Knot Resolver issues
https://gitlab.nic.cz/knot/knot-resolver/-/issues
Updated: 2023-04-19T13:13:01+02:00

Issue 788: Problems with resolution of ldt2.evolvi.co.uk (unexpected NXDOMAIN)
https://gitlab.nic.cz/knot/knot-resolver/-/issues/788
2023-04-19T13:13:01+02:00, Ondřej Benkovský

Hello, I am investigating a DNS resolution issue with the domain `ldt2.evolvi.co.uk` using Knot Resolver. The domain is resolved without problems by public resolvers like Google DNS (`8.8.8.8`), but resolving the same domain using Knot Resolver ends up with NXDOMAIN. Based on the resolution plan, I am guessing that there might be a problem with the \000 character found during DNS resolution?
See the following resolution plan:
```
[iterat][66545.00] 'ldt2.evolvi.co.uk.' type 'A' new uid was assigned .01, parent uid .00
[cache ][66545.01] => skipping unfit CNAME RR: rank 030, new TTL -340
[cache ][66545.01] => no NSEC* cached for zone: evolvi.co.uk.
[cache ][66545.01] => skipping zone: evolvi.co.uk., NSEC, hash 0;new TTL -123456789, ret -2
[cache ][66545.01] => skipping zone: evolvi.co.uk., NSEC, hash 0;new TTL -123456789, ret -2
[zoncut][66545.01] found cut: evolvi.co.uk. (rank 010 return codes: DS 1, DNSKEY 1)
[resolv][66545.01] => NS is provably without DS, going insecure
[select][66545.01] => id: '05621' choosing from addresses: 2 v4 + 0 v6; names to resolve: 2 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66545.01] => id: '05621' choosing: 'dns1.mtgsy.co.uk.'@'172.105.69.234#00053' with timeout 54 ms zone cut: 'evolvi.co.uk.'
[resolv][66545.01] => id: '05621' querying: 'dns1.mtgsy.co.uk.'@'172.105.69.234#00053' zone cut: 'evolvi.co.uk.' qname: 'LdT2.eVoLVI.Co.uk.' qtype: 'A' proto: 'udp'
[select][66545.01] => id: '05621' updating: 'dns1.mtgsy.co.uk.'@'172.105.69.234#00053' zone cut: 'evolvi.co.uk.' with rtt 26 to srtt: 30 and variance: 6
[iterat][66545.01] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 5621
;; Flags: qr aa cd QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 2
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
ldt2.evolvi.co.uk. A
;; ANSWER SECTION
ldt2.evolvi.co.uk. 300 CNAME azureprodev6ag.\000.
;; ADDITIONAL SECTION
azureprodev6ag.evolvi.co.uk. 600 A 51.105.12.148
[iterat][66545.01] <= rcode: NOERROR
[iterat][66545.01] <= cname chain, following
[cache ][66545.01] => stashed ldt2.evolvi.co.uk. CNAME, rank 030, 34 B total, incl. 0 RRSIGs
[iterat][66545.02] 'azureprodev6ag.\000.' type 'A' new uid was assigned .03, parent uid .00
[cache ][66545.03] => skipping zero-containing name azureprodev6ag.\000.
[zoncut][66545.03] found cut: . (rank 060 return codes: DS -2, DNSKEY 0)
[resolv][66545.03] >< TA: '.'
[select][66545.03] => id: '09381' choosing from addresses: 13 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66545.03] => id: '09381' choosing: 'j.root-servers.net.'@'192.58.128.30#00053' with timeout 23 ms zone cut: '.'
[resolv][66545.03] => id: '09381' querying: 'j.root-servers.net.'@'192.58.128.30#00053' zone cut: '.' qname: '\000.' qtype: 'NS' proto: 'udp'
[select][66545.03] => id: '09381' updating: 'j.root-servers.net.'@'192.58.128.30#00053' zone cut: '.' with rtt 2 to srtt: 3 and variance: 1
[iterat][66545.03] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 9381
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 4; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1472 B; ext-rcode: Unused
;; QUESTION SECTION
\000. NS
;; AUTHORITY SECTION
. 86400 NSEC aaa. NS SOA RRSIG NSEC DNSKEY
. 86400 RRSIG NSEC 8 0 86400 1683003600 1681876800 60955 . ntDYSODGiyW725OVm7aEdZi0/52owv36Fp6ZLSd2MELmroK/1TX8VjEUdmM1OXDxO72gNPwVhU4NTGugPGxYjO4deCV7O4VBvTEc+ayksGIpLhoHkHaeTvnEE4JBPgvhGmxkzHjbPsml8X78qLIe1iC9OX3lKCZKicJivA9Mb+4vSsPnRK00O2SS6b95daEeAyMnNl9KN3+Mh0YQAd0EsZ+dLqVV4nKN8Kq9n2iBuZXJEFb2x94qhXHbkA/uiHNGRaQ7WsylDF2A86uQaVelsPdGk5Z3PB7qGeN3QwMdZbN/rHPvnwSxPxJNcgMIli8SMe/I2eTtr1ltU0SbbOyWgQ==
. 86400 SOA a.root-servers.net. nstld.verisign-grs.com. 2023041900 1800 900 604800 86400
. 86400 RRSIG SOA 8 0 86400 1683003600 1681876800 60955 . fJ1IV7H70mU48wQVVaS6FvfFE83Yc6jrvm3BBROrj3bhFaA2Sb1rIC5ZgxIOERVGfCiZuIA2BDmSf+TpK6hNeqE3sfM5uDzJqKD8HSOAwRjBckOyIIY1Ln4rn8vBkDr6sPPgzMinrOjP4/vQLuH3a95nZXYqKOTBL8SF9/BNSCjmtsiNoUvIdSy/l9tgc+cSEMJIxI03C7f4cCbufMF+gPWriQw5M0yBJkmzlVmUIPTNw44VeHX+6RLpumSWcArAUahWSv5AUWLAtKWcvsmbHei5VeCuaRYYHJgyRF39NWvTgQ8y4/VWrT3h9Yox/r3ABdGzYyCkXdbQWiDma8+Ygw==
;; ADDITIONAL SECTION
[iterat][66545.03] <= rcode: NXDOMAIN
[iterat][66545.03] <= retrying with non-minimized name
[cache ][66545.03] => skipping zero-containing name \000.
[iterat][66545.03] 'azureprodev6ag.\000.' type 'A' new uid was assigned .04, parent uid .00
[select][66545.04] => id: '52347' choosing from addresses: 13 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66545.04] => id: '52347' choosing: 'j.root-servers.net.'@'192.58.128.30#00053' with timeout 23 ms zone cut: '.'
[resolv][66545.04] => id: '52347' querying: 'j.root-servers.net.'@'192.58.128.30#00053' zone cut: '.' qname: 'AzureprodEv6ag.\000.' qtype: 'A' proto: 'udp'
[select][66545.04] => id: '52347' updating: 'j.root-servers.net.'@'192.58.128.30#00053' zone cut: '.' with rtt 2 to srtt: 3 and variance: 1
[iterat][66545.04] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 52347
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 4; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1472 B; ext-rcode: Unused
;; QUESTION SECTION
azureprodev6ag.\000. A
;; AUTHORITY SECTION
. 86400 NSEC aaa. NS SOA RRSIG NSEC DNSKEY
. 86400 RRSIG NSEC 8 0 86400 1683003600 1681876800 60955 . ntDYSODGiyW725OVm7aEdZi0/52owv36Fp6ZLSd2MELmroK/1TX8VjEUdmM1OXDxO72gNPwVhU4NTGugPGxYjO4deCV7O4VBvTEc+ayksGIpLhoHkHaeTvnEE4JBPgvhGmxkzHjbPsml8X78qLIe1iC9OX3lKCZKicJivA9Mb+4vSsPnRK00O2SS6b95daEeAyMnNl9KN3+Mh0YQAd0EsZ+dLqVV4nKN8Kq9n2iBuZXJEFb2x94qhXHbkA/uiHNGRaQ7WsylDF2A86uQaVelsPdGk5Z3PB7qGeN3QwMdZbN/rHPvnwSxPxJNcgMIli8SMe/I2eTtr1ltU0SbbOyWgQ==
. 86400 SOA a.root-servers.net. nstld.verisign-grs.com. 2023041900 1800 900 604800 86400
. 86400 RRSIG SOA 8 0 86400 1683003600 1681876800 60955 . fJ1IV7H70mU48wQVVaS6FvfFE83Yc6jrvm3BBROrj3bhFaA2Sb1rIC5ZgxIOERVGfCiZuIA2BDmSf+TpK6hNeqE3sfM5uDzJqKD8HSOAwRjBckOyIIY1Ln4rn8vBkDr6sPPgzMinrOjP4/vQLuH3a95nZXYqKOTBL8SF9/BNSCjmtsiNoUvIdSy/l9tgc+cSEMJIxI03C7f4cCbufMF+gPWriQw5M0yBJkmzlVmUIPTNw44VeHX+6RLpumSWcArAUahWSv5AUWLAtKWcvsmbHei5VeCuaRYYHJgyRF39NWvTgQ8y4/VWrT3h9Yox/r3ABdGzYyCkXdbQWiDma8+Ygw==
;; ADDITIONAL SECTION
[iterat][66545.04] <= rcode: NXDOMAIN
[valdtr][66545.04] <= answer valid, OK
[cache ][66545.04] => stashed . SOA, rank 060, 358 B total, incl. 1 RRSIGs
[cache ][66545.04] => stashed . NSEC, rank 060, 308 B total, incl. 1 RRSIGs
[cache ][66545.04] => nsec_p stash for . skipped (extra TTL: 968, hash: 0)
[cache ][66545.04] => skipping zero-containing name azureprodev6ag.\000.
[resolv][66545.04] AD: request NOT classified as SECURE
[resolv][66545.04] finished in state: 4, queries: 2, mempool: 98352 B
;; selected from ANSWER sections:
; ranked rrset to_wire true, rank 030 (auth insecure), cached true, qry_uid 1, revalidations 0
ldt2.evolvi.co.uk. 300 CNAME azureprodev6ag.\000.
;; selected from AUTHORITY sections:
; ranked rrset to_wire true, rank 060 (auth secure), cached true, qry_uid 4, revalidations 0
. 3600 NSEC aaa. NS SOA RRSIG NSEC DNSKEY
; ranked rrset to_wire true, rank 060 (auth secure), cached true, qry_uid 4, revalidations 0
. 3600 RRSIG NSEC 8 0 86400 1683003600 1681876800 60955 . ntDYSODGiyW725OVm7aEdZi0/52owv36Fp6ZLSd2MELmroK/1TX8VjEUdmM1OXDxO72gNPwVhU4NTGugPGxYjO4deCV7O4VBvTEc+ayksGIpLhoHkHaeTvnEE4JBPgvhGmxkzHjbPsml8X78qLIe1iC9OX3lKCZKicJivA9Mb+4vSsPnRK00O2SS6b95daEeAyMnNl9KN3+Mh0YQAd0EsZ+dLqVV4nKN8Kq9n2iBuZXJEFb2x94qhXHbkA/uiHNGRaQ7WsylDF2A86uQaVelsPdGk5Z3PB7qGeN3QwMdZbN/rHPvnwSxPxJNcgMIli8SMe/I2eTtr1ltU0SbbOyWgQ==
; ranked rrset to_wire true, rank 060 (auth secure), cached true, qry_uid 4, revalidations 0
. 3600 SOA a.root-servers.net. nstld.verisign-grs.com. 2023041900 1800 900 604800 86400
; ranked rrset to_wire true, rank 060 (auth secure), cached true, qry_uid 4, revalidations 0
. 3600 RRSIG SOA 8 0 86400 1683003600 1681876800 60955 . fJ1IV7H70mU48wQVVaS6FvfFE83Yc6jrvm3BBROrj3bhFaA2Sb1rIC5ZgxIOERVGfCiZuIA2BDmSf+TpK6hNeqE3sfM5uDzJqKD8HSOAwRjBckOyIIY1Ln4rn8vBkDr6sPPgzMinrOjP4/vQLuH3a95nZXYqKOTBL8SF9/BNSCjmtsiNoUvIdSy/l9tgc+cSEMJIxI03C7f4cCbufMF+gPWriQw5M0yBJkmzlVmUIPTNw44VeHX+6RLpumSWcArAUahWSv5AUWLAtKWcvsmbHei5VeCuaRYYHJgyRF39NWvTgQ8y4/VWrT3h9Yox/r3ABdGzYyCkXdbQWiDma8+Ygw==
```
Thanks!

Issue 786: LMDB utils not working with the LMDB cache created by Knot
https://gitlab.nic.cz/knot/knot-resolver/-/issues/786
2023-03-29T21:19:01+02:00, Peter Siman

Hi,
I am trying to use the LMDB utils to dump (`mdb_dump`) and load (`mdb_load`) the cache created by Knot, but I am getting this error, which points to a problem (similar to the issue reported [here](https://github.com/princeton-vl/CoqGym/issues/39)) with the dump format (probably an LMDB version mismatch).
```
line 6: unrecognized keyword ignored: db_pagesize
```
I am using the latest `lmdb-utils` package installed using `apt-get`. I was trying to look into the source code of knot-resolver to find out which version of LMDB is used in it, or whether I can use the latest version of LMDB. Is this possible?
Thanks!

Issue 785: manager: API talks only JSON
https://gitlab.nic.cz/knot/knot-resolver/-/issues/785
2023-03-29T13:40:03+02:00, Vaclav Sraier

It currently accepts YAML; we don't want that...
Assignee: Aleš Mrázek

Issue 783: resolving local zones when there's no internet (issue with policy)
https://gitlab.nic.cz/knot/knot-resolver/-/issues/783
2023-03-01T17:44:05+01:00, Daniel Baumann

Hi,
Use case:
* Our kresd instances have policy.FORWARD/policy.STUB to resolve internal zone files by asking the authoritative servers directly, rather than going to the internet.
* When we cut internet access for kresd, it fails to forward the queries to the authoritative servers, even though they are reachable and answer properly when asked.
* When we lose internet (or for extra resilience), kresd should still resolve all internal zones and only fail to resolve stuff on the internet.
For hints, this is working properly: they are always answered, also when there's no internet connection.
For forwards, I've played around a bit with 'policy < hints' and such in modules = {}, but to no avail.
Am I missing something, or is this not possible? Is the use case/situation clear enough, or do you want me to provide the exact configuration and debug log to reproduce?
Regards,
Daniel

Issue 782: DNSSEC error for gma.vmathlive.com but DNSViz says domain is OK
https://gitlab.nic.cz/knot/knot-resolver/-/issues/782
2023-02-22T12:12:06+01:00, Peter Siman

Hi,
I am investigating an issue with the `gma.vmathlive.com` domain. Knot Resolver states there is a [dnssec] validation error for this domain, but when I try to debug this using DNSViz, it seems like DNSSEC is OK.
I am getting this resolution log from Knot Resolver:
```
curl localhost:8453/trace/gma.vmathlive.com/AAAA
[iterat][66078.00] 'gma.vmathlive.com.' type 'AAAA' new uid was assigned .01, parent uid .00
[cache ][66078.01] => no NSEC* cached for zone: com.
[cache ][66078.01] => skipping zone: com., NSEC, hash 0;new TTL -123456789, ret -2
[cache ][66078.01] => skipping zone: com., NSEC, hash 0;new TTL -123456789, ret -2
[zoncut][66078.01] found cut: com. (rank 002 return codes: DS 0, DNSKEY 0)
[select][66078.01] => id: '43261' choosing from addresses: 13 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66078.01] => id: '43261' choosing: 'b.gtld-servers.net.'@'192.33.14.30#00053' with timeout 26 ms zone cut: 'com.'
[resolv][66078.01] => id: '43261' querying: 'b.gtld-servers.net.'@'192.33.14.30#00053' zone cut: 'com.' qname: 'VmAThlIvE.coM.' qtype: 'NS' proto: 'udp'
[select][66078.01] => id: '43261' updating: 'b.gtld-servers.net.'@'192.33.14.30#00053' zone cut: 'com.' with rtt 3 to srtt: 6 and variance: 3
[iterat][66078.01] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 43261
;; Flags: qr cd QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 3
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION
vmathlive.com. NS
;; AUTHORITY SECTION
vmathlive.com. 172800 NS ns1.cambiumlearning.com.
vmathlive.com. 172800 NS ns2.cambiumlearning.com.
vmathlive.com. 86400 DS 38134 13 4 DC5F0BEA08FB6D643D89D74A14EDCD210C085E3B6782B9782FEE91BB66A76A83B4181774E0723461AC9B6F18C402C447
vmathlive.com. 86400 DS 38134 13 2 1BA1023E142BCB7B0F7CB6AC4C00771D100F326AC905DAC6074E41AFB25D7870
vmathlive.com. 86400 DS 38134 13 1 902FF916A6140AA401A187EEBDBD636EDFA7EFB1
vmathlive.com. 86400 RRSIG DS 8 2 86400 1677479970 1676870970 36739 com. vOM/iMztbhiYHxhbkI/Yf4t5OWquuKD8OscNNjsapaQ7qruzuAahkk7pD63I1sq+vM62+LvNW1hbK3hWkvqL6yzVPuoNu3fDn/WcxEEn4Kun1/kz2n3PEWdU1jgMnh3WpmzyAmMq33AagPtQT6AvA0hPAoH7nKr7TT+xlh1G9bpI7KFgl3AvMf2xq3N48JwhvxDf/jJx3yhx/xyOz3Hxsw==
;; ADDITIONAL SECTION
ns1.cambiumlearning.com. 172800 A 66.248.224.140
ns2.cambiumlearning.com. 172800 A 50.238.167.169
[iterat][66078.01] <= loaded 2 glue addresses
[iterat][66078.01] <= referral response, follow
[valdtr][66078.01] <= DS: OK
[valdtr][66078.01] <= answer valid, OK
[cache ][66078.01] => stashed vmathlive.com. DS, rank 060, 318 B total, incl. 1 RRSIGs
[cache ][66078.01] => stashed vmathlive.com. NS, rank 002, 70 B total, incl. 0 RRSIGs
[cache ][66078.01] => stashed also 2 nonauth RRsets
[iterat][66078.01] 'gma.vmathlive.com.' type 'AAAA' new uid was assigned .02, parent uid .00
[plan ][66078.02] plan 'vmathlive.com.' type 'DNSKEY' uid [66078.03]
[iterat][66078.03] 'vmathlive.com.' type 'DNSKEY' new uid was assigned .04, parent uid .02
[cache ][66078.04] => no NSEC* cached for zone: vmathlive.com.
[cache ][66078.04] => skipping zone: vmathlive.com., NSEC, hash 0;new TTL -123456789, ret -2
[cache ][66078.04] => skipping zone: vmathlive.com., NSEC, hash 0;new TTL -123456789, ret -2
[select][66078.04] => id: '18904' choosing from addresses: 2 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66078.04] => id: '18904' choosing: 'ns1.cambiumlearning.com.'@'66.248.224.140#00053' with timeout 400 ms zone cut: 'vmathlive.com.'
[resolv][66078.04] => id: '18904' querying: 'ns1.cambiumlearning.com.'@'66.248.224.140#00053' zone cut: 'vmathlive.com.' qname: 'vmatHLiVe.Com.' qtype: 'DNSKEY' proto: 'udp'
[select][66078.04] => id: '18904' updating: 'ns1.cambiumlearning.com.'@'66.248.224.140#00053' zone cut: 'vmathlive.com.' with rtt 133 to srtt: 133 and variance: 66
[iterat][66078.04] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 18904
;; Flags: qr aa QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
vmathlive.com. DNSKEY
;; ANSWER SECTION
vmathlive.com. 3600 RRSIG DNSKEY 13 2 3600 1677715200 1675900800 38134 vmathlive.com. LGEYXMp94nHpWX1vx7RaIFevV80jc/pOWub8+zkDq+ZnFnZ21KsiTiNwdGXdmDcjfS/DmzbYmQ1uk0PDPkTM8Q==
vmathlive.com. 3600 DNSKEY 257 3 13 WOWG2N+2P72hJS7k0mvEbOFNyo/d7qIa5qb2Kyj0oYz65nPhOIxZ8sc/1C3qAVINMyrOyOK2LtHsjg8sA7pr5Q==
;; ADDITIONAL SECTION
[iterat][66078.04] <= rcode: NOERROR
[valdtr][66078.04] <= parent: updating DNSKEY
[valdtr][66078.04] <= answer valid, OK
[cache ][66078.04] => stashed vmathlive.com. DNSKEY, rank 060, 184 B total, incl. 1 RRSIGs
[iterat][66078.02] 'gma.vmathlive.com.' type 'AAAA' new uid was assigned .05, parent uid .00
[select][66078.05] => id: '20059' choosing from addresses: 2 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66078.05] => id: '20059' choosing: 'ns2.cambiumlearning.com.'@'50.238.167.169#00053' with timeout 400 ms zone cut: 'vmathlive.com.'
[resolv][66078.05] => id: '20059' querying: 'ns2.cambiumlearning.com.'@'50.238.167.169#00053' zone cut: 'vmathlive.com.' qname: 'Gma.VMaTHLIve.cOM.' qtype: 'AAAA' proto: 'udp'
[select][66078.05] => id: '20059' updating: 'ns2.cambiumlearning.com.'@'50.238.167.169#00053' zone cut: 'vmathlive.com.' with rtt 109 to srtt: 109 and variance: 54
[iterat][66078.05] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 20059
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 4; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
gma.vmathlive.com. AAAA
;; AUTHORITY SECTION
vmathlive.com. 300 SOA ns1.cambiumlearning.com. hostmaster.cambiumlearning.com. 2022082611 10800 3600 604800 3600
vmathlive.com. 300 RRSIG SOA 13 2 300 1677715200 1675900800 38134 vmathlive.com. Kd4huzuDTm2sR0FffNa6Cv5bu7hcaQhzaV9seqiL0HfoZ+XdWCf0B7s7/k5bxnVQPuOb1jUAMa7ncCXXB/L3nw==
vmathlive.com. 300 NSEC vmathlive.com. A NS SOA RRSIG NSEC DNSKEY
vmathlive.com. 300 RRSIG NSEC 13 2 300 1677715200 1675900800 38134 vmathlive.com. 5lT1gBZAZ3h1C0uRU6TeK3IgRTpxmZttV4ahGbrRPnipMdHrN9B+PQK3Jd0v5jjwgTdcsiOpK6c8tMyRdR3+Fg==
;; ADDITIONAL SECTION
[iterat][66078.05] <= rcode: NOERROR
[valdtr][66078.05] <= bad NODATA proof
[select][66078.05] => id: '20059' noting selection error: 'ns2.cambiumlearning.com.'@'50.238.167.169#00053' zone cut: 'vmathlive.com.' error: 14 DNSSEC_ERROR
[cache ][66078.05] => stashed vmathlive.com. NSEC, rank 060, 140 B total, incl. 1 RRSIGs
[cache ][66078.05] => stashed vmathlive.com. SOA, rank 060, 194 B total, incl. 1 RRSIGs
[cache ][66078.05] => nsec_p stashed for vmathlive.com. (new, hash: 0)
[cache ][66078.05] => stashed packet: rank 025, TTL 300, AAAA gma.vmathlive.com. (379 B)
[iterat][66078.05] 'gma.vmathlive.com.' type 'AAAA' new uid was assigned .06, parent uid .00
[select][66078.06] => id: '33899' choosing from addresses: 1 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66078.06] => id: '33899' choosing: 'ns1.cambiumlearning.com.'@'66.248.224.140#00053' with timeout 397 ms zone cut: 'vmathlive.com.'
[resolv][66078.06] => id: '33899' querying: 'ns1.cambiumlearning.com.'@'66.248.224.140#00053' zone cut: 'vmathlive.com.' qname: 'GmA.VmaTHlIVE.Com.' qtype: 'AAAA' proto: 'udp'
[select][66078.06] => id: '33899' updating: 'ns1.cambiumlearning.com.'@'66.248.224.140#00053' zone cut: 'vmathlive.com.' with rtt 126 to srtt: 132 and variance: 51
[iterat][66078.06] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 33899
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 4; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
gma.vmathlive.com. AAAA
;; AUTHORITY SECTION
vmathlive.com. 300 SOA ns1.cambiumlearning.com. hostmaster.cambiumlearning.com. 2022082611 10800 3600 604800 3600
vmathlive.com. 300 RRSIG SOA 13 2 300 1677715200 1675900800 38134 vmathlive.com. tua7ePdyjjRyyRDyr3gdankU7Xz2QUVOgfbErT6ssGtxGhLueKj8TLy3fgdkAZlsUtLTQoHParWTek6wc3ccSg==
vmathlive.com. 300 NSEC vmathlive.com. A NS SOA RRSIG NSEC DNSKEY
vmathlive.com. 300 RRSIG NSEC 13 2 300 1677715200 1675900800 38134 vmathlive.com. wbGfikMJDqGkfDCn+7XQX7leUDIoAfYwZRtA0yysmg0MDJNFi7Cn6sw1He+JlWkX7zX2Vsk2oNhQE7a+u5fZNA==
;; ADDITIONAL SECTION
[iterat][66078.06] <= rcode: NOERROR
[valdtr][66078.06] <= bad NODATA proof
[select][66078.06] => id: '33899' noting selection error: 'ns1.cambiumlearning.com.'@'66.248.224.140#00053' zone cut: 'vmathlive.com.' error: 14 DNSSEC_ERROR
[cache ][66078.06] => stashed vmathlive.com. NSEC, rank 060, 140 B total, incl. 1 RRSIGs
[cache ][66078.06] => stashed vmathlive.com. SOA, rank 060, 194 B total, incl. 1 RRSIGs
[cache ][66078.06] => nsec_p stash for vmathlive.com. skipped (extra TTL: 0, hash: 0)
[cache ][66078.06] => not overwriting AAAA gma.vmathlive.com.
[iterat][66078.06] 'gma.vmathlive.com.' type 'AAAA' new uid was assigned .07, parent uid .00
[select][66078.07] => id: '57610' choosing from addresses: 0 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66078.07] => id: '57610' no suitable transport, zone cut: 'vmathlive.com.'
[iterat][66078.07] 'gma.vmathlive.com.' type 'AAAA' new uid was assigned .08, parent uid .00
[select][66078.08] => id: '47107' choosing from addresses: 0 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66078.08] => id: '47107' no suitable transport, zone cut: 'vmathlive.com.'
[resolv][66078.00] request failed, answering with empty SERVFAIL
[resolv][66078.08] finished in state: 8, queries: 2, mempool: 98352 B
;; selected from ANSWER sections:
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 4, revalidations 0
vmathlive.com. 3600 RRSIG DNSKEY 13 2 3600 1677715200 1675900800 38134 vmathlive.com. LGEYXMp94nHpWX1vx7RaIFevV80jc/pOWub8+zkDq+ZnFnZ21KsiTiNwdGXdmDcjfS/DmzbYmQ1uk0PDPkTM8Q==
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 4, revalidations 0
vmathlive.com. 3600 DNSKEY 257 3 13 WOWG2N+2P72hJS7k0mvEbOFNyo/d7qIa5qb2Kyj0oYz65nPhOIxZ8sc/1C3qAVINMyrOyOK2LtHsjg8sA7pr5Q==
;; selected from AUTHORITY sections:
; ranked rrset to_wire false, rank 002 (try), cached true, qry_uid 1, revalidations 0
vmathlive.com. 3600 NS ns1.cambiumlearning.com.
vmathlive.com. 3600 NS ns2.cambiumlearning.com.
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 1, revalidations 0
vmathlive.com. 3600 DS 38134 13 1 902FF916A6140AA401A187EEBDBD636EDFA7EFB1
vmathlive.com. 3600 DS 38134 13 2 1BA1023E142BCB7B0F7CB6AC4C00771D100F326AC905DAC6074E41AFB25D7870
vmathlive.com. 3600 DS 38134 13 4 DC5F0BEA08FB6D643D89D74A14EDCD210C085E3B6782B9782FEE91BB66A76A83B4181774E0723461AC9B6F18C402C447
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 1, revalidations 0
vmathlive.com. 3600 RRSIG DS 8 2 86400 1677479970 1676870970 36739 com. vOM/iMztbhiYHxhbkI/Yf4t5OWquuKD8OscNNjsapaQ7qruzuAahkk7pD63I1sq+vM62+LvNW1hbK3hWkvqL6yzVPuoNu3fDn/WcxEEn4Kun1/kz2n3PEWdU1jgMnh3WpmzyAmMq33AagPtQT6AvA0hPAoH7nKr7TT+xlh1G9bpI7KFgl3AvMf2xq3N48JwhvxDf/jJx3yhx/xyOz3Hxsw==
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 5, revalidations 0
vmathlive.com. 300 SOA ns1.cambiumlearning.com. hostmaster.cambiumlearning.com. 2022082611 10800 3600 604800 3600
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 5, revalidations 0
vmathlive.com. 300 RRSIG SOA 13 2 300 1677715200 1675900800 38134 vmathlive.com. Kd4huzuDTm2sR0FffNa6Cv5bu7hcaQhzaV9seqiL0HfoZ+XdWCf0B7s7/k5bxnVQPuOb1jUAMa7ncCXXB/L3nw==
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 5, revalidations 0
vmathlive.com. 300 NSEC vmathlive.com. A NS SOA RRSIG NSEC DNSKEY
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 5, revalidations 0
vmathlive.com. 300 RRSIG NSEC 13 2 300 1677715200 1675900800 38134 vmathlive.com. 5lT1gBZAZ3h1C0uRU6TeK3IgRTpxmZttV4ahGbrRPnipMdHrN9B+PQK3Jd0v5jjwgTdcsiOpK6c8tMyRdR3+Fg==
; ranked rrset to_wire true, rank 060 (auth secure), cached true, qry_uid 6, revalidations 0
vmathlive.com. 300 SOA ns1.cambiumlearning.com. hostmaster.cambiumlearning.com. 2022082611 10800 3600 604800 3600
; ranked rrset to_wire true, rank 060 (auth secure), cached true, qry_uid 6, revalidations 0
vmathlive.com. 300 RRSIG SOA 13 2 300 1677715200 1675900800 38134 vmathlive.com. tua7ePdyjjRyyRDyr3gdankU7Xz2QUVOgfbErT6ssGtxGhLueKj8TLy3fgdkAZlsUtLTQoHParWTek6wc3ccSg==
; ranked rrset to_wire true, rank 060 (auth secure), cached true, qry_uid 6, revalidations 0
vmathlive.com. 300 NSEC vmathlive.com. A NS SOA RRSIG NSEC DNSKEY
; ranked rrset to_wire true, rank 060 (auth secure), cached true, qry_uid 6, revalidations 0
vmathlive.com. 300 RRSIG NSEC 13 2 300 1677715200 1675900800 38134 vmathlive.com. wbGfikMJDqGkfDCn+7XQX7leUDIoAfYwZRtA0yysmg0MDJNFi7Cn6sw1He+JlWkX7zX2Vsk2oNhQE7a+u5fZNA==
;; selected from ADDITIONAL sections:
; ranked rrset to_wire false, rank 001 (omit), cached true, qry_uid 1, revalidations 0
ns1.cambiumlearning.com. 3600 A 66.248.224.140
; ranked rrset to_wire false, rank 001 (omit), cached true, qry_uid 1, revalidations 0
ns2.cambiumlearning.com. 3600 A 50.238.167.169
```
DNSViz DNSSEC analysis [result](https://dnsviz.net/d/gma.vmathlive.com/responses/)
Any idea what might be wrong?
Thanks in advance for your assistance!

Issue 781: Build on MSYS
https://gitlab.nic.cz/knot/knot-resolver/-/issues/781
2023-03-20T09:15:18+01:00, Christopher Ng

Currently this doesn't build on MSYS (i.e. Cygwin). I've managed to get it to build/run on MSYS, but it also required minor fixes to `LMDB` and `knot-dns` (mostly build flags etc.). Is there any interest in merging support for this environment?
It has to run under MSYS; running under 'native native' Windows (i.e. MSVC runtime or similar) needs a lot more changes to `knot-dns`, and I didn't get very far into investigating it.

Issue 780: Issues of EDNS buffer size
https://gitlab.nic.cz/knot/knot-resolver/-/issues/780
2023-01-21T07:23:19+01:00, idealeer

Although the `edns buffer size` is set to 1232 for a query, Knot Resolver still receives responses with a size larger than 1232, even larger than 4096.
As suggested here https://www.dnsflagday.net/2020/:
```
It is important for DNS software vendors to comply with DNS standards,
and to use a default EDNS buffer size (1232 bytes) that will not cause
fragmentation on typical network links.
```
We recommend following current practice by only accepting responses smaller than 1,232 bytes by default, as implemented in PowerDNS Recursor.
We also wonder why Knot Resolver does this.

Issue 774: Why does KnotDNS return a packet with rcode 2 after receiving the unique packet from the upstream DNS server?
https://gitlab.nic.cz/knot/knot-resolver/-/issues/774
2022-11-25T11:02:40+01:00, mingkwind

Hi,
**Describe**
When KnotDNS receives the unique packet from the upstream DNS server, it returns a packet with an RCODE of 2 to the client, while other authoritative DNS servers like Unbound and Bind, given the same test, send back an RCODE of 0.
**To reproduce**
1. Start the fake upstream DNS server.
Download these two files and run like this:
https://643684107.oss-cn-beijing.aliyuncs.com/knot/dns_server_from_file.py
https://643684107.oss-cn-beijing.aliyuncs.com/knot/dns_response
```bash
python3 dns_server_from_file.py dns_response
```
2. Start KnotDNS; the `knot.conf` is as follows:
```lua
-- SPDX-License-Identifier: CC0-1.0
-- vim:syntax=lua:set ts=4 sw=4:
-- Refer to manual: https://knot-resolver.readthedocs.org/en/stable/
-- Network interface configuration
net.listen('127.0.0.1', 5555, { kind = 'dns' })
--net.listen('127.0.0.1', 853, { kind = 'tls' })
--net.listen('127.0.0.1', 443, { kind = 'doh2' })
--net.listen('::1', 53, { kind = 'dns', freebind = true })
--net.listen('::1', 853, { kind = 'tls', freebind = true })
--net.listen('::1', 443, { kind = 'doh2' })
-- Load useful modules
modules = {
'policy',
'view',
}
modules.unload('priming')
trust_anchors.remove('.')
log_level('debug')
-- Cache size
cache.size = 100 * MB
-- view:addr('127.0.0.1/8', function (req, qry) return policy.PASS end)
policy.add(policy.all(policy.STUB({'127.0.0.1'})))
```
Then run like this:
```
./kresd -c knot.conf -n
```
3. Use the Python script to send the request packet to KnotDNS.
Download these two files and run like this:
https://643684107.oss-cn-beijing.aliyuncs.com/knot/dns_request.py
https://643684107.oss-cn-beijing.aliyuncs.com/knot/dns_request
```
python3 dns_request.py dns_request 5555
```
The result of the script:
```
Sending DNS query to 127.0.0.1:5555
DNS query data:
0000 31 32 01 00 00 01 00 00 00 00 00 00 03 66 6F 6F 12...........foo
0010 07 65 78 61 6D 70 6C 65 00 00 FF 00 01 .example.....
Received DNS response from 127.0.0.1:5555
DNS response data:
0000 31 32 81 82 00 01 00 00 00 00 00 00 03 66 6F 6F 12...........foo
0010 07 65 78 61 6D 70 6C 65 00 00 FF 00 01 .example.....
QR: 1
Opcode: 0
AA: 0
TC: 0
RD: 1
RA: 1
Z: 0
AD: 0
CD: 0
Rcode: 2
```
We can see that the Rcode is 2, but when I try other DNS resolvers like Bind or PowerDNS with the same test, the result is as follows:
```
DNS query data:
0000 31 32 01 00 00 01 00 00 00 00 00 00 03 66 6F 6F 12...........foo
0010 07 65 78 61 6D 70 6C 65 00 00 FF 00 01 .example.....
Received DNS response from 127.0.0.1:7777
DNS response data:
0000 31 32 81 80 00 01 00 06 00 00 00 00 03 66 6F 6F 12...........foo
0010 07 65 78 61 6D 70 6C 65 00 00 FF 00 01 C0 0C 00 .example........
0020 2E 00 01 00 00 0E 10 00 44 00 2F 03 02 00 00 0E ........D./.....
0030 10 55 C2 6E 21 55 9A E1 21 44 F4 07 65 78 61 6D .U.n!U..!D..exam
0040 70 6C 65 00 04 4A 1F 3F FB 59 60 5A 09 DE 2F 23 ple..J.?.Y`Z../#
0050 EA EC C9 8C 9E 22 BE 33 ED C6 81 93 12 27 8C E8 .....".3.....'..
0060 53 38 E8 29 A2 9C 39 98 2E 1C 0D CD 02 C0 0C 00 S8.)..9.........
0070 2F 00 01 00 00 0E 10 00 18 06 66 75 74 75 72 65 /.........future
0080 07 65 78 61 6D 70 6C 65 00 00 06 40 00 80 00 00 .example...@....
0090 03 C0 0C 00 2E 00 01 00 00 01 2C 00 44 00 10 03 ..........,.D...
00A0 02 00 00 01 2C 55 C2 6E 21 55 9A E1 21 44 F4 07 ....,U.n!U..!D..
00B0 65 78 61 6D 70 6C 65 00 04 58 21 E2 42 05 05 54 example..X!.B..T
00C0 03 F4 0F 49 9B 53 29 2F 82 47 04 CB 1A AB 5F D1 ...I.S)/.G...._.
00D0 93 C3 F2 56 28 13 0F 01 B4 A5 4E 93 69 4D 78 C2 ...V(.....N.iMx.
00E0 5C C0 0C 00 10 00 01 00 00 01 2C 00 08 07 74 65 \.........,...te
00F0 73 74 69 6E 67 C0 0C 00 2E 00 01 00 00 01 2C 00 sting.........,.
0100 44 00 01 03 02 F7 FF 01 2C 55 C2 6E 21 55 9A E1 D.......,U.n!U..
0110 21 44 F4 07 65 78 61 6D 70 6C 65 00 04 89 C7 D2 !D..example.....
0120 4E E3 23 E9 1C A9 C7 B6 85 53 7F 12 72 9A E3 48 N.#......S..r..H
0130 D8 06 C6 29 70 67 1C E7 5D 6F D5 74 EF BB 96 14 ...)pg..]o.t....
0140 CB 72 4B 74 A2 C0 0C 00 01 00 01 00 00 01 2C 00 .rKt..........,.
0150 04 0A 00 01 00 .....
QR: 1
Opcode: 0
AA: 0
TC: 0
RD: 1
RA: 1
Z: 0
AD: 0
CD: 0
Rcode: 0
```
The Rcode is 0. So which Rcode is correct? Why?
**Additional information**
The details of the request packet (dns_client) from the client are as follows:
```
HEADER
31 32 01 00 00 01 00 00 00 00 00 00
QUESTION
03 66 6F 6F 07 65 78 61 6D 70 6C 65 00 00 FF 00 01
ANSWER
AUTHORITY
ADDITIONAL
```
The details of the response packet (dns_response) from the fake server are as follows:
```
HEADER
31 32 84 00 00 01 00 06 00 03 00 05
QUESTION
03 66 6F 6F 07 65 78 61 6D 70 6C 65 00 00 FF 00 01
ANSWER
C0 0C 00 01 00 01 00 00 01 2C 00 04
0A 00 01 00
C0 0C 00 2E 00 01 00 00 01 2C 00 44
00 01 03 02 F7 FF 01 2C 55 C2 6E 21 55 9A E1 21
44 F4 07 65 78 61 6D 70 6C 65 00 04 89 C7 D2 4E
E3 23 E9 1C A9 C7 B6 85 53 7F 12 72 9A E3 48 D8
06 C6 29 70 67 1C E7 5D 6F D5 74 EF BB 96 14 CB
72 4B 74 A2
C0 0C 00 10 00 01 00 00 01 2C 00 08
07 74 65 73 74 69 6E 67
C0 0C 00 2E 00 01 00 00 01 2C 00 44
00 10 03 02 00 00 01 2C 55 C2 6E 21 55 9A E1 21
44 F4 07 65 78 61 6D 70 6C 65 00 04 58 21 E2 42
05 05 54 03 F4 0F 49 9B 53 29 2F 82 47 04 CB 1A
AB 5F D1 93 C3 F2 56 28 13 0F 01 B4 A5 4E 93 69
4D 78 C2 5C
C0 0C 00 2F 00 01 00 00 0E 10 00 18
06 66 75 74 75 72 65 07 65 78 61 6D 70 6C 65 00
00 06 40 00 80 00 00 03
C0 0C 00 2E 00 01 00 00 0E 10 00 44
00 2F 03 02 00 00 0E 10 55 C2 6E 21 55 9A E1 21
44 F4 07 65 78 61 6D 70 6C 65 00 04 4A 1F 3F FB
59 60 5A 09 DE 2F 23 EA EC C9 8C 9E 22 BE 33 ED
C6 81 93 12 27 8C E8 53 38 E8 29 A2 9C 39 98 2E
1C 0D CD 02
AUTHORITY
C1 23 00 02 00 01 00 00 01 2C 00 06
03 6E 73 32 C1 23
C1 23 00 02 00 01 00 00 01 2C 00 06
03 6E 73 33 C1 23
C1 23 00 2E 00 01 00 00 01 2C 00 44
00 02 03 01 00 00 01 2C 55 C2 6E 21 55 9A E1 21
44 F4 07 65 78 61 6D 70 6C 65 00 04 44 68 1F B4
AA C3 2C C8 54 4B CC 9D 82 77 C6 23 37 74 77 5A
2B 66 21 00 2C 61 C5 DD 6C 0A 05 2F 1C 7F B6 45
D4 7B 12 6A
ADDITIONAL
C1 61 00 01 00 01 00 00 01 2C 00 04
0A 35 00 02
C1 73 00 01 00 01 00 00 01 2C 00 04
0A 35 00 03
C1 61 00 2E 00 01 00 00 01 2C 00 44
00 01 03 02 00 00 01 2C 55 C2 6E 21 55 9A E1 21
44 F4 07 65 78 61 6D 70 6C 65 00 04 23 15 51 F3
86 59 19 10 8B 39 69 6C EF 9A F9 16 AD B6 A4 FB
1B 96 0C DB 14 8D A4 0F A9 0B E1 DB A1 EA 65 D5
ED 56 1C EA
C1 73 00 2E 00 01 00 00 01 2C 00 44
00 01 03 02 00 00 01 2C 55 C2 6E 21 55 9A E1 21
44 F4 07 65 78 61 6D 70 6C 65 00 04 D2 B2 19 3A
04 AF 2B A5 A8 43 1F 03 EE 60 8F 44 47 BF F8 36
C5 DB 35 FA 08 6B 86 96 0F 26 6C EE 5C 0A DF 56
25 D1 01 A6
00 00 29 10 00 00 00 80 00 00 00
```
https://gitlab.nic.cz/knot/knot-resolver/-/issues/772
Forwarding to ISP servers doesn't work in Omnia after update to TOS 6.0. (Martin Pecka, 2022-10-30T00:42:07+02:00)
On Turris OS 5, I used DNS forwarding via kresd without issues. After update to 6.0, it doesn't work. I did not do anything custom with DNS on my router.
DNS settings in Reforis often time-out instead of applying what I set. In console, I see this:
```
# after setting forward_upstream to 1
# /etc/init.d/resolver restart
Called /etc/init.d/kresd stop
set dhcp script
sh: invalid number ''
job 9 at Fri Oct 28 23:29:00 2022
Called /etc/init.d/kresd start
set dhcp script
Called /etc/resolver/dhcp_host_domain_ng.py
```
When I try to query the DNS server on the router after this, all requests time out.
With `forward_upstream` set to 0, restart of kresd works without the reported error and DNS resolution actually works.
https://gitlab.nic.cz/knot/knot-resolver/-/issues/769
failure to start the manager (Vaclav Sraier, 2023-07-04T12:35:27+02:00)
Happens just about once in a while in our CI, nothing regular. Don't know how to reproduce. Rerunning the job always fixes the issue.
```
Oct 10 11:56:00 runner-114-project-147-concurrent-1-799966 env[5260]: 428ms:INFO:knot_resolver_manager.server:Loading initial configuration from /etc/knot-resolver/config.yml
Oct 10 11:56:00 runner-114-project-147-concurrent-1-799966 env[5260]: 437ms:INFO:knot_resolver_manager.server:Validating initial configuration...
Oct 10 11:56:00 runner-114-project-147-concurrent-1-799966 env[5260]: 439ms:WARNING:knot_resolver_manager.log:Changing logging level to 'INFO'
Oct 10 11:56:00 runner-114-project-147-concurrent-1-799966 env[5260]: 440ms:INFO:knot_resolver_manager.kresd_controller:Starting service manager auto-selection...
Oct 10 11:56:00 runner-114-project-147-concurrent-1-799966 env[5260]: 440ms:INFO:knot_resolver_manager.kresd_controller:Available subprocess controllers are ('supervisord',)
Oct 10 11:56:00 runner-114-project-147-concurrent-1-799966 env[5260]: 440ms:INFO:knot_resolver_manager.kresd_controller:Selected controller 'supervisord'
Oct 10 11:56:00 runner-114-project-147-concurrent-1-799966 env[5260]: 441ms:INFO:knot_resolver_manager.kresd_controller.supervisord:Supervisord is already running, we will just update its config...
Oct 10 11:56:05 runner-114-project-147-concurrent-1-799966 systemd[1]: knot-resolver.service: Main process exited, code=exited, status=1/FAILURE
Oct 10 11:56:05 runner-114-project-147-concurrent-1-799966 systemd[1]: knot-resolver.service: Failed with result 'exit-code'.
Oct 10 11:56:05 runner-114-project-147-concurrent-1-799966 systemd[1]: Failed to start Knot Resolver Manager.
```
https://gitlab.nic.cz/knot/knot-resolver/-/issues/767
kresd always returning SERVFAIL (Sergio Callegari, 2022-09-26T16:35:45+02:00)
Hi, I am recently experiencing a complete breakage of my instance of the knot resolver daemon after it has worked perfectly for a long time.
It is unclear to me if the issues are related to the latest update to the 5.5.3 release or to some other change in my networking environment.
I have the knot resolver daemon working on an ARM64 system with the armbian OS.
The knot resolver binary is from http://download.opensuse.org/repositories/home:/CZ-NIC:/knot-resolver-latest/Debian_11/
In the last few days, kresd cannot start properly, so that when I query `systemctl` for the status of `kresd@0`, I get
```
Sep 25 19:54:12 xxx kresd[1850]: [taupd ] active refresh failed for . with rcode: 2
Sep 25 19:54:12 xxx kresd[1850]: [timesk] cannot resolve '.' NS
```
If I enable the debug, I get flooded with messages. For the most part they look like repetitions of sequences similar to
```
Sep 25 20:09:11 xxx kresd[2256]: [select][65538.02] => id: '58484' choosing from addresses: 13 v4 + 13 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
Sep 25 20:09:11 xxx kresd[2256]: [select][65538.02] => id: '58484' choosing: 'K.ROOT-SERVERS.NET.'@'193.0.14.129#00053' with timeout 25 ms zone cut: '.'
Sep 25 20:09:11 xxx kresd[2256]: [select][65538.02] => id: '59806' noting selection error: 'D.ROOT-SERVERS.NET.'@'199.7.91.13#00053' zone cut: '.' error: 6 SERVFAIL
Sep 25 20:09:11 xxx kresd[2256]: [iterat][65538.02] <= rcode: SERVFAIL
```
...until I get to
```
Sep 25 20:09:11 xxx kresd[2256]: [resolv][65538.00] => too many failures in a row, bail out (mitigation for NXNSAttack CVE-2020-12667)
```
Changes that I have recently experienced in my setup include:
- Update to the knot resolver release 5.5.3. Not easy to test downgrading as I cannot find previous releases on http://download.opensuse.org/repositories/home:/CZ-NIC:/knot-resolver-latest/Debian_11/
- Update of the ARM machine to kernel 5.19.10-rockchip64
- Update of my ISP from Wind 3 (Italy) to Vodafone (Italy), both on fiber.
It looks like there are no major networking problems. The machine running kresd can ping outside and resolve via kdig using public nameservers such as Quad9 or Google. For sure the new Vodafone ISP is nasty. It does not let you set the DNS on its router, nor publish a different NS via the DHCP server on its router, nor select an SSID without the word "vodafone" in it, but it would appear strange to me if it ended up mangling traffic to the point of blocking a private caching nameserver from operating.
Any clue?
https://gitlab.nic.cz/knot/knot-resolver/-/issues/766
manager: datamodel: make sure JSON Schema is valid (Aleš Mrázek, 2022-10-09T13:35:39+02:00)
https://gitlab.nic.cz/knot/knot-resolver/-/issues/764
SERVFAIL for www.pinterest.com and TLS_FORWARD (kresd 5.5.2) (Markus Donko-Huber, 2022-10-11T15:54:10+02:00)
Hi knot-resolver maintenance team,
I spent some time debugging an issue resolving a specific FQDN: **`www.pinterest.com`**
After debugging, I found that the **SERVFAIL** error only occurs in the CNAME chain once I configure a TLS_FORWARD example.
Steps to reproduce the issue:
- use the latest knot-resolver version (5.5.2), e.g. from **docker cznic/knot-resolver**
- Forward all requests to Cloudflare Upstream: `policy.add(policy.all(policy.TLS_FORWARD({{'1.1.1.1', hostname='cloudflare-dns.com'}})))`
- Attempts to resolve `www.pinterest.com` result in a `SERVFAIL` error
```
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24362
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.pinterest.com. IN A
;; ANSWER SECTION:
www.pinterest.com. 439 IN CNAME www-pinterest-com.gslb.pinterest.com.
www-pinterest-com.gslb.pinterest.com. 159 IN CNAME www.gslb.pinterest.net.
;; Query time: 919 msec
;; SERVER: 192.168.10.240#53(192.168.10.240) (UDP)
;; WHEN: Mon Sep 12 13:35:07 CEST 2022
;; MSG SIZE rcvd: 119
```
It seems that the request fails because of DNSSEC and `pinterest.net` in the CNAME chain. Interestingly enough, once the **TLS_FORWARD** policy has been removed, **www.pinterest.com** resolves as expected.
I have too little knowledge to understand why the request fails in combination with **TLS_FORWARD**.
I am happy to contribute additional debug information.
https://gitlab.nic.cz/knot/knot-resolver/-/issues/760
daf: rewrite not working in 5.5.1 (Michael Peleshenko, 2022-09-21T17:07:23+02:00)
My daf config stopped working after upgrading from 5.4.3 to 5.5.1. It seems related to the recent changes to the renumber module.
**Config**
```
daf.add('src = 192.168.0.0/24 rewrite host.domain.local. A 192.168.0.1')
```
After adding the below debug config, I noticed an error related to the renumber module.
**Debug Config**
```
policy.add(policy.suffix(policy.DEBUG_ALWAYS, policy.todnames({'host.domain.local'})))
```
**Logs**
```
[system] error: /usr/lib/knot-resolver/kres_modules/renumber.lua:33: attempt to compare number with nil
```
After reverting to the 5.4.3 version of renumber.lua, daf rewrite works again, so the recent renumber changes seem to have broken this in 5.5.1.
https://gitlab.nic.cz/knot/knot-resolver/-/issues/759
manager API: versioning (Vaclav Sraier, 2022-10-10T20:58:01+02:00)
I think it's quite unlikely that the manager's HTTP API will have a flawless design from the start. At some point in the future, there might be a need to make a new backwards-incompatible API. I think we should prepare for it now as it's still not too late and it's really easy to do so now.
# Ideas
- version in URL path (`/config/v2/...`)
- version in the configuration (that would allow us to change the schema, but not the API itself)
- version in HTTP header (probably something like `X-API-Version: latest` or `X-API-Version: 6.0.0`)
- ...
https://gitlab.nic.cz/knot/knot-resolver/-/issues/758
Timeout in config.ta_bootstrap test on Meson 0.57.0 onwards (Héctor Molinero Fernández, 2022-07-13T11:06:13+02:00)
It seems that on Meson 0.57.0 onwards the config.ta_bootstrap test fails with a timeout because the webserv.lua process does not terminate. If stdout and stderr are redirected to `/dev/null` this problem does not occur.
I think this is a regression in Meson, but since I doubt there will be a backport for the version of Meson included in the current distros and the workaround is simple, it is worth fixing it here.
I encountered this problem when trying to build Knot Resolver on Ubuntu 22.04.
https://gitlab.nic.cz/knot/knot-resolver/-/issues/753
manager: datamodel: max_workers configuration (Aleš Mrázek, 2022-08-05T16:40:29+02:00)
Issue follows the [comment](https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1280#note_256315) in !1280.
Basically, we're not sure if it's a good idea to allow `max-workers` to be configured, capping the max number of workers. It could confuse users with the `workers` option that determines the required number of workers.
Currently, the maximum number of workers is also capped during [validation](https://gitlab.nic.cz/knot/knot-resolver/-/blob/manager/manager/knot_resolver_manager/datamodel/config_schema.py#L183) by 10 workers per CPU.
https://gitlab.nic.cz/knot/knot-resolver/-/issues/751
manager: declarative configuration examples (Aleš Mrázek, 2023-10-16T11:50:49+02:00)
# Configuration examples
A current detailed configuration datamodel can be seen [here](https://gitlab.nic.cz/knot/knot-resolver/-/tree/manager/manager/knot_resolver_manager/datamodel).
## Minimal config
The minimal configuration to start the manager.
```yaml
id: dev # identifier of the manager instance
```
## Complete config without policy rules
```yaml
id: dev
hostname: &name manager-dev
nsid: *name
rundir: etc/knot-resolver/runtime
workers: 1
management:
  interface: 127.0.0.1@5000 # or unix-socket: '/path/to/unix-socket'
webmgmt:
  interface: 127.0.0.1@5000
  tls: true
  cert-file: /path/to/file.cert
  key-file: /path/to/file.key
supervisor:
  backend: systemd-session
  watchdog:
    qname: nic.cz.
    qtype: AAAA
options:
  glue-checking: normal # strict, permissive
  qname-minimisation: true
  query-loopback: false
  reorder-rrset: true
  query-case-randomization: false
  priming: true
  rebinding-protection: false
  refuse-no-rd: true
  time-jump-detection: true
  violators-workarounds: false
  serve-stale: false
  prediction: # can be also set to 'false' or 'true'
    window: 15m
    period: 24
network:
  listen:
    - interface: 127.0.0.1@5353 # or unix-socket: /path/to/socket
      kind: dns # xdp, dot, doh-legacy, doh2
      freebind: false
  do-ipv4: true
  do-ipv6: true
  tcp-pipeline: 100
  edns-tcp-keepalive: true
  edns-buffer-size:
    upstream: 1232B
    downstream: 1232B
  address-renumbering:
    - source: 10.10.10.0/24
      destination: 192.168.1.0
  tls:
    cert-file: /path/to/file.cert
    key-file: /path/to/file.key
    sticket-secret: some-secret # or sticket-secret-file: /path/to/secret
    auto-discovery: false
    padding: true # or int value 0-512
  proxy-protocol:
    allow: [172.22.0.1, 172.18.1.0/24]
static-hints:
  ttl: 1d
  nodata: true
  etc-hosts: true
  root-hints:
    j.root-servers.net.: [2001:503:c27::2:30, 192.58.128.30]
  root-hints-file: /path/to/root.hints
  hints:
    foo.bar: [127.0.0.1]
  hints-files: [/path/to/custom.hints]
# policy rules examples will be separate
# views, slices, policy, rpz, stub-zones, forward-zones
cache:
  garbage-collector: true
  storage: /var/cache/knot-resolver
  size-max: 100M
  ttl-min: 5s
  ttl-max: 6d
  ns-timeout: 1000ms
  prefill:
    - origin: '.'
      url: https://www.internic.net/domain/root.zone
      refresh-interval: 1d
      ca-file: /etc/pki/tls/certs/ca-bundle.crt
dnssec: # can be set to 'false' or 'true'
  trust-anchor-sentinel: true
  trust-anchor-signal-query: true
  time-skew-detection: true
  keep-removed: 0
  refresh-time: 10s
  hold-down-time: 30d
  trust-anchors:
    - . 3600 IN DS 19036 8 2 49AAC11...
  negative-trust-anchors: [bad.boy, example.com]
  trust-anchors-files:
    - file: root.key
      read-only: false
dns64: # can be set to 'false' or 'true'
  prefix: 64:ff9b::/96
logging:
  level: notice # crit, err, warning, notice, info, debug
  target: syslog # stderr, stdout
  groups: [manager, cache]
  dnssec-bogus: false
  dnstap: # can be set to 'false'
    unix-socket: /tmp/dnstap.sock
    log-queries: true
    log-responses: true
    log-tcp-rtt: true
  debugging:
    assertion-abort: false
    assertion-fork: 5m
monitoring:
  enabled: lazy # manager-only, always
  graphite:
    prefix: *name
    host: 127.0.0.1 # or domain-name
    port: 2003
    interval: 5s
    tcp: false
lua:
  script-only: false # if 'true', no declarative config is used, just lua script
  script: | # or script-file: '/path/to/lua/script.lua'
    -- this is lua script
```
## Policy rules and config
These are only examples, there is no guarantee that they will work together in single configuration.
```yaml
# Definition of views
# https://knot-resolver.readthedocs.io/en/stable/modules-view.html?highlight=views#views-and-acls
views:
  view-1:
    subnets: [127.0.0.1, '::']
    options: [no-minimize]
  view-2:
    tsig: [\5mykey]
slices:
  # Forwarding to multiple targets
  # https://knot-resolver.readthedocs.io/en/stable/modules-policy.html?highlight=slices#forwarding-to-multiple-targets
  - function: randomize-psl
    actions:
      - action: forward
        servers:
          - address: 192.0.2.1
            hostname: res.example.com
      - action: forward
        servers:
          - address: 193.17.47.1
            hostname: odvr.nic.cz
          - address: 185.43.135.1
            hostname: odvr.nic.cz
# RPZ blocklist
# https://knot-resolver.readthedocs.io/en/stable/modules-policy.html?highlight=rpz#policy.rpz
rpz:
  - action: deny
    file: /etc/knot-resolver/blocklist.rpz
    watch: true
    message: domain blocked by your resolver operator
# Policy rules examples
# https://knot-resolver.readthedocs.io/en/stable/modules-policy.html
policy:
  # Mirror query traffic
  - action: mirror
    servers: [127.0.0.2]
  # Whitelist 'good.example.com'
  - action: pass
    filter:
      pattern: good.example.com.
  # Deny query based on suffix filter for 'view-1' and 'view-2'
  - action: deny
    filter:
      suffix: example.net
    views: [view-1, view-2]
  # Change IPv4 address and TTL for example.com
  - action: answer
    filter:
      domain: example.com
    answer:
      rtype: A
      rdata: 192.0.2.7
      ttl: 300s
# Stub zones
# https://knot-resolver.readthedocs.io/en/stable/modules-policy.html?highlight=stub#policy.STUB
stub-zones:
  - name: 1.168.192.in-addr.arpa
    servers: [192.0.2.1@5353]
  # internal-only domain
  # https://knot-resolver.readthedocs.io/en/stable/quickstart-config.html?highlight=local%20domains#internal-only-domains
  - name: company.example
    servers: [192.0.2.44]
    options: [no-cache]
# Forwarding
# https://knot-resolver.readthedocs.io/en/stable/modules-policy.html?highlight=stub#forwarding
forward-zones:
  # Forward all queries to public resolvers https://www.nic.cz/odvr
  - name: '.'
    servers: [2001:148f:fffe::1, 2001:148f:ffff::1, 185.43.135.1, 193.17.47.1]
  # TLS forward, server authenticated using hostname and system-wide CA certificates
  # https://knot-resolver.readthedocs.io/en/stable/modules-policy.html?highlight=forward#tls-examples
  - name: '.'
    tls: true
    servers:
      - address: 192.0.2.1
        pin-sha256: Wg==
      - address: 2001:DB8::d0c
        hostname: res.example.com
        ca-file: /etc/knot-resolver/tlsca.crt
```
https://gitlab.nic.cz/knot/knot-resolver/-/issues/747
Expired gpg key in OBS (Vladimír Čunát <vladimir.cunat@nic.cz>, 2022-09-03T18:37:20+02:00)
.deb users of our [upstream repo](https://www.knot-resolver.cz/download/) can't update anymore (Debian, Ubuntu).
Message examples:
```
# apt update
[...]
W: GPG error: http://download.opensuse.org/repositories/home:/CZ-NIC:/knot-resolver-latest/Debian_11 InRelease: The following signatures were invalid: EXPKEYSIG 74062DB36A1F4009 home:CZ-NIC OBS Project <home:CZ-NIC@build.opensuse.org>
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
```
The key:
```
pub rsa2048 2018-02-15 [SC] [expired: 2022-06-21]
45737F9C8BC3F3ED2791818274062DB36A1F4009
uid [ expired] home:CZ-NIC OBS Project <home:CZ-NIC@build.opensuse.org>
```
https://gitlab.nic.cz/knot/knot-resolver/-/issues/746
daemon/http: returning status 400 to handshake with dnscrypt-proxy (Oto Šťáva, 2022-06-23T09:39:55+02:00)
When [`dnscrypt-proxy`](https://github.com/DNSCrypt/dnscrypt-proxy) attempts a handshake with `kresd`, status code 400 is returned.
On Gitter, user `jlongua` reported getting this log message:
```
Jun 16 13:41:55 draco.plan9-ns2.com dnscrypt-proxy[5775]: [2022-06-16 13:41:55] [ERROR] Webserver returned code 400
```
When I try it locally with a simple Docker image of dnscrypt-proxy, I get this:
```
dnscrypt-proxy-dnsdist-1 | [2022-06-17 06:58:33] [NOTICE] dnscrypt-proxy 2.1.1
dnscrypt-proxy-dnsdist-1 | [2022-06-17 06:58:33] [NOTICE] Network connectivity detected
dnscrypt-proxy-dnsdist-1 | [2022-06-17 06:58:33] [NOTICE] Now listening to 0.0.0.0:53 [UDP]
dnscrypt-proxy-dnsdist-1 | [2022-06-17 06:58:33] [NOTICE] Now listening to 0.0.0.0:53 [TCP]
dnscrypt-proxy-dnsdist-1 | [2022-06-17 06:58:33] [NOTICE] Source [relays] loaded
dnscrypt-proxy-dnsdist-1 | [2022-06-17 06:58:33] [NOTICE] Source [public-resolvers] loaded
dnscrypt-proxy-dnsdist-1 | [2022-06-17 06:58:33] [NOTICE] Firefox workaround initialized
dnscrypt-proxy-dnsdist-1 | [2022-06-17 06:58:33] [ERROR] 400 Bad Request
dnscrypt-proxy-dnsdist-1 | [2022-06-17 06:58:33] [NOTICE] dnscrypt-proxy is waiting for at least one server to be reachable
```
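Added example, not code from Knot Resolver nor from any of the reports above. It serves two of them: the "which Rcode is true?" question, whose client query and fake-server response are transcribed below from the posted hex so that the header flags (QR, AA, rcode), the section counts and the compression pointers reaching across the answer, authority and additional sections can be checked offline; and the dnscrypt-proxy 400 report, where building by hand the `/dns-query?dns=...` GET request that an RFC 8484 DoH client sends is the first step in reproducing the handshake without the proxy. Assumptions: the `/dns-query` path is the RFC 8484 convention and is not taken from the kresd configuration in that report, and nothing in the block talks to a network.

```python
# Added example for this issue list; it is not code from Knot Resolver or from any
# reporter above. Decodes DNS wire format (RFC 1035 header, sections, compression
# pointers) and builds the RFC 8484 GET form of a query for a DoH endpoint.
import base64
import struct

TYPE_NAMES = {1: "A", 2: "NS", 16: "TXT", 41: "OPT", 46: "RRSIG", 47: "NSEC", 255: "ANY"}
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# Transcribed from the hex the reporter posted in the "which Rcode is true?" report.
CLIENT_QUERY = bytes.fromhex("313201000001000000000000" "03666f6f076578616d706c650000ff0001")
FAKE_SERVER_RESPONSE = bytes.fromhex(
    # header: id 0x3132, flags 0x8400 (QR, AA, rcode 0), counts 1/6/3/5; question foo.example. ANY
    "31328400000100060003000503666f6f076578616d706c650000ff0001"
    # answer: A, RRSIG(A), TXT, RRSIG(TXT), NSEC, RRSIG(NSEC); owner names are C0 0C pointers
    "c00c000100010000012c00040a000100"
    "c00c002e00010000012c004400010302f7ff012c55c26e21559ae12144f4076578616d706c650004"
    "89c7d24ee323e91ca9c7b685537f12729ae348d806c62970671ce75d6fd574efbb9614cb724b74a2"
    "c00c001000010000012c00080774657374696e67"
    "c00c002e00010000012c0044001003020000012c55c26e21559ae12144f4076578616d706c650004"
    "5821e24205055403f40f499b53292f824704cb1aab5fd193c3f25628130f01b4a54e93694d78c25c"
    "c00c002f000100000e10001806667574757265076578616d706c65000006400080000003"
    "c00c002e000100000e100044002f030200000e1055c26e21559ae12144f4076578616d706c650004"
    "4a1f3ffb59605a09de2f23eaecc98c9e22be33edc6819312278ce85338e829a29c39982e1c0dcd02"
    # authority: NS ns2, NS ns3, RRSIG(NS); C1 23 points at the signer name of the last answer RRSIG
    "c123000200010000012c0006036e7332c123c123000200010000012c0006036e7333c123"
    "c123002e00010000012c0044000203010000012c55c26e21559ae12144f4076578616d706c650004"
    "44681fb4aac32cc8544bcc9d8277c6233774775a2b6621002c61c5dd6c0a052f1c7fb645d47b126a"
    # additional: A ns2, A ns3, two RRSIGs (C1 61 / C1 73 point into the NS rdata), OPT with DO set
    "c161000100010000012c00040a350002c173000100010000012c00040a350003"
    "c161002e00010000012c0044000103020000012c55c26e21559ae12144f4076578616d706c650004"
    "231551f3865919108b39696cef9af916adb6a4fb1b960cdb148da40fa90be1dba1ea65d5ed561cea"
    "c173002e00010000012c0044000103020000012c55c26e21559ae12144f4076578616d706c650004"
    "d2b2193a04af2ba5a8431f03ee608f4447bff836c5db35fa086b86960f266cee5c0adf5625d101a6"
    "0000291000000080000000"
)


def read_name(msg, off):
    """Decode a possibly compressed name at msg[off:]; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer, RFC 1035 4.1.4
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if ptr >= off or hops > 64:                # only backward pointers are legal
                raise ValueError("bad compression pointer at offset %d" % off)
            end = off + 2 if end is None else end      # the name ends after its first pointer
            off, hops = ptr, hops + 1
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def decode_rdata(msg, rtype, off, rdata):
    """Human-readable RDATA for the types in the dumps; anything else as hex."""
    if rtype == 1 and len(rdata) == 4:
        return ".".join(str(b) for b in rdata)
    if rtype == 2:                                     # NS target may itself be compressed
        return read_name(msg, off)[0]
    if rtype == 46:                                    # RRSIG: type covered ... signer name
        covered = struct.unpack_from("!H", rdata)[0]
        return "%s signed by %s" % (TYPE_NAMES.get(covered, covered), read_name(msg, off + 18)[0])
    return rdata.hex()


def parse_message(msg):
    """Parse header, question and RR sections; raise ValueError on inconsistent lengths."""
    msg_id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    header = {"id": msg_id, "qr": flags >> 15 & 1, "aa": flags >> 10 & 1, "tc": flags >> 9 & 1,
              "rd": flags >> 8 & 1, "ra": flags >> 7 & 1, "ad": flags >> 5 & 1, "cd": flags >> 4 & 1,
              "rcode": flags & 0xF, "rcode_name": RCODE_NAMES.get(flags & 0xF, "rcode%d" % (flags & 0xF))}
    off, questions, sections = 12, [], {}
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        questions.append((name, TYPE_NAMES.get(qtype, qtype), qclass))
        off += 4
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            if off + rdlen > len(msg):                 # count says more data than we have
                raise ValueError("%s section runs past the end of the message" % section)
            rrs.append({"name": name, "type": TYPE_NAMES.get(rtype, rtype), "ttl": ttl,
                        "rdata": decode_rdata(msg, rtype, off, msg[off:off + rdlen])})
            off += rdlen
        sections[section] = rrs
    if off != len(msg):                                # bytes after the last counted record
        raise ValueError("%d trailing bytes after the last section" % (len(msg) - off))
    return header, questions, sections


def doh_get_path(query, endpoint="/dns-query"):
    """RFC 8484 GET form: base64url of the wire query, padding stripped, DNS ID set to 0."""
    wire = b"\x00\x00" + query[2:]
    return endpoint + "?dns=" + base64.urlsafe_b64encode(wire).decode("ascii").rstrip("=")


if __name__ == "__main__":
    hdr, qs, secs = parse_message(FAKE_SERVER_RESPONSE)
    print(hdr["rcode_name"], "aa=%d" % hdr["aa"], qs, {k: len(v) for k, v in secs.items()}, doh_get_path(CLIENT_QUERY))
```

Run as a script it prints the decoded fake-server response and the DoH path; the decoder raises `ValueError` when the section counts do not match the bytes present, which is the first thing to check when a hand-made server produces a reply a resolver rejects. On the posted bytes it reports rcode 0 with AA set and all six answer, three authority and five additional records intact, so the SERVFAIL the client received was generated by the resolver itself rather than relayed from the fake server; the reason has to be read from the resolver's own verbose log, as in the other reports here, not from this packet.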