diff options
Diffstat (limited to 'doc/configuration.rst')
-rw-r--r-- | doc/configuration.rst | 1204 |
1 files changed, 1204 insertions, 0 deletions
diff --git a/doc/configuration.rst b/doc/configuration.rst new file mode 100644 index 0000000..193bd78 --- /dev/null +++ b/doc/configuration.rst @@ -0,0 +1,1204 @@ +.. highlight:: none +.. _Configuration: + +************* +Configuration +************* + +Simple configuration +==================== + +The following example presents a simple configuration file +which can be used as a base for your Knot DNS setup:: + + # Example of a very simple Knot DNS configuration. + + server: + listen: 0.0.0.0@53 + listen: ::@53 + + zone: + - domain: example.com + storage: /var/lib/knot/zones/ + file: example.com.zone + + log: + - target: syslog + any: info + +Now let's walk through this configuration step by step: + +- The :ref:`server_listen` statement in the :ref:`server section<Server section>` + defines where the server will listen for incoming connections. + We have defined the server to listen on all available IPv4 and IPv6 addresses, + all on port 53. +- The :ref:`zone section` defines the zones that the server will + serve. In this case, we defined one zone named *example.com* which is stored + in the zone file :file:`/var/lib/knot/zones/example.com.zone`. +- The :ref:`log section` defines the log facilities for + the server. In this example, we told Knot DNS to send its log messages with + the severity ``info`` or more serious to the syslog (or systemd journal). + +For detailed description of all configuration items see +:ref:`Configuration Reference`. + +Zone templates +============== + +A zone template allows a single zone configuration to be shared among several +zones. There is no inheritance between templates; they are exclusive. The +``default`` template identifier is reserved for the default template:: + + template: + - id: default + storage: /var/lib/knot/master + semantic-checks: on + + - id: signed + storage: /var/lib/knot/signed + dnssec-signing: on + semantic-checks: on + master: [master1, master2] + + - id: slave + storage: /var/lib/knot/slave + + zone: + - domain: example1.com # Uses default template + + - domain: example2.com # Uses default template + semantic-checks: off # Override default settings + + - domain: example.cz + template: signed + master: master3 # Override masters to just master3 + + - domain: example1.eu + template: slave + master: master1 + + - domain: example2.eu + template: slave + master: master2 + +.. NOTE:: + Each template option can be explicitly overridden in zone-specific configuration. + +.. _ACL: + +Access control list (ACL) +========================= + +Some types of incoming DNS requests must be authorized before they can be +processed by the server. A zone can have configured :ref:`zone_acl` which is +a sequence of :ref:`rules <ACL section>` describing what requests are authorized. +By default if :ref:`automatic ACL <server_automatic-acl>` is not enabled, all requests, +which require authorization, are denied. + +Every ACL rule can allow or deny one or more request types based on the +source IP address, network subnet, or address range and/or if the request is +secured by a given TSIG key. See :doc:`keymgr -t<man_keymgr>` on how +to generate a TSIG key. + +If there are multiple ACL rules assigned to a zone, they are applied in the +specified order of the :ref:`zone_acl` configuration. The first rule that matches +the given request is applied and the remaining rules are ignored. Some examples:: + + acl: + - id: address_rule + address: [2001:db8::1, 192.168.2.0/24] + action: transfer + + - id: deny_rule + address: 192.168.2.100 + action: transfer + deny: on + + zone: + - domain: acl1.example.com + acl: [deny_rule, address_rule] # Allow some addresses with an exception + +:: + + key: + - id: key1 # The real TSIG key name + algorithm: hmac-sha256 + secret: 4Tc0K1QkcMCs7cOW2LuSWnxQY0qysdvsZlSb4yTN9pA= + + acl: + - id: deny_all + address: 192.168.3.0/24 + deny: on # No action specified and deny on implies denial of all actions + + - id: key_rule + key: key1 # Access based just on TSIG key + action: [transfer, notify] + + zone: + - domain: acl2.example.com + acl: [deny_all, key_rule] # Allow with the TSIG except for the subnet + +In the case of dynamic DNS updates, some additional conditions may be specified +for more granular filtering. See more in the section :ref:`Restricting dynamic updates`. + +.. NOTE:: + If more conditions (address ranges and/or a key) + are given in a single ACL rule, all of them have to be satisfied for the rule to match. + +.. TIP:: + In order to restrict regular DNS queries, use module :ref:`queryacl<mod-queryacl>`. + +Secondary (slave) zone +====================== + +Knot DNS doesn't strictly differ between primary (formerly known as master) +and secondary (formerly known as slave) zones. The only requirement for a secondary +zone is to have a :ref:`zone_master` statement set. For effective