Oto:
I double-checked just to be sure (with a default build + install
sometimes things can go wrong...).
Whether I run via systemd:
ExecStart=/usr/sbin/kresd -c /usr/lib/aarch64-linux-gnu/knot-resolver/distro-preconfig.lua -c /etc/knot-resolver/kresd.conf -n
or by command line, I am explicitly calling the kresd.conf where I have
my changes.
I added DNSKEYs (thank you for that pointer - I would have missed it)
and they work:
$ dig @127.0.1.1 pir.org +dnssec +multi
; <<>> DiG 9.16.37-Debian <<>> @127.0.1.1 pir.org +dnssec +multi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16985
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;pir.org.               IN A
;; ANSWER SECTION:
pir.org.                300 IN A 34.74.232.240
pir.org.                300 IN RRSIG A 5 2 300 (
                                20230524084004 20230510084004 56958
                                pir.org. NGT9ammi8eyXDKJ1YqMaSTnas1FM6foabFmb30GDyklP
                                dIYsIbLmfP2evYc5Izn/SJdCN/RmWBJozGmPk+kAfv0U
                                7YEoKBcbRxIeQiDtg8D0Nsl98Do/R7CsaXLVAkC+k8Ed
                                vnNhnDYo+mn0xAOTOWGPQN/2MoSxYJkcPRcINeo= )
;; Query time: 627 msec
;; SERVER: 127.0.1.1(127.0.1.1)
;; WHEN: Wed May 10 08:35:34 CDT 2023
;; MSG SIZE  rcvd: 219
But I'm still getting the "a.name-servers.net" NXDOMAIN on trying to
resolve 'grep.geek':
$ dig @127.0.1.1 grep.geek +dnssec +multi
; <<>> DiG 9.16.37-Debian <<>> @127.0.1.1 grep.geek +dnssec +multi -p 53001
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 29189
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;grep.geek.             IN A
;; AUTHORITY SECTION:
.                       24985 IN SOA a.root-servers.net. nstld.verisign-grs.com. (
[trimmed]
I even moved the default 'root.hints' file out of /etc/knot-resolver
just to make sure it wasn't being called somehow (and checked the
/var/lib and /var/cache folders as well).
Still getting the NX from a.root-servers.net as above.
I'm stumped...
--
Ed V.
On Wed, 10 May 2023 07:46:16 +0200
Oto Šťáva <oto.stava(a)nic.cz> wrote:
  Hi, Ed.
 This looks to me like Knot Resolver is not pointed to the same
 configuration file you are editing since your changes are not taking
 effect at all. The 'hints.root()' function really should replace the
 default root hints, which it does not seem to be doing in your case.
 How exactly are you running Knot Resolver? Are you pointing it to the
 correct 'kresd.conf' file?
 Also, your first attempt with 'policy' would not work because
 'policy.FORWARD' expects the provided addresses to be resolvers, but
 the OpenNIC root servers are authoritative.
 Using 'hints.root' is correct, BUT it is not enough to only set that.
 You will run into SERVFAILs because you also need to set the correct
 DNSSEC trust anchors [1], which Knot Resolver verifies. You will need
 the correct keys from OpenNIC root servers [2].
 [1] https://knot-resolver.readthedocs.io/en/stable/config-dnssec.html#trust_anc…
 [2] https://wiki.opennic.org/opennic/dnssec
 On 09. 05. 23 23:05, Ed V. wrote:
  Hoping someone can help...
 Built Knot Resolver v5.6.0 from source.
 It works and resolves correctly for "regular" TLDs.
 However, I would like to point it to OpenNIC for resolution
 /forwarding so that I can resolve the expanded /alternative TLDs.
 Default configuration with:
 policy.add(policy.all(
    policy.FORWARD(
      {'2001:19f0:b001:379:5400:3ff:fe68:1cc6',
       '138.197.140.189',
       '2600:3c04::f03c:93ff:febd:be27',
       '45.61.49.203'})))
 and it fails to find "grep.geek" using the standard root zone
 /hints:
 ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22871
 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags:; udp: 1232
 ;; QUESTION SECTION:
 ;grep.geek.                     IN      A
 ;; AUTHORITY SECTION:
 .                       86077   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2023050902 1800 900 604800 86400
 So I checked the Documentation site and found "hints.root" which
 theoretically will override any other root hints.
 Using the OpenNIC root zone file (downloads as "db.root") I set:
 hints.root({
    ['ns13.opennic.glue.'] = { '2a01:4f8:192:43a5::2', '144.76.103.143' }
 })
 in kresd.conf.
 Still no joy - "grep.geek" is NXDOMAIN from a.root-servers.net again.
 Any thoughts?  Things I might have missed along the way?
 --   
 --
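The following kresd.conf fragment is an added example, not code from this thread or from the Knot Resolver project. It puts together the two steps Oto describes in one place: replacing the root hints with hints.root() and swapping the root DNSSEC trust anchor so validation does not SERVFAIL against the alternative root, with a self-check that fails loudly if the anchor has not been filled in. The ns13.opennic.glue addresses are the ones Ed posted; the local variable names, the placeholder DS string, the assumption that the hints module is loaded by default in kresd 5.x, and the idea of erroring out on an unreplaced placeholder are mine and are not on the page.

```lua
-- Added example, not from the thread: a kresd.conf for resolving via an
-- alternative (OpenNIC) root.
--
-- Why not policy.FORWARD: as Oto notes, policy.FORWARD expects recursive
-- resolvers, and the OpenNIC root servers are authoritative, so forwarding to
-- them cannot work. Root hints plus a matching trust anchor is the right shape.

-- Root hint addresses for ns13.opennic.glue as posted by Ed. hints.root()
-- REPLACES the whole built-in (ICANN) root hint set; it does not add to it.
-- Assumption: the hints module is already loaded (it is on this page, since
-- hints.root() is called directly in the original kresd.conf).
local opennic_roots = {
  ['ns13.opennic.glue.'] = { '2a01:4f8:192:43a5::2', '144.76.103.143' },
}

-- PLACEHOLDER: the OpenNIC root DS/DNSKEY is not on this page. Replace this
-- string with the record published at https://wiki.opennic.org/opennic/dnssec
-- (DS or DNSKEY presentation format, as trust_anchors.add() accepts either).
local OPENNIC_ROOT_TA = '. 3600 IN DS KEYTAG ALG DIGESTTYPE DIGEST-PLACEHOLDER'

-- Refuse to start with the placeholder still in place: a half-configured
-- anchor would only produce confusing SERVFAILs later.
if OPENNIC_ROOT_TA:find('PLACEHOLDER', 1, true) then
  error('kresd.conf: replace OPENNIC_ROOT_TA with the real OpenNIC root trust anchor')
end

-- 1. Replace the root hints.
hints.root(opennic_roots)

-- 2. Drop the ICANN root trust anchor that kresd loads by default. With it
--    still present, answers under the OpenNIC root key chain will not
--    validate, which is the SERVFAIL Oto warns about.
trust_anchors.remove('.')

-- 3. Install the OpenNIC root anchor as a static (not auto-updated) key.
trust_anchors.add(OPENNIC_ROOT_TA)

-- Self-check at load time: hints.root() with no arguments returns the hint
-- set currently in effect. If any *.root-servers.net name is still in it,
-- this is not the file kresd is reading (compare the -c arguments in the
-- systemd ExecStart line), which is exactly the symptom seen in this thread.
for name, _ in pairs(hints.root()) do
  if name:find('root%-servers%.net%.$') then
    error('kresd.conf: ICANN root hints still active; hints.root() did not take effect')
  end
end
```

The same check can be run by hand against a live instance: open the control socket with `kresd`'s `-c`-independent `kresc`/`nc` client and call `hints.root()` and `trust_anchors.keysets` equivalents per the documentation; if the hints table still lists a.root-servers.net, the running daemon is not reading the edited file, which is the first thing Oto asks about.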