Knot Resolver issues
https://gitlab.nic.cz/knot/knot-resolver/-/issues
2023-06-21T14:19:11+02:00

https://gitlab.nic.cz/knot/knot-resolver/-/issues/798
OBS build for debian 12
2023-06-21T14:19:11+02:00
Sergio Callegari

Hi, I am finding some confusion with the download documentation for debian:
- Main download page (https://www.knot-resolver.cz/download/) says to directly grab `knot-resolver-release.deb` from https://secure.nic.cz/files/knot-resolver/ yet it is not clarified whether this will then automatically update in case of security issues, nor whether it is fine for platforms different from amd64;
- There also seems to be an OBS build factory (https://software.opensuse.org/download.html?project=home%3ACZ-NIC%3Aknot-resolver-latest&package=knot-resolver) however going there, there seems to be still no debian 12. Would using `debian_next` be fine for the time being?
Can the download/install info for debian be clarified a little? In case there is an official debian repo, it is important to know where, particularly for cases where debian needs to be updated from one version to another one (e.g. bullseye to bookworm).
Thanks.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/797
DNS64 synthesis fails for tudelft.account.worldcat.org
2024-03-11T22:27:53+01:00
Ondřej Caletka

In kresd version 5.6.0 with DNS64 module enabled, when resolving `tudelft.account.worldcat.org`, DNS64 does not kick in:
```
$ dig tudelft.account.worldcat.org a
; <<>> DiG 9.16.37 <<>> tudelft.account.worldcat.org a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52064
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;tudelft.account.worldcat.org. IN A
;; ANSWER SECTION:
tudelft.account.worldcat.org. 2459 IN CNAME emea.account.worldcat.org.
emea.account.worldcat.org. 28 IN A 193.240.184.98
$ dig tudelft.account.worldcat.org aaaa
; <<>> DiG 9.16.37 <<>> tudelft.account.worldcat.org aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63626
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 4 (Forged Answer): (BHD4: DNS64 synthesis)
;; QUESTION SECTION:
;tudelft.account.worldcat.org. IN AAAA
;; AUTHORITY SECTION:
worldcat.org. 653 IN SOA michelle.ns.cloudflare.com. dns.cloudflare.com. 2312413286 10000 2400 604800 1800
```
The zone in question is hosted by Cloudflare and has DNSSEC enabled so my wild guess is that it has something to do with the way Cloudflare signs negative answers.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/796
docs: documentation for version 6
2024-03-19T12:23:57+01:00
Aleš Mrázek

The goal is to have almost finished documentation for version 6.
Current documentation can be seen with [gitlab pages](https://www.knot-resolver.cz/documentation/latest). (generated on-demand from branches chosen by us)
# Step 1: Writing the documentation
The structure of documentation is based on #776.
Some related comments can be found in !1377.
- [x] **Getting Started** section: installation, startup, initial configuration (examples)
- [ ] **Configuration** section: rewrite [pages about Lua configuration](https://knot.pages.nic.cz/knot-resolver/config-lua.html) with declarative configuration
- [ ] syntax and conventions (this might be already rewritten somewhere)
- [ ] modules
- [ ] networking
- [ ] performance and resiliency
- [ ] policy, access control and data manipulation
- [ ] logging, monitoring, diagnostics
- [ ] DNSSEC, data verification
- [ ] experimental features
- [ ] **Management** section
- [ ] HTTP API
- [x] kresctl utility
- [ ] **For operators** section
- [ ] upgrading to version 6
- [ ] **For developers** section
- [ ] internal architecture
- [x] **Deployment** guides
- [x] manual
- [x] systemd
- [x] docker
- [x] multiple instances
- [ ] extending the resolver
- [ ] create gitlab issues for all documentation sections that won't be fully completed with this MR
# Step 2: Collect and implement feedback
1. [ ] run spell checker
2. [ ] collect feedback from @vcunat
3. [ ] implement feedback
4. [ ] collect feedback from @llhotka
5. [ ] implement feedback
6. [ ] collect feedback from someone unrelated to the dev team (ODVR admins, someone random, ...)
7. [ ] implement feedback
Related !1377
Closes #776

6.1.0
Aleš Mrázek

https://gitlab.nic.cz/knot/knot-resolver/-/issues/790
Recursion in STUB zone
2023-05-01T18:54:36+02:00
skudlik9

Hello,
I'm trying to find a working setup for following scenario:
CZFree is (still) using its own DNS root infrastructure (including root zone, dnssec) over private (10.0.0.0/8) addresses. Members of this community have their own DNS servers (i.e. Klfree, Pilsfree, etc). On our primary DNS recursor, I'd like to be able to resolve (using recursion) normal Internet addresses, our private addresses (in domain .klfree.czf) and also private addresses of other czfree members (about 50 NS bound together in .czf zone with NS referencing members' DNS servers). Recursion is also needed for the czfree part, because there are many distributed authoritative servers all around the members.
Our primary recursive resolving DNS server uses `bind` in "hybrid setup" (allowed recursion, slave for our private zone, slave for "fake-root" .czf zone) and everything works fine. For czfree zones it checks the slave-root .czf zone and continues using recursion.
Secondary/backup is running `knot-resolver` (answers user queries, currently debian 5.5.1-cznic.1) and `knot` (slave for our private zones - and also for .czf zone). Here, I'm unable to find any way to get it to work.
**Original setup** of the knot-resolver is/was to forward everything "local" on the `knot` (running on localhost - port 5301)
```
internalDomains = policy.todnames({'klfree.czf', 'klfree.net', '10.in-addr.arpa', 'czf' })
policy.add(policy.suffix(policy.FLAGS({'NO_CACHE'}), internalDomains))
policy.add(policy.suffix(policy.STUB('127.0.0.1@5301'),internalDomains))
```
This works for our internal zone `klfree.czf` (because here knot is authoritative). But the problem is that `knot` doesn't support recursion, nor does `knot-resolver` in STUB forward mode. When resolving an address like `www.praha12.czf`, knot answers only with NS records (because no recursion), and `knot-resolver` returns this to the client (again without the questioned address resolved). So this doesn't work well.
My **next try** was to use two instances of `knot-resolver`:
- main: copy of original setup
- czf: fake-root recursive resolver just for the `.czf` zone.
Here I tried to use `hints.root()` to force the second instance to be a .czf-only recursive resolver. But again without success. Even when I set up hints.root like this:
```
> hints.root()
{
['a.root-servers.net.'] = {
'10.27.0.68',
},
['b.root-servers.net.'] = {
'10.253.32.129',
},
['c.root-servers.net.'] = {
'10.27.0.68',
},
['d.root-servers.net.'] = {
'10.253.32.129',
},
['e.root-servers.net.'] = {
'10.27.0.68',
},
['f.root-servers.net.'] = {
'10.253.32.129',
},
['g.root-servers.net.'] = {
'10.27.0.68',
},
['h.root-servers.net.'] = {
'10.253.32.129',
},
['i.root-servers.net.'] = {
'10.27.0.68',
},
['j.root-servers.net.'] = {
'10.253.32.129',
},
['k.root-servers.net.'] = {
'10.253.32.129',
},
['l.root-servers.net.'] = {
'10.27.0.68',
},
['m.root-servers.net.'] = {
'10.253.32.129',
},
}
```
`Knot-resolver` uses hardcoded (?) root servers and ignores this setting altogether.
```
root@dns-recursive2:/etc/knot-resolver# dig @localhost -p 6663 a.root-servers.net
; <<>> DiG 9.16.37-Debian <<>> @localhost -p 6663 a.root-servers.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20770
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;a.root-servers.net. IN A
;; ANSWER SECTION:
a.root-servers.net. 171361 IN A 198.41.0.4
;; Query time: 0 msec
;; SERVER: 127.0.0.1#6663(127.0.0.1)
;; WHEN: Fri Apr 21 23:10:47 CEST 2023
;; MSG SIZE rcvd: 63
```
My current test setup of `kresd.conf` (czf instance part):
```
elseif string.match(systemd_instance, '^czf') then
    modules.unload('priming')
    net.listen('127.0.0.1', 6663, { kind = 'dns' })
    modules = {
        'hints > iterate', -- Load /etc/hosts and allow custom root hints
    }
    cache.size = 50 * MB
    hints.root_file("/etc/knot-resolver/czf.zone")
    policy.add(policy.suffix(policy.PASS, {todname('10.in-addr.arpa')}))
    policy.add(policy.suffix(policy.PASS, {todname('.czf')}))
    log_level('debug')
else
    panic("Unknown instance of kresd!")
end
```
Even with `priming` module disabled, and hints.root() returning addresses of our internal czf-root servers, server asks Internet root for answers. :disappointed:
Am I missing some crucial point?
