Knot Resolver issueshttps://gitlab.nic.cz/knot/knot-resolver/-/issues2022-06-05T13:49:36+02:00https://gitlab.nic.cz/knot/knot-resolver/-/issues/717manager: ci: add missing integration tests to the CI2022-06-05T13:49:36+02:00Vaclav Sraiermanager: ci: add missing integration tests to the CIAfter integration of repositories and after fixing the CI in !1249, manager's integration tests started by `poe integration` are not running within the CI.After integration of repositories and after fixing the CI in !1249, manager's integration tests started by `poe integration` are not running within the CI.https://gitlab.nic.cz/knot/knot-resolver/-/issues/716manager: datamodel: unit tests improvements2022-04-20T14:18:38+02:00Aleš Mrázekmanager: datamodel: unit tests improvementsPossibilities for improvement
- tests parametrization as mentioned in [!1250](https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1250#note_242078)
- split tests of configuration schemas into two separate tests (for `valid` and `in...Possibilities for improvement
- tests parametrization as mentioned in [!1250](https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1250#note_242078)
- split tests of configuration schemas into two separate tests (for `valid` and `invalid` config) also mentioned in [!1250](https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1250#note_242079)https://gitlab.nic.cz/knot/knot-resolver/-/issues/713manager: Add packaging tests2022-08-06T22:33:42+02:00Vaclav Sraiermanager: Add packaging testsFollow up after closed !1214.
Basic packaging is done, we need a way to test that the packages work properly.Follow up after closed !1214.
Basic packaging is done, we need a way to test that the packages work properly.https://gitlab.nic.cz/knot/knot-resolver/-/issues/712DoH can't be configured2022-02-21T11:27:23+01:00Vladimír Čunátvladimir.cunat@nic.czDoH can't be configured`kind: doh` in config generates `kind = 'doh'` for lua, but that won't work (at least for now), and might be better to generate `'doh2'` even in case the alias will work in future.`kind: doh` in config generates `kind = 'doh'` for lua, but that won't work (at least for now), and might be better to generate `'doh2'` even in case the alias will work in future.https://gitlab.nic.cz/knot/knot-resolver/-/issues/711systemd: handle exited kresd instances2022-02-19T10:39:24+01:00Vladimír Čunátvladimir.cunat@nic.czsystemd: handle exited kresd instancesWhen a kresd instance exits (could be a crash or whatever), it does not get auto-restarted by systemd like in the manager-less case. What's worse, it blocks manager itself from reloading or even ^C-quitting, as it expects the service to...When a kresd instance exits (could be a crash or whatever), it does not get auto-restarted by systemd like in the manager-less case. What's worse, it blocks manager itself from reloading or even ^C-quitting, as it expects the service to be running.
Tested with systemd-session controller, assuming OS-level systemd will behave similarly. This seems important to improve for production-level reliability.Vaclav SraierVaclav Sraierhttps://gitlab.nic.cz/knot/knot-resolver/-/issues/710modelling: more readable error messages2022-03-31T16:37:05+02:00Vaclav Sraiermodelling: more readable error messagessee https://relaxng.org/jclark/derivative.html#Error_handling for inspiration
an implementation of that is this https://relaxng.org/jclark/jing.html
cc @llhotkasee https://relaxng.org/jclark/derivative.html#Error_handling for inspiration
an implementation of that is this https://relaxng.org/jclark/jing.html
cc @llhotkaVaclav SraierVaclav Sraierhttps://gitlab.nic.cz/knot/knot-resolver/-/issues/708datamodel: renaming 'server' section2022-05-18T16:26:17+02:00Aleš Mrázekdatamodel: renaming 'server' sectionThis section is basically a summary of things that do not fit elsewhere, so the name of this section may be confusing.
examples of the new name: `general`, `management`, ...
Or maybe try to split the section.
Current `server` section
...This section is basically a summary of things that do not fit elsewhere, so the name of this section may be confusing.
examples of the new name: `general`, `management`, ...
Or maybe try to split the section.
Current `server` section
```yaml
server:
id:
hostname:
nsid:
workers:
use-cache-gc:
backend:
watchdog:
rundir:
management:
webmgmt:
```Aleš MrázekAleš Mrázekhttps://gitlab.nic.cz/knot/knot-resolver/-/issues/706docs: annotate data model with docstrings2022-04-08T16:14:03+02:00Vaclav Sraierdocs: annotate data model with docstringsAleš MrázekAleš Mrázekhttps://gitlab.nic.cz/knot/knot-resolver/-/issues/705docs: create man page2022-12-08T11:09:37+01:00Vaclav Sraierdocs: create man pageShould it contain configuration schema or are only CLI arguments sufficient?Should it contain configuration schema or are only CLI arguments sufficient?Vaclav SraierVaclav Sraierhttps://gitlab.nic.cz/knot/knot-resolver/-/issues/703Optimize network configuration for lower verbosity2022-04-08T16:13:59+02:00Vaclav SraierOptimize network configuration for lower verbosityWhen we look at a more complicated configuration, for example our ODVR, the network section is unnecessarily verbose. We should make it more concise...
Note: issue changed topic due to a developing discussion. The previous topic was rec...When we look at a more complicated configuration, for example our ODVR, the network section is unnecessarily verbose. We should make it more concise...
Note: issue changed topic due to a developing discussion. The previous topic was recreated under knot-resolver-manager#46Aleš MrázekAleš Mrázekhttps://gitlab.nic.cz/knot/knot-resolver/-/issues/702datamodel: zone name as key in forward/stub-zones dictionary2022-06-21T11:56:53+02:00Aleš Mrázekdatamodel: zone name as key in forward/stub-zones dictionaryCurrently, the zone name is a key of stub/forward zone [dict](https://gitlab.nic.cz/knot/knot-resolver-manager/-/blob/datamodel-policy/knot_resolver_manager/datamodel/config_schema.py#L57), so it is not possible to create two configurati...Currently, the zone name is a key of stub/forward zone [dict](https://gitlab.nic.cz/knot/knot-resolver-manager/-/blob/datamodel-policy/knot_resolver_manager/datamodel/config_schema.py#L57), so it is not possible to create two configurations for one zone.
However, this can be a problem, for example, if I want to set up different stub/forward servers for `view` which differs from the global configuration.Aleš MrázekAleš Mrázekhttps://gitlab.nic.cz/knot/knot-resolver/-/issues/701full partial config updates2022-08-30T14:43:29+02:00Vaclav Sraierfull partial config updatesCurrently, we can only change configuration model with whole subtrees. So for example, you can't update a list or a dictionary with one value, you have to replace it whole.Currently, we can only change configuration model with whole subtrees. So for example, you can't update a list or a dictionary with one value, you have to replace it whole.Vaclav SraierVaclav Sraierhttps://gitlab.nic.cz/knot/knot-resolver/-/issues/699prometheus & graphite: aggregation and relaying of metrics in manager2022-02-19T10:42:49+01:00Vaclav Sraierprometheus & graphite: aggregation and relaying of metrics in managerfollowing [this discussion on Slack](https://cznic.slack.com/archives/C01EC5ADMB6/p1637675341005100)following [this discussion on Slack](https://cznic.slack.com/archives/C01EC5ADMB6/p1637675341005100)https://gitlab.nic.cz/knot/knot-resolver/-/issues/698logging: aggregation of records in the log of individual processes2022-10-12T16:03:55+02:00Aleš Mrázeklogging: aggregation of records in the log of individual processesThe user should have easy access to log records of all knot-resolver processes(kresd instances, cache garbage collector and manager).
With systemd, the solution could look like `systemctl status knot-resolver` or `journalctl -u knot-res...The user should have easy access to log records of all knot-resolver processes(kresd instances, cache garbage collector and manager).
With systemd, the solution could look like `systemctl status knot-resolver` or `journalctl -u knot-resolver`Vaclav SraierVaclav Sraierhttps://gitlab.nic.cz/knot/knot-resolver/-/issues/696datamodel: progress in configuration modeling2022-06-21T11:56:39+02:00Aleš Mrázekdatamodel: progress in configuration modelingThis issue is used to track the progress of modeling configuration designed in the [table](https://docs.google.com/spreadsheets/d/1MelBh9b20_OVoUvjy7qMinIJt7sJZ50frdYDStA9dtw/edit#gid=421811660).
Modeling also includes creating a jinja2 ...This issue is used to track the progress of modeling configuration designed in the [table](https://docs.google.com/spreadsheets/d/1MelBh9b20_OVoUvjy7qMinIJt7sJZ50frdYDStA9dtw/edit#gid=421811660).
Modeling also includes creating a jinja2 template to generate Lua configuration.
Sections:
- [x] server
- [x] options
- [x] network
- [x] static-hints
- [x] slices
- [x] view
- [x] policy/daf
- [x] stub-zones
- [x] forward-zones
- [x] rpz
- [x] dnssec
- [x] cache
- [x] dns64
- [x] logging
- [x] monitoring
- [x] luaAleš MrázekAleš Mrázekhttps://gitlab.nic.cz/knot/knot-resolver/-/issues/695docs: datamodel: write simple documentation for modeling configuration2022-07-18T12:56:00+02:00Aleš Mrázekdocs: datamodel: write simple documentation for modeling configurationThis will not be part of the official documentation just readme file in datamodel directory.This will not be part of the official documentation just readme file in datamodel directory.https://gitlab.nic.cz/knot/knot-resolver/-/issues/694docs: generating documentation from configuration datamodel2022-02-19T10:40:59+01:00Aleš Mrázekdocs: generating documentation from configuration datamodelLightweight documentation of every declarative configuration option should be generated automatically from our configuration schema. If something is changed in the configuration model, it will be automatically reflected in the documentat...Lightweight documentation of every declarative configuration option should be generated automatically from our configuration schema. If something is changed in the configuration model, it will be automatically reflected in the documentation.
It includes:
- structure defined by `SchemaNode` subclasses
- configuration options/fields names, types and default values
- docstrings of `SchemaNode` subclassesVaclav SraierVaclav Sraierhttps://gitlab.nic.cz/knot/knot-resolver/-/issues/693At some random time cache starts returning NXDOMAIN for valid addresses2022-01-09T11:41:32+01:00Jayson ReisAt some random time cache starts returning NXDOMAIN for valid addressesHi there, first, thank you for this project, it is really amazing.
I am with sort of bug which I cannot understand from the trace what is actually happening, I have a stub with suffix which resolves `cluster.local` on the IP `10.43.0.10...Hi there, first, thank you for this project, it is really amazing.
I am with sort of bug which I cannot understand from the trace what is actually happening, I have a stub with suffix which resolves `cluster.local` on the IP `10.43.0.10` which always resolve with dig on that IP:
```
dig transmission-server-2.transmission-server-statefulset.default.svc.cluster.local @10.43.0.10
; <<>> DiG 9.16.1-Ubuntu <<>> transmission-server-2.transmission-server-statefulset.default.svc.cluster.local @10.43.0.10
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22425
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: bc00b8ee2c0fb66e (echoed)
;; QUESTION SECTION:
;transmission-server-2.transmission-server-statefulset.default.svc.cluster.local. IN A
;; ANSWER SECTION:
transmission-server-2.transmission-server-statefulset.default.svc.cluster.local. 5 IN A 10.42.0.109
;; Query time: 51 msec
;; SERVER: 10.43.0.10#53(10.43.0.10)
;; WHEN: Wed Jan 05 10:39:01 UTC 2022
;; MSG SIZE rcvd: 215
```
but then, with kresd it never gets resolved
```
curl localhost:8053/trace/transmission-server-2.transmission-server-statefulset.default.svc.cluster.local
[iterat][66025.00] 'transmission-server-2.transmission-server-statefulset.default.svc.cluster.local.' type 'A' new uid was assigned .01, parent uid .00 [0/895][cache ][66025.01] => skipping exact packet: rank 021 (min. 020), new TTL -561
[cache ][66025.01] => trying zone: ., NSEC, hash 0
[cache ][66025.01] => NSEC sname: covered by: loans. -> locker., new TTL 85824
[cache ][66025.01] => NSEC wildcard: covered by: . -> aaa., new TTL 85824
[iterat][66025.01] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 8040
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
transmission-server-2.transmission-server-statefulset.default.svc.cluster.local. A
;; AUTHORITY SECTION
. 85714 SOA a.root-servers.net. nstld.verisign-grs.com. 2022010500 1800 900 604800 86400
. 85714 RRSIG SOA 8 0 86400 1642482000 1641355200 9799 . PBUfopj8CcHa5BSiFMPrxYmE4RXh0ychS2itywyQh53uDIt1SbekqCWWtCgzUCfPzX+EMa0fKIfGdFMdgICOrZjfWpvBb4jzPrxxtLtJIaaEL20iRLl0Q4Oh/sC7FVHnXgxNNvQBRLjTwjNcrVgwCWdOmS9DOJxqb4OAYI4EZbcqD1rWjjy0tqfeqrQyzsquVNJYxUDMxfAOx4Ki2hyxVig/SZUi2IvpI50oyceLpvr7qerqKYUipoAtnxWWPA+Ko4cKjXr8IpzdcENmToiEZmTVKilCbcfi/JLAO9M/CKu9Mt4UGJlsByGKB2ne2N5+IxQmKQR3HAaXknQk09YUUw==
loans. 85824 NSEC locker. NS DS RRSIG NSEC
loans. 85824 RRSIG NSEC 8 1 86400 1642482000 1641355200 9799 . e7fCMBhzNi5oqQ2qR0x91JOHisj/v+k+ekwEPNvtnhpqpA15kd6x+ZcNol5tewW9NKQv/hOidyWSGDB0X75fLjSvBah4+KWrzUMLt3X7XxXqwzoCOzgfGqcwI/pY5OlCCmnidrpALAv62QGiziMSiPwIvUwJwJ2ZjAtKramFyYTp+GJIf1TyLCyaQH7e7ATrn6ChIpWY3v6zGWuSVODiuYBvCtBdVB+ydddVAdYvAtPylaQ/tLBYyQYsX8P2s1GpSDo+WwFHJE0s8mpqDROz5/Q1taRCr+K98xt173iApdt/qfp2wSM4MY/Mnrw0ksFbUfo4Am+YAf9+8EST7/glfA==
. 85824 NSEC aaa. NS SOA RRSIG NSEC DNSKEY
. 85824 RRSIG NSEC 8 0 86400 1642482000 1641355200 9799 . OLjHvokrSTOIELcevP7HxUx9G+OIz1V8vUE5JnlXJHHrKxq68IsBmM07A7GzQlHADHp/cpcvsbkrxLTB5+t6E3wfMvxDPvdJkTtMSBFJjszhX+VEgNlGJYiv5RuhDVeVltZe8O2/5oMCfSQyl+CUtexmW4lWBlSzHN4Nlnuuu3N1+fTle/rrtb0/JZTA54guI359tPaFgwZn5F4WoOo723Ge4AH6O6pJdl9EZNUAeqGqRIBLFoSNBgkJ4Luo3dYe9oWtSb+/1JVvXUnq2wxE7octNja9TnupYxutGKjod6QrNMelt2PVxpfkG198GbrQkOv3Jaqlp0vChJVEPdGbMw==
[resolv][66025.01] AD: request NOT classified as SECURE
[resolv][66025.01] finished in state: 4, queries: 1, mempool: 163952 B
;; selected from AUTHORITY sections:
; ranked rrset to_wire true, rank 060 (secure auth), cached false, qry_uid 1, revalidations 0
. 85714 SOA a.root-servers.net. nstld.verisign-grs.com. 2022010500 1800 900 604800 86400
; ranked rrset to_wire true, rank 021 (omit auth), cached false, qry_uid 1, revalidations 0
. 85714 RRSIG SOA 8 0 86400 1642482000 1641355200 9799 . PBUfopj8CcHa5BSiFMPrxYmE4RXh0ychS2itywyQh53uDIt1SbekqCWWtCgzUCfPzX+EMa0fKIfGdFMdgICOrZjfWpvBb4jzPrxxtLtJIaaEL20iRLl0Q4Oh/sC7FVHnXgxNNvQBRLjTwjNcrVgwCWdOmS9DOJxqb4OAYI4EZbcqD1rWjjy0tqfeqrQyzsquVNJYxUDMxfAOx4Ki2hyxVig/SZUi2IvpI50oyceLpvr7qerqKYUipoAtnxWWPA+Ko4cKjXr8IpzdcENmToiEZmTVKilCbcfi/JLAO9M/CKu9Mt4UGJlsByGKB2ne2N5+IxQmKQR3HAaXknQk09YUUw==
