Knot DNS 1.4 is the first release to include an automatic DNSSEC signing feature. Automatic DNSSEC signing is currently highly experimental; there are many issues we are working on and limitations we will try to eliminate. Be aware that anything in the current implementation can change, including configuration options. We have no intention to maintain backward compatibility.
The example configuration enables automatic signing for all zones using the dnssec-enable option in the zones section, but the signing is explicitly disabled for zone example.dev using the same option directly in the zone configuration. The location of the directory with signing keys is set globally by the option dnssec-keydir.

    zones {
      dnssec-enable on;
      dnssec-keydir "/var/lib/knot/keys";

      example.com {
        file "example.com.zone";
      }

      example.dev {
        file "example.dev.zone";
        dnssec-enable off;
      }
    }
The signing keys can be generated using the ISC dnssec-keygen tool only, and there are some limitations:

- Both the .private and the .key file for each key have to be available in the key directory in order to use the keys (even for verification only).
Example how to generate an NSEC3 capable zone signing key (ZSK) and a key signing key (KSK) for zone example.com:

    $ cd /var/lib/knot/keys
    $ dnssec-keygen -3 example.com
    $ dnssec-keygen -3 -f KSK example.com
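As an added example that is not part of the Knot documentation, the following Python script audits a key directory laid out the way dnssec-keygen produces it: it checks that every key has both its .key and .private file (the limitation stated above) and that each zone has at least one KSK and one ZSK, telling them apart by the DNSKEY flags field (257 for a KSK, 256 for a ZSK). The sample directory contents are constructed, with the key material replaced by a placeholder.

```python
import os, re, tempfile
from collections import defaultdict

# dnssec-keygen writes K<zone>.+<alg>+<keytag>.key and .private for each key.
KEY_FILE_RE = re.compile(r"^K(?P<zone>.+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.(?P<ext>key|private)$")
# DNSKEY RR inside the .key file; the flags word is 256 for a ZSK, 257 for a KSK (SEP bit).
DNSKEY_RE = re.compile(r"^\S+\s+(?:\d+\s+)?IN\s+DNSKEY\s+(\d+)\s+3\s+\d+\s", re.I)

def read_dnskey_flags(path):
    """Return the DNSKEY flags from a .key file, or None if no DNSKEY RR is present."""
    with open(path) as fh:
        for line in fh:                      # dnssec-keygen's ';' comment lines do not match
            m = DNSKEY_RE.match(line)
            if m:
                return int(m.group(1))
    return None

def audit_keydir(keydir):
    """Per zone: count KSKs and ZSKs and list the problems Knot would trip over."""
    files = defaultdict(dict)                # (zone, alg, tag) -> {ext: path}
    for m in filter(None, map(KEY_FILE_RE.match, os.listdir(keydir))):
        files[(m["zone"], m["alg"], m["tag"])][m["ext"]] = os.path.join(keydir, m.string)
    report = defaultdict(lambda: {"ksk": 0, "zsk": 0, "problems": []})
    for (zone, alg, tag), parts in sorted(files.items()):
        entry, label = report[zone], f"K{zone}.+{alg}+{tag}"
        # Knot needs both files for every key, even when it only verifies.
        entry["problems"] += [f"{label}: missing .{e}" for e in ("key", "private") if e not in parts]
        flags = read_dnskey_flags(parts["key"]) if "key" in parts else None
        if flags in (256, 257):
            entry["zsk" if flags == 256 else "ksk"] += 1
        elif "key" in parts:
            entry["problems"].append(f"{label}: unexpected DNSKEY flags {flags}")
    for zone, entry in report.items():
        entry["problems"] += [f"{zone}: no {k}" for k in ("KSK", "ZSK") if not entry[k.lower()]]
        entry["ok"] = not entry["problems"]
    return dict(report)

def build_sample_keydir():
    """Constructed sample: example.com has a KSK/ZSK pair, example.dev only a ZSK .key file."""
    d = tempfile.mkdtemp()
    sample = {"Kexample.com.+008+11111.key": "example.com. IN DNSKEY 257 3 8 PLACEHOLDER\n",
              "Kexample.com.+008+11111.private": "Private-key-format: v1.3\n",
              "Kexample.com.+008+22222.key": "example.com. IN DNSKEY 256 3 8 PLACEHOLDER\n",
              "Kexample.com.+008+22222.private": "Private-key-format: v1.3\n",
              "Kexample.dev.+008+33333.key": "; comment\nexample.dev. IN DNSKEY 256 3 8 PLACEHOLDER\n"}
    for name, body in sample.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)                   # key material replaced by a placeholder string
    return d
```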
Currently the signing policy is not configurable, except for signature lifetime.
The signing process consists of the following steps:

- NSEC or NSEC3 records. Which of the two is used is determined by NSEC3PARAM record presence in the unsigned zone.
- DNSKEY records. This also means adding DNSKEY records for any keys that are present in keydir but missing in the zone file.
- DNSKEY records are signed by both ZSK and KSK keys; other records are signed only by ZSK keys.
The zone signing is performed when the zone is loaded into the server, on zone reload, before any signature expires, and after a DDNS update. The signing can also be forced using the signzone command issued by knotc; in this case all signatures are recreated. After each zone signing, a new signing event is planned. The user can view the time of this event by using the knotc zonestatus command.