Any "hints" how to deal with "root_hints" or how to "forward with recursion" to solve this riddle?
Thanks in advance
Jan

https://gitlab.nic.cz/knot/knot-resolver/-/issues/789
how to disable qname minimization
2023-04-26T14:00:42+02:00
make

I want to use knot resolver without QNAME minimization, how to config it

https://gitlab.nic.cz/knot/knot-resolver/-/issues/788
Problems with resolution of ldt2.evolvi.co.uk (unexpected NXDOMAIN)
2023-04-19T13:13:01+02:00
Ondřej Benkovský

Hello, I am investigating the DNS resolution issue of domain `ldt2.evolvi.co.uk` using Knot Resolver, the domain is resolved without problems using public resolvers like GoogleDNS (`8.8.8.8`), but resolving the same domain using Knot Resolver ends up with NXDOMAIN. Based on the resolution plan, I am guessing that there might be a problem with \000 character found during DNS resolution?
See following resolution plan
```
[iterat][66545.00] 'ldt2.evolvi.co.uk.' type 'A' new uid was assigned .01, parent uid .00
[cache ][66545.01] => skipping unfit CNAME RR: rank 030, new TTL -340
[cache ][66545.01] => no NSEC* cached for zone: evolvi.co.uk.
[cache ][66545.01] => skipping zone: evolvi.co.uk., NSEC, hash 0;new TTL -123456789, ret -2
[cache ][66545.01] => skipping zone: evolvi.co.uk., NSEC, hash 0;new TTL -123456789, ret -2
[zoncut][66545.01] found cut: evolvi.co.uk. (rank 010 return codes: DS 1, DNSKEY 1)
[resolv][66545.01] => NS is provably without DS, going insecure
[select][66545.01] => id: '05621' choosing from addresses: 2 v4 + 0 v6; names to resolve: 2 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66545.01] => id: '05621' choosing: 'dns1.mtgsy.co.uk.'@'172.105.69.234#00053' with timeout 54 ms zone cut: 'evolvi.co.uk.'
[resolv][66545.01] => id: '05621' querying: 'dns1.mtgsy.co.uk.'@'172.105.69.234#00053' zone cut: 'evolvi.co.uk.' qname: 'LdT2.eVoLVI.Co.uk.' qtype: 'A' proto: 'udp'
[select][66545.01] => id: '05621' updating: 'dns1.mtgsy.co.uk.'@'172.105.69.234#00053' zone cut: 'evolvi.co.uk.' with rtt 26 to srtt: 30 and variance: 6
[iterat][66545.01] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 5621
;; Flags: qr aa cd QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 2
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
ldt2.evolvi.co.uk. A
;; ANSWER SECTION
ldt2.evolvi.co.uk. 300 CNAME azureprodev6ag.\000.
;; ADDITIONAL SECTION
azureprodev6ag.evolvi.co.uk. 600 A 51.105.12.148
[iterat][66545.01] <= rcode: NOERROR
[iterat][66545.01] <= cname chain, following
[cache ][66545.01] => stashed ldt2.evolvi.co.uk. CNAME, rank 030, 34 B total, incl. 0 RRSIGs
[iterat][66545.02] 'azureprodev6ag.\000.' type 'A' new uid was assigned .03, parent uid .00
[cache ][66545.03] => skipping zero-containing name azureprodev6ag.\000.
[zoncut][66545.03] found cut: . (rank 060 return codes: DS -2, DNSKEY 0)
[resolv][66545.03] >< TA: '.'
[select][66545.03] => id: '09381' choosing from addresses: 13 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66545.03] => id: '09381' choosing: 'j.root-servers.net.'@'192.58.128.30#00053' with timeout 23 ms zone cut: '.'
[resolv][66545.03] => id: '09381' querying: 'j.root-servers.net.'@'192.58.128.30#00053' zone cut: '.' qname: '\000.' qtype: 'NS' proto: 'udp'
[select][66545.03] => id: '09381' updating: 'j.root-servers.net.'@'192.58.128.30#00053' zone cut: '.' with rtt 2 to srtt: 3 and variance: 1
[iterat][66545.03] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 9381
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 4; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1472 B; ext-rcode: Unused
;; QUESTION SECTION
\000. NS
;; AUTHORITY SECTION
. 86400 NSEC aaa. NS SOA RRSIG NSEC DNSKEY
. 86400 RRSIG NSEC 8 0 86400 1683003600 1681876800 60955 . ntDYSODGiyW725OVm7aEdZi0/52owv36Fp6ZLSd2MELmroK/1TX8VjEUdmM1OXDxO72gNPwVhU4NTGugPGxYjO4deCV7O4VBvTEc+ayksGIpLhoHkHaeTvnEE4JBPgvhGmxkzHjbPsml8X78qLIe1iC9OX3lKCZKicJivA9Mb+4vSsPnRK00O2SS6b95daEeAyMnNl9KN3+Mh0YQAd0EsZ+dLqVV4nKN8Kq9n2iBuZXJEFb2x94qhXHbkA/uiHNGRaQ7WsylDF2A86uQaVelsPdGk5Z3PB7qGeN3QwMdZbN/rHPvnwSxPxJNcgMIli8SMe/I2eTtr1ltU0SbbOyWgQ==
. 86400 SOA a.root-servers.net. nstld.verisign-grs.com. 2023041900 1800 900 604800 86400
. 86400 RRSIG SOA 8 0 86400 1683003600 1681876800 60955 . fJ1IV7H70mU48wQVVaS6FvfFE83Yc6jrvm3BBROrj3bhFaA2Sb1rIC5ZgxIOERVGfCiZuIA2BDmSf+TpK6hNeqE3sfM5uDzJqKD8HSOAwRjBckOyIIY1Ln4rn8vBkDr6sPPgzMinrOjP4/vQLuH3a95nZXYqKOTBL8SF9/BNSCjmtsiNoUvIdSy/l9tgc+cSEMJIxI03C7f4cCbufMF+gPWriQw5M0yBJkmzlVmUIPTNw44VeHX+6RLpumSWcArAUahWSv5AUWLAtKWcvsmbHei5VeCuaRYYHJgyRF39NWvTgQ8y4/VWrT3h9Yox/r3ABdGzYyCkXdbQWiDma8+Ygw==
;; ADDITIONAL SECTION
[iterat][66545.03] <= rcode: NXDOMAIN
[iterat][66545.03] <= retrying with non-minimized name
[cache ][66545.03] => skipping zero-containing name \000.
[iterat][66545.03] 'azureprodev6ag.\000.' type 'A' new uid was assigned .04, parent uid .00
[select][66545.04] => id: '52347' choosing from addresses: 13 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66545.04] => id: '52347' choosing: 'j.root-servers.net.'@'192.58.128.30#00053' with timeout 23 ms zone cut: '.'
[resolv][66545.04] => id: '52347' querying: 'j.root-servers.net.'@'192.58.128.30#00053' zone cut: '.' qname: 'AzureprodEv6ag.\000.' qtype: 'A' proto: 'udp'
[select][66545.04] => id: '52347' updating: 'j.root-servers.net.'@'192.58.128.30#00053' zone cut: '.' with rtt 2 to srtt: 3 and variance: 1
[iterat][66545.04] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 52347
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 4; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1472 B; ext-rcode: Unused
;; QUESTION SECTION
azureprodev6ag.\000. A
;; AUTHORITY SECTION
. 86400 NSEC aaa. NS SOA RRSIG NSEC DNSKEY
. 86400 RRSIG NSEC 8 0 86400 1683003600 1681876800 60955 . ntDYSODGiyW725OVm7aEdZi0/52owv36Fp6ZLSd2MELmroK/1TX8VjEUdmM1OXDxO72gNPwVhU4NTGugPGxYjO4deCV7O4VBvTEc+ayksGIpLhoHkHaeTvnEE4JBPgvhGmxkzHjbPsml8X78qLIe1iC9OX3lKCZKicJivA9Mb+4vSsPnRK00O2SS6b95daEeAyMnNl9KN3+Mh0YQAd0EsZ+dLqVV4nKN8Kq9n2iBuZXJEFb2x94qhXHbkA/uiHNGRaQ7WsylDF2A86uQaVelsPdGk5Z3PB7qGeN3QwMdZbN/rHPvnwSxPxJNcgMIli8SMe/I2eTtr1ltU0SbbOyWgQ==
. 86400 SOA a.root-servers.net. nstld.verisign-grs.com. 2023041900 1800 900 604800 86400
. 86400 RRSIG SOA 8 0 86400 1683003600 1681876800 60955 . fJ1IV7H70mU48wQVVaS6FvfFE83Yc6jrvm3BBROrj3bhFaA2Sb1rIC5ZgxIOERVGfCiZuIA2BDmSf+TpK6hNeqE3sfM5uDzJqKD8HSOAwRjBckOyIIY1Ln4rn8vBkDr6sPPgzMinrOjP4/vQLuH3a95nZXYqKOTBL8SF9/BNSCjmtsiNoUvIdSy/l9tgc+cSEMJIxI03C7f4cCbufMF+gPWriQw5M0yBJkmzlVmUIPTNw44VeHX+6RLpumSWcArAUahWSv5AUWLAtKWcvsmbHei5VeCuaRYYHJgyRF39NWvTgQ8y4/VWrT3h9Yox/r3ABdGzYyCkXdbQWiDma8+Ygw==
;; ADDITIONAL SECTION
[iterat][66545.04] <= rcode: NXDOMAIN
[valdtr][66545.04] <= answer valid, OK
[cache ][66545.04] => stashed . SOA, rank 060, 358 B total, incl. 1 RRSIGs
[cache ][66545.04] => stashed . NSEC, rank 060, 308 B total, incl. 1 RRSIGs
[cache ][66545.04] => nsec_p stash for . skipped (extra TTL: 968, hash: 0)
[cache ][66545.04] => skipping zero-containing name azureprodev6ag.\000.
[resolv][66545.04] AD: request NOT classified as SECURE
[resolv][66545.04] finished in state: 4, queries: 2, mempool: 98352 B
;; selected from ANSWER sections:
; ranked rrset to_wire true, rank 030 (auth insecure), cached true, qry_uid 1, revalidations 0
ldt2.evolvi.co.uk. 300 CNAME azureprodev6ag.\000.
;; selected from AUTHORITY sections:
; ranked rrset to_wire true, rank 060 (auth secure), cached true, qry_uid 4, revalidations 0
. 3600 NSEC aaa. NS SOA RRSIG NSEC DNSKEY
; ranked rrset to_wire true, rank 060 (auth secure), cached true, qry_uid 4, revalidations 0
. 3600 RRSIG NSEC 8 0 86400 1683003600 1681876800 60955 . ntDYSODGiyW725OVm7aEdZi0/52owv36Fp6ZLSd2MELmroK/1TX8VjEUdmM1OXDxO72gNPwVhU4NTGugPGxYjO4deCV7O4VBvTEc+ayksGIpLhoHkHaeTvnEE4JBPgvhGmxkzHjbPsml8X78qLIe1iC9OX3lKCZKicJivA9Mb+4vSsPnRK00O2SS6b95daEeAyMnNl9KN3+Mh0YQAd0EsZ+dLqVV4nKN8Kq9n2iBuZXJEFb2x94qhXHbkA/uiHNGRaQ7WsylDF2A86uQaVelsPdGk5Z3PB7qGeN3QwMdZbN/rHPvnwSxPxJNcgMIli8SMe/I2eTtr1ltU0SbbOyWgQ==
; ranked rrset to_wire true, rank 060 (auth secure), cached true, qry_uid 4, revalidations 0
. 3600 SOA a.root-servers.net. nstld.verisign-grs.com. 2023041900 1800 900 604800 86400
; ranked rrset to_wire true, rank 060 (auth secure), cached true, qry_uid 4, revalidations 0
. 3600 RRSIG SOA 8 0 86400 1683003600 1681876800 60955 . fJ1IV7H70mU48wQVVaS6FvfFE83Yc6jrvm3BBROrj3bhFaA2Sb1rIC5ZgxIOERVGfCiZuIA2BDmSf+TpK6hNeqE3sfM5uDzJqKD8HSOAwRjBckOyIIY1Ln4rn8vBkDr6sPPgzMinrOjP4/vQLuH3a95nZXYqKOTBL8SF9/BNSCjmtsiNoUvIdSy/l9tgc+cSEMJIxI03C7f4cCbufMF+gPWriQw5M0yBJkmzlVmUIPTNw44VeHX+6RLpumSWcArAUahWSv5AUWLAtKWcvsmbHei5VeCuaRYYHJgyRF39NWvTgQ8y4/VWrT3h9Yox/r3ABdGzYyCkXdbQWiDma8+Ygw==
```
Thanks!

https://gitlab.nic.cz/knot/knot-resolver/-/issues/786
LMDB utils not working with the LMDB cache created by Knot
2023-03-29T21:19:01+02:00
Peter Siman

Hi,
I am trying to use LMDB utils to dump (`mdb_dump`) and load (`mdb_load`) the cache created by Knot but I am getting this error which points to problem (similar to issue reported [here](https://github.com/princeton-vl/CoqGym/issues/39)) with dump format (probably LMDB version mismatch).
```line 6: unrecognized keyword ignored: db_pagesize```
I am using the latest `lmdb-utils` package installed using `apt-get`. I was trying to look into the source code of knot-resolver and find out which version of LMDB is used in it or whether I can use the latest version of LMDB. Is this possible?
Thanks!

https://gitlab.nic.cz/knot/knot-resolver/-/issues/785
manager: API talks only JSON
2023-03-29T13:40:03+02:00
Vaclav Sraier

it currently accepts YAML, we don't want that...

Aleš Mrázek

https://gitlab.nic.cz/knot/knot-resolver/-/issues/784
manager: disallow relative paths in config
2023-03-08T13:47:12+01:00
Vaclav Sraier

- `rundir` should be only absolute
- all other paths should be relative to `rundir`
- kresctl can then accept `--config` and infers socket path from it

Vaclav Sraier

https://gitlab.nic.cz/knot/knot-resolver/-/issues/783
resolving local zones when there's no internet (issue with policy)
2023-03-01T17:44:05+01:00
Daniel Baumann

Hi,
use-case:
* our kresd instances have policy.FORWARD/policy.STUB to resolve internal zone files by asking the authoritative
  servers directly, rather than to go to the internet.
* when we cut internet access for kresd, it fails to forward the queries to the authoritative servers,
  even though they are reachable and answer properly when asked.
* when we lose internet (or for extra resilience), kresd should still resolve all internal zones and only
  fail to resolve stuff in the internet.
For hints, this is properly working - they are always answered also when there's no internet connection.
For forwards, I've played a bit around with 'policy < hints' and such in modules = {}, but to no avail.
Am I missing something or is this not possible? Is the use-case/situation clear enough, or do you want me to provide the exact configuration and debug log to reproduce?
Regards,
Daniel

https://gitlab.nic.cz/knot/knot-resolver/-/issues/782
DNSSEC error for gma.vmathlive.com but DNSViz says domain is OK
2023-02-22T12:12:06+01:00
Peter Siman

Hi,
I am investigating an issue with `gma.vmathlive.com` domain. Knot resolver states there is a [dnssec] validation error for this domain, but when I am trying to debug this using DNSViz, it seems like the DNSSEC is ok.
I am getting this resolution log from Knot resolver:
```
curl localhost:8453/trace/gma.vmathlive.com/AAAA
[iterat][66078.00] 'gma.vmathlive.com.' type 'AAAA' new uid was assigned .01, parent uid .00
[cache ][66078.01] => no NSEC* cached for zone: com.
[cache ][66078.01] => skipping zone: com., NSEC, hash 0;new TTL -123456789, ret -2
[cache ][66078.01] => skipping zone: com., NSEC, hash 0;new TTL -123456789, ret -2
[zoncut][66078.01] found cut: com. (rank 002 return codes: DS 0, DNSKEY 0)
[select][66078.01] => id: '43261' choosing from addresses: 13 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66078.01] => id: '43261' choosing: 'b.gtld-servers.net.'@'192.33.14.30#00053' with timeout 26 ms zone cut: 'com.'
