- knot-resolver-users - lists.nic.cz

by Champion Xie

*kresc> cache.stats()* [hit] => 0 [delete] => 0 [miss] => 0 *[insert] => 280* *kresc> stats.list()* [answer.nxdomain] => 0 [answer.100ms] => 0 [answer.1500ms] => 0 [answer.slow] => 0 [answer.servfail] => 0 [answer.250ms] => 0 *[answer.cached] => 2430* [answer.nodata] => 0 [query.edns] => 2710 [query.dnssec] => 1 [answer.total] => 2710 [answer.10ms] => 272 [answer.noerror] => 2710 [answer.50ms] => 8 [answer.500ms] => 0 [answer.1000ms] => 0 [answer.1ms] => 2430 *kresc> cache.count()* *372* -- Best Regards!! champion_xie

7 let

2
1
0 0

forward policy stub kind of round robin

by Thomas Belián

Hello, I have at the moment a network with 3 DNS servers. They do recursive/caching as well as authorative zones (Bind 9). I want to build a structure with 2 authorative Servers using Knot-DNS and 3 resolvers using Knot-Resolver. As our authorative servers are in our network and as I want to get any changes in their zones as fast as possible to our users I use from the documentation: Replacing part of the DNS tree Interesting is this line: policy.add(policy.suffix(policy.STUB({'$our ip'}), extraTrees)) Can I put more than one IP at this line to forward the queries? We have 2 authorative servers, so I want ask both of them round robin like. In my config I have comma separated two servers, kresd is running with it, but it seems it uses only the first. Is there a way to get my desired behavior? Regards Thomas P.S.: Versions are Knot-Resolver 3.2.1 and OS is Ubuntu 18.04.02 -- Thomas Belián Fachhochschule Erfurt Fak. GTI / FR AI & Hochschulrechenzentrum Postfach 45 01 55, 99051 Erfurt Telefon: +49361 6700 - 647 E-Mail: thomas.belian(a)fh-erfurt.de

7 let, 1 měsíc

2
2
0 0

Knot Resolver 3.2.1

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 3.2.1 has been released. Bugfixes -------- - trust_anchors: respect validity time range during TA bootstrap (!748) - fix TLS rehandshake handling (!739) - make TLS_FORWARD compatible with GnuTLS 3.3 (!741) - special thanks to Grigorii Demidov for his long-term work on Knot Resolver! Improvements ------------ - improve handling of timeouted outgoing TCP connections (!734) - trust_anchors: check syntax of public keys in DNSKEY RRs (!748) - validator: clarify message about bogus non-authoritative data (!735) - dnssec validation failures contain more verbose reasoning (!735) - new function trust_anchors.summary() describes state of DNSSEC TAs (!737), and logs new state of trust anchors after start up and automatic changes - trust anchors: refuse revoked DNSKEY even if specified explicitly, and downgrade missing the SEP bit to a warning Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v3.2.1/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-3.2.1.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-3.2.1.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v3.2.1/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

7 let, 2 měsíce

1
0
0 0

knot-resolver 2.4.1 centos 7 aborts

by Harry Hoffman

Hi Folks, Pretty new to knot-resolver and I've been searching around but haven't found anyone with the same error. I'm running CentOS 7 with knot-resolver 2.4.1 from the EPEL repository. I believe that my config is only slightly modified from an example config. [root@usher knot-resolver]# cat kresd.conf -- Config file example useable for personal resolver. -- The goal is to have a validating resolver with tiny memory footprint, -- while actively tracking and refreshing frequent records to lower user latency. -- Refer to manual: https://knot-resolver.readthedocs.io/en/latest/daemon.html#configuration -- Listen on localhost (default) -- net = { '127.0.0.1', '::1' } -- Drop root privileges -- user('knot-resolver', 'knot-resolver') -- Auto-maintain root TA trust_anchors.file = 'root.keys' -- Load Useful modules modules = { 'policy', -- Block queries to local zones/bad sites 'hints', -- Load /etc/hosts and allow custom root hints 'stats', -- Track internal statistics 'predict', -- Prefetch expiring/frequent records } -- Smaller cache size cache.size = 10 * MB verbose(true) policy.add(policy.all(policy.TLS_FORWARD({ {'9.9.9.9', hostname='dns.quad9.net'}, {'1.1.1.1', hostname='cloudflare-dns.com'}, {'149.112.112.112', hostname='dns.quad9.net'}, {'1.0.0.1', hostname='cloudflare-dns.com'}, }))) When running (either via systemd or at a command line) kresd aborts. Below are the verbose logs: [root@usher knot-resolver]# /usr/sbin/kresd --config=/etc/knot-resolver/kresd.conf --forks=1 [gnutls] (2) Initializing PKCS #11 modules [gnutls] (2) p11: Initializing module: p11-kit-trust [gnutls] (3) ASSERT: pkcs11.c:665 [gnutls] (2) p11: No login requested. [gnutls] (2) p11: No login requested. [gnutls] (3) ASSERT: pkcs11.c:2664 [gnutls] (3) ASSERT: pkcs11.c:2993 [tls_client] imported 151 certs from system store [gnutls] (2) p11: No login requested. [gnutls] (2) p11: No login requested. [gnutls] (3) ASSERT: pkcs11.c:2664 [gnutls] (3) ASSERT: pkcs11.c:2993 [tls_client] imported 151 certs from system store [gnutls] (2) p11: No login requested. [gnutls] (2) p11: No login requested. [gnutls] (3) ASSERT: pkcs11.c:2664 [gnutls] (3) ASSERT: pkcs11.c:2993 [tls_client] imported 151 certs from system store [gnutls] (2) p11: No login requested. [gnutls] (2) p11: No login requested. [gnutls] (3) ASSERT: pkcs11.c:2664 [gnutls] (3) ASSERT: pkcs11.c:2993 [tls_client] imported 151 certs from system store [gnutls] (2) p11: No login requested. [gnutls] (2) p11: No login requested. [gnutls] (3) ASSERT: pkcs11.c:2664 [gnutls] (3) ASSERT: pkcs11.c:2993 [tls_client] imported 151 certs from system store [gnutls] (2) p11: No login requested. [gnutls] (2) p11: No login requested. [gnutls] (3) ASSERT: pkcs11.c:2664 [gnutls] (3) ASSERT: pkcs11.c:2993 [tls_client] imported 151 certs from system store [gnutls] (2) p11: No login requested. [gnutls] (2) p11: No login requested. [gnutls] (3) ASSERT: pkcs11.c:2664 [gnutls] (3) ASSERT: pkcs11.c:2993 [tls_client] imported 151 certs from system store [gnutls] (2) p11: No login requested. [gnutls] (2) p11: No login requested. [gnutls] (3) ASSERT: pkcs11.c:2664 [gnutls] (3) ASSERT: pkcs11.c:2993 [tls_client] imported 151 certs from system store [tls_client] error: hostname 'dns.quad9.net' for address '9.9.9.9#00853' already was set, ignoring [tls_client] error: system ca for address '9.9.9.9#00853' already was set, ignoring [tls_client] error: hostname 'cloudflare-dns.com' for address '1.0.0.1#00853' already was set, ignoring [tls_client] error: system ca for address '1.0.0.1#00853' already was set, ignoring [tls_client] error: hostname 'dns.quad9.net' for address '149.112.112.112#00853' already was set, ignoring [tls_client] error: system ca for address '149.112.112.112#00853' already was set, ignoring [tls_client] error: hostname 'cloudflare-dns.com' for address '1.1.1.1#00853' already was set, ignoring [tls_client] error: system ca for address '1.1.1.1#00853' already was set, ignoring [ 0][plan] plan '.' type 'NS' [50114][iter] '.' type 'NS' id was assigned, parent id 0 [50114][plan] plan '.' type 'DNSKEY' [26197][iter] '.' type 'DNSKEY' id was assigned, parent id 50114 [ ][nsre] score 1 for 9.9.9.9; cached RTT: -1 [ ][nsre] score 1 for 1.1.1.1; cached RTT: -1 [ ][nsre] score 1 for 149.112.112.112; cached RTT: -1 [ ][nsre] score 1 for 1.0.0.1; cached RTT: -1 [gnutls] (5) REC[0x55801d4242b0]: Allocating epoch #0 [26197][wrkr] => connecting to: '9.9.9.9' [ 0][plan] plan '.' type 'NS' [38655][iter] '.' type 'NS' id was assigned, parent id 0 [ ][nsre] score 1 for 9.9.9.9; cached RTT: -1 [ ][nsre] score 1 for 1.1.1.1; cached RTT: -1 [ ][nsre] score 1 for 149.112.112.112; cached RTT: -1 [ ][nsre] score 1 for 1.0.0.1; cached RTT: -1 [26197][wrkr] => connected to '9.9.9.9' [gnutls] (3) ASSERT: gnutls_constate.c:586 [gnutls] (5) REC[0x55801d4242b0]: Allocating epoch #1 [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_AES_256_GCM_SHA384 (C0.30) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA1 (C0.13) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA256 (C0.27) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_AES_256_CBC_SHA1 (C0.14) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_AES_128_GCM_SHA256 (00.9C) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_AES_256_GCM_SHA384 (00.9D) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_CAMELLIA_128_GCM_SHA256 (C0.7A) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_CAMELLIA_256_GCM_SHA384 (C0.7B) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1 (00.2F) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256 (00.3C) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1 (00.35) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256 (00.3D) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1 (00.41) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA256 (00.BA) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1 (00.84) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA256 (00.C0) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1 (00.0A) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_AES_128_GCM_SHA256 (00.9E) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_AES_256_GCM_SHA384 (00.9F) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1 (00.33) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256 (00.67) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1 (00.39) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256 (00.6B) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 (00.16) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_AES_128_GCM_SHA256 (00.A2) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_AES_256_GCM_SHA384 (00.A3) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_GCM_SHA256 (C0.80) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_GCM_SHA384 (C0.81) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1 (00.32) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256 (00.40) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1 (00.38) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256 (00.6A) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1 (00.44) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA256 (00.BD) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1 (00.87) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA256 (00.C3) [gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1 (00.13) [gnutls] (4) EXT[0x55801d4242b0]: Sending extension STATUS REQUEST (5 bytes) [gnutls] (4) EXT[0x55801d4242b0]: Sending extension SAFE RENEGOTIATION (1 bytes) [gnutls] (4) EXT[0x55801d4242b0]: Sending extension SESSION TICKET (0 bytes) [gnutls] (4) EXT[0x55801d4242b0]: Sending extension SUPPORTED ECC (8 bytes) [gnutls] (4) EXT[0x55801d4242b0]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes) [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (4.1) RSA-SHA256 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (4.2) DSA-SHA256 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (4.3) ECDSA-SHA256 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (5.1) RSA-SHA384 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (5.3) ECDSA-SHA384 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (6.1) RSA-SHA512 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (6.3) ECDSA-SHA512 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (3.1) RSA-SHA224 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (3.2) DSA-SHA224 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (3.3) ECDSA-SHA224 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (2.1) RSA-SHA1 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (2.2) DSA-SHA1 [gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (2.3) ECDSA-SHA1 [gnutls] (4) EXT[0x55801d4242b0]: Sending extension SIGNATURE ALGORITHMS (28 bytes) [gnutls] (4) HSK[0x55801d4242b0]: CLIENT HELLO was queued [227 bytes] [gnutls] (5) REC[0x55801d4242b0]: Preparing Packet Handshake(22) with length: 227 and min pad: 0 [gnutls] (5) REC[0x55801d4242b0]: Sent Packet[1] Handshake(22) in epoch 0 and length: 232 [ 0][wrkr] [tls_client] push 232 <0x55801d3f4400> [gnutls] (3) ASSERT: gnutls_buffers.c:1139 [gnutls] (2) The pull function has been replaced but not the pull timeout.[gnutls] (3) ASSERT: gnutls_buffers.c:731 [gnutls] (3) ASSERT: gnutls_buffers.c:332 [gnutls] (3) ASSERT: gnutls_buffers.c:572 [gnutls] (3) ASSERT: gnutls_record.c:1063 [gnutls] (3) ASSERT: gnutls_record.c:1184 [gnutls] (3) ASSERT: gnutls_buffers.c:1393 [gnutls] (3) ASSERT: gnutls_handshake.c:1440 [gnutls] (3) ASSERT: gnutls_handshake.c:2739 [tls_client] handshake failed (Error in the pull function.) [ 0][resl] AD: request NOT classified as SECURE [26197][resl] finished: 0, queries: 0, mempool: 81952 B [priming] cannot resolve '.' NS, next priming query in 10 seconds [ 0][resl] AD: request NOT classified as SECURE [38655][resl] finished: 0, queries: 0, mempool: 81952 B [detect_time_skew] cannot resolve '.' NS [gnutls] (5) REC[0x55801d4242b0]: Start of epoch cleanup [gnutls] (5) REC[0x55801d4242b0]: End of epoch cleanup [gnutls] (5) REC[0x55801d4242b0]: Epoch #0 freed [gnutls] (5) REC[0x55801d4242b0]: Epoch #1 freed [ 0][plan] plan '.' type 'DNSKEY' [35791][iter] '.' type 'DNSKEY' id was assigned, parent id 0 [ ][nsre] score 1 for 9.9.9.9; cached RTT: -1 [ ][nsre] score 1 for 1.1.1.1; cached RTT: -1 [ ][nsre] score 1 for 149.112.112.112; cached RTT: -1 [ ][nsre] score 1 for 1.0.0.1; cached RTT: -1 kresd: daemon/worker.c:1691: qr_task_step: Assertion `session->outgoing' failed. Aborted

