summaryrefslogtreecommitdiffstats
path: root/doc/operation.rst
diff options
context:
space:
mode:
Diffstat (limited to 'doc/operation.rst')
-rw-r--r--doc/operation.rst1387
1 files changed, 1387 insertions, 0 deletions
diff --git a/doc/operation.rst b/doc/operation.rst
new file mode 100644
index 0000000..f953719
--- /dev/null
+++ b/doc/operation.rst
@@ -0,0 +1,1387 @@
+.. highlight:: none
+.. _Operation:
+
+*********
+Operation
+*********
+
+The Knot DNS server part :doc:`knotd<man_knotd>` can run either in the foreground,
+or in the background using the ``-d`` option. When run in the foreground, it
+doesn't create a PID file. Other than that, there are no differences and you
+can control both the same way.
+
+The tool :doc:`knotc<man_knotc>` is designed as a user front-end, making it easier
+to control a running server daemon. If you want to control the daemon directly,
+use ``SIGINT`` to quit the process or ``SIGHUP`` to reload the configuration.
+
+If you pass neither configuration file (``-c`` parameter) nor configuration
+database (``-C`` parameter), the server will first attempt to use the default
+configuration database stored in ``/var/lib/knot/confdb`` or the
+default configuration file stored in ``/etc/knot/knot.conf``. Both the
+default paths can be reconfigured with ``--with-storage=path`` or
+``--with-configdir=path`` respectively.
+
+Example of server start as a daemon::
+
+ $ knotd -d -c knot.conf
+
+Example of server shutdown::
+
+ $ knotc -c knot.conf stop
+
+For a complete list of actions refer to the program help (``-h`` parameter)
+or to the corresponding manual page.
+
+Also, the server needs to create :ref:`server_rundir` and :ref:`zone_storage`
+directories in order to run properly.
+
+.. _Configuration database:
+
+Configuration database
+======================
+
+In the case of a huge configuration file, the configuration can be stored
+in a binary database. Such a database can be simply initialized::
+
+ $ knotc conf-init
+
+or preloaded from a file::
+
+ $ knotc conf-import input.conf
+
+Also the configuration database can be exported into a textual file::
+
+ $ knotc conf-export output.conf
+
+.. WARNING::
+ The import and export commands access the configuration database
+ directly, without any interaction with the server. Therefore, any data
+ not yet committed to the database won't be exported. And the server won't
+ reflect imported configuration correctly. So it is strictly recommended to
+ import new configuration when the server is not running.
+
+.. _Dynamic configuration:
+
+Dynamic configuration
+=====================
+
+The configuration database can be accessed using the server control interface
+while the server is running. To get the full power of the dynamic configuration,
+the server must be started with a specified configuration database location
+or with the default database initialized. Otherwise all the changes to the
+configuration will be temporary (until the server is stopped).
+
+.. NOTE::
+ The database can be :ref:`imported<Configuration database>` in advance.
+
+Most of the commands get an item name and value parameters. The item name is
+in the form of ``section[identifier].name``. If the item is multivalued,
+more values can be specified as individual (command line) arguments.
+
+.. CAUTION::
+ Beware of the possibility of pathname expansion by the shell. For this reason,
+ it is advisable to escape (with backslash) square brackets or to quote command parameters if
+ not executed in the interactive mode.
+
+To get the list of configuration sections or to get the list of section items::
+
+ $ knotc conf-list
+ $ knotc conf-list 'server'
+
+To get the whole configuration or to get the whole configuration section or
+to get all section identifiers or to get a specific configuration item::
+
+ $ knotc conf-read
+ $ knotc conf-read 'remote'
+ $ knotc conf-read 'zone.domain'
+ $ knotc conf-read 'zone[example.com].master'
+
+.. WARNING::
+ The following operations don't work on OpenBSD!
+
+Modifying operations require an active configuration database transaction.
+Just one transaction can be active at a time. Such a transaction then can
+be aborted or committed. A semantic check is executed automatically before
+every commit::
+
+ $ knotc conf-begin
+ $ knotc conf-abort
+ $ knotc conf-commit
+
+To set a configuration item value or to add more values or to add a new
+section identifier or to add a value to all identified sections::
+
+ $ knotc conf-set 'server.identity' 'Knot DNS'
+ $ knotc conf-set 'server.listen' '0.0.0.0@53' '::@53'
+ $ knotc conf-set 'zone[example.com]'
+ $ knotc conf-set 'zone.slave' 'slave2'
+
+.. NOTE::
+ Also the include operation can be performed. A non-absolute file
+ location is relative to the server binary path, not to the control binary
+ path!
+
+ ::
+
+ $ knotc conf-set 'include' '/tmp/new_zones.conf'
+
+To unset the whole configuration or to unset the whole configuration section
+or to unset an identified section or to unset an item or to unset a specific
+item value::
+
+ $ knotc conf-unset
+ $ knotc conf-unset 'zone'
+ $ knotc conf-unset 'zone[example.com]'
+ $ knotc conf-unset 'zone[example.com].master'
+ $ knotc conf-unset 'zone[example.com].master' 'remote2' 'remote5'
+
+To get the change between the current configuration and the active transaction
+for the whole configuration or for a specific section or for a specific
+identified section or for a specific item::
+
+ $ knotc conf-diff
+ $ knotc conf-diff 'zone'
+ $ knotc conf-diff 'zone[example.com]'
+ $ knotc conf-diff 'zone[example.com].master'
+
+.. CAUTION::
+ While it is possible to change most of the configuration parameters
+ dynamically or via configuration file reload, a few of the parameters
+ in the section ``server`` require restarting the server, such that the changes
+ take effect. These parameters are:
+ :ref:`rundir<server_rundir>`,
+ :ref:`user<server_user>`,
+ :ref:`pidfile<server_pidfile>`,
+ :ref:`tcp-reuseport<server_tcp-reuseport>`,
+ :ref:`udp-workers<server_udp-workers>`,
+ :ref:`tcp-workers<server_tcp-workers>`,
+ :ref:`background-workers<server_background-workers>`, and
+ :ref:`listen<server_listen>`.
+
+An example of possible configuration initialization::
+
+ $ knotc conf-begin
+ $ knotc conf-set 'server.listen' '0.0.0.0@53' '::@53'
+ $ knotc conf-set 'remote[master_server]'
+ $ knotc conf-set 'remote[master_server].address' '192.168.1.1'
+ $ knotc conf-set 'template[default]'
+ $ knotc conf-set 'template[default].storage' '/var/lib/knot/zones/'
+ $ knotc conf-set 'template[default].master' 'master_server'
+ $ knotc conf-set 'zone[example.com]'
+ $ knotc conf-diff
+ $ knotc conf-commit
+
+.. _Secondary mode:
+
+Secondary (slave) mode
+======================
+
+Running the server as a secondary is very straightforward as the zone
+is transfered automatically from a remote server. The received zone is
+usually stored in a zone file after the :ref:`zone_zonefile-sync` period
+elapses. Zone differences are stored in the :ref:`zone journal <Journal behaviour>`.
+
+.. _Primary mode:
+
+Primary (master) mode
+=====================
+
+If you just want to check the zone files before starting, you can use::
+
+ $ knotc zone-check example.com
+
+.. _Editing zones:
+
+Reading and editing zones
+=========================
+
+Knot DNS allows you to read or change zone contents online using the server
+control interface.
+
+.. WARNING::
+ Avoid concurrent zone access when a zone event (zone file load, refresh,
+ DNSSEC signing, dynamic update) is in progress or pending. In such a case
+ zone events must be frozen before. For more information on how to freeze the
+ zone read :ref:`Editing zone file`.
+
+To get contents of all configured zones, or a specific zone contents, or zone
+records with a specific owner, or even with a specific record type::
+
+ $ knotc zone-read --
+ $ knotc zone-read example.com
+ $ knotc zone-read example.com ns1
+ $ knotc zone-read example.com ns1 NS
+
+.. NOTE::
+ If the record owner is not a fully qualified domain name, then it is
+ considered as a relative name to the zone name.
