bionic (8) kresd.8.gz

Provided by: knot-resolver_2.1.1-1_amd64

NAME

       kresd - Knot DNS 2.1.1 full caching resolver.

SYNOPSIS

       kresd  [-a|--addr  addr[@port]]  [-t|--tls addr[@port]] [-S|--fd fd] [-T|--tlsfd fd] [-c|--config config]
       [-k|--keyfile keyfile]  [-K|--keyfile-ro  keyfile]  [-m|--moduledir  path]  [-f|--forks  N]  [-q|--quiet]
       [-v|--verbose] [-V|--version] [-h|--help] [rundir]

DESCRIPTION

       Knot DNS Resolver is a DNSSEC-enabled full caching resolver.

       Default mode of operation: when it receives a DNS query, it iteratively asks authoritative nameservers,
       starting from the root zone (.) and ending with the nameservers authoritative for the queried name.
       Automatic DNSSEC means verification of the integrity of authoritative responses by following keys and
       signatures starting from the root. The root trust anchor is automatically bootstrapped from IANA, or you
       can provide a file with root trust anchors (same format as the Unbound or BIND9 root keys file).

       The daemon also caches intermediate answers in a cache which by default uses an LMDB memory-mapped
       database. This has a significant advantage over in-memory caches, as the process may be stopped and
       restarted without loss of cache entries. In a multi-user scenario a shared cache is a potential
       privacy/security issue; with kresd each user can have a resolver cache in their private directory and
       use it in a similar fashion to a keychain.

       By default, no configuration is needed, only a directory where the daemon can store runtime data (cache,
       control sockets, ...).

       To use a locally running kresd for resolving, put

             nameserver 127.0.0.1

       into resolv.conf(5) and start kresd:

             $ kresd -a 127.0.0.1 -k root.keys
             [system] interactive mode
             >

       The daemon may also be configured as a plain forwarder using query policies, which requires creating a
       file named config in the daemon runtime directory. See daemon/README.md for more information about
       interacting with the CLI and about configuration file options, or visit the online documentation at
       https://knot-resolver.readthedocs.io.

             # Create a basic forwarder configuration (the heredoc must be closed before kresd is started)
             $ cat << EOF > config
             modules = { 'policy' }
             policy.add(policy.all(policy.FORWARD('192.168.1.1')))
             EOF
             $ kresd -a 127.0.0.1 -k root.keys

       The available CLI options are:

       -a addr[@port], --addr=<addr[@port]>
              Listen on given address (and port) pair. If no port is given, 53 is used as a default.  Option may
              be passed multiple times to listen on more addresses.

       -t addr[@port], --tls=<addr[@port]>
              Listen  using TLS on given address (and port) pair. If no port is given, 853 is used as a default.
              Option may be passed multiple times to listen on more addresses.

       -S fd, --fd=<fd>
              Listen on given file descriptor(s), passed by supervisor.  Option may be passed multiple times  to
              listen on more file descriptors.

       -T fd, --tlsfd=<fd>
              Listen using TLS on given file descriptor(s), passed by supervisor.  Option may be passed multiple
              times to listen on more file descriptors.

       -c config, --config=<config>
              Set the config file with settings for kresd to read instead of reading the  file  at  the  default
              location (config). The syntax is described in daemon/README.md.

       -k keyfile, --keyfile=<keyfile>
              Automatically  managed root trust anchors file.  Root trust anchors in this file are managed using
              standard RFC 5011 (Automated Updates of DNS Security Trust Anchors).  Kresd needs write access  to
              the directory containing the keyfile.

              If the file does not exist, it will be automatically bootstrapped from IANA using the HTTPS
              protocol, and a warning that you need to check the key before trusting it will be issued.

              The file contains DNSKEY/DS records in presentation format, and is  compatible  with  Unbound  and
              BIND 9 root key files.

       -K keyfile, --keyfile-ro=<keyfile>
              Static  root  trust anchors file. The file is not updated by kresd. Please ensure that any running
              kresd instances are restarted if  the  trust  anchors  change.  (On  Debian,  this  should  happen
              automatically on upgrade of the dns-root-data package).

              Default: ""

       -m path, --moduledir=<path>
              Override the directory that is searched for modules.  Default: /usr/lib/knot-resolver

       -f N, --forks=<N>
              With this option, the daemon is started in non-interactive mode and instead creates a UNIX socket
              in rundir that the operator can connect to for an interactive session. A number greater than 1
              forks the daemon N times; all forks bind to the same addresses and the kernel load-balances
              between them on Linux with SO_REUSEPORT support.

              When socket-activated and supervised by systemd or the equivalent, kresd  defaults  to  --forks=1,
              and  must  not be set to any other value.  If you want multiple concurrent processes supervised in
              this way, they should be supervised independently (see kresd.systemd(7)).

       -q, --quiet
              Daemon will refrain from printing the command prompt.

       -v, --verbose
              Increase verbosity. If given multiple times, more information is logged.  This is in  addition  to
              the verbosity (if any) from the config file.

       -h     Show short command-line option help.

       -V     Show the version.
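
       The -k/--keyfile option warns that a bootstrapped trust anchor must be checked before it is trusted.
       The following Python is an added example, not part of kresd: it reads a keyfile in the presentation
       format described above, derives the RFC 4034 key tag and SHA-256 DS digest of each key-signing key,
       and compares them with a root DS record you copied out of band from IANA's root-anchors publication
       (assumed to be at https://data.iana.org/root-anchors/). The sample keyfile below is constructed and
       contains no real root key.

```python
# Added example (not kresd code): check a -k/--keyfile trust-anchor file against a DS record obtained out of band.
import base64
import hashlib

# Constructed sample keyfile: NOT a real root key, just a 2-byte key blob.
SAMPLE_KEYFILE = ". 172800 IN DNSKEY 257 3 8 AQI=  ;;id = 1291 (constructed)\n"

def name_to_wire(name: str) -> bytes:
    """Uncompressed, lower-cased wire-format owner name; '.' is one zero byte."""
    labels = name.rstrip(".").lower().split(".") if name.rstrip(".") else []
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def parse_dnskeys(text: str) -> list:
    """Return (owner, flags, protocol, algorithm, rdata) for each DNSKEY line."""
    keys = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop ;-comments, tokenize
        if "DNSKEY" not in fields:
            continue  # blank line, DS record or anything else
        i = fields.index("DNSKEY")
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        pubkey = base64.b64decode("".join(fields[i + 4:]))
        rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
        keys.append((fields[0], flags, proto, alg, rdata))
    return keys

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms != 1)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256(owner wire name || DNSKEY RDATA), upper hex."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()

def matches_trusted_ds(keyfile_text: str, trusted_ds: str) -> bool:
    """True if a KSK (SEP flag set) in the keyfile matches the trusted DS line."""
    fields = trusted_ds.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    if dtype != 2:
        raise ValueError("only SHA-256 (digest type 2) is handled here")
    digest = "".join(fields[i + 4:]).upper()
    for owner, flags, _proto, key_alg, rdata in parse_dnskeys(keyfile_text):
        if owner != fields[0] or key_alg != alg or not flags & 0x0001:
            continue
        if key_tag(rdata) == tag and ds_sha256(owner, rdata) == digest:
            return True  # the bootstrapped KSK is the one the trusted DS names
    return False
```

       Run it against the real keyfile with the DS line copied from IANA; a False result means the bootstrapped
       key must not be trusted.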

SEE ALSO

       kresd.systemd(7), https://knot-resolver.readthedocs.io

AUTHORS

       kresd developers are mentioned in the AUTHORS file in the distribution.