many thanks for your hint regarding modules.unload('bogus_log')
I´m still facing the service kresd@1 crashes without any obvious reasons. Today I did a second try to upgrade to Knot Resover to version 4.2.2 and the upgrade seems to be ok, service can start without any difficulties. It runs as expected more than 3,5 hour, but unfortunately, it starts to write in the log the same messages as was reported in my previous post and the service get restart by itself. Every restarts couse a new sevice PID in /var/cache/knot-resolver/tty, the old one was not correctly finished and the whole operating system goes to a visible slowdown. I don´t know how to do an exact sevice crashdump file, but I can provide any log messages if needed.
I unload the bogus_log.
The service runs now just a while. My usual dns queries throughput is around 700qps and I have only one PID in /var/cache/knot-resolver/tty as usual.
Regards,
-- Smil Milan Jeskyňka Kazatel
Send knot-resolver-users mailing list submissions to knot-resolver-users@lists.nic.cz
To subscribe or unsubscribe via the World Wide Web, visit https://lists.nic.cz/mailman/listinfo/knot-resolver-users or, via email, send a message with subject or body 'help' to knot-resolver-users-request@lists.nic.cz
You can reach the person managing the list at knot-resolver-users-owner@lists.nic.cz
When replying, please edit your Subject line so it is more specific than "Re: Contents of knot-resolver-users digest..."
Today's Topics:
1. Re: DNSSEC validation failure logging on Centos 7 Knot Resolver, version 4.2.0 (Milan Jeskynka Kazatel) 2. Re: DNSSEC validation failure logging on Centos 7 Knot Resolver, version 4.2.0 (Petr Špaček) 3. HTTP module after upgrade from Knot DNS Resolver, version 2.3.0 to Knot Resolver, version 4.2.0 (Milan Jeskynka Kazatel)
Message: 1 Date: Tue, 22 Oct 2019 14:27:30 +0200 (CEST) From: "Milan Jeskynka Kazatel" <KazatelM@seznam.cz> To: <knot-resolver-users@lists.nic.cz> Subject: Re: [knot-resolver-users] DNSSEC validation failure logging on Centos 7 Knot Resolver, version 4.2.0 Message-ID: <1XT.6dmr.1vQ4HW9UcyY.1ThlMo@seznam.cz> Content-Type: text/plain; charset="utf-8"
Hello Team,
I found it, it is described in the Upgrading guide,
DNSSEC validation is now turned on by default. If you need to disable it, see Trust anchors and DNSSEC (https://knot-resolver.readthedocs.io/en/stable/daemon.html#dnssec-config).
***
Since version 4.0, DNSSEC validation is enabled by default. This is secure default and should not be changed unless absolutely necessary.
Options in this section are intended only for expert users and normally should not be needed.
If you really need to turn DNSSEC off and are okay with lowering security of your system by doing so, add the following snippet to your configuration file.
Anyway, if it is enabled by default, how to prevent the "DNSSEC validation failure" spamming in the log and increasing the I/O operation on the system?
For me now is the service in the unstable condition. My kresd@1 is crashing and restarting in the row. Please, any advice?
I modify the server name and the domain, but still it is a live log output.
Oct 22 14:02:51 dnstestserver kresd[15877]: DNSSEC validation failure example.com DNSKEY
Oct 22 14:02:58 dnstestserver kresd[15877]: DNSSEC validation failure example.com DNSKEY
Oct 22 14:03:08 dnstestserver kresd[15877]: DNSSEC validation failure example.com DNSKEY
Oct 22 14:03:18 dnstestserver systemd[1]: kresd@1.service watchdog timeout (limit 10s)!
Oct 22 14:03:22 dnstestserver systemd[1]: kresd@1.service: main process exited, code=killed, status=6/ABRT
Oct 22 14:03:22 dnstestserver systemd[1]: Unit kresd@1.service entered failed state.
Oct 22 14:03:22 dnstestserver systemd[1]: kresd@1.service failed.
Oct 22 14:03:22 dnstestserver systemd[1]: kresd@1.service holdoff time over, scheduling restart.
Oct 22 14:03:22 dnstestserver systemd[1]: Cannot add dependency job for unit kresd.service, ignoring: Unit not found.
Oct 22 14:03:22 dnstestserver systemd[1]: Stopped Knot Resolver daemon.
Oct 22 14:03:22 dnstestserver systemd[1]: Starting Knot Resolver daemon...
Oct 22 14:04:07 dnstestserver kresd[16468]: [http] created new ephemeral TLS certificate
Oct 22 14:04:07 dnstestserver systemd[1]: Started Knot Resolver daemon.
Oct 22 14:04:07 dnstestserver kresd[16468]: [ta_update] refreshing TA for .