+
+To start a writing transaction on all zones or on specific zones::
+
+ $ knotc zone-begin --
+ $ knotc zone-begin example.com example.net
+
+Now you can list all nodes within the transaction using the ``zone-get``
+command, which always returns current data with all changes included. The
+command has the same syntax as ``zone-read``.
+
+Within the transaction, you can add a record to a specific zone or to all
+zones with an open transaction::
+
+ $ knotc zone-set example.com ns1 3600 A 192.168.0.1
+ $ knotc zone-set -- ns1 3600 A 192.168.0.1
+
+To remove all records with a specific owner, or a specific rrset, or
+specific record data::
+
+ $ knotc zone-unset example.com ns1
+ $ knotc zone-unset example.com ns1 A
+ $ knotc zone-unset example.com ns1 A 192.168.0.2
+
+To see the difference between the original zone and the current version::
+
+ $ knotc zone-diff example.com
+
+Finally, either commit or abort your transaction::
+
+ $ knotc zone-commit example.com
+ $ knotc zone-abort example.com
+
+A full example of setting up a completely new zone from scratch::
+
+ $ knotc conf-begin
+ $ knotc conf-set zone.domain example.com
+ $ knotc conf-commit
+ $ knotc zone-begin example.com
+ $ knotc zone-set example.com @ 3600 SOA ns admin 1 86400 900 691200 3600
+ $ knotc zone-set example.com @ 3600 NS ns
+ $ knotc zone-set example.com ns 3600 A 192.168.0.1
+ $ knotc zone-set example.com ns 3600 AAAA 2001:DB8::1
+ $ knotc zone-commit example.com
+
+.. NOTE::
+ If quotes are necessary for record data specification, remember to escape them::
+
+ $ knotc zone-set example.com @ 3600 TXT \"v=spf1 a:mail.example.com -all\"
+
+.. _Editing zone file:
+
+Reading and editing the zone file safely
+========================================
+
+It's always possible to read and edit zone contents via zone file manipulation.
+It may lead to confusion, however, if the zone contents are continuously being
+changed by DDNS, DNSSEC signing and the like. In such a case, the safe way to
+modify the zone file is to freeze zone events first::
+
+ $ knotc -b zone-freeze example.com.
+ $ knotc -b zone-flush example.com.
+
+After calling freeze on the zone, there still may be running zone operations (e.g. signing),
+causing freeze pending. Because of this, the blocking mode is used to ensure
+the operation was finished. Then the zone can be flushed to a file.
+
+Now the zone file can be safely modified (e.g. using a text editor).
+If :ref:`zone_zonefile-load` is not set to `difference-no-serial`, it's also necessary to
+**increase SOA serial** in this step to keep consistency. Finally, we can load the
+modified zone file and if successful, thaw the zone::
+
+ $ knotc -b zone-reload example.com.
+ $ knotc zone-thaw example.com.
+
+.. _Zone loading:
+
+Zone loading
+============
+
+The process of how the server loads a zone is influenced by the configuration of the
+:ref:`zonefile-load <zone_zonefile-load>` and :ref:`journal-content <zone_journal-content>`
+parameters (also DNSSEC signing applies), the existence of a zone file and journal
+(and their relative out-of-dateness), and whether it is a cold start of the server
+or a zone reload (e.g. invoked by the :doc:`knotc<man_knotc>` interface). Please note
+that zone transfers are not taken into account here – they are planned after the zone
+is loaded (including :ref:`zone bootstrap<Zone bootstrap>`).
+
+If the zone file exists and is not excluded by the configuration, it is first loaded
+and according to its SOA serial number, relevant journal changesets are applied.
+If this is a zone reload and we have :ref:`zone_zonefile-load` set to `difference`, the difference
+between old and new contents is computed and stored in the journal like an update.
+The zone file should be either unchanged since last load or changed with incremented
+SOA serial. In the case of a decreased SOA serial, the load is interrupted with
+an error; if unchanged, it is increased by the server.
+
+If the procedure described above succeeds without errors, the resulting zone contents are (after potential DNSSEC signing)
+used as the new zone.
+
+The option :ref:`zone_journal-content` set to `all` lets the server, beside better performance, keep
+track of the zone contents also across server restarts. It makes the cold start
+effectively work like a zone reload with the old contents loaded from the journal
+(unless this is the very first start with the zone not yet saved into the journal).
+
+.. _Journal behaviour:
+
+Journal behaviour
+=================
+
+The zone journal keeps some history of changes made to the zone. It is useful for
+responding to IXFR queries. Also if :ref:`zone file flush <zone_zonefile-sync>` is disabled, the
+journal keeps the difference between the zone file and the current zone in case of server shutdown.
+The history is stored in changesets – differences of zone contents between two
+(usually subsequent) zone versions (specified by SOA serials).
+
+Journals of all zones are stored in a common LMDB database. Huge changesets are
+split into 15-70 KiB [#fn-hc]_ blocks to prevent fragmentation of the DB. The
+journal does each operation in one transaction to keep consistency of the DB and performance.
+
+Each zone journal has its own occupation limits :ref:`maximum usage <zone_journal-max-usage>`
+and :ref:`maximum depth <zone_journal-max-depth>`. Changesets are stored in the journal
+one by one. When hitting any of the limits, the zone is flushed into the zone file
+if there are no redundant changesets to delete, and the oldest changesets are deleted.
+In the case of the size limit, twice [#fn-hc]_ the needed amount of space is purged
+to prevent overly frequent deletes.
+
+If :ref:`zone file flush <zone_zonefile-sync>` is disabled, then instead of flushing
+the zone, the journal tries to save space by merging the changesets into a special one.
+This approach is effective if the changes rewrite each other, e.g. periodically
+changing the same zone records, re-signing the whole zone etc. Thus the difference between the zone
+file and the zone is still preserved even if the journal deletes some older changesets.
+
+If the journal is used to store both zone history and contents, a special changeset
+is present with zone contents. When the journal gets full, the changes are merged into this
+special changeset.
+
+There is also a :ref:`safety hard limit <database_journal-db-max-size>` for overall
+journal database size, but it's strongly recommended to set the per-zone limits in
+a way to prevent hitting this one. For LMDB, it's hard to recover from the
+database-full state. For wiping one zone's journal, see *knotc zone-purge +journal*
+command.
+
+.. [#fn-hc] This constant is hardcoded.
+
+.. _Handling, zone file, journal, changes, serials:
+
+Handling zone file, journal, changes, serials
+=============================================
+
+Some configuration options regarding the zone file and journal, together with operation
+procedures, might lead to unexpected results. This chapter points out
+potential interference and both recommends and warns before some combinations thereof.
+Unfortunately, there is no optimal combination of configuration options,
+every approach has some disadvantages.
+
+Example 1
+---------
+
+Keep the zone file updated::
+
+ zonefile-sync: 0
+ zonefile-load: whole
+ journal-content: changes
+
+These are default values. The user can always check the current zone
+contents in the zone file, and also modify it (recommended with server turned-off or
+taking the :ref:`safe way<Editing zone file>`). The journal serves here just as a source of
+history for secondary servers' IXFR. Some users dislike that the server overwrites their
+prettily prepared zone file.
+
+Example 2
+---------
+
+Zonefileless setup::
+
+ zonefile-sync: -1
+ zonefile-load: none
+ journal-content: all
+
+Zone contents are stored only in the journal. The zone is updated by DDNS,
+zone transfer, or via the control interface. The user might have filled the
+zone contents initially from a zone file by setting :ref:`zone_zonefile-load` to
+`whole` temporarily.
+It's also a good setup for secondary servers. Anyway, it's recommended to carefully tune
+the journal-size-related options to avoid surprises like the journal getting full
+(see :ref:`Journal behaviour`).
+
+Example 3
+---------
+
+Input-only zone file::
+
+ zonefile-sync: -1
+ zonefile-load: difference
+ journal-content: changes
+
+The user can make changes to the zone by editing the zone file, and his pretty zone file
+is never overwritten or filled with DNSSEC-related autogenerated records – they are
+only stored in the journal.
