\fP 30 days +.SS ksk\-submission +.sp +A reference to \fI\%submission\fP section holding parameters of +KSK submittion checks. +.sp +\fIDefault:\fP not set +.SS cds\-cdnskey\-publish +.sp +Controls if and how shall the CDS and CDNSKEY be published in the zone. +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +This only applies if the zone keys are automatically managed by the server. +.UNINDENT +.UNINDENT +.sp +Possible values: +.INDENT 0.0 +.IP \(bu 2 +\fBnone\fP – Never publish any CDS or CDNSKEY records in the zone. +.IP \(bu 2 +\fBdelete\-dnssec\fP – Publish special CDS and CDNSKEY records indicating turning off DNSSEC. +.IP \(bu 2 +\fBrollover\fP – Publish CDS and CDNSKEY records only in the submission phase of KSK rollover. +.IP \(bu 2 +\fBalways\fP – Always publish CDS and CDNSKEY records for the current KSK. +.UNINDENT +.sp +\fIDefault:\fP always +.SH REMOTE SECTION +.sp +Definitions of remote servers for outgoing connections (source of a zone +transfer, target for a notification, etc.). +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +remote: + \- id: STR + address: ADDR[@INT] ... + via: ADDR[@INT] ... + key: key_id +.ft P +.fi +.UNINDENT +.UNINDENT +.SS id +.sp +A remote identifier. +.SS address +.sp +An ordered list of destination IP addresses which are used for communication +with the remote server. The addresses are tried in sequence unless the +operation is successful. Optional destination port (default is 53) +can be appended to the address using \fB@\fP separator. +.sp +\fIDefault:\fP not set +.SS via +.sp +An ordered list of source IP addresses. The first address with the same family +as the destination address is used. Optional source port (default is random) +can be appended to the address using \fB@\fP separator. +.sp +\fIDefault:\fP not set +.SS key +.sp +A \fI\%reference\fP to the TSIG key which is used to authenticate +the communication with the remote server. +.sp +\fIDefault:\fP not set +.SH TEMPLATE SECTION +.sp +A template is a shareable zone setting which can be used for configuration of +many zones in one place. A special default template (with the \fIdefault\fP identifier) +can be used for global querying configuration or as an implicit configuration +if a zone doesn\(aqt have another template specified. +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +template: + \- id: STR + timer\-db: STR + max\-timer\-db\-size: SIZE + journal\-db: STR + journal\-db\-mode: robust | asynchronous + max\-journal\-db\-size: SIZE + kasp\-db: STR + max\-kasp\-db\-size: SIZE + global\-module: STR/STR ... + # All zone options (excluding \(aqtemplate\(aq item) +.ft P +.fi +.UNINDENT +.UNINDENT +.SS id +.sp +A template identifier. +.SS timer\-db +.sp +Specifies a path of the persistent timer database. The path can be specified +as a relative path to the \fIdefault\fP template \fI\%storage\fP\&. +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +This option is only available in the \fIdefault\fP template. +.UNINDENT +.UNINDENT +.sp +\fIDefault:\fP \fI\%storage\fP/timers +.SS max\-timer\-db\-size +.sp +Hard limit for the timer database maximum size. +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +This option is only available in the \fIdefault\fP template. +.UNINDENT +.UNINDENT +.sp +\fIDefault:\fP 100 MiB +.SS journal\-db +.sp +Specifies a path of the persistent journal database. The path can be specified +as a relative path to the \fIdefault\fP template \fI\%storage\fP\&. +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +This option is only available in the \fIdefault\fP template. +.UNINDENT +.UNINDENT +.sp +\fIDefault:\fP \fI\%storage\fP/journal +.SS journal\-db\-mode +.sp +Specifies journal LMDB backend configuration, which influences performance +and durability. +.sp +Possible values: +.INDENT 0.0 +.IP \(bu 2 +\fBrobust\fP – The journal DB disk sychronization ensures DB durability but is +generally slower. +.IP \(bu 2 +\fBasynchronous\fP – The journal DB disk synchronization is optimized for +better performance at the expense of lower DB durability; this mode is +recommended only on slave nodes with many zones. +.UNINDENT +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +This option is only available in the \fIdefault\fP template. +.UNINDENT +.UNINDENT +.sp +\fIDefault:\fP robust +.SS max\-journal\-db\-size +.sp +Hard limit for the common journal DB. There is no cleanup logic in journal +to recover from reaching this limit: journal simply starts refusing changes +across all zones. Decreasing this value has no effect if lower than actual +DB file size. +.sp +It is recommended to limit \fI\%max\-journal\-usage\fP +per\-zone instead of max\-journal\-size in most cases. Please keep this value +larger than the sum of all zones\(aq journal usage limits. See more details +regarding journal behaviour\&. +.sp +This value also influences server\(aqs usage of virtual memory. +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +This option is only available in the \fIdefault\fP template. +.UNINDENT +.UNINDENT +.sp +\fIDefault:\fP 20 GiB (1 GiB for 32\-bit) +.SS kasp\-db +.sp +A KASP database path. Non\-absolute path is relative to +\fI\%storage\fP\&. +.sp +\fIDefault:\fP \fI\%storage\fP/keys +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +This option is only available in the \fIdefault\fP template. +.UNINDENT +.UNINDENT +.SS max\-kasp\-db\-size +.sp +Hard limit for the KASP database maximum size. +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +This option is only available in the \fIdefault\fP template. +.UNINDENT +.UNINDENT +.sp +\fIDefault:\fP 500 MiB +.SS global\-module +.sp +An ordered list of references to query modules in the form of \fImodule_name\fP or +\fImodule_name/module_id\fP\&. These modules apply to all queries. +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +This option is only available in the \fIdefault\fP template. +.UNINDENT +.UNINDENT +.sp +\fIDefault:\fP not set +.SH ZONE SECTION +.sp +Definition of zones served by the server. +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +zone: + \- domain: DNAME + template: template_id + storage: STR + file: STR + master: remote_id ... + ddns\-master: remote_id + notify: remote_id ... + acl: acl_id ... + semantic\-checks: BOOL + disable\-any: BOOL + zonefile\-sync: TIME + zonefile\-load: none | difference | difference\-no\-serial | whole + journal\-content: none | changes | all + max\-journal\-usage: SIZE + max\-journal\-depth: INT + max\-zone\-size : SIZE + dnssec\-signing: BOOL + dnssec\-policy: STR + request\-edns\-option: INT:[HEXSTR] + serial\-policy: increment | unixtime | dateserial + min\-refresh\-interval: TIME + max\-refresh\-interval: TIME + module: STR/STR ... +.ft P +.fi +.UNINDENT +.UNINDENT +.SS domain +.sp +A zone name identifier. +.SS template +.sp +A \fI\%reference\fP to a configuration template. +.sp +\fIDefault:\fP not set or \fIdefault\fP (if the template exists) +.SS storage +.sp +A data directory for storing zone files, journal database, and timers database. +.sp +\fIDefault:\fP \fB${localstatedir}/lib/knot\fP (configured with \fB\-\-with\-storage=path\fP) +.SS file +.sp +A path to the zone file. Non\-absolute path is relative to +\fI\%storage\fP\&. It is also possible to use the following formatters: +.INDENT 0.0 +.IP \(bu 2 +\fB%c[\fP\fIN\fP\fB]\fP or \fB%c[\fP\fIN\fP\fB\-\fP\fIM\fP\fB]\fP – Means the \fIN\fPth +character or a sequence of characters beginning from the \fIN\fPth and ending +with the \fIM\fPth character of the textual zone name (see \fB%s\fP). The +indexes are counted from 0 from the left. All dots (including the terminal +one) are considered. If the character is not available, the formatter has no effect. +.IP \(bu 2 +\fB%l[\fP\fIN\fP\fB]\fP – Means the \fIN\fPth label of the textual zone name +(see \fB%s\fP). The index is counted from 0 from the right (0 ~ TLD). +If the label is not available, the formatter has no effect. +.IP \(bu 2 +\fB%s\fP – Means the current zone name in the textual representation. +The zone name doesn\(aqt include the terminating dot (the result for the root +zone is the empty string!). +.IP \(bu 2 +\fB%%\fP – Means the \fB%\fP character. +.UNINDENT +.sp +\fBWARNING:\fP +.INDENT 0.0 +.INDENT 3.5 +Beware of special characters which are escaped or encoded in the \eDDD form +where DDD is corresponding decimal ASCII code. +.UNINDENT +.UNINDENT +.sp +\fIDefault:\fP \fI\%storage\fP/\fB%s\fP\&.zone +.SS master +.sp +An ordered list of \fI\%references\fP to zone master servers. +.sp +\fIDefault:\fP not set +.SS ddns\-master +.sp +A \fI\%reference\fP to zone primary master server. +If not specified, the first \fI\%master\fP server is used. +.sp +\fIDefault:\fP not set +.SS notify +.sp +An ordered list of \fI\%references\fP to remotes to which notify +message is sent if the zone changes. +.sp +\fIDefault:\fP not set +.SS acl +.sp +An ordered list of \fI\%references\fP to ACL rules which can allow +or disallow zone transfers, updates or incoming notifies. +.sp +\fIDefault:\fP not set +.SS semantic\-checks +.sp +If enabled, extra zone semantic checks are turned on. +.sp +Several checks are enabled by default and cannot be turned off. An error in +mandatory checks causes zone not to be loaded. An error in extra checks is +logged only. +.sp +Mandatory checks: +.INDENT 0.0 +.IP \(bu 2 +SOA record missing in the zone (\fI\%RFC 1034\fP) +.IP \(bu 2 +An extra record together with CNAME record except for RRSIG and DS (\fI\%RFC 1034\fP) +.IP \(bu 2 +Multiple CNAME record with the same owner +.IP \(bu 2 +DNAME record having a record under it (\fI\%RFC 2672\fP) +.UNINDENT +.sp +Extra checks: +.INDENT 0.0 +.IP \(bu 2 +Missing NS record at the zone apex +.IP \(bu 2 +Missing glue A or AAAA record +.IP \(bu 2 +Invalid DNSKEY, DS, or NSEC3PARAM record +.IP \(bu 2 +CDS or CDNSKEY inconsistency +.IP \(bu 2 +Missing, invalid, or unverifiable RRSIG record +.IP \(bu 2 +Invalid NSEC(3) record +.IP \(bu 2 +Broken or non\-cyclic NSEC(3) chain +.UNINDENT +.sp +\fIDefault:\fP off +.SS disable\-any +.sp +If enabled, all authoritative ANY queries sent over UDP will be answered +with an empty response and with the TC bit set. Use this option to minimize +the risk of DNS reflection attack. +.sp +\fIDefault:\fP off +.SS zonefile\-sync +.sp +The time after which the current zone in memory will be synced with a zone file +on the disk (see \fI\%file\fP). The server will serve the latest +zone even after a restart using zone journal, but the zone file on the disk will +only be synced after \fBzonefile\-sync\fP time has expired (or after manual zone +flush). This is applicable when the zone is updated via IXFR, DDNS or automatic +DNSSEC signing. In order to completely disable automatic zone file synchronization, +set the value to \-1. In that case, it is still possible to force a manual zone flush +using the \fB\-f\fP option. +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +If you are serving large zones with frequent updates where +the immediate sync with a zone file is not desirable, increase the value. +.UNINDENT +.UNINDENT +.sp +\fIDefault:\fP 0 (immediate) +.SS zonefile\-load +.sp +Selects how the zone file contents are applied during zone load. +.sp +Possible values: +.INDENT 0.0 +.IP \(bu 2 +\fBnone\fP – The zone file is not used at all. +.IP \(bu 2 +\fBdifference\fP – If the zone contents are already available during server start or reload, +the difference is computed between them and the contents of the zone file. This difference +is then checked for semantic errors and +applied to the current zone contents. +.IP \(bu 2 +\fBdifference\-no\-serial\fP – Same as \fBdifference\fP, but the SOA serial in the zone file is +ignored, the server takes care of incrementing the serial automatically. +.IP \(bu 2 +\fBwhole\fP – Zone contents are loaded from the zone file. +.UNINDENT +.sp +When \fBdifference\fP is configured and there are no zone contents yet (cold start of Knot +and no zone contents in journal), it behaves the same way like \fBwhole\fP\&. +.sp +\fIDefault:\fP whole +.SS journal\-content +.sp +Selects how the journal shall be used to store zone and its changes. +.sp +Possible values: +.INDENT 0.0 +.IP \(bu 2 +\fBnone\fP – The journal is not used at all. +.IP \(bu 2 +\fBchanges\fP – Zone changes history is stored in journal. +.IP \(bu 2 +\fBall\fP – Zone contents and history is stored in journal. +.UNINDENT +.sp +\fIDefault:\fP changes +.SS max\-journal\-usage +.sp +Policy how much space in journal DB will the zone\(aqs journal occupy. +.sp +\fIDefault:\fP 100 MiB +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +Journal DB may grow far above the sum of max\-journal\-usage across +all zones, because of DB free space fragmentation. +.UNINDENT +.UNINDENT +.SS max\-journal\-depth +.sp +Maximum history length of journal. +.sp +\fIMinimum:\fP 2 +.sp +\fIDefault:\fP 2^64 +.SS max\-zone\-size +.sp +Maximum size of the zone. The size is measured as size of the zone records +in wire format without compression. The limit is enforced for incoming zone +transfers and dynamic updates. +.sp +For incremental transfers (IXFR), the effective limit for the total size of +the records in the transfer is twice the configured value. However the final +size of the zone must satisfy the configured value. +.sp +\fIDefault:\fP 2^64 +.SS dnssec\-signing +.sp +If enabled, automatic DNSSEC signing for the zone is turned on. +.sp +\fIDefault:\fP off +.SS dnssec\-policy +.sp +A \fI\%reference\fP to DNSSEC signing policy. A special \fIdefault\fP +value can be used for the default policy settings. +.sp +\fIRequired\fP +.SS request\-edns\-option +.sp +An arbitrary EDNS0 option which is included into a server request (AXFR, IXFR, +SOA, or NOTIFY). The value is in the option_code:option_data format. +.sp +\fIDefault:\fP not set +.SS serial\-policy +.sp +Specifies how the zone serial is updated after a dynamic update or +automatic DNSSEC signing. If the serial is changed by the dynamic update, +no change is made. +.sp +Possible values: +.INDENT 0.0 +.IP \(bu 2 +\fBincrement\fP – The serial is incremented according to serial number arithmetic. +.IP \(bu 2 +\fBunixtime\fP – The serial is set to the current unix time. +.IP \(bu 2 +\fBdateserial\fP – The 10\-digit serial (YYYYMMDDnn) is incremented, the first +8 digits match the current iso\-date. +.UNINDENT +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +In case of \fBunixtime\fP, if the resulting serial is lower or equal than current zone +(this happens e.g. in case of migrating from other policy or frequent updates) +the serial is incremented instead. +.sp +Use dateserial only if you expect less than 100 updates per day per zone. +.UNINDENT +.UNINDENT +.sp +\fIDefault:\fP increment +.SS min\-refresh\-interval +.sp +Forced minimum zone refresh interval to avoid flooding master. +.sp +\fIDefault:\fP 2 +.SS max\-refresh\-interval +.sp +Forced maximum zone refresh interval. +.sp +\fIDefault:\fP not set +.SS module +.sp +An ordered list of references to query modules in the form of \fImodule_name\fP or +\fImodule_name/module_id\fP\&. These modules apply only to the current zone queries. +.sp +\fIDefault:\fP not set +.SH LOGGING SECTION +.sp +Server can be configured to log to the standard output, standard error +output, syslog (or systemd journal if systemd is enabled) or into an arbitrary +file. +.sp +There are 6 logging severity levels: +.INDENT 0.0 +.IP \(bu 2 +\fBcritical\fP – Non\-recoverable error resulting in server shutdown. +.IP \(bu 2 +\fBerror\fP – Recoverable error, action should be taken. +.IP \(bu 2 +\fBwarning\fP – Warning that might require user action. +.IP \(bu 2 +\fBnotice\fP – Server notice or hint. +.IP \(bu 2 +\fBinfo\fP – Informational message. +.IP \(bu 2 +\fBdebug\fP – Debug messages (must be turned on at compile time). +.UNINDENT +.sp +In the case of missing log section, \fBwarning\fP or more serious messages +will be logged to both standard error output and syslog. The \fBinfo\fP and +\fBnotice\fP messages will be logged to standard output. +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +log: + \- target: stdout | stderr | syslog | STR + server: critical | error | warning | notice | info | debug + control: critical | error | warning | notice | info | debug + zone: critical | error | warning | notice | info | debug + any: critical | error | warning | notice | info | debug +.ft P +.fi +.UNINDENT +.UNINDENT +.SS target +.sp +A logging output. +.sp +Possible values: +.INDENT 0.0 +.IP \(bu 2 +\fBstdout\fP – Standard output. +.IP \(bu 2 +\fBstderr\fP – Standard error output. +.IP \(bu 2 +\fBsyslog\fP – Syslog. +.IP \(bu 2 +\fIfile_name\fP – A specific file. +.UNINDENT +.SS server +.sp +Minimum severity level for messages related to general operation of the server +that are logged. +.sp +\fIDefault:\fP not set +.SS control +.sp +Minimum severity level for messages related to server control that are logged. +.sp +\fIDefault:\fP not set +.SS zone +.sp +Minimum severity level for messages related to zones that are logged. +.sp +\fIDefault:\fP not set +.SS any +.sp +Minimum severity level for all message types that are logged. +.sp +\fIDefault:\fP not set +.SH AUTHOR +CZ.NIC Labs <https://www.knot-dns.cz> +.SH COPYRIGHT +Copyright 2010–2019, CZ.NIC, z.s.p.o. +.\" Generated by docutils manpage writer. +. diff --git a/doc/man/knotc.8in b/doc/man/knotc.8in new file mode 100644 index 0000000..88fedb9 --- /dev/null +++ b/doc/man/knotc.8in @@ -0,0 +1,324 @@ +.\" Man page generated from reStructuredText. +. +.TH "KNOTC" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS" +.SH NAME +knotc \- Knot DNS control utility +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBknotc\fP [\fIparameters\fP] \fIaction\fP [\fIaction_args\fP] +.SH DESCRIPTION +.sp +If no \fIaction\fP is specified, the program is executed in interactive mode. +.SS Parameters +.INDENT 0.0 +.TP +\fB\-c\fP, \fB\-\-config\fP \fIfile\fP +Use a textual configuration file (default is \fB@config_dir@/knot.conf\fP). +.TP +\fB\-C\fP, \fB\-\-confdb\fP \fIdirectory\fP +Use a binary configuration database directory (default is \fB@storage_dir@/confdb\fP). +The default configuration database, if exists, has a preference to the default +configuration file. +.TP +\fB\-m\fP, \fB\-\-max\-conf\-size\fP \fIMiB\fP +Set maximum configuration size (default is @conf_mapsize@ MiB, maximum 10000 MiB). +.TP +\fB\-s\fP, \fB\-\-socket\fP \fIpath\fP +Use a control UNIX socket path (default is \fB@run_dir@/knot.sock\fP). +.TP +\fB\-t\fP, \fB\-\-timeout\fP \fIseconds\fP +Use a control timeout in seconds. Set 0 for infinity (default is 10). +.TP +\fB\-f\fP, \fB\-\-force\fP +Forced operation. Overrides some checks. +.TP +\fB\-v\fP, \fB\-\-verbose\fP +Enable debug output. +.TP +\fB\-h\fP, \fB\-\-help\fP +Print the program help. +.TP +\fB\-V\fP, \fB\-\-version\fP +Print the program version. +.UNINDENT +.SS Actions +.INDENT 0.0 +.TP +\fBstatus\fP [\fIdetail\fP] +Check if the server is running. Details are \fBversion\fP for the running +server version, \fBworkers\fP for the numbers of worker threads, +or \fBconfigure\fP for the configure summary. +.TP +\fBstop\fP +Stop the server if running. +.TP +\fBreload\fP +Reload the server configuration and modified zone files. All open zone +transactions will be aborted! +.TP +\fBstats\fP [\fImodule\fP[\fB\&.