- knot-resolver-users - lists.nic.cz

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 3.2.1 has been released. Bugfixes -------- - trust_anchors: respect validity time range during TA bootstrap (!748) - fix TLS rehandshake handling (!739) - make TLS_FORWARD compatible with GnuTLS 3.3 (!741) - special thanks to Grigorii Demidov for his long-term work on Knot Resolver! Improvements ------------ - improve handling of timeouted outgoing TCP connections (!734) - trust_anchors: check syntax of public keys in DNSKEY RRs (!748) - validator: clarify message about bogus non-authoritative data (!735) - dnssec validation failures contain more verbose reasoning (!735) - new function trust_anchors.summary() describes state of DNSSEC TAs (!737), and logs new state of trust anchors after start up and automatic changes - trust anchors: refuse revoked DNSKEY even if specified explicitly, and downgrade missing the SEP bit to a warning Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v3.2.1/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-3.2.1.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-3.2.1.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v3.2.1/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

6 let, 4 měsíce

1
0
0 0

knot-resolver 2.4.1 centos 7 aborts

by Harry Hoffman

Hi Folks, Pretty new to knot-resolver and I've been searching around but haven't found anyone with the same error. I'm running CentOS 7 with knot-resolver 2.4.1 from the EPEL repository. I believe that my config is only slightly modified from an example config. [root@usher knot-resolver]# cat kresd.conf -- Config file example useable for personal resolver. -- The goal is to have a validating resolver with tiny memory footprint, -- while actively tracking and refreshing frequent records to lower user latency. -- Refer to manual: https://knot-resolver.readthedocs.io/en/latest/daemon.html#configuration -- Listen on localhost (default) -- net = { '127.0.0.1', '::1' } -- Drop root privileges -- user('knot-resolver', 'knot-resolver') -- Auto-maintain root TA trust_anchors.file = 'root.keys' -- Load Useful modules modules = { 'policy', -- Block queries to local zones/bad sites 'hints', -- Load /etc/hosts and allow custom root hints 'stats', -- Track internal statistics 'predict', -- Prefetch expiring/frequent records } -- Smaller cache size cache.size = 10 * MB verbose(true) policy.add(policy.all(policy.TLS_FORWARD({ {'9.9.9.9', hostname='dns.quad9.net'}, {'1.1.1.1', hostname='cloudflare-dns.com'}, {'149.112.112.112', hostname='dns.quad9.net'}, {'1.0.0.1', hostname='cloudflare-dns.com'}, }))) When running (either via systemd or at a command line) kresd aborts. Below are the verbose logs: [root@usher knot-resolver]# /usr/sbin/kresd --config=/etc/knot-resolver/kresd.conf --forks=1 [gnutls] (2) Initializing PKCS #11 modules [gnutls] (2) p11: Initializing module: p11-kit-trust [gnutls] (3) ASSERT: pkcs11.c:665 [gnutls] (2) p11: No login requested. [gnutls] (2) p11: No login requested. [gnutls] (3) ASSERT: pkcs11.c:2664 [gnutls] (3) ASSERT: pkcs11.c:2993 [tls_client] imported 151 certs from system store [gnutls] (2) p11: No login requested. [gnutls] (2) p11: No login requested. [gnutls] (3) ASSERT: pkcs11.c:2664 [gnutls] (3) ASSERT: pkcs11.c:2993 [tls_client] imported 151 certs from system store [gnutls] (2) p11: No login requested. [gnutls] (2) p11: No login requested. [gnutls] (3) ASSERT: pkcs11.c:2664 [gnutls] (3) ASSERT: pkcs11.c:2993 [tls_client] imported 151 certs from system store [gnutls] (2) p11: No login requested. [gnutls] (2) p11: No login requested. [gnutls] (3) ASSERT: pkcs11.c:2664 [gnutls] (3) ASSERT: pkcs11.c:2993 [tls_client] imported 151 certs from system store [gnutls] (2) p11: No login requested. [gnutls] (2) p11: No login requested. [gnutls] (3) ASSERT: pkcs11.c:2664 [gnutls] (3) ASSERT: pkcs11.c:2993 [tls_client] imported 151 certs from system store [gnutls] (2) p11: No login requested. [gnutls] (2) p11: No login requested. [gnutls] (3) ASSERT: pkcs11.c:2664 [gnutls] (3) ASSERT: pkcs11.c:2993 [tls_client] imported 151 certs from system store [gnutls] (2) p11: No login requested. [gnutls] (2) p11: No login requested. [gnutls] (3) ASSERT: pkcs11.c:2664 [gnutls] (3) ASSERT: pkcs11.c:2993 [tls_client] imported 151 certs from system store [gnutls] (2) p11: No login requested. [gnutls] (2) p11: No login requested. [gnutls] (3) ASSERT: pkcs11.c:2664 [gnutls] (3) ASSERT: pkcs11.c:2993 [tls_client] imported 151 certs from system store [tls_client] error: hostname 'dns.quad9.net' for address '9.9.9.9#00853' already was set, ignoring [tls_client] error: system ca for address '9.9.9.9#00853' already was set, ignoring [tls_client] error: hostname 'cloudflare-dns.com' for address '1.0.0.1#00853' already was set, ignoring [tls_client] error: system ca for address '1.0.0.1#00853' already was set, ignoring [tls_client] error: hostname 'dns.quad9.net' for address '149.112.112.112#00853' already was set, ignoring [tls_client] error: system ca for address '149.112.112.112#00853' already was set, ignoring [tls_client] error: hostname 'cloudflare-dns.com' for address '1.1.1.1#00853' already was set, ignoring [tls_client] error: system ca for address '1.1.1.1#00853' already was set, ignoring [ 0][plan] plan '.' type 'NS' [50114][iter] '.' type 'NS' id was assigned, parent id 0 [50114][plan] plan '.' type 'DNSKEY' [26197][iter] '.' type 'DNSKEY' id was assigned, parent id 50114 [ ][nsre] score 1 for 9.9.9.9; cached RTT: -1 [ ][nsre] score 1 for 1.1.1.1; cached RTT: -1 [ ][nsre] score 1 for 149.112.112.112; cached RTT: -1 [ ][nsre] score 1 for 1.0.0.1; cached RTT: -1 [gnutls] (5) REC[0x55801d4242b0]: Allocating epoch #0 [26197][wrkr] => connecting to: '9.9.9.9' [ 0][plan] plan '.' type 'NS' [38655][iter] '.' type 'NS' id was assigned, parent id 0 [ ][nsre] score 1 for 9.9.9.9; cached RTT: -1 [ ][nsre] score 1 for 1.1.1.1; cached RTT: -1 [ ][nsre] score 1 for 149.112.112.112; cached RTT: -1 [ ][nsre] score 1 for 1.0.0.1; cached RTT: -1 [26197][wrkr] => connected to '9.9.9.9' [gnutls] (3) ASSERT: gnutls_constate.c:586 [gnutls] (5) REC[0x55801d4242b0]: Allocating epoch #1 [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_AES_256_GCM_SHA384 (C0.30) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA1 (C0.13) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA256 (C0.27) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_AES_256_CBC_SHA1 (C0.14) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_AES_128_GCM_SHA256 (00.9C) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_AES_256_GCM_SHA384 (00.9D) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_CAMELLIA_128_GCM_SHA256 (C0.7A) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_CAMELLIA_256_GCM_SHA384 (C0.7B) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1 (00.2F) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256 (00.3C) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1 (00.35) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256 (00.3D) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1 (00.41) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA256 (00.BA) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1 (00.84) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA256 (00.C0) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1 (00.0A) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_AES_128_GCM_SHA256 (00.9E) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_AES_256_GCM_SHA384 (00.9F) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1 (00.33) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256 (00.67) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1 (00.39) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256 (00.6B) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 (00.16) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_AES_128_GCM_SHA256 (00.A2) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_AES_256_GCM_SHA384 (00.A3) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_GCM_SHA256 (C0.80) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_GCM_SHA384 (C0.81) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1 (00.32) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256 (00.40) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1 (00.38) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256 (00.6A) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1 (00.44) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA256 (00.BD) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1 (00.87) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA256 (00.C3) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1 (00.13) [gnutls] (4) EXT[0x55801d4242b0]: Sending extension STATUS REQUEST (5 bytes) [gnutls] (4) EXT[0x55801d4242b0]: Sending extension SAFE RENEGOTIATION (1 bytes) [gnutls] (4) EXT[0x55801d4242b0]: Sending extension SESSION TICKET (0 bytes) [gnutls] (4) EXT[0x55801d4242b0]: Sending extension SUPPORTED ECC (8 bytes) [gnutls] (4) EXT[0x55801d4242b0]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes) [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (4.1) RSA-SHA256 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (4.2) DSA-SHA256 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (4.3) ECDSA-SHA256 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (5.1) RSA-SHA384 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (5.3) ECDSA-SHA384 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (6.1) RSA-SHA512 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (6.3) ECDSA-SHA512 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (3.1) RSA-SHA224 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (3.2) DSA-SHA224 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (3.3) ECDSA-SHA224 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (2.1) RSA-SHA1 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (2.2) DSA-SHA1 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (2.3) ECDSA-SHA1 [gnutls] (4) EXT[0x55801d4242b0]: Sending extension SIGNATURE ALGORITHMS (28 bytes) [gnutls] (4) HSK[0x55801d4242b0]: CLIENT HELLO was queued [227 bytes] [gnutls] (5) REC[0x55801d4242b0]: Preparing Packet Handshake(22) with length: 227 and min pad: 0 [gnutls] (5) REC[0x55801d4242b0]: Sent Packet[1] Handshake(22) in epoch 0 and length: 232 [ 0][wrkr] [tls_client] push 232 <0x55801d3f4400> [gnutls] (3) ASSERT: gnutls_buffers.c:1139 [gnutls] (2) The pull function has been replaced but not the pull timeout.[gnutls] (3) ASSERT: gnutls_buffers.c:731 [gnutls] (3) ASSERT: gnutls_buffers.c:332 [gnutls] (3) ASSERT: gnutls_buffers.c:572 [gnutls] (3) ASSERT: gnutls_record.c:1063 [gnutls] (3) ASSERT: gnutls_record.c:1184 [gnutls] (3) ASSERT: gnutls_buffers.c:1393 [gnutls] (3) ASSERT: gnutls_handshake.c:1440 [gnutls] (3) ASSERT: gnutls_handshake.c:2739 [tls_client] handshake failed (Error in the pull function.) [ 0][resl] AD: request NOT classified as SECURE [26197][resl] finished: 0, queries: 0, mempool: 81952 B [priming] cannot resolve '.' NS, next priming query in 10 seconds [ 0][resl] AD: request NOT classified as SECURE [38655][resl] finished: 0, queries: 0, mempool: 81952 B [detect_time_skew] cannot resolve '.' NS [gnutls] (5) REC[0x55801d4242b0]: Start of epoch cleanup [gnutls] (5) REC[0x55801d4242b0]: End of epoch cleanup [gnutls] (5) REC[0x55801d4242b0]: Epoch #0 freed [gnutls] (5) REC[0x55801d4242b0]: Epoch #1 freed [ 0][plan] plan '.' type 'DNSKEY' [35791][iter] '.' type 'DNSKEY' id was assigned, parent id 0 [ ][nsre] score 1 for 9.9.9.9; cached RTT: -1 [ ][nsre] score 1 for 1.1.1.1; cached RTT: -1 [ ][nsre] score 1 for 149.112.112.112; cached RTT: -1 [ ][nsre] score 1 for 1.0.0.1; cached RTT: -1 kresd: daemon/worker.c:1691: qr_task_step: Assertion `session->outgoing' failed. Aborted