7 let, 2 měsíce

2
6
0 0

Knot Resolver 3.2.0

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 3.2.0 has been released. New features ------------ - module edns_keepalive to implement server side of RFC 7828 (#408) - module nsid to implement server side of RFC 5001 (#289) - module bogus_log provides .frequent() table (!629, credit Ulrich Wisser) - module stats collects flags from answer messages (!629, credit Ulrich Wisser) - module view supports multiple rules with identical address/TSIG specification and keeps trying rules until a "non-chain" action is executed (!678) - module experimental_dot_auth implements an DNS-over-TLS to auth protocol (!711, credit Manu Bretelle) - net.bpf bindings allow advanced users to use eBPF socket filters Bugfixes -------- - http module: only run prometheus in parent process if using --forks=N, as the submodule collects metrics from all sub-processes as well. - TLS fixes for corner cases (!700, !714, !716, !721, !728) - fix build with -DNOVERBOSELOG (#424) - policy.{FORWARD,TLS_FORWARD,STUB}: respect net.ipv{4,6} setting (!710) - avoid SERVFAILs due to certain kind of NS dependency cycles, again (#374) this time seen as 'circular dependency' in verbose logs - policy and view modules do not overwrite result finished requests (!678) Improvements ------------ - Dockerfile: rework, basing on Debian instead of Alpine - policy.{FORWARD,TLS_FORWARD,STUB}: give advantage to IPv6 when choosing whom to ask, just as for iteration - use pseudo-randomness from gnutls instead of internal ISAAC (#233) - tune the way we deal with non-responsive servers (!716, !723) - documentation clarifies interaction between policy and view modules (!678, !730) Module API changes ------------------ - new layer is added: answer_finalize - kr_request keeps ::qsource.packet beyond the begin layer - kr_request::qsource.tcp renamed to ::qsource.flags.tcp - kr_request::has_tls renamed to ::qsource.flags.tls - kr_zonecut_add(), kr_zonecut_del() and kr_nsrep_sort() changed parameters slightly Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v3.2.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-3.2.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-3.2.0.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v3.2.0/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

7 let, 3 měsíce

1
0
0 0

knot-resolver 3.1.0 nevrací A záznam pro www.cezdistribuce.cz

by Zdeněk Janiš

Dobrý den, používám knot-resolver ver. 3.1.0 a zjistil, že nevrací A záznamy pro: www.cezdistribuce.cz když vymažu cache: cache.clear('cezdistribuce.cz') tak se knot-resolver na nedefinovanou dobu umoudří a A záznamy normálně vrací. Přitom google DNS 8.8.8.8 záznamy vrací v pořádku. Jinou anomálii jsem nezjistil. V čem může být problém? Konfigurace? Nefunkční výpis: $ dig @192.168.100.100 -t A www.cezdistribuce.cz ; <<>> DiG 9.11.4-P2-3~bpo9+1-Debian <<>> @192.168.100.100 -t A www.cezdistribuce.cz ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26696 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.cezdistribuce.cz. IN A ;; AUTHORITY SECTION: cezdistribuce.cz. 41952 IN SOA ns10.cez.cz. netmaster.cezdata.cz. 2018112701 28800 7200 864000 86400 ;; Query time: 1 msec ;; SERVER: 192.168.100.100#53(192.168.100.100) ;; WHEN: Po pro 10 07:58:55 CET 2018 ;; MSG SIZE rcvd: 112 Funkční, po vymazaní z cache: $ dig @192.168.100.100 -t A www.cezdistribuce.cz ; <<>> DiG 9.11.4-P2-3~bpo9+1-Debian <<>> @192.168.100.100 -t A www.cezdistribuce.cz ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 89 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.cezdistribuce.cz. IN A ;; ANSWER SECTION: www.cezdistribuce.cz. 24 IN A 89.111.76.140 ;; Query time: 0 msec ;; SERVER: 192.168.100.100#53(192.168.100.100) ;; WHEN: Po pro 10 08:09:59 CET 2018 ;; MSG SIZE rcvd: 65 Děkuji za pomoc. -- Zdeněk Janiš

