Knot Resolver issues
https://gitlab.nic.cz/knot/knot-resolver/-/issues
Feed updated: 2020-12-07T11:00:36+01:00

#651 dnstap module spawns a thread
https://gitlab.nic.cz/knot/knot-resolver/-/issues/651
Updated: 2020-12-07T11:00:36+01:00 | Author: Vladimír Čunát <vladimir.cunat@nic.cz>

That's not consistent with kresd architecture, though I can't think of a particular reason why it might cause a problem. Note that this thread will get spawned for each kresd process, so it might be a bit wasteful.

We might prefer to rewrite the module by utilizing the shared libuv loop (to know when the socket is ready to receive more data), but maybe the [fstrm tools](https://farsightsec.github.io/fstrm/overview.html) don't provide good support for that. If we drop the thread, this library might not be worth depending on anymore (as the framing is trivial).

#650 Transform Graphite tags into Prometheus labels
https://gitlab.nic.cz/knot/knot-resolver/-/issues/650
Updated: 2020-12-18T11:43:56+01:00 | Author: Héctor Molinero Fernández

Currently the http module exposes Prometheus metrics and [replaces the `.` character with `_` in the metrics name](https://gitlab.nic.cz/knot/knot-resolver/-/blob/8ed646c507c43d5aea708dbd7aa90047029b046e/modules/http/prometheus.lua#L105). Perhaps this can be extended to also transform [Graphite tags](https://graphite.readthedocs.io/en/stable/tags.html) into [Prometheus labels](https://prometheus.io/docs/concepts/data_model/).
Since I don't have permission to fork the project, I leave a patch attached that implements this feature.
[knot-resolver-prometheus-labels.patch](/uploads/bf7fa713617ce3c00fc1770799edf7e6/knot-resolver-prometheus-labels.patch)

#649 server selection: consider switching to TCP instead of backing off the timeouts to high values
https://gitlab.nic.cz/knot/knot-resolver/-/issues/649
Updated: 2021-02-18T16:56:41+01:00 | Author: Štěpán Balážik

The following discussion from !1030 should be addressed:

- [ ] @sbalazik started a [discussion](https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1030#note_184303): (+1 comment)

> `config.hints` test [is timing out sometimes](https://gitlab.nic.cz/knot/knot-resolver/-/jobs/463522) on this branch and so far, I have no idea why.
>
> ```
> 22/36 knot-resolver:postinstall+config+skip_asan / config.hints TIMEOUT 120.05 s
> --- command ---
> KRESD_NO_LISTEN='1' PATH='/builds/knot/knot-resolver/.local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' TEST_FILE='/builds/knot/knot-resolver/modules/hints/tests/hints.test.lua' SOURCE_PATH='/builds/knot/knot-resolver/tests/config' /builds/knot/knot-resolver/tests/config/../../scripts/test-config.sh -c /builds/knot/knot-resolver/build_ci/../tests/config/test.cfg -n
> --- stdout ---
> /builds/knot/knot-resolver/.local/sbin/kresd
> processing test file /builds/knot/knot-resolver/modules/hints/tests/hints.test.lua
> ok 1 - has IP address for a.root-servers.net.
> ok 2 - load root hints from file
> ok 3 - can retrieve root hints
> ok 4 - real IP address for a.root-servers.net. is replaced
> ok 5 - real IP address for a.root-servers.net. is correct
> [65536.00][rplan] [qry tree] badname.lan. A (0) <-
> [65536.00][rplan] [push] pending 1; badname.lan. A (0) | resolved 0
> [65536.03][rplan] [qry tree] . DNSKEY (3) <- badname.lan. A (2) <-
> [65536.03][rplan] [push] pending 2; . DNSKEY (3); badname.lan. A (2) | resolved 0
> ```
This is because the `iter_ns_badip.rpl` workaround allows the pushing of the same query to `rplan` twice in a row, which leads to multiple tries with back-off of the timeout to resolve `. DNSKEY` or `a.root-servers.net AAAA` (if DNSSEC is turned off). The old selection implementation switches to TCP after a few tries and there the connection fails and the NS address is `flagged as 'bad'`.

Switching to TCP instead of backing off into big timeouts might be a good idea which might even help with the pathological cases that appear in `respdiff` now.

Milestone: 5.3.0

#648 server selection: implement a way to do asynchronous NS name resolution
https://gitlab.nic.cz/knot/knot-resolver/-/issues/648
Updated: 2020-11-30T14:11:28+01:00 | Author: Štěpán Balážik

The following discussion from !1030 should be addressed:
- [ ] @pspacek started a [discussion](https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1030#note_184348): (+6 comments)

> I do not see this flag in use. Is it intentional?

#647 server selection: collect and use TCP connection information
https://gitlab.nic.cz/knot/knot-resolver/-/issues/647
Updated: 2021-11-08T13:39:08+01:00 | Author: Štěpán Balážik

The following discussion from !1030 should be addressed:
- [ ] @pspacek started a [discussion](https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1030#note_184337): (+3 comments)

> I'm either blind or it is not used anywhere. Can you point me to the place where it gets used, please?
`tcp_waiting` and `tcp_connected`, and the respective function and its calls, have been commented out (in 6ef74faf922c5962401747b5aa3a9e01e92e50ff) until we use this information in the server selection process.

This will ultimately be related to #629, for example.

#645 FORMERR does not trigger EDNS fallback
https://gitlab.nic.cz/knot/knot-resolver/-/issues/645
Updated: 2021-10-11T13:06:06+02:00 | Author: Petr Špaček

Version: 5.2.0
Domain `spam.molax.co.kr.` qtype `A` does not work with EDNS. Auth servers correctly return FORMERR but kresd 5.2.0 does not fall back to non-EDNS and SERVFAILs the request from the client.

[spam.molax.co.kr.A.log](/uploads/edde70e988fcf6ab810e693802c8896d/spam.molax.co.kr.A.log)
We need to:
- fix kresd
- investigate why the test https://gitlab.nic.cz/knot/deckard/-/blob/master/sets/resolver/iter_formerr.rpl did not detect this and fix it!

#643 SAD DNS (Side channel AttackeD DNS)
https://gitlab.nic.cz/knot/knot-resolver/-/issues/643
Updated: 2021-01-28T09:36:23+01:00 | Author: Matt Taggart

New DNS cache poisoning attack, https://www.saddns.net/
I scanned the [paper](https://dl.acm.org/doi/pdf/10.1145/3372297.3417280) and it explicitly mentions bind, unbound, and dnsmasq as being affected, no mention either way for knot. I'm not sure if they make their tests available. Maybe it makes the most sense to contact the authors and work with them (I wish they had reached out to knot).

#642 Can't resolve www.hashicorp.com
https://gitlab.nic.cz/knot/knot-resolver/-/issues/642
Updated: 2020-11-12T20:24:46+01:00 | Author: Thushjandan

