- knot-resolver-users - lists.nic.cz

by Aleš Mrázek

Dear Knot Resolver users, Knot Resolver 5.5.3 has been released! Security - fix CPU-expensive DoS by malicious domains - CVE-2022-40188 Improvements - fix config_tests on macOS (both HW variants) Full changelog: https://gitlab.nic.cz/knot/knot-resolver/raw/v5.5.3/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.5.3.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.5.3.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v5.5.3/ -- Ales Mrazek PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE

3 roky, 1 měsíc

1
0
0 0

Resolving problem connectivity.samsung.com.cn even on dual-stack

by Blažej Krajňák

Hello everyone, at AS50242 we experience problem with resolving connectivity.samsung.com.cn We run two servers, each with 4 instances. Both servers have working dual-stack (v4/v6). knot-dnsutils/unknown,now 3.1.1-cznic.1 amd64 [installed] knot-resolver-module-http/unknown,now 5.5.0-cznic.1 all [installed,automatic] knot-resolver-release/unknown,now 1.9-1 all [installed] knot-resolver/unknown,now 5.5.0-cznic.1 amd64 [installed] Dnsviz shows problem reaching few IPv6 servers of .cn TLD via UDP. I can not understand, why both of our servers response with SERVFAIL. Any ideas how to troubleshoot more? Thank you, Blažej

3 roky, 1 měsíc

3
7
0 0

not resolving CNAME

by Mike Wright

Hello, I am a user, not a developer, of knot-resolver, on ubuntu groovy. When I look up something that has a CNAME and ask for an A record I get a SERVFAIL. If I ask for the CNAME I get the correct answer but then I have to do another search for the A record for that. #------------- # using knot-resolver kdig @127.0.53.1 www.cdc.gov. ;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 44868 #------------- # using google dns kdig 8.8.8.8 www.cdc.gov. www.cdc.gov. 126 IN CNAME www.akam.cdc.gov. www.akam.cdc.gov. 20 IN A 104.100.61.241 #------------- My guess is I don't have a complete configuration. Here's my very simple knot-resolver.conf #------------ -- SPDX-License-Identifier: CC0-1.0 -- Network interface configuration net.listen('127.0.53.1') -- Load useful modules modules = { 'hints > iterate', -- Load /etc/hosts and allow custom root hints 'stats', -- Track internal statistics 'predict', -- Prefetch expiring/frequent records } -- Cache size cache.size = 100 * MB -- -- MY STUFF -- internalDomains = policy.todnames({ 'main', '0.1.10.in-addr.arpa', '1.10.in-addr.arpa', '10.in-addr.arpa' }) policy.add(policy.suffix(policy.FLAGS({'NO_CACHE'}), internalDomains)) policy.add(policy.suffix(policy.STUB({'127.53.0.1'}), internalDomains)) #------------- How do I fix this? Thank you, Mike Wright

3 roky, 1 měsíc

2
2
0 0

When knot delete old ksk key ?

by support＠profiwh.eu

Hello, I have problem with ksk rotation keys. I've rotated shared KEY, submit by hand and rotate the key. I did setting of delete-delay, but after reaching time nothing happends. keymgr profivh.cz list 4a32ef440c27342c1aca748e0ff3236c41c9dff0 ksk=yes zsk=no tag=11739 algorithm=13 size=256 public-only=no pre-active=0 publish=1660242640 ready=1660246540 active=1660587842 retire-active=0 retire=0 post-active=0 revoke=0 remove=0 55c0eb5bbc46ffc5b0355311384e32957f369bf3 ksk=no zsk=yes tag=51831 algorithm=13 size=256 public-only=no pre-active=0 publish=1659353890 ready=0 active=1659357790 retire-active=0 retire=0 post-active=0 revoke=0 remove=0 a85ffe2752572a3e057c1dca6f1173e2d4f4a6b7 ksk=yes zsk=no tag=14655 algorithm=13 size=256 public-only=no pre-active=0 publish=1641666021 ready=1641666021 active=1655760727 retire-active=1660587842 retire=0 post-active=0 revoke=0 remove=1660587842 but time is over and knot didnt remove the key, list at current time : date +%s 1660838273 with policy setting : policy: - id: "signing_policy_prod" manual: "off" single-type-signing: "off" algorithm: "ecdsap256sha256" ksk-size: "256" zsk-size: "256" ksk-shared: "on" dnskey-ttl: "7200" ksk-lifetime: "0" zsk-lifetime: "2592000" delete-delay: "86400" propagation-delay: "14400" rrsig-lifetime: "1209600" rrsig-refresh: "604800" rrsig-pre-refresh: "3600" nsec3: "on" cds-cdnskey-publish: "none" with template : - id: "signed-zones" storage: "/var/lib/knot/szones" file: "%s" notify: [ "XXX.XXX.cz", "XXX.XXX.cz" ] acl: [ "sec1-transfer", "sec2-transfer" ] zonefile-sync: "0" zonefile-load: "whole" journal-content: "changes" dnssec-signing: "on" dnssec-policy: "signing_policy_prod" serial-policy: "unixtime" it is any normal behavior or is something wrong ? knotc (Knot DNS), version 3.1.9 Thanks for help.