+
+.. WARNING::
+ The zone file's SOA serial must be properly set to a number which is higher than the
+ current SOA serial in the zone (not in the zone file) if manually updated!
+ This is important to ensure consistency of the journal and outgoing IXFR.
+
+Example 4
+---------
+
+Auto-increment SOA serial::
+
+ zonefile-sync: -1
+ zonefile-load: difference-no-serial
+ journal-content: all
+
+This is similar to the previous setup, but the SOA serial is handled by the server
+automatically. So the user no longer needs to care about it in the zone file.
+
+However, this requires setting :ref:`zone_journal-content` to `all` so that
+the information about the last real SOA serial is preserved in case of server re-start.
+The sizing of journal limits needs to be taken into consideration
+(see :ref:`Journal behaviour`).
+
+.. _Zone bootstrap:
+
+Zone bootstrapping on secondary
+===============================
+
+When zone refresh from the primary fails, the ``retry`` value from SOA is used
+as the interval between refresh attempts. In a case that SOA isn't known to the
+secondary (either because the zone hasn't been retrieved from the primary yet,
+or the zone has expired), a backoff is used for repeated retry attempts.
+
+With every retry, the delay rises as a quadratic polynomial (5 * n^2, where n
+represents the sequence number of the retry attempt) up to two hours, each time
+with a random delay of 0 to 30 seconds added to spread the load on the primary.
+In each attempt, the retry interval is subject to :ref:`zone_retry-min-interval`
+and :ref:`zone_retry-max-interval`.
+
+Until the refresh has been successfully completed, the backoff is restarted from
+the beginning by every ``zone-refresh`` or ``zone-retransfer`` of the zone
+triggered manually via :doc:`knotc<man_knotc>`, by ``zone-purge`` or
+``zone-restore`` of the zone's timers, or by a restart of :doc:`knotd<man_knotd>`.
+
+.. _Zone expiration:
+
+Zone expiration
+===============
+
+On a primary, zone normally never expires. On a secondary, zone expiration results
+in removal of the current zone contents and a trigger of immediate zone refresh.
+The zone file and zone's journal are kept, but not used for answering requests
+until the refresh is successfully completed.
+
+The zone expire timer is set according to the zone's SOA expire field. In addition
+to it, Knot DNS also supports EDNS EXPIRE extension of the expire timer in both
+primary and secondary roles as described in :rfc:`7314`.
+
+When Knot DNS is configured as a secondary, EDNS EXPIRE option present in a SOA,
+IXFR, or AFXR response from the primary is processed and used to update the zone
+timer when necessary. This functionality (together with requests of any other EDNS
+options) for a specified primary may be disabled using the :ref:`remote_no-edns`
+configuration parameter.
+
+If it's necessary, any zone may be expired manually using the ``zone-purge``
+command of the :doc:`knotc<man_knotc>` utility. Manual expiration is applicable
+to any zone, including a catalog zone or a zone on a primary. Beware, a manually
+expired zone on a primary or a manually expired catalog zone becomes valid again
+after a server configuration is reloaded or the :doc:`knotd<man_knotd>` process
+is restarted, provided that the zone data hasn't been removed.
+
+.. _DNSSEC Key states:
+
+DNSSEC key states
+=================
+
+During its lifetime, a DNSSEC key finds itself in different states. Most of the time it
+is used for signing the zone and published in the zone. In order to exchange
+the key, one type of a key rollover is necessary, and during this rollover,
+the key goes through various states with respect to the rollover type and also the
+state of the other key being rolled-over.
+
+First, let's list the states of the key being rolled-in.
+
+Standard states:
+
+- ``active`` — The key is used for signing.
+- ``published`` — The key is published in the zone, but not used for signing. If the key is
+ a KSK or CSK, it is used for signing the DNSKEY RRSet.
+- ``ready`` (only for KSK) — The key is published in the zone and used for signing. The
+ old key is still active, since we are waiting for the DS records in the parent zone to be
+ updated (i.e. "KSK submission").
+
+Special states for algorithm rollover:
+
+- ``pre-active`` — The key is not yet published in the zone, but it's used for signing the zone.
+- ``published`` — The key is published in the zone, and it's still used for signing since the
+ pre-active state.
+
+Second, we list the states of the key being rolled-out.
+
+Standard states:
+
+- ``retire-active`` — The key is still used for signing, and is published in the zone, waiting for
+ the updated DS records in parent zone to be acked by resolvers (KSK case) or synchronizing
+ with KSK during algorithm rollover (ZSK case).
+- ``retired`` — The key is no longer used for signing. If ZSK, the key is still published in the zone.
+- ``removed`` — The key is not used in any way (in most cases such keys are deleted immediately).
+
+Special states for algorithm rollover:
+
+- ``post-active`` — The key is no longer published in the zone, but still used for signing.
+
+Special states for :rfc:`5011` trust anchor roll-over
+
+- ``revoke`` (only for KSK) — The key is published and used for signing, and the Revoked flag is set.
+
+.. NOTE::
+ Trust anchor roll-over is not implemented with automatic key management.
+
+ The ``revoke`` state can only be established using :doc:`keymgr<man_keymgr>` when using
+ :ref:`dnssec-manual-key-management`.
+
+The states listed above are relevant for :doc:`keymgr<man_keymgr>` operations like generating
+a key, setting its timers and listing KASP database.
+
+Note that the key "states" displayed in the server log lines while zone signing
+are not according to those listed above, but just a hint as to what the key is currently used for
+(e.g. "public, active" = key is published in the zone and used for signing).
+
+.. _DNSSEC Key rollovers:
+
+DNSSEC key rollovers
+====================
+
+This section describes the process of DNSSEC key rollover and its implementation
+in Knot DNS, and how the operator might watch and check that it's working correctly.
+The prerequisite is automatic zone signing with enabled
+:ref:`automatic key management<dnssec-automatic-ksk-management>`.
+
+The KSK and ZSK rollovers are triggered by the respective zone key getting old according
+to the settings (see :ref:`KSK<policy_ksk-lifetime>` and :ref:`ZSK<policy_zsk-lifetime>` lifetimes).
+
+The algorithm rollover starts when the policy :ref:`algorithm<policy_algorithm>`
+field is updated to a different value.
+
+The signing scheme rollover happens when the policy :ref:`signing scheme<policy_single-type-signing>`
+field is changed.
+
+It's also possible to change the algorithm and signing scheme in one rollover.
+
+The operator may check the next rollover phase time by watching the next zone signing time,
+either in the log or via ``knotc zone-status``. There is no special log for finishing a rollover.
+
+.. NOTE::
+ There are never two key rollovers running in parallel for one zone. If
+ a rollover is triggered while another is in progress, it waits until the
+ first one is finished. Note that a rollover might be considered finished
+ when the old key is retired or waiting to be deleted.
+
+The ZSK rollover is performed with Pre-publish method, KSK rollover uses Double-Signature
+scheme, as described in :rfc:`6781`.
+
+.. _Automatic KSK and ZSK rollovers example:
+
+Automatic KSK and ZSK rollovers example
+---------------------------------------
+
+Let's start with the following set of keys::
+
+ 2021-05-10T20:50:00+0200 info: [example.com.] DNSSEC, key, tag 50613, algorithm ECDSAP256SHA256, KSK, public, active
+ 2021-05-10T20:50:00+0200 info: [example.com.] DNSSEC, key, tag 62932, algorithm ECDSAP256SHA256, public, active
+
+The last fields hint the key state: ``public`` denotes a key that will be presented
+as the DNSKEY record, ``ready`` means that CDS/CDNSKEY records were created,
+``active`` tells us that the key is used for signing, while ``active+`` is an
+active key undergoing a roll-over or roll-in.