; ranked rrset to_wire true, rank 060 (secure auth), cached false, qry_uid 1, revalidations 0
loans. 85824 NSEC locker. NS DS RRSIG NSEC
; ranked rrset to_wire true, rank 021 (omit auth), cached false, qry_uid 1, revalidations 0
loans. 85824 RRSIG NSEC 8 1 86400 1642482000 1641355200 9799 . e7fCMBhzNi5oqQ2qR0x91JOHisj/v+k+ekwEPNvtnhpqpA15kd6x+ZcNol5tewW9NKQv/hOidyWSGDB0X75fLjSvBah4+KWrzUMLt3X7XxXqwzoCOzgfGqcwI/pY5OlCCmnidrpALAv62QGiziMSiPwIvUwJwJ2ZjAtKramFyYTp+GJIf1TyLCyaQH7e7ATrn6ChIpWY3v6zGWuSVODiuYBvCtBdVB+ydddVAdYvAtPylaQ/tLBYyQYsX8P2s1GpSDo+WwFHJE0s8mpqDROz5/Q1taRCr+K98xt173iApdt/qfp2wSM4MY/Mnrw0ksFbUfo4Am+YAf9+8EST7/glfA==
; ranked rrset to_wire true, rank 060 (secure auth), cached false, qry_uid 1, revalidations 0
. 85824 NSEC aaa. NS SOA RRSIG NSEC DNSKEY
; ranked rrset to_wire true, rank 021 (omit auth), cached false, qry_uid 1, revalidations 0
. 85824 RRSIG NSEC 8 0 86400 1642482000 1641355200 9799 . OLjHvokrSTOIELcevP7HxUx9G+OIz1V8vUE5JnlXJHHrKxq68IsBmM07A7GzQlHADHp/cpcvsbkrxLTB5+t6E3wfMvxDPvdJkTtMSBFJjszhX+VEgNlGJYiv5RuhDVeVltZe8O2/5oMCfSQyl+CUtexmW4lWBlSzHN4Nlnuuu3N1+fTle/rrtb0/JZTA54guI359tPaFgwZn5F4WoOo723Ge4AH6O6pJdl9EZNUAeqGqRIBLFoSNBgkJ4Luo3dYe9oWtSb+/1JVvXUnq2wxE7octNja9TnupYxutGKjod6QrNMelt2PVxpfkG198GbrQkOv3Jaqlp0vChJVEPdGbMw==
```
unless I clear the whole cache with this:
```
echo 'cache.clear(".")' | sudo nc -U /run/knot-resolver/control/0 -N
> {
['count'] = 504,
}
```
then it starts resolving again
```
curl localhost:8053/trace/transmission-server-2.transmission-server-statefulset.default.svc.cluster.local
[iterat][65580.00] 'transmission-server-2.transmission-server-statefulset.default.svc.cluster.local.' type 'A' new uid was assigned .01, parent uid .00
[resolv][65580.01] => id: '43911' querying: '.'@'10.43.0.10#00053' zone cut: '.' qname: 'TranSMissIon-SERVeR-2.tRAnSmIsSIOn-sERver-staTEFUlSet.dEFaUlT.SVC.clUSter.locAL.' qtype: 'A' proto: 'udp'
[select][65580.01] => id: '43911' updating: '.'@'10.43.0.10#00053' zone cut: '.' with rtt 24 to srtt: 24 and variance: 12
[iterat][65580.01] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 43911
;; Flags: qr aa rd QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
transmission-server-2.transmission-server-statefulset.default.svc.cluster.local. A
;; ANSWER SECTION
transmission-server-2.transmission-server-statefulset.default.svc.cluster.local. 5 A 10.42.0.109
;; ADDITIONAL SECTION
[cache ][65580.01] => stashed packet: rank 021, TTL 5, A transmission-server-2.transmission-server-statefulset.default.svc.cluster.local. (215 B)
[resolv][65580.01] AD: request NOT classified as SECURE
[resolv][65580.01] finished in state: 4, queries: 1, mempool: 180352 B
;; selected from ANSWER sections:
; ranked rrset to_wire true, rank 021 (omit auth), cached false, qry_uid 1, revalidations 0
transmission-server-2.transmission-server-statefulset.default.svc.cluster.local. 5 A 10.42.0.109
```
Funny thing is that it only works if I clear the whole cache, `cluster.local` or `local` never do the trick.
