Oto:
Second follow-up, I did catch that 'policy.FORWARD' goof and repointed
to the first two IPv4 and IPv6 servers that show up with the
"auto-detect" homepage of
So:
    policy.add(policy.all(
        policy.FORWARD({
            '2001:19f0:b001:379:5400:3ff:fe68:1cc6',
            '138.197.140.189',
            '2600:3c04::f03c:93ff:febd:be27',
            '45.61.49.203'})))
If I dig directly at one of those servers, 'grep.geek' resolves:
    $ dig @138.197.140.189 grep.geek +short
    161.97.219.84
If I dig with knot-resolver - NXDOMAIN.
--
Ed V.
On Wed, 10 May 2023 07:46:16 +0200
Oto Šťáva <oto.stava(a)nic.cz> wrote:
Hi, Ed.
This looks to me like Knot Resolver is not pointed to the same
configuration file you are editing since your changes are not taking
effect at all. The 'hints.root()' function really should replace the
default root hints, which it does not seem to be doing in your case.
How exactly are you running Knot Resolver? Are you pointing it to the
correct 'kresd.conf' file?
Also, your first attempt with 'policy' would not work because
'policy.FORWARD' expects the provided addresses to be resolvers, but
the OpenNIC root servers are authoritative.
Using 'hints.root' is correct, BUT it is not enough to only set that.
You will run into SERVFAILs because you also need to set the correct
DNSSEC trust anchors [1], which Knot Resolver verifies. You will need
the correct keys from OpenNIC root servers [2].
[1]
https://knot-resolver.readthedocs.io/en/stable/config-dnssec.html#trust_anc…
[2]
https://wiki.opennic.org/opennic/dnssec
On 09. 05. 23 23:05, Ed V. wrote:
Hoping someone can help...
Built Knot Resolver v5.6.0 from source.
It works and resolves correctly for "regular" TLDs.
However, I would like to point it to OpenNIC for resolution/forwarding
so that I can resolve the expanded/alternative TLDs.
Default configuration with:
    policy.add(policy.all(
        policy.FORWARD({
            '2001:19f0:b001:379:5400:3ff:fe68:1cc6',
            '138.197.140.189',
            '2600:3c04::f03c:93ff:febd:be27',
            '45.61.49.203'})))
and it fails to find "grep.geek" using the standard root zone/hints:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22871
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ;; QUESTION SECTION:
    ;grep.geek.                     IN      A

    ;; AUTHORITY SECTION:
    .                       86077   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2023050902 1800 900 604800 86400
So I checked the Documentation site and found "hints.root" which
theoretically will override any other root hints.
Using the OpenNIC root zone file (downloads as "db.root") I set:
    hints.root({
        ['ns13.opennic.glue.'] = { '2a01:4f8:192:43a5::2', '144.76.103.143' } })
in kresd.conf.
Still no joy - "grep.geek" is NXDOMAIN from a.root-servers.net again.
Any thoughts? Things I might have missed along the way?
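A kresd.conf that puts Oto's two points together (hints.root for the OpenNIC root plus a replaced root trust anchor), as an added example, not code from the thread or from the Knot Resolver project; it assumes the Knot Resolver 5.x Lua functions trust_anchors.remove() and trust_anchors.add(), and the DS record line is a placeholder to be filled in from the OpenNIC DNSSEC page [2].

```lua
-- kresd.conf (added example, not from the thread or the Knot Resolver
-- project). Assumes the Knot Resolver 5.x Lua API: hints.root(),
-- trust_anchors.remove(), trust_anchors.add(), policy.*.
-- Make sure the running kresd actually reads this file, e.g.:
--   kresd -c /etc/knot-resolver/kresd.conf
-- If edits have no effect at all, the daemon is reading a different file.

-- 1. Replace the built-in ICANN root hints with the OpenNIC root server
--    posted in the thread (from the OpenNIC db.root zone file).
hints.root({
    ['ns13.opennic.glue.'] = { '2a01:4f8:192:43a5::2', '144.76.103.143' },
})

-- 2. Swap the root DNSSEC trust anchor. The default anchor belongs to the
--    ICANN root zone, so answers served from the OpenNIC root fail
--    validation and come back as SERVFAIL until OpenNIC's own DS is trusted.
trust_anchors.remove('.')
-- PLACEHOLDER: replace with the real DS record from
-- https://wiki.opennic.org/opennic/dnssec (key tag, algorithm, digest type,
-- digest) before starting kresd.
trust_anchors.add('. 3600 IN DS <KEYTAG> <ALG> <DIGESTTYPE> <DIGEST>')

-- NOT this: policy.FORWARD() expects recursive resolvers. Pointing it at
-- the OpenNIC root (authoritative) servers from db.root gives NXDOMAIN, as
-- seen in the thread, because nobody recurses the forwarded query.
-- policy.add(policy.all(policy.FORWARD({ '144.76.103.143' })))

-- Check after restart: `dig @127.0.0.1 grep.geek +short` should return the
-- same address the OpenNIC server returned directly (161.97.219.84 in the
-- thread), not NXDOMAIN from a.root-servers.net; `+dnssec` should show the
-- ad flag once the anchor is right.
```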