\fP\fIcounter\fP]] +Show global statistics counter(s). To print also counters with value 0, use +force option. +.TP +\fBzone\-status\fP \fIzone\fP [\fIfilter\fP] +Show the zone status. Filters are \fB+role\fP, \fB+serial\fP, \fB+transaction\fP, +\fB+events\fP, and \fB+freeze\fP\&. +.TP +\fBzone\-check\fP [\fIzone\fP\&...] +Test if the server can load the zone. Semantic checks are executed if enabled +in the configuration. (*) +.TP +\fBzone\-memstats\fP [\fIzone\fP\&...] +Estimate memory use for the zone. (*) +.TP +\fBzone\-reload\fP [\fIzone\fP\&...] +Trigger a zone reload from a disk without checking its modification time. For +slave zone, the refresh from a master server is scheduled; for master zone, +the notification of slave servers is scheduled. An open zone transaction +will be aborted! +.TP +\fBzone\-refresh\fP [\fIzone\fP\&...] +Trigger a check for the zone serial on the zone\(aqs master. If the master has a +newer zone, a transfer is scheduled. This command is valid for slave zones. +.TP +\fBzone\-retransfer\fP [\fIzone\fP\&...] +Trigger a zone transfer from the zone\(aqs master. The server doesn\(aqt check the +serial of the master\(aqs zone. This command is valid for slave zones. +.TP +\fBzone\-notify\fP [\fIzone\fP\&...] +Trigger a NOTIFY message to all configured remotes. This can help in cases +when previous NOTIFY had been lost or the slaves offline. +.TP +\fBzone\-flush\fP [\fIzone\fP\&...] [\fB+outdir\fP \fIdirectory\fP] +Trigger a zone journal flush into the zone file. If output dir is specified, +instead of flushing the zonefile, the zone is dumped to a file in the specified +directory. +.TP +\fBzone\-sign\fP [\fIzone\fP\&...] +Trigger a DNSSEC re\-sign of the zone. Existing signatures will be dropped. +This command is valid for zones with DNSSEC signing enabled. +.TP +\fBzone\-ksk\-submitted\fP \fIzone\fP\&... +Use when the zone\(aqs KSK rollover is in submittion phase. By calling this command +the user confirms manually that the parent zone contains DS record for the new +KSK in submission phase and the old KSK can be retired. +.TP +\fBzone\-freeze\fP [\fIzone\fP\&...] +Temporarily postpone zone\-changing events (load, refresh, update, flush, and +DNSSEC signing). +.TP +\fBzone\-thaw\fP [\fIzone\fP\&...] +Dismiss zone freeze. +.TP +\fBzone\-read\fP \fIzone\fP [\fIowner\fP [\fItype\fP]] +Get zone data that are currently being presented. +.TP +\fBzone\-begin\fP \fIzone\fP\&... +Begin a zone transaction. +.TP +\fBzone\-commit\fP \fIzone\fP\&... +Commit the zone transaction. All changes are applied to the zone. +.TP +\fBzone\-abort\fP \fIzone\fP\&... +Abort the zone transaction. All changes are discarded. +.TP +\fBzone\-diff\fP \fIzone\fP +Get zone changes within the transaction. +.TP +\fBzone\-get\fP \fIzone\fP [\fIowner\fP [\fItype\fP]] +Get zone data within the transaction. +.TP +\fBzone\-set\fP \fIzone\fP \fIowner\fP [\fIttl\fP] \fItype\fP \fIrdata\fP +Add zone record within the transaction. The first record in a rrset +requires a ttl value specified. +.TP +\fBzone\-unset\fP \fIzone\fP \fIowner\fP [\fItype\fP [\fIrdata\fP]] +Remove zone data within the transaction. +.TP +\fBzone\-purge\fP \fIzone\fP\&... [\fIfilter\fP\&...] +Purge zone data, zone file, journal, timers, and/or KASP data of specified zones. +Available filters are \fB+expire\fP, \fB+zonefile\fP, \fB+journal\fP, \fB+timers\fP, +and \fB+kaspdb\fP\&. If no filter is specified, all filters are enabled. +If the zone is no longer configured, add \fB+orphan\fP filter (zone file cannot +be purged in this case). +.TP +\fBzone\-stats\fP \fIzone\fP [\fImodule\fP[\fB\&.\fP\fIcounter\fP]] +Show zone statistics counter(s). To print also counters with value 0, use +force option. +.TP +\fBconf\-init\fP +Initialize the configuration database. (*) +.TP +\fBconf\-check\fP +Check the server configuration. (*) +.TP +\fBconf\-import\fP \fIfilename\fP +Import a configuration file into the configuration database. Ensure the +server is not using the configuration database! (*) +.TP +\fBconf\-export\fP [\fIfilename\fP] +Export the configuration database into a config file or stdout. (*) +.TP +\fBconf\-list\fP [\fIitem\fP] +List the configuration database sections or section items. +.TP +\fBconf\-read\fP [\fIitem\fP] +Read the item from the active configuration database. +.TP +\fBconf\-begin\fP +Begin a writing configuration database transaction. Only one transaction +can be opened at a time. +.TP +\fBconf\-commit\fP +Commit the configuration database transaction. +.TP +\fBconf\-abort\fP +Rollback the configuration database transaction. +.TP +\fBconf\-diff\fP [\fIitem\fP] +Get the item difference in the transaction. +.TP +\fBconf\-get\fP [\fIitem\fP] +Get the item data from the transaction. +.TP +\fBconf\-set\fP \fIitem\fP [\fIdata\fP\&...] +Set the item data in the transaction. +.TP +\fBconf\-unset\fP [\fIitem\fP] [\fIdata\fP\&...] +Unset the item data in the transaction. +.UNINDENT +.SS Note +.sp +Empty or \fB\-\-\fP \fIzone\fP parameter means all zones or all zones with a transaction. +.sp +Use \fB@\fP \fIowner\fP to denote the zone name. +.sp +Type \fIitem\fP parameter in the form of \fIsection\fP[\fB[\fP\fIid\fP\fB]\fP][\fB\&.\fP\fIname\fP]. +.sp +(*) indicates a local operation which requires a configuration. +.SS Interactive mode +.sp +The utility provides interactive mode with basic line editing functionality, +command completion, and command history. +.sp +Interactive mode behavior can be customized in \fI~/.editrc\fP\&. Refer to +\fBeditrc(5)\fP for details. +.sp +Command history is saved in \fI~/.knotc_history\fP\&. +.SH EXAMPLES +.SS Reload the whole server configuration +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +$ knotc reload +.ft P +.fi +.UNINDENT +.UNINDENT +.SS Flush the example.com and example.org zones +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +$ knotc zone\-flush example.com example.org +.ft P +.fi +.UNINDENT +.UNINDENT +.SS Get the current server configuration +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +$ knotc conf\-read server +.ft P +.fi +.UNINDENT +.UNINDENT +.SS Get the list of the current zones +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +$ knotc conf\-read zone.domain +.ft P +.fi +.UNINDENT +.UNINDENT +.SS Get the master remotes for the example.com zone +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +$ knotc conf\-read \(aqzone[example.com].master\(aq +.ft P +.fi +.UNINDENT +.UNINDENT +.SS Add example.org zone with a zonefile location +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +$ knotc conf\-begin +$ knotc conf\-set \(aqzone[example.org]\(aq +$ knotc conf\-set \(aqzone[example.org].file\(aq \(aq/var/zones/example.org.zone\(aq +$ knotc conf\-commit +.ft P +.fi +.UNINDENT +.UNINDENT +.SS Get the SOA record for each configured zone +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +$ knotc zone\-read \-\- @ SOA +.ft P +.fi +.UNINDENT +.UNINDENT +.SH SEE ALSO +.sp +\fBknotd(8)\fP, \fBknot.conf(5)\fP, \fBeditrc(5)\fP\&. +.SH AUTHOR +CZ.NIC Labs <https://www.knot-dns.cz> +.SH COPYRIGHT +Copyright 2010–2019, CZ.NIC, z.s.p.o. +.\" Generated by docutils manpage writer. +. diff --git a/doc/man/knotd.8in b/doc/man/knotd.8in new file mode 100644 index 0000000..2ae6450 --- /dev/null +++ b/doc/man/knotd.8in @@ -0,0 +1,76 @@ +.\" Man page generated from reStructuredText. +. +.TH "KNOTD" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS" +.SH NAME +knotd \- Knot DNS server daemon +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBknotd\fP [\fIparameters\fP] +.SH DESCRIPTION +.SS Parameters +.INDENT 0.0 +.TP +\fB\-c\fP, \fB\-\-config\fP \fIfile\fP +Use a textual configuration file (default is \fB@config_dir@/knot.conf\fP). +.TP +\fB\-C\fP, \fB\-\-confdb\fP \fIdirectory\fP +Use a binary configuration database directory (default is \fB@storage_dir@/confdb\fP). +The default configuration database, if exists, has a preference to the default +configuration file. +.TP +\fB\-m\fP, \fB\-\-max\-conf\-size\fP \fIMiB\fP +Set maximum configuration size (default is @conf_mapsize@ MiB, maximum 10000 MiB). +.TP +\fB\-s\fP, \fB\-\-socket\fP \fIpath\fP +Use a remote control UNIX socket path (default is \fB@run_dir@/knot.sock\fP). +.TP +\fB\-d\fP, \fB\-\-daemonize\fP [\fIdirectory\fP] +Run the server as a daemon. New root directory may be specified +(default is \fB/\fP). +.TP +\fB\-v\fP, \fB\-\-verbose\fP +Enable debug output. +.TP +\fB\-h\fP, \fB\-\-help\fP +Print the program help. +.TP +\fB\-V\fP, \fB\-\-version\fP +Print the program version. +.UNINDENT +.SH SEE ALSO +.sp +\fBknot.conf(5)\fP, \fBknotc(8)\fP, \fBkeymgr(8)\fP, +\fBkjournalprint(8)\fP\&. +.SH AUTHOR +CZ.NIC Labs <https://www.knot-dns.cz> +.SH COPYRIGHT +Copyright 2010–2019, CZ.NIC, z.s.p.o. +.\" Generated by docutils manpage writer. +. diff --git a/doc/man/knsec3hash.1in b/doc/man/knsec3hash.1in new file mode 100644 index 0000000..a450097 --- /dev/null +++ b/doc/man/knsec3hash.1in @@ -0,0 +1,87 @@ +.\" Man page generated from reStructuredText. +. +.TH "KNSEC3HASH" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS" +.SH NAME +knsec3hash \- Simple utility to compute NSEC3 hash +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBknsec3hash\fP \fIsalt\fP \fIalgorithm\fP \fIiterations\fP \fIname\fP +.SH DESCRIPTION +.sp +This utility generates a NSEC3 hash for a given domain name and parameters of NSEC3 hash. +.SS Parameters +.INDENT 0.0 +.TP +\fIsalt\fP +Specifies a binary salt encoded as a hexadecimal string. +.TP +\fIalgorithm\fP +Specifies a hashing algorithm by number. Currently, the only supported algorithm is SHA\-1 (number 1). +.TP +\fIiterations\fP +Specifies the number of additional iterations of the hashing algorithm. +.TP +\fIname\fP +Specifies the domain name to be hashed. +.UNINDENT +.SH EXAMPLES +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +$ knsec3hash c01dcafe 1 10 knot\-dns.cz +7PTVGE7QV67EM61ROS9238P5RAKR2DM7 (salt=c01dcafe, hash=1, iterations=10) +.ft P +.fi +.UNINDENT +.UNINDENT +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +$ knsec3hash \- 1 0 net +A1RT98BS5QGC9NFI51S9HCI47ULJG6JH (salt=\-, hash=1, iterations=0) +.ft P +.fi +.UNINDENT +.UNINDENT +.SH SEE ALSO +.sp +\fI\%RFC 5155\fP – DNS Security (DNSSEC) Hashed Authenticated Denial of Existence. +.sp +\fBknotc(8)\fP, \fBknotd(8)\fP\&. +.SH AUTHOR +CZ.NIC Labs <https://www.knot-dns.cz> +.SH COPYRIGHT +Copyright 2010–2019, CZ.NIC, z.s.p.o. +.\" Generated by docutils manpage writer. +. diff --git a/doc/man/knsupdate.1in b/doc/man/knsupdate.1in new file mode 100644 index 0000000..10c0b87 --- /dev/null +++ b/doc/man/knsupdate.1in @@ -0,0 +1,198 @@ +.\" Man page generated from reStructuredText. +. +.TH "KNSUPDATE" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS" +.SH NAME +knsupdate \- Dynamic DNS update utility +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBknsupdate\fP [\fIoptions\fP] [\fIfilename\fP] +.SH DESCRIPTION +.sp +This utility sends Dynamic DNS update messages to a DNS server. Update content +is read from a file (if the parameter \fIfilename\fP is given) or from the standard +input. +.sp +The format of updates is textual and is made up of commands. Every command is +placed on the separate line of the input. Lines starting with a semicolon are +comments and are not processed. +.SS Options +.INDENT 0.0 +.TP +\fB\-d\fP +Enable debug messages. +.TP +\fB\-h\fP, \fB\-\-help\fP +Print the program help. +.TP +\fB\-k\fP \fIkeyfile\fP +Use the TSIG key stored in a file \fIkeyfile\fP to authenticate the request. The +file should contain the key in the same format, which is accepted by the +\fB\-y\fP option. +.TP +\fB\-p\fP \fIport\fP +Set the port to use for connections to the server (if not explicitly specified +in the update). The default is 53. +.TP +\fB\-r\fP \fIretries\fP +The number of retries for UDP requests. The default is 3. +.TP +\fB\-t\fP \fItimeout\fP +The total timeout (for all UDP update tries) of the update request in seconds. +The default is 12. If set to zero, the timeout is infinite. +.TP +\fB\-v\fP +Use a TCP connection. +.TP +\fB\-V\fP, \fB\-\-version\fP +Print the program version. +.TP +\fB\-y\fP [\fIalg\fP:]\fIname\fP:\fIkey\fP +Use the TSIG key with a name \fIname\fP to authenticate the request. The \fIalg\fP +part specifies the algorithm (the default is hmac\-sha256) and \fIkey\fP specifies +the shared secret encoded in Base64. +.UNINDENT +.SS Commands +.INDENT 0.0 +.TP +\fBserver\fP \fIname\fP [\fIport\fP] +Specifies a receiving server of the dynamic update message. The \fIname\fP parameter +can be either a host name or an IP address. If the \fIport\fP is not specified, +the default port is used. The default port value can be controlled using +the \fB\-p\fP program option. +.TP +\fBlocal\fP \fIaddress\fP [\fIport\fP] +Specifies outgoing \fIaddress\fP and \fIport\fP\&. If no local is specified, the +address and port are set by the system automatically. The default port number +is 0. +.TP +\fBzone\fP \fIname\fP +Specifies that all updates are done within a zone \fIname\fP\&. If not used, +the default zone is the root zone. +.TP +\fBorigin\fP \fIname\fP +Specifies fully qualified domain name suffix which is appended to non\-fqd +owners in update commands. The default origin is the root zone. +.TP +\fBclass\fP \fIname\fP +Sets \fIname\fP as the default class for all updates. If not used, the default +class is IN. +.TP +\fBttl\fP \fIvalue\fP +Sets \fIvalue\fP as the default TTL (in seconds). If not used, the default value +is 0. +.TP +\fBkey\fP [\fIalg\fP:]\fIname\fP \fIkey\fP +Specifies the TSIG \fIkey\fP named \fIname\fP to authenticate the request. An optional +\fIalg\fP algorithm can be specified. This command has the same effect as +the program option \fB\-y\fP\&. +.TP +[\fBprereq\fP] \fBnxdomain\fP \fIname\fP +Adds a prerequisite for a non\-existing record owned by \fIname\fP\&. +.TP +[\fBprereq\fP] \fByxdomain\fP \fIname\fP +Adds a prerequisite for an existing record owned by \fIname\fP\&. +.TP +[\fBprereq\fP] \fBnxrrset\fP \fIname\fP [\fIclass\fP] \fItype\fP +Adds a prerequisite for a non\-existing record of the \fItype\fP owned by \fIname\fP\&. +Internet \fIclass\fP is expected. +.TP +[\fBprereq\fP] \fByxrrset\fP \fIname\fP [\fIclass\fP] \fItype\fP [\fIdata\fP] +Adds a prerequisite for an existing record of the \fItype\fP owned by \fIname\fP +with optional \fIdata\fP\&. Internet \fIclass\fP is expected. +.TP +[\fBupdate\fP] \fBadd\fP \fIname\fP [\fIttl\fP] [\fIclass\fP] \fItype\fP \fIdata\fP +Adds a request to add a new resource record into the zone. +Please note that if the \fIname\fP is not fully qualified domain name, the +current origin name is appended to it. +.TP +[\fBupdate\fP] \fBdel\fP[\fBete\fP] \fIname\fP [\fIttl\fP] [\fIclass\fP] [\fItype\fP] [\fIdata\fP] +Adds a request to remove all (or matching \fIclass\fP, \fItype\fP or \fIdata\fP) +resource records from the zone. There is the same requirement for the \fIname\fP +parameter as in \fBupdate add\fP command. The \fIttl\fP item is ignored. +.TP +\fBshow\fP +Displays current content of the update message. +.TP +\fBsend\fP +Sends the current update message and cleans the list of updates. +.TP +\fBanswer\fP +Displays the last answer from the server. +.TP +\fBdebug\fP +Enable debugging. This command has the same meaning as the \fB\-d\fP program option. +.TP +\fBquit\fP +Quit the program. +.UNINDENT +.SH NOTES +.sp +Options \fB\-k\fP and \fB\-y\fP can not be used simultaneously. +.sp +Dnssec\-keygen keyfile format is not supported. Use \fBkeymgr(8)\fP instead. +.sp +Zone name/server guessing is not supported if the zone name/server is not specified. +.sp +Empty line doesn\(aqt send the update. +.SH EXAMPLES +.INDENT 0.0 +.IP 1. 3 +Send one update of the zone example.com to the server 192.168.1.1. The update +contains two new records: +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +$ knsupdate +> server 192.168.1.1 +> zone example.com. +> origin example.com. +> ttl 3600 +> add test1.example.com. 7200 A 192.168.2.2 +> add test2 TXT "hello" +> show +> send +> answer +> quit +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.SH SEE ALSO +.sp +\fBkdig(1)\fP, \fBkhost(1)\fP, \fBkeymgr(8)\fP\&. +.SH AUTHOR +CZ.NIC Labs <https://www.knot-dns.cz> +.SH COPYRIGHT +Copyright 2010–2019, CZ.NIC, z.s.p.o. +.\" Generated by docutils manpage writer. +. diff --git a/doc/man/kzonecheck.1in b/doc/man/kzonecheck.1in new file mode 100644 index 0000000..cb8fe22 --- /dev/null +++ b/doc/man/kzonecheck.1in @@ -0,0 +1,73 @@ +.\" Man page generated from reStructuredText. +. +.TH "KZONECHECK" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS" +.SH NAME +kzonecheck \- Knot DNS zone check tool +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBkzonecheck\fP [\fIoptions\fP] \fIfilename\fP +.SH DESCRIPTION +.sp +The utility checks zone file syntax and runs semantic checks on the zone +content. The executed checks are the same as the checks run by the Knot +DNS server. +.sp +Please, refer to the \fBsemantic\-checks\fP configuration option in +\fBknot.conf(5)\fP for the full list of available semantic checks. +.SS Options +.INDENT 0.0 +.TP +\fB\-o\fP, \fB\-\-origin\fP \fIorigin\fP +Zone origin. If not specified, the origin is determined from the file name +(possibly removing the \fB\&.zone\fP suffix). +.TP +\fB\-t\fP, \fB\-\-time\fP \fItime\fP +Current time specification. Use UNIX timestamp, YYYYMMDDHHmmSS +format, or [+/\-]\fItime\fP[unit] format, where unit can be \fBY\fP, \fBM\fP, +\fBD\fP, \fBh\fP, \fBm\fP, or \fBs\fP\&. Default is current UNIX timestamp. +.TP +\fB\-v\fP, \fB\-\-verbose\fP +Enable debug output. +.TP +\fB\-h\fP, \fB\-\-help\fP +Print the program help. +.TP +\fB\-V\fP, \fB\-\-version\fP +Print the program version. +.UNINDENT +.SH SEE ALSO +.sp +\fBknotd(8)\fP, \fBknot.conf(5)\fP\&. +.SH AUTHOR +CZ.NIC Labs <https://www.knot-dns.cz> +.SH COPYRIGHT +Copyright 2010–2019, CZ.NIC, z.s.p.o. +.