Over July and August, we received several reports about always the same cryptic bug happening quite sparsely. We were methodically disproving every hypothesis about this bug and slowly accepting our fate of creating a very specific and complex test setup to reproduce and properly analyze the bug.
From OpenDNSSEC to Knot DNS
This article is written in an effort to aid those who are considering Knot DNS as a replacement for OpenDNSSEC.
More specifically, in this article we’ll be showing how to:
- make Knot use HSMs via the PKCS11 interface
- seamlessly transition from OpenDNSSEC to Knot
- then transition from HSM to automatically managed in-memory keys
If you’ve never interacted with Knot before, please familiarize yourself with the basics. Our documentation provides a great novice-friendly introduction.
EPPIC 3.1.0 is released
The CZ.NIC Association released a new version of EPPIC on July 2, 2025. Compared to the previous version, new commands have been added, the behavior of existing commands has been improved (in a backward-compatible way), and errors in texts have been fixed. Since EPPIC has only been briefly mentioned on this blog so far, let’s introduce it in more detail.
The year of domain auctions in the CZ registry
In mid-May, it was one year since the launch of the CZ domain auctions run by our Association. This is certainly a good occasion to evaluate how this change in the domains’ life cycle is performing and how it has affected the operation of the domain registry in general. We surely have enough data to do so.
Knot DNS in a Complex DNSSEC Topology
Knot DNS has many powerful and useful features, but sometimes it might be difficult to see all the intricate ways in which they interact and complement each other. In this article I’ll attempt to clear up some of that confusion by showcasing a realistic moderately-complex DNS infrastructure built on instances of Knot. Our focus will be largely on DNSSEC.
On the Drawbacks, Weaknesses and Appropriate Uses of NSEC3
Let’s start with a brief reminder of non-existence proofs in DNSSEC. If you have a solid understanding of the topic, feel free to skip this introduction.
The standard DNSSEC solution to proving a record’s non-existence is the NSEC RR. It contains the next node in the lexicographical order and a bitmask of available RTYPEs:
Public release of FRED v2024.1, more news and future plans
The FRED (Free Registry for ENUM and Domains) system has been used for the .cz TLD since 2007 and is also utilized by eleven other domain registry operators worldwide. For us, this leads to an international responsibility for adding functionalities according to operational and legislative requirements, as well as for the security, stability and technological development of the FRED system.
Knot Resolver 6 News: DoS protection – technical solution
In the previous article of this series, we have outlined how Knot Resolver 6 and Knot DNS 3.4 protect themselves as well as other participants on the Internet against denial-of-service attacks, from a high-level point of view. Let us now dive deeper into the implementation and take a look at the actual technical solution used to achieve this kind of protection.
Merry Christmas and Happy New Year 2025!
Layered protocols, or the big I/O rewrite of Knot Resolver 6
One of the bigger changes made in Knot Resolver 6 is the almost complete rewrite of its I/O (input/output) system and management of communication sessions.
To understand why this rewrite was needed, let us first take a brief look at the history of Knot Resolver’s I/O.
In the beginning, the Resolver’s I/O was really quite simple. As it only supported DNS over plain UDP and TCP (nowadays collectively called Do53 after the standardized DNS port), there used to be only two quite distinct code paths for communication – one for UDP and one for TCP.