+
+For demonstration purposes, the following configuration is used::
+
+ submission:
+ - id: test_submission
+ check-interval: 2s
+ parent: dnssec_validating_resolver
+
+ policy:
+ - id: test_policy
+ ksk-lifetime: 5m
+ zsk-lifetime: 2m
+ propagation-delay: 2s
+ dnskey-ttl: 10s
+ zone-max-ttl: 15s
+ ksk-submission: test_submission
+
+Upon the zone's KSK lifetime expiration, a new KSK is generated and the rollover
+continues along the lines of :rfc:`6781#section-4.1.2`::
+
+ # KSK Rollover (50613 -> 9081)
+
+ 2021-05-10T20:50:00+0200 info: [example.com.] DNSSEC, signing zone
+ 2021-05-10T20:50:00+0200 info: [example.com.] DNSSEC, KSK rollover started
+ 2021-05-10T20:50:00+0200 info: [example.com.] DNSSEC, key, tag 50613, algorithm ECDSAP256SHA256, KSK, public, active
+ 2021-05-10T20:50:00+0200 info: [example.com.] DNSSEC, key, tag 62932, algorithm ECDSAP256SHA256, public, active
+ 2021-05-10T20:50:00+0200 info: [example.com.] DNSSEC, key, tag 9081, algorithm ECDSAP256SHA256, KSK, public, active+
+ 2021-05-10T20:50:00+0200 info: [example.com.] DNSSEC, signing started
+ 2021-05-10T20:50:00+0200 info: [example.com.] DNSSEC, successfully signed
+ 2021-05-10T20:50:00+0200 info: [example.com.] DNSSEC, next signing at 2021-05-10T20:50:12+0200
+
+ ... (propagation-delay + dnskey-ttl) ...
+
+ 2021-05-10T20:50:12+0200 info: [example.com.] DNSSEC, signing zone
+ 2021-05-10T20:50:12+0200 notice: [example.com.] DNSSEC, KSK submission, waiting for confirmation
+ 2021-05-10T20:50:12+0200 info: [example.com.] DNSSEC, key, tag 50613, algorithm ECDSAP256SHA256, KSK, public, active
+ 2021-05-10T20:50:12+0200 info: [example.com.] DNSSEC, key, tag 62932, algorithm ECDSAP256SHA256, public, active
+ 2021-05-10T20:50:12+0200 info: [example.com.] DNSSEC, key, tag 9081, algorithm ECDSAP256SHA256, KSK, public, ready, active+
+ 2021-05-10T20:50:12+0200 info: [example.com.] DNSSEC, signing started
+ 2021-05-10T20:50:12+0200 info: [example.com.] DNSSEC, successfully signed
+ 2021-05-10T20:50:12+0200 info: [example.com.] DNSSEC, next signing at 2021-05-17T20:49:56+0200
+
+At this point the new KSK has to be submitted to the parent zone. Knot detects the updated parent's DS
+record automatically (and waits for additional period of the DS's TTL before retiring the old key)
+if :ref:`parent DS check<Submission section>` is configured, otherwise the
+operator must confirm it manually (using ``knotc zone-ksk-submitted``)::
+
+ 2021-05-10T20:50:12+0200 info: [example.com.] DS check, outgoing, remote 127.0.0.1@5300, KSK submission check: negative
+ 2021-05-10T20:50:14+0200 info: [example.com.] DS check, outgoing, remote 127.0.0.1@5300, KSK submission check: negative
+ 2021-05-10T20:50:16+0200 info: [example.com.] DS check, outgoing, remote 127.0.0.1@5300, KSK submission check: positive
+ 2021-05-10T20:50:16+0200 notice: [example.com.] DNSSEC, KSK submission, confirmed
+ 2021-05-10T20:50:16+0200 info: [example.com.] DNSSEC, signing zone
+ 2021-05-10T20:50:16+0200 info: [example.com.] DNSSEC, key, tag 50613, algorithm ECDSAP256SHA256, KSK, public, active+
+ 2021-05-10T20:50:16+0200 info: [example.com.] DNSSEC, key, tag 62932, algorithm ECDSAP256SHA256, public, active
+ 2021-05-10T20:50:16+0200 info: [example.com.] DNSSEC, key, tag 9081, algorithm ECDSAP256SHA256, KSK, public, active
+ 2021-05-10T20:50:16+0200 info: [example.com.] DNSSEC, signing started
+ 2021-05-10T20:50:16+0200 info: [example.com.] DNSSEC, successfully signed
+ 2021-05-10T20:50:16+0200 info: [example.com.] DNSSEC, next signing at 2021-05-10T20:50:23+0200
+
+ ... (parent's DS TTL is 7 seconds) ...
+
+ 2021-05-10T20:50:23+0200 info: [example.com.] DNSSEC, signing zone
+ 2021-05-10T20:50:23+0200 info: [example.com.] DNSSEC, key, tag 62932, algorithm ECDSAP256SHA256, public, active
+ 2021-05-10T20:50:23+0200 info: [example.com.] DNSSEC, key, tag 9081, algorithm ECDSAP256SHA256, KSK, public, active
+ 2021-05-10T20:50:23+0200 info: [example.com.] DNSSEC, signing started
+ 2021-05-10T20:50:23+0200 info: [example.com.] DNSSEC, successfully signed
+ 2021-05-10T20:50:23+0200 info: [example.com.] DNSSEC, next signing at 2021-05-10T20:51:56+0200
+
+Upon the zone's ZSK lifetime expiration, a new ZSK is generated and the rollover
+continues along the lines of :rfc:`6781#section-4.1.1`::
+
+ # ZSK Rollover (62932 -> 33255)
+
+ 2021-05-10T20:51:56+0200 info: [example.com.] DNSSEC, signing zone
+ 2021-05-10T20:51:56+0200 info: [example.com.] DNSSEC, ZSK rollover started
+ 2021-05-10T20:51:56+0200 info: [example.com.] DNSSEC, key, tag 62932, algorithm ECDSAP256SHA256, public, active
+ 2021-05-10T20:51:56+0200 info: [example.com.] DNSSEC, key, tag 9081, algorithm ECDSAP256SHA256, KSK, public, active
+ 2021-05-10T20:51:56+0200 info: [example.com.] DNSSEC, key, tag 33255, algorithm ECDSAP256SHA256, public
+ 2021-05-10T20:51:56+0200 info: [example.com.] DNSSEC, signing started
+ 2021-05-10T20:51:56+0200 info: [example.com.] DNSSEC, successfully signed
+ 2021-05-10T20:51:56+0200 info: [example.com.] DNSSEC, next signing at 2021-05-10T20:52:08+0200
+
+ ... (propagation-delay + dnskey-ttl) ...
+
+ 2021-05-10T20:52:08+0200 info: [example.com.] DNSSEC, signing zone
+ 2021-05-10T20:52:08+0200 info: [example.com.] DNSSEC, key, tag 62932, algorithm ECDSAP256SHA256, public
+ 2021-05-10T20:52:08+0200 info: [example.com.] DNSSEC, key, tag 9081, algorithm ECDSAP256SHA256, KSK, public, active
+ 2021-05-10T20:52:08+0200 info: [example.com.] DNSSEC, key, tag 33255, algorithm ECDSAP256SHA256, public, active
+ 2021-05-10T20:52:08+0200 info: [example.com.] DNSSEC, signing started
+ 2021-05-10T20:52:08+0200 info: [example.com.] DNSSEC, successfully signed
+ 2021-05-10T20:52:08+0200 info: [example.com.] DNSSEC, next signing at 2021-05-10T20:52:25+0200
+
+ ... (propagation-delay + zone-max-ttl) ...
+
+ 2021-05-10T20:52:25+0200 info: [example.com.] DNSSEC, signing zone
+ 2021-05-10T20:52:25+0200 info: [example.com.] DNSSEC, key, tag 9081, algorithm ECDSAP256SHA256, KSK, public, active
+ 2021-05-10T20:52:25+0200 info: [example.com.] DNSSEC, key, tag 33255, algorithm ECDSAP256SHA256, public, active
+ 2021-05-10T20:52:25+0200 info: [example.com.] DNSSEC, signing started
+ 2021-05-10T20:52:25+0200 info: [example.com.] DNSSEC, successfully signed
+ 2021-05-10T20:52:25+0200 info: [example.com.] DNSSEC, next signing at 2021-05-10T20:54:08+0200
+ 2021-05-10T20:54:08+0200 info: [example.com.] DNSSEC, signing zone
+
+Further rollovers::
+
+ ... (zsk-lifetime - propagation-delay - zone-max-ttl) ...
+
+ # Another ZSK Rollover (33255 -> 49526)
+
+ 2021-05-10T20:54:08+0200 info: [example.com.] DNSSEC, signing zone
+ 2021-05-10T20:54:08+0200 info: [example.com.] DNSSEC, ZSK rollover started
+ 2021-05-10T20:54:08+0200 info: [example.com.] DNSSEC, key, tag 9081, algorithm ECDSAP256SHA256, KSK, public, active
+ 2021-05-10T20:54:08+0200 info: [example.com.] DNSSEC, key, tag 33255, algorithm ECDSAP256SHA256, public, active
+ 2021-05-10T20:54:08+0200 info: [example.com.] DNSSEC, key, tag 49526, algorithm ECDSAP256SHA256, public
+ 2021-05-10T20:54:08+0200 info: [example.com.] DNSSEC, signing started
+ 2021-05-10T20:54:08+0200 info: [example.com.] DNSSEC, successfully signed
+ 2021-05-10T20:54:08+0200 info: [example.com.] DNSSEC, next signing at 2021-05-10T20:54:20+0200
+
+ ...
+
+ # Another KSK Rollover (9081 -> 9179)
+
+ 2021-05-10T20:55:00+0200 info: [example.com.] DNSSEC, signing zone
+ 2021-05-10T20:55:00+0200 info: [example.com.] DNSSEC, KSK rollover started
+ 2021-05-10T20:55:00+0200 info: [example.com.] DNSSEC, key, tag 9081, algorithm ECDSAP256SHA256, KSK, public, active
+ 2021-05-10T20:55:00+0200 info: [example.com.] DNSSEC, key, tag 49526, algorithm ECDSAP256SHA256, public, active
+ 2021-05-10T20:55:00+0200 info: [example.com.] DNSSEC, key, tag 9179, algorithm ECDSAP256SHA256, KSK, public, active+
+ 2021-05-10T20:55:00+0200 info: [example.com.] DNSSEC, signing started
+ 2021-05-10T20:55:00+0200 info: [example.com.] DNSSEC, successfully signed
+ 2021-05-10T20:55:00+0200 info: [example.com.] DNSSEC, next signing at 2021-05-10T20:55:12+0200
+
+ ...
+
+.. TIP::
+ If systemd is available, the KSK submission event is logged into journald
+ in a structured way. The intended use case is to trigger a user-created script.
+ Example::
+
+ journalctl -f -t knotd -o json | python3 -c '
+ import json, sys
+ for line in sys.stdin:
+ k = json.loads(line);
+ if "KEY_SUBMISSION" in k:
+ print("%s, zone=%s, keytag=%s" % (k["__REALTIME_TIMESTAMP"], k["ZONE"], k["KEY_SUBMISSION"]))
+ '
+
+ Alternatively, the :ref:`D-Bus signaling<server_dbus-event>` can be utilized for the same use.
+
+.. _DNSSEC Shared KSK:
+
+DNSSEC shared KSK
+=================
+
+Knot DNS allows, with automatic DNSSEC key management, to configure a shared KSK for multiple zones.
+By enabling :ref:`policy_ksk-shared`, we tell Knot to share all newly-created KSKs
+among all the zones with the same :ref:`DNSSEC signing policy<Policy section>` assigned.
+
+The feature works as follows. Each zone still manages its keys separately. If a new KSK shall be
+generated for the zone, it first checks if it can grab another zone's shared KSK instead -
+that is the last generated KSK in any of the zones with the same policy assigned.
+Anyway, only the cryptographic material is shared, the key may have different timers
+in each zone.
+
+.. rubric:: Consequences:
+
+If we have an initial setting with brand new zones without any DNSSEC keys,
+the initial keys for all zones are generated. With shared KSK, they will all have the same KSK,
+but different ZSKs. The KSK rollovers may take place at slightly different times for each of the zones,
+but the resulting new KSK will be shared again among all of them.
+
+If we have zones which already have their keys, turning on the shared KSK feature triggers no action.
+But when a KSK rollover takes place, they will use the same new key afterwards.
+
+.. WARNING::
+ Changing the policy :ref:`id<policy_id>` must be done carefully if shared
+ KSK is in use.
+
+.. _DNSSEC Delete algorithm:
+
+DNSSEC delete algorithm
+=======================
+
+This is how to "disconnect" a signed zone from a DNSSEC-aware parent zone.
+More precisely, we tell the parent zone to remove our zone's DS record by
+publishing a special formatted CDNSKEY and CDS record. This is mostly useful
+if we want to turn off DNSSEC on our zone so it becomes insecure, but not bogus.
+
+With automatic DNSSEC signing and key management by Knot, this is as easy as
+configuring :ref:`policy_cds-cdnskey-publish` option and reloading the configuration.
+We check if the special CDNSKEY and CDS records with the rdata "0 3 0 AA==" and "0 0 0 00",
+respectively, appeared in the zone.
+
+After the parent zone notices and reflects the change, we wait for TTL expire
+(so all resolvers' caches get updated), and finally we may do anything with the
+zone, e.g. turning off DNSSEC, removing all the keys and signatures as desired.
+
+.. _DNSSEC Offline KSK:
+
+DNSSEC Offline KSK
+==================
+
+Knot DNS allows a special mode of operation where the private part of the Key Signing Key is
+not available to the daemon, but it is rather stored securely in an offline storage. This requires
+that the KSK/ZSK signing scheme is used (i.e. :ref:`policy_single-type-signing` is off).
+The Zone Signing Key is always fully available to the daemon in order to sign common changes to the zone contents.
+
+The server (or the "ZSK side") only uses ZSK to sign zone contents and its changes. Before
+performing a ZSK rollover, the DNSKEY records will be pre-generated and signed by the
+signer (the "KSK side"). Both sides exchange keys in the form of human-readable messages with the help
+of the :doc:`keymgr<man_keymgr>` utility.
+
+Prerequisites
+-------------
+
+For the ZSK side (i.e. the operator of the DNS server), the zone has to be configured with:
+
+- Enabled :ref:`DNSSEC signing <zone_dnssec-signing>`
+- Properly configured and assigned :ref:`DNSSEC policy <Policy section>`:
+
+ - Enabled :ref:`policy_manual`
+ - Enabled :ref:`policy_offline-ksk`
+ - Explicit :ref:`policy_dnskey-ttl`
+ - Explicit :ref:`policy_zone-max-ttl`
+ - Other options are optional
+- KASP DB may contain a ZSK (the present or some previous one(s))
+
+For the KSK side (i.e. the operator of the KSK signer), the zone has to be configured with:
+
+- Properly configured and assigned :ref:`DNSSEC policy <Policy section>`:
+
+ - Enabled :ref:`policy_manual`
+ - Enabled :ref:`policy_offline-ksk`
+ - Explicit :ref:`policy_rrsig-refresh`
+ - Optional :ref:`policy_rrsig-lifetime`, :ref:`policy_rrsig-pre-refresh`,
+ :ref:`policy_algorithm`, :ref:`policy_reproducible-signing`,
+ and :ref:`policy_cds-cdnskey-publish`
+ - Other options are ignored
+- KASP DB contains a KSK (the present or a newly generated one)
+
+Generating and signing future ZSKs
+----------------------------------
+
+1. Use the ``keymgr pregenerate`` command on the ZSK side to prepare the ZSKs for a specified period of time in the future. The following example
+ generates ZSKs for the *example.com* zone for 6 months ahead starting from now::
+
+ $ keymgr -c /path/to/ZSK/side.conf example.com. pregenerate +6mo
+
+ If the time period is selected as e.g. *2 x* :ref:`policy_zsk-lifetime` *+ 4 x* :ref:`policy_propagation-delay`, it will
+ prepare roughly two complete future key rollovers. The newly-generated
+ ZSKs remain in non-published state until their rollover starts, i.e. the time
+ they would be generated in case of automatic key management.