Knot resolver returns the IP 0.0.0.0 for www.hashicorp.com instead of the correct IP. It looks like it doesn't use the A record, which was returned with the CNAME in the first request.
I am using Knot resolver version 5.2.0. Is it maybe a bug or can I change the behavior?
Resolve www.hashicorp.com from Knot resolver.
```
$ dig @192.168.12.90 www.hashicorp.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.168.12.90 www.hashicorp.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52565
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.hashicorp.com. IN A
;; ANSWER SECTION:
www.hashicorp.com. 300 IN CNAME cname.vercel-dns.com.
cname.vercel-dns.com. 60 IN A 0.0.0.0
;; Query time: 217 msec
;; SERVER: 192.168.12.90#53(192.168.12.90)
;; WHEN: Thu Nov 12 19:23:39 CET 2020
;; MSG SIZE rcvd: 93
```
Resolve from Cloudflare DNS
```
$ dig @1.1.1.2 www.hashicorp.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @1.1.1.2 www.hashicorp.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44228
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.hashicorp.com. IN A
;; ANSWER SECTION:
www.hashicorp.com. 300 IN CNAME cname.vercel-dns.com.
cname.vercel-dns.com. 60 IN A 76.76.21.21
;; Query time: 22 msec
;; SERVER: 1.1.1.2#53(1.1.1.2)
;; WHEN: Thu Nov 12 19:23:31 CET 2020
;; MSG SIZE rcvd: 93
```
Trace from the Knot resolver:
```
$ curl http://192.168.12.90:8453/trace/www.hashicorp.com
[69907.00][iter] 'www.hashicorp.com.' type 'A' new uid was assigned .01, parent uid .00
[69907.01][cach] => skipping unfit CNAME RR: rank 030, new TTL -26745
[69907.01][cach] => no NSEC* cached for zone: hashicorp.com.
[69907.01][cach] => skipping zone: hashicorp.com., NSEC, hash 0;new TTL -123456789, ret -2
[69907.01][cach] => skipping zone: hashicorp.com., NSEC, hash 0;new TTL -123456789, ret -2
[69907.01][plan] plan '.' type 'DNSKEY' uid [69907.02]
[69907.02][iter] '.' type 'DNSKEY' new uid was assigned .03, parent uid .01
[69907.03][cach] => satisfied by exact RRset: rank 060, new TTL 6959
[69907.03][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 21761
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
. DNSKEY
;; ANSWER SECTION
. 6959 DNSKEY 256 3 8 AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfiobeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5CsDVbMmhTD0C0yxWICRQ1M+Y5/XkZAT7mt4cb3fWcN9xgyq1wEXQX+zdLQHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jEhCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewD+BvSnmnNHNmH2FjUE8=
. 6959 DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
. 172800 RRSIG DNSKEY 8 0 172800 20201201000000 20201110000000 20326 . SkIHirgYkYi7NAig66n3yDX00Vmu+nbdwNrjHq3b8F9MjOKrWkymnBpbu/mvkhNhzCEk/6lAkE6u/7oqvu09uP9hvnTTBRVKUk3JjWBROe0RhQqlmwxb7Vu9s2ag9Tr67zHUKj1/0xBvqRCfq3EPSqd/CjWYw+93s4+32ZEkMmLGdAu5I5phTgAxesjCy550m7xsFwWo5SKotP3g1420D4iaCpZE1SpkEybQ9WoveCWBNnZnnMI8BdN33W+EOVHEkAKevYRYIpG93XP/IeIcf3MetEmBt+DD0AcGIyorfiBQVrvNsha1Ek+iMm59KS8pYqiXhS1zmFz91cvKueMgsQ==
[69907.03][iter] <= rcode: NOERROR
[69907.03][vldr] <= parent: updating DNSKEY
[69907.03][vldr] <= answer valid, OK
[69907.01][iter] 'www.hashicorp.com.' type 'A' new uid was assigned .04, parent uid .00
[69907.04][plan] plan 'com.' type 'DS' uid [69907.05]
[69907.05][iter] 'com.' type 'DS' new uid was assigned .06, parent uid .04
[69907.06][cach] => satisfied by exact RRset: rank 060, new TTL 80465
[69907.06][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 13789
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
com. DS
;; ANSWER SECTION
com. 80465 DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766
com. 86400 RRSIG DS 8 1 86400 20201125050000 20201112040000 26116 . RowjzJyN/XzMW/4Rpt2D4wPdI/cHQHlX05FhT/WQ0QXSat/0T4kzM+ND+R7lQNnOf6i2rC0ZAxwnEbbKyUHZl8eXdLMVmNSWfVKaQQ6LOUB9k2TBbBY6v4M4vCt1VH++CwYkLafxVs8QuhUTYXmhPdfWAlRQTdZEvAdltuhIDpsYhjRMh67LO12fCD1j54JGRJvoJP+mi7gSQ9VrLwc4fyiAqLbirbHXWtWO6jehnN3hdPLquFgVNJQaxqZUmE0LVSEheT6l3Dlckj9yFZ5WKE2WvHXgLE9F+A+1qK2e0o21Xy4hY0fXL9zL4nd83hHV3amWhVdWfLuio5OkJKZVsQ==
[69907.06][iter] <= rcode: NOERROR
[69907.06][vldr] <= DS: OK
[69907.06][vldr] <= parent: updating DS
[69907.06][vldr] <= answer valid, OK
[69907.04][iter] 'www.hashicorp.com.' type 'A' new uid was assigned .07, parent uid .00
[69907.07][plan] plan 'com.' type 'DNSKEY' uid [69907.08]
[69907.08][iter] 'com.' type 'DNSKEY' new uid was assigned .09, parent uid .07
[69907.09][cach] => satisfied by exact RRset: rank 060, new TTL 4771
[69907.09][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 32862
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
com. DNSKEY
;; ANSWER SECTION
com. 4771 DNSKEY 256 3 8 AwEAAadfNlrLwDe1W0klTRoNDeeEfZAop76YMUvOtl2pu0lXE5Fzj1sDROflxnOGTI9RfwrA0rD0ixBkW32Pu1nheytLBrPZ32hva+iY8jYQ/TPiMsbc/soa8KHQ77eaJtJAImc+VLuXrI1QmRyrywJWU1fkZ9GyPP5YAhgnttH6ZDXgMeJYjzs5CLfMiV9vAWFgJvy98bG97JP3PpHL9/8BTGM=
com. 4771 DNSKEY 257 3 8 AQPDzldNmMvZFX4NcNJ0uEnKDg7tmv/F3MyQR0lpBmVcNcsIszxNFxsBfKNW9JYCYqpik8366LE7VbIcNRzfp2h9OO8HRl+H+E08zauK8k7evWEmu/6od+2boggPoiEfGNyvNPaSI7FOIroDsnw/taggzHRX1Z7SOiOiPWPNIwSUyWOZ79VmcQ1GLkC6NlYvG3HwYmynQv6oFwGv/KELSw7ZSdrbTQ0HXvZbqMUI7BaMskmvgm1G7oKZ1YiF7O9ioVNc0+7ASbqmZN7Z98EGU/Qh2K/BgUe8Hs0XVcdPKrtyYnoQHd2ynKPcMMlTEih2/2HDHjRPJ2aywIpKNnv4oPo/
com. 86400 RRSIG DNSKEY 8 1 86400 20201126192421 20201111191921 30909 com. p+3loL9LZjCTV2qOLVrHGTQUJpRsILARSVfNyu3DgnMKL+PnyAf01536ptf8R4hOL5dotMExgKySfE3MjogoWz+Y+C34jYoasWKTctMmT8xDW5Cv7Md3Apz7XyXprdy6aZedWfDTeWvYPgGOhLVY7KnL2TezDQ0n08lpeK70QJv6kD9kCTfwq45VWo5aPhDTFt7RqW7Qlkva0GtnYdSJRiH7QtfIvLZddp6ZIAZ/7INllsbdIn0THHPPiiyYwe7WEz25cEU6LR9t7NdmLjEFwgCD5IJzcWk0VXy9Ca9b/17hodH7HsvlR1hrx56ay0SQ2E16wAfKhYlLGAENMzQnWg==
[69907.09][iter] <= rcode: NOERROR
[69907.09][vldr] <= parent: updating DNSKEY
[69907.09][vldr] <= answer valid, OK
[69907.07][iter] 'www.hashicorp.com.' type 'A' new uid was assigned .10, parent uid .00
[69907.10][plan] plan 'hashicorp.com.' type 'DS' uid [69907.11]
[69907.11][iter] 'hashicorp.com.' type 'DS' new uid was assigned .12, parent uid .10
[69907.12][cach] => skipping exact packet: rank 060 (min. 030), new TTL -26145
[69907.12][cach] => trying zone: ., NSEC, hash 0
