Another DNS server, you ask? Yes, serving DNS from servers of different "brands" is important to ensure that a single bug in a particular server brand/version doesn't take down your whole infrastructure. We welcome Knot, which has just been published as version 1.0.0.

Knot calls itself a

high-performance authoritative-only DNS server which supports all key features of the domain name system including zone transfers, dynamic updates and DNSSEC

I haven't found a definitive source as to how the name was concocted, but it certainly looks to me as though it's a rope-related pun on BIND and Unbound :-) Apropos BIND: if you don't like its semicolon and brace-filled configuration file, you probably won't like Knot's either.

Features supported by Knot include:

  • Zone transfers (AXFR/IXFR) (master and slave)
  • EDNS0
  • DNSSEC (signing and serving)
  • Adding/removing zones on-the-fly
  • Reconfiguring server instance on-the-fly
  • IPv6 support
  • Access control

I'm testing a small configuration with three zones. One is loaded from a local file (zone master file format), and two are slaved from a master server, uses TSIG keys to talk to its master. This is my knot.conf:

system {
  storage "/etc/knot";
  user: "root";

interfaces {
  ipv4 { address; }

keys {
  my-key hmac-md5 "xxxx";

remotes {
  local0 { address; }
  mastr { address; }
  m2 { address; key my-key; }

zones { {  
    file ""; 

  inline.aa {
    file "inline.aa";
    semantic-checks off;
    xfr-in mastr;
    notify-in mastr;
  } {
    file "";
    semantic-checks off;
    xfr-in m2;
    notify-in m2;
    xfr-out local0;
log {
  stdout { any info, notice; }
  stderr { any debug, warning, error; }
  syslog {}
  file "/tmp/knotd.log" { any all; }

Before launching the server, zone files have to be compiled into an internal format, similar to how NSD operates. This is accomplished with knotc, the knot control utility, which also starts or stops the server. I can add new zones into the server on the fly by adding a zone stanza to the configuration file, compiling (unnecessary for slave zones), and I then use knotc to reload the server.

Knot appears to be pretty fast; I haven't done any performance testing myself, but Miek Gieben said last night, he'd obtained 31526 qps via localhost, which is pretty good.

Apart from the knotc and knotd manual pages, documentation is scarce, but we have the source code, and a detailed list of configuration options is contained in samples/knot.full.conf. :-)

Knot already works as advertised, and I'll certainly keep an eye on it.

Update: Dynamic DNS Updates and RRL are know in Knot.

Flattr this
DNS and DNSSEC :: 01 Mar 2012 :: e-mail


blog comments powered by Disqus