@buffrr
Created December 11, 2021 03:18
HSD + Knot resolver (with DNSSEC enabled)

Run hsd as a root server only at 127.0.0.2:53 and let knot-resolver do recursion (recommended):

hsd --no-wallet --no-rs --no-sig0 --ns-host 127.0.0.2 --ns-port 53

Add the hsd KSK (the Handshake root zone's key-signing key) to /var/lib/knot-resolver/root.keys:

.                       9471    IN      DNSKEY  257 3 13 T9cURJ2M/Mz9q6UsZNY+Ospyvj+Uv+tgrrWkLtPQwgU/Xu5Yk0l02Sn5 ua2xAQfEYIzRO6v5iA+BejMeEwNP4Q==

Edit /etc/knot-resolver/kresd.conf:

-- Network interface configuration

-- add interfaces you'd like to listen to
net.listen('127.0.0.1', 53, { kind = 'dns' })


-- Load useful modules
modules = {
        'hints > iterate',  -- Load /etc/hosts and allow custom root hints
        'stats',            -- Track internal statistics
        'predict',          -- Prefetch expiring/frequent records
}

-- Unload the trust-anchor signaling and sentinel modules (they assume the ICANN root)
modules.unload('ta_signal_query')
modules.unload('ta_sentinel')

-- Unload root priming module
modules.unload('priming')

-- Override the root hints
-- The synth name must encode the IP you used for the hsd root server: 127.0.0.2 = _fs0000g._synth.
-- Run `dig @127.0.0.2 . NS` against hsd to find the correct synth name for your address
hints.root({
  ['_fs0000g._synth.'] = { '127.0.0.2' }
})

-- Load custom trust anchor
trust_anchors.add_file('root.keys', true)
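Before trusting a DNSKEY line in root.keys, it is worth checking that it is actually a KSK (flags 257 = ZONE + SEP), uses the algorithm you expect (13 = ECDSAP256SHA256, a 64-byte key) and has the key tag that hsd itself reports. The following Python script is an added example and not part of the gist or of hsd/knot-resolver; it parses the presentation-format DNSKEY record from root.keys, computes the RFC 4034 key tag and the DS digest (type 2, SHA-256) for the root owner name. The record constant is the one from the gist; the all-zero key used in the comments is a constructed test vector, not a real key.

```python
import base64
import hashlib
import struct

# DNSKEY line as given in the gist's root.keys (hsd root KSK).
HSD_ROOT_KSK = (
    ".                       9471    IN      DNSKEY  257 3 13 "
    "T9cURJ2M/Mz9q6UsZNY+Ospyvj+Uv+tgrrWkLtPQwgU/Xu5Yk0l02Sn5 "
    "ua2xAQfEYIzRO6v5iA+BejMeEwNP4Q=="
)

FLAG_ZONE = 0x0100  # bit 7: zone key
FLAG_SEP = 0x0001   # bit 15: secure entry point (KSK)


def parse_dnskey(line):
    """Parse a presentation-format DNSKEY RR as stored in root.keys.

    TTL and class are optional; the base64 key may be split by whitespace.
    Returns (owner, flags, protocol, algorithm, key_bytes).
    """
    fields = line.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, protocol, algorithm = (int(f) for f in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))
    return owner, flags, protocol, algorithm, key


def dnskey_rdata(flags, protocol, algorithm, key):
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (for algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(owner):
    """Uncompressed wire-format owner name; '.' encodes as one zero byte."""
    labels = [lbl for lbl in owner.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def is_ksk(flags):
    """A key-signing key has both the ZONE and the SEP flag set (257)."""
    return flags & FLAG_ZONE != 0 and flags & FLAG_SEP != 0


def describe_trust_anchor(line):
    """Summarise a DNSKEY line: key tag and the SHA-256 DS digest (type 2)."""
    owner, flags, protocol, algorithm, key = parse_dnskey(line)
    rdata = dnskey_rdata(flags, protocol, algorithm, key)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return {
        "owner": owner,
        "flags": flags,
        "is_ksk": is_ksk(flags),
        "protocol": protocol,
        "algorithm": algorithm,
        "key_len": len(key),
        "key_tag": key_tag(rdata),
        "ds": f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {digest}",
    }


if __name__ == "__main__":
    info = describe_trust_anchor(HSD_ROOT_KSK)
    for k, v in info.items():
        print(f"{k:>10}: {v}")
```

Compare the printed key tag with the `; key id = NNNN` comment that `dig @127.0.0.2 . DNSKEY +multiline` prints for the hsd root; a mismatch means the line in root.keys is not the key hsd is actually serving and kresd will fail validation (SERVFAIL) for everything under it. Note that the trust anchor is loaded with `readonly = true` in the config above, so kresd will not rotate it via RFC 5011; when hsd's root key changes, root.keys must be updated by hand and rechecked the same way.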