Hello,
I'm using this config.yaml with Knot Resolver 6 (on Debian 13):
workers: auto
network:
  listen:
    - interface: 127.0.0.1@53
logging:
  level: info
options:
  violators-workarounds: true
cache:
  size-max: 100M
  prefetch:
    expiring: true
dnssec:
  log-bogus: true
local-data:
  rpz:
    - file: /var/lib/rpz/urlhaus.abuse.ch.rpz
    - file: /var/lib/rpz/threatfox.abuse.ch.rpz
lua:
  script: |
    policy.add(policy.suffix(policy.DENY, {todname('use-application-dns.net.')}))
    policy.add(policy.suffix(policy.PASS, policy.todnames({
      'uribl.com',
      'zen.spamhaus.org',
      'dbl.spamhaus.org',
      'list.dnswl.org',
      'sa-trusted.bondedsender.org',
      'sa-accredit.habeas.com',
      'bl.score.senderscore.com',
      'dnsbl-1.uceprotect.net',
      'dnsbl-2.uceprotect.net',
      'dnsbl-3.uceprotect.net'
    })))
    policy.add(policy.all(policy.TLS_FORWARD({
      {'9.9.9.9', hostname='dns.quad9.net',
       ca_file='/etc/ssl/certs/ca-certificates.crt' },
      {'149.112.112.112', hostname='dns.quad9.net',
       ca_file='/etc/ssl/certs/ca-certificates.crt' },
    })))
This results in this endless loop in the logs:
Apr 10 11:56:49 supervisord[56300]: captured stdio output from policy-loader[56777] (stderr): [system] config 'policy-loader.conf' (workdir '/run/knot-resolver'): No such file or directory
Apr 10 11:56:49 supervisord[56300]: success: policy-loader entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
Apr 10 11:56:49 supervisord[56300]: exited: policy-loader (exit status 1; not expected)
Apr 10 11:56:49 supervisord[56300]: spawned: 'policy-loader' with pid 56778
Apr 10 11:56:49 supervisord[56300]: captured stdio output from policy-loader[56778] (stderr): [system] config 'policy-loader.conf' (workdir '/run/knot-resolver'): No such file or directory
Apr 10 11:56:49 supervisord[56300]: success: policy-loader entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
Apr 10 11:56:50 supervisord[56300]: exited: policy-loader (exit status 1; not expected)
When using only one rpz file, thus removing the whole line
- file: /var/lib/rpz/threatfox.abuse.ch.rpz
it works fine.
What am I doing wrong here?
--
Frederik Himpe <frederik(a)frehi.be>
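A pre-flight check for the RPZ entries in a config like the one above, added here as an example (it is not part of the original post or of Knot Resolver itself): it pulls every `- file:` path out of config.yaml and verifies that each one is readable and carries an SOA record before the resolver is (re)started. The sed-based extraction assumes the one-entry-per-line `- file: /path` layout shown in the post; the demo runs on constructed files in a temporary directory.

```shell
#!/bin/sh
# Added example: pre-flight check of the RPZ files referenced by a
# Knot Resolver 6 config.yaml. Not code from the post or the project.

rpz_files_from_config() {
  # Print the path of every "- file:" entry, one per line.
  # Assumes the layout from the post (one "- file: /path" per line).
  sed -n 's/^[[:space:]]*-[[:space:]]*file:[[:space:]]*//p' "$1"
}

check_rpz_file() {
  # An RPZ file must be readable and, being a zone, carry an SOA record.
  f="$1"
  if [ ! -r "$f" ]; then
    echo "MISSING  $f"; return 1
  fi
  if ! grep -qiE '[[:space:]]SOA[[:space:]]' "$f"; then
    echo "NO-SOA   $f"; return 1
  fi
  echo "OK       $f"
}

check_rpz_config() {
  # Returns 1 if any referenced RPZ file fails a check, 0 otherwise.
  rc=0
  for f in $(rpz_files_from_config "$1"); do
    check_rpz_file "$f" || rc=1
  done
  return $rc
}

demo() {
  # Constructed sample data: one valid RPZ zone, one empty file, one absent.
  d=$(mktemp -d)
  cat > "$d/ok.rpz" <<'EOF'
$TTL 300
@ SOA localhost. root.localhost. 1 3600 900 604800 300
@ NS localhost.
evil.example. CNAME .
EOF
  : > "$d/nosoa.rpz"
  printf 'local-data:\n  rpz:\n    - file: %s\n    - file: %s\n    - file: %s\n' \
    "$d/ok.rpz" "$d/nosoa.rpz" "$d/absent.rpz" > "$d/config.yaml"
  if check_rpz_config "$d/config.yaml"; then
    echo "all RPZ files OK"
  else
    echo "some RPZ files failed; fix them before restarting kresd"
  fi
  rm -rf "$d"
}
```

Run `demo` to see the three outcomes, or call `check_rpz_config /etc/knot-resolver/config.yaml` against a real configuration.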