zone synchronization, +incoming zone change notifications (NOTIFY), which require authorization, can be +enabled using :ref:`automatic ACL <server_automatic-acl>` or :ref:`explicit ACL <zone_acl>` +configuration. Optional transaction authentication (TSIG) is supported for both +zone transfers and zone notifications:: + + server: + automatic-acl: on # Enabled automatic ACL + + key: + - id: xfr_notify_key # Common TSIG key for XFR an NOTIFY + algorithm: hmac-sha256 + secret: VFRejzw8h4M7mb0xZKRFiZAfhhd1eDGybjqHr2FV3vc= + + remote: + - id: primary + address: [2001:DB8:1::1, 192.168.1.1] # Primary server IP addresses + # via: [2001:DB8:2::1, 10.0.0.1] # Local source addresses (optional) + key: xfr_notify_key # TSIG key (optional) + + zone: + - domain: example.com + master: primary # Primary remote(s) + +An example of explicit ACL with different TSIG keys for zone transfers +and notifications:: + + key: + - id: notify_key # TSIG key for NOTIFY + algorithm: hmac-sha256 + secret: uBbhV4aeSS4fPd+wF2ZIn5pxOMF35xEtdq2ibi2hHEQ= + + - id: xfr_key # TSIG key for XFR + algorithm: hmac-sha256 + secret: VFRejzw8h4M7mb0xZKRFiZAfhhd1eDGybjqHr2FV3vc= + + remote: + - id: primary + address: [2001:DB8:1::1, 192.168.1.1] # Primary server IP addresses + # via: [2001:DB8:2::1, 10.0.0.1] # Local source addresses if needed + key: xfr_key # Optional TSIG key + + acl: + - id: notify_from_primary # ACL rule for NOTIFY from primary + address: [2001:DB8:1::1, 192.168.1.1] # Primary addresses (optional) + key: notify_key # TSIG key (optional) + action: notify + + zone: + - domain: example.com + master: primary # Primary remote(s) + acl: notify_from_primary # Explicit ACL(s) + +Note that the :ref:`zone_master` option accepts a list of remotes, which are +queried for a zone refresh sequentially in the specified order. When the server +receives a zone change notification from a listed remote, only that remote is +used for a subsequent zone transfer. + +.. NOTE:: + When transferring a lot of zones, the server may easily get into a state + where all available ports are in the TIME_WAIT state, thus transfers + cease until the operating system closes the ports for good. There are + several ways to work around this: + + * Allow reusing of ports in TIME_WAIT (sysctl -w net.ipv4.tcp_tw_reuse=1) + * Shorten TIME_WAIT timeout (tcp_fin_timeout) + * Increase available local port count + +Primary (master) zone +===================== + +A zone is considered primary if it doesn't have :ref:`zone_master` set. As +outgoing zone transfers (XFR) require authorization, it must be enabled +using :ref:`automatic ACL <server_automatic-acl>` or :ref:`explicit ACL <zone_acl>` +configuration. Outgoing zone change notifications (NOTIFY) to remotes can be +set by configuring :ref:`zone_notify`. Transaction authentication +(TSIG) is supported for both zone transfers and zone notifications:: + + server: + automatic-acl: on # Enabled automatic ACL + + key: + - id: xfr_notify_key # Common TSIG key for XFR an NOTIFY + algorithm: hmac-sha256 + secret: VFRejzw8h4M7mb0xZKRFiZAfhhd1eDGybjqHr2FV3vc= + + remote: + - id: secondary + address: [2001:DB8:1::1, 192.168.1.1] # Secondary server IP addresses + # via: [2001:DB8:2::1, 10.0.0.1] # Local source addresses (optional) + key: xfr_notify_key # TSIG key (optional) + + acl: + - id: local_xfr # Allow XFR to localhost without TSIG + address: [::1, 127.0.0.1] + action: transfer + + zone: + - domain: example.com + notify: secondary # Secondary remote(s) + acl: local_xfr # Explicit ACL for local XFR + +Note that the :ref:`zone_notify` option accepts a list of remotes, which are +all notified sequentially in the specified order. + +A secondary zone may serve as a primary zone for a different set of remotes +at the same time. + +.. _dynamic updates: + +Dynamic updates +=============== + +Dynamic updates for the zone are allowed via proper ACL rule with the +``update`` action. If the zone is configured as a secondary and a DNS update +message is accepted, the server forwards the message to its first primary +:ref:`zone_master` or :ref:`zone_ddns-master` if configured. +The primary master's response is then forwarded back to the originator. + +However, if the zone is configured as a primary, the update is accepted and +processed:: + + acl: + - id: update_acl + address: 192.168.3.0/24 + action: update + + zone: + - domain: example.com. + acl: update_acl + +.. NOTE:: + To forward DDNS requests signed with a locally unknown key, an ACL rule for + the action ``update`` without a key must be configured for the zone. E.g.:: + + acl: + - id: fwd_foreign_key + action: update + # possible non-key options + + zone: + - domain: example.com. + acl: fwd_foreign_key + +.. _Restricting dynamic updates: + +Restricting dynamic updates +--------------------------- + +There are several additional ACL options for dynamic DNS updates which affect +the request classification based on the update contents. + +Updates can be restricted to specific resource record types:: + + acl: + - id: type_rule + action: update + update-type: [A, AAAA, MX] # Updated records must match one of the specified types + +Another possibility is restriction on the owner name of updated records. The option +:ref:`acl_update-owner` is used to select the source of domain +names which are used for the comparison. And the option :ref:`acl_update-owner-match` +specifies the required relation between the record owner and the reference domain +names. Example:: + + acl: + - id: owner_rule1 + action: update + update-owner: name # Updated record owners are restricted by the next conditions + update-owner-match: equal # The record owner must exactly match one name from the next list + update-owner-name: [foo, bar.] # Reference domain names + +.. NOTE:: + If the specified owner name is non-FQDN (e.g. ``foo``), it's considered relatively + to the effective zone name. So it can apply to more zones + (e.g. ``foo.example.com.`` or ``foo.example.net.``). Alternatively, if the + name is FQDN (e.g. ``bar.``), the rule only applies to this name. + +If the reference domain name is the zone name, the following variant can be used:: + + acl: + - id: owner_rule2 + action: update + update-owner: zone # The reference name is the zone name + update-owner-match: sub # Any record owner matches except for the zone name itself + + template: + - id: default + acl: owner_rule2 + + zone: + - domain: example.com. + - domain: example.net. + +The last variant is for the cases where the reference domain name is a TSIG key name, +which must be used for the transaction security:: + + key: + - id: example.com # Key names are always considered FQDN + ... + - id: steve.example.net + ... + - id: jane.example.net + ... + + acl: + - id: owner_rule3_com + action: update + update-owner: key # The reference name is the TSIG key name + update-owner-match: sub # The record owner must be a subdomain of the key name + key: [example.com] # One common key for updating all non-apex records + + - id: owner_rule3_net + action: update + update-owner: key # The reference name is the TSIG key name + update-owner-match: equal # The record owner must exactly match the used key name + key: [steve.example.net, jane.example.net] # Keys for updating specific zone nodes + + zone: + - domain: example.com. + acl: owner_rule3_com + - domain: example.net. + acl: owner_rule3_net + +.. _dnssec: + +Automatic DNSSEC signing +======================== + +Knot DNS supports automatic DNSSEC signing of zones. The signing +can operate in two modes: + +1. :ref:`Automatic key management <dnssec-automatic-zsk-management>`. + In this mode, the server maintains signing keys. New keys are generated + according to assigned policy and are rolled automatically in a safe manner. + No zone operator intervention is necessary. + +2. :ref:`Manual key management <dnssec-manual-key-management>`. + In this mode, the server maintains zone signatures only. The signatures + are kept up-to-date and signing keys are rolled according to timing + parameters assigned to the keys. The keys must be generated and timing + parameters must be assigned by the zone operator. + +The DNSSEC signing process maintains some metadata which is stored in the +:abbr:`KASP (Key And Signature Policy)` database. This database is backed +by LMDB. + +.. WARNING:: + Make sure to set the KASP database permissions correctly. For manual key + management, the database must be *readable* by the server process. For + automatic key management, it must be *writeable*. If no HSM is used, + the database also contains private key material – don't set the permissions + too weak. + +.. _dnssec-automatic-zsk-management: + +Automatic ZSK management +------------------------ + +For automatic ZSK management a signing :ref:`policy<Policy section>` has to +be configured and assigned to the zone. The policy specifies how the zone +is signed (i.e. signing algorithm, key size, key lifetime, signature lifetime, +etc.). If no policy is specified or the ``default`` one is assigned, the +default signing parameters are used. + +A minimal zone configuration may look as follows:: + + zone: + - domain: myzone.test + dnssec-signing: on + +With a custom signing policy, the policy section will be added:: + + policy: + - id: custom_policy + signing-threads: 4 + algorithm: ECDSAP256SHA256 + zsk-lifetime: 60d + + zone: + - domain: myzone.test + dnssec-signing: on + dnssec-policy: custom_policy + +After configuring the server, reload the changes: + +.. code-block:: console + + $ knotc reload + +The server will generate initial signing keys and sign the zone properly. Check +the server logs to see whether everything went well. + +.. _dnssec-automatic-ksk-management: + +Automatic KSK management +------------------------ + +For automatic KSK management, first configure ZSK management like above, and use +additional options in :ref:`policy section <Policy section>`, mostly specifying +desired (finite) lifetime for KSK: :: + + remote: + - id: parent_zone_server + address: 192.168.12.1@53 + + submission: + - id: parent_zone_sbm + parent: [parent_zone_server] + + policy: + - id: custom_policy + signing-threads: 4 + algorithm: ECDSAP256SHA256 + zsk-lifetime: 60d + ksk-lifetime: 365d + ksk-submission: parent_zone_sbm + + zone: + - domain: myzone.test + dnssec-signing: on + dnssec-policy: custom_policy + +After the initially-generated KSK reaches its lifetime, new KSK is published and after +convenience delay the submission is started. The server publishes CDS and CDNSKEY records +and the user shall propagate them to the parent. The server periodically checks for +DS at the parent zone and when positive, finishes the rollover. + +.. _dnssec-manual-key-management: + +Manual key management +--------------------- + +For automatic DNSSEC signing with manual key management, a signing policy +with manual key management flag has to be set:: + + policy: + - id: manual + manual: on + + zone: + - domain: myzone.test + dnssec-signing: on + dnssec-policy: manual + +To generate signing keys, use the :doc:`keymgr<man_keymgr>` utility. +For example, we can use Single-Type Signing: + +.. code-block:: console + + $ keymgr myzone.test. generate algorithm=ECDSAP256SHA256 ksk=yes zsk=yes + +And reload the server. The zone will be signed. + +To perform a manual rollover of a key, the timing parameters of the key need +to be set. Let's roll the key. Generate a new key, but do not activate +it yet: + +.. code-block:: console + + $ keymgr myzone.test. generate algorithm=ECDSAP256SHA256 ksk=yes zsk=yes active=+1d + +Take the key ID (or key tag) of the old key and disable it the same time +the new key gets activated: + +.. code-block:: console + + $ keymgr myzone.test. set <old_key_id> retire=+2d remove=+3d + +Reload the server again. The new key will be published (i.e. the DNSKEY record +will be added into the zone). Remember to update the DS record in the +parent zone to include a reference to the new key. This must happen within one +day (in this case) including a delay required to propagate the new DS to +caches. + +.. WARNING:: + If you ever decide to switch from manual key management to automatic key management, + note that the automatic key management uses + :ref:`policy_zsk-lifetime` and :ref:`policy_ksk-lifetime` policy configuration + options to schedule key rollovers and it internally uses timestamps of keys differently + than in the manual case. As a consequence it might break if the ``retire`` or ``remove`` timestamps + are set for the manually generated keys currently in use. Make sure to set these timestamps + to zero using :doc:`keymgr<man_keymgr>`: + + .. code-block:: console + + $ keymgr myzone.test. set <key_id> retire=0 remove=0 + + and configure your policy suitably according to :ref:`dnssec-automatic-zsk-management` + and :ref:`dnssec-automatic-ksk-management`. + +.. _dnssec-signing: + +Zone signing +------------ + +The signing process consists of the following steps: + +#. Processing KASP database events. (e.g. performing a step of a rollover). +#. Updating the DNSKEY records. The whole DNSKEY set in zone apex is replaced + by the keys from the KASP database. Note that keys added into the zone file + manually will be removed. To add an extra DNSKEY record into the set, the + key must be imported into the KASP database (possibly deactivated). +#. Fixing the NSEC or NSEC3 chain. +#. Removing expired signatures, invalid signatures, signatures expiring + in a short time, and signatures issued by an unknown key. +#. Creating missing signatures. Unless the Single-Type Signing Scheme + is used, DNSKEY records in a zone apex are signed by KSK keys and + all other records are signed by ZSK keys. +#. Updating and re-signing SOA record. + +The signing is initiated on the following occasions: + +- Start of the server +- Zone reload +- Reaching the signature refresh period +- Key set changed due to rollover event +- Received DDNS update +- Forced zone re-sign via server control interface + +On a forced zone re-sign, all signatures in the zone are dropped and recreated. + +The ``knotc zone-status`` command can be used to see when the next scheduled +DNSSEC re-sign will happen. + +.. _dnssec-on-slave-signing: + +On-secondary (on-slave) signing +------------------------------- + +It is possible to enable automatic DNSSEC zone signing even on a secondary +server. If enabled, the zone is signed after every AXFR/IXFR transfer +from primary, so that the secondary always serves a signed up-to-date version +of the zone. + +It is strongly recommended to block any outside access to the primary +server, so that only the secondary server's signed version of the zone is served. + +Enabled on-secondary signing introduces events when the secondary zone changes +while the primary zone remains unchanged, such as a key rollover or +refreshing of RRSIG records, which cause inequality of zone SOA serial +between primary and secondary. The secondary server handles this by saving the +primary's SOA serial in a special variable inside KASP DB and appropriately +modifying AXFR/IXFR queries/answers to keep the communication with +primary server consistent while applying the changes with a different serial. + +.. _catalog-zones: + +Catalog zones +============= + +Catalog zones (:rfc:`9432`) are a concept whereby a list of zones to be configured is maintained +as contents of a separate, special zone. This approach has the benefit of simple +propagation of a zone list to secondary servers, especially when the list is +frequently updated. + +Terminology first. *Catalog zone* is a meta-zone which shall not be a part +of the DNS tree, but it contains information about the set of member zones and +is transferable to secondary servers using common AXFR/IXFR techniques. +A *catalog-member zone* (or just *member zone*) is a zone based on +information from the catalog zone and not from configuration file/database. +*Member properties* are some additional information related to each member zone, +also distributed with the catalog zone. + +A catalog zone is handled almost in the same way as a regular zone: +It can be configured using all the standard options (but for example +DNSSEC signing is useless as the zone won't be queried by clients), including primary/secondary configuration +and ACLs. A catalog zone is indicated by setting the option +:ref:`zone_catalog-role`. Standard DNS queries to a catalog zone are answered +with REFUSED as though the zone doesn't exist unless there is a matching ACL +rule for action transfer configured. +The name of the catalog zone is arbitrary. It's possible to configure +multiple catalog zones. + +.. WARNING:: + Don't choose a name for a catalog zone below a name of any other + existing zones configured on the server as it would effectively "shadow" + part of your DNS subtree. + +Upon catalog zone (re)load or change, all the PTR records in the format +``unique-id.zones.catalog. 0 IN PTR member.com.`` (but not ``too.deep.zones.catalog.``!) +are processed and member zones created, with zone names taken from the +PTR records' RData, and zone settings taken from the configuration +templates specified by :ref:`zone_catalog-template`. + +The owner names of the PTR records shall follow this scheme: + +.. code-block:: console + + <unique-id>.zones.<catalog-zone>. + +where the mentioned labels shall match: + +- *<unique-id>* — Single label that is recommended to be unique among member zones. +- ``zones`` — Required label. +- *<catalog-zone>* — Name of the catalog zone. + +Additionally, records in the format +``group.unique-id.zones.catalog. 0 IN TXT "conf-template"`` +are processed as a definition of the member's *group* property. The +``unique-id`` must match the one of the PTR record defining the member. +It's required that at most one group is defined for each member. If multiple +groups are defined, one group is picked at random. + +All other records and other member properties are ignored. They remain in the catalog +zone, however, and might be for example transferred to a secondary server, +which may interpret catalog zones differently. SOA still needs to be present in +the catalog zone and its serial handled appropriately. An apex NS record must be +present as for any other zone. The version record ``version 0 IN TXT "2"`` +is required at the catalog zone apex. + +A catalog zone may be modified using any standard means (e.g. AXFR/IXFR, DDNS, +zone file reload). In the case of incremental change, only affected +member zones are reloaded. + +The catalog zone must have at least one :ref:`zone_catalog-template` +configured. The configuration for any defined member zone is taken from its +*group* property value, which should match some catalog-template name. +If the *group* property is not defined for a member, is empty, or doesn't match +any of defined catalog-template names, the first catalog-template +(in the order from configuration) is used. Nesting of catalog zones isn't +supported. + +Any de-cataloged member zone is purged immediately, including its +zone file, journal, timers, and DNSSEC keys. The zone file is not +deleted if :ref:`zone_zonefile-sync` is set to *-1* for member zones. +Any member zone, whose PTR record's owner has been changed, is purged +immediately if and only if the *<unique-id>* has been changed. + +When setting up catalog zones, it might be useful to set +:ref:`database_catalog-db` and :ref:`database_catalog-db-max-size` +to non-default values. + +.. NOTE:: + + Whenever a catalog zone is updated, the server reloads itself with + all configured zones, including possibly existing other catalog zones. + It's similar to calling `knotc zone-reload` (for all zones). + The consequence is that new zone files might be discovered and reloaded, + even for zones that do not relate to updated catalog zone. + + Catalog zones never expire automatically, regardless of what is declared + in the catalog zone SOA. However, a catalog zone can be