\" Generated by docutils manpage writer. +. diff --git a/doc/man_kdig.rst b/doc/man_kdig.rst new file mode 100644 index 0000000..c1b3961 --- /dev/null +++ b/doc/man_kdig.rst @@ -0,0 +1,324 @@ +.. highlight:: console + +kdig – Advanced DNS lookup utility +================================== + +Synopsis +-------- + +:program:`kdig` [*common-settings*] [*query* [*settings*]]... + +:program:`kdig` **-h** + +Description +----------- + +This utility sends one or more DNS queries to a nameserver. Each query can have +individual *settings*, or it can be specified globally via *common-settings*, +which must precede *query* specification. + +Parameters +.......... + +*query* + *name* | **-q** *name* | **-x** *address* | **-G** *tapfile* + +*common-settings*, *settings* + [*query_class*] [*query_type*] [**@**\ *server*]... [*options*] + +*name* + Is a domain name that is to be looked up. + +*server* + Is a domain name or an IPv4 or IPv6 address of the nameserver to send a query + to. An additional port can be specified using address:port ([address]:port + for IPv6 address), address@port, or address#port notation. If no server is + specified, the servers from :file:`/etc/resolv.conf` are used. + +If no arguments are provided, :program:`kdig` sends NS query for the root +zone. + +Query classes +............. + +A *query_class* can be either a DNS class name (IN, CH) or generic class +specification **CLASS**\ *XXXXX* where *XXXXX* is a corresponding decimal +class number. The default query class is IN. + +Query types +........... + +A *query_type* can be either a DNS resource record type +(A, AAAA, NS, SOA, DNSKEY, ANY, etc.) or one of the following: + +**TYPE**\ *XXXXX* + Generic query type specification where *XXXXX* is a corresponding decimal + type number. + +**AXFR** + Full zone transfer request. + +**IXFR=**\ *serial* + Incremental zone transfer request for specified starting SOA serial number. + +**NOTIFY=**\ *serial* + Notify message with a SOA serial hint specified. + +**NOTIFY** + Notify message with a SOA serial hint unspecified. + +The default query type is A. + +Options +....... + +**-4** + Use the IPv4 protocol only. + +**-6** + Use the IPv6 protocol only. + +**-b** *address* + Set the source IP address of the query to *address*. The address must be a + valid address for local interface or :: or 0.0.0.0. An optional port + can be specified in the same format as the *server* value. + +**-c** *class* + An explicit *query_class* specification. See possible values above. + +**-d** + Enable debug messages. + +**-h**, **--help** + Print the program help. + +**-k** *keyfile* + Use the TSIG key stored in a file *keyfile* to authenticate the request. The + file must contain the key in the same format as accepted by the + **-y** option. + +**-p** *port* + Set the nameserver port number or service name to send a query to. The default + port is 53. + +**-q** *name* + Set the query name. An explicit variant of *name* specification. If no *name* + is provided, empty question section is set. + +**-t** *type* + An explicit *query_type* specification. See possible values above. + +**-V**, **--version** + Print the program version. + +**-x** *address* + Send a reverse (PTR) query for IPv4 or IPv6 *address*. The correct name, class + and type is set automatically. + +**-y** [*alg*:]\ *name*:*key* + Use the TSIG key named *name* to authenticate the request. The *alg* + part specifies the algorithm (the default is hmac-sha256) and *key* specifies + the shared secret encoded in Base64. + +**-E** *tapfile* + Export a dnstap trace of the query and response messages received to the + file *tapfile*. + +**-G** *tapfile* + Generate message output from a previously saved dnstap file *tapfile*. + +**+**\ [\ **no**\ ]\ **multiline** + Wrap long records to more lines and improve human readability. + +**+**\ [\ **no**\ ]\ **short** + Show record data only. + +**+**\ [\ **no**\ ]\ **generic** + Use the generic representation format when printing resource record types + and data. + +**+**\ [\ **no**\ ]\ **crypto** + Display the DNSSEC keys and signatures values in hexdump, instead of omitting them. + +**+**\ [\ **no**\ ]\ **aaflag** + Set the AA flag. + +**+**\ [\ **no**\ ]\ **tcflag** + Set the TC flag. + +**+**\ [\ **no**\ ]\ **rdflag** + Set the RD flag. + +**+**\ [\ **no**\ ]\ **recurse** + Same as **+**\ [\ **no**\ ]\ **rdflag** + +**+**\ [\ **no**\ ]\ **raflag** + Set the RA flag. + +**+**\ [\ **no**\ ]\ **zflag** + Set the zero flag bit. + +**+**\ [\ **no**\ ]\ **adflag** + Set the AD flag. + +**+**\ [\ **no**\ ]\ **cdflag** + Set the CD flag. + +**+**\ [\ **no**\ ]\ **dnssec** + Set the DO flag. + +**+**\ [\ **no**\ ]\ **all** + Show all packet sections. + +**+**\ [\ **no**\ ]\ **qr** + Show the query packet. + +**+**\ [\ **no**\ ]\ **header** + Show the packet header. + +**+**\ [\ **no**\ ]\ **comments** + Show commented section names. + +**+**\ [\ **no**\ ]\ **opt** + Show the EDNS pseudosection. + +**+**\ [\ **no**\ ]\ **question** + Show the question section. + +**+**\ [\ **no**\ ]\ **answer** + Show the answer section. + +**+**\ [\ **no**\ ]\ **authority** + Show the authority section. + +**+**\ [\ **no**\ ]\ **additional** + Show the additional section. + +**+**\ [\ **no**\ ]\ **tsig** + Show the TSIG pseudosection. + +**+**\ [\ **no**\ ]\ **stats** + Show trailing packet statistics. + +**+**\ [\ **no**\ ]\ **class** + Show the DNS class. + +**+**\ [\ **no**\ ]\ **ttl** + Show the TTL value. + +**+**\ [\ **no**\ ]\ **tcp** + Use the TCP protocol (default is UDP for standard query and TCP for AXFR/IXFR). + +**+**\ [\ **no**\ ]\ **fastopen** + Use TCP Fast Open (default with TCP). + +**+**\ [\ **no**\ ]\ **ignore** + Don't use TCP automatically if a truncated reply is received. + +**+**\ [\ **no**\ ]\ **tls** + Use TLS with the Opportunistic privacy profile (:rfc:`7858#section-4.1`). + +**+**\ [\ **no**\ ]\ **tls-ca**\[\ =\ *FILE*\] + Use TLS with a certificate validation. Certification authority certificates + are loaded from the specified PEM file (default is system certificate storage + if no argument is provided). + Can be specified multiple times. If the +tls-hostname option is not provided, + the name of the target server (if specified) is used for strict authentication. + +**+**\ [\ **no**\ ]\ **tls-pin**\ =\ *BASE64* + Use TLS with the Out-of-Band key-pinned privacy profile (:rfc:`7858#section-4.2`). + The PIN must be a Base64 encoded SHA-256 hash of the X.509 SubjectPublicKeyInfo. + Can be specified multiple times. + +**+**\ [\ **no**\ ]\ **tls-hostname**\ =\ *STR* + Use TLS with a remote server hostname check. + +**+**\ [\ **no**\ ]\ **tls-sni**\ =\ *STR* + Use TLS with a Server Name Indication. + +**+**\ [\ **no**\ ]\ **nsid** + Request the nameserver identifier (NSID). + +**+**\ [\ **no**\ ]\ **bufsize**\ =\ *B* + Set EDNS buffer size in bytes (default is 512 bytes). + +**+**\ [\ **no**\ ]\ **padding**\[\ =\ *B*\] + Use EDNS(0) padding option to pad queries, optionally to a specific + size. The default is to pad queries with a sensible amount when using + +tls, and not to pad at all when queries are sent without TLS. With + no argument (i.e., just +padding) pad every query with a sensible + amount regardless of the use of TLS. With +nopadding, never pad. + +**+**\ [\ **no**\ ]\ **alignment**\[\ =\ *B*\] + Align the query to B\-byte-block message using the EDNS(0) padding option + (default is no or 128 if no argument is specified). + +**+**\ [\ **no**\ ]\ **subnet**\ =\ *SUBN* + Set EDNS(0) client subnet SUBN=addr/prefix. + +**+**\ [\ **no**\ ]\ **edns**\[\ =\ *N*\] + Use EDNS version (default is 0). + +**+**\ [\ **no**\ ]\ **timeout**\ =\ *T* + Set the wait-for-reply interval in seconds (default is 5 seconds). This timeout + applies to each query attempt. + +**+**\ [\ **no**\ ]\ **retry**\ =\ *N* + Set the number (>=0) of UDP retries (default is 2). This doesn't apply to + AXFR/IXFR. + +**+**\ [\ **no**\ ]\ **cookie**\ =\ *HEX* + Attach EDNS(0) cookie to the query. + +**+**\ [\ **no**\ ]\ **badcookie** + Repeat a query with the correct cookie. + +**+**\ [\ **no**\ ]\ **ednsopt**\[\ =\ *CODE*\[:*HEX*\]\] + Send custom EDNS option. The *CODE* is EDNS option code in decimal, *HEX* + is an optional hex encoded string to use as EDNS option value. This argument + can be used multiple times. +noednsopt clears all EDNS options specified by + +ednsopt. + +**+noidn** + Disable the IDN transformation to ASCII and vice versa. IDNA2003 support depends + on libidn availability during project building! + +Notes +----- + +Options **-k** and **-y** can not be used simultaneously. + +Dnssec-keygen keyfile format is not supported. Use :manpage:`keymgr(8)` instead. + +Examples +-------- + +1. Get A records for example.com:: + + $ kdig example.com A + +2. Perform AXFR for zone example.com from the server 192.0.2.1:: + + $ kdig example.com -t AXFR @192.0.2.1 + +3. Get A records for example.com from 192.0.2.1 and reverse lookup for address + 2001:DB8::1 from 192.0.2.2. Both using the TCP protocol:: + + $ kdig +tcp example.com -t A @192.0.2.1 -x 2001:DB8::1 @192.0.2.2 + +4. Get SOA record for example.com, use TLS, use system certificates, check + for specified hostname, check for certificate pin, and print additional + debug info:: + + $ kdig -d @185.49.141.38 +tls-ca +tls-host=getdnsapi.net \ + +tls-pin=foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= soa example.com + +Files +----- + +:file:`/etc/resolv.conf` + +See Also +-------- + +:manpage:`khost(1)`, :manpage:`knsupdate(1)`, :manpage:`keymgr(8)`. diff --git a/doc/man_keymgr.rst b/doc/man_keymgr.rst new file mode 100644 index 0000000..03409b6 --- /dev/null +++ b/doc/man_keymgr.rst @@ -0,0 +1,216 @@ +.. highlight:: console + +keymgr – Key management utility +=============================== + +Synopsis +-------- + +:program:`keymgr` *basic_option* [*parameters*...] + +:program:`keymgr` [*config_option* *config_storage*] *zone* *command* *argument*... + +Description +----------- + +The :program:`keymgr` utility serves for manual key management in Knot DNS server. + +Functions for DNSSEC keys and KASP (Key And Signature Policy) +management are provided. + +The DNSSEC and KASP configuration is stored in a so called KASP database. +The database is backed by LMDB. + +Basic options +............. + +**-h**, **--help** + Print the program help. + +**-V**, **--version** + Print the program version. + +**-t**, **--tsig** *tsig_name* [*tsig_algorithm*] [*tsig_bits*] + Generates a TSIG key. TSIG algorithm can be specified by string (default: hmac-sha256), + bit length of the key by number (default: optimal length given by algorithm). The generated + TSIG key is only displayed on `stdout`: the command does not create a file, nor include the + key in a keystore. + +Config options +.............. + +**-c**, **--config** *file* + Use a textual configuration file (default is :file:`@config_dir@/knot.conf`). + +**-C**, **--confdb** *directory* + Use a binary configuration database directory (default is :file:`@storage_dir@/confdb`). + The default configuration database, if exists, has a preference to the default + configuration file. + +**-d**, **--dir** *path* + Use specified KASP database path and default configuration. + +Commands +........ + +**list** [*timestamp_format*] + Prints the list of key IDs and parameters of keys belonging to the zone. + +**generate** [*arguments*...] + Generates new DNSSEC key and stores it in KASP database. Prints the key ID. + This action takes some number of arguments (see below). Values for unspecified arguments are taken + from corresponding policy (if *-c* or *-C* options used) or from Knot policy defaults. + +**import-bind** *BIND_key_file* + Imports a BIND-style key into KASP database (converting it to PEM format). + Takes one argument: path to BIND key file (private or public, but both MUST exist). + +**import-pub** *BIND_pubkey_file* + Imports a public key into KASP database. This key won't be rollovered nor used for signing. + Takes one argument: path to BIND public key file. + +**import-pem** *PEM_file* [*arguments*...] + Imports a DNSSEC key from PEM file. The key parameters (same as for the generate action) need to be + specified (mainly algorithm, timers...) because they are not contained in the PEM format. + +**import-pkcs11** *key_id* [*arguments*...] + Imports a DNSSEC key from PKCS #11 storage. The key parameters (same as for the generate action) need to be + specified (mainly algorithm, timers...) because they are not available. In fact, no key + data is imported, only KASP database metadata is created. + +**nsec3-salt** [*new_salt*] + Prints the current NSEC3 salt used for signing. If *new_salt* is specified, the salt is overwritten. + The salt is printed and expected in hexadecimal, or dash if empty. + +**set** *key_spec* [*arguments*...] + Changes a timing argument (or ksk/zsk) of an existing key to a new value. *Key_spec* is either the + key tag or a prefix of the key ID; *arguments* are like for **generate**, but just the related ones. + +**ds** [*key_spec*] + Generate DS record (all digest algorithms together) for specified key. *Key_spec* + is like for **set**, if unspecified, all KSKs are used. + +**dnskey** [*key_spec*] + Generate DNSKEY record for specified key. *Key_spec* + is like for **ds**, if unspecified, all KSKs are used. + +**delete** *key_spec* + Remove the specified key from zone. If the key was not shared, it is also deleted from keystore. + +**share** *key_ID* + Import a key (specified by full key ID) from another zone as shared. After this, the key is + owned by both zones equally. + +Generate arguments +.................. + +Arguments are separated by space, each of them is in format 'name=value'. + +**algorithm** + Either an algorithm number (e.g. 14), or text name without dashes (e.g. ECDSAP384SHA384). + +**size** + Key length in bits. + +**ksk** + If set to **yes**, the key will be used for signing DNSKEY rrset. The generated key will also + have the Secure Entry Point flag set to 1. + +**zsk** + If set to **yes**, the key will be used for signing zone (except DNSKEY rrset). This flag can + be set concurrently with the **ksk** flag. + +**sep** + Overrides the standard setting of the Secure Entry Point flag for the generated key. + +The following arguments are timestamps of key lifetime: + +**created** + Key created. + +**pre_active** + Key started to be used for signing, not published (only for algorithm rollover). + +**publish** + Key published. + +**ready** + Key used for signing and submitted to the parent zone (only for KSK). + +**active** + Key used for signing. + +**post_active** + Key still used for singing, but another key is active (only for KSK). + +**retire_active** + Key no longer published, but still used for signing (only for algorithm rollover). + +**retire** + Key still published, but no longer used for signing. + +**remove** + Key deleted. + +Timestamps +.......... + +0 + Zero timestamp means infinite future. + +*UNIX_time* + Positive number of seconds since 1970 UTC. + +*YYYYMMDDHHMMSS* + Date and time in this format without any punctuation. + +*relative_timestamp* + A sign character (**+**, **-**), a number, and an optional time unit + (**y**, **mo**, **d**, **h**, **mi**, **s**). The default unit is one second. + E.g. +1mi, -2mo. + +Output timestamp formats +........................ + +(none) + The timestamps are printed as UNIX timestamp. + +**human** + The timestamps are printed relatively to now using time units (e.g. -2y5mo, +1h13s). + +**iso** + The timestamps are printed in the ISO8601 format (e.g. 2016-12-31T23:59:00). + +Examples +-------- + +1. Generate new TSIG key:: + + $ keymgr -t my_name hmac-sha384 + +2. Generate new DNSSEC key:: + + $ keymgr example.com. generate algorithm=ECDSAP256SHA256 size=256 \ + ksk=true created=1488034625 publish=20170223205611 retire=+10mo remove=+1y + +3. Import a DNSSEC key from BIND:: + + $ keymgr example.com. import-bind ~/bind/Kharbinge4d5.+007+63089.key + +4. Configure key timing:: + + $ keymgr example.com. set 4208 active=+2mi retire=+4mi remove=+5mi + +5. Share a KSK from another zone:: + + $ keymgr example.com. share e687cf927029e9db7184d2ece6d663f5d1e5b0e9 + +See Also +-------- + +:rfc:`6781` - DNSSEC Operational Practices. +:rfc:`7583` - DNSSEC Key Rollover Timing Considerations. + +:manpage:`knot.conf(5)`, +:manpage:`knotc(8)`, +:manpage:`knotd(8)`. diff --git a/doc/man_khost.rst b/doc/man_khost.rst new file mode 100644 index 0000000..b6e2d6b --- /dev/null +++ b/doc/man_khost.rst @@ -0,0 +1,102 @@ +.. highlight:: console + +khost – Simple DNS lookup utility +================================= + +Synopsis +-------- + +:program:`khost` [*options*] *name* [*server*] + +Description +----------- + +This utility sends a DNS query for the *name* to the *server* and prints a reply +in more user-readable form. For more advanced DNS queries use :program:`kdig` +instead. + +Parameters +.......... + +*name* + Is a domain name that is to be looked up. If the *name* is IPv4 or IPv6 + address the PTR query type is used. + +*server* + Is a name or an address of the nameserver to send a query to. The address + can be specified using [address]:port notation. If no server is specified, + the servers from :file:`/etc/resolv.conf` are used. + +If no arguments are provided, :program:`khost` prints a short help. + +Options +....... + +**-4** + Use the IPv4 protocol only. + +**-6** + Use the IPv6 protocol only. + +**-a** + Send ANY query with verbose mode. + +**-d** + Enable debug messages. + +**-h**, **--help** + Print the program help. + +**-r** + Disable recursion. + +**-T** + Use the TCP protocol. + +**-v** + Enable verbose output. + +**-V**, **--version** + Print the program version. + +**-w** + Wait forever for the reply. + +**-c** *class* + Set the query class (e.g. CH, CLASS4). The default class is IN. + +**-t** *type* + Set the query type (e.g. NS, IXFR=12345, TYPE65535). The default is to send 3 + queries (A, AAAA and MX). + +**-R** *retries* + The number (>=0) of UDP retries to query a nameserver. The default is 1. + +**-W** *wait* + The time to wait for a reply in seconds. This timeout applies to each query + try. The default is 2 seconds. + +Examples +-------- + +1. Get the A, AAAA and MX records for example.com:: + + $ khost example.com + +2. Get the reverse record for address 192.0.2.1:: + + $ khost 192.0.2.1 + +3. Perform a verbose zone transfer for zone example.com:: + + $ khost -t AXFR -v example.com + +Files +----- + +:file:`/etc/resolv.conf` + +See Also +-------- + +:manpage:`kdig(1)`, :manpage:`knsupdate(1)`. diff --git a/doc/man_kjournalprint.rst b/doc/man_kjournalprint.rst new file mode 100644 index 0000000..f8868dd --- /dev/null +++ b/doc/man_kjournalprint.rst @@ -0,0 +1,58 @@ +.. highlight:: console + +kjournalprint – Knot DNS journal print utility +============================================== + +Synopsis +-------- + +:program:`kjournalprint` [*options*] *journal_db* *zone_name* + +Description +----------- + +The program prints zone history stored in a journal database. As default, +changes are colored for terminal. + +Options +....... + +**-l**, **--limit** *limit* + Limits the number of displayed changes. + +**-d**, **--debug** + Debug mode brief output. + +**-n**, **--no-color** + Removes changes coloring. + +**-z**, **--zone-list** + Instead of reading jurnal, display the list of zones in the DB. + (*zone_name* not needed) + +**-h**, **--help** + Print the program help. + +**-V**, **--version** + Print the program version. + +Parameters +.......... + +*journal_db* + A path to the journal database. + +*zone_name* + A name of the zone to print the history for. + +Examples +-------- + +Last (most recent) 5 changes without colors:: + + $ kjournalprint -nl 5 /var/lib/knot/journal example.com. + +See Also +-------- + +:manpage:`knotd(8)`, :manpage:`knot.conf(5)`. diff --git a/doc/man_knotc.rst b/doc/man_knotc.rst new file mode 100644 index 0000000..ebfe4f1 --- /dev/null +++ b/doc/man_knotc.rst @@ -0,0 +1,274 @@ +.. highlight:: console + +knotc – Knot DNS control utility +================================ + +Synopsis +-------- + +:program:`knotc` [*parameters*] *action* [*action_args*] + +Description +----------- + +If no *action* is specified, the program is executed in interactive mode. + +Parameters +.......... + +**-c**, **--config** *file* + Use a textual configuration file (default is :file:`@config_dir@/knot.conf`). + +**-C**, **--confdb** *directory* + Use a binary configuration database directory (default is :file:`@storage_dir@/confdb`). + The default configuration database, if exists, has a preference to the default + configuration file. + +**-m**, **--max-conf-size** *MiB* + Set maximum configuration size (default is @conf_mapsize@ MiB, maximum 10000 MiB). + +**-s**, **--socket** *path* + Use a control UNIX socket path (default is :file:`@run_dir@/knot.sock`). + +**-t**, **--timeout** *seconds* + Use a control timeout in seconds. Set 0 for infinity (default is 10). + +**-f**, **--force** + Forced operation. Overrides some checks. + +**-v**, **--verbose** + Enable debug output. + +**-h**, **--help** + Print the program help. + +**-V**, **--version** + Print the program version. + +Actions +....... + +**status** [*detail*] + Check if the server is running. Details are **version** for the running + server version, **workers** for the numbers of worker threads, + or **configure** for the configure summary. + +**stop** + Stop the server if running. + +**reload** + Reload the server configuration and modified zone files. All open zone + transactions will be aborted! + +**stats** [*module*\ [\ **.