[resolv][66078.01] => id: '43261' querying: 'b.gtld-servers.net.'@'192.33.14.30#00053' zone cut: 'com.' qname: 'VmAThlIvE.coM.' qtype: 'NS' proto: 'udp'
[select][66078.01] => id: '43261' updating: 'b.gtld-servers.net.'@'192.33.14.30#00053' zone cut: 'com.' with rtt 3 to srtt: 6 and variance: 3
[iterat][66078.01] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 43261
;; Flags: qr cd QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 3
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION
vmathlive.com. NS
;; AUTHORITY SECTION
vmathlive.com. 172800 NS ns1.cambiumlearning.com.
vmathlive.com. 172800 NS ns2.cambiumlearning.com.
vmathlive.com. 86400 DS 38134 13 4 DC5F0BEA08FB6D643D89D74A14EDCD210C085E3B6782B9782FEE91BB66A76A83B4181774E0723461AC9B6F18C402C447
vmathlive.com. 86400 DS 38134 13 2 1BA1023E142BCB7B0F7CB6AC4C00771D100F326AC905DAC6074E41AFB25D7870
vmathlive.com. 86400 DS 38134 13 1 902FF916A6140AA401A187EEBDBD636EDFA7EFB1
vmathlive.com. 86400 RRSIG DS 8 2 86400 1677479970 1676870970 36739 com. vOM/iMztbhiYHxhbkI/Yf4t5OWquuKD8OscNNjsapaQ7qruzuAahkk7pD63I1sq+vM62+LvNW1hbK3hWkvqL6yzVPuoNu3fDn/WcxEEn4Kun1/kz2n3PEWdU1jgMnh3WpmzyAmMq33AagPtQT6AvA0hPAoH7nKr7TT+xlh1G9bpI7KFgl3AvMf2xq3N48JwhvxDf/jJx3yhx/xyOz3Hxsw==
;; ADDITIONAL SECTION
ns1.cambiumlearning.com. 172800 A 66.248.224.140
ns2.cambiumlearning.com. 172800 A 50.238.167.169
[iterat][66078.01] <= loaded 2 glue addresses
[iterat][66078.01] <= referral response, follow
[valdtr][66078.01] <= DS: OK
[valdtr][66078.01] <= answer valid, OK
[cache ][66078.01] => stashed vmathlive.com. DS, rank 060, 318 B total, incl. 1 RRSIGs
[cache ][66078.01] => stashed vmathlive.com. NS, rank 002, 70 B total, incl. 0 RRSIGs
[cache ][66078.01] => stashed also 2 nonauth RRsets
[iterat][66078.01] 'gma.vmathlive.com.' type 'AAAA' new uid was assigned .02, parent uid .00
[plan ][66078.02] plan 'vmathlive.com.' type 'DNSKEY' uid [66078.03]
[iterat][66078.03] 'vmathlive.com.' type 'DNSKEY' new uid was assigned .04, parent uid .02
[cache ][66078.04] => no NSEC* cached for zone: vmathlive.com.
[cache ][66078.04] => skipping zone: vmathlive.com., NSEC, hash 0;new TTL -123456789, ret -2
[cache ][66078.04] => skipping zone: vmathlive.com., NSEC, hash 0;new TTL -123456789, ret -2
[select][66078.04] => id: '18904' choosing from addresses: 2 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66078.04] => id: '18904' choosing: 'ns1.cambiumlearning.com.'@'66.248.224.140#00053' with timeout 400 ms zone cut: 'vmathlive.com.'
[resolv][66078.04] => id: '18904' querying: 'ns1.cambiumlearning.com.'@'66.248.224.140#00053' zone cut: 'vmathlive.com.' qname: 'vmatHLiVe.Com.' qtype: 'DNSKEY' proto: 'udp'
[select][66078.04] => id: '18904' updating: 'ns1.cambiumlearning.com.'@'66.248.224.140#00053' zone cut: 'vmathlive.com.' with rtt 133 to srtt: 133 and variance: 66
[iterat][66078.04] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 18904
;; Flags: qr aa QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
vmathlive.com. DNSKEY
;; ANSWER SECTION
vmathlive.com. 3600 RRSIG DNSKEY 13 2 3600 1677715200 1675900800 38134 vmathlive.com. LGEYXMp94nHpWX1vx7RaIFevV80jc/pOWub8+zkDq+ZnFnZ21KsiTiNwdGXdmDcjfS/DmzbYmQ1uk0PDPkTM8Q==
vmathlive.com. 3600 DNSKEY 257 3 13 WOWG2N+2P72hJS7k0mvEbOFNyo/d7qIa5qb2Kyj0oYz65nPhOIxZ8sc/1C3qAVINMyrOyOK2LtHsjg8sA7pr5Q==
;; ADDITIONAL SECTION
[iterat][66078.04] <= rcode: NOERROR
[valdtr][66078.04] <= parent: updating DNSKEY
[valdtr][66078.04] <= answer valid, OK
[cache ][66078.04] => stashed vmathlive.com. DNSKEY, rank 060, 184 B total, incl. 1 RRSIGs
[iterat][66078.02] 'gma.vmathlive.com.' type 'AAAA' new uid was assigned .05, parent uid .00
[select][66078.05] => id: '20059' choosing from addresses: 2 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66078.05] => id: '20059' choosing: 'ns2.cambiumlearning.com.'@'50.238.167.169#00053' with timeout 400 ms zone cut: 'vmathlive.com.'
[resolv][66078.05] => id: '20059' querying: 'ns2.cambiumlearning.com.'@'50.238.167.169#00053' zone cut: 'vmathlive.com.' qname: 'Gma.VMaTHLIve.cOM.' qtype: 'AAAA' proto: 'udp'
[select][66078.05] => id: '20059' updating: 'ns2.cambiumlearning.com.'@'50.238.167.169#00053' zone cut: 'vmathlive.com.' with rtt 109 to srtt: 109 and variance: 54
[iterat][66078.05] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 20059
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 4; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
gma.vmathlive.com. AAAA
;; AUTHORITY SECTION
vmathlive.com. 300 SOA ns1.cambiumlearning.com. hostmaster.cambiumlearning.com. 2022082611 10800 3600 604800 3600
vmathlive.com. 300 RRSIG SOA 13 2 300 1677715200 1675900800 38134 vmathlive.com. Kd4huzuDTm2sR0FffNa6Cv5bu7hcaQhzaV9seqiL0HfoZ+XdWCf0B7s7/k5bxnVQPuOb1jUAMa7ncCXXB/L3nw==
vmathlive.com. 300 NSEC vmathlive.com. A NS SOA RRSIG NSEC DNSKEY
vmathlive.com. 300 RRSIG NSEC 13 2 300 1677715200 1675900800 38134 vmathlive.com. 5lT1gBZAZ3h1C0uRU6TeK3IgRTpxmZttV4ahGbrRPnipMdHrN9B+PQK3Jd0v5jjwgTdcsiOpK6c8tMyRdR3+Fg==
;; ADDITIONAL SECTION
[iterat][66078.05] <= rcode: NOERROR
[valdtr][66078.05] <= bad NODATA proof
[select][66078.05] => id: '20059' noting selection error: 'ns2.cambiumlearning.com.'@'50.238.167.169#00053' zone cut: 'vmathlive.com.' error: 14 DNSSEC_ERROR
[cache ][66078.05] => stashed vmathlive.com. NSEC, rank 060, 140 B total, incl. 1 RRSIGs
[cache ][66078.05] => stashed vmathlive.com. SOA, rank 060, 194 B total, incl. 1 RRSIGs
[cache ][66078.05] => nsec_p stashed for vmathlive.com. (new, hash: 0)
[cache ][66078.05] => stashed packet: rank 025, TTL 300, AAAA gma.vmathlive.com. (379 B)
[iterat][66078.05] 'gma.vmathlive.com.' type 'AAAA' new uid was assigned .06, parent uid .00
[select][66078.06] => id: '33899' choosing from addresses: 1 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66078.06] => id: '33899' choosing: 'ns1.cambiumlearning.com.'@'66.248.224.140#00053' with timeout 397 ms zone cut: 'vmathlive.com.'
[resolv][66078.06] => id: '33899' querying: 'ns1.cambiumlearning.com.'@'66.248.224.140#00053' zone cut: 'vmathlive.com.' qname: 'GmA.VmaTHlIVE.Com.' qtype: 'AAAA' proto: 'udp'
[select][66078.06] => id: '33899' updating: 'ns1.cambiumlearning.com.'@'66.248.224.140#00053' zone cut: 'vmathlive.com.' with rtt 126 to srtt: 132 and variance: 51
[iterat][66078.06] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 33899
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 4; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
gma.vmathlive.com. AAAA
;; AUTHORITY SECTION
vmathlive.com. 300 SOA ns1.cambiumlearning.com. hostmaster.cambiumlearning.com. 2022082611 10800 3600 604800 3600
vmathlive.com. 300 RRSIG SOA 13 2 300 1677715200 1675900800 38134 vmathlive.com. tua7ePdyjjRyyRDyr3gdankU7Xz2QUVOgfbErT6ssGtxGhLueKj8TLy3fgdkAZlsUtLTQoHParWTek6wc3ccSg==
vmathlive.com. 300 NSEC vmathlive.com. A NS SOA RRSIG NSEC DNSKEY
vmathlive.com. 300 RRSIG NSEC 13 2 300 1677715200 1675900800 38134 vmathlive.com. wbGfikMJDqGkfDCn+7XQX7leUDIoAfYwZRtA0yysmg0MDJNFi7Cn6sw1He+JlWkX7zX2Vsk2oNhQE7a+u5fZNA==
;; ADDITIONAL SECTION
[iterat][66078.06] <= rcode: NOERROR
[valdtr][66078.06] <= bad NODATA proof
[select][66078.06] => id: '33899' noting selection error: 'ns1.cambiumlearning.com.'@'66.248.224.140#00053' zone cut: 'vmathlive.com.' error: 14 DNSSEC_ERROR
[cache ][66078.06] => stashed vmathlive.com. NSEC, rank 060, 140 B total, incl. 1 RRSIGs
[cache ][66078.06] => stashed vmathlive.com. SOA, rank 060, 194 B total, incl. 1 RRSIGs
[cache ][66078.06] => nsec_p stash for vmathlive.com. skipped (extra TTL: 0, hash: 0)
[cache ][66078.06] => not overwriting AAAA gma.vmathlive.com.