7 let, 3 měsíce

3
2
0 0

not able to configure kresd

by Ján Boroš

hi My idea is to use knot resolver as dns forwarder / cache instead using dnsmasq. I am using old PC with archlinux as router. I did change dnsmasq config so it listen on port 5353. following steps here https://wiki.archlinux.org/index.php/Knot_Resolver I did change systemd unit so my kresd is listening on both local interfaces. I am checking that with ss command and it is ok. here is my config of kresd cat /etc/knot-resolver/kresd.conf -- vim:syntax=lua: -- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration -- Load useful modules modules = { 'policy', -- Block queries to local zones/bad sites 'hints > iterate', -- Load /etc/hosts and allow custom root hints 'stats', -- Track internal statistics 'predict', -- Prefetch expiring/frequent records } -- See kresd.systemd(7) about configuring network interfaces when using systemd -- Listen on localhost (default) -- net = { '127.0.0.1', '::1'} -- Enable DNSSEC validation -- trust_anchors.file = '/etc/knot-resolver/root.keys' hints.root_file = '/etc/knot-resolver/root.hints' -- Cache size cache.size = 100 * MB After start I can see following errors in journal Nov 08 22:49:43 skriatok systemd[1]: Starting Knot Resolver daemon... Nov 08 22:49:43 skriatok systemd[1]: Started Knot Resolver daemon. Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'b.root- servers.net.', type: 1 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'b.root- servers.net.', type: 28 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'h.root- servers.net.', type: 28 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'j.root- servers.net.', type: 1 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'm.root- servers.net.', type: 1 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'l.root- servers.net.', type: 1 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'j.root- servers.net.', type: 28 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'i.root- servers.net.', type: 28 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'g.root- servers.net.', type: 28 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'f.root- servers.net.', type: 28 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'e.root- servers.net.', type: 28 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'd.root- servers.net.', type: 28 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'a.root- servers.net.', type: 28 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'h.root- servers.net.', type: 1 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'c.root- servers.net.', type: 1 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'k.root- servers.net.', type: 1 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'e.root- servers.net.', type: 1 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'f.root- servers.net.', type: 1 ... thank you for help

7 let, 4 měsíce

3
6
0 0

Status of DNS over HTTPS in knot resolver

by Arsen STASIC

Hi, What is the current status for DoH (DNS over HTTPS) in knot resolver? There is an open issue #280 https://gitlab.labs.nic.cz/knot/knot-resolver/issues/280 Marek Vavrusa from Cloudflare offers a patch for this, but I haven't found it so far and dnsprivacy.org also mentions (probably) this patch. https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status Is this patch available? cheers -arsen

7 let, 4 měsíce

2
1
0 0

forward for given zones

by Ivo Panáček

Hi, I am not able to force knot-resolver to forward some queries. I have real DNS zone and in internal network I have few 3rd level subzones. For them I would like to make my kresd forward queries to our internal DNS server (bind9). My computer is not inside company nework - connected via openvpn. System is ubuntu 18.04.1 (up-to-date) and knot-resolver 3.0.0. Relevant part of kresd.conf is: policy.add(policy.suffix( policy.FORWARD('10.0.0.1'),{ todname('sub1.company.cz'), todname('sub2.company.cz') } )) dig machine.sub1.company.cz @127.0.0.53 does NOT work, dig machine.sub1.company.cz @10.0.0.1 DOES work I have set verbose(true) but with no help. kresd queries 10.0.0.1 for 'company.cz' only, but that's all. I am just working on it on my ubuntu workstation, but real target will be turris omnia with its kresd, which connects via openvpn to company network. -- Sincerely Ivo Panacek

7 let, 4 měsíce

3
8
0 0

Knot Resolver 3.1.0

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 3.1.0 has been released. Incompatible changes -------------------- - hints.use_nodata(true) by default; that's what most users want - libknot >= 2.7.2 is required Improvements ------------ - cache: handle out-of-space SIGBUS slightly better (#197) - daemon: improve TCP timeout handling (!686) Bugfixes -------- - cache.clear('name'): fix some edge cases in API (#401) - fix error handling from TLS writes (!669) - avoid SERVFAILs due to certain kind of NS dependency cycles (#374) Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v3.1.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-3.1.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-3.1.0.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v3.1.0/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

7 let, 5 měsíců

1
0
0 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

knot-resolver-users