**\ *counter*\ ]] + Show global statistics counter(s). To print also counters with value 0, use + force option. + +**zone-status** *zone* [*filter*] + Show the zone status. Filters are **+role**, **+serial**, **+transaction**, + **+events**, and **+freeze**. + +**zone-check** [*zone*...] + Test if the server can load the zone. Semantic checks are executed if enabled + in the configuration. (*) + +**zone-memstats** [*zone*...] + Estimate memory use for the zone. (*) + +**zone-reload** [*zone*...] + Trigger a zone reload from a disk without checking its modification time. For + slave zone, the refresh from a master server is scheduled; for master zone, + the notification of slave servers is scheduled. An open zone transaction + will be aborted! + +**zone-refresh** [*zone*...] + Trigger a check for the zone serial on the zone's master. If the master has a + newer zone, a transfer is scheduled. This command is valid for slave zones. + +**zone-retransfer** [*zone*...] + Trigger a zone transfer from the zone's master. The server doesn't check the + serial of the master's zone. This command is valid for slave zones. + +**zone-notify** [*zone*...] + Trigger a NOTIFY message to all configured remotes. This can help in cases + when previous NOTIFY had been lost or the slaves offline. + +**zone-flush** [*zone*...] [**+outdir** *directory*] + Trigger a zone journal flush into the zone file. If output dir is specified, + instead of flushing the zonefile, the zone is dumped to a file in the specified + directory. + +**zone-sign** [*zone*...] + Trigger a DNSSEC re-sign of the zone. Existing signatures will be dropped. + This command is valid for zones with DNSSEC signing enabled. + +**zone-ksk-submitted** *zone*... + Use when the zone's KSK rollover is in submittion phase. By calling this command + the user confirms manually that the parent zone contains DS record for the new + KSK in submission phase and the old KSK can be retired. + +**zone-freeze** [*zone*...] + Temporarily postpone zone-changing events (load, refresh, update, flush, and + DNSSEC signing). + +**zone-thaw** [*zone*...] + Dismiss zone freeze. + +**zone-read** *zone* [*owner* [*type*]] + Get zone data that are currently being presented. + +**zone-begin** *zone*... + Begin a zone transaction. + +**zone-commit** *zone*... + Commit the zone transaction. All changes are applied to the zone. + +**zone-abort** *zone*... + Abort the zone transaction. All changes are discarded. + +**zone-diff** *zone* + Get zone changes within the transaction. + +**zone-get** *zone* [*owner* [*type*]] + Get zone data within the transaction. + +**zone-set** *zone* *owner* [*ttl*] *type* *rdata* + Add zone record within the transaction. The first record in a rrset + requires a ttl value specified. + +**zone-unset** *zone* *owner* [*type* [*rdata*]] + Remove zone data within the transaction. + +**zone-purge** *zone*... [*filter*...] + Purge zone data, zone file, journal, timers, and/or KASP data of specified zones. + Available filters are **+expire**, **+zonefile**, **+journal**, **+timers**, + and **+kaspdb**. If no filter is specified, all filters are enabled. + If the zone is no longer configured, add **+orphan** filter (zone file cannot + be purged in this case). + +**zone-stats** *zone* [*module*\ [\ **.**\ *counter*\ ]] + Show zone statistics counter(s). To print also counters with value 0, use + force option. + +**conf-init** + Initialize the configuration database. (*) + +**conf-check** + Check the server configuration. (*) + +**conf-import** *filename* + Import a configuration file into the configuration database. Ensure the + server is not using the configuration database! (*) + +**conf-export** [*filename*] + Export the configuration database into a config file or stdout. (*) + +**conf-list** [*item*] + List the configuration database sections or section items. + +**conf-read** [*item*] + Read the item from the active configuration database. + +**conf-begin** + Begin a writing configuration database transaction. Only one transaction + can be opened at a time. + +**conf-commit** + Commit the configuration database transaction. + +**conf-abort** + Rollback the configuration database transaction. + +**conf-diff** [*item*] + Get the item difference in the transaction. + +**conf-get** [*item*] + Get the item data from the transaction. + +**conf-set** *item* [*data*...] + Set the item data in the transaction. + +**conf-unset** [*item*] [*data*...] + Unset the item data in the transaction. + +Note +.... + +Empty or **--** *zone* parameter means all zones or all zones with a transaction. + +Use **@** *owner* to denote the zone name. + +Type *item* parameter in the form of *section*\ [**[**\ *id*\ **]**\ ][**.**\ *name*]. + +(*) indicates a local operation which requires a configuration. + +Interactive mode +................ + +The utility provides interactive mode with basic line editing functionality, +command completion, and command history. + +Interactive mode behavior can be customized in `~/.editrc`. Refer to +:manpage:`editrc(5)` for details. + +Command history is saved in `~/.knotc_history`. + +Examples +-------- + +Reload the whole server configuration +..................................... + +:: + + $ knotc reload + +Flush the example.com and example.org zones +........................................... + +:: + + $ knotc zone-flush example.com example.org + +Get the current server configuration +.................................... + +:: + + $ knotc conf-read server + +Get the list of the current zones +................................. + +:: + + $ knotc conf-read zone.domain + +Get the master remotes for the example.com zone +............................................... + +:: + + $ knotc conf-read 'zone[example.com].master' + +Add example.org zone with a zonefile location +............................................. + +:: + + $ knotc conf-begin + $ knotc conf-set 'zone[example.org]' + $ knotc conf-set 'zone[example.org].file' '/var/zones/example.org.zone' + $ knotc conf-commit + +Get the SOA record for each configured zone +........................................... + +:: + + $ knotc zone-read -- @ SOA + +See Also +-------- + +:manpage:`knotd(8)`, :manpage:`knot.conf(5)`, :manpage:`editrc(5)`. diff --git a/doc/man_knotd.rst b/doc/man_knotd.rst new file mode 100644 index 0000000..8adce89 --- /dev/null +++ b/doc/man_knotd.rst @@ -0,0 +1,48 @@ +.. highlight:: console + +knotd – Knot DNS server daemon +============================== + +Synopsis +-------- + +:program:`knotd` [*parameters*] + +Description +----------- + +Parameters +.......... + +**-c**, **--config** *file* + Use a textual configuration file (default is :file:`@config_dir@/knot.conf`). + +**-C**, **--confdb** *directory* + Use a binary configuration database directory (default is :file:`@storage_dir@/confdb`). + The default configuration database, if exists, has a preference to the default + configuration file. + +**-m**, **--max-conf-size** *MiB* + Set maximum configuration size (default is @conf_mapsize@ MiB, maximum 10000 MiB). + +**-s**, **--socket** *path* + Use a remote control UNIX socket path (default is :file:`@run_dir@/knot.sock`). + +**-d**, **--daemonize** [*directory*] + Run the server as a daemon. New root directory may be specified + (default is :file:`/`). + +**-v**, **--verbose** + Enable debug output. + +**-h**, **--help** + Print the program help. + +**-V**, **--version** + Print the program version. + +See Also +-------- + +:manpage:`knot.conf(5)`, :manpage:`knotc(8)`, :manpage:`keymgr(8)`, +:manpage:`kjournalprint(8)`. diff --git a/doc/man_knsec3hash.rst b/doc/man_knsec3hash.rst new file mode 100644 index 0000000..1c2c95b --- /dev/null +++ b/doc/man_knsec3hash.rst @@ -0,0 +1,49 @@ +.. highlight:: console + +knsec3hash – NSEC hash computation utility +========================================== + +Synopsis +-------- + +:program:`knsec3hash` *salt* *algorithm* *iterations* *name* + +Description +----------- + +This utility generates a NSEC3 hash for a given domain name and parameters of NSEC3 hash. + +Parameters +.......... + +*salt* + Specifies a binary salt encoded as a hexadecimal string. + +*algorithm* + Specifies a hashing algorithm by number. Currently, the only supported algorithm is SHA-1 (number 1). + +*iterations* + Specifies the number of additional iterations of the hashing algorithm. + +*name* + Specifies the domain name to be hashed. + +Examples +-------- + +:: + + $ knsec3hash c01dcafe 1 10 knot-dns.cz + 7PTVGE7QV67EM61ROS9238P5RAKR2DM7 (salt=c01dcafe, hash=1, iterations=10) + +:: + + $ knsec3hash - 1 0 net + A1RT98BS5QGC9NFI51S9HCI47ULJG6JH (salt=-, hash=1, iterations=0) + +See Also +-------- + +:rfc:`5155` – DNS Security (DNSSEC) Hashed Authenticated Denial of Existence. + +:manpage:`knotc(8)`, :manpage:`knotd(8)`. diff --git a/doc/man_knsupdate.rst b/doc/man_knsupdate.rst new file mode 100644 index 0000000..c93f48f --- /dev/null +++ b/doc/man_knsupdate.rst @@ -0,0 +1,164 @@ +.. highlight:: console + +knsupdate – Dynamic DNS update utility +====================================== + +Synopsis +-------- + +:program:`knsupdate` [*options*] [*filename*] + +Description +----------- + +This utility sends Dynamic DNS update messages to a DNS server. Update content +is read from a file (if the parameter *filename* is given) or from the standard +input. + +The format of updates is textual and is made up of commands. Every command is +placed on the separate line of the input. Lines starting with a semicolon are +comments and are not processed. + +Options +....... + +**-d** + Enable debug messages. + +**-h**, **--help** + Print the program help. + +**-k** *keyfile* + Use the TSIG key stored in a file *keyfile* to authenticate the request. The + file should contain the key in the same format, which is accepted by the + **-y** option. + +**-p** *port* + Set the port to use for connections to the server (if not explicitly specified + in the update). The default is 53. + +**-r** *retries* + The number of retries for UDP requests. The default is 3. + +**-t** *timeout* + The total timeout (for all UDP update tries) of the update request in seconds. + The default is 12. If set to zero, the timeout is infinite. + +**-v** + Use a TCP connection. + +**-V**, **--version** + Print the program version. + +**-y** [*alg*:]\ *name*:*key* + Use the TSIG key with a name *name* to authenticate the request. The *alg* + part specifies the algorithm (the default is hmac-sha256) and *key* specifies + the shared secret encoded in Base64. + +Commands +........ + +**server** *name* [*port*] + Specifies a receiving server of the dynamic update message. The *name* parameter + can be either a host name or an IP address. If the *port* is not specified, + the default port is used. The default port value can be controlled using + the **-p** program option. + +**local** *address* [*port*] + Specifies outgoing *address* and *port*. If no local is specified, the + address and port are set by the system automatically. The default port number + is 0. + +**zone** *name* + Specifies that all updates are done within a zone *name*. If not used, + the default zone is the root zone. + +**origin** *name* + Specifies fully qualified domain name suffix which is appended to non-fqd + owners in update commands. The default origin is the root zone. + +**class** *name* + Sets *name* as the default class for all updates. If not used, the default + class is IN. + +**ttl** *value* + Sets *value* as the default TTL (in seconds). If not used, the default value + is 0. + +**key** [*alg*:]\ *name* *key* + Specifies the TSIG *key* named *name* to authenticate the request. An optional + *alg* algorithm can be specified. This command has the same effect as + the program option **-y**. + +[**prereq**] **nxdomain** *name* + Adds a prerequisite for a non-existing record owned by *name*. + +[**prereq**] **yxdomain** *name* + Adds a prerequisite for an existing record owned by *name*. + +[**prereq**] **nxrrset** *name* [*class*] *type* + Adds a prerequisite for a non-existing record of the *type* owned by *name*. + Internet *class* is expected. + +[**prereq**] **yxrrset** *name* [*class*] *type* [*data*] + Adds a prerequisite for an existing record of the *type* owned by *name* + with optional *data*. Internet *class* is expected. + +[**update**] **add** *name* [*ttl*] [*class*] *type* *data* + Adds a request to add a new resource record into the zone. + Please note that if the *name* is not fully qualified domain name, the + current origin name is appended to it. + +[**update**] **del**\[**ete**] *name* [*ttl*] [*class*] [*type*] [*data*] + Adds a request to remove all (or matching *class*, *type* or *data*) + resource records from the zone. There is the same requirement for the *name* + parameter as in **update add** command. The *ttl* item is ignored. + +**show** + Displays current content of the update message. + +**send** + Sends the current update message and cleans the list of updates. + +**answer** + Displays the last answer from the server. + +**debug** + Enable debugging. This command has the same meaning as the **-d** program option. + +**quit** + Quit the program. + +Notes +----- + +Options **-k** and **-y** can not be used simultaneously. + +Dnssec-keygen keyfile format is not supported. Use :manpage:`keymgr(8)` instead. + +Zone name/server guessing is not supported if the zone name/server is not specified. + +Empty line doesn't send the update. + +Examples +-------- + +1. Send one update of the zone example.com to the server 192.168.1.1. The update + contains two new records:: + + $ knsupdate + > server 192.168.1.1 + > zone example.com. + > origin example.com. + > ttl 3600 + > add test1.example.com. 7200 A 192.168.2.2 + > add test2 TXT "hello" + > show + > send + > answer + > quit + +See Also +-------- + +:manpage:`kdig(1)`, :manpage:`khost(1)`, :manpage:`keymgr(8)`. diff --git a/doc/man_kzonecheck.rst b/doc/man_kzonecheck.rst new file mode 100644 index 0000000..1858bca --- /dev/null +++ b/doc/man_kzonecheck.rst @@ -0,0 +1,45 @@ +.. highlight:: console + +kzonecheck – Knot DNS zone file checking tool +============================================= + +Synopsis +-------- + +:program:`kzonecheck` [*options*] *filename* + +Description +----------- + +The utility checks zone file syntax and runs semantic checks on the zone +content. The executed checks are the same as the checks run by the Knot +DNS server. + +Please, refer to the ``semantic-checks`` configuration option in +:manpage:`knot.conf(5)` for the full list of available semantic checks. + +Options +....... + +**-o**, **--origin** *origin* + Zone origin. If not specified, the origin is determined from the file name + (possibly removing the ``.zone`` suffix). + +**-t**, **--time** *time* + Current time specification. Use UNIX timestamp, YYYYMMDDHHmmSS + format, or [+/-]\ *time*\ [unit] format, where unit can be **Y**, **M**, + **D**, **h**, **m**, or **s**. Default is current UNIX timestamp. + +**-v**, **--verbose** + Enable debug output. + +**-h**, **--help** + Print the program help. + +**-V**, **--version** + Print the program version. + +See Also +-------- + +:manpage:`knotd(8)`, :manpage:`knot.conf(5)`. diff --git a/doc/migration.rst b/doc/migration.rst new file mode 100644 index 0000000..30eb5b0 --- /dev/null +++ b/doc/migration.rst @@ -0,0 +1,146 @@ +.. highlight:: none +.. _Migration: + +********* +Migration +********* + +.. _Upgrade 2.4.x to 2.5.x: + +Upgrade 2.4.x to 2.5.x +====================== + +This chapter describes some steps necessary after upgrading Knot DNS from +version 2.4.x to 2.5.x. + +.. _Building changes: + +Building changes +---------------- + +The ``--enable-dnstap`` configure option now enables the dnstap support in +kdig only! To build the dnstap query module, ``--with-module-dnstap`` have +to be used. + +Since Knot DNS version 2.5.0 each query module can be configured to be: + +- disabled: ``--with-module-``\ MODULE_NAME\ ``=no`` +- embedded: ``--with-module-``\ MODULE_NAME\ ``=yes`` +- external: ``--with-module-``\ MODULE_NAME\ ``=shared`` (excluding + ``dnsproxy`` and ``onlinesign``) + +The ``--with-timer-mapsize`` configure option was replaced with the runtime +:ref:`template_max-timer-db-size` configuration option. + +.. _KASP DB migration: + +KASP DB migration +----------------- + +Knot DNS version 2.4.x and earlier uses JSON files to store DNSSEC keys metadata, +one for each zone. 2.5.x versions store those in binary format in a LMDB, all zones +together. The migration is possible with the +`pykeymgr <https://gitlab.labs.nic.cz/knot/knot-dns/blob/2.6/src/utils/pykeymgr/pykeymgr.in>`_ +script:: + + $ pykeymgr -i path/to/keydir + +The path to KASP DB directory is configuration-dependent, usually it is the ``keys`` +subdirectory in the zone storage. + +In rare installations, the JSON files might be spread across more directories. In such +case, it is necessary to put them together into one directory and migrate at once. + +.. _Configuration changes 2.5: + +Configuration changes +--------------------- + +It is no longer possible to configure KASP DB per zone or in a non-default +template. Ensure just one common KASP DB configuration in the default +template. + +As Knot DNS version 2.5.0 brings dynamically loaded modules, some modules +were renamed for technical reasons. So it is necessary to rename all +occurrences (module section names and references from zones or templates) +of the following module names in the configuration:: + + mod-online-sign -> mod-onlinesign + + mod-synth-record -> mod-synthrecord + +.. _Upgrade 2.5.x to 2.6.x: + +Upgrade 2.5.x to 2.6.x +====================== + +Upgrading from Knot DNS version 2.5.x to 2.6.x is almost seamless. + +.. _Configuration changes 2.6: + +Configuration changes +--------------------- + +The ``dsa`` and ``dsa-nsec3-sha1`` algorithm values are no longer supported +by the :ref:`policy_algorithm` option. + +The ``ixfr-from-differences`` zone/template option was deprecated in favor of +the :ref:`zone_zonefile-load` option. + +.. _Upgrade 2.6.x to 2.7.x: + +Upgrade 2.6.x to 2.7.x +====================== + +Upgrading from Knot DNS version 2.6.x to 2.7.x is seamless if no obsolete +configuration or module rosedb is used. + +.. _Knot DNS for BIND users: + +Knot DNS for BIND users +======================= + +.. _Automatic DNSSEC signing: + +Automatic DNSSEC signing +------------------------ + +Migrating automatically signed zones from BIND to Knot DNS requires copying +up-to-date zone files from BIND, importing existing private keys, and updating +server configuration: + +1. To obtain current content of the zone which is being migrated, + request BIND to flush the zone into the zone file: ``rndc flush + example.com``. + + .. NOTE:: + If dynamic updates (DDNS) are enabled for the given zone, you + might need to freeze the zone before flushing it. That can be done + similarly:: + + $ rndc freeze example.com + +2. Copy the fresh zone file into the zones :ref:`storage<zone_storage>` + directory of Knot DNS. + +3. Import all existing zone keys into the KASP database. Make sure that all + the keys were imported correctly:: + + $ keymgr example.com. import-bind path/to/Kexample.com.+013+11111 + $ keymgr example.com. import-bind path/to/Kexample.com.