6 let, 5 měsíců

2
6
0 0

Knot Resolver 3.2.0

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 3.2.0 has been released. New features ------------ - module edns_keepalive to implement server side of RFC 7828 (#408) - module nsid to implement server side of RFC 5001 (#289) - module bogus_log provides .frequent() table (!629, credit Ulrich Wisser) - module stats collects flags from answer messages (!629, credit Ulrich Wisser) - module view supports multiple rules with identical address/TSIG specification and keeps trying rules until a "non-chain" action is executed (!678) - module experimental_dot_auth implements an DNS-over-TLS to auth protocol (!711, credit Manu Bretelle) - net.bpf bindings allow advanced users to use eBPF socket filters Bugfixes -------- - http module: only run prometheus in parent process if using --forks=N, as the submodule collects metrics from all sub-processes as well. - TLS fixes for corner cases (!700, !714, !716, !721, !728) - fix build with -DNOVERBOSELOG (#424) - policy.{FORWARD,TLS_FORWARD,STUB}: respect net.ipv{4,6} setting (!710) - avoid SERVFAILs due to certain kind of NS dependency cycles, again (#374) this time seen as 'circular dependency' in verbose logs - policy and view modules do not overwrite result finished requests (!678) Improvements ------------ - Dockerfile: rework, basing on Debian instead of Alpine - policy.{FORWARD,TLS_FORWARD,STUB}: give advantage to IPv6 when choosing whom to ask, just as for iteration - use pseudo-randomness from gnutls instead of internal ISAAC (#233) - tune the way we deal with non-responsive servers (!716, !723) - documentation clarifies interaction between policy and view modules (!678, !730) Module API changes ------------------ - new layer is added: answer_finalize - kr_request keeps ::qsource.packet beyond the begin layer - kr_request::qsource.tcp renamed to ::qsource.flags.tcp - kr_request::has_tls renamed to ::qsource.flags.tls - kr_zonecut_add(), kr_zonecut_del() and kr_nsrep_sort() changed parameters slightly Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v3.2.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-3.2.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-3.2.0.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v3.2.0/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

