- knot-resolver-users - lists.nic.cz

HTTP module after upgrade from Knot DNS Resolver, version 2.3.0 to Knot Resolver, version 4.2.0

by Milan Jeskynka Kazatel

Hello Knot Resolver team, I tried to upgrade to the latest stable version of Knot Resolver on Centos7, where I'm facing with a configuration issue with the module HTTP. I used it in version 2.3.0 with configuration -- Load Useful modules modules = { 'policy', -- Block queries to local zones/bad sites 'view', -- Handle requests by source IP 'stats', -- Track internal statistics 'hints', -- Add static records to resolver http = { host = '10.0.0.1', port = 8053, cert = false, } } and it works as expected, I reached a /stats/ from the browser. Unfortunately after upgrade to version 4.2.0 I'm not able to correctly start the module even if I follow the migration hints on documentation websites. I still receive a startup fail message Oct 04 11:32:09 dns systemd[1]: Starting Knot Resolver daemon... Oct 04 11:32:54 dns kresd[9540]: error: /usr/lib64/knot-resolver/kres_ modules/http.lua:35: attempt to call global 'moduledir' (a nil value) Oct 04 11:32:54 dns kresd[9540]: [system] failed to load module 'http' Oct 04 11:32:54 dns kresd[9540]: error occured here (config filename:lineno is at the bottom, if config is involved): Oct 04 11:32:54 dns kresd[9540]: stack traceback: Oct 04 11:32:54 dns kresd[9540]: [C]: in function 'load' Oct 04 11:32:54 dns kresd[9540]: /etc/knot-resolver/kresd.conf:14: in main chunk Oct 04 11:32:54 dns kresd[9540]: ERROR: No such file or directory Oct 04 11:32:54 dns systemd[1]: kresd(a)1.service: main process exited, code= exited, status=1/FAILURE Oct 04 11:32:54 dns systemd[1]: Failed to start Knot Resolver daemon. Current configuration is: -- interfaces ... net.listen('10.0.0.1', 8453, { kind = 'webmgmt' }) -- load HTTP module with defaults (self-signed TLS cert) modules.load('http') http.config() -- Load Useful modules modules = { 'policy', -- Block queries to local zones/bad sites 'view', -- Handle requests by source IP 'stats', -- Track internal statistics 'hints', -- Add static records to resolver } Where should be written the path to module http? What I did wrong? Regards, -- Smil Milan Jeskyňka Kazatel

6 let, 5 měsíců

2
4
0 0

Knot Resolver 4.2.2

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 4.2.2 has been released! Bugfixes -------- - lua bindings: fix a 4.2.1 regression on 32-bit systems (#514) which also fixes libknot 2.9 support on all systems Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v4.2.2/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-4.2.2.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-4.2.2.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v4.2.2/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

6 let, 5 měsíců

1
0
0 0

HTTP module after upgrade from Knot DNS Resolver, version 2.3.0 to Knot Resolver, version 4.2.0

by Milan Jeskynka Kazatel

Hello Knot Resolver team, I tried to upgrade to the latest stable version of Knot Resolver on Centos7, where I'm facing with a configuration issue with the module HTTP. I used it in version 2.3.0 with configuration -- Load Useful modules modules = { 'policy', -- Block queries to local zones/bad sites 'view', -- Handle requests by source IP 'stats', -- Track internal statistics 'hints', -- Add static records to resolver http = { host = '10.0.0.1', port = 8053, cert = false, } } and it works as expected, I reached a /stats/ from the browser. Unfortunately after upgrade to version 4.2.0 I'm not able to correctly start the module even if I follow the migration hints on documentation websites. I still receive a startup fail message Oct 04 11:32:09 dns systemd[1]: Starting Knot Resolver daemon... Oct 04 11:32:54 dns kresd[9540]: error: /usr/lib64/knot-resolver/kres_ modules/http.lua:35: attempt to call global 'moduledir' (a nil value) Oct 04 11:32:54 dns kresd[9540]: [system] failed to load module 'http' Oct 04 11:32:54 dns kresd[9540]: error occured here (config filename:lineno is at the bottom, if config is involved): Oct 04 11:32:54 dns kresd[9540]: stack traceback: Oct 04 11:32:54 dns kresd[9540]: [C]: in function 'load' Oct 04 11:32:54 dns kresd[9540]: /etc/knot-resolver/kresd.conf:14: in main chunk Oct 04 11:32:54 dns kresd[9540]: ERROR: No such file or directory Oct 04 11:32:54 dns systemd[1]: kresd(a)1.service: main process exited, code= exited, status=1/FAILURE Oct 04 11:32:54 dns systemd[1]: Failed to start Knot Resolver daemon. Current configuration is: -- interfaces ... net.listen('10.0.0.1', 8453, { kind = 'webmgmt' }) -- load HTTP module with defaults (self-signed TLS cert) modules.load('http') http.config() -- Load Useful modules modules = { 'policy', -- Block queries to local zones/bad sites 'view', -- Handle requests by source IP 'stats', -- Track internal statistics 'hints', -- Add static records to resolver } Where should be written the path to module http? What I did wrong? -- Smil Milan Jeskyňka Kazatel

6 let, 5 měsíců

1
0
0 0

Knot Resolver 4.2.1

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 4.2.1 has been released! Note for Debian users: If you have previously installed knot-resolver-dbgsym package on Debian, please remove it and install knot-resolver-dbg instead. Bugfixes -------- - rebinding module: fix handling some requests, respect ALLOW_LOCAL flag - fix incorrect SERVFAIL on cached bogus answer for +cd request (!860) (regression since 4.1.0 release, in less common cases) - prefill module: allow a different module-loading style (#506) - validation: trim TTLs by RRSIG's expiration and original TTL (#319, #504) - NS choice algorithm: fix a regression since 4.0.0 (#497, !868) - policy: special domains home.arpa. and local. get NXDOMAIN (!855) Improvements ------------ - add compatibility with (future) libknot 2.9 Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v4.2.1/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-4.2.1.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-4.2.1.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v4.2.1/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

6 let, 5 měsíců

1
0
0 0

CentOS 7 package ships writable /etc/knot-resolver

by Anand Buddhdev

Hello Knot resolver folks, and especially the packagers, I've noticed that the CentOS 7 packages published by CZNIC ship with /etc/knot-resolver writable by the "knot-res" user (the directory mode is 0775). It seems that the directory is writable, because kresd (running as user knot-res) runs a lua script to manage the /etc/knot-resolver/root.keys file. My sysadmin mind is suspicious of this setup. If any other modules of kresd have a bug, they have the potential to modify config files in /etc/knot-resolver. My thinking is that the root.keys file should be installed in /var/cache/knot-resolver, and that is writable by "knot-res". Could someone please explain to me why the config directory is writable by an unprivileged user? Is there a good reason I'm not seeing for this setup? Regards, Anand Buddhdev

6 let, 5 měsíců

2
4
0 0

Knot Resolver - module hints - reload?

by Milan Jeskynka Kazatel

Hello, Could someone help me to understand the behavior of Knot Resolver? Can I somehow process a change in the list of static records for knot resolver like a command for reloading configuration? If I have in the kresd.conf file a module modules = { 'hints> iterate', - Add static records to resolver ... ... and the list is located - Load static records hints.add_hosts ('/ etc / knot-resolver / static_records.txt') how can I reload the change in the static_records.txt list for the kresd @ 1 service Or should I always restart the daemon kresd @ 1 systemctl restart Kresd @ 1 Thanks for any advice, Regadrs, -- Smil Milan Jeskyňka Kazatel

6 let, 6 měsíců

3
7
0 0

Knot Resolver 4.2.0

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 4.2.0 has been released! Improvements ------------ - queries without RD bit set are REFUSED by default (!838) - support forwarding to multiple targets (!825) Bugfixes -------- - tls_client: fix issue with TLS session resumption (#489) - rebinding module: fix another false-positive assertion case (!851) Module API changes ------------------ - kr_request::add_selected is now really put into answer, instead of the "duplicate" ::additional field (#490) Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v4.2.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-4.2.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-4.2.0.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v4.2.0/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

6 let, 7 měsíců

1
0
0 0

Re: [knot-resolver-users] Specify wildcard subdomain static hints

by Vladimír Čunát

Hello, first note the change to the correct mailing-list. On 7/29/19 10:20 AM, Balakrishnan B wrote: > I am trying to add wildcard static hints to catch all local domains like > below. But does not seem to work. > > hints['nextcloud.local'] = '127.0.0.1' # This works fine > hints['*.local'] = '127.0.0.1' > hints['.local'] = '127.0.0.1' > > DNSMasq supports this like https://stackoverflow.com/a/22551303 > > Is there way to do this in knot? No, I don't think there's a good way currently. The hints module only supports exact names with A and AAAA and corresponding PTR, like in /etc/hosts files. With our [RPZ] you can do wildcards, but there's no support for positive answers (so you need to do NXDOMAIN or similar denials). BTW, note that .local is reserved for [mDNS] protocol, in particular kresd might never get to such requests because it's "only" a DNS server: > 3. Name resolution APIs and libraries SHOULD recognize these names as > special and SHOULD NOT send queries for these names to their > configured (unicast) caching DNS server(s). > [RPZ] https://knot-resolver.readthedocs.io/en/stable/modules.html#c.policy.rpz [mDNS] https://tools.ietf.org/html/rfc6762#section-22.1 --Vladimir

6 let, 7 měsíců

2
2
0 0

debian repo: http -> https

by Christoph

The instructions on: https://www.knot-resolver.cz/download/ read: " wget https://secure.nic.cz/files/knot-resolver/knot-resolver-release.deb dpkg -i knot-resolver-release.deb apt update && apt install -y knot-resolver " these instructions result in an http://.. URL in: /etc/apt/sources.list.d/knot-resolver-latest.list I'd suggest to change it to https://..

6 let, 7 měsíců

2
3
0 0

Knot Resolver 4.1.0

by Petr Špaček

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Dear Knot Resolver users, Knot Resolver 4.1.0 has been released! This is a minor release with couple improvements and many bugfixes, including security fixes for CVE-2019-10190 and CVE-2019-10191. Packages for supported distributions are now available from https://www.knot-resolver.cz/download/ Highlights ========== - - security fixes, we encourage all users to upgrade as soon as possible - - new garbage collector improves cache utilization on busy machines - - ARM64 (aarch64) is now experimentally supported, please report issues - - compatibility with non-standard DoH clients was improved Full release notes: Knot Resolver 4.1.0 (2019-07-10) ================================ Security - -------- - - fix CVE-2019-10190: do not pass bogus negative answer to client (!827) - - fix CVE-2019-10191: do not cache negative answer with forged QNAME+QTYPE (!839) Improvements - ------------ - - new cache garbage collector is available and enabled by default (#257) This improves cache efficiency on big installations. - - DNS-over-HTTPS: unknown HTTP parameters are ignored to improve compatibility with non-standard clients (!832) - - DNS-over-HTTPS: answers include `access-control-allow-origin: *` which allows JavaScript to use DoH endpoint (!823). - - http module: support named AF_UNIX stream sockets (again) - - aggressive caching is disabled on minimal NSEC* ranges (!826) This improves cache effectivity with DNSSEC black lies and also accidentally works around bug in proofs-of-nonexistence from F5 BIG-IP load-balancers. - - aarch64 support, even kernels with ARM64_VA_BITS >= 48 (#216, !797) This is done by working around a LuaJIT incompatibility. Please report bugs. - - lua tables for C modules are more strict by default, e.g. `nsid.foo` will throw an error instead of returning `nil` (!797) - - systemd: basic watchdog is now available and enabled by default (#275) Bugfixes - -------- - - TCP to upstream: fix unlikely case of sending out wrong message length (!816) - - http module: fix problems around maintenance of ephemeral certs (!819) - - http module: also send intermediate TLS certificate to clients, if available and luaossl >= 20181207 (!819) - - send EDNS with SERVFAILs, e.g. on validation failures (#180, !827) - - prefill module: avoid crash on empty zone file (#474, !840) - - rebinding module: avoid excessive iteration on blocked attempts (!842) - - rebinding module: fix crash caused by race condition (!842) - - rebinding module: log each blocked query only in verbose mode (!842) - - cache: automatically clear stale reader locks (!844) Module API changes - ------------------ - - lua modules may omit casting parameters of layer functions (!797) - -- Petr Špaček @ CZ.NIC -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEvibrucvgWbORDKNbzo3WoaUKIeQFAl0mBC0ACgkQzo3WoaUK IeT3uw/9Fqz2PWYmEtF50nlnFIyM44EAClQFVboM8djVQVffN347nZTo4WPI+rsj exUg5tYKIEC6xrihRLwojbTfFcGVXcEHo0NZsvyv51qIP+lT6yHOVMz+tckmGyPI qG4JxvF7juUz1oLNCLUJfuZX/rOBgcOID2hga6q8ZXmkE5GFkyPsz7giaxjNWCGY Hf+uxzR2oezd4GGaOS2bIpqSjBmQwjaLvN3odG0xGZEHQCm+MkblVIbpiKuyR79e CulWcLNU1KL4V4o/rF5BUXHCnArGP/TM0JoVifPZepZVyB8xMEfBuyew9k1EAuX6 +5oJ9H1JcsftMtBgGUtksltTVK+9Mst9Rc52oiP5RA8ffpc5j0TtQi/lgNSgGnfQ P10t7fnlotseBYsHeQ0dm54TlGKBgsECuk1/wgjlytbUU9AUQMkmop696xZEcw1w gVY7FhAq09ciqtNTKuPJLoNTN/uhIdnyvt496Xf15OA3znZlMxdrI+rdVvf3btX/ SV9/bzNyWtJOhiYoN4hIPUqcvq6rFqxBbZpDA3pX9ks/lsWil7Y8sm96GzOjvaSx EjhDbBaFLBtX4kOPbrREDs8DbCTsxD1rLEruPos+Mp8PfAISEa/RvjyhuI/yyjwE qpNksYdKNHeniYEcycJ1khJBs1cz+9GlBFdCnSdFG2tFFu4nY4g= =pAEs -----END PGP SIGNATURE-----

6 let, 8 měsíců

1
0
0 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

knot-resolver-users