kresd man page

kresd — Knot DNS 2.4.0 full caching resolver.

Synopsis

kresd [-a|--addr addr[@port]] [-t|--tls addr[@port]] [-S|--fd fd] [-T|--tlsfd fd] [-c|--config config] [-k|--keyfile keyfile] [-K|--keyfile-ro keyfile] [-m|--moduledir path] [-f|--forks N] [-q|--quiet] [-v|--verbose] [-V|--version] [-h|--help] [rundir]

Description

Knot DNS Resolver is a DNSSEC-enabled full caching resolver.

Default mode of operation: when it receives a DNS query it iteratively asks authoritative nameservers starting from root zone (.) and ending with a nameservers authoritative for queried name. Automatic DNSSEC means verification of integrity of authoritative responses by following keys and signatures starting from root. Root trust anchor is automatically bootstrapped from IANA, or you can provide a file with root trust anchors (same format as Unbound or BIND9 root keys file).

The daemon also caches intermediate answers into cache, which by default uses LMDB memory-mapped database. This has a significant advantage over in-memory caches as the process may be stopped and restarted without loss of cache entries. In multi-user scenario a shared cache is potential privacy/security issue, with kresd each user can have resolver cache in their private directory and use it in similar fashion to keychain.

By default, no configuration is needed, only a directory where the daemon can store runtime data (cache, control sockets, ...)

To use a locally running kresd for resolving put

nameserver 127.0.0.1

into resolv.conf(5) and start kresd

   $ kresd -a 127.0.0.1 -k root.keys
   [system] interactive mode
   >

The daemon may be configured also as a plain forwarder using query policies, that requires creating a file config in daemon runtime directory. See daemon/README.md for more information about interacting with CLI and configuration file options, or visit https://knot-resolver.readthedocs.io online documentation.

   # Create a basic forwarder configuration
   $ cat << EOF > config
   modules = { 'policy' }
   policy.add(policy.all(policy.FORWARD('192.168.1.1')))
   $ kresd -a 127.0.0.1 -k root.keys
   EOF

The available CLI options are:

-a addr[@port], --addr=<addr[@port]>

Listen on given address (and port) pair. If no port is given, 53 is used as a default. Option may be passed multiple times to listen on more addresses.

-t addr[@port], --tls=<addr[@port]>

Listen using TLS on given address (and port) pair. If no port is given, 853 is used as a default.  Option may be passed multiple times to listen on more addresses.

-S fd, --fd=<fd>

Listen on given file descriptor(s), passed by supervisor. Option may be passed multiple times to listen on more file descriptors.

-T fd, --tlsfd=<fd>

Listen using TLS on given file descriptor(s), passed by supervisor. Option may be passed multiple times to listen on more file descriptors.

-c config, --config=<config>

Set the config file with settings for kresd to read instead of reading the file at the default location (config). The syntax is described in daemon/README.md.

-k keyfile, --keyfile=<keyfile>

(Recommended!) Automatically managed root trust anchors file. Root trust anchors in this file are managed using standard RFC 5011 (Automated Updates of DNS Security Trust Anchors). Kresd needs write access to the directory containing the keyfile.

If the file does not exist, it will be automatically boostrapped from IANA using HTTPS protocol and warning that you need to to check the key before trusting it will be issued.

The file contains DNSKEY/DS records in presentation format, and is compatible with Unbound and BIND 9 root key files.

-K keyfile, --keyfile-ro=<keyfile>

(Discouraged) Static root trust anchors file. The file is not updated by kresd. Use of this option is discouraged because it will break your installation when the trust anchor key changes!

Default: "" (can be empty if your distribution did not provide one)

-m path, --moduledir=<path>

Override the directory that is searched for modules.  Default: /usr/lib64/kdns_modules

-f N, --forks=<N>

With this option, the daemon is started in non-interactive mode and instead creates a UNIX socket in rundir that the operator can connect to for interactive session. A number greater than 1 forks the daemon N times, all forks will bind to same addresses and the kernel will load-balance between them on Linux with SO_REUSEPORT support.

When socket-activated and supervised by systemd or the equivalent, kresd defaults to --forks=1, and must not be set to any other value.  If you want multiple concurrent processes supervised in this way, they should be supervised independently (see kresd.systemd(7)).

-q, --quiet

Daemon will refrain from printing the command prompt.

-v, --verbose

Increase verbosity. If given multiple times, more information is logged. This is in addition to the verbosity (if any) from the config file.

-h

Show short commandline option help.

-V

Show the version.

See Also

kresd.systemd(7), https://knot-resolver.readthedocs.io

Authors

kresd developers are mentioned in the AUTHORS file in the distribution.

Referenced By

kresd.systemd(7).

2018-07-03 CZ.NIC Knot DNS Resolver 2.4.0