[iterat][66078.06] 'gma.vmathlive.com.' type 'AAAA' new uid was assigned .07, parent uid .00
[select][66078.07] => id: '57610' choosing from addresses: 0 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66078.07] => id: '57610' no suitable transport, zone cut: 'vmathlive.com.'
[iterat][66078.07] 'gma.vmathlive.com.' type 'AAAA' new uid was assigned .08, parent uid .00
[select][66078.08] => id: '47107' choosing from addresses: 0 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66078.08] => id: '47107' no suitable transport, zone cut: 'vmathlive.com.'
[resolv][66078.00] request failed, answering with empty SERVFAIL
[resolv][66078.08] finished in state: 8, queries: 2, mempool: 98352 B
;; selected from ANSWER sections:
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 4, revalidations 0
vmathlive.com. 3600 RRSIG DNSKEY 13 2 3600 1677715200 1675900800 38134 vmathlive.com. LGEYXMp94nHpWX1vx7RaIFevV80jc/pOWub8+zkDq+ZnFnZ21KsiTiNwdGXdmDcjfS/DmzbYmQ1uk0PDPkTM8Q==
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 4, revalidations 0
vmathlive.com. 3600 DNSKEY 257 3 13 WOWG2N+2P72hJS7k0mvEbOFNyo/d7qIa5qb2Kyj0oYz65nPhOIxZ8sc/1C3qAVINMyrOyOK2LtHsjg8sA7pr5Q==
;; selected from AUTHORITY sections:
; ranked rrset to_wire false, rank 002 (try), cached true, qry_uid 1, revalidations 0
vmathlive.com. 3600 NS ns1.cambiumlearning.com.
vmathlive.com. 3600 NS ns2.cambiumlearning.com.
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 1, revalidations 0
vmathlive.com. 3600 DS 38134 13 1 902FF916A6140AA401A187EEBDBD636EDFA7EFB1
vmathlive.com. 3600 DS 38134 13 2 1BA1023E142BCB7B0F7CB6AC4C00771D100F326AC905DAC6074E41AFB25D7870
vmathlive.com. 3600 DS 38134 13 4 DC5F0BEA08FB6D643D89D74A14EDCD210C085E3B6782B9782FEE91BB66A76A83B4181774E0723461AC9B6F18C402C447
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 1, revalidations 0
vmathlive.com. 3600 RRSIG DS 8 2 86400 1677479970 1676870970 36739 com. vOM/iMztbhiYHxhbkI/Yf4t5OWquuKD8OscNNjsapaQ7qruzuAahkk7pD63I1sq+vM62+LvNW1hbK3hWkvqL6yzVPuoNu3fDn/WcxEEn4Kun1/kz2n3PEWdU1jgMnh3WpmzyAmMq33AagPtQT6AvA0hPAoH7nKr7TT+xlh1G9bpI7KFgl3AvMf2xq3N48JwhvxDf/jJx3yhx/xyOz3Hxsw==
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 5, revalidations 0
vmathlive.com. 300 SOA ns1.cambiumlearning.com. hostmaster.cambiumlearning.com. 2022082611 10800 3600 604800 3600
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 5, revalidations 0
vmathlive.com. 300 RRSIG SOA 13 2 300 1677715200 1675900800 38134 vmathlive.com. Kd4huzuDTm2sR0FffNa6Cv5bu7hcaQhzaV9seqiL0HfoZ+XdWCf0B7s7/k5bxnVQPuOb1jUAMa7ncCXXB/L3nw==
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 5, revalidations 0
vmathlive.com. 300 NSEC vmathlive.com. A NS SOA RRSIG NSEC DNSKEY
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 5, revalidations 0
vmathlive.com. 300 RRSIG NSEC 13 2 300 1677715200 1675900800 38134 vmathlive.com. 5lT1gBZAZ3h1C0uRU6TeK3IgRTpxmZttV4ahGbrRPnipMdHrN9B+PQK3Jd0v5jjwgTdcsiOpK6c8tMyRdR3+Fg==
; ranked rrset to_wire true, rank 060 (auth secure), cached true, qry_uid 6, revalidations 0
vmathlive.com. 300 SOA ns1.cambiumlearning.com. hostmaster.cambiumlearning.com. 2022082611 10800 3600 604800 3600
; ranked rrset to_wire true, rank 060 (auth secure), cached true, qry_uid 6, revalidations 0
vmathlive.com. 300 RRSIG SOA 13 2 300 1677715200 1675900800 38134 vmathlive.com. tua7ePdyjjRyyRDyr3gdankU7Xz2QUVOgfbErT6ssGtxGhLueKj8TLy3fgdkAZlsUtLTQoHParWTek6wc3ccSg==
; ranked rrset to_wire true, rank 060 (auth secure), cached true, qry_uid 6, revalidations 0
vmathlive.com. 300 NSEC vmathlive.com. A NS SOA RRSIG NSEC DNSKEY
; ranked rrset to_wire true, rank 060 (auth secure), cached true, qry_uid 6, revalidations 0
vmathlive.com. 300 RRSIG NSEC 13 2 300 1677715200 1675900800 38134 vmathlive.com. wbGfikMJDqGkfDCn+7XQX7leUDIoAfYwZRtA0yysmg0MDJNFi7Cn6sw1He+JlWkX7zX2Vsk2oNhQE7a+u5fZNA==
;; selected from ADDITIONAL sections:
; ranked rrset to_wire false, rank 001 (omit), cached true, qry_uid 1, revalidations 0
ns1.cambiumlearning.com. 3600 A 66.248.224.140
; ranked rrset to_wire false, rank 001 (omit), cached true, qry_uid 1, revalidations 0
ns2.cambiumlearning.com. 3600 A 50.238.167.169
```
DNSViz DNSSEC analysis [result](https://dnsviz.net/d/gma.vmathlive.com/responses/)
Any idea what might be wrong?
Thanks in advance for your assistance!

https://gitlab.nic.cz/knot/knot-resolver/-/issues/781
Build on MSYS
2023-03-20T09:15:18+01:00
Christopher Ng

Currently this doesn't build on MSYS (i.e. Cygwin). I've managed to get it to build/run on MSYS, but it also required minor fixes to `LMDB` and `knot-dns` (mostly build flags etc). Is there any interest in merging support for this environment?
It has to run under MSYS, running under 'native native' windows (ie MSVC runtime or similar) needs a lot more changes to `knot-dns`, I didn't get very far into investigating it.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/780
Issues of EDNS buffer size
2023-01-21T07:23:19+01:00
idealeer

Although the `edns buffer size` is set to 1232 for a query, Knot Resolver still receives a response with a size larger than 1232, even than 4096.
As suggested here https://www.dnsflagday.net/2020/:
```
It is important for DNS software vendors to comply with DNS standards,
and to use a default EDNS buffer size (1232 bytes) that will not cause
fragmentation on typical network links.
```
We recommend following current practices by only accepting responses less than 1,232 by default, which are implemented by PowerDNS Recursor.
We also wonder why Knot Resolver does this.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/778
Tab completion for kresctl utility
2023-01-10T19:25:43+01:00
Aleš Mrázek

- [ ] top-level options/args completion
- [ ] cmds name completion
- [ ] cmds options/args completion
- [ ] config path completion
- [ ] completion for different shells
- [ ] bash
- [ ] fish

https://gitlab.nic.cz/knot/knot-resolver/-/issues/776
docs: new sphinx documentation and its structure
2023-06-06T16:23:45+02:00
Aleš Mrázek

This issue is intended as a space for discussion about structure and content of the new sphinx documentation.
