- knot-resolver-users - lists.nic.cz

DNSSEC validation failure logging on Centos 7 Knot Resolver, version 4.2.0

by Milan Jeskynka Kazatel

Hello Team, I would like to know if the "DNSSEC validation failure logging" is enabled by DEFAULT in version 4.2.0. on Centos 7. I do not have any explicit call for this module - as is described in the documentation like this: modules.load('bogus_log'), nevertheless, I´m facing a huge report in the system log regarding DNSSEC validation failure somedomainname. DNSKEY In the configuration, I´m using the 'http' module and module 'stats', can it be relevant? kresd.conf -- Load Useful modules modules = { 'policy', -- Block queries to local zones/bad sites 'view', -- Handle requests by source IP 'stats', -- Track internal statistics 'hints', -- Add static records to resolver } -- load HTTP module with defaults (self-signed TLS cert) modules.load('http') http.config() How can I disable DNSSEC validation failure logging? best regards, -- Smil Milan Jeskyňka Kazatel

5 let, 7 měsíců

1
0
0 0

HTTP module after upgrade from Knot DNS Resolver, version 2.3.0 to Knot Resolver, version 4.2.0

by Milan Jeskynka Kazatel

Hello Knot Resolver team, I tried to upgrade to the latest stable version of Knot Resolver on Centos7, where I'm facing with a configuration issue with the module HTTP. I used it in version 2.3.0 with configuration -- Load Useful modules modules = { 'policy', -- Block queries to local zones/bad sites 'view', -- Handle requests by source IP 'stats', -- Track internal statistics 'hints', -- Add static records to resolver http = { host = '10.0.0.1', port = 8053, cert = false, } } and it works as expected, I reached a /stats/ from the browser. Unfortunately after upgrade to version 4.2.0 I'm not able to correctly start the module even if I follow the migration hints on documentation websites. I still receive a startup fail message Oct 04 11:32:09 dns systemd[1]: Starting Knot Resolver daemon... Oct 04 11:32:54 dns kresd[9540]: error: /usr/lib64/knot-resolver/kres_ modules/http.lua:35: attempt to call global 'moduledir' (a nil value) Oct 04 11:32:54 dns kresd[9540]: [system] failed to load module 'http' Oct 04 11:32:54 dns kresd[9540]: error occured here (config filename:lineno is at the bottom, if config is involved): Oct 04 11:32:54 dns kresd[9540]: stack traceback: Oct 04 11:32:54 dns kresd[9540]: [C]: in function 'load' Oct 04 11:32:54 dns kresd[9540]: /etc/knot-resolver/kresd.conf:14: in main chunk Oct 04 11:32:54 dns kresd[9540]: ERROR: No such file or directory Oct 04 11:32:54 dns systemd[1]: kresd(a)1.service: main process exited, code= exited, status=1/FAILURE Oct 04 11:32:54 dns systemd[1]: Failed to start Knot Resolver daemon. Current configuration is: -- interfaces ... net.listen('10.0.0.1', 8453, { kind = 'webmgmt' }) -- load HTTP module with defaults (self-signed TLS cert) modules.load('http') http.config() -- Load Useful modules modules = { 'policy', -- Block queries to local zones/bad sites 'view', -- Handle requests by source IP 'stats', -- Track internal statistics 'hints', -- Add static records to resolver } Where should be written the path to module http? What I did wrong? Regards, -- Smil Milan Jeskyňka Kazatel

5 let, 8 měsíců

2
4
0 0

Knot Resolver 4.2.2

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 4.2.2 has been released! Bugfixes -------- - lua bindings: fix a 4.2.1 regression on 32-bit systems (#514) which also fixes libknot 2.9 support on all systems Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v4.2.2/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-4.2.2.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-4.2.2.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v4.2.2/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

5 let, 8 měsíců

1
0
0 0

HTTP module after upgrade from Knot DNS Resolver, version 2.3.0 to Knot Resolver, version 4.2.0

by Milan Jeskynka Kazatel

Hello Knot Resolver team, I tried to upgrade to the latest stable version of Knot Resolver on Centos7, where I'm facing with a configuration issue with the module HTTP. I used it in version 2.3.0 with configuration -- Load Useful modules modules = { 'policy', -- Block queries to local zones/bad sites 'view', -- Handle requests by source IP 'stats', -- Track internal statistics 'hints', -- Add static records to resolver http = { host = '10.0.0.1', port = 8053, cert = false, } } and it works as expected, I reached a /stats/ from the browser. Unfortunately after upgrade to version 4.2.0 I'm not able to correctly start the module even if I follow the migration hints on documentation websites. I still receive a startup fail message Oct 04 11:32:09 dns systemd[1]: Starting Knot Resolver daemon... Oct 04 11:32:54 dns kresd[9540]: error: /usr/lib64/knot-resolver/kres_ modules/http.lua:35: attempt to call global 'moduledir' (a nil value) Oct 04 11:32:54 dns kresd[9540]: [system] failed to load module 'http' Oct 04 11:32:54 dns kresd[9540]: error occured here (config filename:lineno is at the bottom, if config is involved): Oct 04 11:32:54 dns kresd[9540]: stack traceback: Oct 04 11:32:54 dns kresd[9540]: [C]: in function 'load' Oct 04 11:32:54 dns kresd[9540]: /etc/knot-resolver/kresd.conf:14: in main chunk Oct 04 11:32:54 dns kresd[9540]: ERROR: No such file or directory Oct 04 11:32:54 dns systemd[1]: kresd(a)1.service: main process exited, code= exited, status=1/FAILURE Oct 04 11:32:54 dns systemd[1]: Failed to start Knot Resolver daemon. Current configuration is: -- interfaces ... net.listen('10.0.0.1', 8453, { kind = 'webmgmt' }) -- load HTTP module with defaults (self-signed TLS cert) modules.load('http') http.config() -- Load Useful modules modules = { 'policy', -- Block queries to local zones/bad sites 'view', -- Handle requests by source IP 'stats', -- Track internal statistics 'hints', -- Add static records to resolver } Where should be written the path to module http? What I did wrong? -- Smil Milan Jeskyňka Kazatel

5 let, 8 měsíců

1
0
0 0

Knot Resolver 4.2.1

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 4.2.1 has been released! Note for Debian users: If you have previously installed knot-resolver-dbgsym package on Debian, please remove it and install knot-resolver-dbg instead. Bugfixes -------- - rebinding module: fix handling some requests, respect ALLOW_LOCAL flag - fix incorrect SERVFAIL on cached bogus answer for +cd request (!860) (regression since 4.1.0 release, in less common cases) - prefill module: allow a different module-loading style (#506) - validation: trim TTLs by RRSIG's expiration and original TTL (#319, #504) - NS choice algorithm: fix a regression since 4.0.0 (#497, !868) - policy: special domains home.arpa. and local. get NXDOMAIN (!855) Improvements ------------ - add compatibility with (future) libknot 2.9 Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v4.2.1/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-4.2.1.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-4.2.1.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v4.2.1/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

5 let, 8 měsíců

1
0
0 0

CentOS 7 package ships writable /etc/knot-resolver

by Anand Buddhdev

Hello Knot resolver folks, and especially the packagers, I've noticed that the CentOS 7 packages published by CZNIC ship with /etc/knot-resolver writable by the "knot-res" user (the directory mode is 0775). It seems that the directory is writable, because kresd (running as user knot-res) runs a lua script to manage the /etc/knot-resolver/root.keys file. My sysadmin mind is suspicious of this setup. If any other modules of kresd have a bug, they have the potential to modify config files in /etc/knot-resolver. My thinking is that the root.keys file should be installed in /var/cache/knot-resolver, and that is writable by "knot-res". Could someone please explain to me why the config directory is writable by an unprivileged user? Is there a good reason I'm not seeing for this setup? Regards, Anand Buddhdev

5 let, 8 měsíců

2
4
0 0

Knot Resolver - module hints - reload?

by Milan Jeskynka Kazatel

Hello, Could someone help me to understand the behavior of Knot Resolver? Can I somehow process a change in the list of static records for knot resolver like a command for reloading configuration? If I have in the kresd.conf file a module modules = { 'hints> iterate', - Add static records to resolver ... ... and the list is located - Load static records hints.add_hosts ('/ etc / knot-resolver / static_records.txt') how can I reload the change in the static_records.txt list for the kresd @ 1 service Or should I always restart the daemon kresd @ 1 systemctl restart Kresd @ 1 Thanks for any advice, Regadrs, -- Smil Milan Jeskyňka Kazatel

5 let, 9 měsíců

3
7
0 0

Knot Resolver 4.2.0

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 4.2.0 has been released! Improvements ------------ - queries without RD bit set are REFUSED by default (!838) - support forwarding to multiple targets (!825) Bugfixes -------- - tls_client: fix issue with TLS session resumption (#489) - rebinding module: fix another false-positive assertion case (!851) Module API changes ------------------ - kr_request::add_selected is now really put into answer, instead of the "duplicate" ::additional field (#490) Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v4.2.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-4.2.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-4.2.0.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v4.2.0/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

5 let, 10 měsíců

1
0
0 0

Re: [knot-resolver-users] Specify wildcard subdomain static hints

by Vladimír Čunát

Hello, first note the change to the correct mailing-list. On 7/29/19 10:20 AM, Balakrishnan B wrote: > I am trying to add wildcard static hints to catch all local domains like > below. But does not seem to work. > > hints['nextcloud.local'] = '127.0.0.1' # This works fine > hints['*.local'] = '127.0.0.1' > hints['.local'] = '127.0.0.1' > > DNSMasq supports this like https://stackoverflow.com/a/22551303 > > Is there way to do this in knot? No, I don't think there's a good way currently. The hints module only supports exact names with A and AAAA and corresponding PTR, like in /etc/hosts files. With our [RPZ] you can do wildcards, but there's no support for positive answers (so you need to do NXDOMAIN or similar denials). BTW, note that .local is reserved for [mDNS] protocol, in particular kresd might never get to such requests because it's "only" a DNS server: > 3. Name resolution APIs and libraries SHOULD recognize these names as > special and SHOULD NOT send queries for these names to their > configured (unicast) caching DNS server(s). > [RPZ] https://knot-resolver.readthedocs.io/en/stable/modules.html#c.policy.rpz [mDNS] https://tools.ietf.org/html/rfc6762#section-22.1 --Vladimir

5 let, 10 měsíců

2
2
0 0

debian repo: http -> https

by Christoph

The instructions on: https://www.knot-resolver.cz/download/ read: " wget https://secure.nic.cz/files/knot-resolver/knot-resolver-release.deb dpkg -i knot-resolver-release.deb apt update && apt install -y knot-resolver " these instructions result in an http://.. URL in: /etc/apt/sources.list.d/knot-resolver-latest.list I'd suggest to change it to https://..

5 let, 10 měsíců

2
3
0 0

2025

2024

2023

2022

2021

2020

2019

2018

knot-resolver-users