B4L/cnx-network-clan
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix knot startup on ns1/ns2: TSIG key perms and port 53 conflict

Browse Source 
knotd runs as the "knot" user, so the shared TSIG key file needs
owner/group knot — it was root-only and knot couldn't read it.

systemd-resolved's stub listener was holding port 53, so knot's
0.0.0.0@53 / ::@53 TCP bind failed. Disable the stub (resolution
still works via nss-resolve) to free the port.
This commit is contained in:
Berwn
2026-06-14 14:49:10 +07:00
parent 9de95b4fb5
commit 56f0af3153
1 changed files with 10 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/dns/authoritative.nix
+10 -1
View File
@@ -9,7 +9,12 @@ in
# this module, so primary and secondary authenticate transfers with the same key. # this module, so primary and secondary authenticate transfers with the same key.
clan.core.vars.generators.dns-tsig = { clan.core.vars.generators.dns-tsig = {
share = true; share = true;
files."tsig.conf".secret = true; files."tsig.conf" = {
secret = true;
# knotd drops to the "knot" user, so the included key must be readable by it.
owner = "knot";
group = "knot";
};
runtimeInputs = [ pkgs.knot-dns ]; runtimeInputs = [ pkgs.knot-dns ];
script = '' script = ''
keymgr -t cnx_xfr hmac-sha256 > "$out"/tsig.conf keymgr -t cnx_xfr hmac-sha256 > "$out"/tsig.conf
@@ -19,6 +24,10 @@ in
networking.firewall.allowedTCPPorts = [ 53 ]; networking.firewall.allowedTCPPorts = [ 53 ];
networking.firewall.allowedUDPPorts = [ 53 ]; networking.firewall.allowedUDPPorts = [ 53 ];
# knot binds 0.0.0.0@53 and ::@53, so free port 53 by disabling the
# systemd-resolved stub listener. Resolution still works via nss-resolve.
services.resolved.extraConfig = "DNSStubListener=no";
services.knot = { services.knot = {
enable = true; enable = true;
# Including the key via keyFiles keeps the secret out of the Nix store. # Including the key via keyFiles keeps the secret out of the Nix store.