This article is written in an effort to aid those who are considering Knot DNS as a replacement for OpenDNSSEC.
More specifically, in this article we’ll be showing how to:
- make Knot use HSMs via the PKCS11 interface
- seamlessly transition from OpenDNSSEC to Knot
- then transition from HSM to automatically managed in-memory keys
If you’ve never interacted with Knot before, please familiarize yourself with the basics. Our documentation provides a great novice-friendly introduction.
Knot DNS in a Complex DNSSEC Topology
Knot DNS has many powerful and useful features, but sometimes it might be difficult to see all the intricate ways in which they interact and complement each other. In this article I’ll attempt to clear up some of that confusion by showcasing a realistic, moderately complex DNS infrastructure built on instances of Knot. Our focus will be largely on DNSSEC.
On the Drawbacks, Weaknesses and Appropriate Uses of NSEC3
Let’s start with a brief reminder of non-existence proofs in DNSSEC. If you have a solid understanding of the topic, feel free to skip this introduction.
The standard DNSSEC solution to proving a record’s non-existence is the NSEC RR. It contains the next node in the lexicographical order and a bitmask of available RTYPEs: