knot-resolver-users April 2026

knot-resolver-users@lists.nic.cz

3 participants
3 discussions

Re: is there a way to force DNS64 synthesis for specific domains that have native AAAA records?

by Vladimír Čunát

On 12/01/2026 00.11, * wrote: > However, I cannot use it in my production environment as this returns > NODATA globally (all views) for security.ubuntu.com. > I have several views not using dns64 for which the AAAA record should > be the existing original answer. While on Lua level it's not ergonomic, tags are supported in these APIs, so you can do a tiny change, e.g.: lua: policy-script: | assert(C.kr_rule_local_data_ins( kres.rrset(kres.str2dname('security.ubuntu.com.'), kres.type.AAAA, nil, C.KR_RULE_TTL_DEFAULT), nil, policy.get_tagset({'myTag'}), C.KR_RULE_OPTS_DEFAULT ) == 0) and then you just need to add myTag to the views where you want to apply this rule (in YAML). You can read more about tags and views in the docs, around page https://www.knot-resolver.cz/documentation/latest/config-policy-new.html

1 week

Knot Resolver 6.3.0

by Aleš Mrázek

Dear Knot Resolver users, Knot Resolver 6.3.0 has been released! Improvements: - /local-data/rpz: support *.some.name. CNAME block.page. (!1808) - /local-data/rpz: print line number in the RPZ on error (!1823) - /local-data/nodata: also apply to `rpz:` and `records:` (!1812) - reply BADVERS on unsupported EDNS versions (#404, !1599) - make DoH cache-control header respect our cache's TTL limits (!1819) Bugfixes: - don't loop on reload in case policy-loader can't succeed (#950, !1824) - reduce excessive caching of some uncommon failed answers (!1819) - /local-data: fix `redirect` rules and *.localhost since v6.0.13 (!1817) Full changelog: https://gitlab.nic.cz/knot/knot-resolver/raw/v6.3.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-6.3.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-6.3.0.tar.xz.asc Documentation: https://www.knot-resolver.cz/documentation/v6.3.0/ -- Ales Mrazek PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE

2 weeks, 2 days

policy-loader endless loop when using more than one rpz

by Frederik Himpe

Hello, I'm using this config.yaml with Knot Resolver 6 (on Debian 13): workers: auto network: listen: - interface: 127.0.0.1@53 logging: level: info options: violators-workarounds: true cache: size-max: 100M prefetch: expiring: true dnssec: log-bogus: true local-data: rpz: - file: /var/lib/rpz/urlhaus.abuse.ch.rpz - file: /var/lib/rpz/threatfox.abuse.ch.rpz lua: script: | policy.add(policy.suffix(policy.DENY, {todname('use-application-dns.net.')})) policy.add(policy.suffix(policy.PASS, policy.todnames({ 'uribl.com', 'zen.spamhaus.org', 'dbl.spamhaus.org', 'list.dnswl.org', 'sa-trusted.bondedsender.org', 'sa-accredit.habeas.com', 'bl.score.senderscore.com', 'dnsbl-1.uceprotect.net', 'dnsbl-2.uceprotect.net', 'dnsbl-3.uceprotect.net' }))) policy.add(policy.all(policy.TLS_FORWARD({ {'9.9.9.9', hostname='dns.quad9.net', ca_file='/etc/ssl/certs/ca-certificates.crt' }, {'149.112.112.112', hostname='dns.quad9.net', ca_file='/etc/ssl/certs/ca-certificates.crt' }, }))) This results in this endless loop in the logs: Apr 10 11:56:49 supervisord[56300]: captured stdio output from policy-loader[56777] (stderr): [system] config 'policy-loader.conf' (workdir '/run/knot-resolver'): No such file or directory Apr 10 11:56:49 supervisord[56300]: success: policy-loader entered RUNNING state, process has stayed up for > than 0 seconds (startsecs) Apr 10 11:56:49 supervisord[56300]: exited: policy-loader (exit status 1; not expected) Apr 10 11:56:49 supervisord[56300]: spawned: 'policy-loader' with pid 56778 Apr 10 11:56:49 supervisord[56300]: captured stdio output from policy-loader[56778] (stderr): [system] config 'policy-loader.conf' (workdir '/run/knot-resolver'): No such file or directory Apr 10 11:56:49 supervisord[56300]: success: policy-loader entered RUNNING state, process has stayed up for > than 0 seconds (startsecs) Apr 10 11:56:50 supervisord[56300]: exited: policy-loader (exit status 1; not expected) When using only one rpz file, thus removing the whole line - file: /var/lib/rpz/threatfox.abuse.ch.rpz it works fine. What am I doing wrong here? -- Frederik Himpe <frederik(a)frehi.be>

1 month

2026

2025

2024

2023

2022

2021

2020

2019

2018

knot-resolver-users April 2026