6 let, 5 měsíců

1
0
0 0

knot-resolver 3.1.0 nevrací A záznam pro www.cezdistribuce.cz

by Zdeněk Janiš

Dobrý den, používám knot-resolver ver. 3.1.0 a zjistil, že nevrací A záznamy pro: www.cezdistribuce.cz když vymažu cache: cache.clear('cezdistribuce.cz') tak se knot-resolver na nedefinovanou dobu umoudří a A záznamy normálně vrací. Přitom google DNS 8.8.8.8 záznamy vrací v pořádku. Jinou anomálii jsem nezjistil. V čem může být problém? Konfigurace? Nefunkční výpis: $ dig @192.168.100.100 -t A www.cezdistribuce.cz ; <<>> DiG 9.11.4-P2-3~bpo9+1-Debian <<>> @192.168.100.100 -t A www.cezdistribuce.cz ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26696 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.cezdistribuce.cz. IN A ;; AUTHORITY SECTION: cezdistribuce.cz. 41952 IN SOA ns10.cez.cz. netmaster.cezdata.cz. 2018112701 28800 7200 864000 86400 ;; Query time: 1 msec ;; SERVER: 192.168.100.100#53(192.168.100.100) ;; WHEN: Po pro 10 07:58:55 CET 2018 ;; MSG SIZE rcvd: 112 Funkční, po vymazaní z cache: $ dig @192.168.100.100 -t A www.cezdistribuce.cz ; <<>> DiG 9.11.4-P2-3~bpo9+1-Debian <<>> @192.168.100.100 -t A www.cezdistribuce.cz ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 89 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.cezdistribuce.cz. IN A ;; ANSWER SECTION: www.cezdistribuce.cz. 24 IN A 89.111.76.140 ;; Query time: 0 msec ;; SERVER: 192.168.100.100#53(192.168.100.100) ;; WHEN: Po pro 10 08:09:59 CET 2018 ;; MSG SIZE rcvd: 65 Děkuji za pomoc. -- Zdeněk Janiš

6 let, 5 měsíců

3
2
0 0

not able to configure kresd

by Ján Boroš

hi My idea is to use knot resolver as dns forwarder / cache instead using dnsmasq. I am using old PC with archlinux as router. I did change dnsmasq config so it listen on port 5353. following steps here https://wiki.archlinux.org/index.php/Knot_Resolver I did change systemd unit so my kresd is listening on both local interfaces. I am checking that with ss command and it is ok. here is my config of kresd cat /etc/knot-resolver/kresd.conf -- vim:syntax=lua: -- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration -- Load useful modules modules = { 'policy', -- Block queries to local zones/bad sites 'hints > iterate', -- Load /etc/hosts and allow custom root hints 'stats', -- Track internal statistics 'predict', -- Prefetch expiring/frequent records } -- See kresd.systemd(7) about configuring network interfaces when using systemd -- Listen on localhost (default) -- net = { '127.0.0.1', '::1'} -- Enable DNSSEC validation -- trust_anchors.file = '/etc/knot-resolver/root.keys' hints.root_file = '/etc/knot-resolver/root.hints' -- Cache size cache.size = 100 * MB After start I can see following errors in journal Nov 08 22:49:43 skriatok systemd[1]: Starting Knot Resolver daemon... Nov 08 22:49:43 skriatok systemd[1]: Started Knot Resolver daemon. Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'b.root- servers.net.', type: 1 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'b.root- servers.net.', type: 28 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'h.root- servers.net.', type: 28 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'j.root- servers.net.', type: 1 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'm.root- servers.net.', type: 1 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'l.root- servers.net.', type: 1 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'j.root- servers.net.', type: 28 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'i.root- servers.net.', type: 28 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'g.root- servers.net.', type: 28 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'f.root- servers.net.', type: 28 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'e.root- servers.net.', type: 28 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'd.root- servers.net.', type: 28 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'a.root- servers.net.', type: 28 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'h.root- servers.net.', type: 1 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'c.root- servers.net.', type: 1 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'k.root- servers.net.', type: 1 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'e.root- servers.net.', type: 1 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'f.root- servers.net.', type: 1 ... thank you for help