## New top level sections
Sections do not differ much from the original ones, rather the name is slightly modified for consistency or better naming of the content inside.
- GETTING STARTED
- The resolver introduction (manager introduction and its (dis)advantages)
- Installation from packages
- The resolver systemd startup with manager and legacy daemon. First DNS query(kdig).
- Configuration: YAML config file, management API, kresctl utility, legacy Lua
- COMMON USE CASES
- The resolver common use cases with configuration and related info.
- Perhaps some guides HTTP API, kresctl, no-systemd, ansible, etc... (It would require better name for the section.)
- CONFIGURATION
- Structure will be very similar to the current except for added YAML configuration using `sphinx-tabs`. Maybe it will be slightly modified in favor of the new declarative configuration schema.
- FOR OPERATORS
- Information for users who already operate the resolver.
- upgrading guides, 5.x -> 6.0, release notes, ...
- FOR DEVELOPERS
- Information for developers and advanced users (lib, lua modules, Lua stuff)
- Building from source (apkg, meson, doc)
## Related comments:
- [In current docs, -rosetta would seem to fit well into the "Upgrading" section.](https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1351#note_268322)

https://gitlab.nic.cz/knot/knot-resolver/-/issues/775
Knot Resolver mishandles some cases when bad dns response packet is received
2022-12-02T14:34:53+01:00
mingkwind

Hi,
When Knot Resolver iteratively queries the malicious domain name server, it returns some malformed dns packets, and dnsmasq returns the packet to the client without proper verification, which will give the user a distrust or malicious data. Other authoritative dns resolvers have done correct verification.
There are two bugs below, you can start a fake domain name server locally and return specific data.
In order to easily reproduce these bugs, I turn off case randomization by adding `policy.add(policy.all(policy.FLAGS({'NO_0X20'})))` to the `knot.conf`.
# First Bug
## Description
When the return answer type in the answer section does not match the query class type, (for example, the query class type is *0x0001* and the return answer type is *0xdf01*), the answer packet is forwarded to the client and the RCODE of the Knot Resolver return packet is **0**.
## Expected/Actual behavior
Bind and Pdns return the response packet with a RCODE of **2**.
## Steps to reproduce
### 1、Turn on a fake name server and return a specific payload.
https://643684107.oss-cn-beijing.aliyuncs.com/knot-test/dns_server.py
https://643684107.oss-cn-beijing.aliyuncs.com/knot-test/response1
The details of the response packet(response1) from the fake server are as follows:
```
+ HEADER
+ transaction, flags, questions, answers, authority, additional:
+ 38 CB 81 80 00 01 00 01 00 02 00 01
+
+ QUESTION
+ 06 63 65 72 74 30 31 07 65 78 61 6D 70 6C 65 00 00 25 00 01
+
+ ANSWER
+ C0 0C 00 25 DF 01 00 00 00 00 00 55
+ FF FE FF FF FE 33 11 5C 6F 2F 64 FF 2B DE 74 C7
+ D0 80 AC E1 1F 97 AB D0 CB BF BC 82 F3 E3 92 24
+ B2 47 1E 14 68 22 58 29 FF 1B 11 E1 6A 2E 95 02
+ E1 C0 A0 D5 33 E1 8A 14 D6 D5 5F 48 24 AA 41 89
+ FA FF FD 75 53 A3 65 77 CD 23 11 E0 BC 69 3A CE
+ F8 A2 A6 09 A6
+
+ AUTHORITY
+ C0 13 00 02 00 01 00 00 00 00 00 06
+ 03 6E 73 34 C0 13
+ C0 13 00 02 00 01 00 00 00 00 00 06
+ 03 6E 73 32 C0 13
+
+ ADDITIONAL
+ 00 00 29 10 00 00 00 00 00 00 00
```
Download them and run this script like so:
```
python3 dns_server.py response1
```
### 2、Start Knot Resolver.
The configuration options are as follows:
```
-- SPDX-License-Identifier: CC0-1.0
-- vim:syntax=lua:set ts=4 sw=4:
-- Refer to manual: https://knot-resolver.readthedocs.org/en/stable/
-- Network interface configuration
net.listen('127.0.0.1', 5555, { kind = 'dns' })
--net.listen('127.0.0.1', 853, { kind = 'tls' })
--net.listen('127.0.0.1', 443, { kind = 'doh2' })
--net.listen('::1', 53, { kind = 'dns', freebind = true })
--net.listen('::1', 853, { kind = 'tls', freebind = true })
--net.listen('::1', 443, { kind = 'doh2' })
-- Load useful modules
modules = {
    'policy',
    'view',
}
modules.unload('priming')
trust_anchors.remove('.')
log_level('debug')
-- Cache size
-- cache.size = 100 * MB
-- view:addr('127.0.0.1/8', function (req, qry) return policy.PASS end)
policy.add(policy.all(policy.FLAGS({'NO_0X20'})))
policy.add(policy.all(policy.FLAGS({'NO_CACHE'})))
policy.add(policy.all(policy.STUB({'127.0.0.1'})))
```
Then run like this:
```
./kresd -c knot.conf -n
```
### 3、Send the corresponding dns request.
https://643684107.oss-cn-beijing.aliyuncs.com/knot-test/dns_request.py
https://643684107.oss-cn-beijing.aliyuncs.com/knot-test/request1
The details of the request packet(request1) from client are as follows:
```
+ HEADER
+ transaction, flags, questions, answers, authority, additional:
+ 31 32 01 00 00 01 00 00 00 00 00 00
+
+ QUESTION
+ 06 63 65 72 74 30 31 07 65 78 61 6D 70 6C 65 00 00 25 00 01
+
+ ANSWER
+
+ AUTHORITY
+
+ ADDITIONAL
```
Download them and run this script like so:
```
python3 dns_request.py request1 5555
```
# Second bug
## Description
When Knot Resolver iteratively queries the malicious domain name server as a DNS forwarder, the domain name server returns some malformed dns packets, (for example, the Additional RRS is _0x0001_ but the number of records in the Additional Records section is _2_ ), and Knot Resolver returns a correctly formatted packet with a RCODE of **0** to the client.
## Expected/Actual behavior
Bind and Pdns return the response packet with a RCODE of **2**.
According to **RFC5625-6.3**(https://datatracker.ietf.org/doc/html/rfc5625#section-6.3), when dns resolver receives malformed packet, it SHOULD synthesise a suitable DNS error(i.e., SERVFAIL) response to the client.
## Steps to reproduce
### 1、Turn on a fake name server and return a specific payload.
https://643684107.oss-cn-beijing.aliyuncs.com/knot-test/dns_server.py
https://643684107.oss-cn-beijing.aliyuncs.com/knot-test/response3
The details of the response packet(response3) from the fake server are as follows:
```
+ 0000 31 32 81 80 00 01 00 00 00 02 00 01 06 63 65 72 .............cer
+ 0010 74 30 31 07 65 78 61 6D 70 6C 65 00 00 25 00 01 t01.example..%..
+ 0020 C0 0C 00 25 00 01 00 00 00 00 00 55 FF FE FF FF ...%.......U....
+ 0030 FE 33 11 5C 6F 2F 64 FF 2B DE 74 C7 D0 80 AC E1 .3.\o/d.+.t.....
+ 0040 1F 97 AB D0 CB BF BC 82 F3 E3 92 24 B2 47 1E 14 ...........$.G..
+ 0050 68 22 58 29 FF 1B 11 E1 6A 2E 95 02 E1 C0 A0 D5 h"X)....j.......
+ 0060 33 E1 8A 14 D6 D5 5F 48 24 AA 41 89 FA FF FD 75 3....._H$.A....u
+ 0070 53 A3 65 77 CD 23 11 E0 BC 69 3A CE F8 A2 A6 09 S.ew.#...i:.....
+ 0080 A6 C0 13 00 02 00 01 00 00 00 00 00 06 03 6E 73 ..............ns
+ 0090 34 C0 13 C0 13 00 02 00 01 00 00 00 00 00 06 03 4...............
+ 00A0 6E 73 32 C0 13 00 00 29 10 00 00 00 00 00 00 00 ns2....)........