expired manually + at any time using `knotc -f zone-purge +expire`. + + Currently, expiration of a catalog zone doesn't have any effect on its + member zones. + +.. WARNING:: + + The server does not work well if one member zone appears in two catalog zones + concurrently. The user is encouraged to avoid this situation whatsoever. + Thus, there is no way a member zone can be migrated from one catalog + to another while preserving its metadata. Following steps may be used + as a workaround: + + * :ref:`Back up<Data and metadata backup>` the member zone's metadata + (on each server separately). + * Remove the member zone from the catalog it's a member of. + * Wait for the catalog zone to be propagated to all servers. + * Add the member zone to the other catalog. + * Restore the backed up metadata (on each server separately). + +Catalog zones configuration examples +------------------------------------ + +Below are configuration snippets (e.g. `server` and `log` sections missing) +of very simple catalog zone setups, in order to illustrate the relations +between catalog-related configuration options. + +First setup represents a very simple scenario where the primary is +the catalog zone generator and the secondary is the catalog zone consumer. + +Primary configuration:: + + acl: + - id: slave_xfr + address: ... + action: transfer + + template: + - id: mmemb + catalog-role: member + catalog-zone: catz. + acl: slave_xfr + + zone: + - domain: catz. + catalog-role: generate + acl: slave_xfr + + - domain: foo.com. + template: mmemb + + - domain: bar.com. + template: mmemb + +Secondary configuration:: + + acl: + - id: master_notify + address: ... + action: notify + + template: + - id: smemb + master: master + acl: master_notify + + zone: + - domain: catz. + master: master + acl: master_notify + catalog-role: interpret + catalog-template: smemb + +When new zones are added (or removed) to the primary configuration with assigned +`mmemb` template, they will automatically propagate to the secondary +and have the `smemb` template assigned there. + +Second example is with a hand-written (or script-generated) catalog zone, +while employing configuration groups:: + + catz. 0 SOA invalid. invalid. 1625079950 3600 600 2147483646 0 + catz. 0 NS invalid. + version.catz. 0 TXT "2" + nj2xg5bnmz2w4ltd.zones.catz. 0 PTR just-fun.com. + group.nj2xg5bnmz2w4ltd.zones.catz. 0 TXT unsigned + nvxxezjnmz2w4ltd.zones.catz. 0 PTR more-fun.com. + group.nvxxezjnmz2w4ltd.zones.catz. 0 TXT unsigned + nfwxa33sorqw45bo.zones.catz. 0 PTR important.com. + group.nfwxa33sorqw45bo.zones.catz. 0 TXT signed + mjqw42zomnxw2lq0.zones.catz. 0 PTR bank.com. + group.mjqw42zomnxw2lq0.zones.catz. 0 TXT signed + +And the server in this case is configured to distinguish the groups by applying +different templates:: + + template: + - id: unsigned + ... + + - id: signed + dnssec-signing: on + dnssec-policy: ... + ... + + zone: + - domain: catz. + file: ... + catalog-role: interpret + catalog-template: [ unsigned, signed ] + +.. _DNS_over_QUIC: + +DNS over QUIC +============= + +QUIC is a low-latency, encrypted, internet transport protocol. +Knot DNS supports DNS over QUIC (DoQ) (:rfc:`9250`), including zone transfers (XoQ). +By default, the UDP port `853` is used for DNS over QUIC. + +To use QUIC, a server :ref:`private key<server_key-file>` and a :ref:`certificate<server_cert-file>` +must be available. If no key is configured, the server automatically generates one +with a self-signed temporary certificate. The key is stored in the KASP database +directory for persistence across restarts. + +In order to listen for incoming requests over QUIC, at least one :ref:`interface<server_listen-quic>` +or :ref:`XDP interface<xdp_quic>` must be configured. + +An example of configuration of listening for DNS over QUIC on the loopback interface: + +.. code-block:: console + + server: + listen-quic: ::1 + +When the server is started, it logs some interface details and public key pin +of the used certificate: + +.. code-block:: console + + ... info: binding to QUIC interface ::1@853 + ... info: QUIC, certificate public key 0xtdayWpnJh4Py8goi8cei/gXGD4kJQ+HEqcxS++DBw= + +.. TIP:: + + The public key pin, which isn't secret, can also be displayed via: + + .. code-block:: console + + $ knotc status cert-key + 0xtdayWpnJh4Py8goi8cei/gXGD4kJQ+HEqcxS++DBw= + + Or from the keyfile via: + + .. code-block:: console + + $ certtool --infile=quic_key.pem -k | grep pin-sha256 + pin-sha256:0xtdayWpnJh4Py8goi8cei/gXGD4kJQ+HEqcxS++DBw= + +Using :doc:`kdig<man_kdig>` we can verify that the server responds over QUIC: + +.. code-block:: console + + $ kdig @::1 ch txt version.server +quic + ;; QUIC session (QUICv1)-(TLS1.3)-(ECDHE-X25519)-(EdDSA-Ed25519)-(AES-256-GCM) + ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 0 + ;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1 + + ;; EDNS PSEUDOSECTION: + ;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR + ;; PADDING: 370 B + + ;; QUESTION SECTION: + ;; version.server. CH TXT + + ;; ANSWER SECTION: + version.server. 