My configuration is the following:
```lua
-- Network interface configuration
net.listen('192.168.1.21', 53, { kind = 'dns' })
net.listen('192.168.1.22', 53, { kind = 'dns' })
net.listen('127.0.0.1', 53, { kind = 'dns' })
net.listen('127.0.0.1', 853, { kind = 'tls' })
net.listen('::1', 53, { kind = 'dns', freebind = true })
net.listen('::1', 853, { kind = 'tls', freebind = true })
--net.listen('::1', 443, { kind = 'doh2' })
net.listen('127.0.0.1', 8053, { kind = 'webmgmt' })
-- Load useful modules
modules = {
'hints > iterate', -- Load /etc/hosts and allow custom root hints
'stats', -- Track internal statistics
'predict', -- Prefetch expiring/frequent records
'serve_stale < cache',
http = {
host = 'localhost',
port = 8053,
--geoip = '/usr/share/GeoIP/GeoIP.dat',
}
}
-- Cache size
cache.size = 100 * MB
policy.add(policy.suffix(policy.STUB('10.43.0.10'), {todname('cluster.local')}))
--policy.add(policy.pattern(policy.DEBUG_ALWAYS, '.*?cluster'))
policy.add(policy.all(policy.TLS_FORWARD({
{'1.1.1.1', hostname='cloudflare-dns.com'},
})))
```
Versions:
Ubuntu 20.04.3
```
cat /etc/apt/sources.list.d/knot-resolver-latest.list
deb http://download.opensuse.org/repositories/home:/CZ-NIC:/knot-resolver-latest/xUbuntu_20.04/ /
ii knot-resolver 5.4.3-cznic.1 amd64 caching, DNSSEC-validating DNS resolver
ii knot-resolver-module-http 5.4.3-cznic.1 all HTTP module for Knot Resolver
ii knot-resolver-release 1.9-1 all Knot Resolver official upstream repositories
```https://gitlab.nic.cz/knot/knot-resolver/-/issues/692Release schedule of Knot resolver and recent AWS issue2022-01-05T15:16:03+01:00Ondřej BenkovskýRelease schedule of Knot resolver and recent AWS issueHello,
I have not found this information anywhere, but how often is the Knot Resolver released? We are heavily hitting the issue https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1237 on production, which was recently fixed in ...Hello,
I have not found this information anywhere, but how often is the Knot Resolver released? We are heavily hitting the issue https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1237 on production, which was recently fixed in the master. Would it be possible to push forward the release schedule?
Thanks!https://gitlab.nic.cz/knot/knot-resolver/-/issues/690CNAME chain not being followed while resolving ap-southeast-1.console.aws.ama...2021-12-21T11:55:58+01:00Ondřej BenkovskýCNAME chain not being followed while resolving ap-southeast-1.console.aws.amazon.com.Hello, we are currently running instance of Knot Resolver with these settings [config](/uploads/8fd91f71d1bbcfbd96842c8b771a1e0d/config)
and we were alerted that when we are resolving `ap-southeast-1.console.aws.amazon.com.` domain thr...Hello, we are currently running instance of Knot Resolver with these settings [config](/uploads/8fd91f71d1bbcfbd96842c8b771a1e0d/config)
and we were alerted that when we are resolving `ap-southeast-1.console.aws.amazon.com.` domain through the instance of Knot Resolver (100.64.0.104 is the address of our instance of Knot Resolver), we receive this answer with no answer section
```
dig @100.64.0.104 ap-southeast-1.console.aws.amazon.com.
; <<>> DiG 9.16.20 <<>> @100.64.0.104 ap-southeast-1.console.aws.amazon.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27863
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ap-southeast-1.console.aws.amazon.com. IN A
;; Query time: 220 msec
;; SERVER: 100.64.0.104#53(100.64.0.104)
;; WHEN: Mon Dec 20 09:20:43 UTC 2021
;; MSG SIZE rcvd: 66
```
on the other hand, when we resolve the same domain using GoogleDNS(8.8.8.8), we get this proper answer
```
dig @8.8.8.8 ap-southeast-1.console.aws.amazon.com.
; <<>> DiG 9.16.20 <<>> @8.8.8.8 ap-southeast-1.console.aws.amazon.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1185
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ap-southeast-1.console.aws.amazon.com. IN A
;; ANSWER SECTION:
ap-southeast-1.console.aws.amazon.com. 28 IN CNAME gr.console-geo.ap-southeast-1.amazonaws.com.
gr.console-geo.ap-southeast-1.amazonaws.com. 60 IN CNAME a299197c08ba4f000.awsglobalaccelerator.com.
a299197c08ba4f000.awsglobalaccelerator.com. 9 IN A 3.3.14.1
a299197c08ba4f000.awsglobalaccelerator.com. 9 IN A 3.3.15.1
;; Query time: 16 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Dec 20 11:11:35 UTC 2021
;; MSG SIZE rcvd: 205
```
**the logs from the Knot Resolver for problematic resolution looks like this** [logs.log](/uploads/ab755a2cc002c36ac86374f1dfb529aa/logs.log)
**Do you see where is the problem? Could you assist me?** It seems that we are hitting this issue only for some subdomains of console.aws.amazon.com. For example us-east-1.console.aws.com resolves through the instance of Knot Resolver with no problems