Previous: Using Response Rate Limiting, Up: Knot DNS Configuration [Contents][Index]
Knot DNS 1.4 is the first release to include an automatic DNSSEC signing feature. Automatic DNSSEC signing is currently a technical preview and there are some limitations we will try to eliminate. The concept of key management and configuration is likely to change in the future without maintaining backward compatibility.
The example configuration enables automatic signing for all zones using the dnssec-enable option in the zones section, but signing is explicitly disabled for the zone example.dev using the same option directly in its zone configuration. The location of the directory with the signing keys is set globally by the dnssec-keydir option.
zones {
  dnssec-enable on;
  dnssec-keydir "/var/lib/knot/keys";

  example.com {
    file "example.com.zone";
  }

  example.dev {
    file "example.dev.zone";
    dnssec-enable off;
  }
}
The signing keys can be generated using the ISC dnssec-keygen tool only, and there are some limitations:

- Both the .private and .key files for each key must be available in the key directory in order to use the keys (even for verification only).
Example of how to generate an NSEC3-capable zone signing key (ZSK) and key signing key (KSK) for the zone example.com:
$ cd /var/lib/knot/keys
$ dnssec-keygen -3 example.com
$ dnssec-keygen -3 -f KSK example.com
Currently the signing policy is not configurable, except for signature lifetime.
The signing process consists of the following steps:

1. Fix the NSEC or NSEC3 records. Which of the two is used is determined by the presence of an NSEC3PARAM record in the unsigned zone.
2. Update the DNSKEY records. This also means adding DNSKEY records for any keys that are present in the key directory but missing from the zone file.
3. Sign the zone. DNSKEY records are signed by both the ZSK and KSK keys; all other records are signed only by the ZSK keys.
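The two points above that most often bite in practice are the requirement that every key has both its .key and .private file in dnssec-keydir, and the fact that the NSEC/NSEC3 choice is driven by an NSEC3PARAM record in the unsigned zone. The following pre-flight check, added here as an example and not part of Knot DNS or its documentation, inspects a key directory and a zone file before the server loads them; it assumes the ISC dnssec-keygen file naming (K<zone>.+<alg>+<tag>.key / .private) and that the .key file holds a DNSKEY record whose flags field is 257 for a KSK and 256 for a ZSK, and it builds its own constructed sample directory.

```python
import re
import tempfile
from pathlib import Path

# Assumed ISC dnssec-keygen naming: K<zone>.+<alg>+<tag>.key and the matching .private
KEYFILE_RE = re.compile(r"^K(?P<zone>.+)\.\+\d{3}\+\d{5}\.(?P<ext>key|private)$")

def dnskey_role(path):
    """Read the DNSKEY flags from a .key file: SEP bit set (257) is a KSK, 256 is a ZSK."""
    with open(path) as f:
        for line in f:
            fields = line.split()
            if fields and not fields[0].startswith(";") and "DNSKEY" in fields:
                return "KSK" if int(fields[fields.index("DNSKEY") + 1]) & 1 else "ZSK"

def audit_keydir(keydir):
    """Map each key id to its zone, role, and whether the .key and .private files exist."""
    keys = {}
    for p in sorted(Path(keydir).iterdir()):
        m = KEYFILE_RE.match(p.name)
        if not m:
            continue  # zone files and other clutter in the key directory are ignored
        entry = keys.setdefault(p.stem, {"zone": m["zone"], "role": None, "has_key": False, "has_private": False})
        entry["has_" + m["ext"]] = True
        if m["ext"] == "key":
            entry["role"] = dnskey_role(p)
    return keys

def unusable_keys(keys):
    """Keys Knot 1.4 will not load: both files are required, even for verification only."""
    return sorted(k for k, v in keys.items() if not (v["has_key"] and v["has_private"]))

def denial_type(zone_text):
    """Knot signs with NSEC3 only when the unsigned zone already carries an NSEC3PARAM record."""
    return "NSEC3" if re.search(r"\bNSEC3PARAM\b", zone_text) else "NSEC"

def make_sample_keydir():
    """Constructed sample: a complete ZSK, a complete KSK, and a KSK missing its .private file."""
    d = tempfile.mkdtemp()
    files = {
        "Kexample.com.+008+11111.key": "; zone-signing key\nexample.com. IN DNSKEY 256 3 8 AwEAAc...\n",
        "Kexample.com.+008+11111.private": "Private-key-format: v1.3\n",
        "Kexample.com.+008+22222.key": "; key-signing key\nexample.com. IN DNSKEY 257 3 8 AwEAAd...\n",
        "Kexample.com.+008+22222.private": "Private-key-format: v1.3\n",
        "Kexample.com.+008+33333.key": "example.com. IN DNSKEY 257 3 8 AwEAAe...\n",
        "example.com.zone": "example.com. IN SOA ns1 hostmaster 1 2 3 4 5\n",
    }
    for name, body in files.items():
        Path(d, name).write_text(body)
    return d
```

Running audit_keydir against the real /var/lib/knot/keys before a reload turns a silent "key not used" condition into an explicit list of incomplete key pairs.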
The zone signing is performed when the zone is loaded into the server, on zone reload, before any signature expires, and after a DDNS update. Signing can also be forced using the signzone command issued by knotc; in this case all signatures are recreated. After each zone signing a new signing event is scheduled. The time of this event can be viewed using the knotc zonestatus command.