kresd(8) Knot Resolver 6.0.12 kresd(8)
NAME
kresd - full caching DNSSEC-enabled Knot Resolver 6.0.12.
SYNOPSIS
kresd [-a|--addr addr[@port]] [-t|--tls addr[@port]] [-S|--fd fd]
[-T|--tlsfd fd] [-c|--config config] [-n|--noninteractive] [-q|--quiet]
[-v|--verbose] [-V|--version] [-h|--help] [rundir]
DESCRIPTION
Beware: you most likely don't want to use the kresd process directly.
Instead the knot-resolver command will manage the processes for you.
Knot Resolver is a DNSSEC-enabled full caching resolver.
Default mode of operation: when it receives a DNS query it iteratively
asks authoritative nameservers, starting from the root zone (.) and ending
with the nameservers authoritative for the queried name. Automatic DNSSEC
means verification of integrity of authoritative responses by following
keys and signatures starting from the root. The root trust anchor is
automatically bootstrapped from IANA, or you can provide a file with
root trust anchors (same format as Unbound or BIND9 root keys file).
The daemon also caches intermediate answers, by default in an LMDB
memory-mapped database. This has a significant advantage over in-memory
caches as the process may be stopped and restarted without loss of cache
entries. In a multi-user scenario a shared cache is a potential
privacy/security issue; with kresd each user can keep a resolver cache in
their private directory and use it in a similar fashion to a keychain.
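The per-user setup described above only helps if the directory really is private. The following is an added example, not part of the kresd distribution: it refuses any rundir that is a symlink, is owned by someone else, or has group/other permission bits set, and prints a loopback-only command line. The function names, the port 5353 and the example path are assumptions, as is the premise that the per-user instance keeps its state under the rundir argument shown in the SYNOPSIS.

```shell
#!/bin/sh
# Added example: prepare a private per-user rundir for kresd and print the
# command line to start it. Function names, port and path are assumptions.

# Return 0 only if $1 is a real directory (not a symlink), owned by the
# caller, with no group/other permission bits set.
rundir_is_private() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    [ -O "$dir" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$dir" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Create the rundir with mode 0700 if it is missing. An existing directory
# is never silently "fixed": it is checked and refused if it is too open.
prepare_rundir() {
    dir=$1
    if [ ! -e "$dir" ]; then
        (umask 077 && mkdir -p "$dir") || return 1
    fi
    rundir_is_private "$dir"
}

# Print the kresd invocation for a loopback-only, non-interactive instance.
# Uses only options from this page: -n, -a addr[@port] and the rundir.
kresd_cmdline() {
    dir=$1
    port=${2:-5353}   # assumed unprivileged port; the default 53 needs privileges
    prepare_rundir "$dir" || {
        echo "refusing to use $dir: not a private directory" >&2
        return 1
    }
    printf 'kresd -n -a 127.0.0.1@%s %s\n' "$port" "$dir"
}

# Example call (hypothetical path): kresd_cmdline "$HOME/.cache/kresd" 5353
```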
To use a locally running kresd for resolving, put
nameserver 127.0.0.1
into resolv.conf(5) and start kresd.
The daemon may also be configured as a plain forwarder using query
policies. This requires using a config file. Please refer to
documentation for configuration file options. It is available at
https://www.knot-resolver.cz/documentation/latest/ or in package
documentation (available as knot-resolver-doc package in most
distributions).
The available CLI options are:
-a addr[@port], --addr=<addr[@port]>
Listen on given address (and port) pair. If no port is given, 53
is used as a default. Option may be passed multiple times to
listen on more addresses.
-t addr[@port], --tls=<addr[@port]>
Listen using TLS on given address (and port) pair. If no port is
given, 853 is used as a default. Option may be passed multiple
times to listen on more addresses.
-S fd, --fd=<fd>
Listen on given file descriptor(s), passed by supervisor.
Option may be passed multiple times to listen on more file
descriptors.
-T fd, --tlsfd=<fd>
Listen using TLS on given file descriptor(s), passed by
supervisor. Option may be passed multiple times to listen on
more file descriptors.
-c config, --config=<config>
Set the config file with settings for kresd to read instead of
reading the file at the default location (config).
-n, --noninteractive
The daemon will refrain from entering the read-eval-print loop on
stdin+stdout.
-q, --quiet
The daemon will refrain from printing the command prompt.
-v, --verbose
Increase logging to debug level.
-h Show short command-line option help.
-V Show the version.
SEE ALSO
https://www.knot-resolver.cz/documentation/latest/
AUTHORS
kresd developers are mentioned in the AUTHORS file in the distribution.
CZ.NIC 2025-04-24 kresd(8)
