20 Dub
2018
20 Dub
'18
12:33
Hi,
I would like to run Knot Resolver with DNS-over-TLS on my laptop, but I
need to configure 'policy.FORWARD' whenever I connect to our corporate
network. The information about new connection is provided by the Network
Manager, that is not a problem, but then I need to configure the
resolver somehow. I was thinking about creating a new configuration file
and simply restarting the server, but it fails with "Start request
repeated too quickly".
Is there a way to add/remove policy rules "on the fly"?
The HTTP/2 module seems like a good candidate for doing this. Can this
module be used to accomplish this task?
Best regards,
Martin Sehnoutka
PS: If there is anyone using dnssec-trigger, this would be similar, but
less complicated.
--
Martin Sehnoutka | Associate Software Engineer
PGP: 5FD64AF5
UTC+1 (CET)
RED HAT | TRIED. TESTED. TRUSTED.
20 Dub
20 Dub
12:52
New subject: Modifying policy rules of a running resolver instance
Hi,
you can talk to Unix socket, please see example here:
http://knot-resolver.readthedocs.io/en/latest/daemon.html#scaling-out
It accepts the same syntax as in configuration file, i.e.
http://knot-resolver.readthedocs.io/en/latest/modules.html#query-policies
applies here as well.
You might want to use `policy.del` to get rid of previous policy rule,
please see
http://knot-resolver.readthedocs.io/en/latest/modules.html#policy-examples
... and let us know if you need any help.
Petr Špaček @ CZ.NIC
On 20.4.2018 12:33, Martin Sehnoutka wrote:
Hi,
I would like to run Knot Resolver with DNS-over-TLS on my laptop, but I
need to configure 'policy.FORWARD' whenever I connect to our corporate
network. The information about new connection is provided by the Network
Manager, that is not a problem, but then I need to configure the
resolver somehow. I was thinking about creating a new configuration file
and simply restarting the server, but it fails with "Start request
repeated too quickly".
Is there a way to add/remove policy rules "on the fly"?
The HTTP/2 module seems like a good candidate for doing this. Can this
module be used to accomplish this task?
Best regards,
Martin Sehnoutka
PS: If there is anyone using dnssec-trigger, this would be similar, but
less complicated.
23 Dub
23 Dub
14:45
New subject: Modifying policy rules of a running resolver instance
Hi,
thanks, I was able to write a script, that takes data from
NetworkManager and configures running Knot Resolver. I have follow up
question though. Is is possible with current implementation of the
policy module to see configured rules?
~ $ sudo nc -U /run/knot-resolver/control@1
policy.rules
[1] => {
[count] => 339
[id] => 0
[cb] => function: 0x415a9f68
}
[2] => {
[count] => 0
[id] => 1
[cb] => function: 0x415b6700
}
[3] => {
[count] => 3
[id] => 2
[cb] => function: 0x41d6d8a0
}
[4] => {
[count] => 1622
[id] => 3
[cb] => function: 0x415c5170
}
Looking at the output and the code in "policy.lua" I think there is not,
but I am asking just to be sure :-). I think it would be nice to see
configured policy using the "kresc" utility.
Finally, in the Fedora spec file, the http module is removed due to
unsatisfied dependencies. Is it just lua-http what is missing? Because I
tried the docker image, and the REST api seems really nice and I'd like
to see it in Fedora.
Best regards,
Martin Sehnoutka
On 04/20/2018 12:52 PM, Petr Špaček wrote:
Hi,
you can talk to Unix socket, please see example here:
http://knot-resolver.readthedocs.io/en/latest/daemon.html#scaling-out
It accepts the same syntax as in configuration file, i.e.
http://knot-resolver.readthedocs.io/en/latest/modules.html#query-policies
applies here as well.
You might want to use `policy.del` to get rid of previous policy rule,
please see
http://knot-resolver.readthedocs.io/en/latest/modules.html#policy-examples
... and let us know if you need any help.
Petr Špaček @ CZ.NIC
On 20.4.2018 12:33, Martin Sehnoutka wrote:
--
Martin Sehnoutka | Associate Software Engineer
PGP: 5FD64AF5
UTC+1 (CET)
RED HAT | TRIED. TESTED. TRUSTED.
Hi,
I would like to run Knot Resolver with DNS-over-TLS on my laptop, but I
need to configure 'policy.FORWARD' whenever I connect to our corporate
network. The information about new connection is provided by the Network
Manager, that is not a problem, but then I need to configure the
resolver somehow. I was thinking about creating a new configuration file
and simply restarting the server, but it fails with "Start request
repeated too quickly".
Is there a way to add/remove policy rules "on the fly"?
The HTTP/2 module seems like a good candidate for doing this. Can this
module be used to accomplish this task?
Best regards,
Martin Sehnoutka
PS: If there is anyone using dnssec-trigger, this would be similar, but
less complicated.
24 Dub
24 Dub
10:17
New subject: Modifying policy rules of a running resolver instance
On 2018-04-23 14:45, Martin Sehnoutka wrote:
Finally, in the Fedora spec file, the http module is
removed due to
unsatisfied dependencies. Is it just lua-http what is missing? Because I
tried the docker image, and the REST api seems really nice and I'd like
to see it in Fedora.
I don't think the http module was ever a part of the Fedora spec file.
I'm not sure if it's due to missing dependencies, or simply because we
omitted it. I don't think it's currently our priority to package the
http module in Fedora/EPEL, but we might look into it in the future.
