2 Srp
2024
2 Srp
'24
16:47
Hello,
I am attempting to migrate some internal bind servers to
knot+knot-resolver. We have knot acting as the authoritative server for
internal views of our public zones and we're attempting to use Knot
Resolver to forward to Knot to provide recursive resolution on the internal
network.
In this configuration, when Knot is resolving a CNAME record from an
internal stub zone, it doesn't chase the target of the CNAME for the client.
To demonstrate, here are two example zones served by knot:
# zone1.com
test-a 30 IN A 192.168.1.1
# zone2.com
test-cname 30 CNAME test-a.zone1.com.
With these configured as stubs in Knot Resolver, if you query
test-cname.zone2.com, knot resolver won't chase it across zones to get the
A record value like it would for non-stub zones.
Both Bind9 and Unbound chase this as expected. Is there any way to
configure Knot Resolver to do the same?
Thanks!
- Paul
2 Srp
2 Srp
17:33
Hello Paul,
I've got some good news and some bad news.
The bad news is that the current stable Knot Resolver 5 is not able to
reliably chase CNAMEs when forwarding, as you've discovered.
The good news is that Knot Resolver 6 - currently in a sort of
"early-access" / "beta" state - has been reworked to cover exactly
this
case. It can be done by using the 'authoritative' option in 'forward'.
Of course, whether you want to use v6 or not depends on how critical the
infrastructure you're running is. Mainly, some breaking changes to the
configuration may happen between versions. The configuration format has
also changed considerably (from Lua to YAML - with Lua being optionally
available for expert tweaks) between 5 and 6.
Here is the documentation for v6 covering the topic:
https://www.knot-resolver.cz/documentation/latest/config-forward.html
Best regards
--
Oto Šťáva | Knot Resolver team lead | CZ.NIC z.s.p.o.
PGP: 6DC2 B0CB 5935 EA7A 3961 4AA7 32B2 2D20 C9B4 E680
On 8/2/24 4:47 PM, Paul Furtado wrote:
Hello,
I am attempting to migrate some internal bind servers to
knot+knot-resolver. We have knot acting as the authoritative server
for internal views of our public zones and we're attempting to use
Knot Resolver to forward to Knot to provide recursive resolution on
the internal network.
In this configuration, when Knot is resolving a CNAME record from an
internal stub zone, it doesn't chase the target of the CNAME for the
client.
To demonstrate, here are two example zones served by knot:
# zone1.com <http://zone1.com>
test-a 30 IN A 192.168.1.1
# zone2.com <http://zone2.com>
test-cname 30 CNAME test-a.zone1.com <http://test-a.zone1.com>.
With these configured as stubs in Knot Resolver, if you query
test-cname.zone2.com <http://test-cname.zone2.com>, knot resolver
won't chase it across zones to get the A record value like it would
for non-stub zones.
Both Bind9 and Unbound chase this as expected. Is there any way to
configure Knot Resolver to do the same?
Thanks!
- Paul
--
19:45
Hi Oto,
Thanks for the quick response!
As a workaround, we'll migrate to knot for our authoritative server for now
and keep bind in front of it for the stub zone handling, but we look
forward to migrating to Knot Resolver in the future so it's great news that
this is solved in version 6. Looking forward to that release!
Thanks,
Paul
On Fri, Aug 2, 2024 at 11:34 AM Oto Šťáva via knot-resolver-users <
knot-resolver-users(a)lists.nic.cz> wrote:
Hello Paul,
I've got some good news and some bad news.
The bad news is that the current stable Knot Resolver 5 is not able to
reliably chase CNAMEs when forwarding, as you've discovered.
The good news is that Knot Resolver 6 - currently in a sort of
"early-access" / "beta" state - has been reworked to cover exactly
this
case. It can be done by using the 'authoritative' option in 'forward'.
Of
course, whether you want to use v6 or not depends on how critical the
infrastructure you're running is. Mainly, some breaking changes to the
configuration may happen between versions. The configuration format has
also changed considerably (from Lua to YAML - with Lua being optionally
available for expert tweaks) between 5 and 6.
Here is the documentation for v6 covering the topic:
https://www.knot-resolver.cz/documentation/latest/config-forward.html
Best regards
--
Oto Šťáva | Knot Resolver team lead | CZ.NIC z.s.p.o.
PGP: 6DC2 B0CB 5935 EA7A 3961 4AA7 32B2 2D20 C9B4 E680
On 8/2/24 4:47 PM, Paul Furtado wrote:
Hello,
I am attempting to migrate some internal bind servers to
knot+knot-resolver. We have knot acting as the authoritative server for
internal views of our public zones and we're attempting to use Knot
Resolver to forward to Knot to provide recursive resolution on the internal
network.
In this configuration, when Knot is resolving a CNAME record from an
internal stub zone, it doesn't chase the target of the CNAME for the client.
To demonstrate, here are two example zones served by knot:
# zone1.com
test-a 30 IN A 192.168.1.1
# zone2.com
test-cname 30 CNAME test-a.zone1.com.
With these configured as stubs in Knot Resolver, if you query
test-cname.zone2.com, knot resolver won't chase it across zones to get
the A record value like it would for non-stub zones.
Both Bind9 and Unbound chase this as expected. Is there any way to
configure Knot Resolver to do the same?
Thanks!
- Paul
--
--
48
days inactive
48
days old
knot-resolver-users@lists.nic.cz
2 comments
2 participants
participants (2)
-
Oto Šťáva -
Paul Furtado