Knot protects Dynamic DNS Updates to master zones with TSIG keys, which I create and
copy into knot.conf:
The TSIG key (named jpkey here) is associated with a remote server (or update client),
and I specify the name of the remote that is allowed to update a zone with the
update-in (i.e. allow IN-coming updates) statement within the zone statement.
Updates received for a master zone are handled by the server and written out
to the source zone file when the zonefile-sync period kicks in. Knot will
forward updates received for a slave zone to the zone's primary master server,
which I specify in an xfr-in directive.
The server logs update requests, as follows:
There are currently a number of limitations regarding DNS updates on
DNSSEC-signed zones (in particular: Knot can't re-sign records), so keep an eye
on the documentation!
Knot can sign records updated dynamically.
Response Rate Limiting
Running dnsperf against my test installation (running in my portable data
center, so please don’t pay too much attention to the actual
numbers), I obtain the following results (output abbreviated):
As of version 1.2.0, response rate limiting is compiled into Knot, but
it is disabled by default. I enable it by configuring the rate-limit option
in the system section, for example like this:
After restarting Knot with RRL enabled as above, I run dnsperf again to obtain
these quite different numbers:
Looking only at Queries per second and Queries completed, we see Knot has indeed
limited the rate of responses, and the server logs the fact that it is engaging RRL mode:
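To tie the pieces of this post together, here is a complete knot.conf in the Knot 1.2-era syntax used above (an added example, not the post's own file): the key jpkey, the remote allowed to update a master zone via update-in, a slave zone with xfr-in, zonefile-sync, and the rate-limit option in the system section. The addresses, zone names, file paths and the key secret are placeholders I made up; rate-limit-slip and the hmac-sha256 key algorithm are assumed to be supported by this version.

```conf
# Assumed Knot 1.2-era knot.conf (added example, not the post's own file).
# Addresses, zone names, paths and the key secret are constructed placeholders.
system {
  identity "ns.example.net";
  # Response rate limiting: disabled by default in 1.2.0 (0 = off).
  # Roughly the number of responses per second allowed per client netblock.
  rate-limit 200;
  # Answer every 2nd rate-limited query with a truncated (TC) reply so that
  # legitimate clients retry over TCP instead of silently losing answers.
  rate-limit-slip 2;
}

keys {
  # TSIG key shared with the update client. Use a freshly generated
  # base64 secret (e.g. from tsig-keygen); never reuse this placeholder.
  jpkey hmac-sha256 "PLACEHOLDER-BASE64-SECRET==";
}

remotes {
  # The only host allowed to send dynamic updates for the master zone;
  # both the source address and the TSIG key must match.
  updater {
    address 192.0.2.10;
    key jpkey;
  }
  # Primary master of the slave zone; updates received for that zone
  # are forwarded here rather than applied locally.
  master0 {
    address 192.0.2.1;
    key jpkey;
  }
}

zones {
  # Write changes accumulated from dynamic updates back to the zone file
  # every 15 minutes; the journal keeps them safe in between.
  zonefile-sync 15m;

  example.com {
    file "/var/lib/knot/example.com.zone";
    # Master zone: accept IN-coming updates only from 'updater'.
    update-in updater;
  }

  example.org {
    file "/var/lib/knot/example.org.zone";
    # Slave zone: transfer from master0 and accept its NOTIFYs.
    xfr-in master0;
    notify-in master0;
  }
}
```

Check the result with knotc checkconf before restarting; with rate-limit set to 0 the RRL counters are never consulted, which is the state dnsperf measured in the first run above.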