+
+2. Use the ``keymgr generate-ksr`` command on the ZSK side to export the public parts of the future ZSKs in a form
+ similar to DNSKEY records. You might use the same time period as in the first step::
+
+ $ keymgr -c /path/to/ZSK/side.conf example.com. generate-ksr +0 +6mo > /path/to/ksr/file
+
+ Save the output of the command (called the Key Signing Request or KSR) to a file and transfer it to the KSK side e.g. via e-mail.
+
+3. Use the ``keymgr sign-ksr`` command on the KSK side with the KSR file from the previous step as a parameter::
+
+ $ keymgr -c /path/to/KSK/side.conf example.com. sign-ksr /path/to/ksr/file > /path/to/skr/file
+
+ This creates all the future forms of the DNSKEY, CDNSKEY and CSK records and all the respective RRSIGs and prints them on output. Save
+ the output of the command (called the Signed Key Response or SKR) to a file and transfer it back to the ZSK side.
+
+4. Use the ``keymgr import-skr`` command to import the records and signatures from the SKR file generated in the last step
+ into the KASP DB on the ZSK side::
+
+ $ keymgr -c /path/to/ZSK/side.conf example.com. import-skr /path/to/skr/file
+
+5. Use the ``knotc zone-keys-load`` command to trigger a zone re-sign on the ZSK-side and set up the future re-signing events correctly.::
+
+ $ knotc -c /path/to/ZSK/side.conf zone-keys-load example.com.
+
+6. Now the future ZSKs and DNSKEY records with signatures are ready in KASP DB for later usage.
+ Knot automatically uses them at the correct time intervals.
+ The entire procedure must be repeated before the time period selected at the beginning passes,
+ or whenever a configuration is changed significantly. Importing new SKR over some previously-imported
+ one leads to deleting the old offline records.
+
+Offline KSK and manual ZSK management
+-------------------------------------
+
+If the automatically preplanned ZSK roll-overs (first step) are not desired, just set the :ref:`policy_zsk-lifetime`
+to zero, and manually pregenerate ZSK keys and set their timers. Then follow the steps
+``generate-ksr — sign-ksr — import-skr — zone-keys-load`` and repeat the ceremony when necessary.
+
+Offline KSK roll-over
+---------------------
+
+The KSKs (on the KSK side) must be managed manually, but manual KSK roll-over is possible. Just plan the steps
+of the KSK roll-over in advance, and whenever the KSK set or timers are changed, re-perform the relevant rest of the ceremony
+``sign-ksr — import-skr — zone-keys-load``.
+
+Emergency SKR
+-------------
+
+A general recommendation for large deployments is to have some backup pre-published keys, so that if the current ones are
+compromised, they can be rolled-over to the backup ones without any delay. But in the case of Offline KSK, according to
+the procedures above, both ZSK and KSK immediate rollovers require the KSR-SKR ceremony.
+
+However, a trick can be done to achieve really immediate key substitution. This is no longer about Knot DNS functionality,
+just a hint for the operator.
+
+The idea is to perform every KSR-SKR ceremony twice: once with normal state of the keys (the backup key is only published),
+and once with the keys already exchanged (the backup key is temporarily marked as active and the standard key temporarily
+as public only). The second (backup) SKR should be saved for emergency key replacement.
+
+Summary of the steps:
+
+* Prepare KSK and ZSK side as usual, including public-only emergency key
+* Perform normal Offline KSK ceremony:
+
+ * Pre-generate ZSKs (only in the case of automatic ZSK management)
+ * Generate KSR
+ * Sign KSR on the KSK side
+ * Import SKR
+ * Re-sign the zone
+
+* Freeze the zone on the ZSK side
+* Temporarily set the backup key as active and the normal key as publish-only
+* Perform backup Offline KSK ceremony:
+
+ * Generate KSR (only if the backup key is a replacement for ZSK)
+ * Sign the KSR on the KSK side
+ * Save the SKR to a backup storage, don't import it yet
+
+* Return the keys to the previous state
+* Thaw the zone on the ZSK side
+
+Emergency key replacement:
+
+* Import the backup SKR
+* Align the keys with the new states (backup key as active, compromised key as public)
+* Re-sign the zone
+
+.. _DNSSEC multi-signer:
+
+DNSSEC multi-signer
+===================
+
+`Multi-signer` is a general term that refers to any mode of operation in which
+a DNS zone is signed by multiple servers (usually two) in parallel.
+Knot DNS offers various multi-signer modes, which are recommended for redundancy
+within an organization. For multi-signer operations involving multiple
+"DNSSEC providers" and the ability to switch between them, you can also refer to
+`MUSIC <https://github.com/DNSSEC-Provisioning/music>`_.
+
+
+Regardless of the chosen mode from the following options, any secondary that has multiple signers
+configured as primaries must prevent interchanged IXFR from them. This can be achieved
+either by setting :ref:`master pinning <zone_master-pin-tolerance>` on every secondary or
+by setting distinct :ref:`zone_serial-modulo` on each signer. It is recommended to combine
+both approaches. Alternatively, if any of the secondaries is not Knot DNS,
+:ref:`zone_provide-ixfr` can be disabled on the signers.
+
+Sharing private keys, manual policy
+-----------------------------------
+
+When DNSSEC keys are shared among zone signing servers (signers), one challenge
+is automatic key management (roll-overs) and synchronization among the signers.
+In this example mode of operation, it is expected that key management is maintained
+outside of Knot, and the generated keys, including private keys and metadata
+(timers), are available in Bind9 format.
+
+Every new key is then imported into each Knot using the :doc:`keymgr <man_keymgr>`
+``import-bind`` command, after which :doc:`knotc <man_knotc>` ``zone-keys-load``
+is invoked. With :ref:`policy_manual` policy configured, the signers simply
+follow prescribed key timers, maintaining the same key set at each signer.
+For more useful commands like ``list``, ``set``, and ``delete``, refer
+to :doc:`keymgr <man_keymgr>`.
+
+Sharing private keys, automatic policy
+--------------------------------------
+
+Knot handles automatic key management very well, but enabling it on multiple
+instances would lead to redundant key generation. However, it's possible to enable it on one signer
+and keep synchronizing the keys to all others. The managing signer shall be configured with
+:ref:`automatic ZSK/KSK management <dnssec-automatic-zsk-management>`, all others
+with :ref:`policy_manual` policy.
+
+The key set changes on the managing signer can be monitored by periodic queries
+with :doc:`keymgr <man_keymgr>` ``list``, or by listening to
+:ref:`D-Bus <server_dbus-event>` interface and watching for the ``keys_updated`` event.
+
+Whenever the key set is changed, key synchronization can be safely performed with
+:ref:`Data and metadata backup` feature. Dump the KASP
+database on the managing signer with :doc:`knotc <man_knotc>` ``zone-backup +kaspdb``,
+transfer the backup directory to each other signer, and import the keys by
+:doc:`knotc <man_knotc>` ``zone-restore +kaspdb``, followed by ``zone-keys-load``
+on them.
+
+This way, the full key set, including private keys and all metadata, is always
+synchronized between signers. The method of transporting the backup directory
+is beyond the scope of Knot and this documentation. An eventual loss of the managing
+signer results in the automatic key management being halted, but DNSSEC signing continues
+to function. The synchronization delay for keys between the managing signer and other
+signers must be accounted for in :ref:`policy_propagation-delay`.
+
+Distinct keys, DNSKEY record synchronization
+--------------------------------------------
+
+When the DNSSEC keys are not shared among signers, each server can manage its own keys separately.
+However, the DNSKEY (including CDNSKEY and CDS) records (with public keys) must be synchronized
+for full validity of the signed zone. :ref:`Dynamic updates` can be used to achieve this sharing.
+
+The following configuration options should be used:
+
+ - Set :ref:`policy_dnskey-management` to ``incremental`` on each signer to ensure
+ it retains the other's DNSKEY records in the zone during signing.
+ - Set :ref:`policy_delete-delay` to a reasonable time interval, which ensures that
+ all signers get synchronized during this period.
+ - Set :ref:`policy_cds-cdnskey-publish` to either ``none`` or ``always``, otherwise
+ the parent DS record might configure itself to point only to one signer's KSK.