Oct 22 14:04:07 dnstestserver kresd[16468]: [ta_update] key: 20326 state: Valid
Oct 22 14:04:07 dnstestserver kresd[16468]: [ta_update] next refresh for . in 24 hours
Oct 22 14:04:09 dnstestserver kresd[16468]: DNSSEC validation failure example.com DNSKEY
...
Best regards. -- Smil Milan Jeskyňka Kazatel
---------- Původní e-mail ---------- Od: Milan Jeskynka Kazatel <KazatelM@seznam.cz> Komu: knot-resolver-users@lists.nic.cz Datum: 22. 10. 2019 13:33:46 Předmět: DNSSEC validation failure logging on Centos 7 Knot Resolver, version 4.2.0 "Hello Team,
I would like to know if the "DNSSEC validation failure logging" is enabled by DEFAULT in version 4.2.0. on Centos 7.
I do not have any explicit call for this module - as is described in the documentation like this: modules.load('bogus_log'), nevertheless, I´m facing a huge report in the system log regarding DNSSEC validation failure somedomainname. DNSKEY
In the configuration, I´m using the 'http' module and module 'stats', can it be relevant?
kresd.conf
-- Load Useful modules
modules = {
'policy', -- Block queries to local zones/bad sites
'view', -- Handle requests by source IP
'stats', -- Track internal statistics
'hints', -- Add static records to resolver
}
-- load HTTP module with defaults (self-signed TLS cert)
modules.load('http')
http.config()
How can I disable DNSSEC validation failure logging?
best regards, -- Smil Milan Jeskyňka Kazatel
" -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nic.cz/pipermail/knot-resolver-users/attachments/20191022/8a105f6c/attachment-0001.html>
------------------------------
Message: 2 Date: Tue, 22 Oct 2019 15:40:28 +0200 From: Petr Špaček <petr.spacek@nic.cz> To: knot-resolver-users@lists.nic.cz Subject: Re: [knot-resolver-users] DNSSEC validation failure logging on Centos 7 Knot Resolver, version 4.2.0 Message-ID: <1948d6bf-dfac-cc0b-fdbc-396fd339c69a@nic.cz> Content-Type: text/plain; charset=utf-8
Hello,
according the log snippet you provided it logs one message in 7-10 seconds, so I/O does not seem to be a problem.
You can try to unload the bogus_log module but beware that it might break statistics reported in HTTP module. To unload the module add this command to end of your config file: modules.unload('bogus_log')
To find the root cause of the problem we need to see the coredump file + information about exact package version.
Please send the corefile to e-mail knot-resolver@labs.nic.cz (do *not* send it to this mailing list).
Thank you for your time. Petr Špaček @ CZ.NIC
On 22. 10. 19 14:27, Milan Jeskynka Kazatel wrote: > Hello Team, > > I found it, it is described in the Upgrading guide, > DNSSEC validation is now turned on by default. If you need to disable it, see Trust anchors and DNSSEC <https://knot-resolver.readthedocs.io/en/stable/daemon.html#dnssec-config>. > > *** > > Since version 4.0, *DNSSEC validation is enabled by default*. This is secure default and should not be changed unless absolutely necessary. > > *Options in this section are intended only for expert users and normally should not be needed.* > > If you really need to turn DNSSEC off and are okay with lowering security of your system by doing so, add the following snippet to your configuration file. > > -- turns off DNSSEC validation > trust_anchors.remove('.'). > > *** > > Anyway, if it is enabled by default, how to prevent the "DNSSEC validation failure" spamming in the log and increasing the I/O operation on the system? > For me now is the service in the unstable condition. My kresd@1 is crashing and restarting in the row. Please, any advice? > > I modify the server name and the domain, but still it is a live log output. > > Oct 22 14:02:51 dnstestserver kresd[15877]: DNSSEC validation failure example.com DNSKEY > Oct 22 14:02:58 dnstestserver kresd[15877]: DNSSEC validation failure example.com DNSKEY > Oct 22 14:03:08 dnstestserver kresd[15877]: DNSSEC validation failure example.com DNSKEY > Oct 22 14:03:18 dnstestserver systemd[1]: kresd@1.service watchdog timeout (limit 10s)! > Oct 22 14:03:22 dnstestserver systemd[1]: kresd@1.service: main process exited, code=killed, status=6/ABRT > Oct 22 14:03:22 dnstestserver systemd[1]: Unit kresd@1.service entered failed state. > Oct 22 14:03:22 dnstestserver systemd[1]: kresd@1.service failed. > Oct 22 14:03:22 dnstestserver systemd[1]: kresd@1.service holdoff time over, scheduling restart. > Oct 22 14:03:22 dnstestserver systemd[1]: Cannot add dependency