```
Download them and run this script like so:
```bash
python3 dns_server.py response3
```
### 2、Start Knot Resolver.
The configuration options are as follows:
```
-- SPDX-License-Identifier: CC0-1.0
-- vim:syntax=lua:set ts=4 sw=4:
-- Refer to manual: https://knot-resolver.readthedocs.org/en/stable/
-- Network interface configuration
net.listen('127.0.0.1', 5555, { kind = 'dns' })
--net.listen('127.0.0.1', 853, { kind = 'tls' })
--net.listen('127.0.0.1', 443, { kind = 'doh2' })
--net.listen('::1', 53, { kind = 'dns', freebind = true })
--net.listen('::1', 853, { kind = 'tls', freebind = true })
--net.listen('::1', 443, { kind = 'doh2' })
-- Load useful modules
modules = {
    'policy',
    'view',
}
modules.unload('priming')
trust_anchors.remove('.')
log_level('debug')
-- Cache size
-- cache.size = 100 * MB
-- view:addr('127.0.0.1/8', function (req, qry) return policy.PASS end)
policy.add(policy.all(policy.FLAGS({'NO_0X20'})))
policy.add(policy.all(policy.FLAGS({'NO_CACHE'})))
policy.add(policy.all(policy.STUB({'127.0.0.1'})))
```
Then run like this:
```
./kresd -c knot.conf -n
```
### 3、Send the corresponding dns request.
https://643684107.oss-cn-beijing.aliyuncs.com/knot-test/dns_request.py
https://643684107.oss-cn-beijing.aliyuncs.com/knot-test/request3
The details of the request packet(request1) from client are as follows:
```
+ HEADER
+ transaction, flags, questions, answers, authority, additional:
+ 31 32 81 80 00 01 00 00 00 02 00 00
+
+ QUESTION
+ 06 63 65 72 74 30 31 07 65 78 61 6D 70 6C 65 00 00 25 00 01
+
+ ANSWER
+
+ AUTHORITY
+ C0 0C 00 25 00 01 00 00 00 00 00 55
+ FF FE FF FF FE 33 11 5C 6F 2F 64 FF 2B DE 74 C7
+ D0 80 AC E1 1F 97 AB D0 CB BF BC 82 F3 E3 92 24
+ B2 47 1E 14 68 22 58 29 FF 1B 11 E1 6A 2E 95 02
+ E1 C0 A0 D5 33 E1 8A 14 D6 D5 5F 48 24 AA 41 89
+ FA FF FD 75 53 A3 65 77 CD 23 11 E0 BC 69 3A CE
+ F8 A2 A6 09 A6
+ C0 13 00 02 00 01 00 00 00 00 00 06
+ 03 6E 73 34 C0 13
+
+ ADDITIONAL
```
Download them and run this script like so:
```bash
python3 dns_request.py request3 5555
```
Thanks

https://gitlab.nic.cz/knot/knot-resolver/-/issues/774
Why KnotDNS return a packet with rcode 2 after receiving the unique packet from the upstream DNS server?
2022-11-25T11:02:40+01:00
mingkwind

Hi,
**Describe**
When KnotDNS receives the unique packet from the upstream DNS server, it returns a packet with a RCODE of 2 to the client. While
other authoritative dns servers like Unbound and Bind do the same test then they send back a RCODE of 0.
**To reproduce**
1. Start the fake upstream dns server
Download these two files and run like this:
https://643684107.oss-cn-beijing.aliyuncs.com/knot/dns_server_from_file.py
https://643684107.oss-cn-beijing.aliyuncs.com/knot/dns_response
```bash
python3 dns_server_from_file.py dns_response
```
2. Start the KnotDNS, the `knot.conf` are as follows:
```
-- SPDX-License-Identifier: CC0-1.0
-- vim:syntax=lua:set ts=4 sw=4:
-- Refer to manual: https://knot-resolver.readthedocs.org/en/stable/
-- Network interface configuration
net.listen('127.0.0.1', 5555, { kind = 'dns' })
--net.listen('127.0.0.1', 853, { kind = 'tls' })
--net.listen('127.0.0.1', 443, { kind = 'doh2' })
--net.listen('::1', 53, { kind = 'dns', freebind = true })
--net.listen('::1', 853, { kind = 'tls', freebind = true })
--net.listen('::1', 443, { kind = 'doh2' })
-- Load useful modules
modules = {
    'policy',
    'view',
}
modules.unload('priming')
trust_anchors.remove('.')
log_level('debug')
-- Cache size
cache.size = 100 * MB
-- view:addr('127.0.0.1/8', function (req, qry) return policy.PASS end)
policy.add(policy.all(policy.STUB({'127.0.0.1'})))
```
Then run like this:
```
./kresd -c knot.conf -n
```
3. Use python script to send the request packet to KnotDNS.
Download these two files and run like this:
https://643684107.oss-cn-beijing.aliyuncs.com/knot/dns_request.py
https://643684107.oss-cn-beijing.aliyuncs.com/knot/dns_request
```
python3 dns_request.py dns_request 5555
```
The result of the script:
```
Sending DNS query to 127.0.0.1:5555
DNS query data:
0000 31 32 01 00 00 01 00 00 00 00 00 00 03 66 6F 6F 12...........foo
0010 07 65 78 61 6D 70 6C 65 00 00 FF 00 01 .example.....
Received DNS response from 127.0.0.1:5555
DNS response data:
0000 31 32 81 82 00 01 00 00 00 00 00 00 03 66 6F 6F 12...........foo
0010 07 65 78 61 6D 70 6C 65 00 00 FF 00 01 .example.....
QR: 1
Opcode: 0
AA: 0
TC: 0
RD: 1
RA: 1
Z: 0
AD: 0
CD: 0
Rcode: 2
```
We can find that the Rcode is 2, but I try other DNS resolver like Bind or PowerDNS to do the same test, the result are as follows:
```
DNS query data:
0000 31 32 01 00 00 01 00 00 00 00 00 00 03 66 6F 6F 12...........foo
0010 07 65 78 61 6D 70 6C 65 00 00 FF 00 01 .example.....
Received DNS response from 127.0.0.1:7777
DNS response data:
0000 31 32 81 80 00 01 00 06 00 00 00 00 03 66 6F 6F 12...........foo
0010 07 65 78 61 6D 70 6C 65 00 00 FF 00 01 C0 0C 00 .example........
0020 2E 00 01 00 00 0E 10 00 44 00 2F 03 02 00 00 0E ........D./.....
0030 10 55 C2 6E 21 55 9A E1 21 44 F4 07 65 78 61 6D .U.n!U..!D..exam
0040 70 6C 65 00 04 4A 1F 3F FB 59 60 5A 09 DE 2F 23 ple..J.?.Y`Z../#
0050 EA EC C9 8C 9E 22 BE 33 ED C6 81 93 12 27 8C E8 .....".3.....'..
0060 53 38 E8 29 A2 9C 39 98 2E 1C 0D CD 02 C0 0C 00 S8.)..9.........
0070 2F 00 01 00 00 0E 10 00 18 06 66 75 74 75 72 65 /.........future
0080 07 65 78 61 6D 70 6C 65 00 00 06 40 00 80 00 00 .example...@....
0090 03 C0 0C 00 2E 00 01 00 00 01 2C 00 44 00 10 03 ..........,.D...
00A0 02 00 00 01 2C 55 C2 6E 21 55 9A E1 21 44 F4 07 ....,U.n!U..!D..
00B0 65 78 61 6D 70 6C 65 00 04 58 21 E2 42 05 05 54 example..X!.B..T
00C0 03 F4 0F 49 9B 53 29 2F 82 47 04 CB 1A AB 5F D1 ...I.S)/.G...._.
00D0 93 C3 F2 56 28 13 0F 01 B4 A5 4E 93 69 4D 78 C2 ...V(.....N.iMx.
00E0 5C C0 0C 00 10 00 01 00 00 01 2C 00 08 07 74 65 \.........,...te
00F0 73 74 69 6E 67 C0 0C 00 2E 00 01 00 00 01 2C 00 sting.........,.
0100 44 00 01 03 02 F7 FF 01 2C 55 C2 6E 21 55 9A E1 D.......,U.n!U..
0110 21 44 F4 07 65 78 61 6D 70 6C 65 00 04 89 C7 D2 !D..example.....
0120 4E E3 23 E9 1C A9 C7 B6 85 53 7F 12 72 9A E3 48 N.#......S..r..H
0130 D8 06 C6 29 70 67 1C E7 5D 6F D5 74 EF BB 96 14 ...)pg..]o.t....
0140 CB 72 4B 74 A2 C0 0C 00 01 00 01 00 00 01 2C 00 .rKt..........,.
0150 04 0A 00 01 00 .....
QR: 1
Opcode: 0
AA: 0
TC: 0
RD: 1
RA: 1
Z: 0
AD: 0
CD: 0
Rcode: 0
```
The Rcode is 0. So which Rcode is true? Why?
