16 Lis
2021
16 Lis
'21
12:48
Hello,
I have a problem with knot-resolver and resolving CNAME on my domain, but
request to bind-resolver is ok. Some configuration parameter (such as
--trust_anchors.set_insecure,remove) doesn't solve my problem. Could you
help me please?
Commands (data is anonymized) :
[ ~]$ nslookup elearning.mycompany.sk 192.168.1.53 # kresd -failed
Server: 192.168.1.53
Address: 192.168.1.53#53
Non-authoritative answer:
elearning.mycompany.sk canonical name = elearning.netcompany.sk.
[ ~]$ nslookup elearning.mycompany.sk 192.168.1.33 # bind -ok
Server: 192.168.1.33
Address: 192.168.1.33#53
Non-authoritative answer:
elearning.mycompany.sk canonical name = elearning.netcompany.sk.
Name: elearning.netcompany.sk.
Address: 53.53.53.153
[~]$ nslookup elearning.netcompany.sk. 192.168.1.53 # kresd -ok
Server: 192.168.1.53
Address: 192.168.1.53#53
Non-authoritative answer:
Name: elearning.netcompany.sk
Address: 53.53.53.153
Here is trace command from kresd:
[ ~]$ curl -s --noproxy "*"
http://127.0.0.1:8453/trace/elearning.mycompany.sk
[iterat][205086.00] 'elearning.mycompany.sk.' type 'A' new uid was
assigned .01, parent uid .00
[cache ][205086.01] => satisfied by exact packet: rank 021, new TTL 7110
[iterat][205086.01] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 31993
;; Flags: qr aa rd QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION
elearning.mycompany.sk. A
;; ANSWER SECTION
elearning.mycompany.sk. 7110 CNAME elearning.netcompany.sk.
;; ADDITIONAL SECTION
[resolv][205086.01] AD: request NOT classified as SECURE
[resolv][205086.01] finished in state: 4, queries: 1, mempool: 131152 B
;; selected from ANSWER sections:
; ranked rrset to_wire true, rank 021 (omit auth), cached false, qry_uid 1,
revalidations 0
elearning.mycompany.sk. 7110 CNAME elearning.netcompany.sk.
curl -s --noproxy "*" http://127.0.0.1:8453/trace/elearning.netcompany.sk.
[iterat][65580.00] 'elearning.netcompany.sk.' type 'A' new uid was
assigned .01, parent uid .00
[cache ][65580.01] => satisfied by exact RRset: rank 030, new TTL 1187
[iterat][65580.01] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 21817
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
elearning.netcompany.sk. A
;; ANSWER SECTION
elearning.netcompany.sk. 1187 A 53.53.53.153
elearning.netcompany.sk. 1187 RRSIG A 7 3 1800 ....
[iterat][65580.01] <= rcode: NOERROR
[resolv][65580.01] AD: request NOT classified as SECURE
[resolv][65580.01] finished in state: 4, queries: 1, mempool: 147552 B
;; selected from ANSWER sections:
; ranked rrset to_wire true, rank 030 (insecure auth), cached false,
qry_uid 1, revalidations 0
elearning.netcompany.sk. 1187 A 53.53.53.153
; ranked rrset to_wire true, rank 030 (insecure auth), cached false,
qry_uid 1, revalidations 0
elearning.netcompany.sk. 1187 RRSIG A 7 3 1800 .....
[ ~]$ journalctl -u kresd@1
kresd[18169]: [iterat][34703.00] 'elearning.mycompany.sk.' type 'A' new
uid was assigned .01, parent uid .00
kresd[18169]: [cache ][34703.01] => satisfied by exact packet: rank 021,
new TTL 6811
kresd[18169]: [resolv][34703.01] AD: request NOT classified as SECURE
kresd[18169]: [resolv][34703.01] finished in state: 4, queries: 1,
mempool: 65600 B
kresd[18169]: [plan ][00000.00] plan 'elearning.netcompany.sk.' type
'AAAA' uid [17932.00]
kresd[18169]: [iterat][17932.00] 'elearning.netcompany.sk.' type 'AAAA'
new uid was assigned .01, parent uid .00
kresd[18169]: [cache ][17932.01] => satisfied by exact packet: rank 020,
new TTL 1411
kresd[18169]: [iterat][17932.01] <= rcode: NOERROR
kresd[18169]: [resolv][17932.01] AD: request NOT classified as SECURE
My kresd.conf:
log_level('warning')
net.listen('192.168.1.53', 53, { kind = 'dns', freebind = true })
net.listen('192.168.1.53', 853, { kind = 'tls', freebind = true })
net.listen('127.0.0.1', 8453, { kind = 'webmgmt' })
user('knot-resolver','knot-resolver')
modules = {
'hints > iterate', -- Load /etc/hosts and allow custom root hints
'stats', -- Track internal statistics
'predict', -- Prefetch expiring/frequent records
'policy',
'view', -- view:addr(..)
'prefill', -- Cache prefilling
'http'
}
internalDomains = policy.todnames({'mycompany.sk'})
externalIP = policy.todnames({'53.53.53.in-addr.arpa.'})
policy.add(policy.suffix(policy.STUB({'192.168.1.3','192.168.1.4'}),
internalDomains))
policy.add(policy.suffix(policy.STUB({'192.168.1.3','192.168.1.4'}),
externalIP))
view:addr('192.168.0.0/16', policy.all(policy.PASS))
view:addr('172.16.0.0/12', policy.all(policy.PASS))
view:addr('10.0.0.0/8', policy.all(policy.PASS))
view:addr('0.0.0.0/0', policy.all(policy.DROP))
--trust_anchors.set_insecure({ 'mycompany.sk.', 'netcompany.sk.' })
--trust_anchors.remove('.')
cache.size = cache.fssize() - 10*MB
thanks
Tomas
16 Lis
16 Lis
13:01
Hello.
On 16/11/2021 13.48, tomas tomas wrote:
I have a problem with knot-resolver and resolving
CNAME on my domain,
but request to bind-resolver is ok.
It looks like you don't understand what policy.STUB does. The target IP
address is assumed to be full *resolver*. It returned just the CNAME
with RCODE=NOERROR, i.e. implying that the CNAME's target exists but has
no data of the requested type (A in this case).
Unfortunately, kresd currently does not have a suitable "redirection"
configuration for the case where the target IP address is meant as
*authoritative* server for some sub-tree. STUB often kind-of works as a
hack for such cases, but as you see it's certainly not perfect.
--Vladimir
13:05
On 16/11/2021 14.01, Vladimír Čunát wrote:
kresd currently does not have a suitable
"redirection" configuration [...]
I think all resources related to this missing feature are linked from
around this place:
https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/651#note_130192
1402
days inactive
1402
days old
knot-resolver-users@lists.nic.cz
2 comments
2 participants
participants (2)
-
tomas tomas -
Vladimír Čunát