This article is written in an effort to aid those who are considering Knot DNS as a replacement for OpenDNSSEC.
More specifically, in this article we’ll be showing how to:
- make Knot use HSMs via the PKCS11 interface
- seamlessly transition from OpenDNSSEC to Knot
- then transition from HSM to automatically managed in-memory keys
If you’ve never interacted with Knot before, please familiarize yourself with the basics. Our documentation provides a great novice-friendly introduction.
Knot DNS in a Complex DNSSEC Topology
Knot DNS has many powerful and useful features, but sometimes it might be difficult to see all the intricate ways in which they interact and complement each other. In this article I’ll attempt to clear up some of that confusion by showcasing a realistic moderately-complex DNS infrastructure built on instances of Knot. Our focus will be largely on DNSSEC.
On the Drawbacks, Weaknesses and Appropriate Uses of NSEC3
Let’s start with a brief reminder of non-existence proofs in DNSSEC. If you have a solid understanding of the topic, feel free to skip this introduction.
The standard DNSSEC solution to proving a record’s non-existence is the NSEC RR. It contains the next node in the lexicographical order and a bitmask of available RTYPEs:
SaltStack, DNS and TLSA
Lately I blogged about how I am managing my DNS entries via SaltStack. So far it was about being a great time saver, but nothing that you couldn’t do manually with considerably more effort. This time, let’s take a look at something that would be in some setups almost impossible manually – adding TLSA records for your websites.
RFC 9432: DNS Catalog zones
A DNS zone is usually served by multiple authoritative servers, which is actually recommended for the sake of redundancy. Large authoritative DNS operators even combine different name server implementations to avoid complete infrastructure outage in case of any software error. For synchronizing zone contents between authoritative servers, a DNS-specific mechanism is available, called zone transfer. It is well established and supported by all common DNS implementations. It enables both full zone transfer (AXFR) and incremental update (IXFR).