**Additional information**
The details of the request packet(dns_client) from client are as follows:
```
HEADER
31 32 01 00 00 01 00 00 00 00 00 00
QUESTION
03 66 6F 6F 07 65 78 61 6D 70 6C 65 00 00 FF 00 01
ANSWER
AUTHORITY
ADDITIONAL
```
The details of the response packet (dns_response) from the fake server are as follows:
```
HEADER
31 32 84 00 00 01 00 06 00 03 00 05
QUESTION
03 66 6F 6F 07 65 78 61 6D 70 6C 65 00 00 FF 00 01
ANSWER
C0 0C 00 01 00 01 00 00 01 2C 00 04
0A 00 01 00
C0 0C 00 2E 00 01 00 00 01 2C 00 44
00 01 03 02 F7 FF 01 2C 55 C2 6E 21 55 9A E1 21
44 F4 07 65 78 61 6D 70 6C 65 00 04 89 C7 D2 4E
E3 23 E9 1C A9 C7 B6 85 53 7F 12 72 9A E3 48 D8
06 C6 29 70 67 1C E7 5D 6F D5 74 EF BB 96 14 CB
72 4B 74 A2
C0 0C 00 10 00 01 00 00 01 2C 00 08
07 74 65 73 74 69 6E 67
C0 0C 00 2E 00 01 00 00 01 2C 00 44
00 10 03 02 00 00 01 2C 55 C2 6E 21 55 9A E1 21
44 F4 07 65 78 61 6D 70 6C 65 00 04 58 21 E2 42
05 05 54 03 F4 0F 49 9B 53 29 2F 82 47 04 CB 1A
AB 5F D1 93 C3 F2 56 28 13 0F 01 B4 A5 4E 93 69
4D 78 C2 5C
C0 0C 00 2F 00 01 00 00 0E 10 00 18
06 66 75 74 75 72 65 07 65 78 61 6D 70 6C 65 00
00 06 40 00 80 00 00 03
C0 0C 00 2E 00 01 00 00 0E 10 00 44
00 2F 03 02 00 00 0E 10 55 C2 6E 21 55 9A E1 21
44 F4 07 65 78 61 6D 70 6C 65 00 04 4A 1F 3F FB
59 60 5A 09 DE 2F 23 EA EC C9 8C 9E 22 BE 33 ED
C6 81 93 12 27 8C E8 53 38 E8 29 A2 9C 39 98 2E
1C 0D CD 02
AUTHORITY
C1 23 00 02 00 01 00 00 01 2C 00 06
03 6E 73 32 C1 23
C1 23 00 02 00 01 00 00 01 2C 00 06
03 6E 73 33 C1 23
C1 23 00 2E 00 01 00 00 01 2C 00 44
00 02 03 01 00 00 01 2C 55 C2 6E 21 55 9A E1 21
44 F4 07 65 78 61 6D 70 6C 65 00 04 44 68 1F B4
AA C3 2C C8 54 4B CC 9D 82 77 C6 23 37 74 77 5A
2B 66 21 00 2C 61 C5 DD 6C 0A 05 2F 1C 7F B6 45
D4 7B 12 6A
ADDITIONAL
C1 61 00 01 00 01 00 00 01 2C 00 04
0A 35 00 02
C1 73 00 01 00 01 00 00 01 2C 00 04
0A 35 00 03
C1 61 00 2E 00 01 00 00 01 2C 00 44
00 01 03 02 00 00 01 2C 55 C2 6E 21 55 9A E1 21
44 F4 07 65 78 61 6D 70 6C 65 00 04 23 15 51 F3
86 59 19 10 8B 39 69 6C EF 9A F9 16 AD B6 A4 FB
1B 96 0C DB 14 8D A4 0F A9 0B E1 DB A1 EA 65 D5
ED 56 1C EA
C1 73 00 2E 00 01 00 00 01 2C 00 44
00 01 03 02 00 00 01 2C 55 C2 6E 21 55 9A E1 21
44 F4 07 65 78 61 6D 70 6C 65 00 04 D2 B2 19 3A
04 AF 2B A5 A8 43 1F 03 EE 60 8F 44 47 BF F8 36
C5 DB 35 FA 08 6B 86 96 0F 26 6C EE 5C 0A DF 56
25 D1 01 A6
00 00 29 10 00 00 00 80 00 00 00
```

https://gitlab.nic.cz/knot/knot-resolver/-/issues/772
Forwarding to ISP servers doesn't work in Omnia after update to TOS 6.0.
2022-10-30T00:42:07+02:00
Martin Pecka

On Turris OS 5, I used DNS forwarding via kresd without issues. After update to 6.0, it doesn't work. I did not do anything custom with DNS on my router.
DNS settings in Reforis often time-out instead of applying what I set. In console, I see this:
```
# after setting forward_upstream to 1
# /etc/init.d/resolver restart
Called /etc/init.d/kresd stop
set dhcp script
sh: invalid number ''
job 9 at Fri Oct 28 23:29:00 2022
Called /etc/init.d/kresd start
set dhcp script
Called /etc/resolver/dhcp_host_domain_ng.py
```
When I try to query the DNS server on the router after this, all requests time out.
With `forward_upstream` set to 0, restart of kresd works without the reported error and DNS resolution actually works.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/771
Failed to allocate some buffers on AF_XDP ZC enabled Rx ring 0 (pf_q 0)
2023-09-28T04:49:34+02:00
Cybertronic

When enabling XDP on an interface, I am getting this error.
i40e 0000:03:00.0: Registered XDP mem model MEM_TYPE_XSK_BUFF_POOL on Rx ring 0
i40e 0000:03:00.0: Failed to allocate some buffers on AF_XDP ZC enabled Rx ring 0 (pf_q 0)
Is there a tunable I need to set somewhere?
please advise. thanks

https://gitlab.nic.cz/knot/knot-resolver/-/issues/770
Ubuntu 22.04 - [system] error while loading config: /usr/lib/knot-resolver/kres_modules/policy.lua:579: [poli] lua-cqueues required to watch and reload RPZ file (workdir '/var/lib/knot-resolver')
2022-10-17T10:24:16+02:00
Pål Sollie

After upgrading a box to Ubuntu 22.04 kresd started complaining about cqueues when I try to start it.
It errors out with the following message.
`[system] error while loading config: /usr/lib/knot-resolver/kres_modules/policy.lua:579: [poli] lua-cqueues required to watch and reload RPZ file (workdir '/var/lib/knot-resolver')`
I'm running 5.5.3
```
❯ kresd -V
Knot Resolver, version 5.5.3
```
I have the same config running on the same version of kresd on an Ubuntu 20.04 server, so I was expecting a straight upgrade to just work.
knot-resolver and all related packages were purged and reinstalled with `apt install knot-resolver`, which resulted in the following packages being installed.
```
dns-root-data
knot-resolver
libdnssec8
libknot12
libluajit-5.1-2
libluajit-5.1-common
lua-basexx
lua-binaryheap
lua-bit32
lua-compat53
lua-cqueues
lua-fifo
lua-http
lua-lpeg
lua-lpeg-patterns
lua-luaossl
lua-psl
```
The packages are installed from following the instructions on `https://www.knot-resolver.cz/download/`
Source repo was updated after OS upgrade.
Looking at an strace, it seems to be able to read the cqueues.notify source file `strace -e trace=open,openat,close,read,write,connect,accept /usr/sbin/kresd -c /usr/lib/knot-resolver/distro-preconfig.lua -c /etc/knot-resolver/kresd.conf -n`
```
openat(AT_FDCWD, "/etc/knot-resolver/kresd.conf.d/150-blacklist.conf", O_RDONLY) = 19
read(19, "-- Add blacklist zone\n\npolicy.ad"..., 8192) = 133
read(19, "", 4096) = 0
close(19) = 0
openat(AT_FDCWD, "/var/lib/knot-resolver/hblock.rpz", O_RDONLY) = 19
close(19) = 0
openat(AT_FDCWD, "/usr/lib/knot-resolver/cqueues/notify.lua", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/knot-resolver/cqueues/notify/init.lua", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "./cqueues/notify.lua", O_RDONLY) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/usr/share/luajit-2.1.0-beta3/cqueues/notify.lua", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/local/share/lua/5.1/cqueues/notify.lua", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/local/share/lua/5.1/cqueues/notify/init.lua", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/lua/5.1/cqueues/notify.lua", O_RDONLY) = 19
close(19) = 0
openat(AT_FDCWD, "/usr/share/lua/5.1/cqueues/notify.lua", O_RDONLY) = 19
read(19, "local loader = function(loader, "..., 8192) = 1364
read(19, "", 4096) = 0
```
Any suggestions for further debugging?