.TH "kresd" "8" "@date@" "CZ.NIC" "Knot Resolver @version@"
.\"
.\" kresd.8 -- kresd daemon manpage
.\"
.\" Copyright (c) 2019, CZ.NIC. All rights reserved.
.\"
.\" SPDX-License-Identifier: GPL-3.0-or-later
.\"
.\"
.SH "NAME"
.B kresd
\- full caching DNSSEC-enabled Knot Resolver @version@.
.SH "SYNOPSIS"
.B kresd
.RB [ \-a | \-\-addr
.IR addr[@port] ]
.RB [ \-t | \-\-tls
.IR addr[@port] ]
.RB [ \-S | \-\-fd
.IR fd ]
.RB [ \-T | \-\-tlsfd
.IR fd ]
.RB [ \-c | \-\-config
.IR config ]
.RB [ \-n | \-\-noninteractive ]
.RB [ \-q | \-\-quiet ]
.RB [ \-v | \-\-verbose ]
.RB [ \-V | \-\-version ]
.RB [ \-h | \-\-help ]
.IR [rundir]
.SH "DESCRIPTION"
.B Knot Resolver is a DNSSEC-enabled full caching resolver.
.P
Default mode of operation: when it receives a DNS query, it iteratively
asks authoritative nameservers, starting from the root zone (.) and ending
with the nameservers authoritative for the queried name. Automatic DNSSEC means
verification of the integrity of authoritative responses by following
keys and signatures starting from the root. The root trust anchor is automatically
bootstrapped from IANA, or you can provide a file with root trust anchors
(same format as the Unbound or BIND9 root keys file).
The daemon also caches intermediate answers in a cache, which by default
uses an LMDB memory-mapped database. This has a significant advantage over
in-memory caches, as the process may be stopped and restarted without
loss of cache entries. In a multi-user scenario a shared cache
is a potential privacy/security issue; with kresd each user can have a resolver cache
in their private directory and use it in a fashion similar to a keychain.
.P
To use a locally running
.B kresd
for resolving put
.sp
.RS 6n
nameserver 127.0.0.1
.RE
.sp
into
.IR resolv.conf (5)
and start
.BR kresd .
.P
The daemon may also be configured as a plain forwarder using query policies.
This requires using a config file. Please refer to the documentation for
configuration file options; it is available at
\fIhttps://knot-resolver.readthedocs.io\fR or in the package documentation
(available as the knot-resolver-doc package in most distributions).
The available CLI options are:
.TP
.B \-a\fI addr[@port]\fR, \fB\-\-addr=\fI<addr[@port]>
Listen on given address (and port) pair. If no port is given, \fI53\fR is used as a default.
Option may be passed multiple times to listen on more addresses.
.TP
.B \-t\fI addr[@port]\fR, \fB\-\-tls=\fI<addr[@port]>
Listen using TLS on given address (and port) pair. If no port is
given, \fI853\fR is used as a default. Option may be passed multiple
times to listen on more addresses.
.TP
.B \-S\fI fd\fR, \fB\-\-fd=\fI<fd>
Listen on given file descriptor(s), passed by supervisor.
Option may be passed multiple times to listen on more file descriptors.
.TP
.B \-T\fI fd\fR, \fB\-\-tlsfd=\fI<fd>
Listen using TLS on given file descriptor(s), passed by supervisor.
Option may be passed multiple times to listen on more file descriptors.
.TP
.B \-c\fI config\fR, \fB\-\-config=\fI<config>
Set the config file with settings for kresd to read instead of reading the
file at the default location (\fIconfig\fR).
.TP
.B \-f\fI N\fR, \fB\-\-forks=\fI<N>
This option is deprecated since 5.0.0!
With this option, the daemon is started in non-interactive mode and instead creates a
UNIX socket in \fIrundir\fR that the operator can connect to for an interactive session.
A number greater than 1 forks the daemon N times; all forks bind to the same addresses
and the kernel load-balances between them on Linux with \fISO_REUSEPORT\fR support.
If you want multiple concurrent processes supervised in this way,
they should be supervised independently (see \fBkresd.systemd(7)\fR).
.TP
.B \-n\fR, \fB\-\-noninteractive
Daemon will refrain from entering into read-eval-print loop for stdin+stdout.
.TP
.B \-q\fR, \fB\-\-quiet
Daemon will refrain from printing the command prompt.
.TP
.B \-v\fR, \fB\-\-verbose
Increase verbosity. If given multiple times, more information is logged.
This is in addition to the verbosity (if any) from the config file.
.TP
.B \-h\fR, \fB\-\-help
Show short commandline option help.
.TP
.B \-V\fR, \fB\-\-version
Show the version.
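.P
The following is an added example, not part of this manual page or of the
Knot Resolver project: a POSIX shell script that starts a per-user kresd with a
private rundir (so its LMDB cache is not shared with other users) and loopback
listeners for plain DNS (\fB\-a\fR) and TLS (\fB\-t\fR). The unprivileged ports
5353/8853, the rundir location and the KRESD_RUN variable are assumptions.

```shell
#!/bin/sh
# Added example (not the kresd project's own code): run kresd as an unprivileged
# user with a 0700 rundir, non-interactive (-n) and quiet (-q), listening on
# loopback for plain DNS on 5353 (-a) and DNS-over-TLS on 8853 (-t).
set -eu

# Create the rundir so that only the current user can enter it, or verify an
# existing one. Returns 0 on success, 1 if the mode is anything but 0700.
private_rundir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        (umask 077 && mkdir -p "$dir")
    fi
    # -prune keeps find on the directory itself; it prints the path only
    # when the mode is exactly 0700.
    [ -n "$(find "$dir" -prune -perm 0700 -print)" ]
}

# Build the kresd argument list: -n -q, one -a per plain address, one -t per
# TLS address, and the private rundir as the trailing positional argument.
kresd_args() {
    rundir=$1 plain=$2 tls=$3
    args="-n -q"
    for a in $plain; do args="$args -a $a"; done
    for t in $tls; do args="$args -t $t"; done
    printf '%s %s\n' "$args" "$rundir"
}

RUNDIR=${XDG_RUNTIME_DIR:-/tmp}/kresd-$(id -u)
private_rundir "$RUNDIR" || {
    echo "refusing to use $RUNDIR: not mode 0700, cache would be shared" >&2
    exit 1
}
ARGS=$(kresd_args "$RUNDIR" "127.0.0.1@5353 ::1@5353" "127.0.0.1@8853")
echo "kresd $ARGS"
# Only exec the daemon when explicitly asked; kresd stays in the foreground.
if [ "${KRESD_RUN:-0}" = 1 ]; then
    # word-splitting of $ARGS is intended here
    exec kresd $ARGS
fi
```

Run with KRESD_RUN=1 to actually start the daemon; without it the script only
prepares the rundir and prints the command line it would execute.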
.SH "SEE ALSO"
@man_seealso_systemd@\fIhttps://knot-resolver.readthedocs.io/en/v@version@/\fR
.SH "AUTHORS"
.B kresd
developers are mentioned in the AUTHORS file in the distribution.