[69907.12][cach] => NSEC sname: range search miss (!covers)
[69907.12][cach] => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
[69907.12][resl] => id: '16684' querying: '2606:4700:4700::1112#00053' score: 1 zone cut: 'com.' qname: 'HasHiCorP.Com.' qtype: 'DS' proto: 'udp'
[69907.12][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 16684
;; Flags: qr rd ra cd QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
hashicorp.com. DS
;; AUTHORITY SECTION
com. 209 SOA a.gtld-servers.net. nstld.verisign-grs.com. 1605203800 1800 900 604800 86400
com. 900 RRSIG SOA 8 1 900 20201119175640 20201112164640 31510 com. jvN32o59bVS1f8KkIEFLP4NtQg41m8sOAqbzFVixQGSZQewKOJZ+lzJx472f+/pGBe+77RySnHKUH4X50r61wnrU3HoTF0WVyPsB7Zecav8qk/WF0kKVoOjUeKytIWd30noatVI+AEaYf2f5wfaRYDRFtRHONf8W09i9W74IoPlH+8/3agwgrt9Ph5LWpYFjjIbpY9pD5D4VNSrFV6lgXw==
ck0pojmg874ljref7efn8430qvit8bsm.com. 85709 NSEC3 1 1 0 - ck0q1gin43n1arrc9osm6qpqr81h5m9a NS SOA RRSIG DNSKEY NSEC3PARAM
ck0pojmg874ljref7efn8430qvit8bsm.com. 86400 RRSIG NSEC3 8 2 86400 20201117054050 20201110043050 31510 com. QcCRv0+WLMMhx/fo86861gisW7X+bjfa2dNfTCc8NT+8lGOccnPlELGCrupodzjN4aJ8eSDV6k2y5c+S8LdA2N9hRmN6gKA+BjRxIcdh2Yg5v1UUoG4/szoFZT34lzkDX8KtIePwBGIEH8LEMXYhf3gtkD7TLd5UfNpokZwyzEeeRQz5eD68Ax1bO4TkaYRN2Z9KiiE6SzQRMXuhSmg2Cw==
55ajmvj26qps66dvcfjf4qgitlh6olfd.com. 85709 NSEC3 1 1 0 - 55ak9166puhhq99kh7ojjhtk6un1fvs4 NS DS RRSIG
55ajmvj26qps66dvcfjf4qgitlh6olfd.com. 86400 RRSIG NSEC3 8 2 86400 20201116053951 20201109042951 31510 com. CVq6J1Gcv3Hu/lYiYwMCN4waTw6rlshFq2mdItEiBTLGRcPm3myhOL1GveU5lLe6s+xkTKjZdJ6yRRCbZoip/aV8QbQbMW4TDIe4LKeOpSdOltNt9cG0fpjSW6kBP3xnG/EH4ziq7Jq+OXAx4aaW+j2MkPeFwWkd44EdqoIJwZnyl2LmN7GS2VXzwVyonD7uKPf2OmQsNRQNcgxm+Y7PMg==
;; ADDITIONAL SECTION
[69907.12][iter] <= rcode: NOERROR
[69907.12][vldr] <= can't prove NODATA due to optout, going insecure
[69907.12][vldr] <= parent: updating DS
[69907.12][vldr] <= answer valid, OK
[69907.12][cach] => stashed com. SOA, rank 060, 266 B total, incl. 1 RRSIGs
[69907.12][cach] => stashed packet: rank 060, TTL 209, DS hashicorp.com. (871 B)
[69907.12][resl] <= server: '2606:4700:4700::1112' rtt: 14 ms
[69907.10][iter] 'www.hashicorp.com.' type 'A' new uid was assigned .13, parent uid .00
[69907.13][plan] plan 'hashicorp.com.' type 'NS' uid [69907.14]
[69907.14][iter] 'hashicorp.com.' type 'NS' new uid was assigned .15, parent uid .13
[69907.15][cach] => skipping exact RR: rank 020 (min. 030), new TTL 56518
[69907.15][cach] => no NSEC* cached for zone: hashicorp.com.
[69907.15][cach] => skipping zone: hashicorp.com., NSEC, hash 0;new TTL -123456789, ret -2
[69907.15][cach] => skipping zone: hashicorp.com., NSEC, hash 0;new TTL -123456789, ret -2
[69907.15][resl] => id: '60605' querying: '2606:4700:4700::1112#00053' score: 1 zone cut: 'com.' qname: 'hASHicorp.coM.' qtype: 'NS' proto: 'udp'
[69907.15][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 60605
;; Flags: qr rd ra cd QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
hashicorp.com. NS
;; ANSWER SECTION
hashicorp.com. 86400 NS sam.ns.cloudflare.com.
hashicorp.com. 86400 NS zara.ns.cloudflare.com.
;; ADDITIONAL SECTION
[69907.15][iter] <= rcode: NOERROR
[69907.15][cach] => not overwriting NS hashicorp.com.
[69907.15][resl] <= server: '2606:4700:4700::1112' rtt: 15 ms
[69907.13][iter] 'www.hashicorp.com.' type 'A' new uid was assigned .16, parent uid .00
[69907.16][resl] => id: '54728' querying: '2606:4700:4700::1112#00053' score: 1 zone cut: 'hashicorp.com.' qname: 'www.hAsHIcorp.coM.' qtype: 'A' proto: 'udp'
[69907.16][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 54728
;; Flags: qr rd ra cd QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
www.hashicorp.com. A
;; ANSWER SECTION
www.hashicorp.com. 300 CNAME cname.vercel-dns.com.
cname.vercel-dns.com. 60 A 76.76.21.21
;; ADDITIONAL SECTION
[69907.16][iter] <= rcode: NOERROR
[69907.16][iter] <= cname chain, following
[69907.16][cach] => stashed www.hashicorp.com. CNAME, rank 030, 38 B total, incl. 0 RRSIGs
[69907.16][resl] <= server: '2606:4700:4700::1112' rtt: 23 ms
[69907.17][iter] 'cname.vercel-dns.com.' type 'A' new uid was assigned .18, parent uid .00
[69907.18][cach] => skipping exact RR: rank 030 (min. 030), new TTL -26922
[69907.18][cach] => no NSEC* cached for zone: vercel-dns.com.
[69907.18][cach] => skipping zone: vercel-dns.com., NSEC, hash 0;new TTL -123456789, ret -2
[69907.18][cach] => skipping zone: vercel-dns.com., NSEC, hash 0;new TTL -123456789, ret -2
[69907.18][plan] plan '.' type 'DNSKEY' uid [69907.19]
[69907.19][iter] '.' type 'DNSKEY' new uid was assigned .20, parent uid .18
[69907.20][cach] => satisfied by exact RRset: rank 060, new TTL 6959
[69907.20][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 39615
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
. DNSKEY
;; ANSWER SECTION
. 6959 DNSKEY 256 3 8 AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfiobeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5CsDVbMmhTD0C0yxWICRQ1M+Y5/XkZAT7mt4cb3fWcN9xgyq1wEXQX+zdLQHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jEhCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewD+BvSnmnNHNmH2FjUE8=
. 6959 DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
. 172800 RRSIG DNSKEY 8 0 172800 20201201000000 20201110000000 20326 . SkIHirgYkYi7NAig66n3yDX00Vmu+nbdwNrjHq3b8F9MjOKrWkymnBpbu/mvkhNhzCEk/6lAkE6u/7oqvu09uP9hvnTTBRVKUk3JjWBROe0RhQqlmwxb7Vu9s2ag9Tr67zHUKj1/0xBvqRCfq3EPSqd/CjWYw+93s4+32ZEkMmLGdAu5I5phTgAxesjCy550m7xsFwWo5SKotP3g1420D4iaCpZE1SpkEybQ9WoveCWBNnZnnMI8BdN33W+EOVHEkAKevYRYIpG93XP/IeIcf3MetEmBt+DD0AcGIyorfiBQVrvNsha1Ek+iMm59KS8pYqiXhS1zmFz91cvKueMgsQ==
[69907.20][iter] <= rcode: NOERROR
[69907.20][vldr] <= parent: updating DNSKEY
[69907.20][vldr] <= answer valid, OK
[69907.18][iter] 'cname.vercel-dns.com.' type 'A' new uid was assigned .21, parent uid .00
[69907.21][plan] plan 'com.' type 'DS' uid [69907.22]
[69907.22][iter] 'com.' type 'DS' new uid was assigned .23, parent uid .21
[69907.23][cach] => satisfied by exact RRset: rank 060, new TTL 80465
[69907.23][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 40853
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
com. DS
;; ANSWER SECTION
com. 80465 DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766
com. 86400 RRSIG DS 8 1 86400 20201125050000 20201112040000 26116 . RowjzJyN/XzMW/4Rpt2D4wPdI/cHQHlX05FhT/WQ0QXSat/0T4kzM+ND+R7lQNnOf6i2rC0ZAxwnEbbKyUHZl8eXdLMVmNSWfVKaQQ6LOUB9k2TBbBY6v4M4vCt1VH++CwYkLafxVs8QuhUTYXmhPdfWAlRQTdZEvAdltuhIDpsYhjRMh67LO12fCD1j54JGRJvoJP+mi7gSQ9VrLwc4fyiAqLbirbHXWtWO6jehnN3hdPLquFgVNJQaxqZUmE0LVSEheT6l3Dlckj9yFZ5WKE2WvHXgLE9F+A+1qK2e0o21Xy4hY0fXL9zL4nd83hHV3amWhVdWfLuio5OkJKZVsQ==
[69907.23][iter] <= rcode: NOERROR
[69907.23][vldr] <= DS: OK
[69907.23][vldr] <= parent: updating DS
[69907.23][vldr] <= answer valid, OK
[69907.21][iter] 'cname.vercel-dns.com.' type 'A' new uid was assigned .24, parent uid .00
[69907.24][plan] plan 'com.' type 'DNSKEY' uid [69907.25]
[69907.25][iter] 'com.' type 'DNSKEY' new uid was assigned .26, parent uid .24
[69907.26][cach] => satisfied by exact RRset: rank 060, new TTL 4771
[69907.26][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 1785
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
com. DNSKEY
;; ANSWER SECTION
com. 4771 DNSKEY 256 3 8 AwEAAadfNlrLwDe1W0klTRoNDeeEfZAop76YMUvOtl2pu0lXE5Fzj1sDROflxnOGTI9RfwrA0rD0ixBkW32Pu1nheytLBrPZ32hva+iY8jYQ/TPiMsbc/soa8KHQ77eaJtJAImc+VLuXrI1QmRyrywJWU1fkZ9GyPP5YAhgnttH6ZDXgMeJYjzs5CLfMiV9vAWFgJvy98bG97JP3PpHL9/8BTGM=
com. 4771 DNSKEY 257 3 8 AQPDzldNmMvZFX4NcNJ0uEnKDg7tmv/F3MyQR0lpBmVcNcsIszxNFxsBfKNW9JYCYqpik8366LE7VbIcNRzfp2h9OO8HRl+H+E08zauK8k7evWEmu/6od+2boggPoiEfGNyvNPaSI7FOIroDsnw/taggzHRX1Z7SOiOiPWPNIwSUyWOZ79VmcQ1GLkC6NlYvG3HwYmynQv6oFwGv/KELSw7ZSdrbTQ0HXvZbqMUI7BaMskmvgm1G7oKZ1YiF7O9ioVNc0+7ASbqmZN7Z98EGU/Qh2K/BgUe8Hs0XVcdPKrtyYnoQHd2ynKPcMMlTEih2/2HDHjRPJ2aywIpKNnv4oPo/
com. 86400 RRSIG DNSKEY 8 1 86400 20201126192421 20201111191921 30909 com. p+3loL9LZjCTV2qOLVrHGTQUJpRsILARSVfNyu3DgnMKL+PnyAf01536ptf8R4hOL5dotMExgKySfE3MjogoWz+Y+C34jYoasWKTctMmT8xDW5Cv7Md3Apz7XyXprdy6aZedWfDTeWvYPgGOhLVY7KnL2TezDQ0n08lpeK70QJv6kD9kCTfwq45VWo5aPhDTFt7RqW7Qlkva0GtnYdSJRiH7QtfIvLZddp6ZIAZ/7INllsbdIn0THHPPiiyYwe7WEz25cEU6LR9t7NdmLjEFwgCD5IJzcWk0VXy9Ca9b/17hodH7HsvlR1hrx56ay0SQ2E16wAfKhYlLGAENMzQnWg==
[69907.26][iter] <= rcode: NOERROR
[69907.26][vldr] <= parent: updating DNSKEY
[69907.26][vldr] <= answer valid, OK
[69907.24][iter] 'cname.vercel-dns.com.' type 'A' new uid was assigned .27, parent uid .00
[69907.27][plan] plan 'vercel-dns.com.' type 'DS' uid [69907.28]
[69907.28][iter] 'vercel-dns.com.' type 'DS' new uid was assigned .29, parent uid .27
[69907.29][cach] => skipping exact packet: rank 060 (min. 030), new TTL -26566
[69907.29][cach] => trying zone: ., NSEC, hash 0
[69907.29][cach] => NSEC sname: range search miss (!covers)
[69907.29][cach] => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
[69907.29][resl] => id: '24114' querying: '2606:4700:4700::1112#00053' score: 1 zone cut: 'com.' qname: 'VErCel-dNs.coM.' qtype: 'DS' proto: 'udp'
[69907.29][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 24114
;; Flags: qr rd ra cd QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
vercel-dns.com. DS
;; AUTHORITY SECTION
com. 900 SOA a.gtld-servers.net. nstld.verisign-grs.com. 1605204490 1800 900 604800 86400
com. 900 RRSIG SOA 8 1 900 20201119180810 20201112165810 31510 com. jHymJ9+FoWKJ80bnJyvqpgPlbEW+uaIT9lFNMNgZUf+lgp3NaR+e0F59wN36B/R4eL2ejbB+I5x3vWK9MgD6wt0f+1AK84nAEDNYndp5CYRtjTNBHGeieO6S/RJKUJQSTjM3KKlewVT0QoRtNiRjhJ4VsdeX85AoMfOcxup9kDHnq2UN4RFr/ba2w9Y9z5ajEaKip2GraYYZt7mUOKF7mw==
ck0pojmg874ljref7efn8430qvit8bsm.com. 86400 NSEC3 1 1 0 - ck0q1gin43n1arrc9osm6qpqr81h5m9a NS SOA RRSIG DNSKEY NSEC3PARAM
ck0pojmg874ljref7efn8430qvit8bsm.com. 86400 RRSIG NSEC3 8 2 86400 20201117054050 20201110043050 31510 com. QcCRv0+WLMMhx/fo86861gisW7X+bjfa2dNfTCc8NT+8lGOccnPlELGCrupodzjN4aJ8eSDV6k2y5c+S8LdA2N9hRmN6gKA+BjRxIcdh2Yg5v1UUoG4/szoFZT34lzkDX8KtIePwBGIEH8LEMXYhf3gtkD7TLd5UfNpokZwyzEeeRQz5eD68Ax1bO4TkaYRN2Z9KiiE6SzQRMXuhSmg2Cw==
28va0kf9hvfvhk3rij8dd0uhlvld2bk3.com. 86400 NSEC3 1 1 0 - 28vasp4p2jno8gj0l2doqd24npevik9l NS DS RRSIG
28va0kf9hvfvhk3rij8dd0uhlvld2bk3.com. 86400 RRSIG NSEC3 8 2 86400 20201118070201 20201111055201 31510 com. gvdrxGsODv/hZtLqUzZcSG+LVJPJX2gEEWj9eulb3jtooiG7dpUZnRVcbXauZZ6jaW62u0JKxjjYY13/1adnBtvCSAZBKLVFZtmq2N9JEfxKRpcm1+p6R72NcY3QDML4jdCOS2VfFHIFH1SjpxQEK9VM6F+A6UDJVshb7mjG8t0HTo2ag+tVynJxl1jsqKnIaQxGo8lHmXqjMrOPRAhTXQ==
;; ADDITIONAL SECTION
[69907.29][iter] <= rcode: NOERROR
[69907.29][vldr] <= can't prove NODATA due to optout, going insecure
[69907.29][vldr] <= parent: updating DS
[69907.29][vldr] <= answer valid, OK
[69907.29][cach] => stashed com. SOA, rank 060, 266 B total, incl. 1 RRSIGs
[69907.29][cach] => stashed packet: rank 060, TTL 900, DS vercel-dns.com. (872 B)
[69907.29][resl] <= server: '2606:4700:4700::1112' rtt: 33 ms
[69907.27][iter] 'cname.vercel-dns.com.' type 'A' new uid was assigned .30, parent uid .00
[69907.30][plan] plan 'vercel-dns.com.' type 'NS' uid [69907.31]
[69907.31][iter] 'vercel-dns.com.' type 'NS' new uid was assigned .32, parent uid .30
[69907.32][cach] => skipping exact RR: rank 020 (min. 030), new TTL 5668
[69907.32][cach] => no NSEC* cached for zone: vercel-dns.com.
[69907.32][cach] => skipping zone: vercel-dns.com., NSEC, hash 0;new TTL -123456789, ret -2
[69907.32][cach] => skipping zone: vercel-dns.com., NSEC, hash 0;new TTL -123456789, ret -2
[69907.32][resl] => id: '37850' querying: '2606:4700:4700::1112#00053' score: 1 zone cut: 'com.' qname: 'VErcEL-dns.com.' qtype: 'NS' proto: 'udp'
[69907.32][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 37850
;; Flags: qr rd ra cd QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
vercel-dns.com. NS
;; ANSWER SECTION
vercel-dns.com. 86400 NS ns1.vercel-dns.com.
vercel-dns.com. 86400 NS ns2.vercel-dns.com.
;; ADDITIONAL SECTION
[69907.32][iter] <= rcode: NOERROR
[69907.32][cach] => not overwriting NS vercel-dns.com.
[69907.32][resl] <= server: '2606:4700:4700::1112' rtt: 18 ms
[69907.30][iter] 'cname.vercel-dns.com.' type 'A' new uid was assigned .33, parent uid .00
