Hi,
i installed knot-resolver on my mail server and i see a issue with a specific domain, dovecot.org.
Everything is working as expected but this single domain doesn't always resolve.
After some time postfix cannot check the domain where mails coming from and doesn't accept them.
If i do dig dovecot.org, i get this (SERVFAIL):
dig dovecot.org
; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> dovecot.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27594
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dovecot.org. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fr Apr 29 08:34:55 CEST 2022
;; MSG SIZE rcvd: 40
it starts working again if do dig +cd, like this:
dig +cd dovecot.org
; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> +cd dovecot.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56130
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dovecot.org. IN A
;; ANSWER SECTION:
dovecot.org. 300 IN A 94.237.12.234
;; Query time: 245 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fr Apr 29 08:34:59 CEST 2022
;; MSG SIZE rcvd: 56
i didn't have this kind of issue using unbound before i switched, so i think here would be the right place to ask.
i'm using the knot-resolver 5.5.0 package from epel on rockylinux 8.5 and my kresd config is very simple:
net.listen('127.0.0.1', 53, { kind = 'dns' })
net.listen('127.0.0.1', 853, { kind = 'tls' })
--net.listen('127.0.0.1', 443, { kind = 'doh2' })
net.listen('::1', 53, { kind = 'dns', freebind = true })
net.listen('::1', 853, { kind = 'tls', freebind = true })
--net.listen('::1', 443, { kind = 'doh2' })
-- Load useful modules
modules = {
'hints > iterate', -- Allow loading /etc/hosts or custom root hints
'stats', -- Track internal statistics
'predict', -- Prefetch expiring/frequent records
}
-- Cache size
cache.size = 100 * MB
-- use /etc/hosts entries
-- hints.add_hosts()
net.ipv6 = false
Anything i can do to track this down?
Thanks in advance for your help.
Juergen
Hello,
I have noticed kresd segfault:
[Sun May 15 14:22:47 2022] kresd[1791403]: segfault at 407ce590 ip
00000000407ce590 sp 00007ffc2d192668 error 15
There were also about 1300 lines from the same PID with a message like this:
May 15 14:23:45 xxxx kresd[1791403]: [primin] triggered priming query,
next in 0 seconds
Maybe it is related to the crash maybe not.
OS: Debian Linux 11.3 kernel 5.10.0-13-amd64 #1 SMP Debian 5.10.106-1
(2022-03-17)
Knot-Resolver: 5.5.0-cznic.1
With regards
Ales
Hello,
We are using Knot-Resolver 5.5.0 with rebinding protection:
modules.load('rebinding < iterate')
We have some complains about an invalid domain name being returned in
the additional section of the response to the blocked request:
;; ADDITIONAL SECTION:
explanation.invalid. 10800 IN TXT "blocked by DNS
rebinding protection"
It looks like some windows domain controllers running DNS clients do not
like it and log an error:
The DNS server encountered an invalid domain name in a packet from
<Knot-Resolver IP> The packet will be rejected. The event data contains
the DNS packet.
Is there a way how to suppress this? Or even better response with SERVFAIL?
Thanks
Ales Rygl
Hello,
I'd would like to ask for help with preload module. The issue is that
when running multiple instatnces of kresd under systemd usualy just one
of them is able to start correctly. The other hangs and fails to start.
The config is just copy/paste from the documentation:
modules.load('prefill')
prefill.config({
['.'] = {
url = 'https://www.internic.net/domain/root.zone',
interval = 86400, -- seconds
}
})
Starting instances in a sequence does not help, the 2nd one hangs - and
only if the 1st one is killed/stopped the 2nd one goes on and processes
the root zone.
Did I miss something in the documentation?
With regards
Ales Rygl
Hi everyone,
The DNS Security Extensions (DNSSEC) add integrity and authenticity to the
Domain Name System (DNS). Now, more than 17 years after their
standardization, we would like to hear from DNS recursive resolver operators
about their experience with DNSSEC. For this reason, we have set up a short
survey. It’s directed mainly towards organisations that run a recursive
resolver. Filling out the survey should take roughly 5 to 10 minutes.
https://forms.gle/FxTD9FofaogdvLqcA (link directs to Google Forms)
This survey is carried out by SIDN Labs (https://sidnlabs.nl) and by the
Swedish Internet Foundation (https://internetstiftelsen.se/en/). You can
contact us via email: moritz.muller(a)sidn.nl
Please excuse us, if you have received this email via different mailing
lists.
—
Moritz Müller Research Engineer at SIDN Labs
