kresd(8)                      Knot Resolver 3.2.1                     kresd(8)

NAME

       kresd - Knot 3.2.1 full caching resolver.

SYNOPSIS

       kresd [-a|--addr addr[@port]] [-t|--tls addr[@port]] [-S|--fd fd]
       [-T|--tlsfd fd] [-c|--config config] [-k|--keyfile keyfile]
       [-K|--keyfile-ro keyfile] [-m|--moduledir path] [-f|--forks N]
       [-q|--quiet] [-v|--verbose] [-V|--version] [-h|--help] [rundir]

DESCRIPTION

       Knot Resolver is a DNSSEC-enabled full caching resolver.

       Default mode of operation: when it receives a DNS query, it iteratively
       asks authoritative nameservers, starting from the root zone (.) and
       ending with the nameservers authoritative for the queried name.
       Automatic DNSSEC means verifying the integrity of authoritative
       responses by following keys and signatures starting from the root. The
       root trust anchor is automatically bootstrapped from IANA, or you can
       provide a file with root trust anchors (same format as Unbound or BIND9
       root keys file).

       The daemon also caches intermediate answers in a cache, which by
       default uses an LMDB memory-mapped database. This has a significant
       advantage over in-memory caches, as the process may be stopped and
       restarted without loss of cache entries. In a multi-user scenario a
       shared cache is a potential privacy/security issue; with kresd each
       user can have a resolver cache in their private directory and use it
       in a similar fashion to a keychain.

       By default, no configuration is needed, only a directory where the
       daemon can store runtime data (cache, control sockets, ...)

       To use a locally running kresd for resolving, put

             nameserver 127.0.0.1

       into resolv.conf(5) and start kresd

             $ kresd -a 127.0.0.1 -k root.keys
             [system] interactive mode
             >

       The daemon may also be configured as a plain forwarder using query
       policies; that requires creating a file config in the daemon runtime
       directory. See daemon/README.md for more information about interacting
       with the CLI and configuration file options, or visit the online
       documentation at https://knot-resolver.readthedocs.io.

             # Create a basic forwarder configuration
             $ cat << EOF > config
             modules = { 'policy' }
             policy.add(policy.all(policy.FORWARD('192.168.1.1')))
             EOF
             $ kresd -a 127.0.0.1 -k root.keys

       The available CLI options are:

       -a addr[@port], --addr=<addr[@port]>
              Listen on given address (and port) pair. If no port is given, 53
              is used as a default. Option may be passed multiple times to
              listen on more addresses.

       -t addr[@port], --tls=<addr[@port]>
              Listen using TLS on given address (and port) pair. If no port is
              given, 853 is used as a default. Option may be passed multiple
              times to listen on more addresses.

       -S fd, --fd=<fd>
              Listen on given file descriptor(s), passed by supervisor.
              Option may be passed multiple times to listen on more file
              descriptors.

       -T fd, --tlsfd=<fd>
              Listen using TLS on given file descriptor(s), passed by
              supervisor. Option may be passed multiple times to listen on
              more file descriptors.

       -c config, --config=<config>
              Set the config file with settings for kresd to read instead of
              reading the file at the default location (config). The syntax is
              described in daemon/README.md.

       -k keyfile, --keyfile=<keyfile>
              (Recommended!) Automatically managed root trust anchors file.
              Root trust anchors in this file are managed using standard RFC
              5011 (Automated Updates of DNS Security Trust Anchors). Kresd
              needs write access to the directory containing the keyfile.

              If the file does not exist, it will be automatically
              bootstrapped from IANA using the HTTPS protocol, and a warning
              that you need to check the key before trusting it will be
              issued.

              The file contains DNSKEY/DS records in presentation format, and
              is compatible with Unbound and BIND 9 root key files.

       -K keyfile, --keyfile-ro=<keyfile>
              (Discouraged) Static root trust anchors file. The file is not
              updated by kresd. Use of this option is discouraged because it
              will break your installation when the trust anchor key changes!

              Default: "" (can be empty if your distribution did not provide
              one)

       -m path, --moduledir=<path>
              Override the directory that is searched for modules. Default:
              /usr/lib64/kdns_modules

       -f N, --forks=<N>
              With this option, the daemon is started in non-interactive mode
              and instead creates a UNIX socket in rundir that the operator
              can connect to for interactive session. A number greater than 1
              forks the daemon N times, all forks will bind to same addresses
              and the kernel will load-balance between them on Linux with
              SO_REUSEPORT support.

              When socket-activated and supervised by systemd or the
              equivalent, kresd defaults to --forks=1, and must not be set to
              any other value. If you want multiple concurrent processes
              supervised in this way, they should be supervised independently
              (see kresd.systemd(7)).

       -q, --quiet
              Daemon will refrain from printing the command prompt.

       -v, --verbose
              Increase verbosity. If given multiple times, more information is
              logged. This is in addition to the verbosity (if any) from the
              config file.

       -h     Show short commandline option help.

       -V     Show the version.
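
       The -k option above warns that a bootstrapped key must be checked
       before it is trusted. The Python below is an added example, not part of
       kresd or of this manual: it reduces every DNSKEY/DS record in a keyfile
       to (owner, key tag, algorithm, SHA-256 digest) so the result can be
       compared with a reference obtained out-of-band. The sample key material
       and all function names are constructed for illustration.

```python
import base64
import hashlib

# Constructed sample in keyfile presentation format; the key material is made
# up for illustration and is NOT a real root trust anchor.
SAMPLE_KEYFILE = (
    "; constructed example\n"
    ". 172800 IN DNSKEY 257 3 8 AQIDBAUG BwgJCgsMDQ4PEA==\n"
    ". 172800 IN DS 4660 8 2 " + "AB" * 32 + "\n"
)

def name_to_wire(name):
    """Owner name in canonical (lower-case) wire format; '.' is the root."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag of DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def parse_anchors(text):
    """Return {(owner, key_tag, algorithm, sha256_digest_hex)} for a keyfile.

    DNSKEY records are reduced to their SHA-256 DS form (RFC 4509); DS records
    with digest type 2 are taken as written. Assumes one record per line.
    """
    anchors = set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if "DNSKEY" in fields:
            i = fields.index("DNSKEY")
            flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
            pubkey = base64.b64decode("".join(fields[i + 4:]))
            rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
            digest = hashlib.sha256(name_to_wire(fields[0]) + rdata).hexdigest()
            anchors.add((fields[0], key_tag(rdata), alg, digest.upper()))
        elif "DS" in fields:
            i = fields.index("DS")
            tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
            if dtype == 2:
                anchors.add((fields[0], tag, alg, "".join(fields[i + 4:]).upper()))
    return anchors

def untrusted_anchors(text, reference):
    """Anchors present in the keyfile but absent from the reference set."""
    return parse_anchors(text) - set(reference)
```

       Any record returned by untrusted_anchors() is a key in the keyfile that
       the reference does not vouch for.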

SEE ALSO

       kresd.systemd(7), https://knot-resolver.readthedocs.io

AUTHORS

       kresd developers are mentioned in the AUTHORS file in the distribution.

CZ.NIC                            2019-01-10                          kresd(8)