Knot DNS issues
https://gitlab.nic.cz/knot/knot-dns/-/issues
2018-08-23T09:55:29+02:00

https://gitlab.nic.cz/knot/knot-dns/-/issues/604
cookies module fails to load when built as DSO
2018-08-23T09:55:29+02:00
Robert Edmonds

Hi,
I built the 2.7.0 release with most modules compiled as DSOs. knot failed to start with the following error:
```
2018-08-15T17:25:07 error: module, failed to open '/home/redmonds/.install/stow/knot-2.7.0/lib/knot/cookies.so' (/home/redmonds/.install/stow/knot-2.7.0/lib/knot/cookies.so: undefined symbol: memzero)
2018-08-15T17:25:07 critical: failed to open configuration database '' (not exists)
```
It looks like the cookies DSO needs to be linked against libcontrib.la, i.e.:
```diff
--- a/src/knot/modules/cookies/Makefile.inc
+++ b/src/knot/modules/cookies/Makefile.inc
@@ -8,5 +8,6 @@ endif
if SHARED_MODULE_cookies
knot_modules_cookies_la_LDFLAGS = $(KNOTD_MOD_LDFLAGS)
knot_modules_cookies_la_CPPFLAGS = $(KNOTD_MOD_CPPFLAGS)
+knot_modules_cookies_la_LIBADD = libcontrib.la
pkglib_LTLIBRARIES += knot/modules/cookies.la
endif
```
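Review bot: the added `knot_modules_cookies_la_LIBADD = libcontrib.la` line has no comment saying which symbol requires it. The error above names `memzero`, so a one-line comment next to the LIBADD would keep the dependency from being dropped later as apparently unused. The line sits inside `if SHARED_MODULE_cookies`, so only the DSO build changes; the other `SHARED_MODULE_*` blocks should be checked in the same pass for calls into contrib helpers, since they would fail at dlopen() in the same way.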
I would also suggest that dlopen() failures like this not be fatal to the server, unless the module is actually required by the configuration, otherwise a buggy module in the module directory would cause knot to fail to start up.
Thanks!
next
Daniel Salzman

https://gitlab.nic.cz/knot/knot-dns/-/issues/599
obsolete single-type-signing documentation note
2018-08-09T10:12:47+02:00
Daniel Stirnimann

The documentation for `single-type-signing` contains the following note:
> Note Because key rollover is not supported yet, just one combined signing key is generated if none is available.

See also
* https://gitlab.labs.nic.cz/knot/knot-dns/blob/master/doc/man/knot.conf.5in#L609
* https://gitlab.labs.nic.cz/knot/knot-dns/blob/master/doc/reference.rst#L693
This seems obsolete in 2.7.0 as https://gitlab.labs.nic.cz/knot/knot-dns/raw/v2.7.0/NEWS mentions
> - Online Signing support for automatic key rollover

next
Libor Peltan

https://gitlab.nic.cz/knot/knot-dns/-/issues/598
release tarball doesn't contain upstream packaging files
2018-08-06T14:21:46+02:00
Tomas Krizek

The `distro/` directory is meant to be part of the release tarball to make it easier for packagers across distributions to create a package consistent with the upstream policies.
Please ensure the `distro/` directory is part of the 2.7.1 release.
next
Daniel Salzman

https://gitlab.nic.cz/knot/knot-dns/-/issues/594
zone not getting flushed
2018-08-01T22:36:55+02:00
Ghost User

On a zone with dnssec-signing enabled the zone is not getting flushed as expected.
Here is a simple example tested with knot 2.6.8 on Debian buster:
```
$ tail -n +1 /etc/knot/knot.conf /var/lib/knot/zones/example.org test.sh
==> /etc/knot/knot.conf <==
server:
    listen: 0.0.0.0@53
    listen: ::@53
    user: knot:knot
log:
  - target: syslog
    any: info
policy:
  - id: default
    algorithm: RSASHA256
    ksk-size: 3248
    zsk-size: 2432
    nsec3: on
    nsec3-iterations: 330
template:
  - id: default
    file: zones/%s
    semantic-checks: on
    dnssec-policy: default
    dnssec-signing: on
zone:
  - domain: example.org
    zonefile-load: difference
==> /var/lib/knot/zones/example.org <==
example.org. 3600 SOA ns1.example.org. hostmaster.example.org 1530570453 3600 1200 3628800 60
example.org. 3600 NS ns1.example.org.
ns1 3600 A 127.0.0.1
==> test.sh <==
#! /bin/sh
# do zone update as per
# https://www.knot-dns.cz/docs/2.6/singlehtml/index.html#safe-reading-and-editing-zone-file
knotc zone-freeze example.org.
while ! knotc zone-status example.org. +freeze | grep -q 'freeze: yes'; do sleep 1; done
knotc zone-flush example.org.
editor /var/lib/knot/zones/example.org
knotc zone-reload example.org.
knotc zone-thaw example.org.
```
```
$ systemctl start knot.service
```
```
Jul 13 23:12:59 hostname systemd[1]: Started Knot DNS server.
Jul 13 23:12:59 hostname knotd[16474]: info: Knot DNS 2.6.8 starting
Jul 13 23:12:59 hostname knotd[16474]: info: binding to interface 0.0.0.0@53
Jul 13 23:12:59 hostname knotd[16474]: info: binding to interface ::@53
Jul 13 23:12:59 hostname knotd[16474]: info: changing GID to 105
Jul 13 23:12:59 hostname knotd[16474]: info: changing UID to 103
Jul 13 23:12:59 hostname knotd[16474]: info: loading 1 zones
Jul 13 23:12:59 hostname knotd[16474]: info: [example.org.] zone will be loaded
Jul 13 23:12:59 hostname knotd[16474]: info: starting server
Jul 13 23:12:59 hostname knotd[16474]: info: [example.org.] DNSSEC, key, tag 59494, algorithm RSASHA256, KSK, public, ready, active
Jul 13 23:12:59 hostname knotd[16474]: info: [example.org.] DNSSEC, key, tag 11610, algorithm RSASHA256, public, active
Jul 13 23:12:59 hostname knotd[16474]: info: [example.org.] DNSSEC, signing started
Jul 13 23:12:59 hostname knotd[16474]: info: [example.org.] DNSSEC, successfully signed
Jul 13 23:12:59 hostname knotd[16474]: info: [example.org.] loaded, serial 1530570454
Jul 13 23:12:59 hostname knotd[16474]: info: [example.org.] DNSSEC, next signing at 2018-07-20T23:12:59
Jul 13 23:12:59 hostname knotd[16474]: notice: [example.org.] DNSSEC, KSK submission, waiting for confirmation
Jul 13 23:12:59 hostname knotd[16474]: info: server started in the foreground, PID 16474
Jul 13 23:12:59 hostname knotd[16474]: info: control, binding to '/run/knot/knot.sock'
Jul 13 23:12:59 hostname knotd[16474]: info: [example.org.] zone file updated, serial 1530570453 -> 1530570454
```
In this example I'm manually increasing the serial of the SOA record by one in the spawned editor without changing anything else.
```
$ ./test.sh
OK
OK
OK
OK
```
```
Jul 13 23:14:38 backroad knotd[16474]: info: [example.org.] control, received command 'zone-freeze'
Jul 13 23:14:38 backroad knotd[16474]: info: [example.org.] zone updates frozen
Jul 13 23:14:38 backroad knotd[16474]: info: [example.org.] control, received command 'zone-status'
Jul 13 23:14:38 backroad knotd[16474]: info: [example.org.] control, received command 'zone-flush'
Jul 13 23:14:45 backroad knotd[16474]: info: [example.org.] control, received command 'zone-reload'
Jul 13 23:14:45 backroad knotd[16474]: warning: [example.org.] check, node example.org., unverifiable signature (record type SOA)
Jul 13 23:14:45 backroad knotd[16474]: info: [example.org.] DNSSEC, key, tag 59494, algorithm RSASHA256, KSK, public, ready, active
Jul 13 23:14:45 backroad knotd[16474]: info: [example.org.] DNSSEC, key, tag 11610, algorithm RSASHA256, public, active
Jul 13 23:14:45 backroad knotd[16474]: info: [example.org.] DNSSEC, signing started
Jul 13 23:14:45 backroad knotd[16474]: info: [example.org.] DNSSEC, successfully signed
Jul 13 23:14:45 backroad knotd[16474]: info: [example.org.] loaded, serial 1530570454 -> 1530570455
Jul 13 23:14:45 backroad knotd[16474]: info: [example.org.] DNSSEC, next signing at 2018-07-20T23:12:59
Jul 13 23:14:45 backroad knotd[16474]: info: [example.org.] control, received command 'zone-thaw'
Jul 13 23:14:45 backroad knotd[16474]: info: [example.org.] zone updates unfrozen
```
Let's have a look at the zone file:
```
$ cat /var/lib/knot/zones/example.org
;; Zone dump (Knot DNS 2.6.8)
example.org. 3600 SOA ns1.example.org. hostmaster.example.org.example.org. 1530570455 3600 1200 3628800 60
example.org. 3600 NS ns1.example.org.
example.org. 0 CDNSKEY 257 3 8 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
example.org. 0 CDS 59494 8 2 841198346EED8F8B3CF8AB4D453D72A11DFDCFB2964A61E742882FC9B0F6ACD4
example.org. 3600 DNSKEY 256 3 8 AwEAAbpocB9KiiSO3vg3T5tLRJRK1oo6rHIfwZD1ZfFu+nN0UJH+bzQp1wCrTaVFvIu/ibpgBfT0n0trsghJXS8Yqjb26zIdDF/i7cyHN6TTKcBIcnLTJjb6DwaUGP9SqF60+y5AP/CmA8QAe/7oQVoZpRzFdgE0h7BmA8M6vfg4oGY03trgmKQeicjgyhszvzg9vFC0L4ScMo0wu/HNVo67hGFFrX1CI6o2prIEVE49YWWCakUVtXLxZerHRqeen11Fecrh/5je9T01h/lVYDvUstA39qVP6YxP9J/t1bP4br4AT13poa9I+6CFwl0Q+QtkxSYkrJSFZ23ByHrpvYzb+1F/vC0hDH0dydPUfiZCZXElPmwBqI2rLytW/jzSwko52/jffT1C1EO3uusDb/m+C6U=
example.org. 3600 DNSKEY 257 3 8 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
example.org. 0 NSEC3PARAM 1 0 330 316D384BD40F1292
ns1.example.org. 3600 A 127.0.0.1
;; DNSSEC signatures
example.org. 3600 RRSIG NS 8 2 3600 20180727211259 20180713194259 11610 example.org. le3oaghZ9Av3M5ZkfKxbs5J41hncHpkiWeocbvEZR59CguSAAiN9EHvYerN5CAt+4swvT/mzHP0bG9jD9qsGR7niMxyY+3P13YEecQonH+kn7uwWrvmrbJ42oxoKL/F0ivvLUuFhpbo+0YM4dBEbpxYP2Jfxk1vJ5ofrf9goCDITAUK5jdjnz72dvbXKusGFQEmDOtFGzqPkJ8KgykUtqejO6De7KcBe39LyqbCBFIbjkAgzXrygcNRee8deR9+wHN1jBDDZb52Fp/nZNspCqI/C9ttAAnKeUvMp61PiJ4eBJybs4kCColfBoNMHUrCymke5Hm6Ws48siBKLn2lEXXs8dUcI7RWzlcRVN/x04Muhs0Q8XOa3yPPytDPq+TFUBxjhqBQtzMyTVka9RR5pPQ==
example.org. 3600 RRSIG SOA 8 2 3600 20180727211259 20180713194259 11610 example.org. E4gP40Fjee1HYxmmLO/i6lueDagKDjGux6scHfTpk3XWl89LLtSUZAl5bECiE4vK8hP+MVQM1FMAt0fWIxcHGhs5p9Lqt9b/8Io4qpYp2/bZJrqnKOGPw6uc9EN9VGmLQwvjcJF7NFCfR11f9CTsFZKM30HYn85IjheHddwx3/VAd1uxzGNZexS+2ZOL4lvLH7ZxAzGDpOmjpLWFPkYWDBghMnwzx9lyRNmwkNnsk+/WE2VYfMjdzA3S10FkbixvoT3M7XL4HfSGixVGikrkM1aBE+yGKZLXSNnrFvR854vJlce21CFeNimvhp06n/12+oLWkPZI0dIHVcctWOmSWRN6XQF2RlQmTkQxqM43a5gwOuMMFg8Y6Trk0UcCl348gFXfQns+eO8eG4dOZdFmaw==
example.org. 3600 RRSIG DNSKEY 8 2 3600 20180727211259 20180713194259 59494 example.org. 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
example.org. 0 RRSIG NSEC3PARAM 8 2 0 20180727211259 20180713194259 11610 example.org. VGNSm2jMg+q6N/JtBkvNQS0lsj2HqWT0J+K+2QDpqAvs8KQMNvbQ15cZyEN4hc+FAiwUuWJfyGhWLJNGm6/pFU1zdRlohcFsJ+QG2t3sfbZaGs/Lrd+HwDxRaFoYPf4m8Jr7S/rD3AApM8r40TBFUa1A8GmJ4OfbU60+TS9TRYOZuhZ9qmqo/oyWOJw5eJOIATQhq+eeHLWx04yA7HXILdPozgWa2dcKXLfoKAvWXYRKnXHeYrFK/kmeLA+ulV+icb5ymYX04s9C7U/kojGIN+6GWwmmij7kALfpStIcrpGTkzXMK3EwKstE09YQoA6BiPtu0qU+H6VOQ3P29jbMwD+ciJWztG43prnSHOKx+Mc5l8X5mhbwjhfzAEVuCQtwFKKFoMEqc5wV5whbADaJNQ==
example.org. 0 RRSIG CDS 8 2 0 20180727211259 20180713194259 11610 example.org. XATduwnRJdzFUIliH+LtBdp6vWX7XmZSZDunMxyJrG69sPx1n7e0E/maKA1XUy6ezeItoLTTEnpJW27zybSpc73OtQWqnXRS6tH8FU7nPblKNpbrbhZ7eTEuCkjihjZsLvpuF4tjrJHoyMqD6bXACGk/u0ueEskq+EPfyTcgM9akbqD8jOGj0w2UPgdZfHm305Ae8krU3lT5RjVCX5AZ+HvqWkran2XOZcXy6Q6tDsOlOqYN70jewYcPpf07VaCR6TZ7BmptqsbRQi1DO9U6Czl43HBFjrrmU0vDBmFqPnYMjdXetqcRux+zWHdLBMvHlF507croQxVHF1Gsvkl+MDO/uw8K4LysMi1GvONhdwbzdjH0H96AzuLD7AlWignRd/hBEvf/0fF6Re+jt92AJg==
example.org. 0 RRSIG CDNSKEY 8 2 0 20180727211259 20180713194259 11610 example.org. ANklM+vJ3qAK0N2znGJp1LgLrkL/7YhnnO00I8ouEmwkqIf2u0L72ZV682lvfC5OjIme++4sjnbivG4PStnRncrlbH5dXpB73EnAJBUKumrI55P2PJjYxoQ3lylxtm2N1E+ORnVEl/LiEnoulhdX3BrKPw2M7a2jwxDGtOw9Vi0veVHDSVbfo4THLAPg3l4/4plrLPeYWE2ST3lg5dIzP+ImOb0QcWVEydYT2YXiJCuX8Itnq9pgUplri8K+a8NWgRwc10h0dpX86Mz1BoOK+IeBeidzIXtaQoAXTbWkRTemPwE6Qn/YsvUrb3ZYYcTuC8TTH7cVXeB6HmhKKdtQQDyVdl/9EXF/B+qIOTTxJEVhJiRcQOUdJpC288kZyK/YPAjFqzvCDRJ1Nx98jNBmnQ==
ns1.example.org. 3600 RRSIG A 8 3 3600 20180727211259 20180713194259 11610 example.org. Fp4iRI3gIDa6MUgAbivG/1Xff4usmh3AS8CO5ir12NpoPA/g2NZfYzlQ0m1PyY+nStyKIoweMA0XlAyzwHXExACNI2VTmx21vcEggUAIB0F4Sxy0a2/0IMd5M2rOPjP5+s6sMgad7Z+KGxlgZEpcuMTpnROmyjWplmm1g9femT5n9HBgWAoXQ3zFI80jvAL4rtM2vGwol0G8qLB37G7tumWorUH+0jup+wM49bwMJEjx2gOQTAyEPVJ/TkzV9GB/extf9mIyv8QUwVX39uZY7heTMiWpW2uFB6qI8YL+c0sk+QpgPzjt30UFBqMOge/LrxxOitg2oWh8GBoYB8k0UkAbnQVlOmPMP+nTlj6y3fE48ex1CF0J1zOKTIt3nvmPlOHdxjM1eJXflHCtsq3vpw==
;; DNSSEC NSEC3 chain
g8kguklp9p7lr64s5blii14k1099doo6.example.org. 60 NSEC3 1 0 330 316D384BD40F1292 JBLLAITNO58OJ82IFPE1UKQ7UKDL80I3 A RRSIG
jbllaitno58oj82ifpe1ukq7ukdl80i3.example.org. 60 NSEC3 1 0 330 316D384BD40F1292 G8KGUKLP9P7LR64S5BLII14K1099DOO6 NS SOA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY
;; DNSSEC NSEC3 signatures
g8kguklp9p7lr64s5blii14k1099doo6.example.org. 60 RRSIG NSEC3 8 3 60 20180727211259 20180713194259 11610 example.org. lphHsZ/vNjkfCg8yxGQzNz3WprCZVkAHCC6v6GcABjuRlHtmGC5JGn7tYKcA21X9QrJ8jIXnXm+8HhdJJKPpkDHPl1yOGBJCBaQaQ1qTiS3YTJGN8m5pMo2tntdo9j0o0FliArLMJCzVUPUQXwoTZFBBjcxwpi7pw3G/nipOMXIiWPRITQK6K+4gssmBu+vbVLBsgGzKcn8iZ16oQf5I/NHa1+fstNXJAA8a1zriSoNPgFRwxdHuHE3m3sjClwM1vbw+tpy5LsrRCfN6URilVrYo5Z40+qnPEr0k1H3onn4k9DkeJP5wsvFbayHEv38RWCJmuZEHtqMPLKrc7rsOx7Z9FzNItBK8fi6RDRYeFO+6cyEqdy5gJMtU/3JwPaF7YUiQP057oCN1I+rHGOhIcA==
jbllaitno58oj82ifpe1ukq7ukdl80i3.example.org. 60 RRSIG NSEC3 8 3 60 20180727211259 20180713194259 11610 example.org. S1z6eHh6vToYJ1799tiKGgzEmtPUGEbUqwEUUaqgryEOl9YJlDwWZz9gHxvbLxSqoB8pqE8gbK0i+HLY4OJ/Z+aRSFIRq/i81/hlFjs4SYG3KV0DjlfHGhq5WDElCXqG5KQSyOI+icQPTGzc69VQEIEcDGeo3tTe9XFuNJIRBPHlEtN+hl6ko2Ldi3zqRDSg+NmoAdyg51lbPNbsccwQzciGoD7aI46JVzfo7als65oG9Emp0pWn60KsdDjbIoSBN9m4VQkOLoAn7FyA7txoVnrC6JAniSkB3Am4kEG2JFnOO1bp8JTdW/OTaW+fZ76NGmzylDU/OsOIJAxtYORXASkyL/Ek8kJVkOMM/fQCPj7E/g8WgX7d7U9c2u7OLJIq18KmoGJuZeXrV9+jgcWVqQ==
;; Written 19 records
;; Time 2018-07-13 23:12:59 CEST
```
Let's query the server for its SOA record and the signature:
```
$ kdig +dnssec @localhost example.org -t SOA
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 24517
;; Flags: qr aa rd; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: NOERROR
;; QUESTION SECTION:
;; example.org. IN SOA
;; ANSWER SECTION:
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org.example.org. 1530570455 3600 1200 3628800 60
example.org. 3600 IN RRSIG SOA 8 2 3600 20180727211445 20180713194445 11610 example.org. lAY4frj2Wxly48bbO/Hw1pHb4qvPSCimvmeDqrX7kbwMbublN5qIIOBW/aMQnW4Vw8GYd61t97ps/bkAg9bGtyD0qHOZCZuK5U1aEGHjcLp/7/+j5bXw95FM75l8M951Hf4RjD26Dq8SXOdnJPqWCasDzg4V0nufBQ7WIQWL6akkxENGvmavHkxiaYU7IlsmbbyOcmC/oeuNr1LY0F3pnmn8m3QR0rK07YJMoVpFPC0/DC4oIbuYaqgCmlj2axGxf2IgvrZOre8HRIPPGRShDUUgVXIzOxFEJOc1TkoXCqYZrqya0qhRmY+Su5v/qSg5ffBAyb0NzHYCkECxBEGM1vnyOw3LuLWRdRTK6lY7VhEu0P+STicCJTC0IMeOXXhwAEMZYpYhYxDXx54Rf++Iaw==
;; Received 450 B
;; Time 2018-07-13 23:19:19 CEST
;; From ::1@53(UDP) in 0.0 ms
```
Notice the RRSIG for the SOA is different to the zone file.
Try flushing the zone:
```
$ knotc zone-flush example.org
OK
```
```
Jul 13 23:22:34 hostname knotd[16474]: info: [example.org.] control, received command 'zone-flush'
```
Check the RRSIG in the zone file, notice it's still the old entry:
```
$ grep SOA /var/lib/knot/zones/example.org
example.org. 3600 SOA ns1.example.org. hostmaster.example.org.example.org. 1530570455 3600 1200 3628800 60
example.org. 3600 RRSIG SOA 8 2 3600 20180727211259 20180713194259 11610 example.org. E4gP40Fjee1HYxmmLO/i6lueDagKDjGux6scHfTpk3XWl89LLtSUZAl5bECiE4vK8hP+MVQM1FMAt0fWIxcHGhs5p9Lqt9b/8Io4qpYp2/bZJrqnKOGPw6uc9EN9VGmLQwvjcJF7NFCfR11f9CTsFZKM30HYn85IjheHddwx3/VAd1uxzGNZexS+2ZOL4lvLH7ZxAzGDpOmjpLWFPkYWDBghMnwzx9lyRNmwkNnsk+/WE2VYfMjdzA3S10FkbixvoT3M7XL4HfSGixVGikrkM1aBE+yGKZLXSNnrFvR854vJlce21CFeNimvhp06n/12+oLWkPZI0dIHVcctWOmSWRN6XQF2RlQmTkQxqM43a5gwOuMMFg8Y6Trk0UcCl348gFXfQns+eO8eG4dOZdFmaw==
jbllaitno58oj82ifpe1ukq7ukdl80i3.example.org. 60 NSEC3 1 0 330 316D384BD40F1292 G8KGUKLP9P7LR64S5BLII14K1099DOO6 NS SOA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY
```
---
I found two ways to actually flush the current zone entries:
```
$ mkdir -m777 /tmp/knot
$ knotc zone-flush example.org +outdir /tmp/knot/
OK
$ grep SOA /tmp/knot/example.org
example.org. 3600 SOA ns1.example.org. hostmaster.example.org.example.org. 1530570455 3600 1200 3628800 60
example.org. 3600 RRSIG SOA 8 2 3600 20180727211445 20180713194445 11610 example.org. lAY4frj2Wxly48bbO/Hw1pHb4qvPSCimvmeDqrX7kbwMbublN5qIIOBW/aMQnW4Vw8GYd61t97ps/bkAg9bGtyD0qHOZCZuK5U1aEGHjcLp/7/+j5bXw95FM75l8M951Hf4RjD26Dq8SXOdnJPqWCasDzg4V0nufBQ7WIQWL6akkxENGvmavHkxiaYU7IlsmbbyOcmC/oeuNr1LY0F3pnmn8m3QR0rK07YJMoVpFPC0/DC4oIbuYaqgCmlj2axGxf2IgvrZOre8HRIPPGRShDUUgVXIzOxFEJOc1TkoXCqYZrqya0qhRmY+Su5v/qSg5ffBAyb0NzHYCkECxBEGM1vnyOw3LuLWRdRTK6lY7VhEu0P+STicCJTC0IMeOXXhwAEMZYpYhYxDXx54Rf++Iaw==
jbllaitno58oj82ifpe1ukq7ukdl80i3.example.org. 60 NSEC3 1 0 330 316D384BD40F1292 G8KGUKLP9P7LR64S5BLII14K1099DOO6 NS SOA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY
```
```
Jul 13 23:26:57 hostname knotd[16474]: info: [example.org.] control, received command 'zone-flush'
```
and:
```
$ knotc -f zone-flush example.org
OK
$ grep SOA /var/lib/knot/zones/example.org
example.org. 3600 SOA ns1.example.org. hostmaster.example.org.example.org. 1530570455 3600 1200 3628800 60
example.org. 3600 RRSIG SOA 8 2 3600 20180727211445 20180713194445 11610 example.org. lAY4frj2Wxly48bbO/Hw1pHb4qvPSCimvmeDqrX7kbwMbublN5qIIOBW/aMQnW4Vw8GYd61t97ps/bkAg9bGtyD0qHOZCZuK5U1aEGHjcLp/7/+j5bXw95FM75l8M951Hf4RjD26Dq8SXOdnJPqWCasDzg4V0nufBQ7WIQWL6akkxENGvmavHkxiaYU7IlsmbbyOcmC/oeuNr1LY0F3pnmn8m3QR0rK07YJMoVpFPC0/DC4oIbuYaqgCmlj2axGxf2IgvrZOre8HRIPPGRShDUUgVXIzOxFEJOc1TkoXCqYZrqya0qhRmY+Su5v/qSg5ffBAyb0NzHYCkECxBEGM1vnyOw3LuLWRdRTK6lY7VhEu0P+STicCJTC0IMeOXXhwAEMZYpYhYxDXx54Rf++Iaw==
jbllaitno58oj82ifpe1ukq7ukdl80i3.example.org. 60 NSEC3 1 0 330 316D384BD40F1292 G8KGUKLP9P7LR64S5BLII14K1099DOO6 NS SOA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY
```
```
Jul 13 23:28:39 hostname knotd[16474]: info: [example.org.] control, received command 'zone-flush'
Jul 13 23:28:39 hostname knotd[16474]: info: [example.org.] zone file updated, serial 1530570455 -> 1530570455
```
If I read the documentation correctly knot should automatically flush the zone file (default zonefile-sync is 0). Additionally a zone-flush command without "-f" should work.
next

https://gitlab.nic.cz/knot/knot-dns/-/issues/593
multiple DDNS zone updates fails when using serial-policy unixtime
2018-07-06T20:54:23+02:00
Ghost User

Attempting to perform multiple dynamic DNS zone updates fails with serial-policy unixtime.
Please find below the attached example configuration and log outputs to reproduce this issue.
This has been tested with knot 2.6.7 on Debian buster.
```
$ tail -n +1 /etc/knot/knot.conf /var/lib/knot/zones/example.org test.sh
==> /etc/knot/knot.conf <==
server:
    listen: 0.0.0.0@53
    listen: ::@53
    user: knot:knot
log:
  - target: syslog
    any: info
acl:
  - id: example.org
    action: update
template:
  - id: default
    file: zones/%s
    semantic-checks: on
    serial-policy: unixtime
zone:
  - domain: example.org
    acl: [example.org]
==> /var/lib/knot/zones/example.org <==
example.org. 3600 SOA ns1.example.org. hostmaster.example.org 1530570453 3600 1200 3628800 60
example.org. 3600 NS ns1.example.org.
ns1 3600 A 127.0.0.1
==> test.sh <==
#! /bin/sh
cat << EOF | nsupdate
server localhost
update delete ip1.example.org.
update add ip1.example.org. 60 IN A 192.0.2.1
update delete ip2.example.org.
update add ip2.example.org. 60 IN A 192.0.2.2
update delete ip3.example.org.
update add ip3.example.org. 60 IN A 192.0.2.3
send
quit
EOF
```
```
$ systemctl start knot.service
Jul 05 00:33:52 hostname systemd[1]: Started Knot DNS server.
Jul 05 00:33:52 hostname knotd[22344]: info: Knot DNS 2.6.7 starting
Jul 05 00:33:52 hostname knotd[22344]: info: binding to interface 0.0.0.0@53
Jul 05 00:33:52 hostname knotd[22344]: info: binding to interface ::@53
Jul 05 00:33:52 hostname knotd[22344]: info: changing GID to 105
Jul 05 00:33:52 hostname knotd[22344]: info: changing UID to 103
Jul 05 00:33:52 hostname knotd[22344]: info: loading 1 zones
Jul 05 00:33:52 hostname knotd[22344]: info: [example.org.] zone will be loaded
Jul 05 00:33:52 hostname knotd[22344]: info: starting server
Jul 05 00:33:52 hostname knotd[22344]: info: [example.org.] loaded, serial 1530570453
Jul 05 00:33:52 hostname knotd[22344]: info: server started in the foreground, PID 22344
Jul 05 00:33:52 hostname knotd[22344]: info: control, binding to '/run/knot/knot.sock'
```
```
$ ./test.sh
update failed: SERVFAIL
Jul 05 00:34:38 hostname knotd[22344]: info: [example.org.] DDNS, processing 1 updates
Jul 05 00:34:38 hostname knotd[22344]: info: [example.org.] DDNS, update finished, serial 1530570453 -> 1530743678, 0.09 seconds
Jul 05 00:34:38 hostname knotd[22344]: info: [example.org.] zone file updated, serial 1530570453 -> 1530743678
Jul 05 00:34:38 hostname knotd[22344]: info: [example.org.] DDNS, processing 1 updates
Jul 05 00:34:38 hostname knotd[22344]: warning: [example.org.] updated serial is lower than current, serial 1530743678 -> 1530743678
Jul 05 00:34:38 hostname knotd[22344]: info: [example.org.] DDNS, finished, no changes to the zone were made
Jul 05 00:34:38 hostname knotd[22344]: info: [example.org.] DDNS, processing 1 updates
Jul 05 00:34:38 hostname knotd[22344]: warning: [example.org.] updated serial is lower than current, serial 1530743678 -> 1530743678
Jul 05 00:34:38 hostname knotd[22344]: warning: [example.org.] journal, duplicate changeset serial (1530743678), dropping older changesets
Jul 05 00:34:38 hostname knotd[22344]: notice: [example.org.] journal is full, flushing
Jul 05 00:34:38 hostname knotd[22344]: warning: [example.org.] journal, duplicate changeset serial (1530743678), dropping older changesets
Jul 05 00:34:38 hostname knotd[22344]: error: [example.org.] DDNS, processing failed (requested resource is busy)
```
I suspect the problem is that the updates happen much faster than one second and thus generate the same unix time stamp. Removing the "serial-policy: unixtime" line from the configuration makes the error go away:
```
Jul 05 00:58:19 hostname knotd[22379]: info: [example.org.] DDNS, processing 1 updates
Jul 05 00:58:19 hostname knotd[22379]: info: [example.org.] DDNS, update finished, serial 1530743678 -> 1530743679, 0.06 seconds
Jul 05 00:58:19 hostname knotd[22379]: info: [example.org.] zone file updated, serial 1530743678 -> 1530743679
Jul 05 00:58:19 hostname knotd[22379]: info: [example.org.] DDNS, processing 1 updates
Jul 05 00:58:20 hostname knotd[22379]: info: [example.org.] DDNS, update finished, serial 1530743679 -> 1530743680, 0.02 seconds
Jul 05 00:58:20 hostname knotd[22379]: info: [example.org.] zone file updated, serial 1530743679 -> 1530743680
Jul 05 00:58:20 hostname knotd[22379]: info: [example.org.] DDNS, processing 1 updates
Jul 05 00:58:20 hostname knotd[22379]: info: [example.org.] DDNS, update finished, serial 1530743680 -> 1530743681, 0.02 seconds
Jul 05 00:58:20 hostname knotd[22379]: info: [example.org.] zone file updated, serial 1530743680 -> 1530743681
```
next

https://gitlab.nic.cz/knot/knot-dns/-/issues/588
CSK deactivated too early when rolling to KSK+ZSK policy
2018-06-28T15:29:46+02:00
Ondřej Caletka

With Knot 2.6.7, let there be a zone with a CSK, having a secure delegation:
```
# dig zone.66.acad.cz dnskey +dnssec +multi
; <<>> DiG 9.10.3-P4-Debian <<>> zone.66.acad.cz dnskey +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16303
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;zone.66.acad.cz. IN DNSKEY
;; ANSWER SECTION:
zone.66.acad.cz. 60 IN DNSKEY 257 3 13 (
PMKxlJcyu+72MFU/7Bb+a9VI5fkSyJ/RITuzgYnCGC9e
3My96ThEsFtJQunWpSvpOI7X2GZ/xhts8N+6/xDjaQ==
) ; KSK; alg = ECDSAP256SHA256; key id = 50801
zone.66.acad.cz. 60 IN RRSIG DNSKEY 13 4 60 (
20180624161108 20180624124108 50801 zone.66.acad.cz.
0Aa/hizP73s/q6qiU/yKzAwM/LX+UjU+6bEm+gai7Pk6
Kth6l8A0graQYIMw4HD0czviFt1D9qRouG/iqmVpsA== )
# keymgr zone.66.acad.cz list
08cd5137185f4333e42b1c046cf29e684b771c86 ksk=yes zsk=yes tag=50801 algorithm=13 public-only=no created=1529849198 pre-active=0 publish=1529849198 ready=1529849208 active=1529849448 retire-active=0 retire=0 post-active=0 remove=0
# cat knot.conf
… irrelevant parts omitted …
policy:
  - id: ecdsa_fast
    ksk-shared: on
    zsk-lifetime: 1h
    ksk-lifetime: 5h
    propagation-delay: 10s
    rrsig-lifetime: 2h
    rrsig-refresh: 1h
    ksk-submission: local_resolver
    single-type-signing: off
  - id: ecdsa_fast_single
    ksk-shared: on
    zsk-lifetime: 1h
    ksk-lifetime: 5h
    propagation-delay: 10s
    rrsig-lifetime: 2h
    rrsig-refresh: 1h
    single-type-signing: on
    ksk-submission: local_resolver
zone:
  - domain: "zone.66.acad.cz"
    template: mastersign
    dnssec-policy: ecdsa_fast_single
    file: "/etc/knot/%s.zone"
    zonefile-sync: -1
    zonefile-load: difference
    dnssec-signing: on
    dnssec-policy: manual
    acl: acl_slave
```
Let's suppose we want to migrate to ZSK + KSK signing. So we switch to a different policy, which only differs in `single-type-signing:` option. In system log, the change goes like this:
```
Jun 24 16:15:01 n66.clones.cesnet.cz knotd[4246]: info: configuration reloaded
Jun 24 16:15:01 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, signing zone
Jun 24 16:15:01 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, signing scheme rollover started
Jun 24 16:15:01 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, key, tag 50801, algorithm ECDSAP256SHA256, CSK, public, active
Jun 24 16:15:01 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, key, tag 30240, algorithm ECDSAP256SHA256, KSK, public
Jun 24 16:15:01 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, key, tag 4, algorithm ECDSAP256SHA256, public
Jun 24 16:15:01 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, signing started
Jun 24 16:15:01 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, successfully signed
Jun 24 16:15:01 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, next signing at 2018-06-24T16:15:11
Jun 24 16:15:11 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, signing zone
Jun 24 16:15:11 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, key, tag 50801, algorithm ECDSAP256SHA256, CSK, public, active
Jun 24 16:15:11 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, key, tag 30240, algorithm ECDSAP256SHA256, KSK, public, ready, active
Jun 24 16:15:11 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, key, tag 4, algorithm ECDSAP256SHA256, public, active
Jun 24 16:15:11 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, signing started
Jun 24 16:15:11 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, successfully signed
Jun 24 16:15:11 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, next signing at 2018-06-24T16:15:21
Jun 24 16:15:11 n66.clones.cesnet.cz knotd[4246]: notice: [zone.66.acad.cz.] DNSSEC, KSK submission, waiting for confirmation
Jun 24 16:15:11 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] parent DS check, outgoing, 2001:718::53@53: KSK submission attempt: negative
```
Please note that the new KSK has been submitted, but the DS record has not been updated yet…
```
Jun 24 16:15:21 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, signing zone
Jun 24 16:15:21 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, key, tag 50801, algorithm ECDSAP256SHA256, CSK, public
Jun 24 16:15:21 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, key, tag 30240, algorithm ECDSAP256SHA256, KSK, public, ready, active
Jun 24 16:15:21 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, key, tag 4, algorithm ECDSAP256SHA256, public, active
Jun 24 16:15:21 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, signing started
Jun 24 16:15:21 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, successfully signed
Jun 24 16:15:21 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, next signing at 2018-06-24T16:15:31
```
At this moment, the zone becomes bogus because the DNSKEY RR is no longer signed by CSK with id=50801.
```
Jun 24 16:15:31 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, signing zone
Jun 24 16:15:31 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, key, tag 30240, algorithm ECDSAP256SHA256, KSK, public, ready, active
Jun 24 16:15:31 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, key, tag 4, algorithm ECDSAP256SHA256, public, active
Jun 24 16:15:31 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, signing started
Jun 24 16:15:31 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, successfully signed
Jun 24 16:15:31 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, next signing at 2018-06-24T17:15:11
```
Now, the CSK key is even cleared from the zone, even though it is still referenced by parent DS record. Even though the rollover is finished, the parent DS check keeps running:
```
Jun 24 16:17:11 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] parent DS check, outgoing, 2001:718::53@53: KSK submission attempt: negative
Jun 24 16:18:11 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] parent DS check, outgoing, 2001:718::53@53: KSK submission attempt: negative
Jun 24 16:19:11 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] parent DS check, outgoing, 2001:718::53@53: KSK submission attempt: negative
```
When rolling in the opposite direction – from ZSK+KSK to CSK – no issue is observed.
next

https://gitlab.nic.cz/knot/knot-dns/-/issues/229
Support for NSEC3 opt-out
2018-06-13T15:42:05+02:00
Jan Včelák

Currently, NSEC3 opt-out is not supported by zone signing. There is also no way to set the flag, as the flag in NSEC3PARAM has to be zero. The support can be added with the new DNSSEC library - the flag will be part of the KASP settings.
Note: Bind allows setting of the flag via DDNS. NSEC3PARAM with opt-out enabled is written as a private RR type, which is used to control the signing. Final NSEC3PARAM in the zone has the flag cleared.
next
Libor Peltan

https://gitlab.nic.cz/knot/knot-dns/-/issues/567
knot should not crash if MODULE_DIR does not exist
2018-02-26T16:47:16+01:00
Daniel Kahn Gillmor

knot is currently fine if there are no modules available in `MODULE_DIR`. This should be basically the same situation as if `MODULE_DIR` does not exist.
However, if `MODULE_DIR` does not exist, knot currently crashes with:
```
error: module, invalid directory '/path/to/MODULE_DIR'
```
If `MODULE_DIR` does not exist, knot should behave the same as if the directory exists but was empty.
next
Daniel Salzman

https://gitlab.nic.cz/knot/knot-dns/-/issues/560
inconsistency in zone names in structured logs
2017-12-06T13:52:06+01:00
Jan Včelák

Knot emits inconsistent zone names in journald's structured logs. For control commands, the trailing dot is removed:
```
[fcelda@kitt ~]$ journalctl -u knot -b ZONE=fcelda.cz -n1
-- Logs begin at Sat 2017-04-08 13:54:21 CEST, end at Fri 2017-12-01 10:57:38 CET. --
Nov 24 11:44:38 kitt.fcelda.cz knotd[15653]: info: [fcelda.cz.] control, received command 'zone-status'
[fcelda@kitt ~]$ journalctl -u knot -b ZONE=fcelda.cz. -n1
-- Logs begin at Sat 2017-04-08 13:54:21 CEST, end at Fri 2017-12-01 10:57:38 CET. --
Nov 30 20:08:19 kitt.fcelda.cz knotd[15653]: info: [fcelda.cz.] AXFR, outgoing, 172.10.10.1@49799: finished, 0.00 seconds, 1 messages, 11485 bytes
```
next
Daniel Salzman

https://gitlab.nic.cz/knot/knot-dns/-/issues/545
opendnssec migration
2017-10-23T13:26:58+02:00
Filip Siroky

https://gitlab.labs.nic.cz/knot/knot-dns/issues/176
possible to reuse?: https://pagure.io/freeipa/blob/master/f/ipaserver/dnssec/odsmgr.py#_80
next
Filip Siroky