3 roky, 2 měsíce

2
2
0 0

Knot Resolver 5.5.1

by Aleš Mrázek

Dear Knot Resolver users, Knot Resolver 5.5.1 has been released! Improvements - daemon/tls: disable TLS resumption via tickets for TLS <= 1.2 (#742, !1295) - daemon/http: DoH now responds with proper HTTP codes (#728, !1279) - renumber module: allow rewriting subnet to a single IP (!1302) - renumber module: allow arbitrary netmask (!1306) - nameserver selection algorithm: improve IPv6 avoidance if broken (!1298) Bugfixes - modules/dns64: fix incorrect packet writes for cached packets (#727, !1275) - xdp: make it work also with libknot 3.1 (#735, !1276) - prefill module: fix lockup when starting multiple idle instances (!1285) - validator: fix some failing negative NSEC proofs (!1294, #738, #443) Full changelog: https://gitlab.nic.cz/knot/knot-resolver/raw/v5.5.1/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.5.1.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.5.1.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v5.5.1/ Donation: https://donations.nic.cz/en/donate/?project=knot-resolver -- Ales Mrazek PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE

3 roky, 2 měsíce

1
1
0 0

new user - issues with one domain

by Jürgen Echter

Hi, i installed knot-resolver on my mail server and i see a issue with a specific domain, dovecot.org. Everything is working as expected but this single domain doesn't always resolve. After some time postfix cannot check the domain where mails coming from and doesn't accept them. If i do dig dovecot.org, i get this (SERVFAIL): dig dovecot.org ; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> dovecot.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27594 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;dovecot.org. IN A ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Fr Apr 29 08:34:55 CEST 2022 ;; MSG SIZE rcvd: 40 it starts working again if do dig +cd, like this: dig +cd dovecot.org ; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> +cd dovecot.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56130 ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;dovecot.org. IN A ;; ANSWER SECTION: dovecot.org. 300 IN A 94.237.12.234 ;; Query time: 245 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Fr Apr 29 08:34:59 CEST 2022 ;; MSG SIZE rcvd: 56 i didn't have this kind of issue using unbound before i switched, so i think here would be the right place to ask. i'm using the knot-resolver 5.5.0 package from epel on rockylinux 8.5 and my kresd config is very simple: net.listen('127.0.0.1', 53, { kind = 'dns' }) net.listen('127.0.0.1', 853, { kind = 'tls' }) --net.listen('127.0.0.1', 443, { kind = 'doh2' }) net.listen('::1', 53, { kind = 'dns', freebind = true }) net.listen('::1', 853, { kind = 'tls', freebind = true }) --net.listen('::1', 443, { kind = 'doh2' }) -- Load useful modules modules = { 'hints > iterate', -- Allow loading /etc/hosts or custom root hints 'stats', -- Track internal statistics 'predict', -- Prefetch expiring/frequent records } -- Cache size cache.size = 100 * MB -- use /etc/hosts entries -- hints.add_hosts() net.ipv6 = false Anything i can do to track this down? Thanks in advance for your help. Juergen

3 roky, 5 měsíců

2
3
0 0

kresd segfault

by Aleš Rygl

Hello, I have noticed kresd segfault: [Sun May 15 14:22:47 2022] kresd[1791403]: segfault at 407ce590 ip 00000000407ce590 sp 00007ffc2d192668 error 15 There were also about 1300 lines from the same PID with a message like this: May 15 14:23:45 xxxx kresd[1791403]: [primin] triggered priming query, next in 0 seconds Maybe it is related to the crash maybe not. OS: Debian Linux 11.3 kernel 5.10.0-13-amd64 #1 SMP Debian 5.10.106-1 (2022-03-17) Knot-Resolver: 5.5.0-cznic.1 With regards Ales

