.CZ zone generation and signing underwent technical inspection, original components were replaced with Knot DNS

I try to describe the basic building blocks of our national domain registry administration to people around me quite often. Yet (or maybe for that very reason), the .cz is still perceived as something that simply works. Just like when you get in your car to take your children to school every morning. You expect the journey to take the usual 10 minutes (or 15 if you need to refuel) and that you won’t have to deal with any trouble. Even though you know that you need to change the oil regularly, check and change worn parts, or repair defects caused by operation, most of you leave these “out of order” cases to service professionals or at least a handy neighbor and avoid having to wash your hands from automotive grease or to remember the required type of brake pads. Modern cars are able to inform you of any necessary maintenance and all you have to do is dial the correct phone number. Although you don’t fully understand the person at the other end of the line, they manage to get through to you because you have a basic idea of how a car works.

Knot DNS 3.0 News

Recently, version 3.0 of Knot DNS – an open-source implementation of an authoritative DNS server – has been released. Despite the version number, the software isn’t changing much. There are slightly more new features than in common feature releases such as 2.9. However, the features added in 3.0 don’t change any behaviour, unless the user turns them on. The migration from 2.9 to 3.0 is therefore seamless.

Epic DNS Benchmarking

DNS is one of the critical services necessary for proper operation of the Internet. Also it is often a target of various cyber attacks. Considering this fact, operators of authoritative DNS servers require robust solutions offering enough performance for regular DNS traffic and resisting possible attacks against this service. That is the reason why we focus, besides other aspects, on the performance during development of our authoritative DNS server Knot DNS. Benchmarking is an inseparable part of the project and we have been exploring various ways of further performance growth. Recently we had a great opportunity to play with the epic 128-thread processor AMD EPYC 7702P. In this blog post I will share some results from its benchmarking.

GeoIP in Knot DNS 2.7

The latest release of our authoritative DNS server, Knot DNS 2.7, comes with several new features. One of them is the GeoIP module for geography-based or subnet-based responses. In this article, we will briefly explain what the module is for and how it works and then we will explore how to set up and configure the module on your Knot server.

DNS traffic collector

We are releasing dns-collector, an entry part of our pipeline for monitoring of our DNS servers and analysis of the DNS traffic. Together with advanced analysis of the collected data, we can not only monitor the DNS traffic for urgent problems, but also detect and examine long-term trends and issues (e.g. misconfiguration of other servers). We have presented this system at the IT 15.2 conference (video and slides in Czech).

DNSSEC signing with Knot DNS and YubiKey

Knot DNS 2.1 introduced support for DNSSEC signing using PKCS #11. PKCS #11 (also called Cryptoki) is a standard interface to access various Hardware Security Modules (HSM). Such devices are usually used to improve protection of private key material. The interface is rather flexible and gives the HSM vendors huge amount of freedom, which unfortunately makes its use a bit tricky. There are often surprising differences between individual implementations.

Scripting in Knot DNS Resolver

This week I was approached by a man dressed in platypus pyjamas, he asked me: “These layers and modules you talk about, they’re cool. But can it be even better?”. After the initial costume distraction wore off, I pondered a bit and said: “Sure, let me just grab a cup of coffee”. The real story is that the layers are now much more interactive, and the documentation is improved.

Embedding LuaJIT in 30 minutes (or so)

Since you’re reading this, you probably know Lua, the world’s most infuriating language. If not, hop on to Lua in 15 minutes to get the basics right. Now there are two types of use cases where Lua shines – as a tiny script/configuration language, and for high-performance data processing (with JIT). I went through both of them with kresd, and wrote down some notes.