Dear all,
I am using knot-resolver for DNS over TLS (DoT) for a while now. So far
I let nginx handle the TLS part on port 853 and proxy the requests to
127.0.0.1:53. I wanted to simplify my setup and let knot-resolver do the
whole thing. But I am facing problems on my server (Debian Stable
Bullseye).
I can enable DoT on 853 successfully using without specifying certs but
I want to use my TLS certs created by certbot. Once I add the following
line kresd fails to start.
> net.tls("/etc/letsencrypt/live/mdosch.de/fullchain.pem",
> "/etc/letsencrypt/live/mdosch.de/privkey.pem")
Systemd shows me the following error:
> Oct 28 19:49:41 v220191283267104968 systemd[1]: Starting Knot Resolver daemon...
> Oct 28 19:49:41 v220191283267104968 kresd[22488]: [tls] gnutls_certificate_set_x509_key_file(/etc/letsencrypt/live/md>
> Oct 28 19:49:41 v220191283267104968 kresd[22488]: [system] error while loading config: error occurred here (config fi>
> Oct 28 19:49:41 v220191283267104968 kresd[22488]: stack traceback:
> Oct 28 19:49:41 v220191283267104968 kresd[22488]: [C]: in function 'tls'
> Oct 28 19:49:41 v220191283267104968 kresd[22488]: /etc/knot-resolver/kresd.conf:3: in main chunk
> Oct 28 19:49:41 v220191283267104968 kresd[22488]: ERROR: Invalid argument (workdir '/var/lib/knot-resolver')
> Oct 28 19:49:41 v220191283267104968 systemd[1]: kresd(a)1.service: Main process exited, code=exited, status=1/FAILURE
> Oct 28 19:49:41 v220191283267104968 systemd[1]: kresd(a)1.service: Failed with result 'exit-code'.
> Oct 28 19:49:41 v220191283267104968 systemd[1]: Failed to start Knot
> Resolver daemon.
The files are world readable so I don't know what's going on:
> ll /etc/letsencrypt/live/mdosch.de/
> total 4.0K
> -rw-r--r-- 1 certbot prosody 692 Jun 11 00:30 README
> lrwxrwxrwx 1 root root 38 Oct 27 22:07 cert.pem -> ../../archive/mdosch.de-0003/cert9.pem
> lrwxrwxrwx 1 root root 39 Oct 27 22:07 chain.pem -> ../../archive/mdosch.de-0003/chain9.pem
> lrwxrwxrwx 1 root root 43 Oct 27 22:07 fullchain.pem -> ../../archive/mdosch.de-0003/fullchain9.pem
> lrwxrwxrwx 1 root root 41 Oct 27 22:07 privkey.pem -> ../../archive/mdosch.de-0003/privkey9.pem
Also I don't understand why it complains about the workdir as I didn't
change anything regarding workdir but only pointed to the cert and key
file.
Do you have any idea what I am doing wrong?
Best regards,
Martin
Hi there,
is it actually possible to import a zone file for a locale zone
(yyyyy.xxxx.com.lan) or does it have to be done differently?
In any case, I can't figure out how to do it correctly!
Can someone help with an example i have had some problems with my local
domains since i switched to knot?
Can you actually import the domains from knot into the knot resolver?
I would like to have a stable DNS system on my servers again with knot & knot-
resolver I hope I "think" correctly, a 25 year "bind" damaged person ;-)
--
mit freundlichen Grüßen / best regards
Günther J. Niederwimmer
Hello List,
I would like to install KNOT-resolver, first test it with DNS over TLS, but
that doesn't work?
My system is an oracle Linux 8.4
I have a Letsencrypt certificate for this system and wanted to integrate it
into kresd, but I get a GNUTLS error?
