Knot Resolver issues
https://gitlab.nic.cz/knot/knot-resolver/-/issues
Updated: 2021-04-16T19:20:19+02:00

Issue #8: daemon: configuration parser/interface
https://gitlab.nic.cz/knot/knot-resolver/-/issues/8
Updated: 2021-04-16T19:20:19+02:00
Author: Ghost User
Milestone: 2015 Q1

Issue #7: cache: garbage collection scheme / aging
https://gitlab.nic.cz/knot/knot-resolver/-/issues/7
Updated: 2021-04-16T19:20:19+02:00
Author: Ghost User
Milestone: 2015 Q1

Issue #6: tests: CMocka-based unit tests for current APIs
https://gitlab.nic.cz/knot/knot-resolver/-/issues/6
Updated: 2021-04-16T19:20:19+02:00
Author: Ghost User

library:
* resolution
* cache
* zone cuts
* utils
daemon:
* tcp
* udp
* worker
Milestone: 2015 Q1

Issue #5: tests: test binary using socket_wrapper (cwrap)
https://gitlab.nic.cz/knot/knot-resolver/-/issues/5
Updated: 2021-04-16T19:20:19+02:00
Author: Ghost User

Things missing:
* [x] Wrap I/O syscalls instead of libknot library calls (more portable, generic)
* [ ] Make Python test server listen on all addresses listed in the test
* [ ] use socket_wrapper to isolate it in a test environment https://cwrap.org/socket_wrapper.html
* [ ] isolate the binary as well and test if it connects to the faked servers
* [ ] prepare configuration for binary in the test cases
* [ ] check that all tests pass on the binary!
* [ ] Documentation (may reference the https://www.unbound.net/documentation/doxygen/replay_8h.html#details)
* [ ] Publish this as a tool to test recursive/auth DNS compliance
Milestone: 2015 Q3
Assignee: Grigorii Demidov

Issue #610: migrate upstream repositories from OBS
https://gitlab.nic.cz/knot/knot-resolver/-/issues/610
Updated: 2024-01-19T17:08:29+01:00
Author: Tomas Krizek

The OBS infrastructure has some serious issues, some of which are security related.
The mirrors can get weirdly out of sync, which can cause a different file size / checksums in downloaded repository metadata (`Packages` file for debian) and the downloaded package. This issue has been observed by our users.
The packages are also downloaded over http, because not all the mirrors support https. Users have complained about this on the [mailing list](https://lists.nic.cz/pipermail/knot-resolver-users/2019/000193.html).
Overall, OBS may be suitable for testing and automation, but the official upstream packages should be somewhere more reliable. I propose to use the same approach as [Knot DNS](https://www.knot-dns.cz/download/) to be more consistent.
Features we want:
- supported distributions
  - Debian (9), 10+
  - Ubuntu (16.04), 18.04, 20.04, latest rolling?
  - Fedora - all supported
  - CentOS 7, 8
  - openSUSE - Leap 15.x
  - Arch is a bonus
- supported architectures
  - x86_64
  - aarch64 ?
  - armv7 ?
- control over build root dependencies (e.g. using a newer/older Knot DNS)
- possibility to use multiple repositories (latest, testing, ...)
- re-builds if distribution packages/dependencies change?
- non-public repositories for security releases for customers?
Assignee: Jakub Ružička

Issue #601: documentation omits how to make examples work if installed lua is not 5.1
https://gitlab.nic.cz/knot/knot-resolver/-/issues/601
Updated: 2020-09-07T16:53:50+02:00
Author: tobiww

As a new knot-resolver user, I had the darndest time following examples in the documentation. For example, adding 'http' to the modules list gave a non-helpful syntax error. Tried installing lua-http from the OS package manager, but that didn't help. The root cause of the problem was that I wasn't installing the right libraries for the right lua version. What I ended up doing was uninstalling all versions of lua on my system (including things that depended on lua, such as neovim and vs code), and then installing lua (the default 5.4), 'lua51' and luarocks. Then I ran `luarocks --lua-version 5.1 install http` and the http module worked with knot-resolver!
I propose adding some links in the documentation to describe how to check if you have the right lua version and how to install necessary add-on modules. Since you can land on any of the doc pages from a google search, I suggest that there is a link to the module-install info from every page where there are examples that depend on non-standard modules or libraries.
I use arch linux, which installs lua 5.4 by default (as of Aug 2020). If you install luarocks and run the install command above without lua51 installed, you get an error that the lua.h header file is missing. That can be fixed by installing the lua51 package. I understand why lua51 isn't a dependency of knot-resolver, since it's built-in, but the docs should include all these steps needed to install the modules used in the example code.
knot-resolver is really an amazing package, and for some, it may be the inspiration to learn enough lua to do further automation with it. I'm not suggesting that you duplicate all the lua programming guides, but it might be helpful to have a non-lua programmer do a review pass on the documentation to help point out things that are non-obvious and could benefit from clarification or explanations of the syntax.

Issue #580: add cache usage to cache.stats()
https://gitlab.nic.cz/knot/knot-resolver/-/issues/580
Updated: 2020-07-16T10:30:27+02:00
Author: Petr Špaček

Right now it is PITA to determine real cache usage because LMDB file size does not reflect space freed by garbage collector etc.
I propose to add a new item `usage` to the table returned by `cache.stats()`. It should be a float number in <0,100> %.
Its value should be computed as `Number of pages used`/`Max pages`. The command line equivalent for testing purposes is:
```
$ mdb_stat -e <cache_path>
Environment Info
Map address: (nil)
Map size: 104857600
Page size: 4096
Max pages: 25600
Number of pages used: 15
Last transaction ID: 766
Max readers: 126
Number of readers used: 0
```
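The computation proposed above, as an added example in C (not Knot Resolver code; the function names are mine): it parses the text printed by `mdb_stat -e`, computes `Number of pages used` / `Max pages` as a percentage, and also reports the bytes actually occupied by pages, which the LMDB file size does not reveal. The embedded sample is constructed from the output quoted in the issue so the program runs offline; piping real `mdb_stat -e` output into it works the same way.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the `mdb_stat -e <cache_path>` output quoted in the issue. */
static const char *const MDB_STAT_SAMPLE =
    "Environment Info\n"
    "  Map address: (nil)\n"
    "  Map size: 104857600\n"
    "  Page size: 4096\n"
    "  Max pages: 25600\n"
    "  Number of pages used: 15\n"
    "  Last transaction ID: 766\n"
    "  Max readers: 126\n"
    "  Number of readers used: 0\n";

/* Look up "<key>: <integer>" in text. Returns 1 and stores the value,
 * 0 if the key is missing or not followed by a number. */
static int mdb_stat_field(const char *text, const char *key, unsigned long long *out)
{
    const char *p = strstr(text, key);
    if (p == NULL)
        return 0;
    p += strlen(key);
    if (*p != ':')
        return 0;
    char *end;
    unsigned long long v = strtoull(p + 1, &end, 10);
    if (end == p + 1)          /* no digits after the colon */
        return 0;
    *out = v;
    return 1;
}

/* Cache usage in percent, 0..100, as the issue proposes:
 * "Number of pages used" / "Max pages". Returns -1.0 when either field is
 * missing or "Max pages" is 0, so callers can tell "unknown" from "empty". */
double mdb_cache_usage_percent(const char *mdb_stat_text)
{
    unsigned long long used, max_pages;
    if (!mdb_stat_field(mdb_stat_text, "Number of pages used", &used))
        return -1.0;
    if (!mdb_stat_field(mdb_stat_text, "Max pages", &max_pages) || max_pages == 0)
        return -1.0;
    return 100.0 * (double)used / (double)max_pages;
}

/* Bytes occupied by used pages ("Number of pages used" * "Page size");
 * this is the number the LMDB file size does not tell you. Returns -1 on error. */
long long mdb_cache_used_bytes(const char *mdb_stat_text)
{
    unsigned long long used, page_size;
    if (!mdb_stat_field(mdb_stat_text, "Number of pages used", &used) ||
        !mdb_stat_field(mdb_stat_text, "Page size", &page_size))
        return -1;
    return (long long)(used * page_size);
}

/* Stand-alone use: `mdb_stat -e /var/cache/knot-resolver | ./cache_usage`;
 * with empty input (e.g. `< /dev/null`) the constructed sample is analysed. */
int main(void)
{
    static char buf[65536];
    size_t n = fread(buf, 1, sizeof(buf) - 1, stdin);
    buf[n] = '\0';
    const char *text = n > 0 ? buf : MDB_STAT_SAMPLE;
    double pct = mdb_cache_usage_percent(text);
    if (pct < 0) {
        fprintf(stderr, "could not find 'Number of pages used' / 'Max pages'\n");
        return 1;
    }
    printf("cache usage: %.4f %% (%lld bytes in use)\n", pct, mdb_cache_used_bytes(text));
    return 0;
}
```

For the sample above the result is 15/25600, i.e. about 0.0586 %, with 61440 bytes in use; a missing field or `Max pages: 0` yields -1 rather than a misleading 0 %.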

Issue #571: broken links in docs
https://gitlab.nic.cz/knot/knot-resolver/-/issues/571
Updated: 2020-05-18T10:16:35+02:00
Author: Petr Špaček

Version 5.1.0 has a bunch of broken links in documentation.
List of broken links from urichecker:
[broken_links.html](/uploads/c54dcf6f2955904df3fac322bc314257/broken_lins.html)

Issue #559: handle conflicting trust anchor & negative trust anchor definitions
https://gitlab.nic.cz/knot/knot-resolver/-/issues/559
Updated: 2020-05-07T08:36:57+02:00
Author: Vladimír Čunát (vladimir.cunat@nic.cz)

People could reasonably expect that adding a root negative trust anchor would disable validation (everywhere)
```lua
trust_anchors.set_insecure({'.'})
```
but that is not so, at least if built with `-Dkeyfile_default=foo` (usual in distros; maybe in some other configs as well).
Our documented way to _completely_ disable validation seems to work
```lua
trust_anchors.remove('.')
```
and we certainly discourage such things, so I don't expect this to be an important issue. In particular, using NTAs below root seems to work fine. _I suspect the issue is having both TA and NTA on the same name._

Issue #554: Lua command map() does not work with multiple instances started using systemd
https://gitlab.nic.cz/knot/knot-resolver/-/issues/554
Updated: 2020-10-27T11:55:28+01:00
Author: Petr Špaček

This affects all instances which do not use the `-f` option (which is deprecated anyway).
We need to rewrite the `map()` command to use control sockets (instead of pipes inherited from the parent process) or replace it with something completely different.

Issue #529: deprecate -f option (forking)
https://gitlab.nic.cz/knot/knot-resolver/-/issues/529
Updated: 2020-10-23T17:01:53+02:00
Author: Petr Špaček

Current option `-f` allows users to run multiple kresd instances at once. That is good in theory but has many shortcomings, namely:
- parent kresd process does not monitor child processes
- processes cannot be re/started without breaking kresd inter-process communication
- current implementation of `map()` command has convoluted error handling (and is error prone)
- it is harder to monitor processes from outside, e.g. using standard tools in systemd
- forking and file descriptor passing between instances is a mess
Fixing these shortcomings is of course possible, but it ultimately leads to re-implementation of a supervisor process, which is an even worse idea. We already have systemd/supervisord/procd for this task so let's rely on that instead of re-inventing the wheel.
Proposal:
- deprecate `-f` option and `map()` command in 5.0.0
- add warning if `-f` or `map()` are used
- add new option `-n`/`--noninteractive` which should be used instead of `-f 1`
- update manuals to use new option `-n` + systemd instances to run multiple processes
Wild idea:
- update `map()` command to use sockets in `rundir` instead of FDs inherited from parent? Is it worth the complexity?
Milestone: 5.0.0
Assignee: Vladimír Čunát (vladimir.cunat@nic.cz)

Issue #528: control socket logging is too noisy
https://gitlab.nic.cz/knot/knot-resolver/-/issues/528
Updated: 2019-12-11T10:48:23+01:00
Author: Petr Špaček

On busy systems the control socket is too noisy.
Originally I thought it was a "security"/"audit" feature that all the traffic would get into kresd logs, but it turns out that some users use the API heavily and this leads to a voluminous and at the same time useless log.
Proposal:
Log socket communication only if verbose mode is enabled.
A better solution would be fine-grained logging configuration (#527) but that's out of scope of this ticket.
Milestone: 5.0.0
Assignee: Vladimír Čunát (vladimir.cunat@nic.cz)

Issue #525: cache preallocation
https://gitlab.nic.cz/knot/knot-resolver/-/issues/525
Updated: 2020-01-13T09:28:49+01:00
Author: Petr Špaček

We should consider pre-allocating the cache file when the cache size is being changed. That would eliminate problems like #197.

Issue #524: cache size = "max"
https://gitlab.nic.cz/knot/knot-resolver/-/issues/524
Updated: 2020-01-29T17:07:42+01:00
Author: Petr Špaček

For use-cases where cache is on a dedicated partition (like RAM disk) it would be useful to have option "cache size = max".
In that case kresd would allocate as big a cache as possible, obviating the need to specify cache size in two different places: kresd config + RAM disk spec.

Issue #521: replace lua-socket dependency with lua-http
https://gitlab.nic.cz/knot/knot-resolver/-/issues/521
Updated: 2019-12-20T14:32:36+01:00
Author: Petr Špaček

At the moment we are using two packages for HTTP requests from Lua:
- lua-socket (Lua library `ssl.https`)
- lua-http (Lua library `http`)
This complicates packaging and is generally unnecessary.
It seems that package lua-socket (Lua library `ssl.https`) offers only a blocking API, and that is causing problems like e.g. #512, so let's replace `lua-socket` with `lua-http`.
It should "accidentally" fix #512 and also make packaging easier.
Affected modules:
- prefill (#512)
- trust_anchors bootstrap
- possibly others
Example of a non-blocking HTTP request:
```lua
local http_request = require('http.request')  -- lua-http

local function blacklist_reload()
	local url = 'https://raw.githubusercontent.com/CSNOG/MFCR-blacklist/master/blacklist.txt'
	-- :go() yields inside a cqueues coroutine instead of blocking the whole process
	local headers, stream = http_request.new_from_uri(url):go()
	assert(headers, 'HTTP client library error')
	assert(tonumber(headers:get(':status')) == 200,
		string.format('HTTP status %s instead of expected 200\n', headers:get(':status')))
	-- body is spooled into a temporary file; 5 is the timeout in seconds
	local tmpfile = stream:get_body_as_file(5)
	assert(tmpfile, 'error while getting blacklist HTTP body in limit 5 seconds')
	return tmpfile
end

-- run in the background cqueues controller so the request does not block resolution
worker.bg_worker.cq:wrap(blacklist_reload)
```
Error handling needs more work etc.
Milestone: 5.0.0

Issue #520: prefill: remove dependency on lua-filesystem (lfs)
https://gitlab.nic.cz/knot/knot-resolver/-/issues/520
Updated: 2019-12-18T16:20:43+01:00
Author: Petr Špaček

Package lua-filesystem (library lfs) in the version for Lua 5.1 is not available in RHEL 8, and we in fact need only one little function from it. Let's get rid of the dependency.
Proposed approach:
- [x] add a small C function to get a value equivalent to `lfs.attributes(filename).modification` to our auxiliary library lib/utils.c
- [x] replace lfs library in `modules/prefill.lua` with call to `ffi.C.our_new_func()`
- [x] remove lua-filesystem references from packaging files
Milestone: 5.0.0
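Added example, not the function from lib/utils.c the checklist refers to (the issue does not give its name, so `file_mtime` and `file_is_stale` are my own): the single value prefill needs from lfs, `lfs.attributes(path).modification`, obtained with stat(2), plus the staleness check it feeds. From Lua it would be declared with LuaJIT's ffi (`ffi.cdef[[long long file_mtime(const char *path);]]`) and called as `ffi.C.file_mtime(path)` once the function is built into kresd or a library it loads globally.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>

/* Modification time of path as seconds since the epoch, i.e. what
 * lfs.attributes(path).modification returned. Returns -1 and leaves
 * errno set (ENOENT, EACCES, ...) when stat(2) fails. */
long long file_mtime(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (long long)st.st_mtime;
}

/* The check a cache pre-filler needs: is the downloaded file older than
 * max_age seconds at time now? 1 = stale (re-download), 0 = fresh,
 * -1 = cannot stat (log it and treat as stale; a missing file must not crash). */
int file_is_stale(const char *path, long long max_age, long long now)
{
    long long mtime = file_mtime(path);
    if (mtime < 0) {
        fprintf(stderr, "stat(%s): %s\n", path, strerror(errno));
        return -1;
    }
    return (now - mtime) > max_age ? 1 : 0;
}

/* Stand-alone use: ./mtime_example /var/cache/knot-resolver/root.zone */
int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/";
    long long mtime = file_mtime(path);
    if (mtime < 0) {
        perror(path);
        return 1;
    }
    printf("%s: mtime %lld, stale after 1h: %d\n", path, mtime,
           file_is_stale(path, 3600, (long long)time(NULL)));
    return 0;
}
```

The -1 return is the part worth keeping: lfs returned nil on a missing file and the Lua side had to check for it, and the C replacement has to preserve that distinction rather than returning 0, which would read as "modified at the epoch" and therefore always stale.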

Issue #500: Quickstart guide: ISP resolver
https://gitlab.nic.cz/knot/knot-resolver/-/issues/500
Updated: 2019-12-23T20:08:35+01:00
Author: Petr Špaček

Outline for scenario "ISP resolver":
- package installation (common to all quickstart guides)
- listening on network interfaces
- limiting access to clients in ISP networks (view + policy.REFUSE)
- policy to comply with mandatory domain blocking
- a) RPZ
- b) hand-made list
- configuring cache size
- running multiple instances (kresd@1, kresd@2, ...)
- monitoring - cache hit and other stats
Milestone: 5.0.0
Assignee: Aleš Mrázek

Issue #499: Quickstart guide: personal privacy-preserving resolver
https://gitlab.nic.cz/knot/knot-resolver/-/issues/499
Updated: 2019-12-23T20:08:36+01:00
Author: Petr Špaček

Outline for scenario "personal privacy-preserving resolver" (localhost only):
- package installation (common to all quickstart guides)
- policy to TLS-forward queries to trusted third parties (policy TLS_FORWARD, slicing to split queries to multiple targets)
- moving cache to tmpfs to avoid cache writes to permanent storage
Milestone: 5.0.0
Assignee: Aleš Mrázek

Issue #498: Quickstart guide: internal resolver
https://gitlab.nic.cz/knot/knot-resolver/-/issues/498
Updated: 2019-12-23T20:08:37+01:00
Author: Petr Špaček

Outline for scenario "internal resolver":
- package installation (common to all quickstart guides)
- listening on network interfaces
- policy to resolve internal-only domains (e.g. `company.example` domain which is not available on the public Internet)
Milestone: 5.0.0
Assignee: Aleš Mrázek

Issue #495: improve error reporting and handling
https://gitlab.nic.cz/knot/knot-resolver/-/issues/495
Updated: 2021-06-01T11:02:38+02:00
Author: Tomas Krizek

Currently, some assertions seem to be used as a way to report unlikely events, and when these are used in production, they can cause needless crashes (even though they're then handled by systemd's `Restart=on-abnormal` facility).
I propose the following changes:
- The code should not rely on assertions; if it does, it's a bug that should be fixed.
- Errors, even unlikely ones (currently handled by assertions), should be logged properly.
- ~~There could be an option (off by default) to enable reporting these remotely.~~
Assignee: Tomas Krizek
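The difference the proposal is about, as an added example in C (not kresd code; the buffer-copy function and all names are mine): the same length check written once as an `assert()` and once as a checked, logged error. With plain C `assert()` there are two failure modes, both bad for a daemon: a debug build aborts the whole process on one bad input (systemd restarts it, but every query in flight is lost), and a build with `-DNDEBUG` drops the check entirely and proceeds into the overflow. Returning a negative errno to the caller is a common C convention and my choice here, not necessarily the project's.

```c
#include <assert.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Longest DNS name on the wire (RFC 1035): a realistic fixed-size buffer. */
#define DNAME_WIRE_MAX 255

/* Counter of logged errors, so a test (or a metric) can see that a fault was reported. */
static unsigned long g_logged_errors = 0;

static void log_error(const char *where, const char *what)
{
    g_logged_errors++;
    fprintf(stderr, "error: %s: %s\n", where, what);
}

unsigned long logged_error_count(void)
{
    return g_logged_errors;
}

/* BEFORE: an unlikely condition "reported" by assert(). Either the daemon
 * aborts on one oversized name, or, built with -DNDEBUG, the check vanishes
 * and memcpy() writes past the end of dst. */
int dname_copy_assert(unsigned char *dst, size_t dst_len,
                      const unsigned char *src, size_t src_len)
{
    assert(src_len <= dst_len);
    memcpy(dst, src, src_len);
    return (int)src_len;
}

/* AFTER: the same condition as a checked error: logged with context, reported
 * to the caller as a negative errno, never fatal and never compiled out. */
int dname_copy_checked(unsigned char *dst, size_t dst_len,
                       const unsigned char *src, size_t src_len)
{
    if (dst == NULL || src == NULL) {
        log_error(__func__, "NULL buffer");
        return -EINVAL;
    }
    if (src_len > dst_len) {
        log_error(__func__, "source name longer than destination buffer");
        return -ENOBUFS;
    }
    memcpy(dst, src, src_len);
    return (int)src_len;
}

int main(void)
{
    unsigned char dst[DNAME_WIRE_MAX];
    unsigned char too_long[DNAME_WIRE_MAX + 45];   /* constructed oversized input */
    memset(too_long, 'a', sizeof(too_long));

    int rc = dname_copy_checked(dst, sizeof(dst), too_long, sizeof(too_long));
    printf("checked copy: rc=%d (%s), errors logged=%lu\n",
           rc, rc < 0 ? strerror(-rc) : "ok", logged_error_count());
    /* dname_copy_assert(dst, sizeof(dst), too_long, sizeof(too_long)) would
     * abort the process here (or overflow dst under -DNDEBUG). */
    return 0;
}
```

The checked version is what the proposal's first two bullets amount to in practice: the condition stays a condition in every build, the event lands in the log once with the function name, and the caller decides whether the request fails or the daemon carries on.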