Knot Resolver issues
https://gitlab.nic.cz/knot/knot-resolver/-/issues
Updated: 2020-11-16T09:37:50+01:00

Issue #533: AF_XDP optimization
https://gitlab.nic.cz/knot/knot-resolver/-/issues/533
Updated: 2020-11-16T09:37:50+01:00
Author: Petr Špaček

Explore and implement prototype of AF_XDP network stack optimization.

Milestone: 2020 Q2
Assignee: Vladimír Čunát <vladimir.cunat@nic.cz>

Issue #447: rewrite server selection system
https://gitlab.nic.cz/knot/knot-resolver/-/issues/447
Updated: 2020-12-31T17:01:44+01:00
Author: Petr Špaček

Current server selection mechanism is not well defined, and sometimes exhibits hard-to-debug quirks. This is a ticket for collecting ideas about what we need from a proper server selection system.
Caveats
-------
- **look for existing literature about server selection!**
- **forwarding and iteration probably need different algorithms!**
- **what should be the overall criteria?** lowest RTT? reliability? lowest RTT when taking reliability into account? :-)
- can we map this to multi-armed bandit (or some other) model in statistics?
- verify that it is okay to operate with *server == IP address* mapping
  - multiple NS names can map to a single IP address
  - NS names are probably not significant, properties could be associated with IP addresses
  - think about unresolved NS names/incomplete glue
  - consider lazy NS name -> IP address resolving if we have enough working servers
- what about anycast nodes with different properties? is it worth considering, or just an unsupported configuration? read related RFCs about anycast DNS operation
- server selection probably needs to include *transport protocol* selection for each IP address - UDP, TCP, TLS, DTLS, QUIC, DoH, ...
- some errors (REFUSED, SERVFAIL, ...) are not a property of an IP address but in fact a property of the (IP address, zone) pair
  - e.g. one lame delegation to a name server of a big web hosting company should not penalize the NS IP address as a whole
- transport protocols are likely to have different properties/statistics - RTT, reliability, etc.
- think about TLS-to-auth auto discovery
- how can we incorporate the https://tools.ietf.org/html/draft-ietf-dnsop-extended-error draft?
- properties can change over time so our stats need to expire
Ideas for attributes
====================
IP address
----------
- supported EDNS version (to avoid FORMERR loops, but maybe we need only per-query state ...)
- supported transport protocols (TLS configuration etc.)
- DNS cookies
(IP address, protocol)
----------------------
- RTT
- transport layer "reliability" (maybe timeouts should not be mixed with RTT ...)
- transport protocol information (cached TLS certificate, session resumption, 0-RTT data support, ...)
(IP address, zone)
------------------
- usefulness - ok, SERVFAIL, REFUSED, BOGUS (lame delegations, expired zone data etc.)
Obviously storing (server, zone) attributes might lead to state explosion. We need to think twice about this. Maybe there is a way to optimize, e.g. store only "broken" (server, zone) pairs so we can penalize these during server selection but do not bother with the vast majority of "working" pairs.
Assorted ideas
--------------
Serve stale
- timestamp of last attempt
- SERVFAIL and ok per server?
- counters for DoS mitigation (query per zone per server or ...)

Milestone: 2020 Q2
Assignee: Štěpán Balážik

Issue #536: declarative config - experiments with sysrepo
https://gitlab.nic.cz/knot/knot-resolver/-/issues/536
Updated: 2020-10-09T19:18:24+02:00
Author: Petr Špaček

Problem statement
-----------------
Current configuration is practically a Lua program, which is a nightmare for multiple reasons:
- non-programmers have hard time understanding what is going on
- Lua language makes it hard to detect mistakes in config
- run-time reconfiguration requires doing each change N times for N processes
- gathering statistics from multiple processes is a total pain
- currently it exposes low-level stuff and is prone to crashes on invalid use (#182)
Experiment
----------
Do some preliminary experiments with sysrepo and see if it improves the situation sufficiently to make it worth investing into it more.
Objectives
----------
- experimental mode - sysrepo **must not** become a hard dependency of Knot Resolver
- put as much code as possible into separate (and optional) module
- minimize code duplication
- current Lua config must work the same way as it did before, sysrepo only complements the Lua config
Once we have sufficient experience with the implementation of sysrepo in kresd, we will revisit the pros and cons and decide what to do next.
Requirements for next stages
----------------------------
- sysrepo+libyang must be widely available in distros we care about
- sysrepo+libyang must be sufficiently stable
- sysrepo must allow us to build a new user interface with a reasonable complexity
Ideas to try
------------
- [x] build module to translate sysrepo callbacks to Lua config calls
- [x] build command line client which can display and edit declarative config in a text format (probably YAML to make it similar to Knot DNS)

Milestone: 2020 Q3

Issue #358: update sentinel implementation to draft-ietf-dnsop-kskroll-sentinel-14
https://gitlab.nic.cz/knot/knot-resolver/-/issues/358
Updated: 2018-06-25T18:38:22+02:00
Author: Petr Špaček

Implement https://tools.ietf.org/html/draft-ietf-dnsop-kskroll-sentinel-14 + tests

Due: 2018-06-30

Issue #350: migrate to a standard build system
https://gitlab.nic.cz/knot/knot-resolver/-/issues/350
Updated: 2019-03-12T12:12:25+01:00
Author: Petr Špaček

The current build system is a mess and confuses users. Something standard (autotools? meson? something else?) would be more familiar and could solve some of these issues "for free":
- #338
- #212 (maybe we should remove support for static build)
- #290
- #267
Also something which can gather some parts of C headers for further use in Lua FFI would be useful.

Milestone: 4.0.0
Assignee: Tomas Krizek
Due: 2019-06-30

Issue #336: crash while processing malformed query with 0 question with OPT
https://gitlab.nic.cz/knot/knot-resolver/-/issues/336
Updated: 2018-05-31T10:23:09+02:00
Author: vendemiat

```
(gdb) bt
#0 knot_wire_is_pointer (pos=0x557aac60607c "\300\f") at ./libknot/packet/wire.h:901
#1 knot_wire_get_pointer (pos=0x557aac60607c "\300\f") at libknot/packet/wire.c:122
#2 0x00007f6bee68c105 in knot_wire_seek_label (wire=0x557aac605ff0 "", lp=<optimized out>) at ./libknot/packet/wire.h:910
#3 knot_wire_next_label (wire=0x557aac605ff0 "", lp=<optimized out>) at ./libknot/packet/wire.h:920
#4 knot_dname_labels (name=<optimized out>, pkt=0x557aac605ff0 "") at libknot/dname.c:781
#5 0x00007f6bee68e7e8 in knot_pkt_put (pkt=0x557aac5c9760, compr_hint=<optimized out>, rr=0x557aac5c9868, flags=<optimized out>)
at libknot/packet/pkt.c:563
#6 0x00007f6bee9254e9 in kr_resolve_finish () from /usr/local/lib/libkres.so.6
#7 0x0000557aa81ecb26 in ?? ()
#8 0x0000000000000106 in ?? ()
#9 0x0000557aac5c7eb0 in ?? ()
#10 0x0000000000000106 in ?? ()
#11 0x0000000000000008 in ?? ()
#12 0x00007f6beedad010 in ?? ()
#13 0x0000557aa81edae9 in ?? ()
#14 0x0000000000000000 in ?? ()
(gdb) f 5
#5 0x00007f6bee68e7e8 in knot_pkt_put (pkt=0x557aac5c9760,
compr_hint=<optimized out>, rr=0x557aac5c9868, flags=<optimized out>)
at libknot/packet/pkt.c:563
563 libknot/packet/pkt.c: No such file or directory.
(gdb) print pkt
$4 = (knot_pkt_t *) 0x557aac5c9760
(gdb) print *pkt
$5 = {wire = 0x557aac605ff0 "", size = 12, max_size = 65535, parsed = 0,
reserved = 0, qname_size = 0, rrset_count = 0, flags = 2,
opt_rr = 0x557aac5c9868, tsig_rr = 0x0, tsig_wire = {pos = 0x0, len = 0},
current = KNOT_ADDITIONAL, sections = {{pkt = 0x557aac5c9760, pos = 0,
count = 0}, {pkt = 0x557aac5c9760, pos = 0, count = 0}, {
pkt = 0x557aac5c9760, pos = 0, count = 0}}, rrset_allocd = 16,
rr_info = 0x557aac5c9898, rr = 0x557aac5c9ad8, mm = {ctx = 0x557aac5c7e40,
alloc = 0x557aa81faee0 <mp_alloc>, free = 0x0}, compr = {
wire = 0x557aac605ff0 "", rrinfo = 0x557aac5c9898, suffix = {pos = 12,
labels = 0 '\000'}}}
(gdb) print rr
$6 = (const knot_rrset_t *) 0x557aac5c9868
(gdb) print *rr
$7 = {owner = 0x557aac5c9860 "", type = 41, rclass = 1536, rrs = {
rr_count = 1, data = 0x557aac5c9890 ""}, additional = 0x0}
```
it shouldn't read qname if it's not there
https://github.com/CZ-NIC/knot/blob/master/src/libknot/packet/pkt.c#L522
cc @vavrusam @anb

Assignee: Grigorii Demidov

Issue #335: knot-resolver 2.2.0 segfault when malformed response, which has label "\000".
https://gitlab.nic.cz/knot/knot-resolver/-/issues/335
Updated: 2018-05-31T10:16:51+02:00
Author: Toshifumi Sakaguchi

## Overview
Knot-resolver crashes when a malformed response is received from a malicious
authoritative server in my test (fuzzing) environment.
Response from the authoritative server:
```
;; QUESTION SECTION:
;www.example.com. IN A
;; AUTHORITY SECTION:
www.example.com. 600 IN NS \000.example.com.
;; ADDITIONAL SECTION:
\000.example.com. 600 IN A 192.168.33.101
```
Message at crash:
```
# /usr/local/sbin/kresd -c /usr/local/etc/knot-resolver/kresd.conf
[system] interactive mode
> Segmentation fault
```
Debugger output:
```
# gdb /usr/local/sbin/kresd
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-100.el7_4.1
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/sbin/kresd...(no debugging symbols found)...done.
(gdb) run -c /usr/local/etc/knot-resolver/kresd.conf
Starting program: /usr/local/sbin/kresd -c /usr/local/etc/knot-resolver/kresd.conf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[system] interactive mode
>
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7947488 in knot_dname_lf () from /lib64/libknot.so.7
Missing separate debuginfos, use: debuginfo-install glibc-2.17-196.el7_4.2.x86_64 gmp-6.0.0-15.el7.x86_64 gnutls-3.3.26-9.el7.x86_64 knot-libs-2.6.5-1.el7.x86_64 libcap-ng-0.7.5-4.el7.x86_64 libffi-3.0.13-18.el7.x86_64 libgcc-4.8.5-16.el7_4.2.x86_64 libstdc++-4.8.5-16.el7_4.2.x86_64 libtasn1-4.10-1.el7.x86_64 libuv-1.10.2-1.el7.x86_64 lmdb-libs-0.9.18-1.el7.x86_64 luajit-2.0.4-3.el7.x86_64 nettle-2.7.1-8.el7.x86_64 p11-kit-0.23.5-3.el7.x86_64 zlib-1.2.7-17.el7.x86_64
(gdb) list
No symbol table is loaded. Use the "file" command.
(gdb) bt
#0 0x00007ffff7947488 in knot_dname_lf () from /lib64/libknot.so.7
#1 0x00007ffff7b7736f in peek_exact_real.isra.9 ()
from /usr/local/lib/libkres.so.7
#2 0x00007ffff7b8ea23 in kr_zonecut_find_cached ()
from /usr/local/lib/libkres.so.7
#3 0x00007ffff7b88aae in zone_cut_check () from /usr/local/lib/libkres.so.7
#4 0x00007ffff7b8a657 in kr_resolve_produce ()
from /usr/local/lib/libkres.so.7
#5 0x0000555555561c83 in qr_task_step ()
#6 0x000055555555c19a in udp_recv ()
#7 0x00007ffff72c2696 in uv__udp_io () from /lib64/libuv.so.1
#8 0x00007ffff72c42e8 in uv__io_poll () from /lib64/libuv.so.1
#9 0x00007ffff72b5db8 in uv_run () from /lib64/libuv.so.1
#10 0x000055555555bd19 in main ()
```
## Environment
### IP addresses of each server
* root DNS server: 192.168.33.100/24
* malicious authoritative server: 192.168.33.101/24
* victim full service resolver: 192.168.33.102/24
### OS and software of each server
#### root DNS server
* OS: CentOS 7.4 x86_64 on VirtualBox VM
* DNS: bind
#### Malicious authoritative server
* OS: CentOS 7.4 x86_64 on VirtualBox VM
#### victim full service resolver
* OS: CentOS 7.4 x86_64 on VirtualBox VM
* DNS: knot-resolver 2.2.0
## Environment setup steps
### root server
Install CentOS 7.4 from install ISO image.
Set the VM's IP address to 192.168.33.100/24.
Set firewalld.
```
# firewall-cmd --zone=public --add-service=dns --permanent
# firewall-cmd --reload
```
Install Bind.
```
# yum install bind bind-utils
```
Upload and extract test-files.tar.gz
```
# cd /tmp
# tar xzf /path/to/test-files.tar.gz
```
Copy named.conf and root zone file.
```
# cp /tmp/test-files/root.named.conf /etc/named.conf
# cp /tmp/test-files/root.zone /var/named/root.zone
# chmod 644 /var/named/root.zone
```
Start named.
```
# systemctl start named
# systemctl enable named
```
### Malicious authoritative server
Install CentOS 7.4 from install ISO image.
Set IP address to 192.168.33.101/24.
Set firewalld
```
# firewall-cmd --zone=public --add-service=dns --permanent
# firewall-cmd --reload
```
Install Build tools.
```
# yum install epel-release
# yum install gcc-c++ boost-devel wget perl yaml-cpp-devel bind-utils
# wget https://cmake.org/files/v3.10/cmake-3.10.0-Linux-x86_64.sh
# sh cmake-3.10.0-Linux-x86_64.sh --skip-license --prefix=/usr/local
```
Install openssl 1.0.1 from source file.
```
# wget https://www.openssl.org/source/openssl-1.1.0g.tar.gz
# tar xzf openssl-1.1.0g.tar.gz
# cd openssl-1.1.0g
# ./config
# make
# make install
```
Upload and extract test-tools.tar.gz.
```
# cd /tmp
# tar xzf /path/to/test-tools.tar.gz
# cd test-tools
# OPENSSL_ROOT_DIR=/usr/local/ssl cmake .
# make
```
Start DNS service foreground.
```
# ./bin/knot-dname_lf
```
Log in to the authoritative server from another terminal and check the response of knot-dname_lf there.
```
# dig @127.0.0.1 www.example.com a +norec
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> @127.0.0.1 www.example.com a +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44651
;; flags: qr aa ad cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.example.com. IN A
;; AUTHORITY SECTION:
www.example.com. 600 IN NS \000.example.com.
;; ADDITIONAL SECTION:
\000.example.com. 600 IN A 192.168.33.101
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Apr 04 01:10:59 JST 2018
;; MSG SIZE rcvd: 104
```
### victim full service resolver
Install CentOS 7.4 from install ISO image.
Set IP address to 192.168.33.102/24.
Install Build tools.
```
# yum install epel-release
# yum install gcc-c++ openssl-devel wget knot-devel bind-utils luajit-devel libuv-devel
```
Install knot-resolver.
```
# wget https://secure.nic.cz/files/knot-resolver/knot-resolver-2.2.0.tar.xz
# tar xJf knot-resolver-2.2.0.tar.xz
# cd knot-resolver-2.2.0
# make CFLAGS=-DNDEBUG
# make install
# echo /usr/local/lib > /etc/ld.so.conf.d/knot.conf
# ldconfig
```
Upload and extract test-files.tar.gz.
```
# cd /tmp
# tar xzf /path/to/test-files.tar.gz
```
Copy kresd.conf and hints file.
```
# cp /tmp/test-files/kresd.conf /usr/local/etc/knot-resolver
# cp /tmp/test-files/root.hints /usr/local/etc/knot-resolver
```
Start knot-resolver.
```
# mkdir -p /tmp/db
# cd /tmp/db
# rm -f * ; /usr/local/sbin/kresd -c /usr/local/etc/knot-resolver/kresd.conf
```
Log in to the victim full service resolver from another terminal and send queries to knot-resolver.
```
# sh -x /tmp/test-files/crash.sh
```
Check knot-resolver process.
```
# /usr/local/sbin/kresd -c /usr/local/etc/knot-resolver/kresd.conf
[system] interactive mode
> Segmentation fault
```
[test-files.tar.gz](/uploads/afe8c7be07dd8efdc28b28f28516509c/test-files.tar.gz)
[test-tools.tar.gz](/uploads/79014a2e4e99983e5662412c8d88a0d6/test-tools.tar.gz)

Issue #315: policy.TLS_FORWARD emits UDP packets (cleartext DNS) on port 853 after some time
https://gitlab.nic.cz/knot/knot-resolver/-/issues/315
Updated: 2018-02-21T19:59:40+01:00
Author: Daniel Kahn Gillmor

I set up a local `kresd` instance, version 2.1.0 on debian testing/unstable, with the following policy:
```
policy.add(policy.all(policy.TLS_FORWARD({{'9.9.9.9', hostname='dns.quad9.net', ca_file='/etc/ssl/certs/ca-certificates.crt'}})))
```
I did a few queries on it while using wireshark to gather all traffic to/from `9.9.9.9`.
As expected, most traffic was TCP port 853, consisting of TLS traffic.
However, I did see occasional bursts of UDP traffic, also on port 853.
That traffic appears to actually be cleartext UDP traffic, described by wireshark (when I decode it as DNS) as:
```
W.X.Y.Z 9.9.9.9 DNS 70 Standard query 0x1c30 DNSKEY <Root> OPT
```
Perhaps this is intended to be a priming query?
Note that 9.9.9.9 sends ICMP "Host administratively prohibited" responses to UDP traffic on port 853. They only support TLS (over TCP).
In another case, I saw a query going out for an actual A record:
```
W.X.Y.Z 9.9.9.9 DNS 83 Standard query 0x08ee A WWW.IetF.org OPT
```
So in addition to a bug, this appears to be a leak of the private DNS request! I have not tried to debug it further.

Assignee: Grigorii Demidov

Issue #270: CI: optimize package installation
https://gitlab.nic.cz/knot/knot-resolver/-/issues/270
Updated: 2017-11-27T17:27:21+01:00
Author: Petr Špaček

It seems that the new Docker image introduced in !375 is not fully used because e.g.
https://gitlab.labs.nic.cz/knot/knot-resolver/blob/master/.gitlab-ci.yml#L47
is still doing some package installation etc. which slows whole CI down.
Most of the package preparations should be done in the Dockerfile so the CI just runs the image and we do not spend time waiting while running CI jobs.

Issue #257: improve cache flushing/eviction mechanism
https://gitlab.nic.cz/knot/knot-resolver/-/issues/257
Updated: 2019-07-03T15:43:16+02:00
Author: Petr Špaček

Right now cache flushing is kind of dumb because it flushes the whole cache as soon as it is full. This does not behave very well under high load because it leads to bursts of queries.
We need to find a way to implement proper cache eviction so items can be removed incrementally instead of dropping the whole cache.
See https://gitlab.labs.nic.cz/knot/knot-resolver/wikis/Knot-Resolver-Cache-Garbage-Collector

Assignee: Libor Peltan

Issue #234: RFC 6672: DNAME support
https://gitlab.nic.cz/knot/knot-resolver/-/issues/234
Updated: 2020-04-27T15:23:29+02:00
Author: Vladimír Čunát <vladimir.cunat@nic.cz>

https://tools.ietf.org/html/rfc6672 Mainly their validation doesn't work probably; the mandatory CNAMEs should make DNAMEs work on unsigned domains.
Related: #108, as DNAMEs are another way of generating RRs that haven't been seen.

Issue #153: support forwarding to kresd so DNSSEC validation can work
https://gitlab.nic.cz/knot/knot-resolver/-/issues/153
Updated: 2019-09-13T17:17:15+02:00
Author: Petr Špaček

In cases when `kresd` is run without a configured trust anchor it strips DNSSEC records (like `RRSIG`). It also happens if kresd thinks that a particular zone is insecure.
This breaks any validator using this non-validating `kresd` as a forwarder and also cases where the validating client has a different set of trust anchors than the kresd it forwards to.
Affected version: 96d29c0e91d161ad6e50d96d0be2c647af08f120
~~~
# rm *.mdb && sudo kresd -v &
# dig @127.0.0.1 +dnssec .
[ 0][plan] plan '.' type 'A'
[12071][iter] '.' type 'A' id was assigned, parent id 0
[12071][resl] => using root hints
[15848][iter] '.' type 'A' id was assigned, parent id 0
[15848][resl] => querying: '2001:dc3::35' score: 10 zone cut: '.' m12n: '.' type: 'A' proto: 'udp'
[15848][resl] => querying: '202.12.27.33' score: 10 zone cut: '.' m12n: '.' type: 'A' proto: 'udp'
[15848][iter] <= rcode: NOERROR
[15848][ pc ] => answer cached for TTL=900
[15848][resl] <= server: '2001:dc3::35' rtt: >=285 ms
[15848][resl] <= server: '202.12.27.33' rtt: 35 ms
[ 0][resl] finished: 4, queries: 1, mempool: 16400 B
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41638
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;. IN A
;; AUTHORITY SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2017020600 1800 900 604800 86400
;; Query time: 286 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Po úno 06 12:20:15 CET 2017
;; MSG SIZE rcvd: 103
~~~
Further inspection in Wireshark showed that the `DO` bit is received by `kresd` but not set in queries to upstream servers.

Issue #112: DNSSEC Validation in FORWARDing mode
https://gitlab.nic.cz/knot/knot-resolver/-/issues/112
Updated: 2017-10-31T01:10:18+01:00
Author: Ondřej Surý

In addition to `policy.FORWARD` that just passes the query to the upstream resolver and the answer back to OP, there should be a `policy.FULLFORWARD` that would do a full DNSSEC Validation in forwarding mode (behind a resolver that supports DNSSEC Validation).

Milestone: 1.3.0 release
Assignee: Grigorii Demidov

Issue #45: lib/dnssec: validation is slow
https://gitlab.nic.cz/knot/knot-resolver/-/issues/45
Updated: 2022-04-08T16:14:02+02:00
Author: Ghost User

Resolver uses ±2.2x more CPU time with validation enabled on Alexa data set.
There are several reasons for it:
* libdnssec key setup and conversion from rdata->key is expensive and puts small allocations in the hotpath; in the resolver this is unfortunately not a sunk cost
* the same for signing context setup
* signature verification itself is expensive, but that's expected
There are several high-level crypto operations we need:
* `keytag from dnskey rr` (this algo is described in dnssec rfc)
* `dnskey rr has SEP` (implemented)
* `dnskey rr is revoked` (implemented)
* `dnskey rr matches another` (compare algo + pubkey parts)
* `nsec3 hash of name` (not so critical, as most of the answers are positive)
* `hasher init/put/finalize` (for comparing DS/DNSKEY pairing, RRSIGs)
* `verify(digest,signature,pubkey)`
All of these should work on RR, as there is no metadata storage required.
Steps:
* [ ] Formalize described API and create a header
* [ ] Implement it using libdnssec current API
* [ ] Trim/cleanup current dnssec interface with only this API
* [ ] Implement it using mbed

Issue #747: Expired gpg key in OBS
https://gitlab.nic.cz/knot/knot-resolver/-/issues/747
Updated: 2022-09-03T18:37:20+02:00
Author: Vladimír Čunát <vladimir.cunat@nic.cz>

.deb users of our [upstream repo](https://www.knot-resolver.cz/download/) can't update anymore (Debian, Ubuntu).
Message examples:
```
# apt update
[...]
W: GPG error: http://download.opensuse.org/repositories/home:/CZ-NIC:/knot-resolver-latest/Debian_11 InRelease: The following signatures were invalid: EXPKEYSIG 74062DB36A1F4009 home:CZ-NIC OBS Project <home:CZ-NIC@build.opensuse.org>
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
```
The key:
```
pub rsa2048 2018-02-15 [SC] [expired: 2022-06-21]
45737F9C8BC3F3ED2791818274062DB36A1F4009
uid [ expired] home:CZ-NIC OBS Project <home:CZ-NIC@build.opensuse.org>
```

Issue #369: log DNSSEC validation failures on normal level
https://gitlab.nic.cz/knot/knot-resolver/-/issues/369
Updated: 2018-06-28T13:22:46+02:00
Author: Petr Špaček

DNSSEC validation failures should not occur at all during normal operations.
Feedback from operators indicates that at least the domain name and qtype
from queries which failed DNSSEC validation should be logged by default.

Issue #366: knot-resolver 2.3.0 aborted with "kresd: libknot/packet/pkt.c:84: pkt_wire_alloc: Assertion `len >= KNOT_WIRE_HEADER_SIZE' failed."
https://gitlab.nic.cz/knot/knot-resolver/-/issues/366
Updated: 2018-08-02T16:15:47+02:00
Author: Toshifumi Sakaguchi

## Overview
Kresd aborted with the following messages in my test (fuzzing) environment.
```
# rm -f *mdb ; /usr/local/sbin/kresd -c /usr/local/etc/knotolver/kresd.conf
[system] interactive mode
> [ ta ] key: 59407 state: Valid
[ ta ] next refresh for . in 12 hours
kresd: libknot/packet/pkt.c:84: pkt_wire_alloc: Assertion `len >= KNOT_WIRE_HEADER_SIZE' failed.
Aborted (core dumped)
```
Debugger output:
```
# gdb /usr/local/sbin/kresd
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-110.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/sbin/kresd...done.
(gdb) core-file core.25240
[New LWP 25240]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/local/sbin/kresd -c /usr/local/etc/knot-resolver/kresd.conf'.
Program terminated with signal 6, Aborted.
#0 0x00007fc078ef3277 in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install glibc-2.17-222.el7.x86_64 gmp-6.0.0-15.el7.x86_64 gnutls-3.3.26-9.el7.x86_64 libffi-3.0.13-18.el7.x86_64 libgcc-4.8.5-28.el7_5.1.x86_64 libstdc++-4.8.5-28.el7_5.1.x86_64 libtasn1-4.10-1.el7.x86_64 libuv-1.19.2-1.el7.x86_64 luajit-2.0.4-3.el7.x86_64 nettle-2.7.1-8.el7.x86_64 p11-kit-0.23.5-3.el7.x86_64 zlib-1.2.7-17.el7.x86_64
(gdb) bt
#0 0x00007fc078ef3277 in raise () from /lib64/libc.so.6
#1 0x00007fc078ef4968 in abort () from /lib64/libc.so.6
#2 0x00007fc078eec096 in __assert_fail_base () from /lib64/libc.so.6
#3 0x00007fc078eec142 in __assert_fail () from /lib64/libc.so.6
#4 0x00007fc07a719f04 in pkt_wire_alloc (len=11, pkt=0x559f324636b8)
at libknot/packet/pkt.c:84
#5 pkt_init (mm=0x559f324608a8, len=11, wire=0x0, pkt=0x559f324636b8)
at libknot/packet/pkt.c:200
#6 pkt_new_mm (mm=0x559f324608a8, len=11, wire=0x0)
at libknot/packet/pkt.c:252
#7 knot_pkt_new (wire=wire@entry=0x0, len=11, mm=mm@entry=0x559f324608a8)
at libknot/packet/pkt.c:270
#8 0x00007fc07a96d817 in consume_yield (ctx=ctx@entry=0x7ffd9c03a850,
pkt=pkt@entry=0x559f2983d500) at lib/resolve.c:78
#9 0x00007fc07a96f3a7 in kr_resolve_consume (
request=request@entry=0x559f32460770, src=src@entry=0x7ffd9c03aa10,
packet=packet@entry=0x559f2983d500) at lib/resolve.c:935
#10 0x0000559f27ac3455 in qr_task_step (task=0x559f32461a20,
packet_source=0x7ffd9c03aa10, packet=0x559f2983d500)
at daemon/worker.c:1565
#11 0x0000559f27ac5406 in worker_submit (worker=worker@entry=0x7fc07ad0e010,
handle=handle@entry=0x559f29842830, query=<optimized out>,
addr=<optimized out>, addr@entry=0x7ffd9c03aa10) at daemon/worker.c:1897
---Type <return> to continue, or q <return> to quit---
#12 0x0000559f27abd92a in udp_recv (handle=0x559f29842830,
nread=<optimized out>, buf=<optimized out>, addr=0x7ffd9c03aa10,
flags=<optimized out>) at daemon/io.c:166
#13 0x00007fc07a08fec6 in uv__udp_io () from /lib64/libuv.so.1
#14 0x00007fc07a091bb8 in uv__io_poll () from /lib64/libuv.so.1
#15 0x00007fc07a082f28 in uv_run () from /lib64/libuv.so.1
#16 0x0000559f27abd4a9 in run_worker (args=0x7ffd9c03de20,
leader=<optimized out>, ipc_set=0x7ffd9c03dca0, engine=0x7ffd9c03dfd0,
loop=0x7fc07a29dd00) at daemon/main.c:422
#17 main (argc=<optimized out>, argv=<optimized out>) at daemon/main.c:755
(gdb)
```
## Environment
### IP addresses of each server
* root DNS server: 192.168.33.100/24
* malicious authoritative server: 192.168.33.101/24
* victim full service resolver: 192.168.33.102/24
### OS and software of each server
#### root DNS server
* OS: CentOS 7.5 x86_64 on VirtualBox VM
* DNS: bind
#### Malicious authoritative server
* OS: CentOS 7.5 x86_64 on VirtualBox VM
#### victim full service resolver
* OS: CentOS 7.5 x86_64 on VirtualBox VM
* DNS: knot-resolver 2.3.0, knot-dns(libknot) 2.6.7
## Reproduction steps
### root server
Install CentOS 7.5 from install ISO image.
Set the VM's IP address to 192.168.33.100/24.
Set firewalld.
```
# firewall-cmd --zone=public --add-service=dns --permanent
# firewall-cmd --reload
```
Install Bind.
```
# yum install -y bind bind-utils
```
Upload and extract test-files.tar.gz
```
# cd /tmp
# tar xzf /path/to/test-files.tar.gz
```
Copy named.conf and root zone file.
```
# cp /tmp/test-files/root.named.conf /etc/named.conf
# cp /tmp/test-files/root.zone.signed /var/named/root.zone.signed
# chmod 644 /var/named/root.zone.signed
```
Start named.
```
# systemctl start named
# systemctl enable named
```
### Malicious authoritative server
Install CentOS 7.5 from install ISO image.
Set IP address to 192.168.33.101/24.
Set firewalld
```
# firewall-cmd --zone=public --add-service=dns --permanent
# firewall-cmd --reload
```
Install Build tools.
```
# yum install -y epel-release
# yum install -y gcc-c++ boost-devel wget perl yaml-cpp-devel bind-utils gtest-devel
# wget https://cmake.org/files/v3.10/cmake-3.10.0-Linux-x86_64.sh
# sh cmake-3.10.0-Linux-x86_64.sh --skip-license --prefix=/usr/local
```
Install OpenSSL 1.1.0 from source.
```
# wget https://www.openssl.org/source/openssl-1.1.0g.tar.gz
# tar xzf openssl-1.1.0g.tar.gz
# cd openssl-1.1.0g
# ./config shared
# make
# make install
# echo /usr/local/lib64 > /etc/ld.so.conf.d/local.conf
# ldconfig
```
Upload and extract dns-fuzz-server.tar.gz.
```
# tar xzf /path/to/dns-fuzz-server.tar.gz
# cd dns-fuzz-server
# cmake .
# make
```
Start the DNS service in the foreground.
```
# ./bin/fuzz_server -z example.com -f data/example.com.zone.full -K data/example.com.ksk.yaml -Z data/example.com.zsk.yaml -n 4
```
### victim full service resolver
Install CentOS 7.5 from install ISO image.
Set IP address to 192.168.33.102/24.
Set firewalld
```
# firewall-cmd --zone=public --add-service=dns --permanent
# firewall-cmd --reload
```
Install Build tools.
```
# yum install -y epel-release
# yum install -y gcc-c++ openssl-devel wget luajit-devel libuv-devel userspace-rcu-devel.x86_64 libedit-devel.x86_64 gcc-c++ gnutls-devel
```
Install knot-dns (libknot) 2.6.7 from source.
```
$ wget https://secure.nic.cz/files/knot-dns/knot-2.6.7.tar.xz
$ tar xJf knot-2.6.7.tar.xz
$ cd knot-2.6.7
$ ./configure
$ make
$ su
# make install
```
Install knot-resolver 2.3.0 from source.
```
# wget https://secure.nic.cz/files/knot-resolver/knot-resolver-2.3.0.tar.xz
# tar xJf knot-resolver-2.3.0.tar.xz
# cd knot-resolver-2.3.0
# PKG_CONFIG_PATH=/usr/local/lib/pkgconfig make LDFLAGS="-Wl,-rpath=/usr/local/lib" PREFIX="/usr/local" CFLAGS="-DNDEBUG -g" install
```
Upload and extract test-files.tar.gz.
```
# cd /tmp
# tar xzf /path/to/test-files.tar.gz
```
Copy kresd.conf, trust anchor and hints file.
```
# cp /tmp/test-files/kresd.conf /usr/local/etc/knot-resolver
# cp /tmp/test-files/root.hints /usr/local/etc/knot-resolver
# cp /tmp/test-files/root.keys /usr/local/etc/knot-resolver
```
Start knot-resolver.
```
# mkdir -p /tmp/db
# cd /tmp/db
# rm -f * ; /usr/local/sbin/kresd -c /usr/local/etc/knot-resolver/kresd.conf
```
Log in to the malicious authoritative server and send queries with `fuzz_client`.
```
# cd /path/to/dns-fuzz-server
# ./bin/fuzz_client -s 192.168.33.102 -b example.com -i 100
```
Please wait several hours or days.
[test-files.tar.gz](/uploads/014e5a07c6c80a5f29f03f1b31b4a15c/test-files.tar.gz)
[dns-fuzz-server.tar.gz](/uploads/39148d8d68c200350a0a34e7c85a8943/dns-fuzz-server.tar.gz)

https://gitlab.nic.cz/knot/knot-resolver/-/issues/342
logging: extra message when systemd fails to provide socket during service startup
2019-12-18T15:41:41+01:00 Tomas Krizek

When kresd is running under systemd with socket activation and systemd fails to provide the socket, kresd falls back to attempting to bind to a port directly. This fails because the service doesn't have these privileges. When examining the service log, the user finds:
```
kresd[9105]: [system] bind to '127.0.0.1@53' Permission denied
kresd[9105]: [system] bind to '::1@53' Permission denied
kresd[9105]: [string "init"]:12: error: not listening on any interface, exiting...
systemd[1]: kresd@1.service: Main process exited, code=exited, status=1/FAILURE
```
Which is misleading and provides no useful pointers to what has actually gone wrong. The log should explicitly mention that the systemd socket wasn't provided and make it clear that this is most likely the cause of the issue.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/339
Qname minimisation is disabled on authoritative answers
2019-08-12T16:45:44+02:00 Colin Petrie

Hi,
I found that qname minimisation gets disabled (in layer/iterate.c:643) when an authoritative answer is received with status NOERROR, as it does not treat this as a referral.
This means that in zones where the parent is also authoritative for the child (because the NS set for parent and child is the same, or overlaps), qname minimisation is disabled.
Unfortunately, this affects entire countries:
* .co.uk (same name servers as .uk)
* .co.nz (same name servers as .nz)
* .co.ke (same name servers as .ke)
Example:
```
[ 0][plan] plan 'super.secret.host.name.co.uk.' type 'A'
[16339][iter] 'super.secret.host.name.co.uk.' type 'A' id was assigned, parent id 0
[16339][zcut] found cut: . (return codes: DS -2, DNSKEY -2)
[16339][resl] => querying: '2001:500:1::53' score: 10 zone cut: '.' qname: 'uk.' qtype: 'NS' proto: 'udp'
[16339][resl] => querying: '198.97.190.53' score: 10 zone cut: '.' qname: 'uk.' qtype: 'NS' proto: 'udp'
[16339][iter] <= loaded 13 glue addresses
[16339][iter] <= referral response, follow
[16339][resl] <= server: '2001:500:1::53' rtt: >= 290 ms
[16339][resl] <= server: '198.97.190.53' rtt: 90 ms
[56102][iter] 'super.secret.host.name.co.uk.' type 'A' id was assigned, parent id 0
[56102][resl] => querying: '2401:fd80:404::1' score: 10 zone cut: 'uk.' qname: 'CO.Uk.' qtype: 'NS' proto: 'udp'
[56102][resl] => querying: '43.230.48.1' score: 10 zone cut: 'uk.' qname: 'CO.Uk.' qtype: 'NS' proto: 'udp'
[56102][iter] <= rcode: NOERROR
[56102][iter] <= found cut, retrying with non-minimized name
[56102][resl] <= server: '2401:fd80:404::1' rtt: >= 208 ms
[56102][resl] <= server: '43.230.48.1' rtt: 8 ms
[28449][iter] 'super.secret.host.name.co.uk.' type 'A' id was assigned, parent id 0
[28449][resl] => querying: '43.230.48.1' score: 11 zone cut: 'uk.' qname: 'SupER.SEcrET.HoST.naMe.co.UK.' qtype: 'A' proto: 'udp'
[28449][iter] <= referral response, follow
[28449][resl] <= server: '43.230.48.1' rtt: 10 ms
[60788][iter] 'super.secret.host.name.co.uk.' type 'A' id was assigned, parent id 0
[60788][plan] plan 'dns1.namemagic.com.' type 'AAAA'
[13623][iter] 'dns1.namemagic.com.' type 'AAAA' id was assigned, parent id 60788
[13623][zcut] found cut: . (return codes: DS -2, DNSKEY -2)
[13623][resl] => querying: '2001:500:12::d0d' score: 10 zone cut: '.' qname: 'Com.' qtype: 'NS' proto: 'udp'
[13623][resl] => querying: '192.112.36.4' score: 10 zone cut: '.' qname: 'Com.' qtype: 'NS' proto: 'udp'
[13623][iter] <= loaded 26 glue addresses
[13623][iter] <= referral response, follow
```
Note that:
```
[56102][iter] <= found cut, retrying with non-minimized name
```
now sends:
```
querying: '43.230.48.1' score: 11 zone cut: 'uk.' qname: 'SupER.SEcrET.HoST.naMe.co.UK.' qtype: 'A' proto: 'udp'
```
the full hostname (SupER.SEcrET.HoST.naMe.co.UK) was sent to 43.230.48.1
```
$ dig +short -x 43.230.48.1
dns4.nic.uk
```
This is effectively disabling qname minimisation for whole countries, and sending the full hostnames to the TLD registry.
Here is an example zone configuration, although you can find other countries with this setup:
```
$ kdig NS uk @k.root-servers.net
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 37077
;; Flags: qr rd; QUERY: 1; ANSWER: 0; AUTHORITY: 8; ADDITIONAL: 13
;; QUESTION SECTION:
;; uk. IN NS
;; AUTHORITY SECTION:
uk. 172800 IN NS dns2.nic.uk.
uk. 172800 IN NS dns1.nic.uk.
uk. 172800 IN NS dns3.nic.uk.
uk. 172800 IN NS nsb.nic.uk.
uk. 172800 IN NS nsd.nic.uk.
uk. 172800 IN NS nsc.nic.uk.
uk. 172800 IN NS dns4.nic.uk.
uk. 172800 IN NS nsa.nic.uk.
;; ADDITIONAL SECTION:
nsa.nic.uk. 172800 IN AAAA 2001:502:ad09::3
dns1.nic.uk. 172800 IN AAAA 2a01:618:400::1
dns2.nic.uk. 172800 IN AAAA 2401:fd80:400::1
dns3.nic.uk. 172800 IN AAAA 2a01:618:404::1
dns4.nic.uk. 172800 IN AAAA 2401:fd80:404::1
nsa.nic.uk. 172800 IN A 156.154.100.3
nsb.nic.uk. 172800 IN A 156.154.101.3
nsc.nic.uk. 172800 IN A 156.154.102.3
nsd.nic.uk. 172800 IN A 156.154.103.3
dns1.nic.uk. 172800 IN A 213.248.216.1
dns2.nic.uk. 172800 IN A 103.49.80.1
dns3.nic.uk. 172800 IN A 213.248.220.1
dns4.nic.uk. 172800 IN A 43.230.48.1
;; Received 440 B
;; Time 2018-04-06 16:07:44 CEST
;; From 2001:7fd::1@53(UDP) in 3.1 ms
```
and
```
$ kdig NS co.uk @nsa.nic.uk.
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 31233
;; Flags: qr aa rd; QUERY: 1; ANSWER: 8; AUTHORITY: 0; ADDITIONAL: 13
;; QUESTION SECTION:
;; co.uk. IN NS
;; ANSWER SECTION:
co.uk. 172800 IN NS nsc.nic.uk.
co.uk. 172800 IN NS nsd.nic.uk.
co.uk. 172800 IN NS dns4.nic.uk.
co.uk. 172800 IN NS dns2.nic.uk.
co.uk. 172800 IN NS dns1.nic.uk.
co.uk. 172800 IN NS dns3.nic.uk.
co.uk. 172800 IN NS nsa.nic.uk.
co.uk. 172800 IN NS nsb.nic.uk.
;; ADDITIONAL SECTION:
nsa.nic.uk. 172800 IN AAAA 2001:502:ad09::3
dns1.nic.uk. 172800 IN AAAA 2a01:618:400::1
dns2.nic.uk. 172800 IN AAAA 2401:fd80:400::1
dns3.nic.uk. 172800 IN AAAA 2a01:618:404::1
dns4.nic.uk. 172800 IN AAAA 2401:fd80:404::1
nsa.nic.uk. 172800 IN A 156.154.100.3
nsb.nic.uk. 172800 IN A 156.154.101.3
nsc.nic.uk. 172800 IN A 156.154.102.3
nsd.nic.uk. 172800 IN A 156.154.103.3
dns1.nic.uk. 172800 IN A 213.248.216.1
dns2.nic.uk. 172800 IN A 103.49.80.1
dns3.nic.uk. 172800 IN A 213.248.220.1
dns4.nic.uk. 172800 IN A 43.230.48.1
;; Received 443 B
;; Time 2018-04-06 16:08:17 CEST
;; From 2001:502:ad09::3@53(UDP) in 15.9 ms
```
Note that the .uk servers answer authoritatively for .co.uk.
If you need further information, just let me know.
Kind Regards, Colin
Vladimír Čunát vladimir.cunat@nic.cz

https://gitlab.nic.cz/knot/knot-resolver/-/issues/329
Daemon is leaking requests
2018-06-20T20:02:58+02:00 Marek Vavrusa

The server seems to be leaking requests since version 2.0. This is the graph of `worker.stats().concurrent` between restarts:
![Screen_Shot_2018-03-18_at_11.55.51_PM](/uploads/312ed5998f674b4cff442dc614744512/Screen_Shot_2018-03-18_at_11.55.51_PM.png)
This counter gets incremented every time a new task gets created https://gitlab.labs.nic.cz/knot/knot-resolver/blob/master/daemon/worker.c#L690 and decremented every time it gets freed, so that doesn't look right.
I managed to reproduce it:
1. Compile from latest master, start with no special configuration: `/usr/local/sbin/kresd -a 127.0.0.1#5354 -k root.keys`
2. Run dnsperf with the sample query data from https://www.nominum.com/measurement-tools/ for some time (~ 125651 queries) and stop it
3. Check `worker.stats()` in the console; it should drain to zero over time, but it stays at 5-20 concurrent queries forever
```
> worker.stats()
[rss] => 73400320
[pagefaults] => 5330
[concurrent_requests] => 18
[queries] => 125651
[systime] => 198.250469
[timeout] => 8186
[csw] => 151011
[swaps] => 0
[udp] => 156770
[dropped] => 0
[ipv6] => 50576
[concurrent] => 18
[tcp] => 1848
[ipv4] => 108042
[usertime] => 22.501294
```
(I added tracking of `worker->stats.rconcurrent` just to make sure it's the same as `worker->stats.concurrent`)
cc @anb @vendemiat
Marek Vavrusa
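The check below is an added example of turning the observation in this report into a test, not code from Knot Resolver or from the reporter. It parses the `[key] => value` lines that `worker.stats()` prints and flags a request leak when, with no new queries arriving (`queries` stays constant), `concurrent` sits at the same non-zero value across several samples instead of draining to zero. The first dump is taken from the report; the later snapshots in `LEAKY` and `HEALTHY` are constructed to show the two outcomes, and the two-sample grace period is an assumption.

```python
import re

# One stats line as printed by worker.stats(), e.g. "[concurrent] => 18"
STAT_LINE = re.compile(r"^\[(\w+)\]\s*=>\s*(-?\d+(?:\.\d+)?)$")


def parse_stats(text):
    """Parse a worker.stats() dump into a dict of ints/floats.

    Non-stat lines (the `> worker.stats()` prompt, blanks) are skipped.
    """
    stats = {}
    for line in text.splitlines():
        m = STAT_LINE.match(line.strip())
        if m:
            key, val = m.groups()
            stats[key] = float(val) if "." in val else int(val)
    return stats


def stuck_concurrency(snapshots, grace=2):
    """Detect requests that are never freed.

    `snapshots` are parse_stats() dicts taken at intervals after the load
    generator was stopped.  While `queries` does not grow, a healthy worker
    drains `concurrent` to 0 within a few request timeouts; if it instead sits
    at the same non-zero value for `grace` consecutive intervals, return that
    value (the number of leaked requests).  Return 0 if it drained.
    """
    stuck = 0
    for prev, cur in zip(snapshots, snapshots[1:]):
        idle = cur["queries"] == prev["queries"]
        stalled = cur["concurrent"] > 0 and cur["concurrent"] == prev["concurrent"]
        stuck = stuck + 1 if (idle and stalled) else 0
        if stuck >= grace:
            return cur["concurrent"]
    return 0


# Constructed samples: the first block is the dump from the report, the later
# ones are made up so the counter either sticks at 18 or drains to 0.
LEAKY = [
    "> worker.stats()\n[rss] => 73400320\n[concurrent_requests] => 18\n"
    "[queries] => 125651\n[timeout] => 8186\n[udp] => 156770\n[concurrent] => 18\n",
    "[queries] => 125651\n[timeout] => 8186\n[concurrent] => 18\n",
    "[queries] => 125651\n[timeout] => 8186\n[concurrent] => 18\n",
    "[queries] => 125651\n[timeout] => 8186\n[concurrent] => 18\n",
]
HEALTHY = [
    "[queries] => 125651\n[timeout] => 8186\n[concurrent] => 18\n",
    "[queries] => 125651\n[timeout] => 8190\n[concurrent] => 7\n",
    "[queries] => 125651\n[timeout] => 8195\n[concurrent] => 0\n",
    "[queries] => 125651\n[timeout] => 8195\n[concurrent] => 0\n",
]


def check(dumps):
    """Leaked-request count for a series of raw worker.stats() dumps (0 = clean)."""
    return stuck_concurrency([parse_stats(d) for d in dumps])


if __name__ == "__main__":
    print("leaky:", check(LEAKY), "healthy:", check(HEALTHY))   # leaky: 18 healthy: 0
```

Requiring `queries` to be flat is what makes the check usable on a live server: a plateau in `concurrent` under steady load says nothing, but a plateau while nothing new arrives can only be requests that were created and never freed, which is exactly the create/free accounting imbalance the report points at.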