25 Úno
2018
25 Úno
'18
1:15
Greetings. My kresd config file is:
net.listen('192.241.207.161', 5364)
trust_anchors.file = 'root.keys'
modules.load('ta_sentinel')
I wanted to test this with a zone I set up at this-is-signed.com. However,
I'm getting a positive result back for both the is-ta and the not-ta
records (it is properly giving me the SERVFAIL for the bogus record).
Have I configured Knot Resolver incorrectly? For Knot 2.2.1, do I need a
different form for the names in order to get the kskroll-sentinel effect to
kick in? From the DNSOP WG mailing list traffic, I thought I needed the
4f66 tag, but could have misinterpreted that.
--Paul Hoffman
# dig @192.241.207.161 -p 5364
kskroll-sentinel-is-ta-4f66.this-is-signed.com a
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.241.207.161 -p 5364
kskroll-sentinel-is-ta-4f66.this-is-signed.com a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36153
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;kskroll-sentinel-is-ta-4f66.this-is-signed.com. IN A
;; ANSWER SECTION:
kskroll-sentinel-is-ta-4f66.this-is-signed.com. 60 IN CNAME
this-is-signed.com.
this-is-signed.com. 60 IN A 192.241.207.161
;; Query time: 283 msec
;; SERVER: 192.241.207.161#5364(192.241.207.161)
;; WHEN: Sun Feb 25 00:09:54 UTC 2018
;; MSG SIZE rcvd: 105
# dig @192.241.207.161 -p 5364
kskroll-sentinel-not-ta-4f66.this-is-signed.com a
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.241.207.161 -p 5364
kskroll-sentinel-not-ta-4f66.this-is-signed.com a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14466
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;kskroll-sentinel-not-ta-4f66.this-is-signed.com. IN A
;; ANSWER SECTION:
kskroll-sentinel-not-ta-4f66.this-is-signed.com. 60 IN CNAME
this-is-signed.com.
this-is-signed.com. 54 IN A 192.241.207.161
;; Query time: 5 msec
;; SERVER: 192.241.207.161#5364(192.241.207.161)
;; WHEN: Sun Feb 25 00:10:00 UTC 2018
;; MSG SIZE rcvd: 106
# dig @192.241.207.161 -p 5364 bogus.this-is-signed.com a
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.241.207.161 -p 5364
bogus.this-is-signed.com a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20810
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;bogus.this-is-signed.com. IN A
;; Query time: 9 msec
;; SERVER: 192.241.207.161#5364(192.241.207.161)
;; WHEN: Sun Feb 25 00:10:08 UTC 2018
;; MSG SIZE rcvd: 42