+013+22222 + $ ... + $ keymgr example.com. list + + .. NOTE:: + If the server configuration file or database is not at the default location, + add a configuration parameter (-c or -C). + + .. NOTE:: + The server can be run under a dedicated user account, usually ``knot``. + As the server requires read-write access to the KASP database, the + permissions must be set correctly. This can be achieved for instance by + executing all KASP database management commands under sudo:: + + $ sudo -u knot keymgr ... + +4. Follow :ref:`Automatic DNSSEC signing` steps to configure DNSSEC signing. diff --git a/doc/modules.rst.in b/doc/modules.rst.in new file mode 100644 index 0000000..727e9e0 --- /dev/null +++ b/doc/modules.rst.in @@ -0,0 +1,8 @@ +.. highlight:: none +.. _Modules: + +******* +Modules +******* + +@DOC_MODULES@ diff --git a/doc/operation.rst b/doc/operation.rst new file mode 100644 index 0000000..25cb964 --- /dev/null +++ b/doc/operation.rst @@ -0,0 +1,722 @@ +.. highlight:: console +.. _Operation: + +********* +Operation +********* + +The Knot DNS server part ``knotd`` can run either in the foreground, or in the background +using the ``-d`` option. When run in the foreground, it doesn't create a PID file. +Other than that, there are no differences and you can control both the same way. + +The tool ``knotc`` is designed as a user front-end, making it easier to control running +server daemon. If you want to control the daemon directly, use ``SIGINT`` to quit +the process or ``SIGHUP`` to reload the configuration. + +If you pass neither configuration file (``-c`` parameter) nor configuration +database (``-C`` parameter), the server will first attempt to use the default +configuration database stored in ``/var/lib/knot/confdb`` or the +default configuration file stored in ``/etc/knot/knot.conf``. Both the +default paths can be reconfigured with ``--with-storage=path`` or +``--with-configdir=path`` respectively. + +Example of server start as a daemon:: + + $ knotd -d -c knot.conf + +Example of server shutdown:: + + $ knotc -c knot.conf stop + +For a complete list of actions refer to the program help (``-h`` parameter) +or to the corresponding manual page. + +Also, the server needs to create :ref:`server_rundir` and :ref:`zone_storage` +directories in order to run properly. + +.. _Configuration database: + +Configuration database +====================== + +In the case of a huge configuration file, the configuration can be stored +in a binary database. Such a database can be simply initialized:: + + $ knotc conf-init + +or preloaded from a file:: + + $ knotc conf-import input.conf + +Also the configuration database can be exported into a textual file:: + + $ knotc conf-export output.conf + +.. WARNING:: + The import and export commands access the configuration database + directly, without any interaction with the server. So it is strictly + recommended to perform these operations when the server is not running. + +.. _Dynamic configuration: + +Dynamic configuration +===================== + +The configuration database can be accessed using the server control interface +while the server is running. To get the full power of the dynamic configuration, +the server must be started with a specified configuration database location +or with the default database initialized. Otherwise all the changes to the +configuration will be temporary (until the server is stopped). + +.. NOTE:: + The database can be :ref:`imported<Configuration database>` in advance. + +Most of the commands get an item name and value parameters. The item name is +in the form of ``section[identifier].name``. If the item is multivalued, +more values can be specified as individual (command line) arguments. + +.. CAUTION:: + Beware of the possibility of pathname expansion by the shell. For this reason, + it is advisable to slash square brackets or to quote command parameters if + not executed in the interactive mode. + +To get the list of configuration sections or to get the list of section items:: + + $ knotc conf-list + $ knotc conf-list 'server' + +To get the whole configuration or to get the whole configuration section or +to get all section identifiers or to get a specific configuration item:: + + $ knotc conf-read + $ knotc conf-read 'remote' + $ knotc conf-read 'zone.domain' + $ knotc conf-read 'zone[example.com].master' + +.. WARNING:: + The following operations don't work on OpenBSD! + +Modifying operations require an active configuration database transaction. +Just one transaction can be active at a time. Such a transaction then can +be aborted or committed. A semantic check is executed automatically before +every commit:: + + $ knotc conf-begin + $ knotc conf-abort + $ knotc conf-commit + +To set a configuration item value or to add more values or to add a new +section identifier or to add a value to all identified sections:: + + $ knotc conf-set 'server.identity' 'Knot DNS' + $ knotc conf-set 'server.listen' '0.0.0.0@53' '::@53' + $ knotc conf-set 'zone[example.com]' + $ knotc conf-set 'zone.slave' 'slave2' + +.. NOTE:: + Also the include operation can be performed. A non-absolute file + location is relative to the server binary path, not to the control binary + path! + + :: + + $ knotc conf-set 'include' '/tmp/new_zones.conf' + +To unset the whole configuration or to unset the whole configuration section +or to unset an identified section or to unset an item or to unset a specific +item value:: + + $ knotc conf-unset + $ knotc conf-unset 'zone' + $ knotc conf-unset 'zone[example.com]' + $ knotc conf-unset 'zone[example.com].master' + $ knotc conf-unset 'zone[example.com].master' 'remote2' 'remote5' + +To get the change between the current configuration and the active transaction +for the whole configuration or for a specific section or for a specific +identified section or for a specific item:: + + $ knotc conf-diff + $ knotc conf-diff 'zone' + $ knotc conf-diff 'zone[example.com]' + $ knotc conf-diff 'zone[example.com].master' + +An example of possible configuration initialization:: + + $ knotc conf-begin + $ knotc conf-set 'server.listen' '0.0.0.0@53' '::@53' + $ knotc conf-set 'remote[master_server]' + $ knotc conf-set 'remote[master_server].address' '192.168.1.1' + $ knotc conf-set 'template[default]' + $ knotc conf-set 'template[default].storage' '/var/lib/knot/zones/' + $ knotc conf-set 'template[default].master' 'master_server' + $ knotc conf-set 'zone[example.com]' + $ knotc conf-diff + $ knotc conf-commit + +.. _Running a slave server: + +Slave mode +========== + +Running the server as a slave is very straightforward as you usually +bootstrap zones over AXFR and thus avoid any manual zone operations. +In contrast to AXFR, when the incremental transfer finishes, it stores +the differences in the journal file and doesn't update the zone file +immediately but after the :ref:`zone_zonefile-sync` period elapses. + +.. _Running a master server: + +Master mode +=========== + +If you just want to check the zone files before starting, you can use:: + + $ knotc zone-check example.com + +For an approximate estimation of server's memory consumption, you can use:: + + $ knotc zone-memstats example.com + +This action prints the count of resource records, percentage of signed +records and finally estimation of memory consumption for each zone, unless +specified otherwise. Please note that the estimated values may differ from the +actual consumption. Also, for slave servers with incoming transfers +enabled, be aware that the actual memory consumption might be double +or higher during transfers. + +.. _Editing zones: + +Reading and editing zones +========================= + +Knot DNS allows you to read or change zone contents online using server +control interface. + +.. WARNING:: + Avoid concurrent zone file modification, and/or dynamic updates, and/or + zone changing over control interface. Otherwise, the zone could be inconsistent. + +To get contents of all configured zones, or a specific zone contents, or zone +records with a specific owner, or even with a specific record type:: + + $ knotc zone-read -- + $ knotc zone-read example.com + $ knotc zone-read example.com ns1 + $ knotc zone-read example.com ns1 NS + +.. NOTE:: + If the record owner is not a fully qualified domain name, then it is + considered as a relative name to the zone name. + +To start a writing transaction on all zones or on specific zones:: + + $ knotc zone-begin -- + $ knotc zone-begin example.com example.net + +Now you can list all nodes within the transaction using the ```zone-get``` +command, which always returns current data with all changes included. The +command has the same syntax as ```zone-read```. + +Within the transaction, you can add a record to a specific zone or to all +zones with an open transaction:: + + $ knotc zone-set example.com ns1 3600 A 192.168.0.1 + $ knotc zone-set -- ns1 3600 A 192.168.0.1 + +To remove all records with a specific owner, or a specific rrset, or a +specific record data:: + + $ knotc zone-unset example.com ns1 + $ knotc zone-unset example.com ns1 A + $ knotc zone-unset example.com ns1 A 192.168.0.2 + +To see the difference between the original zone and the current version:: + + $ knotc zone-diff example.com + +Finally, either commit or abort your transaction:: + + $ knotc zone-commit example.com + $ knotc zone-abort example.com + +A full example of setting up a completely new zone from scratch:: + + $ knotc conf-begin + $ knotc conf-set zone.domain example.com + $ knotc conf-commit + $ knotc zone-begin example.com + $ knotc zone-set example.com @ 7200 SOA ns hostmaster 1 86400 900 691200 3600 + $ knotc zone-set example.com ns 3600 A 192.168.0.1 + $ knotc zone-set example.com www 3600 A 192.168.0.100 + $ knotc zone-commit example.com + +.. NOTE:: + If quotes are necessary for record data specification, don't forget to escape them:: + + $ knotc zone-set example.com @ 3600 TXT \"v=spf1 a:mail.example.com -all\" + +.. _Editing zone file: + +Reading and editing the zone file safely +======================================== + +It's always possible to read and edit the zone contents via zone file manipulation. +However, it may lead to confusion if zone contents are continuously changing or +in case of operator's mistake. This paragraph describes a safe way to modify zone +by editing the zone file, taking advantage of zone freeze/thaw feature.:: + + $ knotc zone-freeze example.com. + $ while ! knotc zone-status example.com. +freeze | grep -q 'freeze: yes'; do sleep 1; done + $ knotc zone-flush example.com. + +After calling freeze to the zone, there still may be running zone operations (e.g. signing), +causing freeze pending. So we watch the zone status until frozen. Then we can flush the +frozen zone contents. + +Now we open a text editor and perform desired changes to the zone file. It's necessary +to **increase SOA serial** in this step to keep consistency. Finally, we can load the +modified zone file and if successful, thaw the zone.:: + + $ knotc zone-reload example.com. + $ knotc zone-thaw example.com. + +.. _Zone loading: + +Zone loading +============ + +The process how the server loads a zone is influenced by the configuration of the +:ref:`zonefile-load <zone_zonefile-load>` and :ref:`journal-content <zone_journal-content>` +parameters (also DNSSEC signing applies), the existence of a zone file and journal +(and their relative out-of-dateness), and whether it is a cold start of the server +or a zone reload (e.g. invoked by the knotc interface). Please note that zone transfers +are not taken into account here – they are planned after the zone is loaded +(including AXFR bootstrap). + +If the zone file exists and is not excluded by the configuration, it is first loaded +and according to its SOA serial number relevant journal changesets are applied. +If this is a zone reload and we have "`zonefile-load: difference`", the difference +between old and new contents is computed and stored into the journal like an update. +The zone file should be either unchaged since last load or changed with incremented +SOA serial. In the case of a decreased SOA serial, the load is interrupted with +an error; if unchanged, it is increased by the server. + +If the procedure described above succeeds without errors, the resulting zone contents are (after potential DNSSEC signing) +used as the new zone. + +The option "`journal-content: all`" lets the server, beside better performance, to keep +track of the zone contents also across server restarts. It makes the cold start +effectively work like a zone reload with the old contents loaded from the journal +(unless this is the very first start with the zone not yet saved into the journal). + +.. _Journal behaviour: + +Journal behaviour +================= + +The zone journal keeps some history of changes made to the zone. It is useful for +responding to IXFR queries. Also if :ref:`zone file flush <zone_zonefile-sync>` is disabled, +journal keeps diff between the zone file and zone for the case of server shutdown. +The history is stored in changesets – diffs of zone contents between two +(usually subsequent) zone serials. + +Journals of all zones are stored in a common LMDB database. Huge changesets are +split into 70 KiB [#fn-hc]_ blocks to prevent fragmentation of the DB. +Journal does each operation in one transaction to keep consistency of the DB and performance. +The exception is when store transaction exceeds 5 % of the whole DB mapsize, it is split into multiple ones +and some dirty-chunks-management involves. + +Each zone journal has own :ref:`usage limit <zone_max-journal-usage>` +on how much DB space it may occupy. Before hitting the limit, +changesets are stored one-by-one and whole history is linear. While hitting the limit, +the zone is flushed into the zone file, and oldest changesets are deleted as needed to free +some space. Actually, twice [#fn-hc]_ the needed amount is deleted to +prevent too frequent deletes. Further zone file flush is invoked after the journal runs out of deletable +"flushed changesets". + +If :ref:`zone file flush <zone_zonefile-sync>` is disabled, then instead of flushing the zone, the journal tries to +save space by merging older changesets into one. It works well if the changes rewrite +each other, e.g. periodically changing few zone records, re-signing whole zone... +The difference between the zone file and the zone is thus preserved, even if journal deletes some +older changesets. + +If the journal is used to store both zone history and contents, a special changeset +is present with zone contents. When the journal gets full, the changes are merged into this +special changeset. + +There is also a :ref:`safety hard limit <template_max-journal-db-size>` for overall +journal database size, but it's strongly recommended to set the per-zone limits in +a way to prevent hitting this one. For LMDB, it's hard to recover from the +database-full state. For wiping one zone's journal, see *knotc zone-purge +journal* +command. + +.. [#fn-hc] This constant is hardcoded. + +.. _Handling, zone file, journal, changes, serials: + +Handling zone file, journal, changes, serials +============================================= + +Some configuration options regarding the zone file and journal, together with operation +procedures, might lead to unexpected results. This chapter shall point out +some interference and both recommend and warn before some combinations thereof. +Unfortunately, there is no optimal combination of configuration options, +every approach has some disadvantages. + +Example 1 +--------- + +Keep the zone file updated:: + + zonefile-sync: 0 + zonefile-load: whole + journal-content: changes + +This is actually setting default values. The user can always check the current zone +contents in the zonei file, and also modify it (recommended with server turned-off or +taking the :ref:`safe way<Editing zone file>`). Journal serves here just as a source of +history for slaves' IXFR. Some users dislike that the server overwrites their prettily +prepared zone file. + +Example 2 +--------- + +Zonefileless setup:: + + zonefile-sync: -1 + zonefile-load: none + journal-content: all + +Zone contents are stored just in the journal. The zone is updated by DDNS, +zone transfer, or via the control interface. The user might have filled the +zone contents initially from a zone file by setting "zonefile-load: whole" temporarily. +It's also a good setup for slaves. Anyway, it's recommended to carefully tune +the journal-size-related options to avoid surprises of journal getting full. + +Example 3 +--------- + +Input-only zone file:: + + zonefile-sync: -1 + zonefile-load: difference + journal-content: changes + +The user can make changes to the zone by editing the zone file, and his pretty zone file +gets never overwritten and filled with DNSSEC-related autogenerated records – they are +only stored in the journal. + +The zone file's SOA serial must be properly set to a number which is higher than the +current SOA serial in the zone (not in the zone file) if manually updated! + +.. NOTE:: + In the case of "zonefile-load: difference-no-serial", the SOA serial is + handled by the server automatically during server reload. + +.. _DNSSEC Key rollovers: + +DNSSEC key rollovers +==================== + +This section describes the process of DNSSEC key rollover and its implementation +in Knot DNS, and how the operator might watch and check that it's working correctly. +The prerequisite is automatic zone signing with enabled +:ref:`automatic key management<dnssec-automatic-ksk-management>`. + +The KSK and ZSK rollovers are triggered by the respective zone key getting old according +to the settings (see :ref:`KSK<policy_ksk-lifetime>` and :ref:`ZSK<policy_zsk-lifetime>` lifetimes). + +The algorithm rollover happens when the policy :ref:`algorithm<policy_algorithm>` +field is updated to a different value. + +The signing scheme rollover happens when the policy :ref:`singing scheme<policy_single-type-signing>` +field is changed. + +It's also possible to change the algorithm and signing scheme in one rollover. + +The operator may check the next rollover phase time by watching the next zone signing time, +either in the log or via ``knotc zone-status``. There is no special log for finishing a rollover. + +.. NOTE:: + There are never two key rollovers running in parallel for one zone. If + a rollover is triggered while another is in progress, it waits until the + first one is finished. + +The ZSK rollover is performed with Pre-publish method, KSK rollover uses Double-Signature +scheme, as described in :rfc:`6781`. + +.. _DNSSEC KSK rollover example: + +KSK rollover example +-------------------- + +Let's start with the following set of keys:: + + 2017-10-24T15:40:48 info: [example.com.] DNSSEC, key, tag 4700, algorithm RSASHA256, KSK, public, active + 2017-10-24T15:40:48 info: [example.com.] DNSSEC, key, tag 30936, algorithm RSASHA256, public, active + +The last fields hint the key state: ``public`` denotes a key that will be presented +as the DNSKEY record, ``ready`` means that CDS/CDNSKEY records were created, +``active`` tells us if the key is used for signing. + +Upon the zone's KSK lifetime expiration, the rollover continues along the +lines of :rfc:`6781#section-4.1.2`:: + + 2017-10-24T15:41:17 info: [example.com.] DNSSEC, signing zone + 2017-10-24T15:41:18 info: [example.com.] DNSSEC, KSK rollover started + 2017-10-24T15:41:18 info: [example.com.] DNSSEC, key, tag 6674, algorithm RSASHA256, KSK, public + 2017-10-24T15:41:18 info: [example.com.] DNSSEC, key, tag 4700, algorithm RSASHA256, KSK, public, active + 2017-10-24T15:41:18 info: [example.com.] DNSSEC, key, tag 30936, algorithm RSASHA256, public, active + 2017-10-24T15:41:18 info: [example.com.] DNSSEC, signing started + 2017-10-24T15:41:18 info: [example.com.] DNSSEC, successfully signed + 2017-10-24T15:41:18 info: [example.com.] DNSSEC, next signing at 2017-10-24T15:41:22 + ... + 2017-10-24T15:41:22 info: [example.com.] DNSSEC, signing zone + 2017-10-24T15:41:22 info: [example.com.] DNSSEC, key, tag 4700, algorithm RSASHA256, KSK, public, active + 2017-10-24T15:41:22 info: [example.com.] DNSSEC, key, tag 6674, algorithm RSASHA256, KSK, public, ready, active + 2017-10-24T15:41:22 info: [example.com.] DNSSEC, key, tag 30936, algorithm RSASHA256, public, active + 2017-10-24T15:41:22 info: [example.com.] DNSSEC, signing started + 2017-10-24T15:41:22 info: [example.com.] DNSSEC, successfully signed + 2017-10-24T15:41:22 info: [example.com.] DNSSEC, next signing at 2017-10-24T15:41:23 + 2017-10-24T15:41:22 notice: [example.com.] DNSSEC, KSK submission, waiting for confirmation + +At this point new KSK has to be submitted to the parent zone. Knot detects the updated parent's DS +record automatically (and waits for additional period of the DS's TTL before retiring the old key) +if :ref:`parent DS check<Submission section>` is configured, otherwise the +operator must confirm it manually with ``knotc zone-ksk-submitted``:: + + 2017-10-24T15:41:23 notice: [example.com.] DNSSEC, KSK submission, confirmed + 2017-10-24T15:41:23 info: [example.com.] DNSSEC, signing zone + 2017-10-24T15:41:23 info: [example.com.] DNSSEC, key, tag 6674, algorithm RSASHA256, KSK, public, active + 2017-10-24T15:41:23 info: [example.com.] DNSSEC, key, tag 4700, algorithm RSASHA256, KSK, public, active + 2017-10-24T15:41:23 info: [example.com.] DNSSEC, key, tag 30936, algorithm RSASHA256, public, active + 2017-10-24T15:41:23 info: [example.com.] DNSSEC, signing started + 2017-10-24T15:41:23 info: [example.com.] DNSSEC, zone is up-to-date + 2017-10-24T15:41:23 info: [example.com.] DNSSEC, next signing at 2017-10-24T15:41:28 + ... + 2017-10-24T15:41:28 info: [example.com.] DNSSEC, signing zone + 2017-10-24T15:41:28 info: [example.com.] DNSSEC, key, tag 4700, algorithm RSASHA256, KSK, public + 2017-10-24T15:41:28 info: [example.com.] DNSSEC, key, tag 6674, algorithm RSASHA256, KSK, public, active + 2017-10-24T15:41:28 info: [example.com.] DNSSEC, key, tag 30936, algorithm RSASHA256, public, active + 2017-10-24T15:41:28 info: [example.com.] DNSSEC, signing started + 2017-10-24T15:41:28 info: [example.com.] DNSSEC, successfully signed + 2017-10-24T15:41:28 info: [example.com.] DNSSEC, next signing at 2017-10-24T15:41:33 + ... + 2017-10-24T15:41:33 info: [example.com.] DNSSEC, signing zone + 2017-10-24T15:41:33 info: [example.com.] DNSSEC, key, tag 6674, algorithm RSASHA256, KSK, public, active + 2017-10-24T15:41:33 info: [example.com.] DNSSEC, key, tag 30936, algorithm RSASHA256, public, active + 2017-10-24T15:41:33 info: [example.com.] DNSSEC, signing started + 2017-10-24T15:41:33 info: [example.com.] DNSSEC, successfully signed + 2017-10-24T15:41:33 info: [example.com.] DNSSEC, next signing at 2017-10-24T15:41:47 + +.. TIP:: + If systemd is available, the KSK submission event is logged into journald + in a structured way. The intended use case is to trigger a user-created script. + Example:: + + journalctl -f -t knotd -o json | python3 -c ' + import json, sys + for line in sys.stdin: + k = json.loads(line); + if "KEY_SUBMISSION" in k: + print("%s, zone=%s, keytag=%s" % (k["__REALTIME_TIMESTAMP"], k["ZONE"], k["KEY_SUBMISSION"])) + ' + +Algorithm rollover example +-------------------------- + +Let's start with the following set of keys:: + + 2017-10-24T14:53:06 info: [example.com.] DNSSEC, key, tag 65225, algorithm RSASHA256, KSK, public, active + 2017-10-24T14:53:06 info: [example.com.] DNSSEC, key, tag 47014, algorithm RSASHA256, public, active + +When the zone's DNSSEC policy algorithm is changed to ``ECDSAP256SHA256`` and the +server is reloaded, the rollover continues along the lines of :rfc:`6781#section-4.1.4`:: + + 2017-10-24T14:53:26 info: [example.com.] DNSSEC, algorithm rollover started + 2017-10-24T14:53:26 info: [example.com.] DNSSEC, key, tag 34608, algorithm ECDSAP256SHA256, KSK + 2017-10-24T14:53:26 info: [example.com.] DNSSEC, key, tag 13674, algorithm ECDSAP256SHA256, active + 2017-10-24T14:53:26 info: [example.com.] DNSSEC, key, tag 65225, algorithm RSASHA256, KSK, public, active + 2017-10-24T14:53:26 info: [example.com.] DNSSEC, key, tag 47014, algorithm RSASHA256, public, active + 2017-10-24T14:53:26 info: [example.com.] DNSSEC, signing started + 2017-10-24T14:53:26 info: [example.com.] DNSSEC, successfully signed + 2017-10-24T14:53:26 info: [example.com.] DNSSEC, next signing at 2017-10-24T14:53:34 + ... + 2017-10-24T14:53:34 info: [example.com.] DNSSEC, signing zone + 2017-10-24T14:53:34 info: [example.com.] DNSSEC, key, tag 34608, algorithm ECDSAP256SHA256, KSK, public, active + 2017-10-24T14:53:34 info: [example.com.] DNSSEC, key, tag 13674, algorithm ECDSAP256SHA256, public, active + 2017-10-24T14:53:34 info: [example.com.] DNSSEC, key, tag 65225, algorithm RSASHA256, KSK, public, active + 2017-10-24T14:53:34 info: [example.com.] DNSSEC, key, tag 47014, algorithm RSASHA256, public, active + 2017-10-24T14:53:34 info: [example.com.] DNSSEC, signing started + 2017-10-24T14:53:34 info: [example.com.] DNSSEC, successfully signed + 2017-10-24T14:53:34 info: [example.com.] DNSSEC, next signing at 2017-10-24T14:53:44 + ... + 2017-10-24T14:53:44 info: [example.com.] DNSSEC, signing zone + 2017-10-24T14:53:44 info: [example.com.] DNSSEC, key, tag 34608, algorithm ECDSAP256SHA256, KSK, public, ready, active + 2017-10-24T14:53:44 info: [example.com.] DNSSEC, key, tag 13674, algorithm ECDSAP256SHA256, public, active + 2017-10-24T14:53:44 info: [example.com.] DNSSEC, key, tag 65225, algorithm RSASHA256, KSK, public, active + 2017-10-24T14:53:44 info: [example.com.] DNSSEC, key, tag 47014, algorithm RSASHA256, public, active + 2017-10-24T14:53:44 info: [example.com.] DNSSEC, signing started + 2017-10-24T14:53:44 info: [example.com.] DNSSEC, successfully signed + 2017-10-24T14:53:44 info: [example.com.] DNSSEC, next signing at 2017-10-31T13:52:37 + 2017-10-24T14:53:44 notice: [example.com.] DNSSEC, KSK submission, waiting for confirmation + +Again, KSK submission follows as in :ref:`KSK rollover example<DNSSEC ksk rollover example>`:: + + 2017-10-24T14:54:20 notice: [example.com.] DNSSEC, KSK submission, confirmed + 2017-10-24T14:54:20 info: [example.com.] DNSSEC, signing zone + 2017-10-24T14:54:20 info: [example.com.] DNSSEC, key, tag 34608, algorithm ECDSAP256SHA256, KSK, public, active + 2017-10-24T14:54:20 info: [example.com.] DNSSEC, key, tag 13674, algorithm ECDSAP256SHA256, public, active + 2017-10-24T14:54:20 info: [example.com.] DNSSEC, key, tag 65225, algorithm RSASHA256, KSK, public, active + 2017-10-24T14:54:20 info: [example.com.] DNSSEC, key, tag 47014, algorithm RSASHA256, public, active + 2017-10-24T14:54:20 info: [example.com.] DNSSEC, signing started + 2017-10-24T14:54:21 info: [example.com.] DNSSEC, zone is up-to-date + 2017-10-24T14:54:21 info: [example.com.] DNSSEC, next signing at 2017-10-24T14:54:30 + ... + 2017-10-24T14:54:30 info: [example.com.] DNSSEC, signing zone + 2017-10-24T14:54:30 info: [example.com.] DNSSEC, key, tag 34608, algorithm ECDSAP256SHA256, KSK, public, active + 2017-10-24T14:54:30 info: [example.com.] DNSSEC, key, tag 13674, algorithm ECDSAP256SHA256, public, active + 2017-10-24T14:54:30 info: [example.com.] DNSSEC, key, tag 65225, algorithm RSASHA256, KSK + 2017-10-24T14:54:30 info: [example.com.] DNSSEC, key, tag 47014, algorithm RSASHA256, active + 2017-10-24T14:54:30 info: [example.com.] DNSSEC, signing started + 2017-10-24T14:54:30 info: [example.com.] DNSSEC, successfully signed + 2017-10-24T14:54:30 info: [example.com.] DNSSEC, next signing at 2017-10-24T14:54:40 + ... + 2017-10-24T14:54:40 info: [example.com.] DNSSEC, signing zone + 2017-10-24T14:54:40 info: [example.com.] DNSSEC, key, tag 34608, algorithm ECDSAP256SHA256, KSK, public, active + 2017-10-24T14:54:40 info: [example.com.] DNSSEC, key, tag 13674, algorithm ECDSAP256SHA256, public, active + 2017-10-24T14:54:40 info: [example.com.] DNSSEC, signing started + 2017-10-24T14:54:40 info: [example.com.] DNSSEC, successfully signed + 2017-10-24T14:54:40 info: [example.com.] DNSSEC, next signing at 2017-10-31T13:53:26 + +.. _DNSSEC Shared KSK: + +DNSSEC shared KSK +================= + +Knot DNS allows, with automatic DNSSEC key management, to configure a shared KSK for multiple zones. +By enabling :ref:`policy_ksk-shared`, we tell Knot to share all newly-created KSKs +among all the zones with the same :ref:`DNSSEC signing policy<Policy section>` assigned. + +The feature works as follows. Each zone still manages its keys separately. If a new KSK shall be +generated for the zone, it first checks if it can grab another zone's shared KSK instead - +that is the last generated KSK in any of the zones with the same policy assigned. +Anyway, only the cryptographic material is shared, the key may have different timers +in each zone. + +.. rubric:: Consequences: + +If we have an initial setting with brand new zones without any DNSSEC keys, +the initial keys for all zones are generated. With shared KSK, they will all have the same KSK, +but different ZSKs. The KSK rollovers may take place at slightly different time for each of the zones, +but the resulting new KSK will be shared again among all of them. + +If we have zones already having their keys, turning on the shared KSK feature triggers no action. +But when a KSK rollover takes place, they will use the same new key afterwards. + +.. _DNSSEC Delete algorithm: + +DNSSEC delete algorithm +======================= + +This is a way how to "disconnect" a signed zone from DNSSEC-aware parent zone. +More precisely, we tell the parent zone to remove our zone's DS record by +publishing a special formatted CDNSKEY and CDS record. This is mostly useful +if we want to turn off DNSSEC on our zone so it becomes insecure, but not bogus. + +With automatic DNSSEC signing and key management by Knot, this is as easy as +configuring :ref:`policy_cds-cdnskey-publish` option and reloading the configuration. +We check if the special CDNSKEY and CDS records with the rdata "0 3 0 AA==" and "0 0 0 00", +respectively, appeared in the zone. + +After the parent zone notices and reflects the change, we wait for TTL expire +(so all resolvers' caches get updated), and finally we may do anything with the +zone, e.g. turning off DNSSEC, removing all the keys and signatures as desired. + +.. _DNSSEC Export Import KASP DB: + +Export/import KASP DB +====================== + +If you would like make a backup of your KASP DB or transfer your cryptographic +keys to a different server, +you may utilize the ``mdb_dump`` and ``mdb_load`` tools provided by the +`lmdb-utils <https://packages.ubuntu.com/bionic/lmdb-utils>`_ +package on Ubuntu and Debian or by the `lmdb <https://rpms.remirepo.net/rpmphp/zoom.php?rpm=lmdb>`_ +package on Fedora, CentOS and RHEL. +These tools allow you to convert the contents of any LMDB database to a portable plain text format +which can be imported to any other LMDB database. Note that the `keys` subdirectory of the +:ref:`template_kasp-db` directory containing the \*.pem files has to be copied separately. + +.. NOTE:: + Make sure to freeze DNSSEC events on a running server prior to applying the following + commands to its KASP DB. Use the ``knotc zone-freeze`` and ``knotc zone-thaw`` commands + as described in :ref:`Editing zone file`. + +Use the ``mdb_dump -a`` command with the configured :ref:`template_kasp-db` directory +as an argument to convert the contents of the LMDB database to a portable text format: + +.. code-block:: console + + $ mdb_dump -a /path/to/keys + +Save the output of the command to a text file. You may then import the file +into a different LMDB database using the ``mdb_load -f`` command, supplying the path +to the file and the path to the database directory as arguments: + +.. code-block:: console + + $ mdb_load -f /path/to/dump_file /path/to/keys + +.. NOTE:: + Depending on your use case, it might be necessary to call ``knotc zone-sign`` + (e.g. to immediately sign the zones with the new imported keys) or ``knotc zone-reload`` + (e.g. to refresh DNSSEC signatures generated by the :ref:`geoip module<mod-geoip>`) + after importing new content into the KASP DB of a running server. + +.. _Controlling running daemon: + +Daemon controls +=============== + +Knot DNS was designed to allow server reconfiguration on-the-fly +without interrupting its operation. Thus it is possible to change +both configuration and zone files and also add or remove zones without +restarting the server. This can be done with:: + + $ knotc reload + +If you want to refresh the slave zones, you can do this with:: + + $ knotc zone-refresh + +.. _Statistics: + +Statistics +========== + +The server provides some general statistics and optional query module statistics +(see :ref:`mod-stats<mod-stats>`). + +Server statistics or global module statistics can be shown by:: + + $ knotc stats + $ knotc stats server # Show all server counters + $ knotc stats mod-stats # Show all mod-stats counters + $ knotc stats server.zone-count # Show specific server counter + +Per zone statistics can be shown by:: + + $ knotc zone-stats example.com mod-stats + +To show all supported counters even with 0 value use the force option. + +A simple periodic statistic dumping to a YAML file can also be enabled. See +:ref:`statistics_section` for the configuration details. + +As the statistics data can be accessed over the server control socket, +it is possible to create an arbitrary script (Python is supported at the moment) +which could, for example, publish the data in the JSON format via HTTP(S) +or upload the data to a more efficient time series database. Take a look into +the python folder of the project for these scripts. diff --git a/doc/reference.rst b/doc/reference.rst new file mode 100644 index 0000000..93bca65 --- /dev/null +++ b/doc/reference.rst @@ -0,0 +1,1558 @@ +.. highlight:: none +.. _Configuration Reference: + +*********************** +Configuration Reference +*********************** + +.. _Description: + +Description +=========== + +Configuration files for Knot DNS use simplified YAML format. Simplified means +that not all of the features are supported. + +For the description of configuration items, we have to declare a meaning of +the following symbols: + +- *INT* – Integer +- *STR* – Textual string +- *HEXSTR* – Hexadecimal string (with ``0x`` prefix) +- *BOOL* – Boolean value (``on``/``off`` or ``true``/``false``) +- *TIME* – Number of seconds, an integer with possible time multiplier suffix + (``s`` ~ 1, ``m`` ~ 60, ``h`` ~ 3600 or ``d`` ~ 24 * 3600) +- *SIZE* – Number of bytes, an integer with possible size multiplier suffix + (``B`` ~ 1, ``K`` ~ 1024, ``M`` ~ 1024^2 or ``G`` ~ 1024^3) +- *BASE64* – Base64 encoded string +- *ADDR* – IPv4 or IPv6 address +- *DNAME* – Domain name +- ... – Multi-valued item, order of the values is preserved +- [ ] – Optional value +- \| – Choice + +There are 12 main sections (``module``, ``server``, ``control``, ``log``, +``statistics``, ``keystore``, ``policy``, ``key``, ``acl``, ``remote``, +``template``, and ``zone``) and module sections with the ``mod-`` prefix. +Most of the sections (excluding ``server``, ``control``, and ``statistics``) +are sequences of settings blocks. Each settings block begins with a unique identifier, +which can be used as a reference from other sections (such identifier +must be defined in advance). + +A multi-valued item can be specified either as a YAML sequence:: + + address: [10.0.0.1, 10.0.0.2] + +or as more single-valued items each on an extra line:: + + address: 10.0.0.1 + address: 10.0.0.2 + +If an item value contains spaces or other special characters, it is necessary +to enclose such value within double quotes ``"`` ``"``. + +.. _Comments: + +Comments +======== + +A comment begins with a ``#`` character and is ignored during processing. +Also each configuration section or sequence block allows a permanent +comment using the ``comment`` item which is stored in the server beside the +configuration. + +.. _Includes: + +Includes +======== + +Another configuration file or files, matching a pattern, can be included at +the top level in the current file. If the path is not absolute, then it +is considered to be relative to the current file. The pattern can be +an arbitrary string meeting POSIX *glob* requirements, e.g. dir/\*.conf. +Matching files are processed in sorted order. + +:: + + include: STR + +.. _Module section: + +Module section +============== + +Dynamic modules loading configuration. + +.. NOTE:: + If configured with non-empty ```--with-moduledir=path``` parameter, all + shared modules in this directory will be automatically loaded. + +:: + + module: + - id: STR + file: STR + +.. _module_id: + +id +-- + +A module identifier in the form of the ``mod-`` prefix and module name suffix. + +.. _module_file: + +file +---- + +A path to a shared library file with the module implementation. + +*Default:* ``${libdir}/knot/modules-${version}``/module_name.so +(or ``${path}``/module_name.so if configured with ``--with-moduledir=path``) + +.. WARNING:: + If the path is not absolute, the library is searched in the set of + system directories. See ``man dlopen`` for more details. + +.. _Server section: + +Server section +============== + +General options related to the server. + +:: + + server: + identity: [STR] + version: [STR] + nsid: [STR|HEXSTR] + rundir: STR + user: STR[:STR] + pidfile: STR + udp-workers: INT + tcp-workers: INT + background-workers: INT + async-start: BOOL + tcp-handshake-timeout: TIME + tcp-idle-timeout: TIME + tcp-reply-timeout: TIME + max-tcp-clients: INT + max-udp-payload: SIZE + max-ipv4-udp-payload: SIZE + max-ipv6-udp-payload: SIZE + edns-client-subnet: BOOL + answer-rotation: BOOL + listen: ADDR[@INT] ... + +.. _server_identity: + +identity +-------- + +An identity of the server returned in the response to the query for TXT +record ``id.server.`` or ``hostname.bind.`` in the CHAOS class (:rfc:`4892`). +Set empty value to disable. + +*Default:* FQDN hostname + +.. _server_version: + +version +------- + +A version of the server software returned in the response to the query +for TXT record ``version.server.`` or ``version.bind.