KnotDNS 3.0.0 Is Released
KnotDNS is a highly efficient DNS server developed by the Czech Republic's DNS name registry CZ.NIC. The latest version supports XDP sockets, DNS over HTTPS, DNSSEC validation and a lot more. It may be worth a look if you have a very busy website and you are hosting your own DNS servers.
written by 林慧 (Wai Lin). published 2020-09-10 - last edited 2020-09-11
Knot DNS is a high-performance, fully featured DNS server comparable to the better-known named domain name server from the Internet Systems Consortium. It is written in C, and it is of course multi-threaded and non-blocking. It was designed with a national Internet registry in mind, which means it is well suited to answering a very large volume of queries quickly and efficiently, including the high share of NXDOMAIN answers a top-level-domain server hands out.
KnotDNS is meant to be used as an authoritative DNS server for domain names; it is not meant to be used as a recursive resolver on a local network. CZ.NIC has a separate product, Knot Resolver, for that purpose.
KnotDNS 3.0.0 has a lot of new features. Those are:
- "High-performance networking mode using XDP sockets". The Linux kernel documentation describes these (AF_XDP) as "an address family that is optimized for high performance packet processing". XDP sockets were introduced in Linux 4.18.
- Support for "Catalog Zones"
- A new tool for manually signing DNSSEC zones called "kzonesign"
- A new DNS over UDP traffic generation tool called "kxdpgun". It is a load generator: it uses XDP to fire queries at a server at very high rates so you can benchmark an authoritative server, it does not serve anything itself.
- DNS over HTTPS support
- Support for the revoked KSK DNSSEC key state per RFC 5011
- Deterministic signing with ECDSA algorithms (RFC 6979)
- "Safe" persistent zone data backup and restore
The developers have also made several improvements to their DNS server.
- CNAME and DNAME chains are now limited to 20 hops. You're doing it wrong if that's an issue for you. A CNAME is of course a domain name pointing at another domain name (www.linuxreviews.org is currently a CNAME to linuxreviews.org). Chains of more than 20 CNAME redirects shouldn't exist; the hard limit bounds the work the server spends following a chain for a single query and stops a chain that loops back on itself from tying the server up indefinitely.
- The kdig utility prints detailed algorithm identifiers for PRIVATEDNS and PRIVATEOID. GNU/Linux distributions tend to ship kdig in a separate package called knot-utils. It is essentially just like
- QTYPE ANY and RRSIG queries are now answered with only one randomly chosen RRSet. Large ANY responses are a favourite of reflection and amplification attacks, so cutting them down limits how much traffic an attacker can bounce off the server.
- The statistics module performs better
- The CPU cache is better utilized
- Log messages written to non-syslog streams now get their own timestamps
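The CNAME chain limit above is easier to appreciate with the two failure modes it guards against in front of you: a chain that loops back on itself and a chain so long that answering one query means walking the zone over and over. The following is an added example, not code from Knot DNS; the zone is a constructed in-memory table with made-up names and addresses (the `hopN.example.` chain and `loop1`/`loop2` are assumptions for illustration), and the hop limit of 20 is the figure from the release notes.

```python
"""Bounded CNAME chain following, as an authoritative server does it.

Added example, not Knot DNS code. The zone is a constructed in-memory
table (owner name -> list of (rtype, rdata)); every name and address in
it is made up. It shows the two failure modes a hop limit protects
against: a chain that loops and a chain that is simply too long.
"""
from typing import Dict, List, Tuple

MAX_CNAME_CHAIN = 20  # hop limit introduced in Knot DNS 3.0

RR = Tuple[str, str]          # (rtype, rdata)
Zone = Dict[str, List[RR]]    # owner name -> records at that owner


def build_sample_zone() -> Zone:
    """Constructed sample data: a short chain, a two-node loop, a 25-hop chain."""
    zone: Zone = {
        "www.example.":   [("CNAME", "web.example.")],
        "web.example.":   [("CNAME", "lb.example.")],
        "lb.example.":    [("A", "192.0.2.10"), ("A", "192.0.2.11")],
        "loop1.example.": [("CNAME", "loop2.example.")],
        "loop2.example.": [("CNAME", "loop1.example.")],
    }
    for i in range(25):                       # hop0 -> hop1 -> ... -> hop25
        zone[f"hop{i}.example."] = [("CNAME", f"hop{i + 1}.example.")]
    zone["hop25.example."] = [("A", "192.0.2.20")]
    return zone


class ChainLoop(Exception):
    """The CNAME chain returned to an owner name already visited."""


class ChainTooLong(Exception):
    """More than MAX_CNAME_CHAIN CNAME hops would be needed."""


def follow(zone: Zone, qname: str, qtype: str = "A",
           limit: int = MAX_CNAME_CHAIN) -> List[Tuple[str, str, str]]:
    """Return the answer section as (owner, rtype, rdata) triples.

    Owner names are compared case-insensitively. A CNAME at the owner is
    followed unless the query itself asked for CNAME. Every hop is counted
    against `limit`; the `seen` set catches loops before the budget is spent.
    """
    answer: List[Tuple[str, str, str]] = []
    seen = set()
    name = qname.lower()
    hops = 0
    while True:
        if name in seen:
            raise ChainLoop(f"loop at {name} after {hops} hops")
        seen.add(name)
        rrs = zone.get(name, [])
        cnames = [rd for rt, rd in rrs if rt == "CNAME"]
        if cnames and qtype != "CNAME":
            answer.append((name, "CNAME", cnames[0]))
            hops += 1
            if hops > limit:
                raise ChainTooLong(f"{qname} needs more than {limit} hops")
            name = cnames[0].lower()
            continue
        # End of the chain: emit the records of the requested type, if any.
        answer.extend((name, rt, rd) for rt, rd in rrs if rt == qtype)
        return answer  # empty list means no data / nonexistent name


def answer_query(zone: Zone, qname: str, qtype: str = "A") -> Tuple[str, int]:
    """Classify the outcome as ('ok' | 'loop' | 'toolong', number of records)."""
    try:
        rrs = follow(zone, qname, qtype)
    except ChainLoop:
        return ("loop", 0)
    except ChainTooLong:
        return ("toolong", 0)
    return ("ok", len(rrs))


if __name__ == "__main__":
    z = build_sample_zone()
    for q in ("www.example.", "loop1.example.", "hop5.example.", "hop4.example."):
        print(q, answer_query(z, q))
```

`hop5.example.` needs exactly 20 hops and is answered in full; `hop4.example.` needs 21 and is cut off. What a real server returns once the limit trips (the partial chain it has collected, or an error) is an implementation choice the release notes do not spell out, so the example just reports it.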
They've also fixed two minor bugs.
The new KnotDNS server can be acquired from their website, in English, at www.knot-dns.cz. There is ample documentation at www.knot-dns.cz/documentation. Knot's configuration files and options differ from named's, so you will have to read it if you are used to how named does things.