# Knot Resolver issues

Issue feed: https://gitlab.nic.cz/knot/knot-resolver/-/issues (updated 2021-12-22T11:04:19+01:00)

## policy RPZ/action logging

https://gitlab.nic.cz/knot/knot-resolver/-/issues/689, updated 2021-12-22T11:04:19+01:00, by Jon Polom

Is there a list of available [log groups](https://knot-resolver.readthedocs.io/en/stable/config-logging-monitoring.html?highlight=logging#log_level)?

## DNSSEC validation not occurring

https://gitlab.nic.cz/knot/knot-resolver/-/issues/688, updated 2021-12-07T18:00:43+01:00, by Jon Polom

Knot Resolver does not seem to be validating DNSSEC in my test configuration. Perhaps this is actually expected behavior, but it is different from what I observe with other validating DNS servers (1.1.1.1, local unbound instances, resolved).
I am running Knot Resolver version 5.4.2 on Fedora 35 using the distribution provided packages and distribution provided configuration. At the moment this is a single daemon local resolver for testing, in a virtual machine. The server is being queried over the loopback interface. The default configuration will be posted at the end.
Here are some test cases that suggest something is not right:
### `drill -D sigfail.verteiltesysteme.net @127.0.0.1`
```
[vagrant@fedora knot-resolver]$ drill -D sigfail.verteiltesysteme.net @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 17339
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; sigfail.verteiltesysteme.net. IN A
;; ANSWER SECTION:
sigfail.verteiltesysteme.net. 60 IN A 134.91.78.139
sigfail.verteiltesysteme.net. 60 IN RRSIG A 5 3 60 20220301030001 20211130030001 30665 verteiltesysteme.net. //This+RRSIG+is+deliberately+broken///For+more+information+please+go+to/http+//www+verteiltesysteme+net///////////////////////////////////////////////////////////////////8=
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 140 msec
;; EDNS: version 0; flags: do ; udp: 1232
;; SERVER: 127.0.0.1
;; WHEN: Tue Dec 7 01:12:33 2021
;; MSG SIZE rcvd: 253
```
### Trace for sigfail.verteiltesysteme.net
```
[vagrant@fedora knot-resolver]$ drill -DT sigfail.verteiltesysteme.net @127.0.0.1
;; Number of trusted keys: 1
;; Domain: .
[T] . 172800 IN DNSKEY 256 3 8 ;{id = 14748 (zsk), size = 2048b}
. 172800 IN DNSKEY 257 3 8 ;{id = 20326 (ksk), size = 2048b}
Checking if signing key is trusted:
New key: . 172800 IN DNSKEY 256 3 8 AwEAAY+oUaY0b7Z45vRD1ef/GykZqgHJtfdzRcnQNvGVQAqlH22QChtG+n1EMugw7T/6uDBAGlRIkXASdtHXhxStb9lPpyQe5/JIuMIlg+NhxKxEJ5e3J9SSPCavvDhH/BPrBCJwn8b68QAWRjVW6Rgdx63pUm7lfsimiWGMfplHNvcZWgVbKA9OI2o2lU8rT8n7zuwtlZPNpDLSI5GzrJgIiKR2Id16fmAgTJBOw14Xye/t4/BxTdxeMiiVFwA4KUV2VeqspHKSHFOz+lUIIqBRknEmYpSvnxnyi0n1n4tGnGP8z6ZwRACi1Rw0nCu7BGOU9M6LpInRoW/W4KXLODr6xqU= ;{id = 14748 (zsk), size = 2048b}
Trusted key: . 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
Trusted key: . 172800 IN DNSKEY 256 3 8 AwEAAY+oUaY0b7Z45vRD1ef/GykZqgHJtfdzRcnQNvGVQAqlH22QChtG+n1EMugw7T/6uDBAGlRIkXASdtHXhxStb9lPpyQe5/JIuMIlg+NhxKxEJ5e3J9SSPCavvDhH/BPrBCJwn8b68QAWRjVW6Rgdx63pUm7lfsimiWGMfplHNvcZWgVbKA9OI2o2lU8rT8n7zuwtlZPNpDLSI5GzrJgIiKR2Id16fmAgTJBOw14Xye/t4/BxTdxeMiiVFwA4KUV2VeqspHKSHFOz+lUIIqBRknEmYpSvnxnyi0n1n4tGnGP8z6ZwRACi1Rw0nCu7BGOU9M6LpInRoW/W4KXLODr6xqU= ;{id = 14748 (zsk), size = 2048b}
Key is now trusted!
Trusted key: . 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
[T] net. 86400 IN DS 35886 8 2 7862b27f5f516ebe19680444d4ce5e762981931842c465f00236401d8bd973ee
;; Domain: net.
[T] net. 86400 IN DNSKEY 257 3 8 ;{id = 35886 (ksk), size = 2048b}
net. 86400 IN DNSKEY 256 3 8 ;{id = 40649 (zsk), size = 1280b}
Checking if signing key is trusted:
New key: net. 86400 IN DNSKEY 256 3 8 AQPc+XHppSgsIokAod79sL0jKA4sBuePSLrBBrcQCAJJSpxto7hsQWGUtmk0sFKAoVMrBto4lVpTBvHuDiaE+S98ptvBw7d5llp9dd9bZvX3Z47U+KVEE3zmPT887w+WZ05PDzib7hy+QMg/uug/F+lJTIr+dGXCGvLyuWtvmWqV+hH0BL40DY2Wy4KE04NgfwWU3B5QqjFaVc9TK3R8BHl1 ;{id = 40649 (zsk), size = 1280b}
Trusted key: . 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
Trusted key: . 172800 IN DNSKEY 256 3 8 AwEAAY+oUaY0b7Z45vRD1ef/GykZqgHJtfdzRcnQNvGVQAqlH22QChtG+n1EMugw7T/6uDBAGlRIkXASdtHXhxStb9lPpyQe5/JIuMIlg+NhxKxEJ5e3J9SSPCavvDhH/BPrBCJwn8b68QAWRjVW6Rgdx63pUm7lfsimiWGMfplHNvcZWgVbKA9OI2o2lU8rT8n7zuwtlZPNpDLSI5GzrJgIiKR2Id16fmAgTJBOw14Xye/t4/BxTdxeMiiVFwA4KUV2VeqspHKSHFOz+lUIIqBRknEmYpSvnxnyi0n1n4tGnGP8z6ZwRACi1Rw0nCu7BGOU9M6LpInRoW/W4KXLODr6xqU= ;{id = 14748 (zsk), size = 2048b}
Trusted key: . 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
Trusted key: net. 86400 IN DNSKEY 257 3 8 AQOYBnzqWXIEj6mlgXg4LWC0HP2n8eK8XqgHlmJ/69iuIHsa1TrHDG6TcOra/pyeGKwH0nKZhTmXSuUFGh9BCNiwVDuyyb6OBGy2Nte9Kr8NwWg4q+zhSoOf4D+gC9dEzg0yFdwT0DKEvmNPt0K4jbQDS4Yimb+uPKuF6yieWWrPYYCrv8C9KC8JMze2uT6NuWBfsl2fDUoV4l65qMww06D7n+p7RbdwWkAZ0fA63mXVXBZF6kpDtsYD7SUB9jhhfLQE/r85bvg3FaSs5Wi2BaqN06SzGWI1DHu7axthIOeHwg00zxlhTpoYCH0ldoQz+S65zWYi/fRJiyLSBb6JZOvn ;{id = 35886 (ksk), size = 2048b}
Trusted key: net. 86400 IN DNSKEY 256 3 8 AQPc+XHppSgsIokAod79sL0jKA4sBuePSLrBBrcQCAJJSpxto7hsQWGUtmk0sFKAoVMrBto4lVpTBvHuDiaE+S98ptvBw7d5llp9dd9bZvX3Z47U+KVEE3zmPT887w+WZ05PDzib7hy+QMg/uug/F+lJTIr+dGXCGvLyuWtvmWqV+hH0BL40DY2Wy4KE04NgfwWU3B5QqjFaVc9TK3R8BHl1 ;{id = 40649 (zsk), size = 1280b}
Key is now trusted!
[T] verteiltesysteme.net. 86400 IN DS 61908 5 1 3497d121f4c91369e95dc73d8032e688e1abb1fe
verteiltesysteme.net. 86400 IN DS 61908 5 2 2f87866a60c3603f447658ac3ea72baec053b7f9f85fa4b531aabe88b06f5aee
;; Domain: verteiltesysteme.net.
[T] verteiltesysteme.net. 3600 IN DNSKEY 257 3 5 ;{id = 61908 (ksk), size = 1024b}
verteiltesysteme.net. 3600 IN DNSKEY 256 3 5 ;{id = 30665 (zsk), size = 1024b}
[T] Existence denied: sigfail.verteiltesysteme.net. DS
;; No ds record for delegation
;; Domain: sigfail.verteiltesysteme.net.
;; No DNSKEY record found for sigfail.verteiltesysteme.net.
[B] sigfail.verteiltesysteme.net. 60 IN A 134.91.78.139
;; Error: Bogus DNSSEC signature
;;[S] self sig OK; [B] bogus; [T] trusted
```
### `drill -D sigfail.verteiltesysteme.net @1.1.1.1`
```
[vagrant@fedora knot-resolver]$ drill -D sigfail.verteiltesysteme.net @1.1.1.1
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 15928
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; sigfail.verteiltesysteme.net. IN A
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 347 msec
;; EDNS: version 0; flags: do ; udp: 1232
;; Data: \# 12 000f00020006000f00020016
;; SERVER: 1.1.1.1
;; WHEN: Tue Dec 7 01:16:55 2021
;; MSG SIZE rcvd: 69
```
As you can see the answers section is empty and the response is a SERVFAIL when querying 1.1.1.1 for this domain with deliberately broken DNSSEC records. I obtain the same results from running a local unbound recursive server and from other public validating DNS servers.
It seems like DNSSEC validation isn't occurring and Knot is going on to return unvalidated data in its response. It's clear from the trace that this domain does not have valid DNSSEC data associated with it. My expectation is that unless I were to disable DNSSEC in knot that it would not return a result for such a domain.
Perhaps there are some configuration items that need to be changed here? I've read the Knot Resolver documentation on DNSSEC validation and it suggests that it is enabled by default and shouldn't require any configuration. I have checked and it appears the trust anchor is loaded so I don't believe that is the issue.
### Tested configuration
```
[vagrant@fedora knot-resolver]$ cat /etc/knot-resolver/kresd.conf
-- SPDX-License-Identifier: CC0-1.0
-- vim:syntax=lua:set ts=4 sw=4:
-- Refer to manual: https://knot-resolver.readthedocs.org/en/stable/
-- Network interface configuration
net.listen('127.0.0.1', 53, { kind = 'dns' })
net.listen('127.0.0.1', 853, { kind = 'tls' })
--net.listen('127.0.0.1', 443, { kind = 'doh2' })
net.listen('::1', 53, { kind = 'dns', freebind = true })
net.listen('::1', 853, { kind = 'tls', freebind = true })
--net.listen('::1', 443, { kind = 'doh2' })
-- Load useful modules
modules = {
'hints < iterate', -- Load /etc/hosts and allow custom root hints
'stats', -- Track internal statistics
'predict', -- Prefetch expiring/frequent records
}
net.ipv6 = false
-- Cache size
cache.size = 100 * MB
```
Overall I am super impressed with Knot Resolver from a technical perspective. It seems to be incredibly customizable and configurable using a standard language. It's entirely possible I am not understanding what the proper behavior is here, but I feel like I should open an issue in case this is in fact a real problem.
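A self-test an operator can run from inside kresd to confirm that the validator fails closed, added here as an example and not part of the report above: it prints the configured trust anchors, then resolves the deliberately broken name through kresd's own `resolve()` API with the cache bypassed, and logs whether the result is the SERVFAIL a validating resolver must return. `sigok.verteiltesysteme.net` is assumed to be the correctly signed sibling of the name in the report (it is not mentioned there), and the control-socket path in the comment is assumed to be the Fedora default.

```lua
-- Added example, not from the issue. Run from kresd's control console, e.g.
--   socat - UNIX-CONNECT:/run/knot-resolver/control/1   (path is an assumption)
-- or paste temporarily into kresd.conf for a one-shot self-test at startup.

-- 1. Confirm the validator actually has a root trust anchor loaded.
print(trust_anchors.summary())

-- 2. Resolve a name through kresd's own resolver, bypassing the cache so a
--    previously cached unvalidated answer cannot mask the result, and compare
--    the RCODE with what a validating resolver must produce.
local function expect(name, want_rcode)
	resolve(name, kres.type.A, kres.class.IN, 'NO_CACHE', function (pkt)
		local got = pkt:rcode()
		local status = (got == want_rcode) and 'OK' or 'UNEXPECTED'
		log('[dnssec-selftest] %s: rcode %d (wanted %d) AD=%s -> %s',
		    name, got, want_rcode, tostring(pkt:ad()), status)
	end)
end

-- Deliberately broken signature (the name from the report): must fail closed.
expect('sigfail.verteiltesysteme.net', kres.rcode.SERVFAIL)
-- Assumed correctly signed sibling: must succeed, and AD should be true.
expect('sigok.verteiltesysteme.net', kres.rcode.NOERROR)
```

Look for the `[dnssec-selftest]` lines in the journal. If the bogus name comes back NOERROR with address data, the answer was not validated, whatever the trust anchor summary says. The `bogus_log` module, which appears in the configuration posted in issue 666 below, records names whose validation failed and is the lighter-weight way to watch this in production.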
## CNAME forward lookup failing

https://gitlab.nic.cz/knot/knot-resolver/-/issues/682, updated 2021-10-25T15:26:50+02:00, by Ghost User

Hello there,

I am not sure if this is a bug or not, but I am starting to be clueless. I am using a high availability Pi-hole + kresd combination for external lookups to have an ad-free network.

So far it works perfectly without much user intervention, but today I stumbled into a strange behaviour of Knot Resolver, as it seems not to follow all CNAMEs of a domain.
Lookup via Pi-hole + kresd always gives me the following result:
```
dig go.zextras.com @192.168.20.105
; <<>> DiG 9.16.1-Ubuntu <<>> go.zextras.com @192.168.20.105
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59509
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;go.zextras.com. IN A
;; ANSWER SECTION:
go.zextras.com. 39957 IN CNAME go.pardot.com.
go.pardot.com. 2859 IN CNAME pi.pardot.com.
pi.pardot.com. 523 IN A 127.0.0.1
;; Query time: 10 msec
;; SERVER: 192.168.20.105#53(192.168.20.105)
;; WHEN: Mon Oct 25 12:02:20 CEST 2021
;; MSG SIZE rcvd: 100
```
The correct answer should be:
```
dig go.zextras.com @9.9.9.9
; <<>> DiG 9.16.1-Ubuntu <<>> go.zextras.com @9.9.9.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1953
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;go.zextras.com. IN A
;; ANSWER SECTION:
go.zextras.com. 43200 IN CNAME go.pardot.com.
go.pardot.com. 3602 IN CNAME pi.pardot.com.
pi.pardot.com. 300 IN CNAME pi-ue1.pardot.com.
pi-ue1.pardot.com. 900 IN CNAME pi.t.pardot.com.
pi.t.pardot.com. 30 IN CNAME pi-ue1-lba2.pardot.com.
pi-ue1-lba2.pardot.com. 36 IN A 52.21.178.134
;; Query time: 260 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Mon Oct 25 12:03:28 CEST 2021
;; MSG SIZE rcvd: 166
```
To be totally sure I have also queried all of the DNS servers I have set up within kresd.conf. Every one of them gives me the right answer.
As mentioned: I am not sure if this is a Knot Resolver bug or if there is some kind of config parameter (e.g. follow only x CNAMEs, else return 127.0.0.1).
My current configuration of KRESD would be:
```
-- Default empty Knot DNS Resolver configuration in -*- lua -*-
-- Switch to unprivileged user --
user('knot-resolver','knot-resolver')
-- Unprivileged
-- cache.size = 100*MB
net.listen('127.0.0.1', 5555)
net.listen('192.168.20.105', 5555)
modules = {
'policy',
'view',
'hints',
'serve_stale < cache',
'workarounds < iterate',
'stats',
'predict'
}
--Accept all requests from these subnets
view:addr('127.0.0.1/8', function (req, qry) return policy.PASS end)
view:addr('192.168.10.0/24', function (req, qry) return policy.PASS end)
view:addr('192.168.20.0/24', function (req, qry) return policy.PASS end)
view:addr('192.168.101.0/24', function (req, qry) return policy.PASS end)
-- Drop everything that hasn't matched
view:addr('0.0.0.0/0', function (req, qry) return policy.DROP end)
policy.add(policy.all(policy.TLS_FORWARD({
-- {'80.241.218.68', hostname='fdns1.dismail.de'},
-- {'159.69.114.157', hostname='fdns2.dismail.de'},
-- {'89.233.43.71', hostname='unicast.censurfridns.dk'},
-- {'91.239.100.100', hostname='anycast.censurfridns.dk'},
{'46.182.19.48', hostname='dns2.digitalcourage.de'},
{'176.9.93.198', hostname='dnsforge.de'},
})))
predict.config({ window = 20, period = 72 })
```

## Progressively failing DoT to Quad9 servers

https://gitlab.nic.cz/knot/knot-resolver/-/issues/680, updated 2021-10-22T11:34:44+02:00, by savchenko

I am seeing a progressively increasing number of endpoints failing with:

```
[tls_client] failed to verify peer certificate: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded.
```
All nodes are running Debian 11.1 and are fully updated including `ca-certificates` and subsequent `update-ca-certificates --fresh`.
Interestingly, I can't reproduce it universally; only select hosts appear to be affected. I do see a gradual increase in the number of failing nodes.
All targets are provisioned with the same Ansible playbook. Switching policy to regular DNS-over-UDP "solves" the issue.
Example of the policy that fails:
```lua
-- DNS-over-TLS
policy.add(policy.all(policy.TLS_FORWARD({
{'9.9.9.9', hostname='dns.quad9.net'},
{'149.112.112.112', hostname='dns.quad9.net'}
})))
```
Example of the working policy:
```lua
-- DNS-over-UDP
policy.add(policy.all(policy.FORWARD({'9.9.9.9', '149.112.112.112'})))
```
I would appreciate any suggestions as to what the root cause could be.
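The report above works around the verification failure by switching the policy to plaintext `policy.FORWARD`, which silently gives up both confidentiality and authentication of the upstream. The following is an added example (not the reporter's configuration and not a diagnosis of the failure) showing two ways to keep DNS-over-TLS while controlling exactly what is trusted: an explicit CA bundle instead of the default system store, or SPKI pinning. The bundle path is assumed to be Debian's `ca-certificates` bundle, and the pin values are placeholders, not Quad9's real keys.

```lua
-- Added example, not the reporter's policy.

-- (a) Name an explicit CA bundle rather than relying on the default system
--     store, so a stale or broken store on one host cannot change the
--     outcome. Path assumed: Debian's ca-certificates bundle.
policy.add(policy.all(policy.TLS_FORWARD({
	{'9.9.9.9',         hostname='dns.quad9.net', ca_file='/etc/ssl/certs/ca-certificates.crt'},
	{'149.112.112.112', hostname='dns.quad9.net', ca_file='/etc/ssl/certs/ca-certificates.crt'},
})))

-- (b) Alternatively, pin the upstream's SPKI hash and bypass the CA store
--     entirely. The values below are PLACEHOLDERS. Obtain the current pin from
--     the live certificate and confirm it out of band, e.g.:
--       openssl s_client -connect 9.9.9.9:853 -servername dns.quad9.net </dev/null 2>/dev/null \
--         | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der \
--         | openssl dgst -sha256 -binary | base64
--     Pins break when the operator rotates keys, so list a backup pin as well
--     and alert on tls_client verification failures instead of falling back
--     to plaintext. Only one of (a) or (b) should be active at a time.
-- policy.add(policy.all(policy.TLS_FORWARD({
-- 	{'9.9.9.9',         pin_sha256={'REPLACE_WITH_CURRENT_PIN', 'REPLACE_WITH_BACKUP_PIN'}},
-- 	{'149.112.112.112', pin_sha256={'REPLACE_WITH_CURRENT_PIN', 'REPLACE_WITH_BACKUP_PIN'}},
-- })))
```

Variant (a) keeps the hostname check and makes the trust store an explicit, auditable input that Ansible can ship alongside the policy; variant (b) removes the CA store from the decision completely, at the cost of having to track the upstream's key rotation.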
## listening sockets receive and send buffer size

https://gitlab.nic.cz/knot/knot-resolver/-/issues/678, updated 2021-10-20T09:19:28+02:00, by Hamza Kılıç

Please add configuration options for the socket receive/send buffer size.

## Erratic stats figures

https://gitlab.nic.cz/knot/knot-resolver/-/issues/677, updated 2021-11-22T18:05:11+01:00, by Ghost User

When using the http and stats modules, restarting the services doesn't fully zero out the counters, nor does it keep them at their current values, but instead resets them to what seems like a random lower value.
Rebooting the server does fully reset all counters.
This could be offset if the stats/http modules also listed the uptime of the device or at least the main thread.

## deb package for latest seems broken

https://gitlab.nic.cz/knot/knot-resolver/-/issues/676, updated 2021-10-16T14:01:02+02:00, by Richard Vencu

The terminal freezes at this command in Ubuntu 20.04:

```
wget https://secure.nic.cz/files/knot-resolver/knot-resolver-release.deb
--2021-10-15 15:46:40--  https://secure.nic.cz/files/knot-resolver/knot-resolver-release.deb
Resolving secure.nic.cz (secure.nic.cz)... 217.31.202.45, 2001:1488:ffff::45
Connecting to secure.nic.cz (secure.nic.cz)|217.31.202.45|:443... connected.
```

Manually inspecting the URL shows a 3.3K file there; it seems corrupted, since wget freezes.

## trust_anchors.set_insecure may miss some names

https://gitlab.nic.cz/knot/knot-resolver/-/issues/673, updated 2021-05-21T01:52:53+02:00, by Vladimír Čunát (vladimir.cunat@nic.cz)

If the same authoritative server IPs serve names both above and below the configured negative trust anchors, the downgrade to insecure may not happen in some cases.

Assignee: Vladimír Čunát (vladimir.cunat@nic.cz)

## "map() error while connecting to control socket" regression [5.2.0, 5.2.1, 5.3.0]

https://gitlab.nic.cz/knot/knot-resolver/-/issues/670, updated 2022-03-16T16:42:56+01:00, by Jonathan Coetzee

I've noticed this regression when using 5.2.0+ on my ARMv7 (32-bit) on Docker on Raspberry Pi OS. My logs will fill up with hundreds of the following entries:

```
map() error while connecting to control socket /srv/knot-resolver/data/control/9: socket:connect: Connection refused (ignoring this socket)
map() error while connecting to control socket /srv/knot-resolver/data/control/6: socket:connect: Connection refused (ignoring this socket)
map() error while connecting to control socket /srv/knot-resolver/data/control/9: socket:connect: Connection refused (ignoring this socket)
map() error while connecting to control socket /srv/knot-resolver/data/control/6: socket:connect: Connection refused (ignoring this socket)
map() error while connecting to control socket /srv/knot-resolver/data/control/9: socket:connect: Connection refused (ignoring this socket)
map() error while connecting to control socket /srv/knot-resolver/data/control/6: socket:connect: Connection refused (ignoring this socket)
```

These logs aren't present on 5.1.3. Please let me know what other information you need.

## Replace potentially zero-length VLAs in selection_iter.c with arrays from lib/generic

https://gitlab.nic.cz/knot/knot-resolver/-/issues/668, updated 2021-05-20T13:20:57+02:00, by Štěpán Balážik

Over the weekend I was playing with the undefined behavior sanitizer (i.e. compiling with `-fsanitize=undefined`) and ran Deckard with it.
While most of the errors point to `member access within misaligned address type '(const)? struct entry_h', which requires 4 byte alignment` in `lib/cache` (which are false positives I suppose, I don't understand the cache implementation enough), there is also this one:
`lib/selection_iter.c:243:16: runtime error: variable length array bound evaluates to non-positive value 0`
The code in question is in the `iter_choose_transport` function and prepares a VLA for flattening of a trie for easier manipulation.
```c
struct choice choices[trie_weight(local_state->addresses)];
/* We may try to resolve A and AAAA record for each name, so therefore
* 2*trie_weight(…) is here. */
struct to_resolve resolvable[2 * trie_weight(local_state->names)];
```
`trie_weight` however can be 0 which leads to undefined behavior.
Replacing these with arrays from `lib/generic` should be easy and would maybe even lead to nicer code since they include a length field which is needed later down the line.
Furthermore, coverage from Deckard probably isn't that great, so we may consider running more tests with `-fsanitize=undefined`.

Assignee: Štěpán Balážik

## After TCP connect succeeds, resolver gets stuck if the authoritative doesn't send a reply

https://gitlab.nic.cz/knot/knot-resolver/-/issues/667, updated 2021-11-08T13:40:26+01:00, by Štěpán Balážik

Currently resolution of `tipsport.cz A` triggers this sometimes, so let's use it as an example:

There are 8 authoritative servers for `tipsport.cz`:
```
$ dig @a.ns.nic.cz tipsport.cz NS
[…]
;; QUESTION SECTION:
;tipsport.cz. IN NS
;; AUTHORITY SECTION:
tipsport.cz. 3600 IN NS ns1.tipsport.cz.
tipsport.cz. 3600 IN NS ns2.tipsport.cz.
tipsport.cz. 3600 IN NS ns3.tipsport.cz.
tipsport.cz. 3600 IN NS ns4.tipsport.cz.
;; ADDITIONAL SECTION:
ns1.tipsport.cz. 3600 IN A 195.39.239.11
ns1.tipsport.cz. 3600 IN AAAA 2001:678:320:0:f5::1
ns2.tipsport.cz. 3600 IN A 195.39.239.12
ns2.tipsport.cz. 3600 IN AAAA 2001:678:320:0:f5::2
ns3.tipsport.cz. 3600 IN A 195.39.239.13
ns3.tipsport.cz. 3600 IN AAAA 2001:678:320:0:f5::3
ns4.tipsport.cz. 3600 IN A 195.39.239.14
ns4.tipsport.cz. 3600 IN AAAA 2001:678:320:0:f5::4
```
None of the IPv6 addresses will answer the query `tipsport.cz A`, but all of them will accept a TCP connection.
The reply to `tipsport.cz A` is too big, so the working servers will reply with TC=1.
So, if the resolver chooses one of the working servers first, gets a TC bit and then chooses to connect over TCP to one of the non-working ones, the request will starve and eventually be cancelled by a timer, and the resolver replies with a SERVFAIL.
```
[16708.11][iter] 'tipsport.cz.' type 'A' new uid was assigned .14, parent uid .00
[16708.14][slct] => id: '27900' choosing: 'ns4.tipsport.cz.'@'195.39.239.14#00053' with timeout 1600 ms zone cut: 'tipsport.cz.'
[16708.14][resl] => id: '27900' querying: 'ns4.tipsport.cz.'@'195.39.239.14#00053' zone cut: 'tipsport.cz.' qname: 'tIPSpOrt.cZ.' qtype: 'A' proto: 'udp'
[16708.14][slct] => id: '27900' updating: 'ns4.tipsport.cz.'@'195.39.239.14#00053' zone cut: 'tipsport.cz.' with rtt 14 to srtt: 14 and variance: 7
[16708.14][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 27900
;; Flags: qr aa tc QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION
tipsport.cz. A
;; ADDITIONAL SECTION
[16708.14][iter] <= truncated response, failover to TCP
[16708.14][slct] => id: '27900' noting selection error: 'ns4.tipsport.cz.'@'195.39.239.14#00053' zone cut: 'tipsport.cz.' error: 12 TRUNCATED
[16708.14][iter] 'tipsport.cz.' type 'A' new uid was assigned .15, parent uid .00
[16708.15][slct] => id: '23152' choosing: 'ns4.tipsport.cz.'@'2001:678:320:0:f5::4#00053' with timeout 1600 ms zone cut: 'tipsport.cz.'
[16708.15][resl] => id: '23152' querying: 'ns4.tipsport.cz.'@'2001:678:320:0:f5::4#00053' zone cut: 'tipsport.cz.' qname: 'TipsPoRt.cz.' qtype: 'A' proto: 'tcp'
[16708.15][wrkr] => connecting to: '2001:678:320:0:f5::4#00053'
[wrkr]=> connected to '2001:678:320:0:f5::4#00053'
… long wait here, the whole request will timeout …
[16708.13][resl] AD: request NOT classified as SECURE
[16708.15][resl] finished in state: 8, queries: 3, mempool: 49200 B
[16708.00][dbg ] answer packet:
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 16708
;; Flags: qr rd ra QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
tipsport.cz. A
;; ADDITIONAL SECTION
[io] => closing connection to '2001:678:320:0:f5::4#00053'
```

## kr_pkt_make_auth_header: Assertion `pkt && pkt->wire' failed

https://gitlab.nic.cz/knot/knot-resolver/-/issues/666, updated 2021-01-14T08:47:36+01:00, by Ghost User

Hi, I am using knot-resolver on Debian 9, and after upgrading to apt package version 5.2.1-1 I am not able to run the daemons because of this error:

```
Jan 14 07:32:57 dnsr-res2 kresd[19169]: kresd: ../lib/utils.c:320: kr_pkt_make_auth_header: Assertion `pkt && pkt->wire' failed.
```
My configuration file:
```
-- Config file example useable for multi-user ISP resolver
-- Refer to manual: https://knot-resolver.readthedocs.io/en/latest/daemon.html#configuration
-- Drop root privileges
user('knot-resolver', 'knot-resolver')
-- Set Internal hostname
hostname("xxxxxx")
net.listen('127.0.0.1', 53, { kind = 'dns' })
net.listen('109.202.xx.xx', 53, { kind = 'dns' })
net.listen('::1', 53, { kind = 'dns', freebind = true })
net.listen('2a06:x:x:x::x', 53, { kind = 'dns', freebind = true })
-- Auto-maintain root TA
--trust_anchors.file = 'root.keys'
-- Large cache size, so we don't need to flush often
-- This can be larger than available RAM, least frequently accessed
-- records will be paged out
cache.size = 500 * MB
-- Load Useful modules
modules = {
'hints > iterate',
'bogus_log',
'view',
'stats',
'predict',
graphite = {
prefix = 'xxx',
host = 'xxx',
tcp = false
}
}
view:addr('127.0.0.1', policy.all(policy.PASS))
view:addr('::1', policy.all(policy.PASS))
view:addr('10.0.0.0/8', policy.all(policy.PASS))
view:addr('172.20.0.0/21', policy.all(policy.PASS))
view:addr('172.29.0.0/16', policy.all(policy.PASS))
view:addr('172.30.15.42', policy.all(policy.PASS))
view:addr('192.168.0.0/16', policy.all(policy.PASS))
view:addr('100.64.0.0/10', policy.all(policy.PASS))
view:addr('0.0.0.0/0', policy.all(policy.DROP))
view:addr('::/0', policy.all(policy.DROP))
local rpz_hazard = require('rpz-hazard_xxxxx')
-- Apply RPZ for all clients
policy.add(policy.suffix(rpz_hazard.genRPZ_RR, {
kres.str2dname('1-x-bet.com.'),
kres.str2dname('1x-bet.com.'),
kres.str2dname('1x-02.com.'),
kres.str2dname('1xbet.com.'),
kres.str2dname('1xbet1.com.'),
kres.str2dname('1xbet10.com.'),
kres.str2dname('1xbet101.com.'),
kres.str2dname('1xbet102.com.'),
kres.str2dname('1xbet103.com.'),
kres.str2dname('1xbet104.com.'),
kres.str2dname('1xbet105.com.'),
kres.str2dname('1xbet106.com.'),
kres.str2dname('1xbet107.com.'),
kres.str2dname('1xbet108.com.'),
kres.str2dname('1xbet109.com.'),
kres.str2dname('1xbet11.com.'),
kres.str2dname('1xbet110.com.'),
kres.str2dname('1xbet12.com.'),
kres.str2dname('1xbet13.com.'),
kres.str2dname('1xbet14.com.'),
kres.str2dname('1xbet15.com.'),
kres.str2dname('1xbet16.com.'),
kres.str2dname('1xbet17.com.'),
kres.str2dname('1xbet18.com.'),
kres.str2dname('1xbet19.com.'),
kres.str2dname('1xbet2.com.'),
kres.str2dname('1xbet20.com.'),
kres.str2dname('1xbet21.com.'),
kres.str2dname('1xbet23.com.'),
kres.str2dname('1xbet24.com.'),
kres.str2dname('1xbet25.com.'),
kres.str2dname('1xbet26.com.'),
kres.str2dname('1xbet27.com.'),
kres.str2dname('1xbet28.com.'),
kres.str2dname('1xbet29.com.'),
kres.str2dname('1xbet3.com.'),
kres.str2dname('1xbet30.com.'),
kres.str2dname('1xbet31.com.'),
kres.str2dname('1xbet32.com.'),
kres.str2dname('1xbet34.com.'),
kres.str2dname('1xbet35.com.'),
kres.str2dname('1xbet36.com.'),
kres.str2dname('1xbet37.com.'),
kres.str2dname('1xbet38.com.'),
kres.str2dname('1xbet39.com.'),
kres.str2dname('1xbet4.com.'),
kres.str2dname('1xbet40.com.'),
kres.str2dname('1xbet41.com.'),
kres.str2dname('1xbet42.com.'),
kres.str2dname('1xbet43.com.'),
kres.str2dname('1xbet45.com.'),
kres.str2dname('1xbet46.com.'),
kres.str2dname('1xbet47.com.'),
kres.str2dname('1xbet48.com.'),
kres.str2dname('1xbet49.com.'),
kres.str2dname('1xbet5.com.'),
kres.str2dname('1xbet50.com.'),
kres.str2dname('1xbet51.com.'),
kres.str2dname('1xbet52.com.'),
kres.str2dname('1xbet53.com.'),
kres.str2dname('1xbet54.com.'),
kres.str2dname('1xbet6.com.'),
kres.str2dname('1xbet60.com.'),
kres.str2dname('1xbet61.com.'),
kres.str2dname('1xbet62.com.'),
kres.str2dname('1xbet63.com.'),
kres.str2dname('1xbet64.com.'),
kres.str2dname('1xbet65.com.'),
kres.str2dname('1xbet67.com.'),
kres.str2dname('1xbet68.com.'),
kres.str2dname('1xbet69.com.'),
kres.str2dname('1xbet7.com.'),
kres.str2dname('1xbet70.com.'),
kres.str2dname('1xbet71.com.'),
kres.str2dname('1xbet72.com.'),
kres.str2dname('1xbet73.com.'),
kres.str2dname('1xbet74.com.'),
kres.str2dname('1xbet75.com.'),
kres.str2dname('1xbet76.com.'),
kres.str2dname('1xbet78.com.'),
kres.str2dname('1xbet79.com.'),
kres.str2dname('1xbet8.com.'),
kres.str2dname('1xbet80.com.'),
kres.str2dname('1xbet82.com.'),
kres.str2dname('1xbet84.com.'),
kres.str2dname('1xbet86.com.'),
kres.str2dname('1xbet87.com.'),
kres.str2dname('1xbet9.com.'),
kres.str2dname('1xbet90.com.'),
kres.str2dname('1xbet91.com.'),
kres.str2dname('1xbet92.com.'),
kres.str2dname('1xbet94.com.'),
kres.str2dname('1xbet95.com.'),
kres.str2dname('1xbetbk6.com.'),
kres.str2dname('1xbetbk13.com.'),
kres.str2dname('1xbkbet-1.com.'),
kres.str2dname('1xhov.xyz.'),
kres.str2dname('1xiiv.xyz.'),
kres.str2dname('betworld.com.'),
kres.str2dname('bk-1x-bet.com.'),
kres.str2dname('bosscasino.eu.'),
kres.str2dname('eatsleepbet.com.'),
kres.str2dname('sportingbull.com.'),
kres.str2dname('thelotter.com.'),
kres.str2dname('webmoneycasino.com.'),
kres.str2dname('xbet-1.com.'),
kres.str2dname('betworld1.com.'),
kres.str2dname('betworld2.com.'),
kres.str2dname('betworld3.com.'),
kres.str2dname('betworld4.com.'),
kres.str2dname('betworld5.com.'),
kres.str2dname('betworld6.com.'),
kres.str2dname('betworld7.com.'),
kres.str2dname('betworld8.com.'),
kres.str2dname('betworld9.com.'),
kres.str2dname('betworld10.com.'),
kres.str2dname('cz.sportingbull174.com.'),
kres.str2dname('agentlotto3.ru.'),
kres.str2dname('agentlotto.com.'),
kres.str2dname('lottoevents.com.'),
kres.str2dname('bet2u.com.'),
kres.str2dname('gunsbet.com.'),
kres.str2dname('playamo.com.'),
kres.str2dname('lokicasino.com.'),
}))
```
and lua script:
```
local policy = require('kres_modules/policy')
local ffi = require('ffi')
local rpz = {}

-- ANSWER section: <qname> CNAME <cname>, then <cname> A/AAAA <ip>
function rpz.gen_answer_section(answer, sname, cname, answer_type, ip)
    answer:begin(kres.section.ANSWER)
    answer:put(sname, 5, answer:qclass(), kres.type.CNAME, kres.str2dname(cname))
    answer:put(kres.str2dname(cname), 900, answer:qclass(), answer_type, kres.str2ip(ip))
end

-- AUTHORITY section: NS set of the synthesized zone (names redacted as xxxx in the post)
function rpz.gen_authority_section(answer)
    answer:begin(kres.section.AUTHORITY)
    answer:put(kres.str2dname('xxxx'), 900, answer:qclass(), kres.type.NS, kres.str2dname('dnsa1.xxxx'))
    answer:put(kres.str2dname('xxxx'), 900, answer:qclass(), kres.type.NS, kres.str2dname('dnsa2.xxxx'))
    answer:put(kres.str2dname('xxxx'), 900, answer:qclass(), kres.type.NS, kres.str2dname('dnsa3.xxxx'))
end

-- ADDITIONAL section: glue addresses for the NS names above (addresses redacted)
function rpz.gen_additional_section(answer)
    answer:begin(kres.section.ADDITIONAL)
    answer:put(kres.str2dname('dnsa1.xxxx'), 900, answer:qclass(), kres.type.A, kres.str2ip('109.202.xxxx'))
    answer:put(kres.str2dname('dnsa1.xxxx'), 900, answer:qclass(), kres.type.AAAA, kres.str2ip('2a06:xxx'))
    answer:put(kres.str2dname('dnsa2.xxxx'), 900, answer:qclass(), kres.type.A, kres.str2ip('109.202.xxx'))
    answer:put(kres.str2dname('dnsa2.xxxx'), 900, answer:qclass(), kres.type.AAAA, kres.str2ip('2a06:xxx'))
    answer:put(kres.str2dname('dnsa3.xxxx'), 900, answer:qclass(), kres.type.A, kres.str2ip('85.xxxxx'))
    answer:put(kres.str2dname('dnsa3.xxxx'), 900, answer:qclass(), kres.type.AAAA, kres.str2ip('2a02xxxx'))
end

-- Policy action: A and AAAA queries get the synthesized answer and return kres.DONE;
-- any other qtype returns `state` unchanged, so it is resolved normally upstream
function rpz.genRPZ_RR (state, req)
    local answer = req.answer
    local qry = req:current()
    if qry.stype == kres.type.A then
        ffi.C.kr_pkt_make_auth_header(answer)
        answer:rcode(kres.rcode.NOERROR)
        rpz.gen_answer_section(answer, qry.sname, 'hazard.xxxx', kres.type.A, '109.xxxxx')
        rpz.gen_authority_section(answer)
        rpz.gen_additional_section(answer)
        return kres.DONE
    elseif qry.stype == kres.type.AAAA then
        ffi.C.kr_pkt_make_auth_header(answer)
        answer:rcode(kres.rcode.NOERROR)
        rpz.gen_answer_section(answer, qry.sname, 'hazard.xxxxx', kres.type.AAAA, '2a06:xxxxx')
        rpz.gen_authority_section(answer)
        rpz.gen_additional_section(answer)
        return kres.DONE
    else
        return state
    end
end
return rpz
```
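A variant of the action above, as an added example that is not code from this issue or from the Knot Resolver project: it keeps the CNAME-to-sinkhole rewrite for A and AAAA, but answers every other qtype with an empty NOERROR (NODATA) instead of returning `state`, so a listed name is never sent upstream for MX, TXT or any other type. The sinkhole name and addresses are placeholders from reserved ranges, the two listed domains are taken from the list above, and it assumes a kresd 5.x build that exposes `req:ensure_answer()` (older builds read `req.answer` as the script above does).

```lua
-- Added example, not from the issue or the knot-resolver project.
-- Custom policy action: listed names get a CNAME to a sinkhole for A/AAAA
-- and an empty NOERROR answer (NODATA) for every other qtype, so nothing
-- about them is ever asked of the real authoritative servers.
local policy = require('kres_modules/policy')
local ffi = require('ffi')

-- Placeholders: a reserved name and documentation ranges (RFC 5737, RFC 3849).
local SINK_NAME = 'sinkhole.invalid.'
local SINK_A    = '192.0.2.1'
local SINK_AAAA = '2001:db8::1'
local SINK_TTL  = 300   -- short TTL so an unblock propagates quickly

local function sinkhole_action(_state, req)
    -- assumption: kresd 5.x, where the answer packet is obtained through
    -- req:ensure_answer(); older builds read req.answer directly
    local answer = req:ensure_answer()
    if answer == nil then return nil end
    local qry = req:current()

    ffi.C.kr_pkt_make_auth_header(answer)   -- AA=1: this answer is ours, not the zone's
    answer:rcode(kres.rcode.NOERROR)
    answer:begin(kres.section.ANSWER)
    if qry.stype == kres.type.A or qry.stype == kres.type.AAAA then
        local rtype = qry.stype
        local rdata = kres.str2ip(rtype == kres.type.A and SINK_A or SINK_AAAA)
        answer:put(qry.sname, SINK_TTL, answer:qclass(), kres.type.CNAME, kres.str2dname(SINK_NAME))
        answer:put(kres.str2dname(SINK_NAME), SINK_TTL, answer:qclass(), rtype, rdata)
    end
    -- Other qtypes: ANSWER stays empty (NODATA). We still return DONE so the
    -- resolver does not fall through and query the real zone for that type.
    return kres.DONE
end

-- policy.suffix matches the listed names and everything below them.
policy.add(policy.suffix(sinkhole_action, policy.todnames({
    '1xbet8.com.',
    'betworld.com.',
})))
```

Two things to keep in mind when testing a rewrite like this: the synthesized records carry no RRSIG, so a validating client behind the resolver (or a downstream validating resolver) will treat the rewritten answer for a signed name as bogus rather than as a clean block; and because the action handles every qtype, a query such as `dig MX 1xbet8.com @resolver` is the quick check that nothing leaks, whereas the original script returns `state` there and lets the real zone answer.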
Can you tell me where I should look to find some bug, please?

https://gitlab.nic.cz/knot/knot-resolver/-/issues/662 SERVFAIL when resolving `www.cdc.gov` (knot-resolver 3.2.1, 5.1.3, and 5.2.1) (2022-01-04T13:48:58+01:00, Daniel Kahn Gillmor)
Starting from a cleared cache, I tried to resolve `www.cdc.gov` from a `knot-resolver` instance. I got a SERVFAIL.
I've seen this behavior in knot-resolver 3.2.1 and 5.1.3 and 5.2.1.
I think it has something to do with DNSSEC and QNAME minimization, but I might be misunderstanding it too. In particular, Akamai seems to be authoritative for the `akam.cdc.gov` zone, which maybe has a `DS` record but no `DNSKEY` record? Maybe there are other issues I don't understand though.
Below is a log from a 5.2.1 instance running with `verbose(true)`:
```
Dec 22 14:01:50 alice kresd[814779]: [00000.00][plan] plan 'www.cdc.gov.' type 'A' uid [49186.00]
Dec 22 14:01:50 alice kresd[814779]: [49186.00][iter] 'www.cdc.gov.' type 'A' new uid was assigned .01, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [49186.01][resl] => using root hints
Dec 22 14:01:50 alice kresd[814779]: [49186.01][iter] 'www.cdc.gov.' type 'A' new uid was assigned .02, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [49186.02][resl] >< TA: '.'
Dec 22 14:01:50 alice kresd[814779]: [49186.02][plan] plan '.' type 'DNSKEY' uid [49186.03]
Dec 22 14:01:50 alice kresd[814779]: [49186.03][iter] '.' type 'DNSKEY' new uid was assigned .04, parent uid .02
Dec 22 14:01:50 alice kresd[814779]: [49186.04][resl] => id: '54881' querying: '2001:500:9f::42#00053' score: 10 zone cut: '.' qname: '.' qtype: 'DNSKEY' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [49186.04][resl] => id: '54881' querying: '199.7.83.42#00053' score: 10 zone cut: '.' qname: '.' qtype: 'DNSKEY' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [49186.04][iter] <= rcode: NOERROR
Dec 22 14:01:50 alice kresd[814779]: [49186.04][vldr] <= parent: updating DNSKEY
Dec 22 14:01:50 alice kresd[814779]: [49186.04][vldr] <= answer valid, OK
Dec 22 14:01:50 alice kresd[814779]: [49186.04][cach] => stashed . DNSKEY, rank 060, 1090 B total, incl. 1 RRSIGs
Dec 22 14:01:50 alice kresd[814779]: [ta_signal_query] signalling query trigered: _ta-4f66.
Dec 22 14:01:50 alice kresd[814779]: [49186.04][resl] <= server: '2001:500:9f::42' rtt: >= 220 ms
Dec 22 14:01:50 alice kresd[814779]: [49186.04][resl] <= server: '199.7.83.42' rtt: 20 ms
Dec 22 14:01:50 alice kresd[814779]: [49186.02][iter] 'www.cdc.gov.' type 'A' new uid was assigned .05, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [49186.05][resl] => id: '15349' querying: '2001:dc3::35#00053' score: 10 zone cut: '.' qname: 'GOV.' qtype: 'NS' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [00000.00][plan] plan '_ta-4f66.' type 'NULL' uid [65566.00]
Dec 22 14:01:50 alice kresd[814779]: [65566.00][iter] '_ta-4f66.' type 'NULL' new uid was assigned .01, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [65566.01][resl] => using root hints
Dec 22 14:01:50 alice kresd[814779]: [65566.01][iter] '_ta-4f66.' type 'NULL' new uid was assigned .02, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [65566.02][resl] >< TA: '.'
Dec 22 14:01:50 alice kresd[814779]: [65566.02][plan] plan '.' type 'DNSKEY' uid [65566.03]
Dec 22 14:01:50 alice kresd[814779]: [65566.03][iter] '.' type 'DNSKEY' new uid was assigned .04, parent uid .02
Dec 22 14:01:50 alice kresd[814779]: [65566.04][cach] => satisfied by exact RRset: rank 060, new TTL 172800
Dec 22 14:01:50 alice kresd[814779]: [65566.04][iter] <= rcode: NOERROR
Dec 22 14:01:50 alice kresd[814779]: [65566.04][vldr] <= parent: updating DNSKEY
Dec 22 14:01:50 alice kresd[814779]: [65566.04][vldr] <= answer valid, OK
Dec 22 14:01:50 alice kresd[814779]: [65566.02][iter] '_ta-4f66.' type 'NULL' new uid was assigned .05, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [65566.05][resl] => id: '48678' querying: '199.7.83.42#00053' score: 20 zone cut: '.' qname: '_tA-4f66.' qtype: 'NULL' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [65566.05][iter] <= rcode: NXDOMAIN
Dec 22 14:01:50 alice kresd[814779]: [65566.05][vldr] <= answer valid, OK
Dec 22 14:01:50 alice kresd[814779]: [65566.05][cach] => stashed . SOA, rank 060, 358 B total, incl. 1 RRSIGs
Dec 22 14:01:50 alice kresd[814779]: [65566.05][cach] => stashed . NSEC, rank 060, 308 B total, incl. 1 RRSIGs
Dec 22 14:01:50 alice kresd[814779]: [65566.05][cach] => nsec_p stashed for . (new, hash: 0)
Dec 22 14:01:50 alice kresd[814779]: [65566.05][resl] <= server: '199.7.83.42' rtt: 21 ms
Dec 22 14:01:50 alice kresd[814779]: [65566.05][resl] AD: request classified as SECURE
Dec 22 14:01:50 alice kresd[814779]: [65566.05][resl] finished in state: 4, queries: 2, mempool: 98352 B
Dec 22 14:01:50 alice kresd[814779]: [49186.05][resl] => id: '15349' querying: '202.12.27.33#00053' score: 10 zone cut: '.' qname: 'GOV.' qtype: 'NS' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [49186.05][iter] <= loaded 8 glue addresses
Dec 22 14:01:50 alice kresd[814779]: [49186.05][iter] <= referral response, follow
Dec 22 14:01:50 alice kresd[814779]: [49186.05][vldr] <= DS: OK
Dec 22 14:01:50 alice kresd[814779]: [49186.05][vldr] <= answer valid, OK
Dec 22 14:01:50 alice kresd[814779]: [49186.05][cach] => stashed gov. DS, rank 060, 356 B total, incl. 1 RRSIGs
Dec 22 14:01:50 alice kresd[814779]: [49186.05][cach] => stashed gov. NS, rank 002, 102 B total, incl. 0 RRSIGs
Dec 22 14:01:50 alice kresd[814779]: [49186.05][cach] => stashed also 8 nonauth RRsets
Dec 22 14:01:50 alice kresd[814779]: [49186.05][resl] <= server: '2001:dc3::35' rtt: >= 279 ms
Dec 22 14:01:50 alice kresd[814779]: [49186.05][resl] <= server: '202.12.27.33' rtt: 79 ms
Dec 22 14:01:50 alice kresd[814779]: [49186.05][iter] 'www.cdc.gov.' type 'A' new uid was assigned .06, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [49186.06][plan] plan 'gov.' type 'DNSKEY' uid [49186.07]
Dec 22 14:01:50 alice kresd[814779]: [49186.07][iter] 'gov.' type 'DNSKEY' new uid was assigned .08, parent uid .06
Dec 22 14:01:50 alice kresd[814779]: [49186.08][cach] => no NSEC* cached for zone: gov.
Dec 22 14:01:50 alice kresd[814779]: [49186.08][cach] => skipping zone: gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:50 alice kresd[814779]: [49186.08][cach] => skipping zone: gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:50 alice kresd[814779]: [49186.08][resl] => id: '16918' querying: '2620:74:28::2:30#00053' score: 10 zone cut: 'gov.' qname: 'gov.' qtype: 'DNSKEY' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [49186.08][resl] => id: '16918' querying: '69.36.153.30#00053' score: 10 zone cut: 'gov.' qname: 'gov.' qtype: 'DNSKEY' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [49186.08][iter] <= rcode: NOERROR
Dec 22 14:01:50 alice kresd[814779]: [49186.08][vldr] <= parent: updating DNSKEY
Dec 22 14:01:50 alice kresd[814779]: [49186.08][vldr] <= answer valid, OK
Dec 22 14:01:50 alice kresd[814779]: [49186.08][cach] => stashed gov. DNSKEY, rank 060, 730 B total, incl. 1 RRSIGs
Dec 22 14:01:50 alice kresd[814779]: [49186.08][resl] <= server: '2620:74:28::2:30' rtt: >= 237 ms
Dec 22 14:01:50 alice kresd[814779]: [49186.08][resl] <= server: '69.36.153.30' rtt: 37 ms
Dec 22 14:01:50 alice kresd[814779]: [49186.06][iter] 'www.cdc.gov.' type 'A' new uid was assigned .09, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [49186.09][resl] => id: '06201' querying: '2620:74:27::2:30#00053' score: 10 zone cut: 'gov.' qname: 'cdc.goV.' qtype: 'NS' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [49186.09][resl] => id: '06201' querying: '209.112.123.30#00053' score: 10 zone cut: 'gov.' qname: 'cdc.goV.' qtype: 'NS' proto: 'udp'
Dec 22 14:01:51 alice kresd[814779]: [49186.09][iter] <= loaded 3 glue addresses
Dec 22 14:01:51 alice kresd[814779]: [49186.09][iter] <= referral response, follow
Dec 22 14:01:51 alice kresd[814779]: [49186.09][vldr] <= DS: OK
Dec 22 14:01:51 alice kresd[814779]: [49186.09][vldr] <= answer valid, OK
Dec 22 14:01:51 alice kresd[814779]: [49186.09][cach] => stashed cdc.gov. DS, rank 060, 264 B total, incl. 1 RRSIGs
Dec 22 14:01:51 alice kresd[814779]: [49186.09][cach] => stashed cdc.gov. NS, rank 002, 104 B total, incl. 0 RRSIGs
Dec 22 14:01:51 alice kresd[814779]: [49186.09][cach] => stashed also 3 nonauth RRsets
Dec 22 14:01:51 alice kresd[814779]: [49186.09][resl] <= server: '2620:74:27::2:30' rtt: >= 257 ms
Dec 22 14:01:51 alice kresd[814779]: [49186.09][resl] <= server: '209.112.123.30' rtt: 57 ms
Dec 22 14:01:51 alice kresd[814779]: [49186.09][iter] 'www.cdc.gov.' type 'A' new uid was assigned .10, parent uid .00
Dec 22 14:01:51 alice kresd[814779]: [49186.10][plan] plan 'cdc.gov.' type 'DNSKEY' uid [49186.11]
Dec 22 14:01:51 alice kresd[814779]: [49186.11][iter] 'cdc.gov.' type 'DNSKEY' new uid was assigned .12, parent uid .10
Dec 22 14:01:51 alice kresd[814779]: [49186.12][cach] => no NSEC* cached for zone: cdc.gov.
Dec 22 14:01:51 alice kresd[814779]: [49186.12][cach] => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.12][cach] => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.12][resl] => id: '05583' querying: '198.246.96.92#00053' score: 10 zone cut: 'cdc.gov.' qname: 'cDC.gOv.' qtype: 'DNSKEY' proto: 'udp'
Dec 22 14:01:51 alice kresd[814779]: [49186.12][iter] <= rcode: NOERROR
Dec 22 14:01:51 alice kresd[814779]: [49186.12][vldr] <= parent: updating DNSKEY
Dec 22 14:01:51 alice kresd[814779]: [49186.12][vldr] <= answer valid, OK
Dec 22 14:01:51 alice kresd[814779]: [49186.12][cach] => stashed cdc.gov. DNSKEY, rank 060, 862 B total, incl. 2 RRSIGs
Dec 22 14:01:51 alice kresd[814779]: [49186.12][resl] <= server: '198.246.96.92' rtt: 52 ms
Dec 22 14:01:51 alice kresd[814779]: [49186.10][iter] 'www.cdc.gov.' type 'A' new uid was assigned .13, parent uid .00
Dec 22 14:01:51 alice kresd[814779]: [49186.13][resl] => id: '31795' querying: '198.246.96.61#00053' score: 10 zone cut: 'cdc.gov.' qname: 'Www.Cdc.Gov.' qtype: 'A' proto: 'udp'
Dec 22 14:01:51 alice kresd[814779]: [49186.13][iter] <= rcode: NOERROR
Dec 22 14:01:51 alice kresd[814779]: [49186.13][iter] <= cname chain, following
Dec 22 14:01:51 alice kresd[814779]: [00000.00][plan] plan 'www.akam.cdc.gov.' type 'A' uid [49186.14]
Dec 22 14:01:51 alice kresd[814779]: [49186.13][vldr] <= answer valid, OK
Dec 22 14:01:51 alice kresd[814779]: [49186.13][cach] => stashed www.cdc.gov. CNAME, rank 060, 192 B total, incl. 1 RRSIGs
Dec 22 14:01:51 alice kresd[814779]: [49186.13][resl] <= server: '198.246.96.61' rtt: 55 ms
Dec 22 14:01:51 alice kresd[814779]: [49186.14][iter] 'www.akam.cdc.gov.' type 'A' new uid was assigned .15, parent uid .00
Dec 22 14:01:51 alice kresd[814779]: [49186.15][cach] => no NSEC* cached for zone: cdc.gov.
Dec 22 14:01:51 alice kresd[814779]: [49186.15][cach] => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.15][cach] => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.15][zcut] found cut: cdc.gov. (rank 002 return codes: DS 0, DNSKEY 0)
Dec 22 14:01:51 alice kresd[814779]: [49186.15][resl] => id: '24013' querying: '198.246.125.10#00053' score: 10 zone cut: 'cdc.gov.' qname: 'aKam.cdC.Gov.' qtype: 'NS' proto: 'udp'
Dec 22 14:01:51 alice kresd[814779]: [49186.15][iter] <= rcode: NOERROR
Dec 22 14:01:51 alice kresd[814779]: [49186.15][iter] <= continuing with qname minimization
Dec 22 14:01:51 alice kresd[814779]: [49186.15][resl] <= server: '198.246.125.10' rtt: 53 ms
Dec 22 14:01:51 alice kresd[814779]: [49186.15][iter] 'www.akam.cdc.gov.' type 'A' new uid was assigned .16, parent uid .00
Dec 22 14:01:51 alice kresd[814779]: [49186.16][plan] plan 'akam.cdc.gov.' type 'DS' uid [49186.17]
Dec 22 14:01:51 alice kresd[814779]: [49186.17][iter] 'akam.cdc.gov.' type 'DS' new uid was assigned .18, parent uid .16
Dec 22 14:01:51 alice kresd[814779]: [49186.18][cach] => no NSEC* cached for zone: cdc.gov.
Dec 22 14:01:51 alice kresd[814779]: [49186.18][cach] => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.18][cach] => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.18][zcut] found cut: cdc.gov. (rank 002 return codes: DS 0, DNSKEY 0)
Dec 22 14:01:51 alice kresd[814779]: [49186.18][resl] => id: '02506' querying: '198.246.96.92#00053' score: 52 zone cut: 'cdc.gov.' qname: 'aKAM.cdc.GOv.' qtype: 'DS' proto: 'udp'
Dec 22 14:01:51 alice kresd[814779]: [49186.18][iter] <= rcode: NOERROR
Dec 22 14:01:51 alice kresd[814779]: [49186.18][vldr] <= DS: OK
Dec 22 14:01:51 alice kresd[814779]: [49186.18][vldr] <= parent: updating DS
Dec 22 14:01:51 alice kresd[814779]: [49186.18][vldr] <= answer valid, OK
Dec 22 14:01:51 alice kresd[814779]: [49186.18][cach] => stashed akam.cdc.gov. DS, rank 060, 210 B total, incl. 1 RRSIGs
Dec 22 14:01:51 alice kresd[814779]: [49186.18][resl] <= server: '198.246.96.92' rtt: 50 ms
Dec 22 14:01:51 alice kresd[814779]: [49186.16][iter] 'www.akam.cdc.gov.' type 'A' new uid was assigned .19, parent uid .00
Dec 22 14:01:51 alice kresd[814779]: [49186.19][plan] plan 'akam.cdc.gov.' type 'DNSKEY' uid [49186.20]
Dec 22 14:01:51 alice kresd[814779]: [49186.20][iter] 'akam.cdc.gov.' type 'DNSKEY' new uid was assigned .21, parent uid .19
Dec 22 14:01:51 alice kresd[814779]: [49186.21][cach] => no NSEC* cached for zone: cdc.gov.
Dec 22 14:01:51 alice kresd[814779]: [49186.21][cach] => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.21][cach] => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.21][resl] => id: '42245' querying: '198.246.96.92#00053' score: 51 zone cut: 'akam.cdc.gov.' qname: 'akaM.CdC.Gov.' qtype: 'DNSKEY' proto: 'udp'
Dec 22 14:01:51 alice kresd[814779]: [49186.21][iter] <= rcode: NOERROR
Dec 22 14:01:51 alice kresd[814779]: [49186.21][vldr] >< cut changed, needs revalidation
Dec 22 14:01:51 alice kresd[814779]: [49186.21][resl] <= server: '198.246.96.92' rtt: 48 ms
Dec 22 14:01:51 alice kresd[814779]: [49186.21][resl] => resuming yielded answer
Dec 22 14:01:51 alice kresd[814779]: [49186.21][vldr] <= bad NODATA proof
Dec 22 14:01:51 alice kresd[814779]: [49186.21][cach] => stashed packet: rank 025, TTL 3600, DNSKEY akam.cdc.gov. (125 B)
Dec 22 14:01:51 alice kresd[814779]: [49186.00][resl] request failed, answering with empty SERVFAIL
Dec 22 14:01:51 alice kresd[814779]: [49186.21][resl] finished in state: 8, queries: 5, mempool: 49200 B
```

https://gitlab.nic.cz/knot/knot-resolver/-/issues/661 resolution of `mail.comcast.com MX` fails (2021-01-28T12:25:07+01:00, Štěpán Balážik)
`respdiff` suggests it should succeed.
I haven't looked closely into this, but from the surface it looks related to #626 and #659.
Log from 63d02c443f8217650cc84c32cc9fb27d207f18d0.
```
[00000.00][plan] plan 'mail.comcast.net.' type 'MX' uid [46333.00]
[46333.00][iter] 'mail.comcast.net.' type 'MX' new uid was assigned .01, parent uid .00
[46333.01][cach] => no NSEC* cached for zone: net.
[46333.01][cach] => skipping zone: net., NSEC, hash 0;new TTL -123456789, ret -2
[46333.01][cach] => skipping zone: net., NSEC, hash 0;new TTL -123456789, ret -2
[46333.01][zcut] found cut: net. (rank 002 return codes: DS 0, DNSKEY 0)
[46333.01][resl] => id: '15433' querying: '2001:503:eea3::30#00053' score: 79 zone cut: 'net.' qname: 'CoMCAst.neT.' qtype: 'NS' proto: 'udp'
[46333.01][iter] <= loaded 10 glue addresses
[46333.01][iter] <= referral response, follow
[46333.01][vldr] <= DS: OK
[46333.01][vldr] <= answer valid, OK
[46333.01][cach] => stashed comcast.net. DS, rank 060, 264 B total, incl. 1 RRSIGs
[46333.01][cach] => stashed comcast.net. NS, rank 002, 124 B total, incl. 0 RRSIGs
[46333.01][cach] => stashed also 10 nonauth RRsets
[46333.01][resl] <= server: '2001:503:eea3::30' rtt: 43 ms
[46333.01][iter] 'mail.comcast.net.' type 'MX' new uid was assigned .02, parent uid .00
[46333.02][plan] plan 'comcast.net.' type 'DNSKEY' uid [46333.03]
[46333.03][iter] 'comcast.net.' type 'DNSKEY' new uid was assigned .04, parent uid .02
[46333.04][cach] => no NSEC* cached for zone: comcast.net.
[46333.04][cach] => skipping zone: comcast.net., NSEC, hash 0;new TTL -123456789, ret -2
[46333.04][cach] => skipping zone: comcast.net., NSEC, hash 0;new TTL -123456789, ret -2
[46333.04][resl] => id: '01302' querying: '2001:558:1014:c:68:87:76:228#00053' score: 10 zone cut: 'comcast.net.' qname: 'COMcasT.neT.' qtype: 'DNSKEY' proto: 'udp'
[46333.04][iter] <= rcode: NOERROR
[46333.04][vldr] <= parent: updating DNSKEY
[46333.04][vldr] <= answer valid, OK
[46333.04][cach] => stashed comcast.net. DNSKEY, rank 060, 870 B total, incl. 2 RRSIGs
[46333.04][resl] <= server: '2001:558:1014:c:68:87:76:228' rtt: 191 ms
[46333.02][iter] 'mail.comcast.net.' type 'MX' new uid was assigned .05, parent uid .00
[46333.05][resl] => id: '50780' querying: '68.87.76.228#00053' score: 10 zone cut: 'comcast.net.' qname: 'MaIL.COmCAST.Net.' qtype: 'MX' proto: 'udp'
[46333.05][iter] <= rcode: NOERROR
[46333.05][iter] <= cname chain, following
[00000.00][plan] plan 'imap.ge.xfinity.com.' type 'MX' uid [46333.06]
[46333.05][vldr] <= answer valid, OK
[46333.05][cach] => stashed mail.comcast.net. CNAME, rank 060, 200 B total, incl. 1 RRSIGs
[46333.05][resl] <= server: '68.87.76.228' rtt: 194 ms
[46333.06][iter] 'imap.ge.xfinity.com.' type 'MX' new uid was assigned .07, parent uid .00
[46333.07][cach] => trying zone: ., NSEC, hash 0
[46333.07][cach] => NSEC sname: range search miss (!covers)
[46333.07][cach] => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
[46333.07][zcut] found cut: . (rank 060 return codes: DS -2, DNSKEY 0)
[46333.07][resl] >< TA: '.'
[46333.07][resl] => id: '16802' querying: '2001:500:12::d0d#00053' score: 53 zone cut: '.' qname: 'Com.' qtype: 'NS' proto: 'udp'
[46333.07][iter] <= loaded 26 glue addresses
[46333.07][iter] <= referral response, follow
[46333.07][vldr] <= DS: OK
[46333.07][vldr] <= answer valid, OK
[46333.07][cach] => stashed com. DS, rank 060, 330 B total, incl. 1 RRSIGs
[46333.07][cach] => stashed com. NS, rank 002, 300 B total, incl. 0 RRSIGs
[46333.07][cach] => not overwriting AAAA a.gtld-servers.net.
[46333.07][cach] => not overwriting A a.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA e.gtld-servers.net.
[46333.07][cach] => not overwriting A e.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA h.gtld-servers.net.
[46333.07][cach] => not overwriting A h.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA k.gtld-servers.net.
[46333.07][cach] => not overwriting A k.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA m.gtld-servers.net.
[46333.07][cach] => not overwriting A m.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA g.gtld-servers.net.
[46333.07][cach] => not overwriting A g.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA i.gtld-servers.net.
[46333.07][cach] => not overwriting A i.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA c.gtld-servers.net.
[46333.07][cach] => not overwriting A c.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA f.gtld-servers.net.
[46333.07][cach] => not overwriting A f.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA d.gtld-servers.net.
[46333.07][cach] => not overwriting A d.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA b.gtld-servers.net.
[46333.07][cach] => not overwriting A b.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA j.gtld-servers.net.
[46333.07][cach] => not overwriting A j.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA l.gtld-servers.net.
[46333.07][cach] => not overwriting A l.gtld-servers.net.
[46333.07][resl] <= server: '2001:500:12::d0d' rtt: 53 ms
[46333.07][iter] 'imap.ge.xfinity.com.' type 'MX' new uid was assigned .08, parent uid .00
[46333.08][plan] plan 'com.' type 'DNSKEY' uid [46333.09]
[46333.09][iter] 'com.' type 'DNSKEY' new uid was assigned .10, parent uid .08
[46333.10][cach] => no NSEC* cached for zone: com.
[46333.10][cach] => skipping zone: com., NSEC, hash 0;new TTL -123456789, ret -2
[46333.10][cach] => skipping zone: com., NSEC, hash 0;new TTL -123456789, ret -2
[46333.10][resl] => id: '64293' querying: '2001:503:83eb::30#00053' score: 72 zone cut: 'com.' qname: 'cOM.' qtype: 'DNSKEY' proto: 'udp'
[46333.10][iter] <= rcode: NOERROR
[46333.10][vldr] <= parent: updating DNSKEY
[46333.10][vldr] <= answer valid, OK
[46333.10][cach] => stashed com. DNSKEY, rank 060, 730 B total, incl. 1 RRSIGs
[46333.10][resl] <= server: '2001:503:83eb::30' rtt: 46 ms
[46333.08][iter] 'imap.ge.xfinity.com.' type 'MX' new uid was assigned .11, parent uid .00
[46333.11][resl] => id: '12580' querying: '2001:502:8cc::30#00053' score: 44 zone cut: 'com.' qname: 'xFiNiTy.COm.' qtype: 'NS' proto: 'udp'
[46333.11][iter] <= referral response, follow
[46333.11][vldr] <= DS: OK
[46333.11][vldr] <= answer valid, OK
[46333.11][cach] => stashed xfinity.com. DS, rank 060, 264 B total, incl. 1 RRSIGs
[46333.11][cach] => stashed xfinity.com. NS, rank 002, 124 B total, incl. 0 RRSIGs
[46333.11][resl] <= server: '2001:502:8cc::30' rtt: 45 ms
[46333.11][iter] 'imap.ge.xfinity.com.' type 'MX' new uid was assigned .12, parent uid .00
[46333.12][plan] plan 'xfinity.com.' type 'DNSKEY' uid [46333.13]
[46333.13][iter] 'xfinity.com.' type 'DNSKEY' new uid was assigned .14, parent uid .12
[46333.14][cach] => no NSEC* cached for zone: xfinity.com.
[46333.14][cach] => skipping zone: xfinity.com., NSEC, hash 0;new TTL -123456789, ret -2
[46333.14][cach] => skipping zone: xfinity.com., NSEC, hash 0;new TTL -123456789, ret -2
[46333.14][plan] plan 'dns103.comcast.net.' type 'AAAA' uid [46333.15]
[46333.15][iter] 'dns103.comcast.net.' type 'AAAA' new uid was assigned .16, parent uid .14
[46333.16][cach] => satisfied by exact RRset: rank 001, new TTL 172800
[46333.16][iter] <= rcode: NOERROR
[46333.14][iter] 'xfinity.com.' type 'DNSKEY' new uid was assigned .17, parent uid .12
[46333.17][resl] => id: '36870' querying: '2001:558:1014:c:68:87:76:228#00053' score: 191 zone cut: 'xfinity.com.' qname: 'XFINiTY.coM.' qtype: 'DNSKEY' proto: 'udp'
[46333.17][iter] <= rcode: NOERROR
[46333.17][vldr] <= parent: updating DNSKEY
[46333.17][vldr] <= answer valid, OK
[46333.17][cach] => stashed xfinity.com. DNSKEY, rank 060, 870 B total, incl. 2 RRSIGs
[46333.17][resl] <= server: '2001:558:1014:c:68:87:76:228' rtt: 193 ms
[46333.12][iter] 'imap.ge.xfinity.com.' type 'MX' new uid was assigned .18, parent uid .00
[46333.18][plan] plan 'dns104.comcast.net.' type 'AAAA' uid [46333.19]
[46333.19][iter] 'dns104.comcast.net.' type 'AAAA' new uid was assigned .20, parent uid .18
[46333.20][cach] => satisfied by exact RRset: rank 001, new TTL 172800
[46333.20][iter] <= rcode: NOERROR
[46333.18][iter] 'imap.ge.xfinity.com.' type 'MX' new uid was assigned .21, parent uid .00
[46333.21][resl] => id: '58082' querying: '2001:558:100a:5:68:87:68:244#00053' score: 10 zone cut: 'xfinity.com.' qname: 'ge.xFINIty.CoM.' qtype: 'NS' proto: 'udp'
[46333.21][iter] <= referral response, follow
[46333.21][vldr] <= answer valid, OK
[46333.21][cach] => stashed ge.xfinity.com. NSEC, rank 060, 210 B total, incl. 1 RRSIGs
[46333.21][cach] => stashed ge.xfinity.com. NS, rank 010, 188 B total, incl. 0 RRSIGs
[46333.21][cach] => nsec_p stashed for xfinity.com. (new, hash: 0)
[46333.21][resl] <= server: '2001:558:100a:5:68:87:68:244' rtt: 144 ms
[46333.21][iter] 'imap.ge.xfinity.com.' type 'MX' new uid was assigned .22, parent uid .00
[46333.22][resl] <= DS doesn't exist, going insecure
[46333.22][plan] plan 'gtd03-d.hillsboro.or.ndchlsbr.comcast.net.' type 'AAAA' uid [46333.23]
[46333.23][iter] 'gtd03-d.hillsboro.or.ndchlsbr.comcast.net.' type 'AAAA' new uid was assigned .24, parent uid .22
[46333.24][cach] => no NSEC* cached for zone: comcast.net.
[46333.24][cach] => skipping zone: comcast.net., NSEC, hash 0;new TTL -123456789, ret -2
[46333.24][cach] => skipping zone: comcast.net., NSEC, hash 0;new TTL -123456789, ret -2
[46333.24][zcut] found cut: comcast.net. (rank 002 return codes: DS 0, DNSKEY 0)
[46333.24][resl] => id: '62333' querying: '2001:558:1004:7:68:87:85:132#00053' score: 10 zone cut: 'comcast.net.' qname: 'NdchLsbR.CoMCAST.nEt.' qtype: 'NS' proto: 'udp'
[46333.24][iter] <= rcode: NOERROR
[46333.24][iter] <= retrying with non-minimized name
[46333.24][resl] <= server: '2001:558:1004:7:68:87:85:132' rtt: 165 ms
[46333.24][iter] 'gtd03-d.hillsboro.or.ndchlsbr.comcast.net.' type 'AAAA' new uid was assigned .25, parent uid .22
[46333.25][resl] => id: '33890' querying: '2001:558:fe23:8:69:252:250:103#00053' score: 10 zone cut: 'comcast.net.' qname: 'GTD03-D.HiLLsBoRO.OR.ndChLsbR.cOMCASt.NET.' qtype: 'AAAA' proto: 'udp'
[46333.25][iter] <= rcode: NOERROR
[46333.25][vldr] >< cut changed, needs revalidation
[46333.25][resl] <= server: '2001:558:fe23:8:69:252:250:103' rtt: 127 ms
[46333.25][resl] => resuming yielded answer
[46333.25][vldr] >< no valid RRSIGs found: gtd03-d.hillsboro.or.ndchlsbr.comcast.net. AAAA (0 matching RRSIGs, 0 expired, 0 not yet valid, 0 invalid signer, 0 invalid label count, 0 invalid key, 0 invalid crypto, 0 invalid NSEC)
[46333.25][plan] plan 'ndchlsbr.comcast.net.' type 'DS' uid [46333.26]
[46333.26][iter] 'ndchlsbr.comcast.net.' type 'DS' new uid was assigned .27, parent uid .25
[46333.27][cach] => no NSEC* cached for zone: comcast.net.
[46333.27][cach] => skipping zone: comcast.net., NSEC, hash 0;new TTL -123456789, ret -2
[46333.27][cach] => skipping zone: comcast.net., NSEC, hash 0;new TTL -123456789, ret -2
[46333.27][resl] => id: '63949' querying: '2001:558:100e:5:68:87:72:244#00053' score: 10 zone cut: 'comcast.net.' qname: 'ndchLsbr.COMCAST.net.' qtype: 'DS' proto: 'udp'
[46333.27][iter] <= rcode: NOERROR
[46333.27][vldr] <= parent: updating DS
[46333.27][vldr] <= answer valid, OK
[46333.27][cach] => stashed northlake.il.ndchgo.comcast.net. NSEC, rank 060, 222 B total, incl. 1 RRSIGs
[46333.27][cach] => stashed comcast.net. SOA, rank 060, 248 B total, incl. 1 RRSIGs
[46333.27][cach] => nsec_p stashed for comcast.net. (new, hash: 0)
[46333.27][resl] <= server: '2001:558:100e:5:68:87:72:244' rtt: 146 ms
[46333.25][resl] => resuming yielded answer
[46333.25][vldr] >< no valid RRSIGs found: gtd03-d.hillsboro.or.ndchlsbr.comcast.net. AAAA (0 matching RRSIGs, 0 expired, 0 not yet valid, 0 invalid signer, 0 invalid label count, 0 invalid key, 0 invalid crypto, 0 invalid NSEC)
[46333.25][plan] plan 'ndchlsbr.comcast.net.' type 'DS' uid [46333.28]
[46333.28][iter] 'ndchlsbr.comcast.net.' type 'DS' new uid was assigned .29, parent uid .25
[46333.29][cach] => trying zone: comcast.net., NSEC, hash 0
[46333.29][cach] => NSEC sname: covered by: northlake.il.ndchgo.comcast.net. -> hillsboro.or.ndchlsbr.comcast.net., new TTL 3600
[46333.29][cach] => NSEC sname: empty non-terminal by the same RR
[46333.29][iter] <= rcode: NOERROR
[46333.29][vldr] <= parent: updating DS
[46333.29][vldr] <= answer valid, OK
[46333.25][resl] => resuming yielded answer
[46333.25][vldr] >< no valid RRSIGs found: gtd03-d.hillsboro.or.ndchlsbr.comcast.net. AAAA (0 matching RRSIGs, 0 expired, 0 not yet valid, 0 invalid signer, 0 invalid label count, 0 invalid key, 0 invalid crypto, 0 invalid NSEC)
[46333.25][vldr] <= continuous revalidation, fails
[46333.25][cach] => stashed gtd03-d.hillsboro.or.ndchlsbr.comcast.net. AAAA, rank 027, 32 B total, incl. 0 RRSIGs
[46333.25][cach] => not overwriting AAAA gtd03-d.hillsboro.or.ndchlsbr.comcast.net.
[46333.00][resl] request failed, answering with empty SERVFAIL
[46333.25][resl] finished in state: 8, queries: 8, mempool: 65600 B
```

https://gitlab.nic.cz/knot/knot-resolver/-/issues/660 kresd won't resolve if zone doesn't support both TCP and 0x20 (2020-12-18T17:44:20+01:00, Štěpán Balážik)
This is because fallback from not supporting 0x20 is a switch to TCP.
Example at the time of writing: md.tvzhe.com.cname284.yjs-cdn.com

https://gitlab.nic.cz/knot/knot-resolver/-/issues/657 policy: actions don't populate OPT when they should (2021-11-23T19:52:44+01:00, Vladimír Čunát, vladimir.cunat@nic.cz)
[RFC 6891](https://tools.ietf.org/html/rfc6891#section-6.1.1):
> If an OPT record is present in a received request, compliant responders MUST include an OPT record in their respective responses.
Original report: https://forum.turris.cz/t/kresd-response-missing-opt-pseudo-rr/14437
It causes practical issues with systemd-resolved (see the report).

https://gitlab.nic.cz/knot/knot-resolver/-/issues/655 create package for dnstap module (2021-01-15T14:51:35+01:00, Tomas Krizek)
Support for `dnstap` module should be packaged. Using a separate package, such as `knot-resolver-module-dnstap` probably makes the most sense. It also needs to be mentioned in dnstap documentation that an extra package is needed.
Reported from: https://github.com/CZ-NIC/knot-resolver/issues/71
Jakub Ružička

https://gitlab.nic.cz/knot/knot-resolver/-/issues/653 Make kresd 5.x build reproducible (2020-12-10T15:32:23+01:00, Santiago)
Hi,
5.2.0 failed to build reproducibly in Debian due to scripts/get-date.sh used to populate the date on manpages. See Debian bug [#976827](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976827) and [diffoscope results](https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/knot-resolver.html). The attached patch by Chris Lamb should solve the issue. [0002-reproducible-build.patch](/uploads/9bcfbfcbd2e5b19749babbd682bd8fc6/0002-reproducible-build.patch)
Thanks,
-- S

https://gitlab.nic.cz/knot/knot-resolver/-/issues/650 Transform Graphite tags into Prometheus labels (2020-12-18T11:43:56+01:00, Héctor Molinero Fernández)
Currently the http module exposes Prometheus metrics and [replaces the `.` character with `_` in the metrics name](https://gitlab.nic.cz/knot/knot-resolver/-/blob/8ed646c507c43d5aea708dbd7aa90047029b046e/modules/http/prometheus.lua#L105). Perhaps this can be extended to also transform [Graphite tags](https://graphite.readthedocs.io/en/stable/tags.html) into [Prometheus labels](https://prometheus.io/docs/concepts/data_model/).
Since I don't have permission to fork the project, I leave a patch attached that implements this feature.
[knot-resolver-prometheus-labels.patch](/uploads/bf7fa713617ce3c00fc1770799edf7e6/knot-resolver-prometheus-labels.patch)

https://gitlab.nic.cz/knot/knot-resolver/-/issues/645 FORMERR does not trigger EDNS fallback (2021-10-11T13:06:06+02:00, Petr Špaček)
Version: 5.2.0
Domain `spam.molax.co.kr.` qtype `A` does not work with EDNS. Auth servers correctly return FORMERR but kresd 5.2.0 does not fallback to non-EDNS and SERVFAILs request from client.
[spam.molax.co.kr.A.log](/uploads/edde7...Version: 5.2.0
Domain `spam.molax.co.kr.` qtype `A` does not work with EDNS. Auth servers correctly return FORMERR but kresd 5.2.0 does not fallback to non-EDNS and SERVFAILs request from client.
[spam.molax.co.kr.A.log](/uploads/edde70e988fcf6ab810e693802c8896d/spam.molax.co.kr.A.log)
We need to:
- fix kresd
- investigate why test https://gitlab.nic.cz/knot/deckard/-/blob/master/sets/resolver/iter_formerr.rpl did not detect this and fix it!