+ - Configure :ref:`policy_dnskey-sync` to all other signers so that this signer's
+ public keys appear in each other's DNSKEY (also applies to CDNSKEY and CDS) RRSets.
+ - Configure :ref:`ACL` so that DDNS from all other signers is allowed.
+ - Set :ref:`zone_ddns-master` to empty value (`""`) so that DDNS from other signers
+ is not forwarded to the primary master if any.
+ - Additionally, the synchronization delay between all signers must be accounted
+ for in :ref:`policy_propagation-delay`.
+
+With careful configuration, all signers automatically synchronize their DNSKEY (and eventually
+CDNSKEY and CDS) RRSets, keeping them synchronized during roll-overs. Nevertheless,
+it is recommended to monitor their logs.
+
+.. NOTE::
+ It is highly recommended to use this mode with only two signers. With three or more signers,
+ it often happens that they continuously overwrite each other's DNSKEYs for a long time before
+ settling down. This can be mitigated by configuring :ref:`policy_dnskey-sync` in a cyclic maner,
+ such that they form a cycle (i.e. signer1 synchronizes only to signer2, signer2 to signer3 and so on).
+ However, this in turn leads to a breakage in DNSKEY synchronization whenever any signer goes offline.
+ A practical compromise is carefully configuring the order of each signer's :ref:`policy_dnskey-sync`
+ values in the way that the "cycling" signer is at the first position and the remaining signers follow.
+
+An illustrative example of the second of three signers::
+
+ remote:
+ - id: signer1
+ address: 10.20.30.1
+ - id: signer3
+ address: 10.20.30.3
+
+ acl:
+ - id: signers
+ remote: [ signer1, signer3 ]
+ action: [ query, update ]
+ # TODO configure TSIGs!
+
+ dnskey-sync:
+ - id: sync
+ remote: [ signer3, signer1 ] # the order matters here!
+
+ policy:
+ - id: multisigner
+ single-type-signing: on
+ ksk-lifetime: 60d
+ ksk-submission: ... # TODO see Automatic KSK management
+ propagation-delay: 14h
+ delete-delay: 2h
+ cds-cdnskey-publish: always
+ dnskey-management: incremental
+ dnskey-sync: sync
+
+ zone:
+ - domain: example.com.
+ # TODO configure zonefile and journal
+ # TODO configure transfers in/out: master, NOTIFY, ACLs...
+ dnssec-signing: on
+ dnssec-policy: multisigner
+ ddns-master: ""
+ serial-modulo: 1/3
+ acl: signers
+
+Distinct keys, DNSKEY at common unsigned primary
+------------------------------------------------
+
+The same approach and configuration can be used, with the difference that the signers
+do not send updated DNSKEYs (along with CDNSKEYs and CDSs) to each other. Instead, they
+send the updates to their common primary, which holds the unsigned version of zone.
+The only configuration change involves redirecting
+:ref:`policy_dnskey-sync` to the common primary and adjusting its ACL to allow DDNS
+from the signers.
+
+It is also necessary to configure :ref:`zone_ixfr-benevolent` on each signer so that
+they accept incremental zone transfers from the primary with additions (or removals)
+of their own's DNSKEYs.
+
+This setup should work nicely with any number of signers, however, due to the size
+of DNSKEY RRSet, at most three are advisable.
+
+.. _DNSSEC keys import to HSM:
+
+DNSSEC keys import to HSM
+=========================
+
+Knot DNS stores DNSSEC keys in textual PEM format (:rfc:`7468`),
+while many HSM management software require the keys for import to be in binary
+DER format (`Rec. ITU-T X.690 <https://www.itu.int/ITU-T/recommendations/rec.aspx?rec=x.690>`_).
+Keys can be converted from one format to another by software tools such as
+``certtool`` from `GnuTLS <https://www.gnutls.org/>`_ suite or
+``openssl`` from `OpenSSL <https://www.openssl.org/>`_ suite.
+
+In the examples below, ``c4eae5dea3ee8c15395680085c515f2ad41941b6`` is used as the key ID,
+``c4eae5dea3ee8c15395680085c515f2ad41941b6.pem`` represents the filename of the key in PEM format
+as copied from the Knot DNS zone's :ref:`KASP database directory <database_kasp-db>`,
+``c4eae5dea3ee8c15395680085c515f2ad41941b6.priv.der`` represents the file containing the private
+key in DER format as generated by the conversion tool, and
+``c4eae5dea3ee8c15395680085c515f2ad41941b6.pub.der`` represents the file containing the public
+key in DER format as generated by the conversion tool.
+
+.. code-block:: console
+
+ $ certtool -V -k --outder --infile c4eae5dea3ee8c15395680085c515f2ad41941b6.pem \
+ --outfile c4eae5dea3ee8c15395680085c515f2ad41941b6.priv.der
+
+ $ certtool -V --pubkey-info --outder --load-privkey c4eae5dea3ee8c15395680085c515f2ad41941b6.pem \
+ --outfile c4eae5dea3ee8c15395680085c515f2ad41941b6.pub.der
+
+As an alternative, ``openssl`` can be used instead. It is necessary to specify either ``rsa`` or ``ec``
+command according to the algorithm used by the key.
+
+.. code-block:: console
+
+ $ openssl rsa -outform DER -in c4eae5dea3ee8c15395680085c515f2ad41941b6.pem \
+ -out c4eae5dea3ee8c15395680085c515f2ad41941b6.priv.der
+
+ $ openssl rsa -outform DER -in c4eae5dea3ee8c15395680085c515f2ad41941b6.pem \
+ -out c4eae5dea3ee8c15395680085c515f2ad41941b6.pub.der -pubout
+
+Actual import of keys (both public and private keys from the same key pair) to an HSM can be done
+via PKCS #11 interface, by ``pkcs11-tool`` from `OpenSC <https://github.com/OpenSC/OpenSC/wiki>`_ toolkit
+for example. In the example below, ``/usr/local/lib/pkcs11.so`` is used as a name of the PKCS #11 library
+or module used for communication with the HSM.
+
+.. code-block:: console
+
+ $ pkcs11-tool --module /usr/local/lib/pkcs11.so --login \
+ --write-object c4eae5dea3ee8c15395680085c515f2ad41941b6.priv.der --type privkey \
+ --usage-sign --id c4eae5dea3ee8c15395680085c515f2ad41941b6
+
+ $ pkcs11-tool --module /usr/local/lib/pkcs11.so -login \
+ --write-object c4eae5dea3ee8c15395680085c515f2ad41941b6.pub.der --type pubkey \
+ --usage-sign --id c4eae5dea3ee8c15395680085c515f2ad41941b6
+
+.. _Controlling a running daemon:
+
+Daemon controls
+===============
+
+Knot DNS was designed to allow server reconfiguration on-the-fly
+without interrupting its operation. Thus it is possible to change
+both configuration and zone files and also add or remove zones without
+restarting the server. This can be done with::
+
+ $ knotc reload
+
+If you want to refresh the secondary zones, you can do this with::
+
+ $ knotc zone-refresh
+
+.. _Data and metadata backup:
+
+Data and metadata backup
+========================
+
+Some of the zone-related data, such as zone contents or DNSSEC signing keys,
+and metadata, like zone timers, might be worth backing up. For the sake of
+consistency, it's usually necessary to shut down the server, or at least freeze all
+the zones, before copying the data like zone files, KASP database, etc, to
+a backup location. To avoid this necessity, Knot DNS provides a feature to
+back up some or all of the zones seamlessly.
+
+Online backup
+-------------
+
+While the server is running and the zones normally loaded (even when they are
+constantly/frequently being updated), the user can manually trigger the
+backup by calling::
+
+ $ knotc zone-backup +backupdir /path/of/backup
+
+To back up just some of the zones (instead of all), the user might provide
+their list::
+
+ $ knotc zone-backup +backupdir /path/to/backup zone1.com. zone2.com. ...
+
+The backup directory should be empty or non-existing and it must be accessible
+and writable for the :ref:`server_user` account under which knotd is running.