3 roky, 5 měsíců

2
1
0 0

100....Error Messages new user

by Günther J. Niederwimmer

Hello List, why i got hundreds of these error messages see below, How can I best determine whether and how knot-resolver is working correctly May 9 13:37:28 bbs kresd[2102]: [graphi] reconnecting: ::1@3000 tcp reason: / usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) May 9 13:37:28 bbs kresd[2102]: [graphi] reconnecting: 192.168.100.200@3000 tcp reason: /usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) May 9 13:37:28 bbs kresd[2107]: [graphi] reconnecting: 127.0.0.1@3000 tcp reason: /usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) May 9 13:37:28 bbs kresd[2107]: [graphi] reconnecting: ::1@3000 tcp reason: / usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) May 9 13:37:28 bbs kresd[2107]: [graphi] reconnecting: 192.168.100.200@3000 tcp reason: /usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) May 9 13:37:37 bbs kresd[2101]: [graphi] reconnecting: 127.0.0.1@3000 tcp reason: /usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) May 9 13:37:37 bbs kresd[2100]: [graphi] reconnecting: 127.0.0.1@3000 tcp reason: /usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Broken pipe) May 9 13:37:37 bbs kresd[2101]: [graphi] reconnecting: ::1@3000 tcp reason: / usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) May 9 13:37:37 bbs kresd[2100]: [graphi] reconnecting: ::1@3000 tcp reason: / usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) May 9 13:37:37 bbs kresd[2100]: [graphi] reconnecting: 192.168.100.200@3000 tcp reason: /usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) May 9 13:37:37 bbs kresd[2101]: [graphi] reconnecting: 192.168.100.200@3000 tcp reason: /usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) May 9 13:37:38 bbs kresd[2102]: [graphi] reconnecting: 127.0.0.1@3000 tcp reason: /usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) May 9 13:37:38 bbs kresd[2102]: [graphi] reconnecting: ::1@3000 tcp reason: / usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) May 9 13:37:38 bbs kresd[2102]: [graphi] reconnecting: 192.168.100.200@3000 tcp reason: /usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Broken pipe) May 9 13:37:38 bbs kresd[2107]: [graphi] reconnecting: 127.0.0.1@3000 tcp reason: /usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) May 9 13:37:38 bbs kresd[2107]: [graphi] reconnecting: ::1@3000 tcp reason: / usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) May 9 13:37:38 bbs kresd[2107]: [graphi] reconnecting: 192.168.100.200@3000 tcp reason: /usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) Thanks for the Help, -- mit freundlichen Grüßen / best Regards, Günther J. Niederwimmer

3 roky, 5 měsíců

2
1
0 0

100....Error Messages new user

by Günther J. Niederwimmer

Hello List why i got hundreds of these error messages see below, How can I best determine whether and how knot-resolver is working correctly May 9 13:37:28 bbs kresd[2102]: [graphi] reconnecting: ::1@3000 tcp reason: / usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) May 9 13:37:28 bbs kresd[2102]: [graphi] reconnecting: 192.168.100.200@3000 tcp reason: /usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) May 9 13:37:28 bbs kresd[2107]: [graphi] reconnecting: 127.0.0.1@3000 tcp reason: /usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) May 9 13:37:28 bbs kresd[2107]: [graphi] reconnecting: ::1@3000 tcp reason: / usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) May 9 13:37:28 bbs kresd[2107]: [graphi] reconnecting: 192.168.100.200@3000 tcp reason: /usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) May 9 13:37:37 bbs kresd[2101]: [graphi] reconnecting: 127.0.0.1@3000 tcp reason: /usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) May 9 13:37:37 bbs kresd[2100]: [graphi] reconnecting: 127.0.0.1@3000 tcp reason: /usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Broken pipe) May 9 13:37:37 bbs kresd[2101]: [graphi] reconnecting: ::1@3000 tcp reason: / usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) May 9 13:37:37 bbs kresd[2100]: [graphi] reconnecting: ::1@3000 tcp reason: / usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) May 9 13:37:37 bbs kresd[2100]: [graphi] reconnecting: 192.168.100.200@3000 tcp reason: /usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) May 9 13:37:37 bbs kresd[2101]: [graphi] reconnecting: 192.168.100.200@3000 tcp reason: /usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) May 9 13:37:38 bbs kresd[2102]: [graphi] reconnecting: 127.0.0.1@3000 tcp reason: /usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) May 9 13:37:38 bbs kresd[2102]: [graphi] reconnecting: ::1@3000 tcp reason: / usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) May 9 13:37:38 bbs kresd[2102]: [graphi] reconnecting: 192.168.100.200@3000 tcp reason: /usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Broken pipe) May 9 13:37:38 bbs kresd[2107]: [graphi] reconnecting: 127.0.0.1@3000 tcp reason: /usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) May 9 13:37:38 bbs kresd[2107]: [graphi] reconnecting: ::1@3000 tcp reason: / usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) May 9 13:37:38 bbs kresd[2107]: [graphi] reconnecting: 192.168.100.200@3000 tcp reason: /usr/share/lua/5.1/cqueues/socket.lua:449: exceeded unchecked error limit (Connection reset by peer) Thanks for the Help, -- mit freundlichen Grüßen / best Regards, Günther J. Niederwimmer

3 roky, 5 měsíců

1
0
0 0

Rebinding protection - how to suppress additional section

by Aleš Rygl

Hello, We are using Knot-Resolver 5.5.0 with rebinding protection: modules.load('rebinding < iterate') We have some complains about an invalid domain name being returned in the additional section of the response to the blocked request: ;; ADDITIONAL SECTION: explanation.invalid. 10800 IN TXT "blocked by DNS rebinding protection" It looks like some windows domain controllers running DNS clients do not like it and log an error: The DNS server encountered an invalid domain name in a packet from <Knot-Resolver IP> The packet will be rejected. The event data contains the DNS packet. Is there a way how to suppress this? Or even better response with SERVFAIL? Thanks Ales Rygl

3 roky, 6 měsíců

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

knot-resolver-users