From 56f0af31539130faa62fa9e1da4ce7fcc14e6b8b Mon Sep 17 00:00:00 2001
From: Berwn
Date: Sun, 14 Jun 2026 14:49:10 +0700
Subject: [PATCH] Fix knot startup on ns1/ns2: TSIG key perms and port 53 conflict
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

knotd runs as the "knot" user, so the shared TSIG key file needs owner/group knot — it was root-only and knot couldn't read it. systemd-resolved's stub listener was holding port 53, so knot's 0.0.0.0@53 / ::@53 TCP bind failed. Disable the stub (resolution still works via nss-resolve) to free the port.
---
 modules/dns/authoritative.nix | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/modules/dns/authoritative.nix b/modules/dns/authoritative.nix
index 0eeb93c..b0cbb8b 100644
--- a/modules/dns/authoritative.nix
+++ b/modules/dns/authoritative.nix
@@ -9,7 +9,12 @@ in
 # this module, so primary and secondary authenticate transfers with the same key.
 clan.core.vars.generators.dns-tsig = {
 share = true;
- files."tsig.conf".secret = true;
+ files."tsig.conf" = {
+ secret = true;
+ # knotd drops to the "knot" user, so the included key must be readable by it.
+ owner = "knot";
+ group = "knot";
+ };
 runtimeInputs = [ pkgs.knot-dns ];
 script = ''
 keymgr -t cnx_xfr hmac-sha256 > "$out"/tsig.conf
@@ -19,6 +24,10 @@ in
 networking.firewall.allowedTCPPorts = [ 53 ];
 networking.firewall.allowedUDPPorts = [ 53 ];
 
+ # knot binds 0.0.0.0@53 and ::@53, so free port 53 by disabling the
+ # systemd-resolved stub listener. Resolution still works via nss-resolve.
+ services.resolved.extraConfig = "DNSStubListener=no";
+
 services.knot = {
 enable = true;
 # Including the key via keyFiles keeps the secret out of the Nix store.
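Review bot: The added `owner = "knot"; group = "knot";` on `files."tsig.conf"` make the shared TSIG secret readable by knotd but leave the file mode to whatever the vars generator defaults to, and that default is not visible in this hunk. If the generator exposes a mode option, pinning it to `0400` next to owner/group would state the least-privilege intent explicitly and guard against a group- or world-readable default for a key that authenticates zone transfers. The chown also presumes the `knot` user and group exist when the secret is installed; if that user is only created when services.knot is enabled, a host that imports this generator without the service would fail at deploy time, which is worth a one-line comment. The dns-tsig generator attrset continues past the end of the hunk.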
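Review bot: `services.resolved.extraConfig = "DNSStubListener=no";` frees port 53, but the accompanying comment's claim that resolution still works only holds for NSS clients; anything that reads /etc/resolv.conf directly (dig, host, statically linked or Go-resolver binaries, containers) will keep using 127.0.0.53 if that file is still the stub-resolv.conf symlink, and those lookups will fail once the stub is gone. Pair the change with pointing resolv.conf at resolved's upstream server list, e.g. `environment.etc."resolv.conf".source = "/run/systemd/resolve/resolv.conf";` (this may need lib.mkForce over the module default), and extend the comment to say which clients the nss-resolve path covers. The setting also only has effect on hosts where services.resolved is enabled, so the comment could record that assumption for ns1/ns2.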