0 CH TXT "Knot DNS 3.3.0" + + ;; Received 468 B + ;; Time 2023-08-15 15:04:36 CEST + ;; From ::1@853(QUIC) in 1.1 ms + +In this case, :rfc:`opportunistic authentication<9103#section-9.3.1>` was +used, which doesn't guarantee that the client communicates with the genuine server +and vice versa. For :rfc:`strict authentication<9103#section-9.3.2>` +of the server, we can enforce certificate key pin check by specifying it +(enabled debug mode for details): + +.. code-block:: console + + $ kdig @::1 ch txt version.server +tls-pin=0xtdayWpnJh4Py8goi8cei/gXGD4kJQ+HEqcxS++DBw= +quic -d + ;; DEBUG: Querying for owner(version.server.), class(3), type(16), server(::1), port(853), protocol(UDP) + ;; DEBUG: TLS, received certificate hierarchy: + ;; DEBUG: #1, CN=tester + ;; DEBUG: SHA-256 PIN: 0xtdayWpnJh4Py8goi8cei/gXGD4kJQ+HEqcxS++DBw=, MATCH + ;; DEBUG: TLS, skipping certificate verification + ;; QUIC session (QUICv1)-(TLS1.3)-(ECDHE-X25519)-(EdDSA-Ed25519)-(AES-256-GCM) + ... + +We see that a server certificate key matches the specified pin. Another possibility +is to use certificate chain validation if a suitable certificate is configured +on the server. + +Zone transfers +-------------- + +For outgoing requests (e.g. NOTIFY and refresh), Knot DNS utilizes +:rfc:`session resumption<9250#section-5.5.3>`, which speeds up QUIC connection +establishment. + +Here are a few examples of zone transfer configurations using various +:rfc:`authentication mechanisms<9103#section-9>`: + +Opportunistic authentication: +............................. + +Primary and secondary can authenticate using TSIG. Fallback to clear-text DNS +isn't supported. + +.. panels:: + + Primary: + + .. code-block:: console + + server: + listen-quic: ::1 + automatic-acl: on + + key: + - id: xfr_key + algorithm: hmac-sha256 + secret: S059OFJv1SCDdR2P6JKENgWaM409iq2X44igcJdERhc= + + remote: + - id: secondary + address: ::2 + key: xfr_key # TSIG for secondary authentication + quic: on + + zone: + - domain: example.com + notify: secondary + + --- + + Secondary: + + .. code-block:: console + + server: + listen-quic: ::2 + automatic-acl: on + + key: + - id: xfr_key + algorithm: hmac-sha256 + secret: S059OFJv1SCDdR2P6JKENgWaM409iq2X44igcJdERhc= + + remote: + - id: primary + address: ::1 + key: xfr_key # TSIG for primary authentication + quic: on + + zone: + - domain: example.com + master: primary + +Strict authentication: +...................... + +Note that the automatic ACL doesn't work in this case due to asymmetrical +configuration. The secondary can authenticate using TSIG. + +.. panels:: + + Primary: + + .. code-block:: console + + server: + listen-quic: ::1 + + key: + - id: secondary_key + algorithm: hmac-sha256 + secret: S059OFJv1SCDdR2P6JKENgWaM409iq2X44igcJdERhc= + + remote: + - id: secondary + address: ::2 + quic: on + + acl: + - id: secondary_xfr + address: ::2 + key: secondary_key # TSIG for secondary authentication + action: transfer + + zone: + - domain: example.com + notify: secondary + acl: secondary_xfr + + --- + + Secondary: + + .. code-block:: console + + server: + listen-quic: ::2 + + key: + - id: secondary_key + algorithm: hmac-sha256 + secret: S059OFJv1SCDdR2P6JKENgWaM409iq2X44igcJdERhc= + + remote: + - id: primary + address: ::1 + key: secondary_key # TSIG for secondary authentication + quic: on + + acl: + - id: primary_notify + address: ::1 + cert-key: 0xtdayWpnJh4Py8goi8cei/gXGD4kJQ+HEqcxS++DBw= + action: notify + + zone: + - domain: example.com + master: primary + acl: primary_notify + +Mutual authentication: +...................... + +The :rfc:`mutual authentication<9103#section-9.3.3>` guarantees authentication +for both the primary and the secondary. In this case, TSIG would be redundant. +This mode is recommended if possible. + +.. panels:: + + Primary: + + .. code-block:: console + + server: + listen-quic: ::1 + automatic-acl: on + + remote: + - id: secondary + address: ::2 + quic: on + cert-key: PXqv7/lXn6N7scg/KJWvfU/TEPe5BoIUHQGRLMPr6YQ= + + zone: + - domain: example.com + notify: secondary + + --- + + Secondary: + + .. code-block:: console + + server: + listen-quic: ::2 + automatic-acl: on + + remote: + - id: primary + address: ::1 + quic: on + cert-key: 0xtdayWpnJh4Py8goi8cei/gXGD4kJQ+HEqcxS++DBw= + + zone: + - domain: example.com + master: primary + +.. NOTE:: + + Instead of certificate verification with specified authentication domain name, + Knot DNS uses certificate public key pinning. This approach has much lower + overhead and in most cases simplifies configuration and certificate management. + +.. _query-modules: + +Query modules +============= + +Knot DNS supports configurable query modules that can alter the way +queries are processed. Each query requires a finite number of steps to +be resolved. We call this set of steps a *query plan*, an abstraction +that groups these steps into several stages. + +* Before-query