1kresd(8) Knot Resolver 5.4.2 kresd(8)
2
3
4
6 kresd - full caching DNSSEC-enabled Knot Resolver 5.4.2.
7
9 kresd [-a|--addr addr[@port]] [-t|--tls addr[@port]] [-S|--fd fd]
10 [-T|--tlsfd fd] [-c|--config config] [-n|--noninteractive] [-q|--quiet]
11 [-v|--verbose] [-V|--version] [-h|--help] [rundir]
12
14 Knot Resolver is a DNSSEC-enabled full caching resolver.
15
16 Default mode of operation: when it receives a DNS query it iteratively
17 asks authoritative nameservers starting from root zone (.) and ending
18 with a nameservers authoritative for queried name. Automatic DNSSEC
19 means verification of integrity of authoritative responses by following
20 keys and signatures starting from root. Root trust anchor is automati‐
21 cally bootstrapped from IANA, or you can provide a file with root trust
22 anchors (same format as Unbound or BIND9 root keys file).
23
24 The daemon also caches intermediate answers into cache, which by de‐
25 fault uses LMDB memory-mapped database. This has a significant advan‐
26 tage over in-memory caches as the process may be stopped and restarted
27 without loss of cache entries. In multi-user scenario a shared cache is
28 potential privacy/security issue, with kresd each user can have re‐
29 solver cache in their private directory and use it in similar fashion
30 to keychain.
31
32
33 To use a locally running kresd for resolving put
34
35 nameserver 127.0.0.1
36
37 into resolv.conf(5) and start kresd
38
39
40 The daemon may be configured also as a plain forwarder using query
41 policies. This requires using a config file. Please refer to documen‐
42 tation for configuration file options. It is available at https://knot-
43 resolver.readthedocs.io or in package documentation (available as knot-
44 resolver-doc package in most distributions).
45
46 The available CLI options are:
47
48 -a addr[@port], --addr=<addr[@port]>
49 Listen on given address (and port) pair. If no port is given, 53
50 is used as a default. Option may be passed multiple times to
51 listen on more addresses.
52
53 -t addr[@port], --tls=<addr[@port]>
54 Listen using TLS on given address (and port) pair. If no port is
55 given, 853 is used as a default. Option may be passed multiple
56 times to listen on more addresses.
57
58 -S fd, --fd=<fd>
59 Listen on given file descriptor(s), passed by supervisor. Op‐
60 tion may be passed multiple times to listen on more file de‐
61 scriptors.
62
63 -T fd, --tlsfd=<fd>
64 Listen using TLS on given file descriptor(s), passed by supervi‐
65 sor. Option may be passed multiple times to listen on more file
66 descriptors.
67
68 -c config, --config=<config>
69 Set the config file with settings for kresd to read instead of
70 reading the file at the default location (config).
71
72 -f N, --forks=<N>
73 This option is deprecated since 5.0.0!
74
75 With this option, the daemon is started in non-interactive mode
76 and instead creates a UNIX socket in rundir that the operator
77 can connect to for interactive session. A number greater than 1
78 forks the daemon N times, all forks will bind to same addresses
79 and the kernel will load-balance between them on Linux with
80 SO_REUSEPORT support.
81
82 If you want multiple concurrent processes supervised in this
83 way, they should be supervised independently (see kresd.sys‐
84 temd(7)).
85
86 -n, --noninteractive
87 Daemon will refrain from entering into read-eval-print loop for
88 stdin+stdout.
89
90 -q, --quiet
91 Daemon will refrain from printing the command prompt.
92
93 -v, --verbose
94 Increase logging to debug level.
95
96 -h Show short commandline option help.
97
98 -V Show the version.
99
101 kresd.systemd(7), https://knot-resolver.readthedocs.io/en/v5.4.2/
102
104 kresd developers are mentioned in the AUTHORS file in the distribution.
105
106
107
108CZ.NIC 2021-10-13 kresd(8)