.TH "kresd" "8" "@DATE@" "CZ.NIC" "Knot DNS Resolver @VERSION@"
.\"
.\" kresd.8 -- kresd daemon manpage
.\"
.\" Copyright (c) 2016, CZ.NIC. All rights reserved.
.\"
.\" See COPYING for the license.
.\"
.\"
.SH "NAME"
.B kresd
\- Knot DNS @VERSION@ full caching resolver.
.SH "SYNOPSIS"
.B kresd
.RB [ \-a | \-\-addr
.IR addr[#port] ]
.RB [ \-S | \-\-fd
.IR fd ]
.RB [ \-c | \-\-config
.IR config ]
.RB [ \-k | \-\-keyfile
.IR keyfile ]
.RB [ \-f | \-\-forks
.IR N ]
.RB [ \-q | \-\-quiet ]
.RB [ \-v | \-\-verbose ]
.RB [ \-V | \-\-version ]
.RB [ \-h | \-\-help ]
.IR [rundir]
.SH "DESCRIPTION"
.B "Knot DNS Resolver"
is a DNSSEC-enabled full caching resolver.
.P
Default mode of operation: when it receives a DNS query, it iteratively
asks authoritative nameservers, starting from the root zone (.) and ending
with the nameservers authoritative for the queried name. Automatic DNSSEC means
that the integrity of authoritative responses is verified by following
keys and signatures starting from the root. The root trust anchor is automatically
bootstrapped from IANA, or you can provide a file with root trust anchors
(same format as the Unbound or BIND9 root keys file).

The daemon also caches intermediate answers in a cache, which by default
uses an LMDB memory-mapped database. This has a significant advantage over
in-memory caches, as the process may be stopped and restarted without
loss of cache entries. In a multi-user scenario a shared cache is a potential
privacy/security issue (its contents reveal which names other users have resolved);
with kresd each user can have a resolver cache in their private directory
and use it in a fashion similar to a keychain.

By default, no configuration is needed, only a directory where the daemon can store
runtime data (cache, control sockets, ...).
.P
To use a locally running
.B kresd
for resolving put
.sp
.RS 6n
nameserver 127.0.0.1
.RE
.sp
into
.IR resolv.conf (5)
and start
.B kresd
.PP
.nf
.RS 6n
$ kresd -a 127.0.0.1 -k root.keys
[system] interactive mode
>
.RE
.fi
.PP
.P
The daemon may also be configured as a plain forwarder using query policies; this requires
creating a file
.B config
in the daemon runtime directory. See \fIdaemon/README.md\fR for more information about interacting
with the CLI and configuration file options, or visit
.B https://knot-resolver.readthedocs.io
online documentation.
.PP
.nf
.RS 6n
# Create a basic forwarder configuration (the heredoc must end before kresd is started)
$ cat << EOF > config
modules = { 'policy' }
policy:add(policy.all(policy.FORWARD('192.168.1.1')))
EOF
# Start the daemon; it reads ./config from the runtime directory
$ kresd -a 127.0.0.1 -k root.keys
.RE
.fi
.PP
.P
The available CLI options are:
.TP
.B \-a\fI addr[#port]\fR, \fB\-\-addr=\fI<addr[#port]>
Listen on given address (and port) pair. If no port is given, \fI53\fR is used as a default.
Option may be passed multiple times to listen on more addresses.
.TP
.B \-S\fI fd\fR, \fB\-\-fd=\fI<fd>
Listen on given file descriptor(s), passed by supervisor.
Option may be passed multiple times to listen on more file descriptors.
.TP
.B \-k\fI keyfile\fR, \fB\-\-keyfile=\fI<keyfile>
Use the given file for keeping root trust anchors. If the file doesn't exist, it will be
automatically bootstrapped from IANA and a warning will be issued asking you to check it
before trusting it: compare the anchors it contains with the root trust anchors published by IANA
before relying on them. The file contains DNSKEY/DS records in presentation format
and is compatible with Unbound or BIND9 root key files.
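.P
The following Python script is an added worked example of the check this warning asks for; it is not code shipped with kresd. It parses the DNSKEY and DS records of a root.keys file, recomputes each key's key tag (RFC 4034, Appendix B) and SHA-256 DS digest (RFC 4509), flags DS records that do not match the DNSKEY they claim to cover, and tells you whether digests you copied from IANA's published root anchors are present in the file. It handles any owner name, not only the root. The key set embedded in it is constructed for illustration and is not the real root key; the trusted digests are assumed to be supplied by the operator out of band.

```python
"""Self-consistency check for a kresd root trust-anchor file (root.keys).

Added example, not part of kresd: recompute key tags and SHA-256 DS digests
from the DNSKEY records in the file, compare them with the DS records, and
check operator-supplied (out-of-band) trusted digests against the file.
"""
import base64
import hashlib


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags|proto|alg|key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Wire-format owner name; the root '.' is a single zero byte."""
    if name == ".":
        return b"\x00"
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, proto: int, alg: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(pubkey_b64)


def ds_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner name (wire form) || DNSKEY RDATA."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()


def parse_keyfile(text: str):
    """Split presentation-format lines into DNSKEY and DS tuples.

    Tolerates ';' comments, optional TTL/class fields, and base64 or hex
    data split across several whitespace-separated tokens.
    """
    dnskeys, ds = [], []
    for raw in text.splitlines():
        tok = raw.split(";", 1)[0].split()
        types = [i for i, t in enumerate(tok) if t in ("DNSKEY", "DS")]
        if not types:
            continue
        owner, rtype, f = tok[0], tok[types[0]], tok[types[0] + 1:]
        if len(f) < 4:
            continue
        if rtype == "DNSKEY":
            dnskeys.append((owner, int(f[0]), int(f[1]), int(f[2]), "".join(f[3:])))
        else:
            ds.append((owner, int(f[0]), int(f[1]), int(f[2]), "".join(f[3:]).upper()))
    return dnskeys, ds


def check_keyfile(text: str, trusted_ds=()):
    """Return the DS digest computed for each DNSKEY (keyed by key tag), DS
    lines that disagree with their DNSKEY, DS lines that cannot be checked
    locally (no DNSKEY for that tag, or a digest type other than SHA-256),
    and trusted digests that are absent from the file. Several DNSKEYs
    sharing one key tag are not handled (rare in practice)."""
    dnskeys, ds_records = parse_keyfile(text)
    computed = {}
    for owner, flags, proto, alg, key in dnskeys:
        rdata = dnskey_rdata(flags, proto, alg, key)
        computed[key_tag(rdata)] = ds_sha256(owner, rdata)
    mismatched, unverifiable = [], []
    for _owner, tag, alg, dtype, digest in ds_records:
        if dtype != 2 or tag not in computed:
            unverifiable.append((tag, alg, dtype, digest))
        elif computed[tag] != digest:
            mismatched.append((tag, alg, dtype, digest))
    present = set(computed.values()) | {d[4] for d in ds_records}
    missing = sorted({t.upper() for t in trusted_ds} - present)
    return {"computed_ds": computed, "mismatched_ds": mismatched,
            "unverifiable_ds": unverifiable, "missing_trusted": missing}


# Constructed sample (NOT the real root key set): a toy DNSKEY whose public
# key is just the bytes 01 00 01, one DS that matches it, one tampered DS
# (digest zeroed) and one DS for a key tag that has no DNSKEY in the file.
TOY_KEY_B64 = "AQAB"
TOY_TAG = key_tag(dnskey_rdata(257, 3, 8, TOY_KEY_B64))   # 1545
TOY_DS = ds_sha256(".", dnskey_rdata(257, 3, 8, TOY_KEY_B64))
ZEROED = "0" * 64
ORPHAN = "A" * 64
SAMPLE_KEYFILE = (
    "; constructed sample root.keys, not IANA data\n"
    f".\t172800\tIN\tDNSKEY\t257 3 8 {TOY_KEY_B64}\n"
    f".\t172800\tIN\tDS\t{TOY_TAG} 8 2 {TOY_DS}\n"
    f".\t172800\tIN\tDS\t{TOY_TAG} 8 2 {ZEROED}\n"
    f".\t172800\tIN\tDS\t9999 8 2 {ORPHAN}\n"
)

if __name__ == "__main__":
    # Real use: pass open("root.keys").read() and, as trusted_ds, the DS
    # digests you copied from IANA's published root anchors (assumed input).
    report = check_keyfile(SAMPLE_KEYFILE, trusted_ds=[TOY_DS])
    for tag, digest in report["computed_ds"].items():
        print(f"DNSKEY tag {tag}: DS 2 {digest}")
    print("mismatched DS:", report["mismatched_ds"])
    print("unverifiable DS:", report["unverifiable_ds"])
    print("trusted digests missing:", report["missing_trusted"])
```

An empty mismatched list and an empty missing list, together with the computed digests agreeing with what IANA publishes, is the condition under which the bootstrapped file can be trusted; DS lines reported as unverifiable can only be checked against the out-of-band copy.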
.TP
.B \-f\fI N\fR, \fB\-\-forks=\fI<N>
With this option, the daemon is started in non-interactive mode and instead creates a
UNIX socket in \fIrundir\fR that the operator can connect to for an interactive session.
A number greater than 1 forks the daemon N times; all forks bind to the same addresses
and the kernel load-balances between them on Linux with \fISO_REUSEPORT\fR support.

When socket-activated and supervised by systemd or the equivalent, kresd defaults to
--forks=1, and must not be set to any other value. If you want multiple concurrent
processes supervised in this way, they should be supervised independently.
.TP
.B \-q\fR, \fB\-\-quiet
Daemon will refrain from printing any informative messages, not even a prompt.
.TP
.B \-v\fR, \fB\-\-verbose
Increase verbosity. If given multiple times, more information is logged.
This is in addition to the verbosity (if any) from the config file.
.TP
.B \-c\fI config\fR, \fB\-\-config=\fI<config>
Set the config file with settings for kresd to read instead of reading the
file at the default location (\fIconfig\fR in \fIrundir\fR). The syntax is
described in \fIdaemon/README.md\fR.
.TP
.B \-h\fR, \fB\-\-help
Show the version and command-line option help.
.TP
.B \-V\fR, \fB\-\-version
Show the version.
.SH "SEE ALSO"
\fIdaemon/README.md\fR,
\fIhttps://knot-resolver.readthedocs.io\fR
.SH "AUTHORS"
.B kresd
developers are mentioned in the AUTHORS file in the distribution.