`` in the CHAOS +class (:rfc:`4892`). Set empty value to disable. + +*Default:* server version + +.. _server_nsid: + +nsid +---- + +A DNS name server identifier (:rfc:`5001`). Set empty value to disable. + +*Default:* FQDN hostname + +.. _server_rundir: + +rundir +------ + +A path for storing run-time data (PID file, unix sockets, etc.). + +*Default:* ``${localstatedir}/run/knot`` (configured with ``--with-rundir=path``) + +.. _server_user: + +user +---- + +A system user with an optional system group (``user:group``) under which the +server is run after starting and binding to interfaces. Linux capabilities +are employed if supported. + +*Default:* root:root + +.. _server_pidfile: + +pidfile +------- + +A PID file location. + +*Default:* :ref:`rundir<server_rundir>`/knot.pid + +.. _server_udp-workers: + +udp-workers +----------- + +A number of UDP workers (threads) used to process incoming queries +over UDP. + +*Default:* auto-estimated optimal value based on the number of online CPUs + +.. _server_tcp-workers: + +tcp-workers +----------- + +A number of TCP workers (threads) used to process incoming queries +over TCP. + +*Default:* auto-estimated optimal value based on the number of online CPUs + +.. _server_background-workers: + +background-workers +------------------ + +A number of workers (threads) used to execute background operations (zone +loading, zone updates, etc.). + +*Default:* auto-estimated optimal value based on the number of online CPUs + +.. _server_async-start: + +async-start +----------- + +If enabled, server doesn't wait for the zones to be loaded and starts +responding immediately with SERVFAIL answers until the zone loads. + +*Default:* off + +.. _server_tcp-handshake-timeout: + +tcp-handshake-timeout +--------------------- + +Maximum time between newly accepted TCP connection and the first query. +This is useful to disconnect inactive connections faster than connections +that already made at least 1 meaningful query. + +*Default:* 5 + +.. _server_tcp-idle-timeout: + +tcp-idle-timeout +---------------- + +Maximum idle time between requests on a TCP connection. This also limits +receiving of a single query, each query must be received in this time limit. + +*Default:* 20 + +.. _server_tcp-reply-timeout: + +tcp-reply-timeout +----------------- + +Maximum time to wait for an outgoing connection or for a reply to an issued +request (SOA, NOTIFY, AXFR...). + +*Default:* 10 + +.. _server_max-tcp-clients: + +max-tcp-clients +--------------- + +A maximum number of TCP clients connected in parallel, set this below the file +descriptor limit to avoid resource exhaustion. + +*Default:* 100 + +.. _server_max-udp-payload: + +max-udp-payload +--------------- + +Maximum EDNS0 UDP payload size default for both IPv4 and IPv6. + +*Default:* 4096 + +.. _server_max-ipv4-udp-payload: + +max-ipv4-udp-payload +-------------------- + +Maximum EDNS0 UDP payload size for IPv4. + +*Default:* 4096 + +.. _server_max-ipv6-udp-payload: + +max-ipv6-udp-payload +-------------------- + +Maximum EDNS0 UDP payload size for IPv6. + +*Default:* 4096 + +.. _server_edns-client-subnet: + +edns-client-subnet +------------------ + +Enable or disable EDNS Client Subnet support. If enabled, responses to queries +containing the EDNS Client Subnet option +always contain a valid EDNS Client Subnet option according to :rfc:`7871`. + +*Default:* off + +.. _server_answer-rotation: + +answer-rotation +--------------- + +Enable or disable sorted-rrset rotation in the answer section of normal replies. +The rotation shift is simply determined by a query ID. + +*Default:* off + +.. _server_listen: + +listen +------ + +One or more IP addresses where the server listens for incoming queries. +Optional port specification (default is 53) can be appended to each address +using ``@`` separator. Use ``0.0.0.0`` for all configured IPv4 addresses or +``::`` for all configured IPv6 addresses. + +*Default:* not set + +.. _Key section: + +Key section +=========== + +Shared TSIG keys used to authenticate communication with the server. + +:: + + key: + - id: DNAME + algorithm: hmac-md5 | hmac-sha1 | hmac-sha224 | hmac-sha256 | hmac-sha384 | hmac-sha512 + secret: BASE64 + +.. _key_id: + +id +-- + +A key name identifier. + +.. NOTE:: + This value MUST be exactly the same as the name of the TSIG key on the + opposite master/slave server(s). + +.. _key_algorithm: + +algorithm +--------- + +A TSIG key algorithm. See +`TSIG Algorithm Numbers <https://www.iana.org/assignments/tsig-algorithm-names/tsig-algorithm-names.xhtml>`_. + +Possible values: + +- ``hmac-md5`` +- ``hmac-sha1`` +- ``hmac-sha224`` +- ``hmac-sha256`` +- ``hmac-sha384`` +- ``hmac-sha512`` + +*Default:* not set + +.. _key_secret: + +secret +------ + +Shared key secret. + +*Default:* not set + +.. _ACL section: + +ACL section +=========== + +Access control list rule definitions. The ACLs are used to match incoming +connections to allow or deny requested operation (zone transfer request, DDNS +update, etc.). + +:: + + acl: + - id: STR + address: ADDR[/INT] | ADDR-ADDR ... + key: key_id ... + action: notify | transfer | update ... + deny: BOOL + +.. _acl_id: + +id +-- + +An ACL rule identifier. + +.. _acl_address: + +address +------- + +An ordered list of IP addresses, network subnets, or network ranges. The query +must match one of them. Empty value means that address match is not required. + +*Default:* not set + +.. _acl_key: + +key +--- + +An ordered list of :ref:`reference<key_id>`\ s to TSIG keys. The query must +match one of them. Empty value means that transaction authentication is not used. + +*Default:* not set + +.. _acl_action: + +action +------ + +An ordered list of allowed (or denied) actions. + +Possible values: + +- ``notify`` – Allow incoming notify. +- ``transfer`` – Allow zone transfer. +- ``update`` – Allow zone updates. + +*Default:* not set + +.. _acl_deny: + +deny +---- + +If enabled, instead of allowing, deny the specified :ref:`action<acl_action>`, +:ref:`address<acl_address>`, :ref:`key<acl_key>`, or combination if these +items. If no action is specified, deny all actions. + +*Default:* off + +.. _Control section: + +Control section +=============== + +Configuration of the server control interface. + +:: + + control: + listen: STR + timeout: TIME + +.. _control_listen: + +listen +------ + +A UNIX socket path where the server listens for control commands. + +*Default:* :ref:`rundir<server_rundir>`/knot.sock + +.. _control_timeout: + +timeout +------- + +Maximum time the control socket operations can take. Set 0 for infinity. + +*Default:* 5 + +.. _statistics_section: + +Statistics section +================== + +Periodic server statistics dumping. + +:: + + statistics: + timer: TIME + file: STR + append: BOOL + +.. _statistics_timer: + +timer +----- + +A period after which all available statistics metrics will by written to the +:ref:`file<statistics_file>`. + +*Default:* not set + +.. _statistics_file: + +file +---- + +A file path of statistics output in the YAML format. + +*Default:* :ref:`rundir<server_rundir>`/stats.yaml + +.. _statistics_append: + +append +------ + +If enabled, the output will be appended to the :ref:`file<statistics_file>` +instead of file replacement. + +*Default:* off + +.. _Keystore section: + +Keystore section +================ + +DNSSEC keystore configuration. + +:: + + keystore: + - id: STR + backend: pem | pkcs11 + config: STR + +.. _keystore_id: + +id +-- + +A keystore identifier. + + +.. _keystore_backend: + +backend +------- + +A key storage backend type. + +Possible values: + +- ``pem`` – PEM files. +- ``pkcs11`` – PKCS #11 storage. + +*Default:* pem + +.. _keystore_config: + +config +------ + +A backend specific configuration. A directory with PEM files (the path can +be specified as a relative path to :ref:`kasp-db<template_kasp-db>`) or +a configuration string for PKCS #11 storage (`<pkcs11-url> <module-path>`). + +.. NOTE:: + Example configuration string for PKCS #11:: + + "pkcs11:token=knot;pin-value=1234 /usr/lib64/pkcs11/libsofthsm2.so" + +*Default:* :ref:`kasp-db<template_kasp-db>`/keys + +.. _Submission section: + +Submission section +================== + +Parameters of KSK submission checks. + +:: + + submission: + - id: STR + parent: remote_id ... + check-interval: TIME + timeout: TIME + +.. _submission_id: + +id +-- + +A submission identifier. + +.. _submission_parent: + +parent +------ + +A list of :ref:`references<remote_id>` to parent's DNS servers to be checked for +presence of corresponding DS records in the case of KSK submission. All of them must +have a corresponding DS for the rollover to continue. If none is specified, the +rollover must be pushed forward manually. + +*Default:* not set + +.. TIP:: + A DNSSEC-validating resolver can be set as a parent. + +.. _submission_check-interval: + +check-interval +-------------- + +Interval for periodic checks of DS presence on parent's DNS servers, in the +case of the KSK submission. + +*Default:* 1 hour + +.. _submission_timeout: + +timeout +------- + +After this period, the KSK submission is automatically considered successful, even +if all the checks were negative or no parents are configured. Set 0 for infinity. + +*Default:* 0 + +.. _Policy section: + +Policy section +============== + +DNSSEC policy configuration. + +:: + + policy: + - id: STR + keystore: STR + manual: BOOL + single-type-signing: BOOL + algorithm: rsasha1 | rsasha1-nsec3-sha1 | rsasha256 | rsasha512 | ecdsap256sha256 | ecdsap384sha384 | ed25519 + ksk-size: SIZE + zsk-size: SIZE + ksk-shared: BOOL + dnskey-ttl: TIME + zsk-lifetime: TIME + ksk-lifetime: TIME + propagation-delay: TIME + rrsig-lifetime: TIME + rrsig-refresh: TIME + nsec3: BOOL + nsec3-iterations: INT + nsec3-opt-out: BOOL + nsec3-salt-length: INT + nsec3-salt-lifetime: TIME + ksk-submission: submission_id + cds-cdnskey-publish: none | delete-dnssec | rollover | always + +.. _policy_id: + +id +-- + +A policy identifier. + +.. _policy_keystore: + +keystore +-------- + +A :ref:`reference<keystore_id>` to a keystore holding private key material +for zones. A special *default* value can be used for the default keystore settings. + +*Default:* default + +.. _policy_manual: + +manual +------ + +If enabled, automatic key management is not used. + +*Default:* off + +.. _policy_single-type-signing: + +single-type-signing +------------------- + +If enabled, Single-Type Signing Scheme is used in the automatic key management +mode. + +*Default:* off + +.. _policy_algorithm: + +algorithm +--------- + +An algorithm of signing keys and issued signatures. See +`DNSSEC Algorithm Numbers <https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1>`_. + +Possible values: + +- ``rsasha1`` +- ``rsasha1-nsec3-sha1`` +- ``rsasha256`` +- ``rsasha512`` +- ``ecdsap256sha256`` +- ``ecdsap384sha384`` +- ``ed25519`` + +*Default:* ecdsap256sha256 + +.. NOTE:: + Ed25519 algorithm is only available when compiled with GnuTLS 3.6.0+. + +.. _policy_ksk-size: + +ksk-size +-------- + +A length of newly generated :abbr:`KSK (Key Signing Key)` or +:abbr:`CSK (Combined Signing Key)` keys. + +*Default:* 2048 (rsa*), 256 (ecdsap256), 384 (ecdsap384), 256 (ed25519) + +.. _policy_zsk-size: + +zsk-size +-------- + +A length of newly generated :abbr:`ZSK (Zone Signing Key)` keys. + +*Default:* see default for :ref:`ksk-size<policy_ksk-size>` + +.. _policy_ksk-shared: + +ksk-shared +---------- + +If enabled, all zones with this policy assigned will share one KSK. + +*Default:* off + +dnskey-ttl +---------- + +A TTL value for DNSKEY records added into zone apex. + +*Default:* zone SOA TTL + +.. NOTE:: + Has infuence over ZSK key lifetime. + +.. _policy_zsk-lifetime: + +zsk-lifetime +------------ + +A period between ZSK publication and the next rollover initiation. + +*Default:* 30 days + +.. NOTE:: + ZSK key lifetime is also infuenced by propagation-delay and dnskey-ttl + + Zero (aka infinity) value causes no ZSK rollover as a result. + +.. _policy_ksk-lifetime: + +ksk-lifetime +------------ + +A period between KSK publication and the next rollover initiation. + +*Default:* 0 + +.. NOTE:: + KSK key lifetime is also infuenced by propagation-delay, dnskey-ttl, + and KSK submission delay. + + Zero (aka infinity) value causes no KSK rollover as a result. + + This applies for CSK lifetime if single-type-signing is enabled. + +.. _policy_propagation-delay: + +propagation-delay +----------------- + +An extra delay added for each key rollover step. This value should be high +enough to cover propagation of data from the master server to all slaves. + +*Default:* 1 hour + +.. NOTE:: + Has infuence over ZSK key lifetime. + +.. _policy_rrsig-lifetime: + +rrsig-lifetime +-------------- + +A validity period of newly issued signatures. + +*Default:* 14 days + +.. _policy_rrsig-refresh: + +rrsig-refresh +------------- + +A period how long before a signature expiration the signature will be refreshed. + +*Default:* 7 days + +.. _policy_nsec: + +nsec3 +----- + +Specifies if NSEC3 will be used instead of NSEC. + +*Default:* off + +.. _policy_nsec3-iterations: + +nsec3-iterations +---------------- + +A number of additional times the hashing is performed. + +*Default:* 5 + +.. _policy_nsec3-opt-out: + +nsec3-opt-out +------------- + +If set, NSEC3 records won't be created for insecure delegations. +This speeds up the zone signing and reduces overall zone size. + +.. WARNING:: + NSEC3 with the Opt-Out bit set no longer works as a proof of non-existence + in this zone. + +*Default:* off + +.. _policy_nsec3-salt-length: + +nsec3-salt-length +----------------- + +A length of a salt field in octets, which is appended to the original owner +name before hashing. + +*Default:* 8 + +.. _policy_nsec3-salt-lifetime: + +nsec3-salt-lifetime +------------------- + +A validity period of newly issued salt field. + +*Default:* 30 days + +.. _policy_ksk-submission-check: + +ksk-submission +-------------- + +A reference to :ref:`submission<submission_id>` section holding parameters of +KSK submittion checks. + +*Default:* not set + +.. _policy_cds-cdnskey-publish: + +cds-cdnskey-publish +------------------- + +Controls if and how shall the CDS and CDNSKEY be published in the zone. + +.. NOTE:: + This only applies if the zone keys are automatically managed by the server. + +Possible values: + +- ``none`` – Never publish any CDS or CDNSKEY records in the zone. +- ``delete-dnssec`` – Publish special CDS and CDNSKEY records indicating turning off DNSSEC. +- ``rollover`` – Publish CDS and CDNSKEY records only in the submission phase of KSK rollover. +- ``always`` – Always publish CDS and CDNSKEY records for the current KSK. + +*Default:* always + +.. _Remote section: + +Remote section +============== + +Definitions of remote servers for outgoing connections (source of a zone +transfer, target for a notification, etc.). + +:: + + remote: + - id: STR + address: ADDR[@INT] ... + via: ADDR[@INT] ... + key: key_id + +.. _remote_id: + +id +-- + +A remote identifier. + +.. _remote_address: + +address +------- + +An ordered list of destination IP addresses which are used for communication +with the remote server. The addresses are tried in sequence unless the +operation is successful. Optional destination port (default is 53) +can be appended to the address using ``@`` separator. + +*Default:* not set + +.. _remote_via: + +via +--- + +An ordered list of source IP addresses. The first address with the same family +as the destination address is used. Optional source port (default is random) +can be appended to the address using ``@`` separator. + +*Default:* not set + +.. _remote_key: + +key +--- + +A :ref:`reference<key_id>` to the TSIG key which is used to authenticate +the communication with the remote server. + +*Default:* not set + +.. _Template section: + +Template section +================ + +A template is a shareable zone setting which can be used for configuration of +many zones in one place. A special default template (with the *default* identifier) +can be used for global querying configuration or as an implicit configuration +if a zone doesn't have another template specified. + +:: + + template: + - id: STR + timer-db: STR + max-timer-db-size: SIZE + journal-db: STR + journal-db-mode: robust | asynchronous + max-journal-db-size: SIZE + kasp-db: STR + max-kasp-db-size: SIZE + global-module: STR/STR ... + # All zone options (excluding 'template' item) + +.. _template_id: + +id +-- + +A template identifier. + +.. _template_timer-db: + +timer-db +-------- + +Specifies a path of the persistent timer database. The path can be specified +as a relative path to the *default* template :ref:`storage<zone_storage>`. + +.. NOTE:: + This option is only available in the *default* template. + +*Default:* :ref:`storage<zone_storage>`/timers + +.. _template_max-timer-db-size: + +max-timer-db-size +----------------- + +Hard limit for the timer database maximum size. + +.. NOTE:: + This option is only available in the *default* template. + +*Default:* 100 MiB + +.. _template_journal-db: + +journal-db +---------- + +Specifies a path of the persistent journal database. The path can be specified +as a relative path to the *default* template :ref:`storage<zone_storage>`. + +.. NOTE:: + This option is only available in the *default* template. + +*Default:* :ref:`storage<zone_storage>`/journal + +.. _template_journal-db-mode: + +journal-db-mode +--------------- + +Specifies journal LMDB backend configuration, which influences performance +and durability. + +Possible values: + +- ``robust`` – The journal DB disk sychronization ensures DB durability but is + generally slower. +- ``asynchronous`` – The journal DB disk synchronization is optimized for + better performance at the expense of lower DB durability; this mode is + recommended only on slave nodes with many zones. + +.. NOTE:: + This option is only available in the *default* template. + +*Default:* robust + +.. _template_max-journal-db-size: + +max-journal-db-size +------------------- + +Hard limit for the common journal DB. There is no cleanup logic in journal +to recover from reaching this limit: journal simply starts refusing changes +across all zones. Decreasing this value has no effect if lower than actual +DB file size. + +It is recommended to limit :ref:`max-journal-usage<zone_max-journal-usage>` +per-zone instead of max-journal-size in most cases. Please keep this value +larger than the sum of all zones' journal usage limits. See more details +regarding :ref:`journal behaviour<Journal behaviour>`. + +This value also influences server's usage of virtual memory. + +.. NOTE:: + This option is only available in the *default* template. + +*Default:* 20 GiB (1 GiB for 32-bit) + +.. _template_kasp-db: + +kasp-db +------- + +A KASP database path. Non-absolute path is relative to +:ref:`storage<zone_storage>`. + +*Default:* :ref:`storage<zone_storage>`/keys + +.. NOTE:: + This option is only available in the *default* template. + +.. _template_max-kasp-db-size: + +max-kasp-db-size +---------------- + +Hard limit for the KASP database maximum size. + +.. NOTE:: + This option is only available in the *default* template. + +*Default:* 500 MiB + +.. _template_global-module: + +global-module +------------- + +An ordered list of references to query modules in the form of *module_name* or +*module_name/module_id*. These modules apply to all queries. + +.. NOTE:: + This option is only available in the *default* template. + +*Default:* not set + +.. _Zone section: + +Zone section +============ + +Definition of zones served by the server. + +:: + + zone: + - domain: DNAME + template: template_id + storage: STR + file: STR + master: remote_id ... + ddns-master: remote_id + notify: remote_id ... + acl: acl_id ... + semantic-checks: BOOL + disable-any: BOOL + zonefile-sync: TIME + zonefile-load: none | difference | difference-no-serial | whole + journal-content: none | changes | all + max-journal-usage: SIZE + max-journal-depth: INT + max-zone-size : SIZE + dnssec-signing: BOOL + dnssec-policy: STR + request-edns-option: INT:[HEXSTR] + serial-policy: increment | unixtime | dateserial + min-refresh-interval: TIME + max-refresh-interval: TIME + module: STR/STR ... + +.. _zone_domain: + +domain +------ + +A zone name identifier. + +.. _zone_template: + +template +-------- + +A :ref:`reference<template_id>` to a configuration template. + +*Default:* not set or *default* (if the template exists) + +.. _zone_storage: + +storage +------- + +A data directory for storing zone files, journal database, and timers database. + +*Default:* ``${localstatedir}/lib/knot`` (configured with ``--with-storage=path``) + +.. _zone_file: + +file +---- + +A path to the zone file. Non-absolute path is relative to +:ref:`storage<zone_storage>`. It is also possible to use the following formatters: + +- ``%c[``\ *N*\ ``]`` or ``%c[``\ *N*\ ``-``\ *M*\ ``]`` – Means the *N*\ th + character or a sequence of characters beginning from the *N*\ th and ending + with the *M*\ th character of the textual zone name (see ``%s``). The + indexes are counted from 0 from the left. All dots (including the terminal + one) are considered. If the character is not available, the formatter has no effect. +- ``%l[``\ *N*\ ``]`` – Means the *N*\ th label of the textual zone name + (see ``%s``). The index is counted from 0 from the right (0 ~ TLD). + If the label is not available, the formatter has no effect. +- ``%s`` – Means the current zone name in the textual representation. + The zone name doesn't include the terminating dot (the result for the root + zone is the empty string!). +- ``%%`` – Means the ``%`` character. + +.. WARNING:: + Beware of special