
Knot DNS

A high-performance authoritative-only DNS server built by the .cz TLD operator — designed for TLD-scale deployments with automated DNSSEC management.

Overview

TLD-Grade Authoritative Server

Knot DNS is developed by CZ.NIC, the registry operator for the .cz country-code TLD. It is authoritative-only: it does not perform recursion (CZ.NIC ships a separate product, Knot Resolver, for that role). Concentrating on a single job lets Knot DNS serve zones very quickly, with a multi-threaded architecture and lock-free (RCU-based) access to in-memory zone data, so loading a new zone version never blocks the threads answering queries.

Knot DNS has strong DNSSEC automation: it signs zones, rolls keys on schedule, publishes DNSKEY (and optionally CDS/CDNSKEY) records, and can verify or push the DS at the parent. The knotc control utility and the keymgr tool make the key lifecycle far simpler than the older BIND workflow of running dnssec-keygen and dnssec-signzone by hand (BIND 9.16 and later have their own dnssec-policy automation, so the gap is narrower than it once was).

  • Authoritative-only: no recursion and no cache, hence a smaller attack surface
  • Multi-threaded with lock-free zone data access for high query throughput
  • Automatic DNSSEC signing and key rollover with configurable policies
  • Fast zone transfers with IXFR and catalog zone support
  • Online DNSSEC signing (the onlinesign module signs answers as queries arrive, so no pre-signed zone is needed, at the cost of a signing operation per response)
  • Query modules for logging (dnstap), statistics, response rate limiting (rrl) and response rewriting or synthesis (geoip, synthrecord)
  • YAML-based configuration, generally easier to read than BIND's named.conf syntax

When to Choose Knot DNS
  • You need high-throughput authoritative DNS at TLD or enterprise scale
  • You want automated DNSSEC key management
  • You prefer YAML configuration over named.conf syntax
  • You are running a ccTLD or gTLD registry
Configuration

Key Configuration Examples

knot.conf — basic setup

# /etc/knot/knot.conf (YAML)
server:
    listen: [ 0.0.0.0@53, ::@53 ]
    rundir: /run/knot

log:
  - target: syslog
    any: info

database:
    storage: /var/lib/knot

# Address-only ACL: acceptable as a first step, but add a TSIG key
# (key: <id>) before the secondary talks to this server over the open Internet.
acl:
  - id: secondary_acl
    address: 192.0.2.10
    action: transfer

# notify: below refers to a remote by id, so the remote must exist
# or knotd refuses the configuration.
remote:
  - id: secondary
    address: 192.0.2.10

zone:
  - domain: example.com
    file: zones/example.com.zone    # relative paths resolve under database.storage
    acl: secondary_acl
    notify: [ secondary ]
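The basic setup above trusts the secondary by source address alone and, as originally written, notifies a remote that is never defined, which knotd rejects at load time. knotc conf-check catches the second problem but not the first, since an address-only ACL is perfectly legal. The script below is an added example, not Knot's own tooling: it parses the flat knot.conf subset shown on this page and reports address-only transfer/update ACLs, TSIG keys without a SHA-2 HMAC, and dangling references. Both embedded configurations are constructed for illustration, and the TSIG secret in the hardened one is a placeholder, not a real key.

```python
"""Lint a knot.conf for transfer ACLs that trust the source address alone and for
dangling cross-references (which knotd refuses at load time). Added illustration,
not Knot's own tooling: it parses only the flat 'section: / - key: value' subset
of knot.conf YAML used on this page."""
import re

SECTION_RE = re.compile(r"^([a-z][a-z0-9-]*):\s*$")
KV_RE = re.compile(r"^\s*(-\s+)?([a-z][a-z0-9-]*):\s*(.*?)\s*$")


def parse_knot_conf(text):
    """Return {section: [item, ...]}; scalar sections such as server: become one dict."""
    conf, section, item = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            section, item = m.group(1), None
            conf.setdefault(section, [])
            continue
        m = KV_RE.match(line)
        if not m or section is None:
            raise ValueError("unparsed line: %r" % raw)
        dash, key, value = m.groups()
        if dash or item is None:  # '- ' opens a new list item
            item = {}
            conf[section].append(item)
        if value.startswith("[") and value.endswith("]"):
            value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        item[key] = value
    return conf


def _as_list(v):
    return v if isinstance(v, list) else [v]


# (section, field, section whose id the field must name)
REFERENCES = [("zone", "acl", "acl"), ("zone", "notify", "remote"),
              ("zone", "master", "remote"), ("zone", "dnssec-policy", "policy"),
              ("acl", "key", "key"), ("remote", "key", "key")]
STRONG_HMACS = {"hmac-sha256", "hmac-sha384", "hmac-sha512"}


def audit(conf):
    """Yield (severity, message) findings for a parsed configuration."""
    ids = {s: {i.get("id") for i in conf.get(s, [])}
           for s in ("acl", "remote", "key", "policy")}
    for a in conf.get("acl", []):
        risky = set(_as_list(a.get("action", []))) & {"transfer", "update"}
        if risky and "key" not in a:
            yield ("WARN", "acl '%s' allows %s by source address only; add key: for TSIG"
                   % (a.get("id"), ",".join(sorted(risky))))
    for k in conf.get("key", []):
        if str(k.get("algorithm", "")).lower() not in STRONG_HMACS:
            yield ("WARN", "key '%s' should set algorithm: hmac-sha256 (or stronger)" % k.get("id"))
    for sec, field, target in REFERENCES:
        for item in conf.get(sec, []):
            for ref in _as_list(item.get(field, [])):
                if ref not in ids[target]:
                    yield ("ERROR", "%s '%s' references undefined %s '%s'"
                           % (sec, item.get("domain") or item.get("id"), target, ref))


def lint(text):
    return list(audit(parse_knot_conf(text)))


# Constructed sample mirroring the page's first draft: address-only ACL, notify to an undefined remote.
WEAK_CONF = """\
acl:
  - id: secondary_acl
    address: 192.0.2.10
    action: transfer
zone:
  - domain: example.com
    acl: secondary_acl
    notify: [ secondary ]
"""

# Constructed hardened variant: TSIG on both the ACL and the remote (secret is a placeholder).
HARDENED_CONF = """\
key:
  - id: xfr-key
    algorithm: hmac-sha256
    secret: Tm90QVJlYWxTZWNyZXQxMjM0NTY3ODk=
acl:
  - id: secondary_acl
    address: 192.0.2.10
    key: xfr-key
    action: transfer
remote:
  - id: secondary
    address: 192.0.2.10
    key: xfr-key
zone:
  - domain: example.com
    acl: secondary_acl
    notify: [ secondary ]
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, lint(conf) or "OK")
```

The parser deliberately fails loudly on anything outside the simple form used here (nested mappings, quoted scalars), which is the right behaviour for a lint that feeds a deployment pipeline: a configuration it cannot read should not pass silently.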

Automatic DNSSEC signing

# DNSSEC policy in knot.conf
policy:
  - id: default_policy
    algorithm: ecdsap256sha256
    ksk-lifetime: 365d
    zsk-lifetime: 90d
    rrsig-lifetime: 14d
    rrsig-refresh: 7d

zone:
  - domain: example.com
    file: zones/example.com.zone
    dnssec-signing: on
    dnssec-policy: default_policy

# Knot handles key generation, signing, and rollover automatically.
# Check status:
#   keymgr example.com list

A ZSK rollover needs nothing outside the server, but the 365d KSK lifetime means Knot will roll the KSK yearly, and the new DS has to reach the parent before the old KSK can retire: either configure ksk-submission so Knot polls the parent for the DS (it can also publish CDS/CDNSKEY for parents that scan for them), or confirm a manual DS update with knotc zone-ksk-submitted example.com. The signature timers give a week of slack (refresh 7d before a 14d expiry), so a signing outage has seven days before validators start failing the zone.

knotc runtime commands

# Check server status
knotc status

# Reload configuration and modified zone files
knotc reload

# Reload a specific zone
knotc zone-reload example.com

# Force zone re-sign (drops existing RRSIGs and signs again with the current keys)
knotc zone-sign example.com

# Check zone status (serial, transfer state, DNSSEC timers)
knotc zone-status example.com

# Write the in-memory zone, including journal changes, back to its zone file.
# This does not push anything to secondaries; NOTIFY and IXFR/AXFR do that.
knotc zone-flush example.com

Validate an edited configuration with knotc conf-check before knotc reload so that a typo is caught without touching the running server. knotc talks to knotd over the control socket in rundir, so it has to run with permission to open that socket (as root or as the knot user).

keymgr key management

# List keys for a zone
keymgr example.com list

# Generate a new KSK
keymgr example.com generate \
    algorithm=ECDSAP256SHA256 ksk=yes

# Import an existing key pair in BIND format
keymgr example.com import-bind \
    /path/to/Kexample.com.+013+12345.key

# Show DS records to submit to registrar
keymgr example.com ds

# Set key timing for planned rollover
keymgr example.com set <keytag> \
    active=+1d retire=+90d remove=+100d

Run keymgr as the same user knotd runs as (for example sudo -u knot keymgr ...); otherwise it can leave KASP database files with ownership the daemon cannot use. Hand-set timing with set is intended for zones whose policy has manual: on; under an automatic policy Knot owns the schedule and plans its own rollovers. After changing keys, knotc zone-sign example.com makes knotd act on the new state.
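Before handing the output of keymgr example.com ds to the registrar, it is worth recomputing the DS from the DNSKEY the zone actually serves (fetched with kdig example.com DNSKEY @your-server, for instance), so that a stale KASP database or a copy-paste slip is caught before it breaks the chain of trust. The following is an added example, not part of Knot: it implements the RFC 4034 key tag and the RFC 4034/4509/6605 DS digest in Python and compares a DS presentation line against a DNSKEY presentation line. The DNSKEY it ships with is constructed (a zero public key with algorithm 13 and KSK flags) purely to exercise the code and is not a usable key.

```python
"""Recompute a DS record from a DNSKEY RR (RFC 4034 key tag, RFC 4034/4509 digest)
to cross-check what `keymgr <zone> ds` prints against the DNSKEY the zone serves.
Added illustration, not part of Knot; the sample DNSKEY is constructed."""
import base64
import hashlib
import struct

# Constructed sample: a 64-byte all-zero "public key", algorithm 13, KSK flags. Not a real key.
SAMPLE_PUBKEY = base64.b64encode(bytes(64)).decode()
SAMPLE_DNSKEY_LINE = "example.com. 3600 IN DNSKEY 257 3 13 " + SAMPLE_PUBKEY

DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}  # DS digest type -> hash (RFC 4509, RFC 6605)


def name_to_wire(name):
    """Canonical wire form of an owner name (lower-case, length-prefixed labels)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_line(line):
    """'owner [ttl] [IN] DNSKEY flags proto alg key...' -> (owner, flags, proto, alg, key_b64)."""
    f = line.split()
    i = f.index("DNSKEY")
    return f[0], int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:])


def parse_ds_line(line):
    """'owner [ttl] [IN] DS tag alg dtype hex...' -> (tag, alg, dtype, HEX)."""
    f = line.split()
    i = f.index("DS")
    return int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).upper()


def ds_for(dnskey_line, digest_type=2):
    """DS tuple (tag, alg, dtype, digest) derived from a DNSKEY presentation line."""
    owner, flags, proto, alg, key_b64 = parse_dnskey_line(dnskey_line)
    if digest_type not in DIGESTS:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode(key_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), alg, digest_type, digest


def ds_matches(ds_line, dnskey_line):
    """True iff the DS line is exactly the DS derived from the DNSKEY line."""
    tag, alg, dtype, digest = parse_ds_line(ds_line)
    if dtype not in DIGESTS:
        return False
    return (tag, alg, dtype, digest) == ds_for(dnskey_line, dtype)


if __name__ == "__main__":
    tag, alg, dtype, digest = ds_for(SAMPLE_DNSKEY_LINE)
    print("example.com. DS %d %d %d %s" % (tag, alg, dtype, digest))
```

Compare against the DNSKEY whose flags are 257 (the KSK): a DS that happens to match a ZSK validates today but breaks at the next ZSK rollover, which the policy above schedules every 90 days.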