- knot-resolver-users - lists.nic.cz

by Aleš Mrázek

Dear Knot Resolver users, Knot Resolver versions 5.7.1 (stable) and 6.0.6 (early-access) have been released! These releases include important security fixes, an update is strongly advised! Security: - CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU * validator: lower the NSEC3 iteration limit (150 -> 50) * validator: similarly also limit excessive NSEC3 salt length * cache: limit the amount of work on SHA1 in NSEC3 aggressive cache * validator: limit the amount of work on SHA1 in NSEC3 proofs * validator: refuse to validate answers with more than 8 NSEC3 records - CVE-2023-50387 "KeyTrap": DNSSEC verification complexity could be exploited to exhaust CPU resources and stall DNS resolvers. Solution boils down mainly to limiting crypto-validations per packet. We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel and Michael Waidner from the German National Research Center for Applied Cybersecurity ATHENE for bringing this vulnerability to our attention. Improvements: - update addresses of B.root-servers.net (!1478) Bugfixes: - fix potential SERVFAIL deadlocks if net.ipv6 = false (#880) The update affects how some cached records are being treated, which may trip up some sanity checking mechanisms in Knot Resolver if you have advanced debugging options enabled (disabled by default), "debugging.assertion_abort" for version 5 (Lua) and "logging/debugging/assertation-abort" for version 6 (YAML). In case you encounter any issues, please try clearing the cache first. Full changelog: https://gitlab.nic.cz/knot/knot-resolver/raw/v5.7.1/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.7.1.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.7.1.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v5.7.1/ -- Ales Mrazek PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE

1 rok, 7 měsíců

1
0
0 0

Lost e-mails to the mailing list + upcoming security release today

by Oto Šťáva

Dear Knot Resolver users, last week a long-lasting bug in our mailing system has been discovered, which, over the past two years, blocked quite a few e-mails from being delivered to the list <knot-resolver-users(a)lists.nic.cz> and a few others (namely the <knot-dns-users(a)lists.nic.cz>, whose subscriber Juha Suhonen initially brought our attention to the issue - a thank you to Juha is in order!). This week the issue has been resolved and the blocked e-mails came through. Some of these were our own, namely the Knot Resolver 5.5.0 release announcement, which is obviously outdated, as the current stable version is Knot Resolver 5.7.0. We apologize for any confusion this situation may have caused. Some others are still awaiting additional approval, so after we manually identify, which are still relevant, and which are spam, they will also come through during the following weeks. Furthermore, later today we are planning to release new versions of the stable Knot Resolver 5 and the early-access Knot Resolver 6. These important updates will mitigate a few newfound DoS issues, the details of which will soon be revealed globally. We are fully aware that this unfortunate timing may cause further confusion, so we opted to inform you, the subscribers, beforehand, that this next release e-mail is indeed relevant. We once again apologize for the confusion. Best regards Oto Šťáva Knot Resolver team CZ.NIC z.s.p.o.

1 rok, 7 měsíců

1
0
0 0

[SOLVED] Re: [knot-dns-users] Re: kresd not starting with lua error

by Mike Wright

On 2/12/24 01:34, Vladimír Čunát wrote: > On 28/01/2024 02.52, Mike Wright wrote: >> [system] error while loading config: >> ...b/x86_64-linux-gnu/knot-resolver/kres_modules/policy.lua:378: bad >> argument #1 to 'create' (table expected, got nil) (workdir >> '/var/lib/knot-resolver') > > You don't define the `internalDomain` variable. That's correct in lua > and evaluates as nil. > > (and as I already posted, please use the correct mailing-list next time) OK, figured out my mistake. internalDomains MUST APPEAR BEFORE any reference to it. Thanks for your time, Mike Wright

1 rok, 7 měsíců

1
0
0 0

Introducing Knot Resolver 6.x

by Aleš Mrázek

Dear Knot Resolver users, we would like to introduce you to Knot Resolver 6.x! This future version of the resolver is now in the testing phase. An article was published on our blog as part of this introduction. EN: https://en.blog.nic.cz/2023/12/15/knot-resolver-6-x-news CZ: https://blog.nic.cz/2023/12/15/novinky-v-knot-resolver-6-x We will be happy if you try the new version and give us any feedback. -- Ales Mrazek PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE

1 rok, 9 měsíců

1
0
0 0

Knot Resolver error

by martin.skalicky＠outlook.cz

Hi! I'm pretty new to Knot Resolver, previously i used Bind9 but wanted to try something else. However, i can't really figure out one problem, error: [system] error while loading config: /usr/lib/knot-resolver/kres_modules/policy.lua:43: bad argument #1 to 'kr_straddr_split' (cannot convert 'table' to 'const char *') (workdir '/var/lib/knot-resolver') I don't absolutely know, what am I doing wrong. Can you help me, please? Also, possible communication in Czech if better for someone? Here is my kresd.conf (my actual domains are replaced by domain1.tld, domain2.tld respectively): -- SPDX-License-Identifier: CC0-1.0 -- vim:syntax=lua:set ts=4 sw=4: -- Refer to manual: https://knot-resolver.readthedocs.org/en/stable/ -- Network interface configuration net.listen('127.0.0.1', 53, { kind = 'dns' }) net.listen('127.0.0.1', 853, { kind = 'tls' }) net.listen('::1', 53, { kind = 'dns', freebind = true }) net.listen('::1', 853, { kind = 'tls', freebind = true }) -- Load useful modules modules = { 'hints > iterate', -- Allow loading /etc/hosts or custom root hints 'stats', -- Track internal statistics 'predict', -- Prefetch expiring/frequent records } -- Cache size cache.size = 100 * MB -- DNS Rebinding Configuration policy.add(policy.todnames({'domain2.tld', 'domain1.tld'}), policy.PASS) policy.add(policy.todnames({'domain2.tld', 'domain1.tld'}), policy.FORWARD({{'192.168.0.126'}}))

1 rok, 9 měsíců

3
3
0 0

Problems with DNSSEC .CZ

by Martin Doubrava

Hi colleagues, we are using knot-resolver as anycast resolvers for our region wide network. Everything works fine, but from saturday we are experiencing problems with zone .cz on one of our resolvers: lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [plan ][00000.00] plan 'www.seznam.cz.' type 'AAAA' uid [20220.00] lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [iterat][20220.00] 'www.seznam.cz.' type 'AAAA' new uid was assigned .01, parent uid .00 lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.01] => skipping exact RR: rank 060 (min. 030), new TTL -16225 lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.01] => trying zone: seznam.cz., NSEC3, hash db928b48 lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.01] => NSEC3 depth 1: hash 0sil3tll31qpi1iq50o2h3kjrmon169q lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.01] => NSEC3 encloser error for www.seznam.cz.: range search found stale or insecure entry lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.01] => NSEC3 depth 0: hash lg5rgspgqdoqqjko0u7fkpkakk8hgc1s lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.01] => NSEC3 encloser error for seznam.cz.: range search found stale or insecure entry lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.01] => trying zone: seznam.cz., NSEC3, hash f8ba757c lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.01] => NSEC3 depth 1: hash s92e2vuk6k14pvqp4ubga1im9kpgff8a lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.01] => NSEC3 encloser error for www.seznam.cz.: range search found stale or insecure entry lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.01] => NSEC3 depth 0: hash 07u4nbhjigung96jklsqvtf6crqjojp8 lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.01] => NSEC3 encloser error for seznam.cz.: range search found stale or insecure entry lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [zoncut][20220.01] found cut: cz. (rank 002 return codes: DS 0, DNSKEY -116) lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [plan ][20220.01] plan 'cz.' type 'DNSKEY' uid [20220.02] lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [iterat][20220.02] 'cz.' type 'DNSKEY' new uid was assigned .03, parent uid .01 lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.03] => skipping exact RR: rank 060 (min. 030), new TTL -14979 lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.03] => trying zone: cz., NSEC3, hash 20b5ab23 lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.03] => NSEC3 depth 0: hash gurgi3ems8m3ts3pvppubu3hhqkivt3l lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.03] => NSEC3 encloser error for cz.: range search found stale or insecure entry lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [cache ][20220.03] => skipping zone: cz., NSEC, hash 0;new TTL -123456789, ret -2 lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [select][20220.03] => id: '03706' choosing from addresses: 0 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [select][20220.03] => id: '03706' no suitable transport, zone cut: 'cz.' lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [iterat][20220.03] 'cz.' type 'DNSKEY' new uid was assigned .04, parent uid .01 lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [select][20220.04] => id: '28359' choosing from addresses: 0 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [select][20220.04] => id: '28359' no suitable transport, zone cut: 'cz.' lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [resolv][20220.04] AD: request NOT classified as SECURE lis 27 12:44:19 doubrava-dns-lito-02 kresd[9742]: [resolv][20220.01] finished in state: 8, queries: 1, mempool: 16400 B Version of knot-resolver: 5.7.0-cznic.1 When i turn off DNSSEC with trust_anchors.remove('.') and then turn it on everything works, but only for day or so. Other machines are working seamlessly. What we are doing here wrong? Thank you! -- Best regards Bc. Martin Doubrava CEO _______________________________ DOUBRAVA.NET s.r.o. Náklo 178, 783 32 Náklo Mobil: +420 771 280 361 Technická podpora: +420 776 778 173 Office: +420 588 884 000 E-mail: martin(a)doubrava.net WWW: http://www.doubrava.net Najdete nás i na facebooku: http://www.facebook.com/doubravanet