[69907.33][resl] => id: '36105' querying: '2606:4700:4700::1112#00053' score: 1 zone cut: 'vercel-dns.com.' qname: 'CNAmE.VeRcel-dns.cOm.' qtype: 'A' proto: 'udp'
[69907.33][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 36105
;; Flags: qr rd ra QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
cname.vercel-dns.com. A
;; ANSWER SECTION
cname.vercel-dns.com. 60 A 0.0.0.0
;; ADDITIONAL SECTION
[69907.33][iter] <= rcode: NOERROR
[69907.33][cach] => stashed cname.vercel-dns.com. A, rank 030, 20 B total, incl. 0 RRSIGs
[69907.33][resl] <= server: '2606:4700:4700::1112' rtt: 13 ms
[69907.33][resl] AD: request NOT classified as SECURE
[69907.33][resl] finished in state: 4, queries: 12, mempool: 163952 B
[69907.00][dbg ] selected rrsets from answer sections:
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 3, revalidations 0
. 6959 DNSKEY 256 3 8 AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfiobeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5CsDVbMmhTD0C0yxWICRQ1M+Y5/XkZAT7mt4cb3fWcN9xgyq1wEXQX+zdLQHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jEhCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewD+BvSnmnNHNmH2FjUE8=
. 6959 DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
; ranked rrset to_wire false, rank 021 (omit auth), cached false, qry_uid 3, revalidations 0
. 172800 RRSIG DNSKEY 8 0 172800 20201201000000 20201110000000 20326 . SkIHirgYkYi7NAig66n3yDX00Vmu+nbdwNrjHq3b8F9MjOKrWkymnBpbu/mvkhNhzCEk/6lAkE6u/7oqvu09uP9hvnTTBRVKUk3JjWBROe0RhQqlmwxb7Vu9s2ag9Tr67zHUKj1/0xBvqRCfq3EPSqd/CjWYw+93s4+32ZEkMmLGdAu5I5phTgAxesjCy550m7xsFwWo5SKotP3g1420D4iaCpZE1SpkEybQ9WoveCWBNnZnnMI8BdN33W+EOVHEkAKevYRYIpG93XP/IeIcf3MetEmBt+DD0AcGIyorfiBQVrvNsha1Ek+iMm59KS8pYqiXhS1zmFz91cvKueMgsQ==
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 6, revalidations 0
com. 80465 DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766
; ranked rrset to_wire false, rank 021 (omit auth), cached false, qry_uid 6, revalidations 0
com. 86400 RRSIG DS 8 1 86400 20201125050000 20201112040000 26116 . RowjzJyN/XzMW/4Rpt2D4wPdI/cHQHlX05FhT/WQ0QXSat/0T4kzM+ND+R7lQNnOf6i2rC0ZAxwnEbbKyUHZl8eXdLMVmNSWfVKaQQ6LOUB9k2TBbBY6v4M4vCt1VH++CwYkLafxVs8QuhUTYXmhPdfWAlRQTdZEvAdltuhIDpsYhjRMh67LO12fCD1j54JGRJvoJP+mi7gSQ9VrLwc4fyiAqLbirbHXWtWO6jehnN3hdPLquFgVNJQaxqZUmE0LVSEheT6l3Dlckj9yFZ5WKE2WvHXgLE9F+A+1qK2e0o21Xy4hY0fXL9zL4nd83hHV3amWhVdWfLuio5OkJKZVsQ==
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 9, revalidations 0
com. 4771 DNSKEY 256 3 8 AwEAAadfNlrLwDe1W0klTRoNDeeEfZAop76YMUvOtl2pu0lXE5Fzj1sDROflxnOGTI9RfwrA0rD0ixBkW32Pu1nheytLBrPZ32hva+iY8jYQ/TPiMsbc/soa8KHQ77eaJtJAImc+VLuXrI1QmRyrywJWU1fkZ9GyPP5YAhgnttH6ZDXgMeJYjzs5CLfMiV9vAWFgJvy98bG97JP3PpHL9/8BTGM=
com. 4771 DNSKEY 257 3 8 AQPDzldNmMvZFX4NcNJ0uEnKDg7tmv/F3MyQR0lpBmVcNcsIszxNFxsBfKNW9JYCYqpik8366LE7VbIcNRzfp2h9OO8HRl+H+E08zauK8k7evWEmu/6od+2boggPoiEfGNyvNPaSI7FOIroDsnw/taggzHRX1Z7SOiOiPWPNIwSUyWOZ79VmcQ1GLkC6NlYvG3HwYmynQv6oFwGv/KELSw7ZSdrbTQ0HXvZbqMUI7BaMskmvgm1G7oKZ1YiF7O9ioVNc0+7ASbqmZN7Z98EGU/Qh2K/BgUe8Hs0XVcdPKrtyYnoQHd2ynKPcMMlTEih2/2HDHjRPJ2aywIpKNnv4oPo/
; ranked rrset to_wire false, rank 021 (omit auth), cached false, qry_uid 9, revalidations 0
com. 86400 RRSIG DNSKEY 8 1 86400 20201126192421 20201111191921 30909 com. p+3loL9LZjCTV2qOLVrHGTQUJpRsILARSVfNyu3DgnMKL+PnyAf01536ptf8R4hOL5dotMExgKySfE3MjogoWz+Y+C34jYoasWKTctMmT8xDW5Cv7Md3Apz7XyXprdy6aZedWfDTeWvYPgGOhLVY7KnL2TezDQ0n08lpeK70QJv6kD9kCTfwq45VWo5aPhDTFt7RqW7Qlkva0GtnYdSJRiH7QtfIvLZddp6ZIAZ/7INllsbdIn0THHPPiiyYwe7WEz25cEU6LR9t7NdmLjEFwgCD5IJzcWk0VXy9Ca9b/17hodH7HsvlR1hrx56ay0SQ2E16wAfKhYlLGAENMzQnWg==
; ranked rrset to_wire false, rank 020 (initial auth), cached false, qry_uid 15, revalidations 0
hashicorp.com. 86400 NS sam.ns.cloudflare.com.
hashicorp.com. 86400 NS zara.ns.cloudflare.com.
; ranked rrset to_wire true, rank 030 (insecure auth), cached true, qry_uid 16, revalidations 0
www.hashicorp.com. 300 CNAME cname.vercel-dns.com.
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 20, revalidations 0
. 6959 DNSKEY 256 3 8 AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfiobeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5CsDVbMmhTD0C0yxWICRQ1M+Y5/XkZAT7mt4cb3fWcN9xgyq1wEXQX+zdLQHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jEhCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewD+BvSnmnNHNmH2FjUE8=
. 6959 DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
; ranked rrset to_wire false, rank 021 (omit auth), cached false, qry_uid 20, revalidations 0
. 172800 RRSIG DNSKEY 8 0 172800 20201201000000 20201110000000 20326 . SkIHirgYkYi7NAig66n3yDX00Vmu+nbdwNrjHq3b8F9MjOKrWkymnBpbu/mvkhNhzCEk/6lAkE6u/7oqvu09uP9hvnTTBRVKUk3JjWBROe0RhQqlmwxb7Vu9s2ag9Tr67zHUKj1/0xBvqRCfq3EPSqd/CjWYw+93s4+32ZEkMmLGdAu5I5phTgAxesjCy550m7xsFwWo5SKotP3g1420D4iaCpZE1SpkEybQ9WoveCWBNnZnnMI8BdN33W+EOVHEkAKevYRYIpG93XP/IeIcf3MetEmBt+DD0AcGIyorfiBQVrvNsha1Ek+iMm59KS8pYqiXhS1zmFz91cvKueMgsQ==
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 23, revalidations 0
com. 80465 DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766
; ranked rrset to_wire false, rank 021 (omit auth), cached false, qry_uid 23, revalidations 0
com. 86400 RRSIG DS 8 1 86400 20201125050000 20201112040000 26116 . RowjzJyN/XzMW/4Rpt2D4wPdI/cHQHlX05FhT/WQ0QXSat/0T4kzM+ND+R7lQNnOf6i2rC0ZAxwnEbbKyUHZl8eXdLMVmNSWfVKaQQ6LOUB9k2TBbBY6v4M4vCt1VH++CwYkLafxVs8QuhUTYXmhPdfWAlRQTdZEvAdltuhIDpsYhjRMh67LO12fCD1j54JGRJvoJP+mi7gSQ9VrLwc4fyiAqLbirbHXWtWO6jehnN3hdPLquFgVNJQaxqZUmE0LVSEheT6l3Dlckj9yFZ5WKE2WvHXgLE9F+A+1qK2e0o21Xy4hY0fXL9zL4nd83hHV3amWhVdWfLuio5OkJKZVsQ==
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 26, revalidations 0
com. 4771 DNSKEY 256 3 8 AwEAAadfNlrLwDe1W0klTRoNDeeEfZAop76YMUvOtl2pu0lXE5Fzj1sDROflxnOGTI9RfwrA0rD0ixBkW32Pu1nheytLBrPZ32hva+iY8jYQ/TPiMsbc/soa8KHQ77eaJtJAImc+VLuXrI1QmRyrywJWU1fkZ9GyPP5YAhgnttH6ZDXgMeJYjzs5CLfMiV9vAWFgJvy98bG97JP3PpHL9/8BTGM=
com. 4771 DNSKEY 257 3 8 AQPDzldNmMvZFX4NcNJ0uEnKDg7tmv/F3MyQR0lpBmVcNcsIszxNFxsBfKNW9JYCYqpik8366LE7VbIcNRzfp2h9OO8HRl+H+E08zauK8k7evWEmu/6od+2boggPoiEfGNyvNPaSI7FOIroDsnw/taggzHRX1Z7SOiOiPWPNIwSUyWOZ79VmcQ1GLkC6NlYvG3HwYmynQv6oFwGv/KELSw7ZSdrbTQ0HXvZbqMUI7BaMskmvgm1G7oKZ1YiF7O9ioVNc0+7ASbqmZN7Z98EGU/Qh2K/BgUe8Hs0XVcdPKrtyYnoQHd2ynKPcMMlTEih2/2HDHjRPJ2aywIpKNnv4oPo/
; ranked rrset to_wire false, rank 021 (omit auth), cached false, qry_uid 26, revalidations 0
com. 86400 RRSIG DNSKEY 8 1 86400 20201126192421 20201111191921 30909 com. p+3loL9LZjCTV2qOLVrHGTQUJpRsILARSVfNyu3DgnMKL+PnyAf01536ptf8R4hOL5dotMExgKySfE3MjogoWz+Y+C34jYoasWKTctMmT8xDW5Cv7Md3Apz7XyXprdy6aZedWfDTeWvYPgGOhLVY7KnL2TezDQ0n08lpeK70QJv6kD9kCTfwq45VWo5aPhDTFt7RqW7Qlkva0GtnYdSJRiH7QtfIvLZddp6ZIAZ/7INllsbdIn0THHPPiiyYwe7WEz25cEU6LR9t7NdmLjEFwgCD5IJzcWk0VXy9Ca9b/17hodH7HsvlR1hrx56ay0SQ2E16wAfKhYlLGAENMzQnWg==
; ranked rrset to_wire false, rank 020 (initial auth), cached false, qry_uid 32, revalidations 0
vercel-dns.com. 86400 NS ns1.vercel-dns.com.
vercel-dns.com. 86400 NS ns2.vercel-dns.com.
; ranked rrset to_wire true, rank 030 (insecure auth), cached true, qry_uid 33, revalidations 0
cname.vercel-dns.com. 60 A 0.0.0.0
[69907.00][dbg ] selected rrsets from authority sections:
; ranked rrset to_wire false, rank 060 (secure auth), cached true, qry_uid 12, revalidations 0
com. 209 SOA a.gtld-servers.net. nstld.verisign-grs.com. 1605203800 1800 900 604800 86400
; ranked rrset to_wire false, rank 060 (secure auth), cached true, qry_uid 12, revalidations 0
com. 900 RRSIG SOA 8 1 900 20201119175640 20201112164640 31510 com. jvN32o59bVS1f8KkIEFLP4NtQg41m8sOAqbzFVixQGSZQewKOJZ+lzJx472f+/pGBe+77RySnHKUH4X50r61wnrU3HoTF0WVyPsB7Zecav8qk/WF0kKVoOjUeKytIWd30noatVI+AEaYf2f5wfaRYDRFtRHONf8W09i9W74IoPlH+8/3agwgrt9Ph5LWpYFjjIbpY9pD5D4VNSrFV6lgXw==
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 12, revalidations 0
ck0pojmg874ljref7efn8430qvit8bsm.com. 85709 NSEC3 1 1 0 - ck0q1gin43n1arrc9osm6qpqr81h5m9a NS SOA RRSIG DNSKEY NSEC3PARAM
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 12, revalidations 0
ck0pojmg874ljref7efn8430qvit8bsm.com. 86400 RRSIG NSEC3 8 2 86400 20201117054050 20201110043050 31510 com. QcCRv0+WLMMhx/fo86861gisW7X+bjfa2dNfTCc8NT+8lGOccnPlELGCrupodzjN4aJ8eSDV6k2y5c+S8LdA2N9hRmN6gKA+BjRxIcdh2Yg5v1UUoG4/szoFZT34lzkDX8KtIePwBGIEH8LEMXYhf3gtkD7TLd5UfNpokZwyzEeeRQz5eD68Ax1bO4TkaYRN2Z9KiiE6SzQRMXuhSmg2Cw==
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 12, revalidations 0
55ajmvj26qps66dvcfjf4qgitlh6olfd.com. 85709 NSEC3 1 1 0 - 55ak9166puhhq99kh7ojjhtk6un1fvs4 NS DS RRSIG
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 12, revalidations 0
55ajmvj26qps66dvcfjf4qgitlh6olfd.com. 86400 RRSIG NSEC3 8 2 86400 20201116053951 20201109042951 31510 com. CVq6J1Gcv3Hu/lYiYwMCN4waTw6rlshFq2mdItEiBTLGRcPm3myhOL1GveU5lLe6s+xkTKjZdJ6yRRCbZoip/aV8QbQbMW4TDIe4LKeOpSdOltNt9cG0fpjSW6kBP3xnG/EH4ziq7Jq+OXAx4aaW+j2MkPeFwWkd44EdqoIJwZnyl2LmN7GS2VXzwVyonD7uKPf2OmQsNRQNcgxm+Y7PMg==
; ranked rrset to_wire false, rank 060 (secure auth), cached true, qry_uid 29, revalidations 0
com. 900 SOA a.gtld-servers.net. nstld.verisign-grs.com. 1605204490 1800 900 604800 86400
; ranked rrset to_wire false, rank 060 (secure auth), cached true, qry_uid 29, revalidations 0
com. 900 RRSIG SOA 8 1 900 20201119180810 20201112165810 31510 com. jHymJ9+FoWKJ80bnJyvqpgPlbEW+uaIT9lFNMNgZUf+lgp3NaR+e0F59wN36B/R4eL2ejbB+I5x3vWK9MgD6wt0f+1AK84nAEDNYndp5CYRtjTNBHGeieO6S/RJKUJQSTjM3KKlewVT0QoRtNiRjhJ4VsdeX85AoMfOcxup9kDHnq2UN4RFr/ba2w9Y9z5ajEaKip2GraYYZt7mUOKF7mw==
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 29, revalidations 0
ck0pojmg874ljref7efn8430qvit8bsm.com. 86400 NSEC3 1 1 0 - ck0q1gin43n1arrc9osm6qpqr81h5m9a NS SOA RRSIG DNSKEY NSEC3PARAM
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 29, revalidations 0
ck0pojmg874ljref7efn8430qvit8bsm.com. 86400 RRSIG NSEC3 8 2 86400 20201117054050 20201110043050 31510 com. QcCRv0+WLMMhx/fo86861gisW7X+bjfa2dNfTCc8NT+8lGOccnPlELGCrupodzjN4aJ8eSDV6k2y5c+S8LdA2N9hRmN6gKA+BjRxIcdh2Yg5v1UUoG4/szoFZT34lzkDX8KtIePwBGIEH8LEMXYhf3gtkD7TLd5UfNpokZwyzEeeRQz5eD68Ax1bO4TkaYRN2Z9KiiE6SzQRMXuhSmg2Cw==
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 29, revalidations 0
28va0kf9hvfvhk3rij8dd0uhlvld2bk3.com. 86400 NSEC3 1 1 0 - 28vasp4p2jno8gj0l2doqd24npevik9l NS DS RRSIG
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 29, revalidations 0
28va0kf9hvfvhk3rij8dd0uhlvld2bk3.com. 86400 RRSIG NSEC3 8 2 86400 20201118070201 20201111055201 31510 com. gvdrxGsODv/hZtLqUzZcSG+LVJPJX2gEEWj9eulb3jtooiG7dpUZnRVcbXauZZ6jaW62u0JKxjjYY13/1adnBtvCSAZBKLVFZtmq2N9JEfxKRpcm1+p6R72NcY3QDML4jdCOS2VfFHIFH1SjpxQEK9VM6F+A6UDJVshb7mjG8t0HTo2ag+tVynJxl1jsqKnIaQxGo8lHmXqjMrOPRAhTXQ==
```
https://gitlab.nic.cz/knot/knot-resolver/-/issues/640
remove SAFEMODE
2021-02-09T13:54:01+01:00
Štěpán Balážik
I have no real solution in mind, I'll just keep a running list of what `SAFEMODE` does here, since I have been bitten in the backparts by it multiple times and the documentation really doesn't cut it (“Don’t use fancy stuff (EDNS, 0x20, …)”).
* turns off `0x20` randomization
* turns off server selection (to be changed in !1030)
* turns off some EDNS stuff that I don't understand
* ensures that there is a retry after REFUSED (see code below; this means that if you overwrite `query->SAFEMODE` after this, the resolver may cycle on REFUSED)
```
static int resolve_badmsg(knot_pkt_t *pkt, struct kr_request *req, struct kr_query *query)
{
#ifndef STRICT_MODE
    /* Work around broken auths/load balancers */
    if (query->flags.SAFEMODE) {
        return resolve_error(pkt, req);
    } else if (query->flags.NO_MINIMIZE) {
        query->flags.SAFEMODE = true;
        return KR_STATE_DONE;
    } else {
        query->flags.NO_MINIMIZE = true;
        return KR_STATE_DONE;
    }
#else
    return resolve_error(pkt, req);
#endif
}
```
Removing it is probably a better idea: especially with the new server selection error reporting we could probably make the workarounds more granular than they are now.
https://gitlab.nic.cz/knot/knot-resolver/-/issues/639
kdig TLS, handshake failed (A TLS fatal alert has been received.)
2020-11-05T10:38:44+01:00
Windy G
I am trying DNS resolution via HTTPS. Other popular servers (google, cloudflare) work fine, but fail to run with `free.bravedns.com`, which is one of the URLs provided by the `curl` project here: https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers
```
kdig -d @free.bravedns.com +https=/dns-query +https-get example.com -t A -4
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(free.bravedns.com), port(443), protocol(TCP)
;; WARNING: TLS, handshake failed (A TLS fatal alert has been received.)
;; WARNING: TLS, handshake failed (A TLS fatal alert has been received.)
;; WARNING: TLS, handshake failed (A TLS fatal alert has been received.)
;; ERROR: failed to query server free.bravedns.com@443(TCP)
```
Resolving the same domain using the same server with `curl` works fine though:
```
curl -H 'accept: application/dns-json' 'https://free.bravedns.com/dns-query?name=example.com&type=A'
"Status":0,"TC":false,"RD":true,"RA":true,"AD":true,"CD":false,"Question":[{"name":"example.com","type":1}],"Answer":[{"name":"example.com","type":1,"TTL":77546,"data":"93.184.216.34"}]}
```
Similarly, I could use `doh-jp.blahdns.com` with `curl` but got errors with `kdig`.
```
kdig -d @doh-jp.blahdns.com +https=/dns-query example.com -t A -4 +timeout=15
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(doh-jp.blahdns.com), port(443), protocol(TCP)
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, CN=dot-jp.blahdns.com
;; DEBUG: SHA-256 PIN: gIoiNFxX1Nw+7/pVsmUKBU941bMBYjEYuB2T9drULOM=
;; DEBUG: #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
;; DEBUG: SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, skipping certificate verification
;; WARNING: TLS, peer has closed the connection
;; ERROR: failed to query server doh-jp.blahdns.com@443(TCP)
```
```
curl -H 'accept: application/dns-json' 'https://doh-jp.blahdns.com/dns-query?name=example.com&type=A'
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":true,"CD":false,"Question":[{"name":"example.com.","type":1}],"Answer":[{"name":"example.com.","type":1,"TTL":26102,"Expires":"Thu, 05 Nov 2020 13:36:21 UTC","data":"93.184.216.34"},{"name":"example.com.","type":46,"TTL":26102,"Expires":"Thu, 05 Nov 2020 13:36:21 UTC","data":"A 8 2 86400 20201115051118 20201025154454 62811 example.com. P8BE247EZ54+DZ1aZOVDYv3MxnxT+XAmd1W41PyBCB0QopMxAe7l6brVVXQtfDwsY6wL71BKZL7eTsyWYP9x4JQTYeY6UIwXeuOQ+uS8A+fGlQBaaPCIZCw0JQQTCCmCmmrrwpkIDAiunF0UOeRZl3CzE5QOX0lw4db/3M6nIKg="}]}
```
https://gitlab.nic.cz/knot/knot-resolver/-/issues/638
[discussion] cache backend redesign
2020-12-04T16:34:21+01:00
Petr Špaček
Let's discuss problems we have with current LMDB-based cache backend. We need to analyze if these are fixable or we need to redesign cache backend.
Problems with LMDB itself
- Database overfill leads to an irrecoverable state where the DB practically becomes read-only and the only ways forward are either to enlarge the database or to delete it. Together with the inability to detect whether committing a transaction will lead to this state, this prevents us from reliably keeping the cache at a constant size, leading to race conditions in overflow handling etc. (#605)
- Transactions have [undefined limits](https://lists.openldap.org/hyperkitty/list/openldap-technical@openldap.org/message/VI7K5NWV46J6DACITXVS7X2SM3HZIXVB/) on them, forcing us to [jump through hoops](https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1042/diffs?commit_id=c651fbf24017f26435b86e69e9ce73c7f5976b97).
- LMDB depends on unique PID values - this assumption does not hold when sharing cache across containers (#637).
Other cache-related problems: #602, #604
https://gitlab.nic.cz/knot/knot-resolver/-/issues/637
cache: sharing across containers requires special options
2022-11-18T16:56:08+01:00
Petr Špaček
Version: 5.1.3 originally but any version really
Error
=====
```
[cache] LMDB error: Resource temporarily unavailable
[cache] LMDB error: Resource temporarily unavailable
[cache] incompatible cache database detected, purging
[cache] reading version returned: -11
[system] interactive mode
[00000.00][plan] plan '.' type 'NS' uid [65536.00]
[65536.00][iter] '.' type 'NS' new uid was assigned .01, parent uid .00
[cache] LMDB error: Resource temporarily unavailable
[65536.01][cach] => exact hit error: -11 Resource temporarily unavailable
```
Reproducer
==========
Attempt to share cache across two or more Docker containers:
```
docker run -P -w /tmp/kresd -v /tmp/shared:/tmp/kresd -ti cznic/knot-resolver:v5.1.3
```
Minimal reproducer without Docker: Run two processes using command
```
unshare -Up --fork kresd
```
Root cause
==========
This is caused by LMDB dependency on unique PID numbers (for reader slots?). This assumption does not hold for Docker containers (because of its use of PID namespaces). LMDB upstream [does not seem to care](https://lists.openldap.org/hyperkitty/list/openldap-technical@openldap.org/thread/TL4XPCHRRGBV6SWBQIARC6E5XZNJ4SDX/).
Workaround
==========
Disable PID namespace, i.e. run Docker containers using `docker run --pid=host`, which prevents non-unique PIDs among containers.
An alternative is to run additional containers with the same PID namespace as the first container using `docker run --pid=container:name_of_the_first_container`, but the disadvantage is that exiting the first container will terminate all others as well. I.e. this prevents dynamic instance restarts.
https://gitlab.nic.cz/knot/knot-resolver/-/issues/636
doh2: restrict/configure URI path endpoints
2021-01-07T13:49:52+01:00
Tomas Krizek
Current `doh2` implementation answers HTTP/2 requests on any URI path, although only `/dns-query` is documented (and supported). This path seems to be the most widespread among implementations.
Since our legacy DoH supported `/doh`, I'd also keep that path for the new implementation.
However, it'd probably be better to not answer to any random path, such as `/odksjafo`.
It might be worth considering whether making these endpoints user-configurable would be useful.
https://gitlab.nic.cz/knot/knot-resolver/-/issues/635
ci: add respdiff tests for XDP
2020-10-30T15:21:26+01:00
Tomas Krizek
XDP should be tested on real interfaces, which requires some changes to respdiff configuration (using real interface instead of loopback, root privileges, ...). This might be easier to achieve once we simplify our testing infrastructure. (https://gitlab.nic.cz/knot/knot-resolver-ansible/-/issues/3)
