Hello,
I have a problem with knot-resolver and resolving a CNAME on my domain, but the same request to bind-resolver is ok. Some configuration parameters (such as trust_anchors.set_insecure or trust_anchors.remove) don't solve my problem. Could you help me please?
Commands (data is anonymized):
Here is the trace command output from kresd:
[cache ][205086.01] => satisfied by exact packet: rank 021, new TTL 7110
[iterat][205086.01] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 31993
;; Flags: qr aa rd QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION
elearning.mycompany.sk. A
;; ANSWER SECTION
elearning.mycompany.sk. 7110 CNAME elearning.netcompany.sk.
;; ADDITIONAL SECTION
[resolv][205086.01] AD: request NOT classified as SECURE
[resolv][205086.01] finished in state: 4, queries: 1, mempool: 131152 B
;; selected from ANSWER sections:
; ranked rrset to_wire true, rank 021 (omit auth), cached false, qry_uid 1, revalidations 0
elearning.mycompany.sk. 7110 CNAME elearning.netcompany.sk.
curl -s --noproxy "*" http://127.0.0.1:8453/trace/elearning.netcompany.sk.
[iterat][65580.00] 'elearning.netcompany.sk.' type 'A' new uid was assigned .01, parent uid .00
[cache ][65580.01] => satisfied by exact RRset: rank 030, new TTL 1187
[iterat][65580.01] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 21817
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
elearning.netcompany.sk. A
;; ANSWER SECTION
elearning.netcompany.sk. 1187 A 53.53.53.153
elearning.netcompany.sk. 1187 RRSIG A 7 3 1800 ....
[iterat][65580.01] <= rcode: NOERROR
[resolv][65580.01] AD: request NOT classified as SECURE
[resolv][65580.01] finished in state: 4, queries: 1, mempool: 147552 B
;; selected from ANSWER sections:
; ranked rrset to_wire true, rank 030 (insecure auth), cached false, qry_uid 1, revalidations 0
elearning.netcompany.sk. 1187 A 53.53.53.153
; ranked rrset to_wire true, rank 030 (insecure auth), cached false, qry_uid 1, revalidations 0
elearning.netcompany.sk. 1187 RRSIG A 7 3 1800 .....
journalctl -u kresd@1
kresd[18169]: [iterat][34703.00] 'elearning.mycompany.sk.' type 'A' new uid was assigned .01, parent uid .00
kresd[18169]: [cache ][34703.01] => satisfied by exact packet: rank 021, new TTL 6811
kresd[18169]: [resolv][34703.01] AD: request NOT classified as SECURE
kresd[18169]: [resolv][34703.01] finished in state: 4, queries: 1, mempool: 65600 B
kresd[18169]: [plan ][00000.00] plan 'elearning.netcompany.sk.' type 'AAAA' uid [17932.00]
kresd[18169]: [iterat][17932.00] 'elearning.netcompany.sk.' type 'AAAA' new uid was assigned .01, parent uid .00
kresd[18169]: [cache ][17932.01] => satisfied by exact packet: rank 020, new TTL 1411
kresd[18169]: [iterat][17932.01] <= rcode: NOERROR
kresd[18169]: [resolv][17932.01] AD: request NOT classified as SECURE
My kresd.conf:
log_level('warning')
net.listen('192.168.1.53', 53, { kind = 'dns', freebind = true })
net.listen('192.168.1.53', 853, { kind = 'tls', freebind = true })
net.listen('127.0.0.1', 8453, { kind = 'webmgmt' })
user('knot-resolver','knot-resolver')
modules = {
'hints > iterate', -- Load /etc/hosts and allow custom root hints
'stats', -- Track internal statistics
'predict', -- Prefetch expiring/frequent records
'policy',
'view', -- view:addr(..)
'prefill', -- Cache prefilling
'http'
}
internalDomains = policy.todnames({'mycompany.sk'})
externalIP = policy.todnames({'53.53.53.in-addr.arpa.'})
policy.add(policy.suffix(policy.STUB({'192.168.1.3','192.168.1.4'}), internalDomains))
policy.add(policy.suffix(policy.STUB({'192.168.1.3','192.168.1.4'}), externalIP))
view:addr('192.168.0.0/16', policy.all(policy.PASS))
view:addr('172.16.0.0/12', policy.all(policy.PASS))
view:addr('10.0.0.0/8', policy.all(policy.PASS))
view:addr('0.0.0.0/0', policy.all(policy.DROP))
--trust_anchors.set_insecure({ 'mycompany.sk.', 'netcompany.sk.' })
--trust_anchors.remove('.')
cache.size = cache.fssize() - 10*MB
Thanks,
Tomas
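The two traces quoted in the post differ in one visible way: the first one ends with a CNAME to elearning.netcompany.sk. and no A record for that target, while the second one carries the A record (plus its RRSIG). When comparing the behaviour of two resolvers on the same name it helps to extract exactly that from kresd's trace output mechanically. The script below is an added example, not code from the post or from the Knot Resolver project: it parses the packet-dump format kresd prints (the `;; ... SECTION` headers, the `; ranked rrset ... rank NNN (label)` lines and the `AD: request ... classified as SECURE` / `finished in state:` log lines), follows the CNAME chain from the question name inside the answer section and reports whether the chain ends in a record of the queried type. The two sample inputs are trimmed copies of the traces quoted above (constructed test input, same anonymized names and addresses); the journal prefix `kresd[pid]: ` is stripped so a `journalctl` excerpt can be fed in as well.

```python
"""Parse kresd trace output and report whether the answer reaches the queried
type or stops at an unchased CNAME (added example, not from the post)."""
import re
from dataclasses import dataclass, field

# Constructed test input: trimmed copies of the two traces quoted in the post.
TRACE_CNAME_ONLY = """\
[cache ][205086.01] => satisfied by exact packet: rank 021, new TTL 7110
[iterat][205086.01] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 31993
;; Flags: qr aa rd QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; QUESTION SECTION
elearning.mycompany.sk. A
;; ANSWER SECTION
elearning.mycompany.sk. 7110 CNAME elearning.netcompany.sk.
;; ADDITIONAL SECTION
[resolv][205086.01] AD: request NOT classified as SECURE
[resolv][205086.01] finished in state: 4, queries: 1, mempool: 131152 B
;; selected from ANSWER sections:
; ranked rrset to_wire true, rank 021 (omit auth), cached false, qry_uid 1, revalidations 0
elearning.mycompany.sk. 7110 CNAME elearning.netcompany.sk.
"""
TRACE_FULL_ANSWER = """\
kresd[18169]: [iterat][65580.01] <= answer received:
;; QUESTION SECTION
elearning.netcompany.sk. A
;; ANSWER SECTION
elearning.netcompany.sk. 1187 A 53.53.53.153
elearning.netcompany.sk. 1187 RRSIG A 7 3 1800 ....
[iterat][65580.01] <= rcode: NOERROR
[resolv][65580.01] AD: request NOT classified as SECURE
[resolv][65580.01] finished in state: 4, queries: 1, mempool: 147552 B
;; selected from ANSWER sections:
; ranked rrset to_wire true, rank 030 (insecure auth), cached false, qry_uid 1, revalidations 0
elearning.netcompany.sk. 1187 A 53.53.53.153
"""

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+([A-Z0-9]+)\s+(.*)$")   # owner TTL TYPE rdata
SECTION_RE = re.compile(r"^;; (QUESTION|ANSWER|AUTHORITY|ADDITIONAL) SECTION")
RANK_RE = re.compile(r"^; ranked rrset .*?\brank (\d+) \(([^)]*)\)")
AD_RE = re.compile(r"AD: request (NOT )?classified as SECURE")
STATE_RE = re.compile(r"finished in state: (\d+)")
JOURNAL_PREFIX_RE = re.compile(r"^kresd\[\d+\]: ")


@dataclass
class TraceReport:
    qname: str = ""
    qtype: str = ""
    answer: list = field(default_factory=list)  # (owner, ttl, type, rdata) from ANSWER
    ranks: list = field(default_factory=list)   # (rank, label) of the selected RRsets
    secure: bool = False                         # AD: request classified as SECURE
    state: int = -1                              # "finished in state: N"
    chain: list = field(default_factory=list)   # CNAME targets walked from qname
    answered: bool = False                       # chain end has a record of qtype


def parse_trace(text: str) -> TraceReport:
    rep, section = TraceReport(), None
    for raw in text.splitlines():
        line = JOURNAL_PREFIX_RE.sub("", raw.strip())
        if line.startswith("["):               # kresd log line: ends any packet dump
            section = None
            if (m := AD_RE.search(line)):
                rep.secure = m.group(1) is None
            if (m := STATE_RE.search(line)):
                rep.state = int(m.group(1))
            continue
        if (m := SECTION_RE.match(line)):
            section = m.group(1)
            continue
        if line.startswith(";; selected from"):
            section = "SELECTED"               # what kresd returns; RRs are repeats
            continue
        if line.startswith(";"):               # header / flags / rank comments
            if (m := RANK_RE.match(line)):
                rep.ranks.append((m.group(1), m.group(2)))
            continue
        if section == "QUESTION" and len(line.split()) == 2:
            rep.qname, rep.qtype = line.split()
        elif section == "ANSWER" and (m := RR_RE.match(line)):
            rep.answer.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    # Follow CNAMEs from the question name; the set guards against a loop.
    name, seen = rep.qname, set()
    while name not in seen:
        seen.add(name)
        target = next((r[3] for r in rep.answer if r[0] == name and r[2] == "CNAME"), None)
        if target is None:
            break
        rep.chain.append(target)
        name = target
    rep.answered = any(r[0] == name and r[2] == rep.qtype for r in rep.answer)
    return rep


def diagnose(rep: TraceReport) -> str:
    """One-line verdict, handy when diffing two resolvers on the same name."""
    end = rep.chain[-1] if rep.chain else rep.qname
    if rep.answered:
        return f"{rep.qname} {rep.qtype}: answered at {end} (secure={rep.secure}, state={rep.state})"
    if rep.chain:
        return f"{rep.qname} {rep.qtype}: CNAME chain stops at {end} with no {rep.qtype} record (unchased CNAME)"
    return f"{rep.qname} {rep.qtype}: no answer records (state={rep.state})"


if __name__ == "__main__":
    for sample in (TRACE_CNAME_ONLY, TRACE_FULL_ANSWER):
        print(diagnose(parse_trace(sample)))
```

Feed it the raw output of `curl -s --noproxy "*" http://127.0.0.1:8453/trace/<name>.` and the same name resolved through the other resolver (after converting its dig output to the same owner/TTL/type/rdata layout); a trace that reports an unchased CNAME while the other resolver returns the A record isolates the difference to the CNAME-following step rather than to DNSSEC, which the `secure` flag reports separately.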