+The backup procedure will begin soon and will happen zone-by-zone
+(partially in parallel if more :ref:`server_background-workers` are configured).
+**The user shall check the logs for the outcome of each zone's backup attempt.**
+The knotc's ``-b`` parameter might be used if the user desires to wait until
+the backup work is done and a simple result status is printed out.
+
+.. TIP::
+ There is a plain ASCII text file in the backup directory,
+ ``knot_backup.label``, that contains some useful information about the
+ backup, such as the backup creation date & time, the server identity, etc.
+ Care must always be taken **not to remove this file** from the backup nor to
+ damage it.
+
+If a backup fails, the backup directory containing incomplete backup is retained.
+For repeated backup attempts to the same directory, it must be removed or renamed
+manually first.
+
+.. NOTE::
+ When backing up or restoring a catalog zone, it's necessary to make sure that
+ the contents of the catalog doesn't change during the backup or restore.
+ An easy solution is to use ``knotc zone-freeze`` on the catalog zone for the
+ time of backup and restore.
+
+Offline restore
+---------------
+
+If the Online backup was performed for all zones, it's possible to
+restore the backed up data by simply copying them to their normal locations,
+since they're simply copies. For example, the user can copy (overwrite)
+the backed up KASP database files to their configured location.
+
+This restore of course must be done when the server is stopped. After starting up
+the server, it should run in the same state as at the time of backup.
+
+This method is recommended in the case of complete data loss, for example
+physical server failure.
+
+.. NOTE::
+ The online backup procedure stores all zone files in a single directory
+ using their default file names. If the original directory layout was
+ different, then the required directory structure must be created manually
+ for offline restore and zone files must be placed individually to their
+ respective directories. If the zone file names don't follow the default
+ pattern, they must be renamed manually to match the configuration. These
+ limitations don't apply to the online restore procedure.
+
+Online restore
+--------------
+
+This procedure is symmetrical to Online backup. By calling::
+
+ $ knotc zone-restore +backupdir /path/of/backup
+
+the user triggers a one-by-one zone restore from the backup on a running
+server. Again, a subset of zones might be specified. It must be specified
+if the backup was created for only a subset of zones.
+
+.. NOTE::
+ For restore of backups that have been created by Knot DNS releases prior
+ to 3.1, it's necessary to use the ``-f`` option. Since this option also
+ turns off some verification checks, it shouldn't be used in other cases.
+
+.. NOTE::
+ For QUIC, only the auto-generated key is restored. The ``zone-restore``
+ command doesn't restore a user-defined QUIC key and certificate so as to
+ avoid possible configuration management conflicts and they must be restored
+ from the backup (its subdirectory ``quic``) manually. In all cases,
+ restart of the Knot server after the restore is necessary for the restored
+ QUIC key/certificate to take effect.
+
+Limitations
+-----------
+
+Neither configuration file nor :ref:`Configuration database` is backed up
+by zone backup. The configuration has to be synchronized before zone restore
+is performed!
+
+If the private keys are stored in a HSM (anything using a PKCS#11 interface),
+they are not backed up. This includes internal metadata of the PKCS#11 provider
+software, such as key mappings, authentication information, and the configuration
+of the provider. Details are vendor-specific.
+
+The restore procedure does not care for keys deleted after taking the snapshot.
+Thus, after restore, there might remain some redundant ``.pem`` files
+of obsolete signing keys.
+
+.. TIP::
+ In order to seamlessly deploy a restored backup of KASP DB with respect to
+ a possibly ongoing DNSSEC key rollover, it's recommended to set
+ :ref:`propagation-delay <policy_propagation-delay>` to the sum of:
+
+ - The maximum delay between beginning of the zone signing and publishing
+ re-signed zone on all public secondary servers.
+ - How long it takes for the backup server to start up with the restored data.
+ - The period between taking backup snapshots of the live environment.
+
+.. _Statistics:
+
+Statistics
+==========
+
+The server provides some general statistics and optional query module statistics
+(see :ref:`mod-stats<mod-stats>`).
+
+Server statistics or global module statistics can be shown by::
+
+ $ knotc stats
+ $ knotc stats server # Show all server counters
+ $ knotc stats mod-stats # Show all mod-stats counters
+ $ knotc stats server.zone-count # Show specific server counter
+
+Per zone statistics can be shown by::
+
+ $ knotc zone-stats example.com. # Show all zone counters
+ $ knotc zone-stats example.com. mod-stats # Show all zone mod-stats counters
+ $ knotc zone-stats example.com. mod-stats.query-type # Show specific zone counter
+ $ knotc zone-stats -- # Show all zone counters for all zones
+ $ knotc zone-stats -- mod-stats.request-protocol # Show specific zone counter for all zones
+
+To show all supported counters even with 0 value, use the force option.
+
+A simple periodic statistic dump to a YAML file can also be enabled. See
+:ref:`stats section` for the configuration details.
+
+As the statistics data can be accessed over the server control socket,
+it is possible to create an arbitrary script (Python is supported at the moment)
+which could, for example, publish the data in JSON format via HTTP(S)
+or upload the data to a more efficient time series database. Take a look into
+the python folder of the project for these scripts.
+
+.. _Mode XDP:
+
+Mode XDP
+========
+
+Thanks to recent Linux kernel capabilities, namely eXpress Data Path and AF_XDP
+address family, Knot DNS offers a high-performance DNS over UDP packet processing
+mode. The basic idea is to filter DNS messages close to the network device and
+effectively forward them to the nameserver without touching the network stack
+of the operating system. Other messages (including DNS over TCP) are processed
+as usual.
+
+If :ref:`xdp_listen` is configured, the server creates
+additional XDP workers, listening on specified interface(s) and port(s) for DNS
+over UDP queries. Each XDP worker handles one RX and TX network queue pair.
+
+.. _Mode XDP_pre-requisites:
+
+Pre-requisites
+--------------
+
+* Linux kernel 4.18+ (5.x+ is recommended for optimal performance) compiled with
+ the `CONFIG_XDP_SOCKETS=y` option. The XDP mode isn't supported in other operating systems.
+* A multiqueue network card, which offers enough Combined RX/TX channels, with
+ native XDP support is highly recommended. Successfully tested cards:
+
+ * Intel series 700 (driver `i40e`), maximum number of channels per interface is 64.
+ * Intel series 500 (driver `ixgbe`), maximum number of channels per interface is 64.
+ The number of CPUs available has to be at most 64!
+
+* If the `knotd` service is not directly executed in the privileged mode, some
+ additional Linux capabilities have to be set:
+
+ Execute command::
+
+ systemctl edit knot
+
+ And insert these lines::
+
+ [Service]
+ CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_ADMIN CAP_IPC_LOCK CAP_SYS_RESOURCE
+ AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_ADMIN CAP_IPC_LOCK CAP_SYS_RESOURCE
+
+ The `CAP_SYS_RESOURCE` is needed on Linux < 5.11.
+
+ All the capabilities are dropped upon the service is started.
+
+* For proper processing of VLAN traffic, VLAN offloading should be disabled. E.g.::
+
+ ethtool -K <interface> tx-vlan-offload off rx-vlan-offload off
+
+
+Optimizations
+-------------
+
+Some helpful commands::
+
+ ethtool -N <interface> rx-flow-hash udp4 sdfn
+ ethtool -N <interface> rx-flow-hash udp6 sdfn
+ ethtool -L <interface> combined <?>
+ ethtool -G <interface> rx <?> tx <?>
+ renice -n 19 -p $(pgrep '^ksoftirqd/[0-9]*$')
+
+Limitations
+-----------
+
+* Request and its response must go through the same physical network device.
+* Dynamic DNS over XDP is not supported.
+* MTU higher than 1790 bytes is not supported.
+* Multiple BPF filters per one network device are not supported.
+* Systems with big-endian byte ordering require special recompilation of the nameserver.
+* IPv4 header and UDP checksums are not verified on received DNS messages.
+* DNS over XDP traffic is not visible to common system tools (e.g. firewall, tcpdump etc.).
+* BPF filter is not automatically unloaded from the network device. Manual filter unload::
+
+ ip link set dev <interface> xdp off