https://gitlab.nic.cz/knot/knot-resolver/-/issues/633
Plans to distribute snap package of Knot Resolver?
2020-10-29T09:57:00+01:00
Ghost User
Are there any plans to distribute an official snap package of Knot Resolver?
https://gitlab.nic.cz/knot/knot-resolver/-/issues/632
control protocol redesign
2020-10-27T17:39:35+01:00
Petr Špaček
Version affected: 5.2.0
Current control protocol has several deficiencies:
- Input commands are read as text, individual commands are delimited with `\n` byte. This prevents user from sending multi-line commands or their parameters because the embedded `\n` breaks implicit command boundaries.
- Output is always string from `table_print()`. Consequently:
  - control protocol cannot represent e.g. Lua errors - these lead to empty output.
  - sending structured data to another instance is PITA as it has to be serialized into string before it is returned to `table_print()`, and this serialized string is then (again) decorated by `table_print()` with string delimiters `'`
I don't know what's the best approach to address this but I think it is worth exploring existing solutions (protobuf? something else?) before inventing our own serialization format and control protocol.
https://gitlab.nic.cz/knot/knot-resolver/-/issues/631
remove deprecated -f/--forks option
2020-10-27T17:13:01+01:00
Tomas Krizek
Problems with `--forks` feature:
- Does not support dynamic restart (related: #268)
- Does not support watchdog
- First process is single point of failure
- Per-instance configuration via environment variables is harder
- Fixing this practically means re-implementing systemd or supervisord, which is obviously a bad idea.
Related: #529
Task list:
- [ ] remove `-f` option and related forking code
- [ ] `worker.count` should also be removed
- [ ] remove -f usage from all testing scripts, deckard, respdiff etc.
- [ ] update our benchmarking docker image to be able to run multiple kresd instances without `-f`
Milestone: 6.0.0
https://gitlab.nic.cz/knot/knot-resolver/-/issues/630
daf: improve multi-instance support
2020-10-23T12:02:33+02:00
Tomas Krizek
Currently, the DAF module can work when using multiple instances, but only as long as:
- all the instances are started before any rules are configured
- no instance is ever separately restarted (or crashes)
This could be improved by:
- using deterministic IDs that are tied to the rule (e.g. a hash)
- have some mechanism that can be used to pull/push the entire current configuration instead of a single update (to sync an instance state with others after restart)
https://gitlab.nic.cz/knot/knot-resolver/-/issues/629
early detection for dropped answers over TCP connection
2021-12-08T10:24:06+01:00
Petr Špaček
Problem
=======
Currently individual DNS queries over TCP connection do not have per-query timer and we leave to TCP stack to handle packet loss. This works fine for network-level problems but does not work for queries dropped at application-level.
Issue seen in the field: #551
I.e. queries are dropped on server side and clients get SERVFAIL once the whole TCP connection times out.
Another instance of this problem is Unbound's default limit for number of queries resolved in parallel over a single TCP connection: Before commit https://github.com/NLnetLabs/unbound/commit/f81d0ac0474cc8904e1240a512b935c8e466f81b Unbound would process only 32 queries in parallel and keep other queries on the same TCP connection hanging, potentially leading to long periods without responses.
Vague proposal
==============
- Use per-query timeout also for queries over TCP/TLS/HTTPS and evaluate if the query should be resent using other transport if it times out.
- Detect "suspicious" TCP connection states when deduplicating connections and skip over "suspicious" connections. For example, do not reuse connection if it has queries hanging on it for longer than 3 seconds.
TODO: Is there some other TCP-level tuning we can do?
Related: #447
https://gitlab.nic.cz/knot/knot-resolver/-/issues/627
mdb.c:3240: Assertion 'len >= 0 && id <= env->me_pglast' failed in mdb_freelist_save()
2020-10-22T03:19:07+02:00
Tom Koch
Howdy,
I hate using issues to report crashes, but as far as I can tell, I have a very unmodified build that started crashing when the VM was migrated between hosts. I then ran a yum update to see if it helped, but no dice. It explicitly lists the same line in mdb.c every time so I think that could be helpful.
Linux 3.10.0-1062.18.1.el7.x86_64 #1 SMP Tue Mar 17 23:49:17 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
CentOS Linux release 7.8.2003 (Core)
P.S. If I run kresd on the command line it does run, but gives a warning:
[system] warning: hard limit for number of file-descriptors is only 4096 but recommended value is 524288
```
kres-cache-gc[21289]: Knot Resolver Cache Garbage Collector, version 5.1.3
kres-cache-gc[21289]: mdb.c:3240: Assertion 'len >= 0 && id <= env->me_pglast' failed in mdb_freelist_save()
systemd[1]: kres-cache-gc.service: main process exited, code=killed, status=6/ABRT
systemd[1]: Unit kres-cache-gc.service entered failed state.
systemd[1]: kres-cache-gc.service failed.
systemd[1]: kres-cache-gc.service holdoff time over, scheduling restart.
systemd[1]: Stopped Knot Resolver Garbage Collector daemon.
```
```
Process: 21287 ExecStart=/usr/sbin/kresd -c /usr/lib64/knot-resolver/distro-preconfig.lua -c /etc/knot-resolver/kresd.conf -n (code=killed, signal=ABRT)
Main PID: 21287 (code=killed, signal=ABRT)
systemd[1]: Failed to start Knot Resolver daemon.
systemd[1]: Unit kresd@1.service entered failed state.
systemd[1]: kresd@1.service failed.
systemd[1]: kresd@1.service holdoff time over, scheduling restart.
systemd[1]: Stopped Knot Resolver daemon.
systemd[1]: start request repeated too quickly for kresd@1.service
systemd[1]: Failed to start Knot Resolver daemon.
systemd[1]: Unit kresd@1.service entered failed state.
systemd[1]: kresd@1.service failed.
```
If there's anything I can do to provide further info, let me know.