Sep 22 18:27:30 bbs kresd[446005]: [tls ]
gnutls_certificate_set_x509_key_file(/etc/letsencrypt/live/bbs.xxxx.xxxx/
fullchain_ecdsa.pem,/etc/pki/private/xxxx.xxxx_ec.key) failed: -64
(GNUTLS_E_FILE_ERROR)
Sep 22 18:27:30 bbs kresd[446005]: [system] error while loading config: error
occurred here (config filename:lineno is at the bottom, if config is
involved):#012stack traceback:#012#011[C]: in function 'tls'#012#011/etc/knot-
resolver/kresd.conf:24: in main chunk#012ERROR: Invalid argument (workdir '/
var/lib/knot-resolver')
Sep 22 18:27:30 bbs systemd[1]: kresd(a)1.serbice.service: Main process exited,
code=exited, status=1/FAILURE
Does this not work with a Letsenkrypt certificate or I have another error in
my configuration
My config
-- SPDX-License-Identifier: CC0-1.0
-- vim:syntax=lua:set ts=4 sw=4:
-- Refer to manual: https://knot-resolver.readthedocs.org/en/stable/
-- Uncomment this only if you need to debug problems
-- verbose(true)
log_level('debug')
-- Network interface configuration
net.listen('127.0.0.1', 53, { kind = 'dns' })
net.listen('127.0.0.1', 853, { kind = 'tls' })
--net.listen('127.0.0.1', 443, { kind = 'doh2' })
net.listen('::1', 53, { kind = 'dns', freebind = true })
net.listen('::1', 853, { kind = 'tls', freebind = true })
--net.listen('::1', 443, { kind = 'doh2' })
net.listen('xxx.xxx.xxx.1', 53, { kind = 'dns' })
net.listen('xxx.xxx.xxx.1', 853, { kind = 'tls' })
net.listen('192.168.100.200', 53, { kind = 'dns' })
net.listen('192.168.100.200', 853, { kind = 'tls' })
net.listen('xxx:xxxx:xxxx:xxx::200', 53, { kind = 'dns' })
net.listen('xxx:xxxx:xxxx:xxx::200', 853, { kind = 'tls' })
-- DNS over TLS
net.tls("/etc/letsencrypt/live/bbs.xxxx.xxx/fullchain_ecdsa.pem", "/etc/pki/
tls/private/xxxx.xxx_ec.key")
-- Load useful modules
modules = {
'hints > iterate', -- Load /etc/hosts and allow custom root hints
'stats', -- Track internal statistics
'predict', -- Prefetch expiring/frequent records
}
I heard / read from a user that knot resolver must have its own rights for the
certificate, but that is not possible, because the key is also intended for
other computers and this creates a system risk? Is this a design problem or a
bug?
Thanks for an answer,
--
mit freundlichen Grüßen / best regards
Günther J. Niederwimmer
On 24/09/2021 14.29, Günther J. Niederwimmer wrote:
> I mean my cert and key are are equipped with "standard" rights ?
>
> Knot-resolver can't handle it ?
It does not run under "root" user or group (by default), so in your
settings it won't be able to read them.
--Vladimir
Hi,
I'm having trouble reading the documentation for Lua modules, is it
possible to issue multiple recursive queries and await all of the
results?
What I'm trying to achieve is a CNAME glue-zone, d.example.com, that
searches in several other zones (phy.example.com, vm.example.com,
ad.example.com, etc) and returns a CNAME record into the one with the
highest priority (configurable, probably just a list) that does not
reply with a NXDOMAIN.
I'd like to do all the recursions in parallel, to keep users as happy
as possible.
Configuration might look something like this:
local zones = {
["d.example.com"] = {
"phy.example.com",
"vm.example.com",
"ad.example.com"
},
["vm.example.com"] = {
"vmware.vm.example.com",
"hyperv.vm.example.com"
}
}
/Erik
() ascii ribbon - against html e-mail
/\ arc.pasp.de - against proprietary attachments
Hello,
it seems that Knot Resolver doesn't responde for DNS ANY queries or it does?
Unable to found how to set it up in documentaction.
Thank you for you help
Michal
Hello,
it seems that Knot Resolver doesn't responde for DNS ANY queries or it does?
Unable to found how to set it up in documentaction.
Thank you for your help
Michal
