Provided by: knot-resolver_2.1.1-1_amd64

NAME

       kresd - Knot DNS 2.1.1 full caching resolver.

SYNOPSIS

       kresd   [-a|--addr  addr[@port]]  [-t|--tls  addr[@port]]  [-S|--fd  fd]  [-T|--tlsfd  fd]
       [-c|--config config]  [-k|--keyfile  keyfile]  [-K|--keyfile-ro  keyfile]  [-m|--moduledir
       path] [-f|--forks N] [-q|--quiet] [-v|--verbose] [-V|--version] [-h|--help] [rundir]

DESCRIPTION

       Knot DNS Resolver is a DNSSEC-enabled full caching resolver.

       Default mode of operation: when it receives a DNS query, it iteratively asks authoritative
       nameservers, starting from the root zone (.) and ending with the nameservers authoritative
       for the queried name. Automatic DNSSEC means verifying the integrity of authoritative
       responses by following keys and signatures starting from the root. The root trust anchor
       is automatically bootstrapped from IANA, or you can provide a file with root trust anchors
       (same format as Unbound or BIND9 root keys file).

       The daemon also caches intermediate answers, by default in an LMDB memory-mapped
       database. This has a significant advantage over in-memory caches, as the process may be
       stopped and restarted without loss of cache entries. In a multi-user scenario, a shared
       cache is a potential privacy/security issue; with kresd, each user can keep a resolver
       cache in their private directory and use it in a fashion similar to a keychain.

       By default, no configuration is needed, only a directory where the daemon can store
       runtime data (cache, control sockets, ...).

       To use a locally running kresd for resolving put

             nameserver 127.0.0.1

       into resolv.conf(5) and start kresd

             $ kresd -a 127.0.0.1 -k root.keys
             [system] interactive mode
             >

       The daemon may also be configured as a plain forwarder using query policies; this requires
       creating a file named config in the daemon runtime directory. See daemon/README.md for
       more information about interacting with the CLI and about configuration file options, or
       visit the online documentation at https://knot-resolver.readthedocs.io.

             # Create a basic forwarder configuration
             $ cat << EOF > config
             modules = { 'policy' }
             policy.add(policy.all(policy.FORWARD('192.168.1.1')))
             EOF
             # Start kresd; it reads the file config from the runtime directory
             $ kresd -a 127.0.0.1 -k root.keys

       The available CLI options are:

       -a addr[@port], --addr=<addr[@port]>
              Listen on given address (and port) pair. If no port is  given,  53  is  used  as  a
              default.  Option may be passed multiple times to listen on more addresses.

       -t addr[@port], --tls=<addr[@port]>
              Listen using TLS on given address (and port) pair. If no port is given, 853 is used
              as a default.  Option may be passed multiple times to listen on more addresses.

       -S fd, --fd=<fd>
              Listen on given file descriptor(s), passed by supervisor.   Option  may  be  passed
              multiple times to listen on more file descriptors.

       -T fd, --tlsfd=<fd>
              Listen  using TLS on given file descriptor(s), passed by supervisor.  Option may be
              passed multiple times to listen on more file descriptors.

       -c config, --config=<config>
              Set the config file with settings for kresd to read instead of reading the file  at
              the default location (config). The syntax is described in daemon/README.md.

       -k keyfile, --keyfile=<keyfile>
              Automatically managed root trust anchors file.  Root trust anchors in this file are
              managed using standard RFC 5011 (Automated Updates of DNS Security Trust  Anchors).
              Kresd needs write access to the directory containing the keyfile.

              If the file does not exist, it will be automatically bootstrapped from IANA using
              the HTTPS protocol, and a warning that you need to check the key before trusting
              it will be issued.

              The  file contains DNSKEY/DS records in presentation format, and is compatible with
              Unbound and BIND 9 root key files.

       -K keyfile, --keyfile-ro=<keyfile>
              Static root trust anchors file. The file is not updated  by  kresd.  Please  ensure
              that  any  running  kresd  instances are restarted if the trust anchors change. (On
              Debian, this should happen automatically on upgrade of the dns-root-data package).

              Default: ""

       -m path, --moduledir=<path>
              Override the directory that is searched for modules.
              Default: /usr/lib/knot-resolver

       -f N, --forks=<N>
              With this option, the daemon is started in non-interactive mode and instead creates
              a UNIX socket in rundir that the operator can connect to for an interactive
              session. A number greater than 1 forks the daemon N times; all forks bind to the
              same addresses, and the kernel load-balances between them on Linux with
              SO_REUSEPORT support.

              When socket-activated and supervised by systemd or the equivalent, kresd defaults
              to --forks=1, and the option must not be set to any other value. If you want
              multiple concurrent processes supervised in this way, they should be supervised
              independently (see kresd.systemd(7)).

       -q, --quiet
              Daemon will refrain from printing the command prompt.

       -v, --verbose
              Increase verbosity. If given multiple times, more information is logged.   This  is
              in addition to the verbosity (if any) from the config file.

       -h     Show short command-line option help.

       -V     Show the version.
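
       One way to act on the "check the key before trusting it" warning from the -k option,
       as an added example (not part of kresd or its documentation): reduce every root DS and
       DNSKEY record in a keyfile to DS form so it can be compared with a reference obtained
       out of band. The function names and the sample keyfile are constructed for illustration,
       and one record per line is assumed.

```python
import base64
import hashlib
import struct

# Constructed sample keyfile (made-up key material, not the real root anchors).
# Assumption: one record per line, no parenthesised multi-line records.
SAMPLE_KEYFILE = """\
; constructed sample
. 172800 IN DNSKEY 257 3 8 AQID ; trailing comment
. IN DS 4660 8 2 00112233445566778899AABBCCDDEEFF 00112233445566778899AABBCCDDEEFF
"""

def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def anchors(text: str) -> set:
    """Return {(key_tag, algorithm, digest_type, DIGEST_HEX)} for root records."""
    found = set()
    for line in text.splitlines():
        f = line.split(";", 1)[0].split()  # drop comments, split into fields
        if len(f) < 2 or f[0] != ".":
            continue
        i = 1  # skip the optional TTL and class fields
        while i < len(f) and (f[i].isdigit() or f[i].upper() == "IN"):
            i += 1
        rtype, rest = (f[i].upper() if i < len(f) else ""), f[i + 1:]
        if rtype == "DS" and len(rest) >= 4:
            tag, alg, dtype = (int(x) for x in rest[:3])
            found.add((tag, alg, dtype, "".join(rest[3:]).upper()))
        elif rtype == "DNSKEY" and len(rest) >= 4:
            flags, proto, alg = (int(x) for x in rest[:3])
            key = base64.b64decode("".join(rest[3:]))
            rdata = struct.pack("!HBB", flags, proto, alg) + key
            # RFC 4509: SHA-256 over owner name in wire form (root = one zero byte) + RDATA
            digest = hashlib.sha256(b"\x00" + rdata).hexdigest().upper()
            found.add((key_tag(rdata), alg, 2, digest))
    return found

def untrusted(text: str, reference) -> list:
    """Anchors present in the keyfile but absent from the out-of-band reference."""
    return sorted(anchors(text) - set(reference))

if __name__ == "__main__":
    # Print each anchor in DS form for comparison against the published values.
    for tag, alg, dtype, digest in sorted(anchors(SAMPLE_KEYFILE)):
        print(f". IN DS {tag} {alg} {dtype} {digest}")
```

       Any tuple returned by untrusted() is an anchor the reference does not vouch for; a DS
       record with a digest type other than 2 also lands there, because it cannot match a
       SHA-256 reference.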

SEE ALSO

       kresd.systemd(7), https://knot-resolver.readthedocs.io

AUTHORS

       kresd developers are mentioned in the AUTHORS file in the distribution.