processing +* Answer, Authority, Additional records packet sections processing +* After-query processing + +For example, processing an Internet-class query needs to find an +answer. Then based on the previous state, it may also append an +authority SOA or provide additional records. Each of these actions +represents a 'processing step'. Now, if a query module is loaded for a +zone, it is provided with an implicit query plan which can be extended +by the module or even changed altogether. + +A module is active if its name, which includes the ``mod-`` prefix, is assigned +to the zone/template :ref:`zone_module` option or to the ``default`` template +:ref:`template_global-module` option if activating for all queries. +If the module is configurable, a corresponding module section with +an identifier must be created and then referenced in the form of +``module_name/module_id``. See :ref:`Modules` for the list of available modules. + +The same module can be specified multiple times, such as a global module and +a per-zone module, or with different configurations. However, not all modules +are intended for this, for example, mod-cookies! Global modules are executed +before per-zone modules. + +.. NOTE:: + Query modules are processed in the order they are specified in the + zone/template configuration. In most cases, the recommended order is:: + + mod-synthrecord, mod-onlinesign, mod-cookies, mod-rrl, mod-dnstap, mod-stats + +Performance Tuning +================== + +Numbers of Workers +------------------ + +There are three types of workers ready for parallel execution of performance-oriented tasks: +UDP workers, TCP workers, and Background workers. The first two types handle all network requests +via the UDP and TCP protocol (respectively) and do the response jobs for common +queries. Background workers process changes to the zone. + +By default, Knot determines a well-fitting number of workers based on the number of CPU cores. +The user can specify the number of workers for each type with configuration/server section: +:ref:`server_udp-workers`, :ref:`server_tcp-workers`, :ref:`server_background-workers`. + +An indication of when to increase the number of workers is when the server is lagging behind +expected performance, while CPU usage remains low. This is usually due to waiting for network +or I/O response during the operation. It may be caused by Knot design not fitting the use-case well. +The user should try increasing the number of workers (of the related type) slightly above 100 and if +the performance improves, decide a further, exact setting. + +Number of available file descriptors +------------------------------------ + +A name server configured for a large number of zones (hundreds or more) needs enough file descriptors +available for zone transfers and zone file updates, which default OS settings often don't provide. +It's necessary to check with the OS configuration and documentation and ensure the number of file +descriptors (sometimes called a number of concurrently open files) effective for the knotd process +is set suitably high. The number of concurrently open incoming TCP connections must be taken into +account too. In other words, the required setting is affected by the :ref:`server_tcp-max-clients` +setting. + +Sysctl and NIC optimizations +---------------------------- + +There are several recommendations based on Knot developers' experience with their specific HW and SW +(mainstream Intel-based servers, Debian-based GNU/Linux distribution). They may improve or impact +performance in common use cases. + +If your NIC driver allows it (see /proc/interrupts for hint), set CPU affinity (/proc/irq/$IRQ/smp_affinity) +manually so that each NIC channel is served by unique CPU core(s). You must turn off irqbalance service +in advance to avoid configuration override. + +Configure sysctl as follows: :: + + socket_bufsize=1048576 + busy_latency=0 + backlog=40000 + optmem_max=20480 + + net.core.wmem_max = $socket_bufsize + net.core.wmem_default = $socket_bufsize + net.core.rmem_max = $socket_bufsize + net.core.rmem_default = $socket_bufsize + net.core.busy_read = $busy_latency + net.core.busy_poll = $busy_latency + net.core.netdev_max_backlog = $backlog + net.core.optmem_max = $optmem_max + +Disable huge pages. + +Configure your CPU to "performance" mode. This can be achieved depending on architecture, e.g. in BIOS, +or e.g. configuring /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor to "performance". + +Tune your NIC device with ethtool: :: + + ethtool -A $dev autoneg off rx off tx off + ethtool -K $dev tso off gro off ufo off + ethtool -G $dev rx 4096 tx 4096 + ethtool -C $dev rx-usecs 75 + ethtool -C $dev tx-usecs 75 + ethtool -N $dev rx-flow-hash udp4 sdfn + ethtool -N $dev rx-flow-hash udp6 sdfn + +On FreeBSD you can just: :: + + ifconfig ${dev} -rxcsum -txcsum -lro -tso + +Knot developers are open to hear about users' further suggestions about network devices tuning/optimization. |