Of course, if you or anyone else would like to contribute it to our
spec, we can maintain it afterwards. :)
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
10:40
New subject: Modifying policy rules of a running resolver instance
On 04/24/2018 10:17 AM, Tomas Krizek wrote:
On 2018-04-23 14:45, Martin Sehnoutka wrote:
Yeah, I understand that it is not your priority :-), just curious if you
tried to package it. I will try to communicate with Fedora Lua SIG and
see what can be done in order to support it.
Regards,
Finally, in the Fedora spec file, the http module
is removed due to
unsatisfied dependencies. Is it just lua-http what is missing? Because I
tried the docker image, and the REST api seems really nice and I'd like
to see it in Fedora.
I don't think the http module was ever a part of the Fedora spec file.
I'm not sure if it's due to missing dependencies, or simply because we
omitted it. I don't think it's currently our priority to package the
http module in Fedora/EPEL, but we might look into it in the future.
Of course, if you or anyone else would like to contribute it to our
spec, we can maintain it afterwards. :)
--
Martin Sehnoutka | Associate Software Engineer
PGP: 5FD64AF5
UTC+1 (CET)
RED HAT | TRIED. TESTED. TRUSTED.
14:48
New subject: Modifying policy rules of a running resolver instance
On 24.4.2018 10:40, Martin Sehnoutka wrote:
On 04/24/2018 10:17 AM, Tomas Krizek wrote:
This is correct, the HTTP module depedencies are missing in Fedora.
The HTTP module depends on the following Lua modules:
cqueues
http
openssl
All of them are general-purpose modules so it might be doable if you
want to do so :-)
Please note that we need modules packaged for LuaJIT which is Lua
version 5.1. Typically Lua packages in Fedora have two flavors, e.g.:
lua-sec (Lua 5.3)
lua-sec-compat (Lua 5.1/LuaJIT)
Let us know if you want us to test some pre-release version of RPMs, we
can help you with that.
Speaking of kresc you have mentioned, well, it is super-experimental and
needs complete rewrite, one day ... Please do not rely on its specific
implementation details.
Petr Špaček @ CZ.NIC
On 2018-04-23 14:45, Martin Sehnoutka wrote:
Yeah, I understand that it is not your priority :-), just curious if you
tried to package it. I will try to communicate with Fedora Lua SIG and
see what can be done in order to support it. Finally, in the Fedora spec file, the http module
is removed due to
unsatisfied dependencies. Is it just lua-http what is missing? Because I
tried the docker image, and the REST api seems really nice and I'd like
to see it in Fedora.
I don't think the http module was ever a part of the Fedora spec file.
I'm not sure if it's due to missing dependencies, or simply because we
omitted it. I don't think it's currently our priority to package the
http module in Fedora/EPEL, but we might look into it in the future.
Regards,
>
> Of course, if you or anyone else would like to contribute it to our
> spec, we can maintain it afterwards. :)
31 Kvě
31 Kvě
12:02
New subject: Modifying policy rules of a running resolver instance
On 24.4.2018 10:40, Martin Sehnoutka wrote:
On 04/24/2018 10:17 AM, Tomas Krizek wrote:
Hi Martin,
do you have any news regarding Fedora packages?
--
Petr Špaček @ CZ.NIC
On 2018-04-23 14:45, Martin Sehnoutka wrote:
Yeah, I understand that it is not your priority :-), just curious if you
tried to package it. I will try to communicate with Fedora Lua SIG and
see what can be done in order to support it. Finally, in the Fedora spec file, the http module
is removed due to
unsatisfied dependencies. Is it just lua-http what is missing? Because I
tried the docker image, and the REST api seems really nice and I'd like
to see it in Fedora.
I don't think the http module was ever a part of the Fedora spec file.
I'm not sure if it's due to missing dependencies, or simply because we
omitted it. I don't think it's currently our priority to package the
http module in Fedora/EPEL, but we might look into it in the future.
13:48
New subject: Modifying policy rules of a running resolver instance
On 05/31/2018 12:02 PM, Petr Špaček wrote:
On 24.4.2018 10:40, Martin Sehnoutka wrote:
Hi,
I asked in the Fedora Lua SIG if there is any plan to create some
automatic tool for package creation from LuaRocks so that I don't have
to package it by hand. There was a plan to create such tool but
unfortunately, it was never really created. So the bottom line here is
that the HTTP package would have to be created by hand and I haven't had
time yet to create it.
I will definitely contact you if there is an update.
Best regards,
--
Martin Sehnoutka | Associate Software Engineer
PGP: 5FD64AF5
UTC+1 (CET)
RED HAT | TRIED. TESTED. TRUSTED.
On 04/24/2018 10:17 AM, Tomas Krizek wrote:
Hi Martin,
do you have any news regarding Fedora packages?
On 2018-04-23 14:45, Martin Sehnoutka wrote:
Yeah, I understand that it is not your priority :-), just curious if you
tried to package it. I will try to communicate with Fedora Lua SIG and
see what can be done in order to support it. Finally, in the Fedora spec file, the http module
is removed due to
unsatisfied dependencies. Is it just lua-http what is missing?
Because I
tried the docker image, and the REST api seems really nice and I'd like
to see it in Fedora.
I don't think the http module was ever a part of the Fedora spec file.
I'm not sure if it's due to missing dependencies, or simply because we
omitted it. I don't think it's currently our priority to package the
http module in Fedora/EPEL, but we might look into it in the future.
2367
days inactive
2408
days old
knot-resolver-users@lists.nic.cz
7 comments
3 participants
participants (3)
-
Martin Sehnoutka -
Petr Špaček -
Tomas Krizek