6 let, 7 měsíců

3
6
0 0

Status of DNS over HTTPS in knot resolver

by Arsen STASIC

Hi, What is the current status for DoH (DNS over HTTPS) in knot resolver? There is an open issue #280 https://gitlab.labs.nic.cz/knot/knot-resolver/issues/280 Marek Vavrusa from Cloudflare offers a patch for this, but I haven't found it so far and dnsprivacy.org also mentions (probably) this patch. https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status Is this patch available? cheers -arsen

6 let, 7 měsíců

2
1
0 0

forward for given zones

by Ivo Panáček

Hi, I am not able to force knot-resolver to forward some queries. I have real DNS zone and in internal network I have few 3rd level subzones. For them I would like to make my kresd forward queries to our internal DNS server (bind9). My computer is not inside company nework - connected via openvpn. System is ubuntu 18.04.1 (up-to-date) and knot-resolver 3.0.0. Relevant part of kresd.conf is: policy.add(policy.suffix( policy.FORWARD('10.0.0.1'),{ todname('sub1.company.cz'), todname('sub2.company.cz') } )) dig machine.sub1.company.cz @127.0.0.53 does NOT work, dig machine.sub1.company.cz @10.0.0.1 DOES work I have set verbose(true) but with no help. kresd queries 10.0.0.1 for 'company.cz' only, but that's all. I am just working on it on my ubuntu workstation, but real target will be turris omnia with its kresd, which connects via openvpn to company network. -- Sincerely Ivo Panacek

6 let, 7 měsíců

3
8
0 0

Knot Resolver 3.1.0

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 3.1.0 has been released. Incompatible changes -------------------- - hints.use_nodata(true) by default; that's what most users want - libknot >= 2.7.2 is required Improvements ------------ - cache: handle out-of-space SIGBUS slightly better (#197) - daemon: improve TCP timeout handling (!686) Bugfixes -------- - cache.clear('name'): fix some edge cases in API (#401) - fix error handling from TLS writes (!669) - avoid SERVFAILs due to certain kind of NS dependency cycles (#374) Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v3.1.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-3.1.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-3.1.0.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v3.1.0/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

6 let, 7 měsíců

1
0
0 0

views with more than one policy

by Bratislav ILIC

Dear Knot Resolver users, Is it possible to create a view with more than one policie? If I do for example something like this: view:addr('192.168.1.0/24', policy.suffix( policy.PASS, policy.todnames({'good.com','better.com','best.com'}) ) ) view:addr('192.168.1.0/24', policy.suffix( policy.REFUSE,{todname('bad.com')} ) ) Knot resolver will obey only the first view and users will be able to resolve the bad.com domain ... obviously the first view is the match and no other views are considered afterwards ... Without multiple policies views are pretty much useless so I believe that I must be doing something wrong here so could anybody help me on this ... Best regards, Bratislav ILIC

6 let, 8 měsíců

3
3
0 0

Knot Resolver 3.0.0

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 3.0.0 has been released. Incompatible changes -------------------- - cache: fail lua operations if cache isn't open yet (!639) By default cache is opened *after* reading the configuration, and older versions were silently ignoring cache operations. Valid configuration must open cache using `cache.open()` or `cache.size =` before executing cache operations like `cache.clear()`. - libknot >= 2.7.1 is required, which brings also larger API changes - in case you wrote custom Lua modules, please consult https://knot-resolver.readthedocs.io/en/latest/lib.html#incompatible-change… - in case you wrote custom C modules, please see compile against Knot DNS 2.7 and adjust your module according to messages from C compiler - DNS cookie module (RFC 7873) is not available in this release, it will be later reworked to reflect development in IEFT dnsop working group - version module was permanently removed because it was not really used by users; if you want to receive notifications about new releases please subscribe to https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-resolver-announce Bugfixes -------- - fix multi-process race condition in trust anchor maintenance (!643) - ta_sentinel: also consider static trust anchors not managed via RFC 5011 Improvements ------------ - reorder_RR() implementation is brought back - bring in performace improvements provided by libknot 2.7 - cache.clear() has a new, more powerful API - cache documentation was improved - old name "Knot DNS Resolver" is replaced by unambiguous "Knot Resolver" to prevent confusion with "Knot DNS" authoritative server Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v3.0.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-3.0.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-3.0.0.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v3.0.0/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

6 let, 9 měsíců

4
3
0 0

2025

2024

2023

2022

2021

2020

2019

2018

knot-resolver-users