A year has passed since I last looked at the Knot DNS server, so it’s time to re-visit it; a lot has happened, and there are two features I want to single out: support for RFC 2136 (dynamic DNS updates) and a bit of RRL (Response Rate Limiting).

Dynamic DNS

Knot protects Dynamic DNS Updates to master zones with TSIG keys I create and copy into knot.conf:

...
keys {
  jpkey hmac-md5 "U/B55N6G9M8=";
}
...
remotes {
  tiggr { address 172.16.153.1@53; key jpkey; }
  anyclient { address 0.0.0.0/0;  key jpkey; }
}
...
zones {
  example.com {
    file "example.com.zone";
    update-in tiggr;
    zonefile-sync 5m;
  }
...
}

The TSIG key (named jpkey here) is associated with a remote server (or update client) and I specify the name of the remote which is allowed to update a zone with the update-in (i.e. allow IN-coming updates) statement within the zone statement.

Updates received to a master zone will be handled by the server and written out to the source zone file when the zonefile-sync period kicks in. Knot will forward updates received for a slave zone to the zone’s primary master server, which I specify in an xfr-in directive.

The server logs update requests, as follows:

09:01:19.704047+01:00 UPDATE of 'example.com.' from '172.16.153.1@52480' key 'jpkey.': Started.
09:01:19.704361+01:00 UPDATE of 'example.com.' from '172.16.153.1@52480' key 'jpkey.':: Finished.

There are currently a number of limitations regarding DNS updates on DNSSEC-signed zones (in particular: Knot can’t re-sign records), so keep an eye on the documentation! Knot can sign records updated dynamically.

Response Rate Limiting

Running dnsperf against my test installation (running in my portable data center, so please don’t pay too much attention to the actual numbers), I obtain the following results (output abbreviated):

  ...
  Run time limit:       30 seconds
  Ran through file:     88305 times
  Queries sent:         88305 queries
  Queries completed:    88305 queries
  Queries lost:         0 queries

  Queries per second:   2943.478807 qps

Latency   Success  Fail |
<    0.100s 88305     0 |############################################################
...

As of version 1.2.0, response rate limiting is compiled into Knot, but it is disabled by default. I enable it by configuring the rate-limit option in the system section, for example like this:

system {
  storage "/etc/knot";
  user: "root";

  rate-limit 100;
  rate-limit-slip 2;
}

After restarting Knot with RRL enabled as above, I run dnsperf again to obtain these quite different numbers:

[Timeout] Query timed out: msg id 2042
[...]
[Timeout] Query timed out: msg id 3236

  Run time limit:       30 seconds
  Ran through file:     3236 times
  Queries sent:         3237 queries
  Queries completed:    3118 queries
  Queries lost:         119 queries

  Queries per second:   91.900425 qps

Latency   Success  Fail |
<    0.100s  3118     0 |############################################################
...

Looking only at Queries per second and Queries completed, we see Knot has indeed limited the rate of responses, and the server logs the fact that it is engaging RRL mode:

08:23:16.774694+01:00 [notice] Address '172.16.153.1' leaves rate-limiting (class 'POSITIVE').
08:23:16.877744+01:00 [notice] Address '172.16.153.1' enters rate-limiting (class 'POSITIVE').

See also: DNSSEC-signing with the Knot authoritative DNS server