Activity
  • 15:25
    Libor Peltan opened merge request #1184 Fix crash nsec3 addstree in Knot DNS
  • 15:24
    GitLab | Libor Peltan pushed 4 commits to Knot DNS
  • 13:03
    Laszlo Dobo commented on issue #694 knotc error: failed to connect to socket '/run/knot/knot.sock' (OS lacked necessary resources) in Knot DNS
  • 12:29
    GitLab | Libor Peltan pushed 1 commits to Knot DNS
  • 11:02
    Daniel Salzman commented on issue #694 knotc error: failed to connect to socket '/run/knot/knot.sock' (OS lacked necessary resources) in Knot DNS
  • 10:54
    Daniel Salzman commented on issue #692 knot with xdp in Knot DNS
  • 09:29
    Laszlo Dobo opened issue #694 knotc error: failed to connect to socket '/run/knot/knot.sock' (OS lacked necessary resources) in Knot DNS
  • 08:21
    GitLab | David Vasek pushed 1 commits to Knot DNS
  • Sep 29 21:35
    GitLab | David Vasek pushed 1 commits to Knot DNS
  • Sep 29 20:21
    Simon South opened issue #693 test_net_shortwrite: Ensure connection can succeed in Knot DNS
  • Sep 29 18:33
    GitLab | Daniel Salzman pushed 1 commits to Knot DNS
  • Sep 29 17:36
    GitLab | Libor Peltan pushed 210 commits to Knot DNS
  • Sep 28 18:30
    GitLab | Daniel Salzman pushed 1 commits to Knot DNS
  • Sep 28 14:51
    Daniel Salzman commented on issue #692 knot with xdp in Knot DNS
  • Sep 28 11:29
    mscbg opened issue #692 knot with xdp in Knot DNS
  • Sep 26 14:09
    GitLab | David Vasek pushed 218 commits to Knot DNS
  • Sep 26 07:33
    GitLab | Daniel Salzman pushed 1 commits to Knot DNS
  • Sep 25 12:04
    GitLab | Jan Hák pushed 1 commits to Knot DNS
  • Sep 25 11:28
    GitLab | Jan Hák pushed 1 commits to Knot DNS
  • Sep 25 11:02
    GitLab | Jan Hák pushed 1 commits to Knot DNS
muellert
@muellert
No. Something else is wrong. Suddenly, the server refuses all queries, despite having loaded the zones and the socket being open.
Oh.. my mistake: "No zones loaded"
Daniel Salzman
@salzmdan
Btw, could you share an anonymized snippet of the broken config file? I would investigate that.
muellert
@muellert
ok... it does need the zone: section
Daniel Salzman
@salzmdan
if you want to configure zones :-)
muellert
@muellert
It is really the thing I mentioned in the beginning.
I (mis-) understood you to mean that if I don't have a config database, it would load all zone files matching the template specs automatically.
Do you have a GPG key, besides the one for code signing?
Daniel Salzman
@salzmdan
Ah, no, the server loads explicitly configured zones only.
Yes, see https://www.knot-dns.cz/development/
muellert
@muellert
I'll then send you something via email.
Daniel Salzman
@salzmdan
Ok. It's too late here. Will continue tomorrow.
muellert
@muellert
No problem. This is "only" my standby nameserver. Thanks a bunch for your help so far!
Daniel Lublin
@quite
Hi! (this has probably been asked before) It seems like it would be useful to be able to reference a remote from an acl, to avoid duplicating addresses. Are you against that somehow? Should we generate our knot.conf's from templates anyway...?
Daniel Lublin
@quite
And another question, regarding knot's template. Do non-default templates inherit from the special default template?
Daniel Lublin
@quite
Regarding the default template, other templates do not seem to inherit it.
Daniel Salzman
@salzmdan
You are correct. Templates are exclusive. But you can override template settings in the zone section.
Daniel Salzman
@salzmdan
As for the remote from acl, I understand the idea but there are some slight differences between the items. Anyway, I will reconsider possible simplification.
Daniel Lublin
@quite
should i add an issue?
Daniel Salzman
@salzmdan
It's not necessary (I have my private TODO list :-) ). But if you wish
Daniel Lublin
@quite
ah just did anyway :) heh there yes
Daniel Salzman
@salzmdan
:-)
Micah
@micah_gitlab
I'm at 2.9.1-1 and when I push out a zone file change, and I do /usr/sbin/knotc zone-reload, I'm told in the logs error: [myzone.] zone event 'load' failed (semantic check) but if I run knotc zone-check on the zone, I don't get any complaints
can I turn up debugging somehow to find out what the semantic check failure is?
I'm able to restart knotd (systemctl restart knotd) and it seems to load it fine. Interestingly, it does a DNSSEC signing before it tries to load it
Daniel Salzman
@salzmdan
This error doesn't necessarily mean that the zone itself has errors. In this case it's rather about a problematic zone change during the reload. It depends also on the configuration and journal contents. Do you know how the zone file was modified?
However, I agree the log message lacks some information.
Micah
@micah_gitlab
@salzmdan what I can tell is that it doesn't transfer the new zone to the secondaries, and isn't loaded on the primary
@salzmdan I do know how the zone was modified, I did it myself. I've had issues with the journal in the past, and have had to remove it in order for things to work ok again.
Daniel Salzman
@salzmdan
Hm. I don't remember whether 2.9.2 fixes something that you already reported. Do you have more logs or other details? :-(
Micah
@micah_gitlab
@salzmdan I don't have any more logs than that... but I can replicate this by making a change/bumping the serial, so if there is something I can do to get more info I can easily repeat the problem
I also can install 2.9.2 and see if that fixes anything
Micah
@micah_gitlab
@salzmdan ok, I upgraded to 2.9.2, and when it starts it now says, "zone event 'load' failed (not enough memory)"
there is 2gig of memory on this machine and only 600meg used
the zone is... 832 lines, including comments
Daniel Salzman
@salzmdan
@micah_gitlab you are a very good tester. What the heck are you doing?! :-D
Could you start with an empty journal? Maybe there is still something bad in it. Also you could switch back from journal-content: all to journal-content: changes. It was a workaround for your case IIRC.
Micah
@micah_gitlab
@salzmdan I don't know what I'm doing !! :)
Starting with an empty journal would be: stop knotd, remove the journal, start knotd (after changing journal-content:)
Daniel Salzman
@salzmdan
Yes
Micah
@micah_gitlab
ok, did those two things. The last entry in the log now is DNSSEC, signing started, surprised it hasn't said DNSSEC, successfully signed yet as that was 5 minutes ago, but maybe I'm expecting the wrong thing
Daniel Salzman
@salzmdan
Could you share all the logs since the server start? Use the private chat.
libor-peltan-cznic
@libor-peltan-cznic
Regarding the "semantic check" error: wasn't the error message preceded by a warning like "zone file changed without SOA serial update" or such?
Daniel Salzman
@salzmdan
Strangely, there were no other warnings. But zonefile-load: difference-no-serial solved that.
Kristian Klausen
@klausenbusk
Does it make sense to "sandbox" knot? (https://www.ctrl.blog/entry/systemd-opensmtpd-hardening.html)
Kristian Klausen
@klausenbusk
It seems to work (I will open a PR tomorrow):
diff --git a/distro/common/knot.service b/distro/common/knot.service
index 750fadb55..5270f6b5a 100644
--- a/distro/common/knot.service
+++ b/distro/common/knot.service
@@ -10,6 +10,32 @@ User=knot
 Group=knot
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETPCAP
 AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_SETPCAP
+TemporaryFileSystem=/run:ro /var:ro
+BindPaths=/run/systemd
+BindPaths=/run/knot
+BindPaths=/var/lib/knot
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+RemoveIPC=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources
 ExecStartPre=/usr/sbin/knotc conf-check
 ExecStart=/usr/sbin/knotd
 ExecReload=/usr/sbin/knotc reload
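Review bot: PrivateUsers=yes conflicts with the CAP_NET_BIND_SERVICE grant kept in the CapabilityBoundingSet and AmbientCapabilities context lines above it: capabilities held inside a private user namespace apply only to that namespace, not to the host's network stack, so knotd could no longer bind port 53; change the line to `PrivateUsers=no` or drop it. A second point on `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6`: it refuses AF_XDP sockets, so a deployment using Knot's XDP mode would break under this unit; either document that limitation next to the option or add AF_XDP where XDP is enabled.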
Kristian Klausen
@klausenbusk
Edit: PrivateUsers=yes should be PrivateUsers=no
Vladimír Čunát
@vcunat
I've seen a subset of these restrictions used by some people with knotd, without any complaint on those for about a year now.
From a quick look I'm not sure if it's good to force /var/lib/knot non-persistent (tmpfs).
Daniel Salzman
@salzmdan
@klausenbusk I don't think that all the options are necessary. It would also require testing on all supported distributions. I like simplicity and don't like overusing systemd features :-)
Vladimír Čunát
@vcunat
BTW, it's nice that individual users can add such restrictions through overrides, i.e. without editing the unit files installed from package.
Daniel Salzman
@salzmdan
:+1:
Kristian Klausen
@klausenbusk
@salzmdan None of them are "necessary", but principle of least privilege :)