Hello.
On 09/05/2023 23.05, Ed V. wrote:
> However, I would like to point it to OpenNIC for resolution/forwarding
> so that I can resolve the expanded/alternative TLDs.
OpenNIC is a bad practice, on multiple levels in my opinion, so I'll be
brief around supporting that use case. Anyway, here's a working config:
modules = { 'hints > iterate' }
hints.root({
  -- https://wiki.opennic.org/opennic/t2hints
  ['some.opennic.root.'] = { '168.119.153.26' }
})
--[[
Replace the official (ICANN) root DNSSEC trust anchor by OpenNIC's.
BEWARE: this gives OpenNIC power to spoof *all* names, not just in the newly added TLDs.
Current DS can be obtained as mentioned on https://wiki.opennic.org/opennic/dnssec
  dig @195.201.99.61 . DNSKEY | dnssec-dsfromkey -2 -f - .
--]]
trust_anchors.remove('.')
trust_anchors.add('. IN DS 60820 8 2 A01E33C8E95712E555FA9E6C09921830F3A518E36C5998F4ADBF5570AA86B538')
-- Avoid some mess that I don't want to debug in knot resolver 5.x
trust_anchors.set_insecure({ 'opennic.glue.', 'glue.' })
Well, it's not 100% reliable. I ran into some of their servers that
don't return signatures when they should, so that leads to SERVFAILs.
And don't forget to clear cache when you change to incompatible trust
anchors, e.g. remove the data.mdb file.
Generally it might be better to overlay just the (selected) TLDs.
Current Knot Resolver can do that well only from another resolver (not
auth), e.g.
extraTrees = policy.todnames({'libre', 'null'})
policy.add(policy.suffix(policy.FLAGS({'NO_CACHE'}), extraTrees))
-- select a couple close resolver IPs, e.g. directly on https://www.opennic.org
-- for simplicity, we don't validate DNSSEC for those
policy.add(policy.suffix(policy.STUB({'2a00:dcc0:eda:88:245:71:858e:a15'}), extraTrees))
-- Vladimir
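The message above replaces the root trust anchor with a DS taken from a `dig ... | dnssec-dsfromkey` pipeline, and notes that whoever controls that DS can validate any name. Before installing such a DS line in `trust_anchors.add`, it is worth checking that it really is the hash of the DNSKEY being served (and of the value published out of band), rather than pasting it blindly. The following is an added example, not code from the email or from Knot Resolver: a pure-Python re-implementation of the DS computation from RFC 4034 section 5.1.4 and the key-tag algorithm from its Appendix B, i.e. what `dnssec-dsfromkey -2` does. The DNSKEY values (`DEMO_KEY`, a 4-byte dummy public key) are constructed for the demonstration; with a real key, feed in the flags, protocol, algorithm and base64 public key fields from the DNSKEY answer and the DS line you intend to trust.

```python
"""Compute a DS record from DNSKEY data and check a DS line against it (RFC 4034 5.1.4)."""
import base64
import hashlib
import struct

# Digest types a DS record may carry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels; the root is a single zero byte."""
    labels = [lab for lab in name.lower().rstrip('.').split('.') if lab]
    return b''.join(bytes([len(lab)]) + lab.encode('ascii') for lab in labels) + b'\x00'


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, then the raw public key."""
    key = base64.b64decode(''.join(public_key_b64.split()))
    return struct.pack('!HBB', flags, protocol, algorithm) + key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: sum the RDATA as 16-bit big-endian words, fold the carry."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, public_key_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, DIGEST_HEX), the fields dnssec-dsfromkey prints."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    # DS digest = H(canonical owner name || DNSKEY RDATA)
    digest = DIGEST_ALGORITHMS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def parse_ds(ds_line: str):
    """Parse '<owner> [IN] DS <tag> <alg> <dtype> <hex...>' into (tag, alg, dtype, DIGEST_HEX)."""
    parts = ds_line.split()
    i = parts.index('DS')
    return int(parts[i + 1]), int(parts[i + 2]), int(parts[i + 3]), ''.join(parts[i + 4:]).upper()


def ds_matches_dnskey(ds_line, owner, flags, protocol, algorithm, public_key_b64) -> bool:
    """True only if every field of the DS line is exactly what the given DNSKEY hashes to."""
    tag, alg, dtype, digest = parse_ds(ds_line)
    if dtype not in DIGEST_ALGORITHMS:
        return False  # unknown digest type: refuse rather than guess
    return ds_from_dnskey(owner, flags, protocol, algorithm, public_key_b64, dtype) == (tag, alg, dtype, digest)


# Constructed demo key (not a real zone key): flags 257 (KSK), protocol 3, algorithm 8, 4 dummy key bytes.
DEMO_OWNER = '.'
DEMO_KEY = (257, 3, 8, 'AQIDBA==')

if __name__ == '__main__':
    tag, alg, dtype, digest = ds_from_dnskey(DEMO_OWNER, *DEMO_KEY)
    line = f'{DEMO_OWNER} IN DS {tag} {alg} {dtype} {digest}'
    print(line)
    print('matches served DNSKEY:', ds_matches_dnskey(line, DEMO_OWNER, *DEMO_KEY))
```

`ds_matches_dnskey` compares all four fields, so a DS whose key tag, algorithm or digest type disagrees with the served key is rejected even if the hex happens to match; when checking an anchor obtained from a third party, compare the computed line against both the live DNSKEY and the value the operator publishes elsewhere, since agreement with only one of them proves little.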