characters which are escaped or encoded in the \\DDD form + where DDD is corresponding decimal ASCII code. + +*Default:* :ref:`storage<zone_storage>`/``%s``\ .zone + +.. _zone_master: + +master +------ + +An ordered list of :ref:`references<remote_id>` to zone master servers. + +*Default:* not set + +.. _zone_ddns-master: + +ddns-master +----------- + +A :ref:`reference<remote_id>` to zone primary master server. +If not specified, the first :ref:`master<zone_master>` server is used. + +*Default:* not set + +.. _zone_notify: + +notify +------ + +An ordered list of :ref:`references<remote_id>` to remotes to which notify +message is sent if the zone changes. + +*Default:* not set + +.. _zone_acl: + +acl +--- + +An ordered list of :ref:`references<acl_id>` to ACL rules which can allow +or disallow zone transfers, updates or incoming notifies. + +*Default:* not set + +.. _zone_semantic-checks: + +semantic-checks +--------------- + +If enabled, extra zone semantic checks are turned on. + +Several checks are enabled by default and cannot be turned off. An error in +mandatory checks causes zone not to be loaded. An error in extra checks is +logged only. + +Mandatory checks: + +- SOA record missing in the zone (:rfc:`1034`) +- An extra record together with CNAME record except for RRSIG and DS (:rfc:`1034`) +- Multiple CNAME record with the same owner +- DNAME record having a record under it (:rfc:`2672`) + +Extra checks: + +- Missing NS record at the zone apex +- Missing glue A or AAAA record +- Invalid DNSKEY, DS, or NSEC3PARAM record +- CDS or CDNSKEY inconsistency +- Missing, invalid, or unverifiable RRSIG record +- Invalid NSEC(3) record +- Broken or non-cyclic NSEC(3) chain + +*Default:* off + +.. _zone_disable-any: + +disable-any +----------- + +If enabled, all authoritative ANY queries sent over UDP will be answered +with an empty response and with the TC bit set. Use this option to minimize +the risk of DNS reflection attack. + +*Default:* off + +.. _zone_zonefile-sync: + +zonefile-sync +------------- + +The time after which the current zone in memory will be synced with a zone file +on the disk (see :ref:`file<zone_file>`). The server will serve the latest +zone even after a restart using zone journal, but the zone file on the disk will +only be synced after ``zonefile-sync`` time has expired (or after manual zone +flush). This is applicable when the zone is updated via IXFR, DDNS or automatic +DNSSEC signing. In order to completely disable automatic zone file synchronization, +set the value to -1. In that case, it is still possible to force a manual zone flush +using the ``-f`` option. + +.. NOTE:: + If you are serving large zones with frequent updates where + the immediate sync with a zone file is not desirable, increase the value. + +*Default:* 0 (immediate) + +.. _zone_zonefile-load: + +zonefile-load +------------- + +Selects how the zone file contents are applied during zone load. + +Possible values: + +- ``none`` – The zone file is not used at all. +- ``difference`` – If the zone contents are already available during server start or reload, + the difference is computed between them and the contents of the zone file. This difference + is then checked for semantic errors and + applied to the current zone contents. +- ``difference-no-serial`` – Same as ``difference``, but the SOA serial in the zone file is + ignored, the server takes care of incrementing the serial automatically. +- ``whole`` – Zone contents are loaded from the zone file. + +When ``difference`` is configured and there are no zone contents yet (cold start of Knot +and no zone contents in journal), it behaves the same way like ``whole``. + +*Default:* whole + +.. _zone_journal-content: + +journal-content +--------------- + +Selects how the journal shall be used to store zone and its changes. + +Possible values: + +- ``none`` – The journal is not used at all. +- ``changes`` – Zone changes history is stored in journal. +- ``all`` – Zone contents and history is stored in journal. + +*Default:* changes + +.. _zone_max-journal-usage: + +max-journal-usage +----------------- + +Policy how much space in journal DB will the zone's journal occupy. + +*Default:* 100 MiB + +.. NOTE:: + Journal DB may grow far above the sum of max-journal-usage across + all zones, because of DB free space fragmentation. + +.. _zone_max_journal_depth: + +max-journal-depth +----------------- + +Maximum history length of journal. + +*Minimum:* 2 + +*Default:* 2^64 + +.. _zone_max_zone_size: + +max-zone-size +------------- + +Maximum size of the zone. The size is measured as size of the zone records +in wire format without compression. The limit is enforced for incoming zone +transfers and dynamic updates. + +For incremental transfers (IXFR), the effective limit for the total size of +the records in the transfer is twice the configured value. However the final +size of the zone must satisfy the configured value. + +*Default:* 2^64 + +.. _zone_dnssec-signing: + +dnssec-signing +-------------- + +If enabled, automatic DNSSEC signing for the zone is turned on. + +*Default:* off + +.. _zone_dnssec-policy: + +dnssec-policy +------------- + +A :ref:`reference<policy_id>` to DNSSEC signing policy. A special *default* +value can be used for the default policy settings. + +*Required* + +.. _zone_request_edns_option: + +request-edns-option +------------------- + +An arbitrary EDNS0 option which is included into a server request (AXFR, IXFR, +SOA, or NOTIFY). The value is in the option_code:option_data format. + +*Default:* not set + +.. _zone_serial-policy: + +serial-policy +------------- + +Specifies how the zone serial is updated after a dynamic update or +automatic DNSSEC signing. If the serial is changed by the dynamic update, +no change is made. + +Possible values: + +- ``increment`` – The serial is incremented according to serial number arithmetic. +- ``unixtime`` – The serial is set to the current unix time. +- ``dateserial`` – The 10-digit serial (YYYYMMDDnn) is incremented, the first + 8 digits match the current iso-date. + +.. NOTE:: + In case of ``unixtime``, if the resulting serial is lower or equal than current zone + (this happens e.g. in case of migrating from other policy or frequent updates) + the serial is incremented instead. + + Use dateserial only if you expect less than 100 updates per day per zone. + +*Default:* increment + +.. _zone_min-refresh-interval: + +min-refresh-interval +-------------------- + +Forced minimum zone refresh interval to avoid flooding master. + +*Default:* 2 + +.. _zone_max-refresh-interval: + +max-refresh-interval +-------------------- + +Forced maximum zone refresh interval. + +*Default:* not set + +.. _zone_module: + +module +------ + +An ordered list of references to query modules in the form of *module_name* or +*module_name/module_id*. These modules apply only to the current zone queries. + +*Default:* not set + +.. _Logging section: + +Logging section +=============== + +Server can be configured to log to the standard output, standard error +output, syslog (or systemd journal if systemd is enabled) or into an arbitrary +file. + +There are 6 logging severity levels: + +- ``critical`` – Non-recoverable error resulting in server shutdown. +- ``error`` – Recoverable error, action should be taken. +- ``warning`` – Warning that might require user action. +- ``notice`` – Server notice or hint. +- ``info`` – Informational message. +- ``debug`` – Debug messages (must be turned on at compile time). + +In the case of missing log section, ``warning`` or more serious messages +will be logged to both standard error output and syslog. The ``info`` and +``notice`` messages will be logged to standard output. + +:: + + log: + - target: stdout | stderr | syslog | STR + server: critical | error | warning | notice | info | debug + control: critical | error | warning | notice | info | debug + zone: critical | error | warning | notice | info | debug + any: critical | error | warning | notice | info | debug + +.. _log_target: + +target +------ + +A logging output. + +Possible values: + +- ``stdout`` – Standard output. +- ``stderr`` – Standard error output. +- ``syslog`` – Syslog. +- *file\_name* – A specific file. + +.. _log_server: + +server +------ + +Minimum severity level for messages related to general operation of the server +that are logged. + +*Default:* not set + +.. _log_control: + +control +------- + +Minimum severity level for messages related to server control that are logged. + +*Default:* not set + +.. _log_zone: + +zone +---- + +Minimum severity level for messages related to zones that are logged. + +*Default:* not set + +.. _log_any: + +any +--- + +Minimum severity level for all message types that are logged. + +*Default:* not set diff --git a/doc/requirements.rst b/doc/requirements.rst new file mode 100644 index 0000000..0192fe9 --- /dev/null +++ b/doc/requirements.rst @@ -0,0 +1,96 @@ +.. highlight:: none +.. _Requirements: + +************ +Requirements +************ + +Hardware +======== + +Knot DNS requirements are not very demanding for typical +installations, and a commodity server or a virtual solution will be +sufficient in most cases. + +However, please note that there are some scenarios that will require +administrator's attention and some testing of exact requirements before +deploying Knot DNS to a production environment. These cases include +deployment for a large number of zones (DNS hosting), large number +of records in one or more zones (TLD), or large number of requests. + +CPU requirements +---------------- + +The server scales with processing power and also with the number of +available cores/CPUs. Enabling Hyper-threading is convenient if supported. + +There is no lower bound on the CPU requirements, but it should support +memory barriers and CAS (i586 and newer). + +Network card +------------ + +The best results have been achieved with multi-queue network cards. The +number of multi-queues should equal the total number of CPU cores (with +Hyper-threading enabled). + +Memory requirements +------------------- + +The server implementation focuses on performance and thus can be quite +memory demanding. The rough estimate for memory requirements is +3 times the size of the zone in the plain-text format. Again this is only +an estimate and you are advised to do your own measurements before +deploying Knot DNS to production. + +.. NOTE:: + To ensure uninterrupted serving of the zone, Knot DNS + employs the Read-Copy-Update mechanism instead of locking and thus + requires twice the amount of memory for the duration of incoming + transfers. + +Operating system +================ + +Knot DNS itself is written in a portable way and can be compiled +and run on most UNIX-like systems, such as Linux, \*BSD, and macOS. + +Required libraries +================== + +Knot DNS requires a few libraries to be available: + +* libedit +* gnutls >= 3.3 +* liburcu >= 0.5.4 +* lmdb >= 0.9.15 + +.. NOTE:: + The LMDB library is included with Knot DNS source code. However, linking + with the system library is preferred. + +Optional libraries +================== + +International Domain Names support (IDNA2008 or IDNA2003) in **kdig**: + +* libidn2 (or libidn) + +Systemd's startup notification mechanism and journald logging: + +* libsystemd + +Dnstap support in **kdig** or module :ref:`dnstap<mod-dnstap>`: + +* fstrm (and protobuf-c if building from source code) + +Linux :manpage:`capabilities(7)` support, which allows the server to be started +as a non-root user/group, binding to privileged ports (53), and giving up all +its capabilities, resulting in a completely unprivileged process: + +* libcap-ng >= 0.6.4 + +MaxMind database for **geodb** support in module :ref:`geoip<mod-geoip>`: + +* libmaxminddb0 + diff --git a/doc/theme_html/static/admon_caution_48.png b/doc/theme_html/static/admon_caution_48.png Binary files differnew file mode 100644 index 0000000..9016ec0 --- /dev/null +++ b/doc/theme_html/static/admon_caution_48.png diff --git a/doc/theme_html/static/admon_important_48.png b/doc/theme_html/static/admon_important_48.png Binary files differnew file mode 100644 index 0000000..7021f4c --- /dev/null +++ b/doc/theme_html/static/admon_important_48.png diff --git a/doc/theme_html/static/admon_note_48.png b/doc/theme_html/static/admon_note_48.png Binary files differnew file mode 100644 index 0000000..e72e336 --- /dev/null +++ b/doc/theme_html/static/admon_note_48.png diff --git a/doc/theme_html/static/admon_tip_48.png b/doc/theme_html/static/admon_tip_48.png Binary files differnew file mode 100644 index 0000000..f679193 --- /dev/null +++ b/doc/theme_html/static/admon_tip_48.png diff --git a/doc/theme_html/static/admon_warning_48.png b/doc/theme_html/static/admon_warning_48.png Binary files differnew file mode 100644 index 0000000..2c338d5 --- /dev/null +++ b/doc/theme_html/static/admon_warning_48.png diff --git a/doc/theme_html/static/admons.css b/doc/theme_html/static/admons.css new file mode 100644 index 0000000..d9f3406 --- /dev/null +++ b/doc/theme_html/static/admons.css @@ -0,0 +1,69 @@ +/* === Style for admonitions === */ + +/* Settings from 'basic' theme (modified only) */ + +div.admonition { + margin-top: 10px; + margin-bottom: 10px; + padding: 7px; + padding-left: 54px;/* based on icon size */ + padding-right: 24px;/* based on icon size */ +} + +/* Settings from 'classic' theme (modified only) */ + +div.admonition p { + display: block; +} + +p.admonition-title { + padding-bottom: 11px;/* based on icon size */ + padding-top: 11px;/* based on icon size */ +} + +p.admonition-title:after { + content: none; /* do not add colon */ +} + +/* Icon settings for all admonitions */ +div.admonition { + /* background-image: url('abstract_admon_48.png'); */ + background-repeat: no-repeat; + background-position: 2px 2px; +} + +/* Specific admonitions */ +div.admonition-todo { + background-color: #CAE2B6; + border: solid 1px #439427; +} + +div.warning { + background-image: url('admon_warning_48.png'); + background-color: #FFE4E4; + border: solid 3px #990D1C; +} + +div.caution { + background-image: url('admon_caution_48.png'); + background-color: #FFE4E4; + border: solid 1px #990D1C; +} + +div.important { + background-image: url('admon_important_48.png'); + background-color: #FBECC8; + border: solid 1px #D68612; +} + +div.note { + background-image: url('admon_note_48.png'); + background-color: white; + border: solid 1px #D1D3D4; +} + +div.tip { + background-image: url('admon_tip_48.png'); + background-color: #F2E4FD; + border: solid 1px #D1C2E6; +} diff --git a/doc/theme_html/static/main.css b/doc/theme_html/static/main.css new file mode 100644 index 0000000..d7eb5d1 --- /dev/null +++ b/doc/theme_html/static/main.css @@ -0,0 +1,6 @@ +@import url("nature.css"); + +/* Addendum for admonitions */ +@import url("admons.css"); + +/* Other overrides here */ diff --git a/doc/theme_html/theme.conf b/doc/theme_html/theme.conf new file mode 100644 index 0000000..eb8c607 --- /dev/null +++ b/doc/theme_html/theme.conf @@ -0,0 +1,4 @@ +[theme] +inherit = nature +stylesheet = main.css +pygments_style = sphinx diff --git a/doc/troubleshooting.rst b/doc/troubleshooting.rst new file mode 100644 index 0000000..b596738 --- /dev/null +++ b/doc/troubleshooting.rst @@ -0,0 +1,110 @@ +.. highlight:: console +.. _Troubleshooting: + +*************** +Troubleshooting +*************** + +First of all, check the logs. Enabling at least the ``warning`` message +severity may help you to identify some problems. See the :ref:`Logging section` +for details. + +.. _Submitting a bugreport: + +Reporting bugs +============== + +If you are unable to solve the problem by yourself, you can submit a +bugreport to the Knot DNS developers. For security or sensitive issues +contact the developers directly on +`knot-dns@labs.nic.cz <mailto:knot-dns@labs.nic.cz>`_. +All other bugs and questions may be directed to the public Knot DNS users +mailing list +(`knot-dns-users@lists.nic.cz <mailto:knot-dns-users@lists.nic.cz>`_) or +may be entered into the +`issue tracking system <https://gitlab.labs.nic.cz/knot/knot-dns/issues>`_. + +Before anything else, please try to answer the following questions: + +* Has it been working? +* What has changed? System configuration, software updates, network + configuration, firewall rules modification, hardware replacement, etc. + +The bugreport should contain the answers for the previous questions and in +addition at least the following information: + +* Knot DNS version and type of installation (distribution package, from source, + etc.) +* Operating system, platform, kernel version +* Relevant basic hardware information (processor, amount of memory, available + network devices, etc.) +* Description of the bug +* Log output with the highest verbosity (category ``any``, severity ``debug``) +* Steps to reproduce the bug (if known) +* Backtrace (if the bug caused a crash or a hang; see the next section) + +If possible, please provide a minimal configuration file and zone files which +can be used to reproduce the bug. + +.. _Generating backtrace: + +Generating backtrace +==================== + +Backtrace carries basic information about the state of the program and how +the program got where it is. It helps determining the location of the bug in +the source code. + +If you run Knot DNS from distribution packages, make sure the debugging +symbols for the package are installed. The symbols are usually distributed +in a separate package. + +There are several ways to get the backtrace. One possible way is to extract +the backtrace from a core dump file. Core dump is a memory snapshot generated +by the operating system when a process crashes. The generating of core dumps +must be usually enabled:: + + $ ulimit -c unlimited # Enable unlimited core dump size + $ knotd ... # Reproduce the crash + ... + $ gdb knotd <core-dump-file> # Start gdb on the core dump + (gdb) info threads # Get a summary of all threads + (gdb) thread apply all bt full # Extract backtrace from all threads + (gdb) quit + +To save the backtrace into a file, the following GDB commands can be used:: + + (gdb) set pagination off + (gdb) set logging file backtrace.txt + (gdb) set logging on + (gdb) info threads + (gdb) thread apply all bt full + (gdb) set logging off + +To generate a core dump of a running process, the `gcore` utility can be used:: + + $ gcore -o <output-file> $(pidof knotd) + +Please note that core dumps can be intercepted by an error-collecting system +service (systemd-coredump, ABRT, Apport, etc.). If you are using such a service, +consult its documentation about core dump retrieval. + +If the error is reproducible, it is also possible to start and inspect the +server directly in the debugger:: + + $ gdb --args knotd -c /etc/knot.conf + (gdb) run + ... + +Alternatively, the debugger can be attached to a running server +process. This is generally useful when troubleshooting a stuck process:: + + $ knotd ... + $ gdb --pid $(pidof knotd) + (gdb) continue + ... + +If you fail to get a backtrace of a running process using the previous method, +you may try the single-purpose ``pstack`` utility:: + + $ pstack $(pidof knotd) > backtrace.txt diff --git a/doc/utilities.rst b/doc/utilities.rst new file mode 100644 index 0000000..2180942 --- /dev/null +++ b/doc/utilities.rst @@ -0,0 +1,21 @@ +.. highlight:: none +.. _Utilities: + +Utilities +========= + +Knot DNS comes with a few DNS client utilities and a few utilities to control +the server. This section collects manual pages for all provided binaries: + +.. toctree:: + :titlesonly: + + man_kdig + man_keymgr + man_khost + man_kjournalprint + man_knotc + man_knotd + man_knsec3hash + man_knsupdate + man_kzonecheck |
