Configuring KNOT 1. Log into your AUTH1 machine (10.192.X.1) and : # cd /etc/knot/ Create directory for a local copy of the zone file # mkdir master Increment the SOA serial in /etc/bind/master/MYTLD so that we can see chages on the slave. # cp /etc/bind/master/MYTLD master/ # chown -R knot master Now edit the file knot.conf, and make the following changes: Add your MYTLD zone and configure automated signing. Insert the following lines, replacing the appropriate values for your setup: - - - - - - - - - - - - - - - cut below - - - - - - - - - - - - - server: listen: 0.0.0.0@53 listen: ::@53 user: knot:knot log: - target: syslog any: info remote: - id: slave address: 10.192.Y.1@53 - id: master address: 10.192.Y.1@53 - id: parents address: 10.192.0.232@53 acl: - id: acl_slave address: 10.192.Y.1 action: transfer - id: acl_master address: 10.192.Y.1 action: notify template: - id: default storage: "/var/lib/knot" submission: - id: testparent parent: parents policy: - id: testlab zsk-lifetime: 120s propagation-delay: 20s rrsig-lifetime: 60s rrsig-refresh: 30s nsec3: on ksk-submission: testparent zone: - domain: mytld file: "/etc/knot/master/mytld" notify: slave acl: acl_slave dnssec-signing: on dnssec-policy: testlab - domain: othertld master: master acl: acl_master - - - - - - - - - - - - - - - cut above - - - - - - - - - - - - - 10.192.Y.1 is the master server for OTHERTLD and typically your slave. It is assumed you have completed the BIND exercize and hence the zonefile is in /etc/bind/master/MYTLD Note: Knot likes lower case names in the conf file so make sure to replace MYTLD with your tld in lower case. Save the file, exit For more info, "man knot.conf" 2. Start KNOT ! If BIND is running, disable starting it # update-rc.d bind9 disable and stop it. # service bind9 stop If NSD is running, disable starting it # update-rc.d nsd disable and stop it. # service nsd stop Make sure KNOT is enabled: # update-rc.d knot enable Next start KNOT. # service knot start and check that knot is running with # tail -F /var/log/syslog (it is often instructive to have a second ssh terminal open with this running) # ps ax | grep knot Errors can be checked with: # knotc conf-check # knotc zone-check Correct and errors and restart knot. (hint: "knotd" will run in forground) # service knot restart 3. Test that your new server is answering: # dig @127.0.0.1 MYTLD SOA 4. Controlling KNOT To cause the KNOT daemon to reload the zone and config: # knotc reload To stop the KNOT program: # knotc stop To check if it is running: # ps ax | grep knot OR # knotc zone-status 5. Verify that your slave has picked up a new copy of the zone: # dig @10.192.Y.1 SOA MYTLD You should also be able to observe knot's support for the CDS mechanism used to automate updating the parent DS records once an initial chain of trust has been established. # dig +multi +dnssec -t CDS MYTLD @10.192.X.1 On the class resolver... # dig @10.192.0.230 SOA MYTLD Do the SOA serial numbers match? What happens here? Since knot created its own KSK, validation will SERVFAIL. Go to https://rzm.dnssek.org/ Login with MYTLD/password. RZM should have tried to lookup your new DNSKEY RRSet and derive a DS record from it. Compare these "eyed" DS records to the DS record corresonding to the KSK automatically generated by knot. You could compute the DS record directly from the knot keys in /var/lib/knot/keys/keys or from the DNSKEY in the /etc/knot/MYTLD file - which is now being managed by knot. Like this: # dnssec-dsfromkey -f /etc/knot/master/MYTLD MYTLD Or doing a dig for the same DNSKEY on your own zone (e.g. dig dnskey MYTLD @127.0.0.1) and passing this through dnssec-dsfromkey. However, since knot automatically generates a CDS record which is identical to the DS record, we can simply use that result above to compare what RZM has divined. Click on the matching SHA256 digest to get a check mark, click on the old DS record to get and X mark, and click update to update the DS entry in the root. After a minute or two do: # dig @10.192.0.230 SOA MYTLD to see if it validates (AD bit). Contemplate how nice it would be if we could automate this CDS/DS update process with the parent zone. 6. Watch the key rolling You can see what knot is doing by simply looking at syslog: # tail -F /var/log/syslog You should notice that fresh KSK and ZSK were automatically created and the ZSK is being rolled. You can use "dig" to track this as well: # dig +multi +dnssec -t dnskey MYTLD @10.192.X.1 by looking at the key tag numbers. 7. [OPTIONAL] Test Knot's response rate limiting capabilities by modifying knot.conf with the following: - - - - - - - - - - - - - - - cut below - - - - - - - - - - - - - mod-rrl: - id: defaultr rate-limit: 2 slip: 0 template: - id: default storage: "/var/lib/knot" global-module: mod-rrl/defaultr - - - - - - - - - - - - - - - cut above - - - - - - - - - - - - - then executing: # knotc reload From another terminal window you can then test rate limiting by executing multiple queries using something like: # cnt=1; while [ $cnt -lt 100 ]; do echo -n "$cnt "; \ dig +short @10.192.X.1 www.MYTLD.; cnt=$(( $cnt + 1 )); done What do you see? "tail -f /var/log/syslog" in another terminal window may be helpful. 7. Return to using BIND for the rest of the class labs. # service knot stop # update-rc.d knot disable # update-rc.d bind9 enable # service bind9 start