Knot DNS

Knot DNS
Developer(s): CZ.NIC
Initial release: December 12, 2011
Stable release: 3.3.7 / June 25, 2024
Operating system: Unix-like
Type: DNS server
License: GPL
Website: www.knot-dns.cz

Knot DNS is an open-source authoritative-only server for the Domain Name System. It was created from scratch and is actively developed by CZ.NIC, the .CZ domain registry. The purpose of the project is to supply an alternative open-source implementation of an authoritative DNS server suitable for TLD operators, in order to increase the overall security, stability and resiliency of the Domain Name System. It is implemented as a multi-threaded daemon, using a number of programming techniques and data structures to make the server very fast, [1] notably read-copy-update [2] and a special kind of radix tree.


Knot DNS uses a zone parser written in Ragel to achieve very fast loading of zones at startup. It is also able to add and remove zones on the fly by changing the configuration file and reloading the server using the 'knotc' utility.

Since version 3.0.0, Knot DNS supports a high performance XDP mode in Linux, which can improve response performance significantly. [3] [4]

Changelog

New in 1.2.0: Response Rate Limiting, Dynamic DNS, and a new remote control utility.

New in 1.3.0: new zone parser in Ragel (replaces zone compilation) and several client utilities (kdig, khost and knsupdate).

New in 1.4.0: automatic DNSSEC signing of the managed zones.

New in 1.5.0: query modules with two new modules: "Automatic forward/reverse records" and dnstap.

New in 1.6.0: persistent timers for slave zones (expire, refresh, and flush) using LMDB.

New in 2.0.0: new YAML-based configuration, and new DNSSEC implementation using GnuTLS.

New in 2.1.0: [5] dynamic configuration, PKCS #11 interface, and online DNSSEC signing.

New in 2.2.0: [6] Response Rate Limiting whitelisting, support for the URI (RFC 7553) and CAA (RFC 6844) resource record types, interactive mode for 'knotc', new control interface for the server including simple Python bindings.

New in 2.3.0: [7] DNSSEC signing configured in server configuration, automatic NSEC3 resalting, zone operations over server control interface, TLS in kdig.

New in 2.4.0: [8] Unified LMDB-based journal, new statistics module, automatic deletion of retired DNSSEC keys.

New in 2.5.0: [9] LMDB-based KASP database, KSK rollover, dynamic modules, zone freeze/thaw, zone contents in journal.

New in 2.6.0: [10] On-slave DNSSEC signing, automatic DNSSEC algorithm rollover, Ed25519 algorithm support, TCP Fast Open.

New in 2.7.0: [11] Performance improvement, new module for DNS Cookies, new module for GeoIP, support for ECS.

New in 2.8.0: [12] Offline-KSK, multithreaded DNSSEC signing, extended ACL for DDNS, zone update speed-up.

New in 2.9.0: [13] Significant zone update speed-up, TCP optimizations, configuration cleanup.

New in 3.0.0: [14] High performance XDP mode for UDP under Linux, catalog zones support, continuous DNSSEC validation, kzonesign and kxdpgun utilities, DoH support in kdig, deterministic ECDSA support, on-line backup of persistent data. [15]

New in 3.1.0: [16] basic DNS over TCP using XDP, routing-aware XDP processing, ZONEMD generation and validation, SVCB/HTTPS support, zone catalog evolution, EDNS error (EDE) support, epoll/kqueue support.

New in 3.2.0: [17] full DNS over TCP using XDP (including transfers), DNS over QUIC in the XDP mode, DNSSEC multi-signer support.

New in 3.3.0: [18] full DNS over QUIC (using both XDP and operating system TCP/IP-stack), bidirectional XFR over QUIC, multi-signer operation mode.
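Several of the features listed above (the YAML configuration introduced in 2.0.0, automatic DNSSEC signing, Response Rate Limiting, and the extended ACL for DDNS from 2.8.0) combined in one knot.conf. This is an added illustration, not configuration from the article or the Knot DNS project; the zone name, addresses, key names and secret placeholders are assumed.

```yaml
# Added example knot.conf; zone, addresses and secrets are assumed values.
server:
    listen: [ 0.0.0.0@53, ::@53 ]
    user: knot:knot

key:
  - id: xfr-key
    algorithm: hmac-sha256
    secret: "PLACEHOLDER_BASE64_SECRET"   # placeholder; generate with keymgr -t
  - id: ddns-key
    algorithm: hmac-sha256
    secret: "PLACEHOLDER_BASE64_SECRET"   # placeholder

remote:
  - id: secondary
    address: 192.0.2.10@53
    key: xfr-key

acl:
  # Zone transfers require the shared TSIG key, not just a source address.
  - id: xfr-acl
    key: xfr-key
    action: transfer
  # Extended DDNS ACL: the signed client may only change A/AAAA records
  # at or below the "hosts" subtree of the zone.
  - id: ddns-acl
    address: 198.51.100.0/24
    key: ddns-key
    action: update
    update-type: [ A, AAAA ]
    update-owner: name
    update-owner-match: sub-or-equal
    update-owner-name: [ hosts ]

policy:
  - id: ecdsa
    algorithm: ecdsap256sha256
    nsec3: on

mod-rrl:
  - id: rrl
    rate-limit: 200   # responses per second per address prefix before slipping
    slip: 2           # every second limited response is a truncated one

zone:
  - domain: example.com
    file: "/var/lib/knot/example.com.zone"
    notify: secondary
    acl: [ xfr-acl, ddns-acl ]
    dnssec-signing: on
    dnssec-policy: ecdsa
    module: mod-rrl/rrl
```

After editing the file the server picks up the change with 'knotc reload'; since 2.1.0 the same settings can also be changed at runtime through 'knotc conf-begin', 'conf-set' and 'conf-commit'.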


References

  1. Response rate benchmark of several OSS authoritative name servers
  2. Knot DNS memory requirements
  3. Peltan, Libor (2020-02-08). "DNS response rate speedup by using XDP". Presentation at DNS OARC 32. Retrieved 2020-09-09.
  4. Knot DNS 3.0 Benchmarking
  5. Knot DNS 2.1.0
  6. Knot DNS 2.2.0
  7. Knot DNS 2.3.0
  8. Knot DNS 2.4.0
  9. Knot DNS 2.5.0
  10. Knot DNS 2.6.0
  11. Knot DNS 2.7.0
  12. Knot DNS 2.8.0
  13. Knot DNS 2.9.0
  14. Knot DNS 3.0.0
  15. Peltan, Libor (2020-09-09). "Knot DNS 3.0 News". Blog of CZ.NIC staff. Retrieved 2020-09-09.
  16. Knot DNS 3.1.0
  17. Knot DNS 3.2.0
  18. Knot DNS 3.3.0