Dear Knot Resolver users,
Knot Resolver 2.4.0 has been released.
Incompatible changes
--------------------
- minimal libknot version is now 2.6.7 to pull in latest fixes (#366)
Security
--------
- fix a rare case of zones incorrectly downgraded to insecure status
(!576)
New features
------------
- TLS session resumption (RFC 5077), both server and client (!585, #105)
(disabled when compiling with gnutls < 3.5)
- TLS_FORWARD policy uses system CA certificate store by default (!568)
- aggressive caching for NSEC3 zones (!600)
- optional protection from DNS Rebinding attack (module rebinding, !608)
- module bogus_log to log DNSSEC bogus queries without verbose logging
(!613)
Bugfixes
--------
- prefill: fix ability to read certificate bundle (!578)
- avoid turning off qname minimization in some cases, e.g. co.uk. (#339)
- fix validation of explicit wildcard queries (#274)
- dns64 module: more properties from the RFC implemented (incl.
bug #375)
Improvements
------------
- systemd: multiple enabled kresd instances can now be started using
kresd.target
- ta_sentinel: switch to version 14 of the RFC draft (!596)
- support for glibc systems with a non-Linux kernel (!588)
- support per-request variables for Lua modules (!533)
- support custom HTTP endpoints for Lua modules (!527)
Full changelog:
https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v2.4.0/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-2.4.0.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-2.4.0.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v2.4.0/
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
Hi,
today I wanted to try the ta sentinel functionality.
Unfortunately I do not get the expected results.
Maybe somebody could show me some example queries?
I tried:
dig +dnssec kskroll-sentinel-is-ta-20326.iis.se
dig +dnssec kskroll-sentinel-not-ta-20326.iis.se
dig +dnssec kskroll-sentinel-is-ta-19036.iis.se
dig +dnssec kskroll-sentinel-not-ta-19036.iis.se
All with the same result. No answer section.
dig +dnssec iis.se
iis.se. 60 IN A 91.226.37.214
iis.se. 60 IN RRSIG A 5 2 60 20180615103001 20180605103001 6150 iis.se.
XAbt3nM5DmpsDsvZN6gRW94mGwTsCYpAQxurTJYp4FHZXaXt82o+3SMD
ZEZjWsDswy3WsYp087Wx7Y4sH6HbuP0VYuwg1yLsBegrj6xNlcd5JarN
wi8ZGbTytnDBG5rvpqwUp8fat3ZZ6kko4t7BtsD4cFzdL2xpw4MPbBKz p0s=
What am I doing wrong?
/Ulrich
--
Ulrich Wisser
ulrich(a)wisser.se
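An added example, not part of the post above and not Knot Resolver's own code: a small checker that reads the output of the two sentinel queries (as produced by `dig`) and classifies the result the way RFC 8509 describes. The labels used there are `root-key-sentinel-is-ta-<keyid>` and `root-key-sentinel-not-ta-<keyid>`; the `kskroll-sentinel-` form comes from earlier drafts. The `dig` outputs below are constructed samples, and the zone serving the sentinel names is assumed to publish A records for them.

```python
import re

# Outcomes of the RFC 8509 root key sentinel test for one key ID, derived from
# the answers to the "is-ta" and "not-ta" names:
KEY_IS_TRUST_ANCHOR = "key-is-trust-anchor"        # is-ta answered, not-ta SERVFAIL
KEY_NOT_TRUST_ANCHOR = "key-not-trust-anchor"      # is-ta SERVFAIL, not-ta answered
SENTINEL_NOT_SUPPORTED = "sentinel-not-supported"  # both answered: resolver ignores the labels
INCONSISTENT = "inconsistent"                      # neither answered: test names did not resolve

def sentinel_names(key_id, zone):
    """Build the two RFC 8509 sentinel names for a key ID under a zone that serves them."""
    return (f"root-key-sentinel-is-ta-{key_id}.{zone}",
            f"root-key-sentinel-not-ta-{key_id}.{zone}")

def parse_dig(output):
    """Return (rcode, answer_count, ad_flag) taken from dig's header lines."""
    status = re.search(r"status:\s*([A-Z]+)", output)
    answers = re.search(r"ANSWER:\s*(\d+)", output)
    flags = re.search(r";; flags:\s*([a-z ]*);", output)
    rcode = status.group(1) if status else None
    count = int(answers.group(1)) if answers else 0
    ad = bool(flags) and "ad" in flags.group(1).split()
    return rcode, count, ad

def answered(output):
    """For the sentinel test a name 'resolves' when rcode is NOERROR and data came back."""
    rcode, count, _ = parse_dig(output)
    return rcode == "NOERROR" and count > 0

def classify(is_ta_output, not_ta_output):
    """Map the pair of dig outputs onto one of the four outcomes above."""
    is_ta, not_ta = answered(is_ta_output), answered(not_ta_output)
    if is_ta and not not_ta:
        return KEY_IS_TRUST_ANCHOR
    if not_ta and not is_ta:
        return KEY_NOT_TRUST_ANCHOR
    if is_ta and not_ta:
        return SENTINEL_NOT_SUPPORTED
    return INCONSISTENT

# Constructed sample dig outputs (header lines only; the address is documentation space).
DIG_ANSWERED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
root-key-sentinel-is-ta-20326.iis.se. 60 IN A 192.0.2.1
"""
DIG_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
DIG_EMPTY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""

if __name__ == "__main__":
    print(sentinel_names(20326, "iis.se"))
    print("key 20326:", classify(DIG_ANSWERED, DIG_SERVFAIL))
    print("both empty:", classify(DIG_EMPTY, DIG_EMPTY))
```

Run the two `dig +dnssec` queries against the resolver under test, feed each output to `classify`, and read the result: a resolver that trusts the key answers the is-ta name and fails the not-ta name; one that answers both does not implement the sentinel (or does not validate); one that answers neither is not giving a usable signal, which is the state worth investigating first.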
Hi,
over the last weekend I did configure knot resolver on Turris Omnia to
write statistics to my influxdb instance.
Now that I have statistics, I am not entirely sure what all the data means.
Everything under answer is easy to understand.
But all data under cache is only 0, although answer.cached is not 0.
Please find some stats below. I would be very grateful for some explanation
of what the data means.
My next step would be to try to use RPZ functionality. Are there statistics
for RPZ too?
/Ulrich
> stats.list()
[answer.nxdomain] => 360546
[answer.100ms] => 64682
[answer.1500ms] => 2740
[answer.slow] => 12137
[answer.servfail] => 204137
[answer.250ms] => 84208
[answer.cached] => 430091
[answer.nodata] => 1533
[answer.1ms] => 462921
[answer.total] => 922236
[answer.10ms] => 58963
[answer.noerror] => 356015
[answer.50ms] => 195917
[answer.500ms] => 29794
[answer.1000ms] => 7525
[predict.learned] => 54
[predict.epoch] => 19
[predict.queue] => 520
[query.edns] => 152223
[query.dnssec] => 211
> cache.stats()
[hit] => 0
[delete] => 0
[miss] => 0
[insert] => 0
--
Ulrich Wisser
ulrich(a)wisser.se
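An added example, not from the post above and not Knot Resolver's own code: a parser for the `[name] => value` lines that `stats.list()` prints, plus a few derived numbers an operator would actually watch. The latency counters (`answer.1ms` ... `answer.1500ms`, `answer.slow`) are treated as disjoint buckets in ascending order; the thresholds in `findings()` are illustrative assumptions, not kresd defaults. The sample text is the output posted above.

```python
import re
from collections import OrderedDict

# Constructed sample input: the stats.list() output from the post, in the
# "[name] => value" form kresd prints on its console.
SAMPLE_STATS = """\
[answer.nxdomain] => 360546
[answer.100ms] => 64682
[answer.1500ms] => 2740
[answer.slow] => 12137
[answer.servfail] => 204137
[answer.250ms] => 84208
[answer.cached] => 430091
[answer.nodata] => 1533
[answer.1ms] => 462921
[answer.total] => 922236
[answer.10ms] => 58963
[answer.noerror] => 356015
[answer.50ms] => 195917
[answer.500ms] => 29794
[answer.1000ms] => 7525
[predict.learned] => 54
[predict.epoch] => 19
[predict.queue] => 520
[query.edns] => 152223
[query.dnssec] => 211
"""

STAT_LINE = re.compile(r"^\[([A-Za-z0-9_.]+)\]\s*=>\s*(\d+)$")

# Latency counters in ascending order; each counts answers that took longer than the
# previous bound and no longer than its own ("slow" is everything over 1500 ms).
LATENCY_BUCKETS = ("1ms", "10ms", "50ms", "100ms", "250ms", "500ms", "1000ms", "1500ms", "slow")

def parse_stats(text):
    """Parse '[name] => value' lines into {name: int}; other lines are ignored."""
    stats = {}
    for line in text.splitlines():
        m = STAT_LINE.match(line.strip())
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats

def rcode_shares(stats):
    """Fraction of all answers per outcome (noerror/nxdomain/nodata/servfail)."""
    total = stats["answer.total"]
    return {k: stats.get("answer." + k, 0) / total
            for k in ("noerror", "nxdomain", "nodata", "servfail")}

def latency_cdf(stats):
    """Cumulative number of answers completed within each bucket bound."""
    cdf, running = OrderedDict(), 0
    for bucket in LATENCY_BUCKETS:
        running += stats.get("answer." + bucket, 0)
        cdf[bucket] = running
    return cdf

def findings(stats, servfail_limit=0.05, slow_limit=0.02):
    """Flag ratios worth a look. The limits are illustrative assumptions, not kresd defaults."""
    out = []
    total = stats["answer.total"]
    shares = rcode_shares(stats)
    if shares["servfail"] > servfail_limit:
        out.append("servfail share %.1f%%: check upstream reachability and DNSSEC validation "
                   "failures (the bogus_log module logs the latter)" % (100 * shares["servfail"]))
    slow = stats.get("answer.slow", 0) / total
    if slow > slow_limit:
        out.append("%.1f%% of answers took over 1500 ms" % (100 * slow))
    out.append("cache answered %.1f%% of queries" % (100 * stats.get("answer.cached", 0) / total))
    return out

if __name__ == "__main__":
    s = parse_stats(SAMPLE_STATS)
    for name, count in latency_cdf(s).items():
        print("within %-7s %8d (%.1f%%)" % (name, count, 100 * count / s["answer.total"]))
    for line in findings(s):
        print("-", line)
```

On this sample the SERVFAIL share is about 22% of all answers, which is the number an operator would chase before worrying about the zero `cache.stats()` counters; note also that the latency buckets sum to 918887 while `answer.total` is 922236, so percentages computed against the total need not reach exactly 100%.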
Hello knot-resolver users,
I have a question about the design of the systemd service for knot-resolver. I
installed knot from the OpenSuse repository
<https://software.opensuse.org//download.html?project=home%3ACZ-NIC%3Aknot-r…>
on Ubuntu 16 and 18.
The systemd service uses user *knot-resolver*. But this user cannot bind to
unprivileged ports, so when I have configuration like below where I bind to
network interface on privileged port and change user context, it fails with
"*[system] bind to '10.20.30.118@853' Permission denied*":
```
net.listen({'10.20.30.118'}, 853, { tls = true })
user('knot-resolver', 'knot-resolver')
```
To fix this I changed User *knot-resolver* to *root* in systemd service.
Now service starts to run as root, binds to network interface and then
changes context.
My question is, is this solution security-wise fine? Why is the systemd
service designed to run as user knot-resolver, when I guess many people
will need to override this in order to use knot-resolver properly? What is
the main idea? Or is there a different approach to overcome this (such as
Linux capabilities)?
Thank you for responses and please correct me in anything if I am wrong.
Ondrej Vaško
Hi,
I would like to run Knot Resolver with DNS-over-TLS on my laptop, but I
need to configure 'policy.FORWARD' whenever I connect to our corporate
network. The information about a new connection is provided by the Network
Manager; that is not a problem, but then I need to configure the
resolver somehow. I was thinking about creating a new configuration file
and simply restarting the server, but it fails with "Start request
repeated too quickly".
Is there a way to add/remove policy rules "on the fly"?
The HTTP/2 module seems like a good candidate for doing this. Can this
module be used to accomplish this task?
Best regards,
Martin Sehnoutka
PS: If there is anyone using dnssec-trigger, this would be similar, but
less complicated.
--
Martin Sehnoutka | Associate Software Engineer
PGP: 5FD64AF5
UTC+1 (CET)
RED HAT | TRIED. TESTED. TRUSTED.
Hi, Folks!
I want to use GoogleDNS 8.8.x.x as a fallback forwarder when a domain's NSes
are down or inaccessible (for example, when network connectivity between me
and the NS is broken).
Is it possible?
policy.add(policy.all(policy.FORWARD({ '8.8.8.8', '8.8.4.4' }))) works
well, but disables recursion entirely. How can I call it only after/when
recursion has failed?
WBR, Ilya
Dear Knot Resolver users,
Knot Resolver 2.3.0 has been released. This is a security release that
fixes CVE-2018-1110.
We're also introducing a new mailing list, knot-resolver-announce. Only
notifications about new releases or important announcements will be
posted there.
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-resolver-announce
Security
--------
- fix CVE-2018-1110: denial of service triggered by malformed DNS
messages (!550, !558, security!2, security!4)
- increase resilience against slow loris attack (security!5)
Bugfixes
--------
- validation: fix SERVFAIL in case of CNAME to NXDOMAIN in a single
zone (!538)
- validation: fix SERVFAIL for DS . query (!544)
- lib/resolve: don't send unnecessary queries to parent zone (!513)
- iterate: fix validation for zones where parent and child share
NS (!543)
- TLS: improve error handling and documentation (!536, !555, !559)
Improvements
------------
- prefill: new module to periodically import root zone into cache
(replacement for RFC 7706, !511)
- network_listen_fd: always create end point for supervisor supplied
file descriptor
- use CPPFLAGS build environment variable if set (!547)
Full changelog:
https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v2.3.0/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-2.3.0.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-2.3.0.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v2.3.0/
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
Hi,
I have a fresh installation of the Knot Resolver on my Fedora 27:
*Package version*:
$ rpm -q knot-resolver
knot-resolver-2.2.0-1.fc27.x86_64
but it does not work out of the box. The problem is that the user
"knot-resolver" cannot bind to a privileged port. Why is the systemd
service file using the knot-resolver user? It works just fine when I remove
the "User=" option from the service file and add this line into the
kres.conf file:
user('knot-resolver', 'knot-resolver')
The resulting process runs as knot-resolver and it binds successfully.
Best regards,
--
Martin Sehnoutka | Associate Software Engineer
PGP: 5FD64AF5
UTC+1 (CET)
RED HAT | TRIED. TESTED. TRUSTED.
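Both the Ubuntu post above (binding 853 with `tls = true`) and this Fedora 27 one hit the same thing: a process that starts as `knot-resolver` has no right to bind a port below 1024. An added example, not part of either post and not the project's packaging: a systemd drop-in that keeps the service unprivileged and grants only `CAP_NET_BIND_SERVICE`, instead of starting as root and dropping privileges in the kresd config. The unit name `kresd@.service` and the drop-in path are assumptions; adjust them to the unit installed on your system.

```ini
# /etc/systemd/system/kresd@.service.d/override.conf   (assumed path and unit name)
[Service]
# Stay unprivileged: the stock unit already sets this, repeated here to make the intent explicit.
User=knot-resolver
Group=knot-resolver
# Ambient capabilities are inherited across exec by a non-root process, so kresd
# can bind 53/853 without ever running as root or being setuid.
AmbientCapabilities=CAP_NET_BIND_SERVICE
# Nothing else may be acquired, and no execve() may gain privileges later.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
```

After `systemctl daemon-reload` and a restart of the instance, `systemctl show -p AmbientCapabilities kresd@1` (instance name assumed) confirms the setting; the `user('knot-resolver', 'knot-resolver')` line in the kresd config becomes unnecessary because the process never ran as root. This is also what socket activation achieves in a different way: systemd opens the listening socket itself and passes the descriptor to the unprivileged daemon (the "supervisor supplied file descriptor" mentioned in the 2.3.0 notes above).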