1 rok, 9 měsíců

2
3
0 0

Accessing DoH headers in Lua

by Blažej Krajňák

Hi there, please, can anyone move me forward? I want to implement new stats counter for DoH requests with “Chrome” in "user-agent" header. I don’t know how to iterate “query.request.qsource.headers”. I have tried: function count_chrome_doh() return function (state, query) if query.request.qsource.flags.http then for k, v in ipairs(query.request.qsource.headers) do if v.name == 'user-agent' and v.value == 'Chrome' then if stats.get('request.agent.chrome') then stats['request.agent.chrome'] = stats.get('request.agent.chrome') + 1 else stats['request.agent.chrome'] = 1 end return nil end end end return nil end end policy.add(count_chrome_doh()) but it falls with error "'struct 322' has no '__ipairs’ metamethod” Thanks! Blažej

1 rok, 12 měsíců

2
3
0 0

Best way to implement kresd to filter by listening interface

by oui.mages_0w＠icloud.com

Hello, What would be the best way to implement the following with kresd? The device used has a 2 core cpu. It has 3 (listening) ip addresses, for example: 10.2.3.4, 2001:0DB8:123::1 and 2001:0DB8:123::64 I want to have kresd to listen to: – 10.2.3.4 and 2001:0DB8:123::1 and do a dns resolution using UDP (53), TLS and HTTPS (the question is not about these settings). – 2001:0DB8:123::64 and use the same settings as above, but adding the dns64 module and resolution (only for requests made to 2001:0DB8:123::64). Having 2 cores, I have 2 identical instances; should I differentiate them and have one for dns64 and one without? or could I have 2 identical instances with a shared configuration file allowing to use dns64 or not depending on the listening ip? Or 4 instances (2 identical for dns64, 2 identical without, to have a spare of each config)? The options with view: are good to filter or do actions depending on the source ip, the queried domain or even the resolved ip (destination), but nothing about the ip used to reach the resolver (the listening address). Thank you.

1 rok, 12 měsíců

1
0
0 0

Accessing DoH headers in Lua

by Blažej Krajňák

Hi there, please, can anyone move me forward? I want to implement new stats counter for DoH requests with “Chrome” in "user-agent" header. I don’t know how to iterate “query.request.qsource.headers”. I have tried: function count_chrome_doh() return function (state, query) if query.request.qsource.flags.http then for k, v in ipairs(query.request.qsource.headers) do if v.name == 'user-agent' and v.value == 'Chrome' then if stats.get('request.agent.chrome') then stats['request.agent.chrome'] = stats.get('request.agent.chrome') + 1 else stats['request.agent.chrome'] = 1 end return nil end end end return nil end end policy.add(count_chrome_doh()) but it falls with error "'struct 322' has no '__ipairs’ metamethod” Thanks! Blažej

2 roky

1
0
0 0

Knot Resolver 5.7.0

by Aleš Mrázek

Dear Knot Resolver users, Knot Resolver 5.7.0 has been released! Security - avoid excessive TCP reconnections in a few more cases Like before, the remote server had to behave nonsensically in order to inflict this upon itself, but it might be abusable for DoS. We thank Ivan Jedek from OryxLabs for reporting this. Improvements - forwarding mode: tweak dealing with failures from forwarders, in particular prefer sending CD=0 upstream (!1392) Bugfixes - fix unusual timestamp format in debug dumps of records (!1386) - adjust linker options; it should help less common platforms (!1384) - hints module: fix names inside home.arpa. (!1406) - EDNS padding (RFC 8467) compatibility with knot-dns 3.3 libs (!1422) Full changelog: https://gitlab.nic.cz/knot/knot-resolver/raw/v5.7.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.7.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.7.0.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v5.7.0/ -- Ales Mrazek PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE

2 roky

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

knot-resolver-users