- knot-resolver-users - lists.nic.cz

Running knot-resolver with only kresd-tls.socket

by Vladimír Čunát

Message "moved" from [knot-dns-users] to [knot-resolver-users]: -------- Forwarded Message -------- Subject: [knot-dns-users] running knot-resolver with only kresd-tls.socket Date: Sat, 16 Mar 2019 13:36:50 -0000 (UTC) From: Daniel Lublin <daniel(a)lublin.se> To: knot-dns-users(a)lists.nic.cz Ahoj, I'm tinkering with running knot-resolver for DNS-over-TLS (only). My kresd@1 is listening on the public interface by using a drop-in override file, following kresd.systemd(7) (kresd-tls.socket.d/override.conf). Thing is, I would like knot to not listen on port 53 on any interface, not even localhost. But this is precisely what it does. I naively tried to stop it from doing so, first with a kresd.socket.d/override.conf with: [Socket] ListenStream= But that failed with journalctl -u kresd.socket containing `kresd.socket: Unit has no Listen setting (ListenStream=, ListenDatagram=, ListenFIFO=, ...). Refusing.` And also by trying to disable that "socket-unit", with a kresd(a)1.service.d/override.conf containing: [Service] Sockets= Sockets=kresd-tls.socket Sockets=kresd-control(a)%i.socket But that did nothing. Finally, using `systemctl mask kresd.socket` I get it to stop listening on (localhost) port 53. But then instead systemd find itself in "degraded" mode... Any tip on how to accomplish this cleanly?

6 let, 7 měsíců

3
2
0 0

Knot Resolver is not affected by compromised Knot DNS repositories

by Petr Špaček

Hello Knot Resolver users, please let me clarify that Knot Resolver repositories linked from https://www.knot-resolver.cz/download/ are independent and are not affected by compromised Knot DNS repositories [1]. Users who use only Knot Resolver packages from our repositories [2] do not need to take any action. If you have any questions do not hesistate to ask here. [1] https://lists.nic.cz/pipermail/knot-dns-users/2019-March/001630.html [2] https://www.knot-resolver.cz/download/ -- Petr Špaček @ CZ.NIC

6 let, 7 měsíců

1
0
0 0

Re: [knot-resolver-users] Knot DNS 2.8.0 release

by Vladimír Čunát

Hello, Knot * users! Please note that Knot DNS 2.8.x breaks all Knot Resolver versions released so far (<=3.2.1). The breakage is a bit subtle, and build system won't detect it. We plan to release an update soon. If you don't want to wait, you can apply a simple patch: https://gitlab.labs.nic.cz/knot/knot-resolver/commit/186f2639 --Vladimir

6 let, 8 měsíců

2
3
0 0

why random conversion uppercase and lowercase letters

by Champion Xie

Hi， When I request a domain name to the knot-resolver server, I will see that the uppercase and lowercase letters are randomly converted to log records. -- Best Regards!! champion_xie

6 let, 8 měsíců

2
1
0 0

how to dump cache detail

by Champion Xie

Knot-resolver Is there a tool like BIND rndc dumpdb? I want to see the specific cached domain name entry kresc> stats.list() [answer.nxdomain] => 0 [answer.100ms] => 0 [answer.1500ms] => 0 [answer.slow] => 0 [answer.servfail] => 0 [answer.250ms] => 0 *[answer.cached] => 622* [answer.nodata] => 0 [query.dnssec] => 1 [answer.1ms] => 34 [predict.epoch] => 19 [query.edns] => 624 [predict.queue] => 0 [answer.total] => 624 [answer.10ms] => 498 [answer.noerror] => 624 [answer.50ms] => 92 [answer.500ms] => 0 [answer.1000ms] => 0 [predict.learned] => 1 -- Best Regards!! champion_xie

6 let, 8 měsíců

2
1
0 0

which one cache hit count

by Champion Xie

*kresc> cache.stats()* [hit] => 0 [delete] => 0 [miss] => 0 *[insert] => 280* *kresc> stats.list()* [answer.nxdomain] => 0 [answer.100ms] => 0 [answer.1500ms] => 0 [answer.slow] => 0 [answer.servfail] => 0 [answer.250ms] => 0 *[answer.cached] => 2430* [answer.nodata] => 0 [query.edns] => 2710 [query.dnssec] => 1 [answer.total] => 2710 [answer.10ms] => 272 [answer.noerror] => 2710 [answer.50ms] => 8 [answer.500ms] => 0 [answer.1000ms] => 0 [answer.1ms] => 2430 *kresc> cache.count()* *372* -- Best Regards!! champion_xie

6 let, 8 měsíců

2
1
0 0

forward policy stub kind of round robin

by Thomas Belián

Hello, I have at the moment a network with 3 DNS servers. They do recursive/caching as well as authorative zones (Bind 9). I want to build a structure with 2 authorative Servers using Knot-DNS and 3 resolvers using Knot-Resolver. As our authorative servers are in our network and as I want to get any changes in their zones as fast as possible to our users I use from the documentation: Replacing part of the DNS tree Interesting is this line: policy.add(policy.suffix(policy.STUB({'$our ip'}), extraTrees)) Can I put more than one IP at this line to forward the queries? We have 2 authorative servers, so I want ask both of them round robin like. In my config I have comma separated two servers, kresd is running with it, but it seems it uses only the first. Is there a way to get my desired behavior? Regards Thomas P.S.: Versions are Knot-Resolver 3.2.1 and OS is Ubuntu 18.04.02 -- Thomas Belián Fachhochschule Erfurt Fak. GTI / FR AI & Hochschulrechenzentrum Postfach 45 01 55, 99051 Erfurt Telefon: +49361 6700 - 647 E-Mail: thomas.belian(a)fh-erfurt.de

6 let, 8 měsíců

2
2
0 0

Knot Resolver 3.2.1

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 3.2.1 has been released. Bugfixes -------- - trust_anchors: respect validity time range during TA bootstrap (!748) - fix TLS rehandshake handling (!739) - make TLS_FORWARD compatible with GnuTLS 3.3 (!741) - special thanks to Grigorii Demidov for his long-term work on Knot Resolver! Improvements ------------ - improve handling of timeouted outgoing TCP connections (!734) - trust_anchors: check syntax of public keys in DNSKEY RRs (!748) - validator: clarify message about bogus non-authoritative data (!735) - dnssec validation failures contain more verbose reasoning (!735) - new function trust_anchors.summary() describes state of DNSSEC TAs (!737), and logs new state of trust anchors after start up and automatic changes - trust anchors: refuse revoked DNSKEY even if specified explicitly, and downgrade missing the SEP bit to a warning Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v3.2.1/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-3.2.1.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-3.2.1.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v3.2.1/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

6 let, 9 měsíců

1
0
0 0

knot-resolver 2.4.1 centos 7 aborts

by Harry Hoffman

Hi Folks, Pretty new to knot-resolver and I've been searching around but haven't found anyone with the same error. I'm running CentOS 7 with knot-resolver 2.4.1 from the EPEL repository. I believe that my config is only slightly modified from an example config. [root@usher knot-resolver]# cat kresd.conf -- Config file example useable for personal resolver. -- The goal is to have a validating resolver with tiny memory footprint, -- while actively tracking and refreshing frequent records to lower user latency. -- Refer to manual: https://knot-resolver.readthedocs.io/en/latest/daemon.html#configuration -- Listen on localhost (default) -- net = { '127.0.0.1', '::1' } -- Drop root privileges -- user('knot-resolver', 'knot-resolver') -- Auto-maintain root TA trust_anchors.file = 'root.keys' -- Load Useful modules modules = { 'policy', -- Block queries to local zones/bad sites 'hints', -- Load /etc/hosts and allow custom root hints 'stats', -- Track internal statistics 'predict', -- Prefetch expiring/frequent records } -- Smaller cache size cache.size = 10 * MB verbose(true) policy.add(policy.all(policy.TLS_FORWARD({ {'9.9.9.9', hostname='dns.quad9.net'}, {'1.1.1.1', hostname='cloudflare-dns.com'}, {'149.112.112.112', hostname='dns.quad9.net'}, {'1.0.0.1', hostname='cloudflare-dns.com'}, }))) When running (either via systemd or at a command line) kresd aborts. Below are the verbose logs: [root@usher knot-resolver]# /usr/sbin/kresd --config=/etc/knot-resolver/kresd.conf --forks=1 [gnutls] (2) Initializing PKCS #11 modules [gnutls] (2) p11: Initializing module: p11-kit-trust [gnutls] (3) ASSERT: pkcs11.c:665 [gnutls] (2) p11: No login requested. [gnutls] (2) p11: No login requested. [gnutls] (3) ASSERT: pkcs11.c:2664 [gnutls] (3) ASSERT: pkcs11.c:2993 [tls_client] imported 151 certs from system store [gnutls] (2) p11: No login requested. [gnutls] (2) p11: No login requested. [gnutls] (3) ASSERT: pkcs11.c:2664 [gnutls] (3) ASSERT: pkcs11.c:2993 [tls_client] imported 151 certs from system store [gnutls] (2) p11: No login requested. [gnutls] (2) p11: No login requested. [gnutls] (3) ASSERT: pkcs11.c:2664 [gnutls] (3) ASSERT: pkcs11.c:2993 [tls_client] imported 151 certs from system store [gnutls] (2) p11: No login requested. [gnutls] (2) p11: No login requested. [gnutls] (3) ASSERT: pkcs11.c:2664 [gnutls] (3) ASSERT: pkcs11.c:2993 [tls_client] imported 151 certs from system store [gnutls] (2) p11: No login requested. [gnutls] (2) p11: No login requested. [gnutls] (3) ASSERT: pkcs11.c:2664 [gnutls] (3) ASSERT: pkcs11.c:2993 [tls_client] imported 151 certs from system store [gnutls] (2) p11: No login requested. [gnutls] (2) p11: No login requested. [gnutls] (3) ASSERT: pkcs11.c:2664 [gnutls] (3) ASSERT: pkcs11.c:2993 [tls_client] imported 151 certs from system store [gnutls] (2) p11: No login requested. [gnutls] (2) p11: No login requested. [gnutls] (3) ASSERT: pkcs11.c:2664 [gnutls] (3) ASSERT: pkcs11.c:2993 [tls_client] imported 151 certs from system store [gnutls] (2) p11: No login requested. [gnutls] (2) p11: No login requested. [gnutls] (3) ASSERT: pkcs11.c:2664 [gnutls] (3) ASSERT: pkcs11.c:2993 [tls_client] imported 151 certs from system store [tls_client] error: hostname 'dns.quad9.net' for address '9.9.9.9#00853' already was set, ignoring [tls_client] error: system ca for address '9.9.9.9#00853' already was set, ignoring [tls_client] error: hostname 'cloudflare-dns.com' for address '1.0.0.1#00853' already was set, ignoring [tls_client] error: system ca for address '1.0.0.1#00853' already was set, ignoring [tls_client] error: hostname 'dns.quad9.net' for address '149.112.112.112#00853' already was set, ignoring [tls_client] error: system ca for address '149.112.112.112#00853' already was set, ignoring [tls_client] error: hostname 'cloudflare-dns.com' for address '1.1.1.1#00853' already was set, ignoring [tls_client] error: system ca for address '1.1.1.1#00853' already was set, ignoring [ 0][plan] plan '.' type 'NS' [50114][iter] '.' type 'NS' id was assigned, parent id 0 [50114][plan] plan '.' type 'DNSKEY' [26197][iter] '.' type 'DNSKEY' id was assigned, parent id 50114 [ ][nsre] score 1 for 9.9.9.9; cached RTT: -1 [ ][nsre] score 1 for 1.1.1.1; cached RTT: -1 [ ][nsre] score 1 for 149.112.112.112; cached RTT: -1 [ ][nsre] score 1 for 1.0.0.1; cached RTT: -1 [gnutls] (5) REC[0x55801d4242b0]: Allocating epoch #0 [26197][wrkr] => connecting to: '9.9.9.9' [ 0][plan] plan '.' type 'NS' [38655][iter] '.' type 'NS' id was assigned, parent id 0 [ ][nsre] score 1 for 9.9.9.9; cached RTT: -1 [ ][nsre] score 1 for 1.1.1.1; cached RTT: -1 [ ][nsre] score 1 for 149.112.112.112; cached RTT: -1 [ ][nsre] score 1 for 1.0.0.1; cached RTT: -1 [26197][wrkr] => connected to '9.9.9.9' [gnutls] (3) ASSERT: gnutls_constate.c:586 [gnutls] (5) REC[0x55801d4242b0]: Allocating epoch #1 [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_AES_256_GCM_SHA384 (C0.30) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA1 (C0.13) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA256 (C0.27) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_AES_256_CBC_SHA1 (C0.14) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_AES_128_GCM_SHA256 (00.9C) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_AES_256_GCM_SHA384 (00.9D) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_CAMELLIA_128_GCM_SHA256 (C0.7A) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_CAMELLIA_256_GCM_SHA384 (C0.7B) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1 (00.2F) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256 (00.3C) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1 (00.35) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256 (00.3D) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1 (00.41) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA256 (00.BA) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1 (00.84) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA256 (00.C0) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1 (00.0A) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_AES_128_GCM_SHA256 (00.9E) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_AES_256_GCM_SHA384 (00.9F) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1 (00.33) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256 (00.67) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1 (00.39) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256 (00.6B) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 (00.16) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_AES_128_GCM_SHA256 (00.A2) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_AES_256_GCM_SHA384 (00.A3) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_GCM_SHA256 (C0.80) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_GCM_SHA384 (C0.81) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1 (00.32) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256 (00.40) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1 (00.38) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256 (00.6A) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1 (00.44) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA256 (00.BD) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1 (00.87) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA256 (00.C3) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1 (00.13) [gnutls] (4) EXT[0x55801d4242b0]: Sending extension STATUS REQUEST (5 bytes) [gnutls] (4) EXT[0x55801d4242b0]: Sending extension SAFE RENEGOTIATION (1 bytes) [gnutls] (4) EXT[0x55801d4242b0]: Sending extension SESSION TICKET (0 bytes) [gnutls] (4) EXT[0x55801d4242b0]: Sending extension SUPPORTED ECC (8 bytes) [gnutls] (4) EXT[0x55801d4242b0]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes) [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (4.1) RSA-SHA256 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (4.2) DSA-SHA256 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (4.3) ECDSA-SHA256 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (5.1) RSA-SHA384 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (5.3) ECDSA-SHA384 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (6.1) RSA-SHA512 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (6.3) ECDSA-SHA512 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (3.1) RSA-SHA224 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (3.2) DSA-SHA224 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (3.3) ECDSA-SHA224 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (2.1) RSA-SHA1 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (2.2) DSA-SHA1 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (2.3) ECDSA-SHA1 [gnutls] (4) EXT[0x55801d4242b0]: Sending extension SIGNATURE ALGORITHMS (28 bytes) [gnutls] (4) HSK[0x55801d4242b0]: CLIENT HELLO was queued [227 bytes] [gnutls] (5) REC[0x55801d4242b0]: Preparing Packet Handshake(22) with length: 227 and min pad: 0 [gnutls] (5) REC[0x55801d4242b0]: Sent Packet[1] Handshake(22) in epoch 0 and length: 232 [ 0][wrkr] [tls_client] push 232 <0x55801d3f4400> [gnutls] (3) ASSERT: gnutls_buffers.c:1139 [gnutls] (2) The pull function has been replaced but not the pull timeout.[gnutls] (3) ASSERT: gnutls_buffers.c:731 [gnutls] (3) ASSERT: gnutls_buffers.c:332 [gnutls] (3) ASSERT: gnutls_buffers.c:572 [gnutls] (3) ASSERT: gnutls_record.c:1063 [gnutls] (3) ASSERT: gnutls_record.c:1184 [gnutls] (3) ASSERT: gnutls_buffers.c:1393 [gnutls] (3) ASSERT: gnutls_handshake.c:1440 [gnutls] (3) ASSERT: gnutls_handshake.c:2739 [tls_client] handshake failed (Error in the pull function.) [ 0][resl] AD: request NOT classified as SECURE [26197][resl] finished: 0, queries: 0, mempool: 81952 B [priming] cannot resolve '.' NS, next priming query in 10 seconds [ 0][resl] AD: request NOT classified as SECURE [38655][resl] finished: 0, queries: 0, mempool: 81952 B [detect_time_skew] cannot resolve '.' NS [gnutls] (5) REC[0x55801d4242b0]: Start of epoch cleanup [gnutls] (5) REC[0x55801d4242b0]: End of epoch cleanup [gnutls] (5) REC[0x55801d4242b0]: Epoch #0 freed [gnutls] (5) REC[0x55801d4242b0]: Epoch #1 freed [ 0][plan] plan '.' type 'DNSKEY' [35791][iter] '.' type 'DNSKEY' id was assigned, parent id 0 [ ][nsre] score 1 for 9.9.9.9; cached RTT: -1 [ ][nsre] score 1 for 1.1.1.1; cached RTT: -1 [ ][nsre] score 1 for 149.112.112.112; cached RTT: -1 [ ][nsre] score 1 for 1.0.0.1; cached RTT: -1 kresd: daemon/worker.c:1691: qr_task_step: Assertion `session->outgoing' failed. Aborted

6 let, 10 měsíců

2
6
0 0

Knot Resolver 3.2.0

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 3.2.0 has been released. New features ------------ - module edns_keepalive to implement server side of RFC 7828 (#408) - module nsid to implement server side of RFC 5001 (#289) - module bogus_log provides .frequent() table (!629, credit Ulrich Wisser) - module stats collects flags from answer messages (!629, credit Ulrich Wisser) - module view supports multiple rules with identical address/TSIG specification and keeps trying rules until a "non-chain" action is executed (!678) - module experimental_dot_auth implements an DNS-over-TLS to auth protocol (!711, credit Manu Bretelle) - net.bpf bindings allow advanced users to use eBPF socket filters Bugfixes -------- - http module: only run prometheus in parent process if using --forks=N, as the submodule collects metrics from all sub-processes as well. - TLS fixes for corner cases (!700, !714, !716, !721, !728) - fix build with -DNOVERBOSELOG (#424) - policy.{FORWARD,TLS_FORWARD,STUB}: respect net.ipv{4,6} setting (!710) - avoid SERVFAILs due to certain kind of NS dependency cycles, again (#374) this time seen as 'circular dependency' in verbose logs - policy and view modules do not overwrite result finished requests (!678) Improvements ------------ - Dockerfile: rework, basing on Debian instead of Alpine - policy.{FORWARD,TLS_FORWARD,STUB}: give advantage to IPv6 when choosing whom to ask, just as for iteration - use pseudo-randomness from gnutls instead of internal ISAAC (#233) - tune the way we deal with non-responsive servers (!716, !723) - documentation clarifies interaction between policy and view modules (!678, !730) Module API changes ------------------ - new layer is added: answer_finalize - kr_request keeps ::qsource.packet beyond the begin layer - kr_request::qsource.tcp renamed to ::qsource.flags.tcp - kr_request::has_tls renamed to ::qsource.flags.tls - kr_zonecut_add(), kr_zonecut_del() and kr_nsrep_sort() changed parameters slightly Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v3.2.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-3.2.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-3.2.0.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v3.2.0/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

6 let, 10 měsíců

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

knot-resolver-users