kresd(8)                     Knot Resolver 3.2.1                     kresd(8)

NAME
       kresd - Knot Resolver 3.2.1 full caching resolver.

SYNOPSIS
       kresd [-a|--addr addr[@port]] [-t|--tls addr[@port]] [-S|--fd fd]
             [-T|--tlsfd fd] [-c|--config config] [-k|--keyfile keyfile]
             [-K|--keyfile-ro keyfile] [-m|--moduledir path] [-f|--forks N]
             [-q|--quiet] [-v|--verbose] [-V|--version] [-h|--help] [rundir]

DESCRIPTION
       Knot Resolver is a DNSSEC-enabled full caching resolver.

       Default mode of operation: when it receives a DNS query it iteratively
       asks authoritative nameservers, starting from the root zone (.) and
       ending with the nameservers authoritative for the queried name.
       Automatic DNSSEC means verification of the integrity of authoritative
       responses by following keys and signatures starting from the root. The
       root trust anchor is automatically bootstrapped from IANA, or you can
       provide a file with root trust anchors (same format as the Unbound or
       BIND9 root keys file).

       The daemon also caches intermediate answers in a cache which by default
       uses an LMDB memory-mapped database. This has a significant advantage
       over in-memory caches as the process may be stopped and restarted
       without loss of cache entries. In a multi-user scenario a shared cache
       is a potential privacy/security issue (cached entries reveal which
       names other users have resolved, and a bad entry affects everyone);
       with kresd each user can keep a resolver cache in their private
       directory and use it in a similar fashion to a keychain.

32
33 By default, no configuration is needed, only a directory where the dae‐
34 mon can store runtime data (cache, control sockets, ...)
35
36 To use a locally running kresd for resolving put
37
38 nameserver 127.0.0.1
39
40 into resolv.conf(5) and start kresd
41
42 $ kresd -a 127.0.0.1 -k root.keys
43 [system] interactive mode
44 >
45
       The daemon may also be configured as a plain forwarder using query
       policies; this requires creating a file named config in the daemon
       runtime directory. See daemon/README.md for more information about
       interacting with the CLI and about configuration file options, or
       visit the online documentation at https://knot-resolver.readthedocs.io.

              # Create a basic forwarder configuration
              $ cat << EOF > config
              modules = { 'policy' }
              policy.add(policy.all(policy.FORWARD('192.168.1.1')))
              EOF
              $ kresd -a 127.0.0.1 -k root.keys

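       The following is an added example (it is not part of this manual page
       or of the kresd distribution) of a more selective forwarder
       configuration for kresd 3.x: cleartext forwarding of one internal
       suffix, DNS-over-TLS forwarding with certificate verification for
       everything else, explicit listening sockets and the managed trust
       anchor file. The addresses 192.168.1.1 and 192.0.2.53, the zone
       corp.example, the hostname dot.example.net and all file paths are
       placeholders to be replaced with your own.

```lua
-- Added example, not kresd's own code: selective forwarder config for kresd 3.x.
-- Placeholders: 192.168.1.1 (internal resolver for the unsigned zone corp.example),
-- 192.0.2.53 (DNS-over-TLS upstream whose certificate names dot.example.net),
-- and the paths under /etc/knot-resolver and /etc/ssl.
modules = { 'policy' }

-- Listen on loopback only: plain DNS on 53, DNS-over-TLS on 853 with our own
-- certificate and key so local clients can talk to kresd over TLS as well.
net.listen('127.0.0.1', 53)
net.listen('127.0.0.1', 853, { tls = true })
net.tls('/etc/knot-resolver/server.crt', '/etc/knot-resolver/server.key')

-- Managed (RFC 5011) root trust anchors; equivalent to -k on the command line.
trust_anchors.add_file('/etc/knot-resolver/root.keys')

-- Rules are tried in order and the first match wins, so the narrow suffix
-- rule must come before the catch-all below.
-- Internal names go to the internal resolver in the clear ...
policy.add(policy.suffix(policy.FORWARD('192.168.1.1'), { todname('corp.example') }))
-- ... and because that zone is unsigned and has no secure delegation from the
-- root, a negative trust anchor tells the validator not to expect DNSSEC there.
trust_anchors.set_insecure({ 'corp.example' })

-- Everything else goes to the TLS upstream. kresd verifies that the upstream
-- certificate chains to ca_file and matches hostname; on mismatch the
-- forwarding fails instead of silently falling back to cleartext.
policy.add(policy.all(policy.TLS_FORWARD({
  { '192.0.2.53', hostname = 'dot.example.net',
    ca_file = '/etc/ssl/certs/ca-certificates.crt' },
})))
```

       Note that queries for corp.example still leave the host in cleartext
       even from clients that reach kresd over TLS, because FORWARD, unlike
       TLS_FORWARD, does not encrypt the upstream leg.
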
       The available CLI options are:

       -a addr[@port], --addr=<addr[@port]>
              Listen on the given address (and port) pair. If no port is
              given, 53 is used as the default. The option may be passed
              multiple times to listen on more addresses.

       -t addr[@port], --tls=<addr[@port]>
              Listen using TLS on the given address (and port) pair. If no
              port is given, 853 is used as the default. The option may be
              passed multiple times to listen on more addresses.

       -S fd, --fd=<fd>
              Listen on the given file descriptor(s), passed by a supervisor.
              The option may be passed multiple times to listen on more file
              descriptors.

       -T fd, --tlsfd=<fd>
              Listen using TLS on the given file descriptor(s), passed by a
              supervisor. The option may be passed multiple times to listen
              on more file descriptors.

       -c config, --config=<config>
              Set the config file with settings for kresd to read instead of
              reading the file at the default location (config). The syntax
              is described in daemon/README.md.

       -k keyfile, --keyfile=<keyfile>
              (Recommended!) Automatically managed root trust anchors file.
              Root trust anchors in this file are managed using standard RFC
              5011 (Automated Updates of DNS Security Trust Anchors). Kresd
              needs write access to the directory containing the keyfile.

              If the file does not exist, it will be automatically
              bootstrapped from IANA over HTTPS, and a warning that you need
              to check the key before trusting it will be issued.

              The file contains DNSKEY/DS records in presentation format, and
              is compatible with Unbound and BIND 9 root key files.

       -K keyfile, --keyfile-ro=<keyfile>
              (Discouraged) Static root trust anchors file. The file is not
              updated by kresd. Use of this option is discouraged because it
              will break your installation when the trust anchor key changes
              (at the next root KSK rollover)!

              Default: "" (can be empty if your distribution did not provide
              one)

       -m path, --moduledir=<path>
              Override the directory that is searched for modules. Default:
              /usr/lib64/kdns_modules

       -f N, --forks=<N>
              With this option, the daemon is started in non-interactive mode
              and instead creates a UNIX socket in rundir that the operator
              can connect to for an interactive session. A number greater
              than 1 forks the daemon N times; all forks bind to the same
              addresses and the kernel load-balances between them on Linux
              with SO_REUSEPORT support.

              When socket-activated and supervised by systemd or the
              equivalent, kresd defaults to --forks=1, and this must not be
              set to any other value. If you want multiple concurrent
              processes supervised in this way, they should be supervised
              independently (see kresd.systemd(7)).

       -q, --quiet
              The daemon will refrain from printing the command prompt.

       -v, --verbose
              Increase verbosity. If given multiple times, more information
              is logged. This is in addition to the verbosity (if any) set in
              the config file.

       -h, --help
              Show short command-line option help.

       -V, --version
              Show the version.
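
       The following is an added example (not part of this manual page or of
       kresd itself) of the check that the -k bootstrap warning asks for: it
       parses a root trust anchor file in presentation format and confirms
       that the DS record of the root KSK published by IANA (key tag 20326,
       algorithm 8, digest type 2, SHA-256 digest E06D44B8...C7F8EC8D) is
       present. It is plain Lua and runs under a stand-alone lua interpreter
       as well as inside a kresd config file; the sample keyfile text is
       constructed here and the path /etc/knot-resolver/root.keys is a
       placeholder. It inspects DS lines only; a file holding nothing but
       DNSKEY records would need the DS digest computed from the key first,
       which this example does not do.

```lua
-- Added example, not kresd code: verify a root.keys file against the root
-- KSK DS record published by IANA before trusting a bootstrapped anchor.

-- Root KSK-2017 DS record: key tag 20326, algorithm 8 (RSASHA256),
-- digest type 2 (SHA-256). Compare it with https://data.iana.org/root-anchors/
local EXPECTED_ROOT_DS = {
  keytag = 20326, algorithm = 8, digest_type = 2,
  digest = 'E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D',
}

-- Parse presentation-format text and return the DS records whose owner is
-- the root ('.'). Comments (';'), blank lines and other record types such as
-- DNSKEY are skipped; the TTL field and spaces inside the digest are optional.
local function parse_root_ds(text)
  local found = {}
  for line in text:gmatch('[^\r\n]+') do
    line = line:gsub(';.*$', '')
    local owner, keytag, alg, dtype, digest = line:match(
      '^%s*(%S+)%s+%d*%s*IN%s+DS%s+(%d+)%s+(%d+)%s+(%d+)%s+([%x%s]+)$')
    if owner == '.' then
      found[#found + 1] = {
        keytag = tonumber(keytag), algorithm = tonumber(alg),
        digest_type = tonumber(dtype),
        digest = digest:gsub('%s', ''):upper(),
      }
    end
  end
  return found
end

local function ds_matches(rec, expected)
  return rec.keytag == expected.keytag
     and rec.algorithm == expected.algorithm
     and rec.digest_type == expected.digest_type
     and rec.digest == expected.digest
end

-- true if at least one root DS in `text` equals the expected anchor. Extra
-- unknown records do not fail the check on their own; a missing or tampered
-- expected record does.
local function root_ds_ok(text, expected)
  for _, rec in ipairs(parse_root_ds(text)) do
    if ds_matches(rec, expected) then return true end
  end
  return false
end

-- Check a keyfile on disk. Returns nil, err when the file cannot be read;
-- with -k a missing file only means kresd has not bootstrapped it yet.
local function check_keyfile(path, expected)
  local f, err = io.open(path, 'r')
  if not f then return nil, err end
  local text = f:read('*a')
  f:close()
  return root_ds_ok(text, expected)
end

-- Constructed sample in the format shared by kresd, Unbound and BIND 9: a
-- comment, the genuine KSK-2017 DS, and a bogus extra DS (key tag 12345,
-- all-zero digest) standing in for a stale or planted entry.
local SAMPLE = [[
; managed by kresd, do not edit
. 0 IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
. 0 IN DS 12345 8 2 0000000000000000000000000000000000000000000000000000000000000000
]]

assert(root_ds_ok(SAMPLE, EXPECTED_ROOT_DS) == true)
-- A single changed nibble in the digest must fail the check.
local tampered = SAMPLE:gsub('E06D44B8', 'E06D44B9')
assert(root_ds_ok(tampered, EXPECTED_ROOT_DS) == false)
-- A file that carries only the bogus record must fail as well.
local bogus_only = SAMPLE:gsub('%. 0 IN DS 20326[^\n]*\n', '')
assert(root_ds_ok(bogus_only, EXPECTED_ROOT_DS) == false)

-- Against a real file (placeholder path); nil means it could not be read.
local ok, err = check_keyfile('/etc/knot-resolver/root.keys', EXPECTED_ROOT_DS)
print(ok == nil and ('root.keys not readable: ' .. err)
                or ('root.keys verified: ' .. tostring(ok)))
```

       Placed at the top of a kresd config file, the same functions can make
       startup abort by calling error() when check_keyfile returns false, so
       a mismatching anchor is never used to validate anything.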

SEE ALSO
       kresd.systemd(7), https://knot-resolver.readthedocs.io

AUTHORS
       kresd developers are mentioned in the AUTHORS file in the distribution.



CZ.NIC                            2019-01-10                          kresd(8)