job for unit kresd.service, ignoring: Unit not found. > Oct 22 14:03:22 dnstestserver systemd[1]: Stopped Knot Resolver daemon. > Oct 22 14:03:22 dnstestserver systemd[1]: Starting Knot Resolver daemon... > Oct 22 14:04:07 dnstestserver kresd[16468]: [http] created new ephemeral TLS certificate > Oct 22 14:04:07 dnstestserver systemd[1]: Started Knot Resolver daemon. > Oct 22 14:04:07 dnstestserver kresd[16468]: [ta_update] refreshing TA for . > Oct 22 14:04:07 dnstestserver kresd[16468]: [ta_update] key: 20326 state: Valid > Oct 22 14:04:07 dnstestserver kresd[16468]: [ta_update] next refresh for . in 24 hours > Oct 22 14:04:09 dnstestserver kresd[16468]: DNSSEC validation failure example.com DNSKEY > ... > Best regards. > -- > Smil Milan Jeskyňka Kazatel > > ---------- Původní e-mail ---------- > Od: Milan Jeskynka Kazatel <KazatelM@seznam.cz> > Komu: knot-resolver-users@lists.nic.cz > Datum: 22. 10. 2019 13:33:46 > Předmět: DNSSEC validation failure logging on Centos 7 Knot Resolver, version 4.2.0 > > > Hello Team, > > I would like to know if the "DNSSEC validation failure logging" is enabled by DEFAULT in version 4.2.0. on Centos 7. > > I do not have any explicit call for this module - as is described in the documentation like this: modules.load('bogus_log'), nevertheless, I´m facing a huge report in the system log regarding DNSSEC validation failure somedomainname. DNSKEY > > In the configuration, I´m using the 'http' module and module 'stats', can it be relevant? > > kresd.conf > -- Load Useful modules > modules = { > 'policy', -- Block queries to local zones/bad sites > 'view', -- Handle requests by source IP > 'stats', -- Track internal statistics > 'hints', -- Add static records to resolver > } > > -- load HTTP module with defaults (self-signed TLS cert) > modules.load('http') > http.config() > > *How can I disable **DNSSEC validation failure logging**?* > > best regards, > -- > Smil Milan Jeskyňka Kazatel
------------------------------
Message: 3 Date: Fri, 04 Oct 2019 11:48:36 +0200 (CEST) From: "Milan Jeskynka Kazatel" <KazatelM@seznam.cz> To: <knot-resolver-users@lists.nic.cz> Subject: [knot-resolver-users] HTTP module after upgrade from Knot DNS Resolver, version 2.3.0 to Knot Resolver, version 4.2.0 Message-ID: <QKB.6dEh.3RPVIGlmGnG.1TbnLq@seznam.cz> Content-Type: text/plain; charset="utf-8"
Hello Knot Resolver team,
I tried to upgrade to the latest stable version of Knot Resolver on Centos7,
where I'm facing with a configuration issue with the module HTTP.
I used it in version 2.3.0 with configuration
-- Load Useful modules
modules = {
'policy', -- Block queries to local zones/bad sites
'view', -- Handle requests by source IP
'stats', -- Track internal statistics
'hints', -- Add static records to resolver
http = {
host = '10.0.0.1',
port = 8053,
cert = false,
}
}
and it works as expected, I reached a /stats/ from the browser.
Unfortunately after upgrade to version 4.2.0 I'm not able to correctly start the module even if I follow the migration hints on documentation websites. I still receive a startup fail message
Oct 04 11:32:09 dns systemd[1]: Starting Knot Resolver daemon...
Oct 04 11:32:54 dns kresd[9540]: error: /usr/lib64/knot-resolver/kres_ modules/http.lua:35: attempt to call global 'moduledir' (a nil value)
Oct 04 11:32:54 dns kresd[9540]: [system] failed to load module 'http'
Oct 04 11:32:54 dns kresd[9540]: error occured here (config filename:lineno is at the bottom, if config is involved):
Oct 04 11:32:54 dns kresd[9540]: stack traceback:
Oct 04 11:32:54 dns kresd[9540]: [C]: in function 'load'
Oct 04 11:32:54 dns kresd[9540]: /etc/knot-resolver/kresd.conf:14: in main chunk
Oct 04 11:32:54 dns kresd[9540]: ERROR: No such file or directory
Oct 04 11:32:54 dns systemd[1]: kresd@1.service: main process exited, code= exited, status=1/FAILURE
Oct 04 11:32:54 dns systemd[1]: Failed to start Knot Resolver daemon.
-- load HTTP module with defaults (self-signed TLS cert)
modules.load('http')
http.config()
-- Load Useful modules
modules = {
'policy', -- Block queries to local zones/bad sites
'view', -- Handle requests by source IP
'stats', -- Track internal statistics
'hints', -- Add static records to resolver
}
Where should be written the path to module http? What I did wrong?
-- Smil Milan Jeskyňka Kazatel -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nic.cz/pipermail/knot-resolver-users/attachments/20191004/5fb13703/attachment.html>