KnotDNS 3.0.0 Is Released

From LinuxReviews

KnotDNS is a highly efficient DNS server developed by the Czech Republic's DNS name registry CZ.NIC. The latest version supports XDP sockets, DNS over HTTPS, DNSSEC validation and a lot more. It may be worth a look if you have a very busy website and you are hosting your own DNS servers.

written by 林慧 (Wai Lin) 2020-09-10 - last edited 2020-09-11. © CC BY


Knot is a high-performance, fully featured DNS server comparable to the better-known named domain name server from the Internet Systems Consortium. It is written in C and Lua. Knot is of course multi-threaded and non-blocking. It was written with a nation's Internet registry in mind, which means it is well suited to answering a very large volume of DNS requests quickly and efficiently, most of them with an NXDOMAIN response.

KnotDNS is meant to be used as an authoritative DNS server for domain names; it is not meant to be used as a recursive DNS server on a local network. The Czechs have a separate product called the "Knot Resolver" for that purpose.

KnotDNS 3.0.0 has a lot of new features. Those are:

  • "High-performance networking mode using XDP sockets". The Linux kernel documentation describes those as "an address family that is optimized for high performance packet processing". XDP sockets were a new feature in Linux 4.18.
  • Support for "Catalog Zones"
  • A new tool for manually DNSSEC-signing zones called "kzonesign"
  • A new DNS over UDP traffic generation tool called "kxdpgun". Why a DNS server would need that is not indicated.
  • DNS over HTTPS support
  • Support for KSK revoked DNSSEC key states per RFC 5011
  • Deterministic signing with ECDSA algorithms
  • "Safe" persistent zone data backup and restore

The Czech developers have also made several improvements to their DNS server.

  • CNAME and DNAME chains are now limited to 20 hops. You're doing it wrong if that's an issue for you. A CNAME is of course a domain name pointing at another domain name ( is currently a CNAME to ). Chains of more than 20 CNAME redirects shouldn't exist, but apparently they are common enough that the Knot developers put a hard limit on how long a chain can be.
  • The kdig utility prints detailed algorithm identifiers for PRIVATEDNS and PRIVATEOID. GNU/Linux distributions tend to make kdig available in a separate package called knot-utils. It is essentially just like dig.
  • QTYPE ANY and RRSIG queries are now limited to one random RRSet
  • The statistics module performs better
  • The CPU cache is better utilized
  • Log messages written to non-syslog streams now get their own timestamps
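A simplified model of the hop-limited CNAME chasing described in the first item above, written as an added illustration (this is not Knot's code, and the exact limit semantics are approximated); the zone data is constructed and shows why a server caps chain length: a loop would otherwise never terminate and a long chain would cost unbounded work per query.

```python
# Hop-limited CNAME chain following (added illustration, not Knot's code).
CNAME_LIMIT = 20  # Knot 3.0.0 caps CNAME/DNAME chains at 20 hops

# Constructed zone: owner name -> CNAME target; None marks a terminal name
# that carries address records instead of a CNAME.
ZONE = {
    "www.example.test.": "cdn.example.test.",
    "cdn.example.test.": "edge.example.test.",
    "edge.example.test.": None,
    "loop-a.example.test.": "loop-b.example.test.",   # two-name loop
    "loop-b.example.test.": "loop-a.example.test.",
}
# Constructed 24-hop chain: hop0 -> hop1 -> ... -> hop24 (terminal)
for i in range(25):
    ZONE[f"hop{i}.example.test."] = f"hop{i + 1}.example.test." if i < 24 else None


def follow_cname(zone, name, limit=CNAME_LIMIT):
    """Return (last_name, hops_taken, status).

    status is "ok" when a terminal name is reached within the limit,
    "loop" when an owner name repeats, and "too_long" when another hop
    would exceed the limit. Both failure modes are exactly what an
    unbounded implementation would fail to stop.
    """
    seen = set()
    hops = 0
    current = name
    while True:
        if current in seen:
            return current, hops, "loop"
        seen.add(current)
        target = zone.get(current)
        if target is None:          # terminal record set, chain resolved
            return current, hops, "ok"
        if hops >= limit:           # refuse to follow the chain any further
            return current, hops, "too_long"
        current = target
        hops += 1
```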

They've also fixed two minor bugs.

The new KnotDNS server can be acquired from their website, in English, at . There is ample documentation at . Knot's configuration files and options differ from those of named, so you will have to read it if you are used to how named does things.
