I'm trying to set up a resolver with the addition of an invented TLD
(this is an experiment, no need to explain to me that it may be a bad
idea). I have authoritative name servers for the dummy TLD, which is
signed with DNSSEC and I want DNSSEC validation.
The documentation says that policy.FORWARD requires to forward to a
resolver :-(
policy.STUB disables validation so it is a no-no.
If I configure with policy.add + policy.FORWARD, and trust_anchors.add
for the key of the dummy TLD, it works for the TLD apex, for
subdomains of the TLD which are NOT signed but for signed subdomains
of the TLD, I get SERVFAIL + "EDE: 12 (NSEC Missing): (AHXI)".
Querying directly the authoritative name servers with the DO bit, I
get all the RRSIG and NSEC I need. But apparently, Knot cannot get them.
Knot-resolver 5.7.4
On 02/04/2025 23.19, oui.mages_0w(a)icloud.com wrote:
> So knot-resolver 6.0.8 with libknot15 seems to also trigger the memory
> leak I was experiencing with knot-resolver 6.0.9+ by the unidentified
> traffic pattern (or whatever is causing this).
Thanks, this is very interesting. I confirm that (for our Ubuntu 24.04
packages), libknot15 (i.e. knot 3.4) is used exactly since 6.0.9, so the
timing checks out, too. That's just a matter of binary builds. Even
the latest versions can still be built with libknot14 (3.3.x)
Have you looked into which libdnssec and libzscanner you have there?
The thing is that these two didn't change soname between knot 3.3 and
3.4, so here I see larger risks than with libknot itself.
Hello,
In short, we do use stats module with http module exposing webmgmt every
time SYSTEMD process knot is started (we do have 30 on one machine).
Unfortunately each of webmgmt shows the same stats in /stats or /metrics
endpoint (prometheus)
Checking metrics with socat, going into each process and running
stats.list() shows correctly stats per process.
Is there any way to have automatically exported per knot process statistics?
Regards,
_
*Marcel Adamski*DevOps Engineer
*M: *+48 882 115 524
*Redge *Technologies
Ostrobramska 86 | 04-163 Warsaw
*T: *+48 22 255 11 00 | *F: *+48 22 255 15 50
*www.redge.com* <https://redge.com/>
[image: RedgeTechnologies]
*Redge Technologies Sp. z o.o.*
*VAT No:* PL1132687365 | *REGON:* 141103558 | *KRS: *0000287417
District Court for the Capital City of Warsaw, XIV Commercial Division of
National Court Register | Share capital: 501 650 PLN
We use personal data in accordance with our privacy policy
<https://redge.com/privacy-policy/>
Hello
We are using knot-resolver 5.7.4 with multiple independent instances - 32. We also use tmpfs.
We starts processes by systemd.
the problem we encountered is that when systemd starts 32 processes, they get a timeout and are restarted by systemd. As a result, we have problems starting all processes. The problem does not occur when we do not use tmpfs.
How to solve this problem?
We shoud add to systemd something like this?
ExecStartPre=/bin/sleep $(( RANDOM % 5 ))
[Service]
StartLimitBurst=5
StartLimitIntervalSec=10
Or we should something to kresd configuration?
Hi,
I've found this warning in my journal:
... kresd[1071788]: [taupd ] you need to update package with trust
anchors in "/usr/share/dns/root.key" before it breaks
I don't know how to do that.
I think my system is current but just ran: apt update; apt list
--upgradable and it shows nothing regarding knot.
Thanks for any pointers,
Mike Wright
Hello,
On my local network, I have a computer fixed IP that I would like to use
a specific TLS FORWARD.
Generic TLS_FORWARD is simply configured as such.
policy.add(policy.all(policy.TLS_FORWARD({
{'9.9.9.9', hostname='dns9.quad9.net'},
{'1.1.1.1', hostname='cloudflare-dns.com'},
{'1.0.0.1', hostname='cloudflare-dns.com'},
})))
I tried to embed a specific different TLS_FORWARD with a
view:addr('10.10.10.10', ... )
but I cannot manage to restrict this TLS_FORWARD and to avoid it
poisoning the cache.
Is there somewhere an example of such setup, with ACL ending up on two
different TLS_FORWARD and one with no cache ?
Regards,
--
Mathieu Roy
Dear Knot Resolver users,
Knot Resolver 6.0.9 (early-access) has been released!
Improvements:
- rate-limiting: add these options, mechanism, docs (!1624)
- manager: secret for TLS session resumption via ticket (RFC5077) (!1567)
The manager creates and sets the secret for all running 'kresd' workers.
The secret is created automatically if the user does not configure
their own secret in the configuration.
This means that the workers will be able to resume each other's TLS
sessions, regardless of whether the user has configured it to do so.
- answer NOTIMPL for meta-types and non-IN RR classes (!1589)
- views: improve interaction with old-style policies (!1576)
- stats: add stale answer counter 'answer.stale' (!1591)
- extended_errors: answer with EDE in more cases (!1585, !1588, !1590,
!1592)
- local-data: make DNAMEs work, i.e. generate CNAMEs (!1609)
- daemon: use connected UDP sockets by default (#326, !1618)
- docker: multiplatform builds (#922, !1623)
- docker: shared VOLUMEs are prepared for configuration and cache
(!1625, !1627)
Configuration path was changed to standard
'/etc/knot-resolver/config.yaml'.
Bugfixes:
- daemon/proxyv2: fix informing the engine about TCP/TLS from the actual
client (!1578)
- forward: fix wrong pin-sha256 length; also log pins on mismatch
(!1601, #813)
Incompatible changes:
- -f/--forks is removed (#631, !1602)
- gnutls < 3.4 support is dropped, released over 9 years ago (!1601)
- libuv < 1.27 support is dropped, released over 5 years ago (!1618)
Full changelog:
https://gitlab.nic.cz/knot/knot-resolver/raw/v6.0.9/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.9.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.9.tar.xz.asc
Documentation:
https://www.knot-resolver.cz/documentation/v6.0.9/
--
Ales Mrazek
PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE