Knot Resolver issues (https://gitlab.nic.cz/knot/knot-resolver/-/issues), updated 2024-02-22T16:39:43+01:00

Issue 901: Cross-domain CNAME records are not being resolved to IP addresses
https://gitlab.nic.cz/knot/knot-resolver/-/issues/901 (2024-02-22T16:39:43+01:00, Pavel Švec)

In pursuit of DNS management automation (DNS management via web UI / HTTP API), we've chosen Knot for our resolver. But it seems to lack (or we could not find in the docs) a feature which would allow us to create CNAME records from internal to external zones. We're currently using BIND, where the following works fine:
```
service1.internal.eu. IN CNAME publicservice.external.com.
```
**What I'd expect is**: Knot Resolver asks our internal authoritative DNS (PowerDNS) for `service1.internal.eu.`, which returns the CNAME `publicservice.external.com.`; if the CNAME suffix/pattern is not matched by other policies, it then asks a public DNS (like 8.8.8.8, 1.1.1.1, ...) to resolve the IP address and returns the result to the client.
**What's happening is**: Knot Resolver asks our internal authoritative DNS for `service1.internal.eu.`, gets back the CNAME `publicservice.external.com.` and, satisfied, forwards it back to the client unresolved.
Other queries to internal domains seem to work fine, including ones defined as:
```
service1.internal.eu. IN CNAME service1a.internal.eu.
service1a.internal.eu. IN A 1.2.3.4
```
The reason we do it this way is that we want to give a "public" (read: cloud-based) service used internally a meaningful name, managed internally, instead of something like `auiewrthuiasdvbjas123juiahgi.cloudfront.net`; or we simply don't know the public IP of a service. It is really a similar case when a service is publicly proxied by CloudFlare or a similar service, where we would have to check the `A` record every once in a while to see whether it has changed.
Contents of /etc/knot-resolver/kresd.conf:
```lua
-- SPDX-License-Identifier: CC0-1.0
-- vim:syntax=lua:set ts=4 sw=4:
-- Refer to manual: https://knot-resolver.readthedocs.org/en/stable/

-- Network interface configuration
net.listen('1.2.3.4', 53, { kind = 'dns' })

-- Logging
log_level('debug')
log_target('stdout')

-- Load useful modules
modules = {
    'hints > iterate', -- Allow loading /etc/hosts or custom root hints
    'stats',           -- Track internal statistics
    'predict',         -- Prefetch expiring/frequent records
    'view',            -- restrict IP addresses
}

-- Cache size
cache.size = 100 * MB

internalDomains = policy.todnames({'internal.eu.', 'veryinternal.eu.', 'in-addr.arpa.'})
policy.add(policy.suffix(policy.FLAGS({'NO_CACHE'}), internalDomains))
policy.add(policy.suffix(policy.STUB({'127.0.0.1@5353'}), internalDomains))
policy.add(policy.pattern(policy.FORWARD({'8.8.8.8'}), '.*'))
```

Issue 900: Manager breaks if network interface name contains a hyphen
https://gitlab.nic.cz/knot/knot-resolver/-/issues/900 (2024-02-19T10:38:14+01:00, Ondřej Caletka)

One of my network interfaces is named `mtg-dns`. If I put it into the declarative config like this:
```yaml
network:
  listen:
    - interface: mtg-dns
    - interface: mtg-dns
      kind: dot
    - interface: mtg-dns
      kind: doh2
```
kresd fails to start, logging this error:
```
kresd0[7036]: [system] error while loading config: kresd0.conf:137: attempt to perform arithmetic on field 'mtg' (a nil value) (workdir '/run/knot-resolver')
```
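The error in that log is what you get when a string taken from the declarative config is spliced into the generated Lua as a bare token: `mtg-dns` parses as the expression `mtg - dns`, and `net.interfaces().mtg` is nil. The following is an added example, not the knot-resolver manager's own code, showing a hypothetical unsafe template beside one that validates the name and emits it as a quoted Lua string literal; the `net.listen(net.interfaces()[...].addr, port, { kind = ... })` shape, the function names, the kind allowlist and the sample names are assumptions for illustration.

```python
"""Added example: emitting config-supplied strings into generated Lua safely.

Hypothetical generator, not the knot-resolver manager's code. It assumes the
generated call looks like
    net.listen(net.interfaces()["<name>"].addr, <port>, { kind = "<kind>" })
"""
import re

# Linux interface names are 1..15 bytes (IFNAMSIZ = 16) with no '/' and no whitespace.
_IFNAME_RE = re.compile(r"^[^\s/]{1,15}$")
# Listen kinds the template is allowed to emit (assumed allowlist for the example).
_KINDS = ("dns", "xdp", "tls", "doh2")


def lua_quote(s: str) -> str:
    """Return s as a double-quoted Lua string literal.

    Every character that could end the literal or the line is escaped, and
    control bytes use the three-digit decimal form (\\ddd) so that a digit
    following the escape cannot be absorbed into it.
    """
    out = []
    for ch in s:
        code = ord(ch)
        if ch == "\\":
            out.append("\\\\")
        elif ch == '"':
            out.append('\\"')
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif code < 0x20 or code == 0x7F:
            out.append("\\%03d" % code)
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


def validate_ifname(name: str) -> str:
    """Reject anything that cannot be a Linux interface name before it reaches the template."""
    if not _IFNAME_RE.fullmatch(name):
        raise ValueError(f"not a plausible interface name: {name!r}")
    return name


def render_listen_unsafe(iface: str, port: int = 53, kind: str = "dns") -> str:
    """BUG (hypothetical): the name is spliced as a bare Lua identifier.

    'mtg-dns' becomes `net.interfaces().mtg - dns.addr`, which is exactly the
    "attempt to perform arithmetic on field 'mtg' (a nil value)" failure.
    """
    return f"net.listen(net.interfaces().{iface}.addr, {port}, {{ kind = '{kind}' }})"


def render_listen(iface: str, port: int = 53, kind: str = "dns") -> str:
    """Safe variant: validate first, then index the table with a quoted string literal."""
    validate_ifname(iface)
    if kind not in _KINDS:
        raise ValueError(f"unsupported listen kind: {kind!r}")
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return (f"net.listen(net.interfaces()[{lua_quote(iface)}].addr, "
            f"{port}, {{ kind = {lua_quote(kind)} }})")


if __name__ == "__main__":
    print(render_listen_unsafe("mtg-dns"))   # broken: ...interfaces().mtg-dns.addr...
    print(render_listen("mtg-dns"))          # ok:     ...interfaces()["mtg-dns"].addr...
    for bad in ('eth0"].addr, 53); os.execute("id', "eth0\n", "a/b"):
        try:
            render_listen(bad)
        except ValueError as e:
            print("rejected:", e)
```

The quoting alone is enough to stop a hyphen, a quote or a newline from changing the meaning of the generated Lua; the name validation is defence in depth, so that a value which is not an interface name at all never reaches the template.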
I am running kresd 6.0.4 from Fedora COPR on Oracle Linux 9.

Assignee: Vladimír Čunát <vladimir.cunat@nic.cz>

Issue 894: How to delete A records
https://gitlab.nic.cz/knot/knot-resolver/-/issues/894 (2024-02-07T10:31:54+01:00, Max Makarov)

Hello. I'm trying to configure knot-resolver to act as DNS64 but I need to drop existing A records.
I have this lua script:
```lua
modules = { 'dns64' }
dns64.config({
    exclude_subnets = { '::/0' },
})

-- Returns a policy action that fires only for queries of the given type.
function match_query_type(action, target_qtype)
    return function (state, query)
        if query.stype == target_qtype then
            return action
        else
            return nil
        end
    end
end

policy.add(match_query_type(policy.DROP, kres.type.A))
```
But in this case, knot-resolver returns `SERVFAIL`.
If I use `policy.DENY` knot-resolver returns `NXDOMAIN`.
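For reference, the answer the poster is after (NOERROR with an empty ANSWER section) is what RFC 2308 calls NODATA, and on the wire it differs from NXDOMAIN and SERVFAIL only in the RCODE bits of the header. The following is an added example in Python, not kresd's code and not a description of how kresd's policy actions are implemented: it builds a query, then produces the three responses from it, with a helper that applies the "A queries get NODATA" rule. The message layout is plain RFC 1035; the function names and the sample query are assumptions.

```python
"""Added example: NOERROR/NODATA vs NXDOMAIN vs SERVFAIL on the wire (RFC 1035, RFC 2308)."""
import struct

RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
QTYPE_A, QTYPE_AAAA = 1, 28
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080
HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name: str) -> bytes:
    """Presentation-format name -> uncompressed wire-format name."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label longer than 63 octets")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int, qid: int = 0x1234) -> bytes:
    """A minimal recursion-desired query with one question, class IN."""
    return HEADER.pack(qid, FLAG_RD, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_question(msg: bytes):
    """Return (id, flags, qtype, raw question section) of a single-question message."""
    qid, flags, qd, _an, _ns, _ar = HEADER.unpack_from(msg, 0)
    if qd != 1:
        raise ValueError("expected exactly one question")
    off = HEADER.size
    while True:  # walk the labels; a compression pointer (top bits 11) is not expected here
        ln = msg[off]
        if ln & 0xC0:
            raise ValueError("compression pointer in question")
        off += 1 + ln
        if ln == 0:
            break
    qtype, _qclass = struct.unpack_from("!HH", msg, off)
    return qid, flags, qtype, msg[HEADER.size:off + 4]


def make_response(query: bytes, rcode: int, authoritative: bool = True) -> bytes:
    """Echo the question, set QR/RA (and AA for a locally decided answer), carry no RRs."""
    qid, flags, _qtype, question = parse_question(query)
    rflags = FLAG_QR | FLAG_RA | (flags & FLAG_RD) | (FLAG_AA if authoritative else 0) | (rcode & 0xF)
    return HEADER.pack(qid, rflags, 1, 0, 0, 0) + question


def nodata_for_a(query: bytes):
    """The rule from the question: A queries get NOERROR with an empty answer; others are untouched."""
    _qid, _flags, qtype, _q = parse_question(query)
    return make_response(query, RCODE_NOERROR) if qtype == QTYPE_A else None


def rcode_of(msg: bytes) -> int:
    return HEADER.unpack_from(msg, 0)[1] & 0xF


def counts_of(msg: bytes):
    """(qdcount, ancount, nscount, arcount) of a message."""
    return HEADER.unpack_from(msg, 0)[2:]


if __name__ == "__main__":
    q = build_query("example.com.", QTYPE_A)
    for label, r in (("NODATA", nodata_for_a(q)),
                     ("NXDOMAIN", make_response(q, RCODE_NXDOMAIN)),
                     ("SERVFAIL", make_response(q, RCODE_SERVFAIL, authoritative=False))):
        print(f"{label:8} rcode={rcode_of(r)} counts={counts_of(r)} {r.hex()}")
```

One caveat: a NODATA answer that clients should cache negatively also carries the zone's SOA in the AUTHORITY section (RFC 2308 section 2.2). A policy-synthesised answer has no zone to cite, so this example leaves AUTHORITY empty, and resolvers downstream will not cache it as a negative answer.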
How to return `NOERROR` with an empty response?

Issue 886: tmpfiles config is only installed with systemd_files enabled; should be independent
https://gitlab.nic.cz/knot/knot-resolver/-/issues/886 (2024-03-02T16:57:29+01:00, Anton)

I appreciate that libsystemd use and installing systemd_files are decoupled in this project.
However, the `systemd/tmpfiles.d/knot-resolver.conf.in` tmpfiles config only gets processed / installed if systemd_files is enabled when building.
There are distros which have a working tmpfiles provider but do not use systemd as the init system.
Enabling systemd_files is not the correct solution, as this also installs the other systemd files which is not desired on systems which do not actually use systemd as the init system.
Therefore, the coupling of tmpfiles support to systemd_files is incorrect.
In Gentoo, the `systemd-tmpfiles` binary is provided by the `sys-apps/systemd-utils` package.
```console
$ equery b $(which systemd-tmpfiles)
* Searching for /bin/systemd-tmpfiles ...
sys-apps/systemd-utils-254.8 (/bin/systemd-tmpfiles)
$ eix sys-apps/systemd-utils
[I] sys-apps/systemd-utils
Available versions: 254.5-r2^t 254.7^t (~)254.8^t {+acl boot kernel-install +kmod secureboot selinux split-usr sysusers test +tmpfiles +udev ukify ABI_MIPS="n32 n64 o32" ABI_S390="32 64" ABI_X86="32 64 x32" PYTHON_SINGLE_TARGET="python3_10 python3_11 python3_12"}
Installed versions: 254.8^t(05:00:50 25.12.2023)(kmod split-usr tmpfiles udev -acl -boot -kernel-install -secureboot -selinux -sysusers -test -ukify ABI_MIPS="-n32 -n64 -o32" ABI_S390="-32 -64" ABI_X86="64 -32 -x32" PYTHON_SINGLE_TARGET="python3_11 -python3_10 -python3_12")
Homepage: https://systemd.io/
Description: Utilities split out from systemd for OpenRC users
```
This package is depended upon by a few other crucial bits and it is therefore always installed on a Gentoo OpenRC system.
```console
$ equery d systemd-utils
* These packages depend on systemd-utils:
virtual/libudev-251-r2 (!systemd ? >=sys-apps/systemd-utils-251[udev,abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_s390_32(-)?,abi_s390_64(-)?])
virtual/tmpfiles-0-r5 (!systemd ? sys-apps/systemd-utils[tmpfiles])
virtual/udev-217-r7 (!systemd ? sys-apps/systemd-utils[udev])
```
I suspect Alpine and [other non-systemd distros](https://ungleich.ch/en-us/cms/blog/2019/05/20/linux-distros-without-systemd/) also run into this.
I do not think this is a distro issue since the underlying assumption of the build scripts that a full systemd installation is the only possible tmpfiles provider does not hold true.
In this case we do not need the unit or other files for systemd since the init system is OpenRC but we do support and would like to have the tmpfiles config.
So ideally these should be decoupled from each other: enabling systemd_files would also enable the tmpfiles config, but the tmpfiles config could be enabled independently of systemd_files.
I am happy to submit a patch if there is consensus that this is the correct approach.

Issue 883: knot-resolver_5.7.0-cznic.1_amd64.deb and Packages, md5sum mismatch at http://download.opensuse.org/repositories/home:/CZ-NIC:/knot-resolver-latest/xUbuntu_22.04
https://gitlab.nic.cz/knot/knot-resolver/-/issues/883 (2024-01-19T17:08:28+01:00, super bobyk)

Not sure if it is the right place to ask. But let me try...
When trying to install knot-resolver_5.7.0-cznic.1_amd64.deb from http://download.opensuse.org/repositories/home:/CZ-NIC:/knot-resolver-latest/xUbuntu_22.04/amd64/knot-resolver_5.7.0-cznic.1_amd64.deb, I am getting this:
```
Hashes of expected file:
- SHA256:bca49480d98030ded758f44757aecfe6f823dfbf115e53b91017f91742cfbad8
- SHA1:447e3aaf84839d1824e063e10a3b449ca920e1e6 [weak]
- MD5Sum:6a0aab0ad0d8e5f9bf79afd904c8c78f [weak]
- Filesize:346568 [weak]
Hashes of received file:
- SHA256:cd2155af40524e2718796f37501ddd1682d814bb8cc7273c157b4da31953f86e
- SHA1:80a87ba1afacbb6f7fd355585ee665c282dedc77 [weak]
- MD5Sum:b499935ecfbfbe8c0800cddddc84a4a9 [weak]
- Filesize:346568 [weak]
```
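Two files of identical size with different SHA256 digests are two different files; the size match proves nothing, which is why apt marks Filesize, MD5Sum and SHA1 as `[weak]` and decides on SHA256. As an added example (not apt or the repository tooling), the following performs the same check by hand: parse the `Packages` stanza for the .deb, take only a strong digest field, and compare it against the digest of the downloaded bytes. The stanza and file contents are constructed for illustration, and the expected digests are computed from those constructed bytes, not taken from the report above.

```python
"""Added example: verifying a downloaded .deb against its Packages index entry."""
import hashlib
import hmac

# Only these fields count as evidence; MD5Sum/SHA1/Size are what apt flags as [weak].
STRONG_FIELDS = ("SHA256", "SHA512")


def parse_packages(text: str) -> dict:
    """Parse an RFC 822-style Packages index into {Filename: {field: value}}."""
    entries, current = {}, {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries[current["Filename"]] = current
            current = {}
            continue
        if line[0] in " \t":  # continuation of the previous field (e.g. Description)
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries[current["Filename"]] = current
    return entries


def verify_package(entry: dict, data: bytes) -> bool:
    """True only if a strong digest is present in the entry and matches the bytes."""
    if int(entry.get("Size", -1)) != len(data):
        return False  # a size mismatch is conclusive; a size match is not evidence
    for field in STRONG_FIELDS:
        expected = entry.get(field)
        if expected:
            actual = hashlib.new(field.lower(), data).hexdigest()
            return hmac.compare_digest(actual, expected.lower())
    return False  # only weak digests available: refuse to install


# Constructed index and file contents for illustration (not the real repository data).
GOOD = b"!<arch>\nconstructed-deb-payload-1\n"
TAMPERED = b"!<arch>\nconstructed-deb-payload-2\n"  # same length, different bytes
PACKAGES = f"""Package: knot-resolver
Version: 5.7.0-cznic.1
Architecture: amd64
Filename: amd64/knot-resolver_5.7.0-cznic.1_amd64.deb
Size: {len(GOOD)}
MD5Sum: {hashlib.md5(GOOD).hexdigest()}
SHA256: {hashlib.sha256(GOOD).hexdigest()}

Package: knot-resolver-module-http
Version: 5.7.0-cznic.1
Architecture: amd64
Filename: amd64/knot-resolver-module-http_5.7.0-cznic.1_amd64.deb
Size: 1
MD5Sum: {hashlib.md5(b'x').hexdigest()}
"""


def check(filename: str, data: bytes) -> bool:
    """Look the file up in the constructed index and verify it."""
    entry = parse_packages(PACKAGES).get(filename)
    return entry is not None and verify_package(entry, data)


if __name__ == "__main__":
    deb = "amd64/knot-resolver_5.7.0-cznic.1_amd64.deb"
    print("good    :", check(deb, GOOD))
    print("tampered:", check(deb, TAMPERED))
    print("md5-only:", check("amd64/knot-resolver-module-http_5.7.0-cznic.1_amd64.deb", b"x"))
```

The second stanza shows the other failure mode worth refusing on: an entry that offers only weak digests gives you nothing to verify against, so the function returns False rather than falling back to MD5.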
The file size is still the correct one, 346568 bytes.

Issue 880: DNS Resolution issues for domains using hyp.net domains server.
https://gitlab.nic.cz/knot/knot-resolver/-/issues/880 (2023-11-07T08:01:02+01:00, Marius)
I am encountering consistent DNS resolution failures for domains using hyp.net as their DNS server, as indicated by recurring SERVFAIL responses from the DNS resolver.
It appears that the DNSKEY has a negative TTL (Time to Live) value. Clearing the cache and resolving the domain again seems to temporarily resolve the issue.
I have disabled IPv6 in the resolver settings since my network does not support IPv6 connectivity.
Any guidance or insights you can provide on this issue would be greatly appreciated.
Logs:
[dns_query.txt](/uploads/d8d79f33531664a4625c160275e8e96a/dns_query.txt)

Issue 876: manager: API: cache clearance implementation via HTTP API
https://gitlab.nic.cz/knot/knot-resolver/-/issues/876 (2024-02-15T13:38:42+01:00, Aleš Mrázek)

Clearing the resolver's cache is possible by connecting to a running `kresd` using its unix domain socket and calling [cache.clear()](https://knot-resolver.readthedocs.io/en/stable/daemon-bindings-cache.html#cache.clear).
Starting with version 6, it would be nice to be able to clear the cache via the HTTP management API and the `kresctl` tool.
For example:
```bash
$ kresctl cache-clear # like 'cache.clear()', removes max. 100 records by default
$ kresctl cache-clear --name example.net. # and so on with other 'cache.clear()' parameters
```

Milestone: 6.1.0

Issue 874: Docker image for arm64
https://gitlab.nic.cz/knot/knot-resolver/-/issues/874 (2023-10-09T10:18:12+02:00, derritter88)

Hello there,
after my initial approach to have Knot & Knot Resolver side by side on the same server but with different IPs (failed due to different library version requirements), I tried to run Knot DNS in a Docker container, but unfortunately there is no arm64 support.
Is this planned/on the road map?

Issue 808: /local-data/addresses: make multiple addresses work
https://gitlab.nic.cz/knot/knot-resolver/-/issues/808 (2023-08-17T16:00:13+02:00, Vladimír Čunát <vladimir.cunat@nic.cz>)

The implementation will currently overwrite a single address per type, so only the last IPv4+IPv6 will remain.

Milestone: 6.1.0
Assignee: Vladimír Čunát <vladimir.cunat@nic.cz>

Issue 807: Infinite resolution loop
https://gitlab.nic.cz/knot/knot-resolver/-/issues/807 (2023-07-25T03:08:05+02:00, Damien DALY)

Hello,
I have found a case where there is infinite recursion in DNS resolution in your product, leading to SERVFAIL responses.
Our DNS server is configured to resolve the wildcard `*.customers.company.tld` as a CNAME to `customers.company.tld`, which itself resolves to an A record (IP address). This configuration works everywhere in the world, but it does not when using knot-resolver (tested with 5.5.3 and 5.6.0).
We have another domain that resolves the same kind of wildcard directly to an IP address, with the same behavior.
Here is log extract for dns resolution of `selftest.customers.company.tld` :
```
[plan ][00000.00] plan 'selftest.customers.company.tld.' type 'A' uid [64792.00]
[iterat][64792.00] 'selftest.customers.company.tld.' type 'A' new uid was assigned .01, parent uid .00
[cache ][64792.01] => no NSEC* cached for zone: company.tld.
[cache ][64792.01] => skipping zone: company.tld., NSEC, hash 0;new TTL -123456789, ret -2
[cache ][64792.01] => skipping zone: company.tld., NSEC, hash 0;new TTL -123456789, ret -2
[zoncut][64792.01] found cut: company.tld. (rank 002 return codes: DS 0, DNSKEY 0)
[select][64792.01] => id: '51966' choosing from addresses: 2 v4 + 0 v6; names to resolve: 0 v4 + 2 v6; force_resolve: 0; NO6: IPv6 is KO
[select][64792.01] => id: '51966' choosing: 'ns2.company.tld.'@'999.999.999.999#00053' with timeout 21 ms zone cut: 'company.tld.'
[resolv][64792.01] => id: '51966' querying: 'ns2.company.tld.'@'999.999.999.999#00053' zone cut: 'company.tld.' qname: 'CUsTOmerS.company.tld.' qtype: 'NS' proto: 'udp'
[select][64792.01] => id: '51966' updating: 'ns2.company.tld.'@'999.999.999.999#00053' zone cut: 'company.tld.' with rtt 3 to srtt: 1 and variance: 1
[iterat][64792.01] <= rcode: NOERROR
[iterat][64792.01] <= continuing with qname minimization
[iterat][64792.01] 'selftest.customers.company.tld.' type 'A' new uid was assigned .02, parent uid .00
[plan ][64792.02] plan 'customers.company.tld.' type 'DS' uid [64792.03]
[iterat][64792.03] 'customers.company.tld.' type 'DS' new uid was assigned .04, parent uid .02
[cache ][64792.04] => satisfied by exact packet: rank 060, new TTL 32464
[iterat][64792.04] <= rcode: NOERROR
[valdtr][64792.04] <= parent: updating DS
[valdtr][64792.04] <= answer valid, OK
[iterat][64792.02] 'selftest.customers.company.tld.' type 'A' new uid was assigned .05, parent uid .00
[plan ][64792.05] plan 'customers.company.tld.' type 'DS' uid [64792.06]
[iterat][64792.06] 'customers.company.tld.' type 'DS' new uid was assigned .07, parent uid .05
[cache ][64792.07] => satisfied by exact packet: rank 060, new TTL 32464
[iterat][64792.07] <= rcode: NOERROR
[valdtr][64792.07] <= parent: updating DS
[valdtr][64792.07] <= answer valid, OK
[iterat][64792.05] 'selftest.customers.company.tld.' type 'A' new uid was assigned .08, parent uid .00
....
[plan ][64792.149] plan 'customers.company.tld.' type 'DS' uid [64792.150]
[iterat][64792.150] 'customers.company.tld.' type 'DS' new uid was assigned .151, parent uid .149
[cache ][64792.151] => satisfied by exact packet: rank 060, new TTL 32464
[iterat][64792.151] <= rcode: NOERROR
[valdtr][64792.151] <= parent: updating DS
[valdtr][64792.151] <= answer valid, OK
[worker][64792.149] cancelling query due to exceeded iteration count limit of 100
[resolv][64792.151] AD: request NOT classified as SECURE
[resolv][64792.149] finished in state: 8, queries: 50, mempool: 98400 B
```
The knot configuration file is the default config.docker file.
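Both this report and issue 901 above come down to how a resolver chases a CNAME chain: the target of each CNAME has to be routed through the forwarding/stub policy on its own (issue 901 shows what happens when the stub's CNAME answer is handed back instead), and the chase needs a hop budget plus loop detection so that a chain which revisits a name ends in SERVFAIL instead of spinning until an iteration limit. The following is an added simulation in Python, not kresd's iterator, and not a statement of how kresd's STUB/FORWARD actions behave; note also that the loop in the log above is kresd replanning a DS sub-query rather than a literal CNAME cycle, so the simulation only shows the general guard a chaser needs. The backends, zone data and policy table are constructed.

```python
"""Added example: policy-aware CNAME chasing with loop detection (simulation, not kresd code)."""


class Backend:
    """A constructed backend: records keyed by (owner, type); wildcard owners allowed."""

    def __init__(self, name, records):
        self.name, self.records = name, records

    def lookup(self, qname, qtype):
        rrs = self.records.get((qname, qtype))
        if rrs is not None:
            return rrs
        # Wildcard in the RFC 4592 sense: '*' stands for the leftmost label, closest enclosing name wins.
        labels = qname.split(".")
        for i in range(1, len(labels) - 1):
            rrs = self.records.get(("*." + ".".join(labels[i:]), qtype))
            if rrs is not None:
                return rrs
        return []


INTERNAL = Backend("internal stub", {
    ("web.internal.eu.", "CNAME"): ["publicservice.external.com."],  # the issue-901 shape
    ("svc.internal.eu.", "CNAME"): ["svc-a.internal.eu."],
    ("svc-a.internal.eu.", "A"): ["10.0.0.12"],
})
PUBLIC = Backend("public forwarder", {
    ("publicservice.external.com.", "A"): ["203.0.113.10"],
    ("*.customers.company.tld.", "CNAME"): ["customers.company.tld."],  # the issue-807 shape
    ("customers.company.tld.", "A"): ["198.51.100.7"],
    ("a.loop.test.", "CNAME"): ["b.loop.test."],  # a deliberate cycle
    ("b.loop.test.", "CNAME"): ["a.loop.test."],
})
# Suffix policy, longest match wins; '.' is the catch-all.
POLICY = [("internal.eu.", INTERNAL), (".", PUBLIC)]


def route(qname):
    """Pick the backend whose suffix matches qname most specifically."""
    best = max((s for s, _ in POLICY if s == "." or qname == s or qname.endswith("." + s)), key=len)
    return dict(POLICY)[best]


def resolve_stub_style(qname, qtype):
    """What issue 901 observes: whatever the first backend returns is the answer, CNAME or not."""
    backend = route(qname)
    rrs = backend.lookup(qname, qtype)
    if rrs:
        return "NOERROR", [(qname, qtype, r) for r in rrs]
    return "NOERROR", [(qname, "CNAME", r) for r in backend.lookup(qname, "CNAME")]


def resolve(qname, qtype, max_hops=8):
    """Chase CNAMEs, re-routing each target through POLICY; stop on loops or over-long chains.

    The simulation does not model NODATA vs NXDOMAIN: a name with no records is NXDOMAIN.
    """
    answer, seen, name = [], set(), qname
    for _ in range(max_hops + 1):
        if name in seen:
            return "SERVFAIL", answer            # loop: the chain revisited a name
        seen.add(name)
        backend = route(name)                    # policy evaluated for the *current* name
        rrs = backend.lookup(name, qtype)
        if rrs:
            answer.extend((name, qtype, r) for r in rrs)
            return "NOERROR", answer
        cname = backend.lookup(name, "CNAME")
        if not cname:
            return "NXDOMAIN", answer
        answer.append((name, "CNAME", cname[0]))
        name = cname[0]
    return "SERVFAIL", answer                    # chain longer than the hop budget


if __name__ == "__main__":
    for q in ("web.internal.eu.", "svc.internal.eu.", "selftest.customers.company.tld.", "a.loop.test."):
        print(f"{q:36} stub-style: {resolve_stub_style(q, 'A')}")
        print(f"{q:36} chased    : {resolve(q, 'A')}")
```

The two things to take from it: `route()` is called again for every CNAME target, so a target outside the stubbed suffix goes to the public forwarder, and the `seen` set plus `max_hops` bound the work regardless of what the authoritative data looks like.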
[extract.log.txt](/uploads/497fe6b3a24c9be7f1d017454d243e82/extract.log.txt)

Issue 802: getting timeout when resolving retail.mobile.lbi.santander.uk
https://gitlab.nic.cz/knot/knot-resolver/-/issues/802 (2024-02-20T16:23:47+01:00, Petr Jelinek)

I've faced this issue on my Turris Omnia and found out that it is caused by knotd. I have tried to run it in Docker (outside of my "turris" network).
As you can see, when I dig this domain, it works fine:
```
$ dig @1.1.1.1 retail.mobile.lbi.santander.uk a
; <<>> DiG 9.18.8 <<>> @1.1.1.1 retail.mobile.lbi.santander.uk a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40183
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;retail.mobile.lbi.santander.uk. IN A
;; ANSWER SECTION:
retail.mobile.lbi.santander.uk. 108 IN A 193.127.211.80
;; Query time: 3 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Thu Jul 13 10:48:06 BST 2023
;; MSG SIZE rcvd: 75
```
kdig fails:
```
$ docker run --rm cznic/knot kdig @1.1.1.1 retail.mobile.lbi.santander.uk SOA +dnssec
;; WARNING: response timeout for 1.1.1.1@53(UDP)
;; WARNING: response timeout for 1.1.1.1@53(UDP)
;; WARNING: response timeout for 1.1.1.1@53(UDP)
;; ERROR: failed to query server 1.1.1.1@53(UDP)
```
...however it works fine for other domains:
```
$ docker run --rm cznic/knot kdig @1.1.1.1 nic.cz SOA +dnssec
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 26938
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: NOERROR
;; QUESTION SECTION:
;; nic.cz. IN SOA
;; ANSWER SECTION:
nic.cz. 1800 IN SOA a.ns.nic.cz. hostmaster.nic.cz. 1689235477 14400 3600 1209600 7200
nic.cz. 1800 IN RRSIG SOA 13 2 1800 20230727080427 20230713063427 36959 nic.cz. EBzkqEHwKlzsDIfb6Q5pPQ6szq4RFQfr2TfSpMqMzpizy/xSAfn3RsX/4q0lIVUODwY3sqgNyYXOFkDdHIYnNw==
;; Received 189 B
;; Time 2023-07-13 09:48:38 UTC
;; From 1.1.1.1@53(UDP) in 28.2 ms
```

Issue 790: Recursion in STUB zone
https://gitlab.nic.cz/knot/knot-resolver/-/issues/790 (2023-05-01T18:54:36+02:00, skudlik9)

Hello,
I'm trying to find a working setup for following scenario:
CZFree is (still) using its own DNS root infrastructure (including a root zone and DNSSEC) over private (10.0.0.0/8) addresses. Members of this community have their own DNS servers (i.e. Klfree, Pilsfree, etc.). On our primary DNS recursor, I'd like to be able to resolve (using recursion) normal Internet addresses, our private addresses (in the domain .klfree.czf) and also the private addresses of other czfree members (about 50 NS bound together in the .czf zone, with NS records referencing the members' DNS servers). Recursion is also needed for the czfree part, because there are many distributed authoritative servers all around the members.
Our primary recursive resolving DNS server uses `bind` in a "hybrid setup" (recursion allowed, slave for our private zone, slave for the "fake-root" .czf zone) and everything works fine. For czfree zones it checks the slave-root .czf zone and continues using recursion.
The secondary/backup is running `knot-resolver` (answers user queries, currently Debian 5.5.1-cznic.1) and `knot` (slave for our private zones, and also for the .czf zone). Here, I'm unable to find any way to get it working.
**Original setup** of the knot-resolver is/was to forward everything "local" to `knot` (running on localhost, port 5301):
```
internalDomains = policy.todnames({'klfree.czf', 'klfree.net', '10.in-addr.arpa', 'czf' })
policy.add(policy.suffix(policy.FLAGS({'NO_CACHE'}), internalDomains))
policy.add(policy.suffix(policy.STUB('127.0.0.1@5301'),internalDomains))
```
This works for our internal zone `klfree.czf` (because here knot is authoritative). But the problem is that `knot` doesn't support recursion, nor does `knot-resolver` in STUB forward mode. When resolving an address like `www.praha12.czf`, knot answers only with NS records (because no recursion), and `knot-resolver` returns this to the client (again without the requested address resolved). So this doesn't work well.
My **next try** was to use two instances of `knot-resolver`:
- main: copy of original setup
- czf: fake-root recursive resolver for just for the `.czf` zone.
Here I tried to use `hints.root()` to force the second instance to be a .czf-only recursive resolver. But again without success. Even when I set up hints.root like this:
```
> hints.root()
{
    ['a.root-servers.net.'] = {
        '10.27.0.68',
    },
    ['b.root-servers.net.'] = {
        '10.253.32.129',
    },
    ['c.root-servers.net.'] = {
        '10.27.0.68',
    },
    ['d.root-servers.net.'] = {
        '10.253.32.129',
    },
    ['e.root-servers.net.'] = {
        '10.27.0.68',
    },
    ['f.root-servers.net.'] = {
        '10.253.32.129',
    },
    ['g.root-servers.net.'] = {
        '10.27.0.68',
    },
    ['h.root-servers.net.'] = {
        '10.253.32.129',
    },
    ['i.root-servers.net.'] = {
        '10.27.0.68',
    },
    ['j.root-servers.net.'] = {
        '10.253.32.129',
    },
    ['k.root-servers.net.'] = {
        '10.253.32.129',
    },
    ['l.root-servers.net.'] = {
        '10.27.0.68',
    },
    ['m.root-servers.net.'] = {
        '10.253.32.129',
    },
}
```
`Knot-resolver` uses hardcoded (?) root servers and ignores this setting entirely.
```
root@dns-recursive2:/etc/knot-resolver# dig @localhost -p 6663 a.root-servers.net
; <<>> DiG 9.16.37-Debian <<>> @localhost -p 6663 a.root-servers.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20770
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;a.root-servers.net. IN A
;; ANSWER SECTION:
a.root-servers.net. 171361 IN A 198.41.0.4
;; Query time: 0 msec
;; SERVER: 127.0.0.1#6663(127.0.0.1)
;; WHEN: Fri Apr 21 23:10:47 CEST 2023
;; MSG SIZE rcvd: 63
```
My current test setup of `kresd.conf` (czf instance part):
```lua
elseif string.match(systemd_instance, '^czf') then
    modules.unload('priming')
    net.listen('127.0.0.1', 6663, { kind = 'dns' })
    modules = {
        'hints > iterate', -- Load /etc/hosts and allow custom root hints
    }
    cache.size = 50 * MB
    hints.root_file("/etc/knot-resolver/czf.zone")
    policy.add(policy.suffix(policy.PASS, {todname('10.in-addr.arpa')}))
    policy.add(policy.suffix(policy.PASS, {todname('.czf')}))
    log_level('debug')
else
    panic("Unknown instance of kresd!")
end
```
Even with the `priming` module disabled, and hints.root() returning the addresses of our internal czf-root servers, the server asks the Internet root for answers. :disappointed:
Am I missing some crucial point?
Any "hints" on how to deal with "root_hints" or how to "forward with recursion" to solve this riddle?
Thanks in advance
Jan

Issue 789: how to disable qname minimization
https://gitlab.nic.cz/knot/knot-resolver/-/issues/789 (2023-04-26T14:00:42+02:00, make)

I want to use knot resolver without QNAME minimization; how do I configure it?

Issue 788: Problems with resolution of ldt2.evolvi.co.uk (unexpected NXDOMAIN)
https://gitlab.nic.cz/knot/knot-resolver/-/issues/788 (2023-04-19T13:13:01+02:00, Ondřej Benkovský)

Hello, I am investigating a DNS resolution issue with the domain `ldt2.evolvi.co.uk` using Knot Resolver. The domain is resolved without problems using public resolvers like Google DNS (`8.8.8.8`), but resolving the same domain using Knot Resolver ends up with NXDOMAIN. Based on the resolution plan, I am guessing that there might be a problem with the \000 character found during DNS resolution?
See following resolution plan
```
[iterat][66545.00] 'ldt2.evolvi.co.uk.' type 'A' new uid was assigned .01, parent uid .00
[cache ][66545.01] => skipping unfit CNAME RR: rank 030, new TTL -340
[cache ][66545.01] => no NSEC* cached for zone: evolvi.co.uk.
[cache ][66545.01] => skipping zone: evolvi.co.uk., NSEC, hash 0;new TTL -123456789, ret -2
[cache ][66545.01] => skipping zone: evolvi.co.uk., NSEC, hash 0;new TTL -123456789, ret -2
[zoncut][66545.01] found cut: evolvi.co.uk. (rank 010 return codes: DS 1, DNSKEY 1)
[resolv][66545.01] => NS is provably without DS, going insecure
[select][66545.01] => id: '05621' choosing from addresses: 2 v4 + 0 v6; names to resolve: 2 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66545.01] => id: '05621' choosing: 'dns1.mtgsy.co.uk.'@'172.105.69.234#00053' with timeout 54 ms zone cut: 'evolvi.co.uk.'
[resolv][66545.01] => id: '05621' querying: 'dns1.mtgsy.co.uk.'@'172.105.69.234#00053' zone cut: 'evolvi.co.uk.' qname: 'LdT2.eVoLVI.Co.uk.' qtype: 'A' proto: 'udp'
[select][66545.01] => id: '05621' updating: 'dns1.mtgsy.co.uk.'@'172.105.69.234#00053' zone cut: 'evolvi.co.uk.' with rtt 26 to srtt: 30 and variance: 6
[iterat][66545.01] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 5621
;; Flags: qr aa cd QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 2
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
ldt2.evolvi.co.uk. A
;; ANSWER SECTION
ldt2.evolvi.co.uk. 300 CNAME azureprodev6ag.\000.
;; ADDITIONAL SECTION
azureprodev6ag.evolvi.co.uk. 600 A 51.105.12.148
[iterat][66545.01] <= rcode: NOERROR
[iterat][66545.01] <= cname chain, following
[cache ][66545.01] => stashed ldt2.evolvi.co.uk. CNAME, rank 030, 34 B total, incl. 0 RRSIGs
[iterat][66545.02] 'azureprodev6ag.\000.' type 'A' new uid was assigned .03, parent uid .00
[cache ][66545.03] => skipping zero-containing name azureprodev6ag.\000.
[zoncut][66545.03] found cut: . (rank 060 return codes: DS -2, DNSKEY 0)
[resolv][66545.03] >< TA: '.'
[select][66545.03] => id: '09381' choosing from addresses: 13 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66545.03] => id: '09381' choosing: 'j.root-servers.net.'@'192.58.128.30#00053' with timeout 23 ms zone cut: '.'
[resolv][66545.03] => id: '09381' querying: 'j.root-servers.net.'@'192.58.128.30#00053' zone cut: '.' qname: '\000.' qtype: 'NS' proto: 'udp'
[select][66545.03] => id: '09381' updating: 'j.root-servers.net.'@'192.58.128.30#00053' zone cut: '.' with rtt 2 to srtt: 3 and variance: 1
[iterat][66545.03] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 9381
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 4; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1472 B; ext-rcode: Unused
;; QUESTION SECTION
\000. NS
;; AUTHORITY SECTION
. 86400 NSEC aaa. NS SOA RRSIG NSEC DNSKEY
. 86400 RRSIG NSEC 8 0 86400 1683003600 1681876800 60955 . ntDYSODGiyW725OVm7aEdZi0/52owv36Fp6ZLSd2MELmroK/1TX8VjEUdmM1OXDxO72gNPwVhU4NTGugPGxYjO4deCV7O4VBvTEc+ayksGIpLhoHkHaeTvnEE4JBPgvhGmxkzHjbPsml8X78qLIe1iC9OX3lKCZKicJivA9Mb+4vSsPnRK00O2SS6b95daEeAyMnNl9KN3+Mh0YQAd0EsZ+dLqVV4nKN8Kq9n2iBuZXJEFb2x94qhXHbkA/uiHNGRaQ7WsylDF2A86uQaVelsPdGk5Z3PB7qGeN3QwMdZbN/rHPvnwSxPxJNcgMIli8SMe/I2eTtr1ltU0SbbOyWgQ==
. 86400 SOA a.root-servers.net. nstld.verisign-grs.com. 2023041900 1800 900 604800 86400
. 86400 RRSIG SOA 8 0 86400 1683003600 1681876800 60955 . fJ1IV7H70mU48wQVVaS6FvfFE83Yc6jrvm3BBROrj3bhFaA2Sb1rIC5ZgxIOERVGfCiZuIA2BDmSf+TpK6hNeqE3sfM5uDzJqKD8HSOAwRjBckOyIIY1Ln4rn8vBkDr6sPPgzMinrOjP4/vQLuH3a95nZXYqKOTBL8SF9/BNSCjmtsiNoUvIdSy/l9tgc+cSEMJIxI03C7f4cCbufMF+gPWriQw5M0yBJkmzlVmUIPTNw44VeHX+6RLpumSWcArAUahWSv5AUWLAtKWcvsmbHei5VeCuaRYYHJgyRF39NWvTgQ8y4/VWrT3h9Yox/r3ABdGzYyCkXdbQWiDma8+Ygw==
;; ADDITIONAL SECTION
[iterat][66545.03] <= rcode: NXDOMAIN
[iterat][66545.03] <= retrying with non-minimized name
[cache ][66545.03] => skipping zero-containing name \000.
[iterat][66545.03] 'azureprodev6ag.\000.' type 'A' new uid was assigned .04, parent uid .00
[select][66545.04] => id: '52347' choosing from addresses: 13 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66545.04] => id: '52347' choosing: 'j.root-servers.net.'@'192.58.128.30#00053' with timeout 23 ms zone cut: '.'
[resolv][66545.04] => id: '52347' querying: 'j.root-servers.net.'@'192.58.128.30#00053' zone cut: '.' qname: 'AzureprodEv6ag.\000.' qtype: 'A' proto: 'udp'
[select][66545.04] => id: '52347' updating: 'j.root-servers.net.'@'192.58.128.30#00053' zone cut: '.' with rtt 2 to srtt: 3 and variance: 1
[iterat][66545.04] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 52347
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 4; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1472 B; ext-rcode: Unused
;; QUESTION SECTION
azureprodev6ag.\000. A
;; AUTHORITY SECTION
. 86400 NSEC aaa. NS SOA RRSIG NSEC DNSKEY
. 86400 RRSIG NSEC 8 0 86400 1683003600 1681876800 60955 . ntDYSODGiyW725OVm7aEdZi0/52owv36Fp6ZLSd2MELmroK/1TX8VjEUdmM1OXDxO72gNPwVhU4NTGugPGxYjO4deCV7O4VBvTEc+ayksGIpLhoHkHaeTvnEE4JBPgvhGmxkzHjbPsml8X78qLIe1iC9OX3lKCZKicJivA9Mb+4vSsPnRK00O2SS6b95daEeAyMnNl9KN3+Mh0YQAd0EsZ+dLqVV4nKN8Kq9n2iBuZXJEFb2x94qhXHbkA/uiHNGRaQ7WsylDF2A86uQaVelsPdGk5Z3PB7qGeN3QwMdZbN/rHPvnwSxPxJNcgMIli8SMe/I2eTtr1ltU0SbbOyWgQ==
. 86400 SOA a.root-servers.net. nstld.verisign-grs.com. 2023041900 1800 900 604800 86400
. 86400 RRSIG SOA 8 0 86400 1683003600 1681876800 60955 . fJ1IV7H70mU48wQVVaS6FvfFE83Yc6jrvm3BBROrj3bhFaA2Sb1rIC5ZgxIOERVGfCiZuIA2BDmSf+TpK6hNeqE3sfM5uDzJqKD8HSOAwRjBckOyIIY1Ln4rn8vBkDr6sPPgzMinrOjP4/vQLuH3a95nZXYqKOTBL8SF9/BNSCjmtsiNoUvIdSy/l9tgc+cSEMJIxI03C7f4cCbufMF+gPWriQw5M0yBJkmzlVmUIPTNw44VeHX+6RLpumSWcArAUahWSv5AUWLAtKWcvsmbHei5VeCuaRYYHJgyRF39NWvTgQ8y4/VWrT3h9Yox/r3ABdGzYyCkXdbQWiDma8+Ygw==
;; ADDITIONAL SECTION
[iterat][66545.04] <= rcode: NXDOMAIN
[valdtr][66545.04] <= answer valid, OK
[cache ][66545.04] => stashed . SOA, rank 060, 358 B total, incl. 1 RRSIGs
[cache ][66545.04] => stashed . NSEC, rank 060, 308 B total, incl. 1 RRSIGs
[cache ][66545.04] => nsec_p stash for . skipped (extra TTL: 968, hash: 0)
[cache ][66545.04] => skipping zero-containing name azureprodev6ag.\000.
[resolv][66545.04] AD: request NOT classified as SECURE
[resolv][66545.04] finished in state: 4, queries: 2, mempool: 98352 B
;; selected from ANSWER sections:
; ranked rrset to_wire true, rank 030 (auth insecure), cached true, qry_uid 1, revalidations 0
ldt2.evolvi.co.uk. 300 CNAME azureprodev6ag.\000.
;; selected from AUTHORITY sections:
; ranked rrset to_wire true, rank 060 (auth secure), cached true, qry_uid 4, revalidations 0
. 3600 NSEC aaa. NS SOA RRSIG NSEC DNSKEY
; ranked rrset to_wire true, rank 060 (auth secure), cached true, qry_uid 4, revalidations 0
. 3600 RRSIG NSEC 8 0 86400 1683003600 1681876800 60955 . ntDYSODGiyW725OVm7aEdZi0/52owv36Fp6ZLSd2MELmroK/1TX8VjEUdmM1OXDxO72gNPwVhU4NTGugPGxYjO4deCV7O4VBvTEc+ayksGIpLhoHkHaeTvnEE4JBPgvhGmxkzHjbPsml8X78qLIe1iC9OX3lKCZKicJivA9Mb+4vSsPnRK00O2SS6b95daEeAyMnNl9KN3+Mh0YQAd0EsZ+dLqVV4nKN8Kq9n2iBuZXJEFb2x94qhXHbkA/uiHNGRaQ7WsylDF2A86uQaVelsPdGk5Z3PB7qGeN3QwMdZbN/rHPvnwSxPxJNcgMIli8SMe/I2eTtr1ltU0SbbOyWgQ==
; ranked rrset to_wire true, rank 060 (auth secure), cached true, qry_uid 4, revalidations 0
. 3600 SOA a.root-servers.net. nstld.verisign-grs.com. 2023041900 1800 900 604800 86400
; ranked rrset to_wire true, rank 060 (auth secure), cached true, qry_uid 4, revalidations 0
. 3600 RRSIG SOA 8 0 86400 1683003600 1681876800 60955 . fJ1IV7H70mU48wQVVaS6FvfFE83Yc6jrvm3BBROrj3bhFaA2Sb1rIC5ZgxIOERVGfCiZuIA2BDmSf+TpK6hNeqE3sfM5uDzJqKD8HSOAwRjBckOyIIY1Ln4rn8vBkDr6sPPgzMinrOjP4/vQLuH3a95nZXYqKOTBL8SF9/BNSCjmtsiNoUvIdSy/l9tgc+cSEMJIxI03C7f4cCbufMF+gPWriQw5M0yBJkmzlVmUIPTNw44VeHX+6RLpumSWcArAUahWSv5AUWLAtKWcvsmbHei5VeCuaRYYHJgyRF39NWvTgQ8y4/VWrT3h9Yox/r3ABdGzYyCkXdbQWiDma8+Ygw==
```
Thanks!

https://gitlab.nic.cz/knot/knot-resolver/-/issues/786
LMDB utils not working with the LMDB cache created by Knot
2023-03-29T21:19:01+02:00
Peter Siman
Hi,
I am trying to use LMDB utils to dump (`mdb_dump`) and load (`mdb_load`) the cache created by Knot, but I am getting this error, which points to a problem (similar to the issue reported [here](https://github.com/princeton-vl/CoqGym/issues/39)) with the dump format (probably an LMDB version mismatch).
```line 6: unrecognized keyword ignored: db_pagesize```
I am using the latest `lmdb-utils` package installed using `apt-get`. I was trying to look into the source code of knot-resolver and find out which version of LMDB is used in it, or whether I can use the latest version of LMDB. Is this possible?
Thanks!

https://gitlab.nic.cz/knot/knot-resolver/-/issues/785
manager: API talks only JSON
2023-03-29T13:40:03+02:00
Vaclav Sraier
it currently accepts YAML, we don't want that...
Assignee: Aleš Mrázek

https://gitlab.nic.cz/knot/knot-resolver/-/issues/783
resolving local zones when there's no internet (issue with policy)
2023-03-01T17:44:05+01:00
Daniel Baumann
Hi,
use-case:
* our kresd instances have policy.FORWARD/policy.STUB to resolve internal zone files by asking the authoritative servers directly, rather than going to the internet.
* when we cut internet access for kresd, it fails to forward the queries to the authoritative servers, even though they are reachable and answer properly when asked.
* when we lose internet (or for extra resilience), kresd should still resolve all internal zones and only fail to resolve stuff in the internet.
For hints, this is properly working - they are always answered, also when there's no internet connection.
For forwards, I've played a bit around with 'policy < hints' and such in modules = {}, but to no avail.
Am I missing something or is this not possible? Is the use-case/situation clear enough, or do you want me to provide the exact configuration and debug log to reproduce?
Regards,
Daniel

https://gitlab.nic.cz/knot/knot-resolver/-/issues/782
DNSSEC error for gma.vmathlive.com but DNSViz says domain is OK
2023-02-22T12:12:06+01:00
Peter Siman
Hi,
I am investigating an issue with `gma.vmathlive.com` domain. Knot resolver states there is a [dnssec] validation error for this domain, but when I am trying to debug this using DNSViz, it seems like the DNSSEC is ok.
I am getting this resolution log from Knot resolver:
```
curl localhost:8453/trace/gma.vmathlive.com/AAAA
[iterat][66078.00] 'gma.vmathlive.com.' type 'AAAA' new uid was assigned .01, parent uid .00
[cache ][66078.01] => no NSEC* cached for zone: com.
[cache ][66078.01] => skipping zone: com., NSEC, hash 0;new TTL -123456789, ret -2
[cache ][66078.01] => skipping zone: com., NSEC, hash 0;new TTL -123456789, ret -2
[zoncut][66078.01] found cut: com. (rank 002 return codes: DS 0, DNSKEY 0)
[select][66078.01] => id: '43261' choosing from addresses: 13 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66078.01] => id: '43261' choosing: 'b.gtld-servers.net.'@'192.33.14.30#00053' with timeout 26 ms zone cut: 'com.'
[resolv][66078.01] => id: '43261' querying: 'b.gtld-servers.net.'@'192.33.14.30#00053' zone cut: 'com.' qname: 'VmAThlIvE.coM.' qtype: 'NS' proto: 'udp'
[select][66078.01] => id: '43261' updating: 'b.gtld-servers.net.'@'192.33.14.30#00053' zone cut: 'com.' with rtt 3 to srtt: 6 and variance: 3
[iterat][66078.01] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 43261
;; Flags: qr cd QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 3
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION
vmathlive.com. NS
;; AUTHORITY SECTION
vmathlive.com. 172800 NS ns1.cambiumlearning.com.
vmathlive.com. 172800 NS ns2.cambiumlearning.com.
vmathlive.com. 86400 DS 38134 13 4 DC5F0BEA08FB6D643D89D74A14EDCD210C085E3B6782B9782FEE91BB66A76A83B4181774E0723461AC9B6F18C402C447
vmathlive.com. 86400 DS 38134 13 2 1BA1023E142BCB7B0F7CB6AC4C00771D100F326AC905DAC6074E41AFB25D7870
vmathlive.com. 86400 DS 38134 13 1 902FF916A6140AA401A187EEBDBD636EDFA7EFB1
vmathlive.com. 86400 RRSIG DS 8 2 86400 1677479970 1676870970 36739 com. vOM/iMztbhiYHxhbkI/Yf4t5OWquuKD8OscNNjsapaQ7qruzuAahkk7pD63I1sq+vM62+LvNW1hbK3hWkvqL6yzVPuoNu3fDn/WcxEEn4Kun1/kz2n3PEWdU1jgMnh3WpmzyAmMq33AagPtQT6AvA0hPAoH7nKr7TT+xlh1G9bpI7KFgl3AvMf2xq3N48JwhvxDf/jJx3yhx/xyOz3Hxsw==
;; ADDITIONAL SECTION
ns1.cambiumlearning.com. 172800 A 66.248.224.140
ns2.cambiumlearning.com. 172800 A 50.238.167.169
[iterat][66078.01] <= loaded 2 glue addresses
[iterat][66078.01] <= referral response, follow
[valdtr][66078.01] <= DS: OK
[valdtr][66078.01] <= answer valid, OK
[cache ][66078.01] => stashed vmathlive.com. DS, rank 060, 318 B total, incl. 1 RRSIGs
[cache ][66078.01] => stashed vmathlive.com. NS, rank 002, 70 B total, incl. 0 RRSIGs
[cache ][66078.01] => stashed also 2 nonauth RRsets
[iterat][66078.01] 'gma.vmathlive.com.' type 'AAAA' new uid was assigned .02, parent uid .00
[plan ][66078.02] plan 'vmathlive.com.' type 'DNSKEY' uid [66078.03]
[iterat][66078.03] 'vmathlive.com.' type 'DNSKEY' new uid was assigned .04, parent uid .02
[cache ][66078.04] => no NSEC* cached for zone: vmathlive.com.
[cache ][66078.04] => skipping zone: vmathlive.com., NSEC, hash 0;new TTL -123456789, ret -2
[cache ][66078.04] => skipping zone: vmathlive.com., NSEC, hash 0;new TTL -123456789, ret -2
[select][66078.04] => id: '18904' choosing from addresses: 2 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66078.04] => id: '18904' choosing: 'ns1.cambiumlearning.com.'@'66.248.224.140#00053' with timeout 400 ms zone cut: 'vmathlive.com.'
[resolv][66078.04] => id: '18904' querying: 'ns1.cambiumlearning.com.'@'66.248.224.140#00053' zone cut: 'vmathlive.com.' qname: 'vmatHLiVe.Com.' qtype: 'DNSKEY' proto: 'udp'
[select][66078.04] => id: '18904' updating: 'ns1.cambiumlearning.com.'@'66.248.224.140#00053' zone cut: 'vmathlive.com.' with rtt 133 to srtt: 133 and variance: 66
[iterat][66078.04] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 18904
;; Flags: qr aa QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
vmathlive.com. DNSKEY
;; ANSWER SECTION
vmathlive.com. 3600 RRSIG DNSKEY 13 2 3600 1677715200 1675900800 38134 vmathlive.com. LGEYXMp94nHpWX1vx7RaIFevV80jc/pOWub8+zkDq+ZnFnZ21KsiTiNwdGXdmDcjfS/DmzbYmQ1uk0PDPkTM8Q==
vmathlive.com. 3600 DNSKEY 257 3 13 WOWG2N+2P72hJS7k0mvEbOFNyo/d7qIa5qb2Kyj0oYz65nPhOIxZ8sc/1C3qAVINMyrOyOK2LtHsjg8sA7pr5Q==
;; ADDITIONAL SECTION
[iterat][66078.04] <= rcode: NOERROR
[valdtr][66078.04] <= parent: updating DNSKEY
[valdtr][66078.04] <= answer valid, OK
[cache ][66078.04] => stashed vmathlive.com. DNSKEY, rank 060, 184 B total, incl. 1 RRSIGs
[iterat][66078.02] 'gma.vmathlive.com.' type 'AAAA' new uid was assigned .05, parent uid .00
[select][66078.05] => id: '20059' choosing from addresses: 2 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66078.05] => id: '20059' choosing: 'ns2.cambiumlearning.com.'@'50.238.167.169#00053' with timeout 400 ms zone cut: 'vmathlive.com.'
[resolv][66078.05] => id: '20059' querying: 'ns2.cambiumlearning.com.'@'50.238.167.169#00053' zone cut: 'vmathlive.com.' qname: 'Gma.VMaTHLIve.cOM.' qtype: 'AAAA' proto: 'udp'
[select][66078.05] => id: '20059' updating: 'ns2.cambiumlearning.com.'@'50.238.167.169#00053' zone cut: 'vmathlive.com.' with rtt 109 to srtt: 109 and variance: 54
[iterat][66078.05] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 20059
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 4; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
gma.vmathlive.com. AAAA
;; AUTHORITY SECTION
vmathlive.com. 300 SOA ns1.cambiumlearning.com. hostmaster.cambiumlearning.com. 2022082611 10800 3600 604800 3600
vmathlive.com. 300 RRSIG SOA 13 2 300 1677715200 1675900800 38134 vmathlive.com. Kd4huzuDTm2sR0FffNa6Cv5bu7hcaQhzaV9seqiL0HfoZ+XdWCf0B7s7/k5bxnVQPuOb1jUAMa7ncCXXB/L3nw==
vmathlive.com. 300 NSEC vmathlive.com. A NS SOA RRSIG NSEC DNSKEY
vmathlive.com. 300 RRSIG NSEC 13 2 300 1677715200 1675900800 38134 vmathlive.com. 5lT1gBZAZ3h1C0uRU6TeK3IgRTpxmZttV4ahGbrRPnipMdHrN9B+PQK3Jd0v5jjwgTdcsiOpK6c8tMyRdR3+Fg==
;; ADDITIONAL SECTION
[iterat][66078.05] <= rcode: NOERROR
[valdtr][66078.05] <= bad NODATA proof
[select][66078.05] => id: '20059' noting selection error: 'ns2.cambiumlearning.com.'@'50.238.167.169#00053' zone cut: 'vmathlive.com.' error: 14 DNSSEC_ERROR
[cache ][66078.05] => stashed vmathlive.com. NSEC, rank 060, 140 B total, incl. 1 RRSIGs
[cache ][66078.05] => stashed vmathlive.com. SOA, rank 060, 194 B total, incl. 1 RRSIGs
[cache ][66078.05] => nsec_p stashed for vmathlive.com. (new, hash: 0)
[cache ][66078.05] => stashed packet: rank 025, TTL 300, AAAA gma.vmathlive.com. (379 B)
[iterat][66078.05] 'gma.vmathlive.com.' type 'AAAA' new uid was assigned .06, parent uid .00
[select][66078.06] => id: '33899' choosing from addresses: 1 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66078.06] => id: '33899' choosing: 'ns1.cambiumlearning.com.'@'66.248.224.140#00053' with timeout 397 ms zone cut: 'vmathlive.com.'
[resolv][66078.06] => id: '33899' querying: 'ns1.cambiumlearning.com.'@'66.248.224.140#00053' zone cut: 'vmathlive.com.' qname: 'GmA.VmaTHlIVE.Com.' qtype: 'AAAA' proto: 'udp'
[select][66078.06] => id: '33899' updating: 'ns1.cambiumlearning.com.'@'66.248.224.140#00053' zone cut: 'vmathlive.com.' with rtt 126 to srtt: 132 and variance: 51
[iterat][66078.06] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 33899
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 4; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
gma.vmathlive.com. AAAA
;; AUTHORITY SECTION
vmathlive.com. 300 SOA ns1.cambiumlearning.com. hostmaster.cambiumlearning.com. 2022082611 10800 3600 604800 3600
vmathlive.com. 300 RRSIG SOA 13 2 300 1677715200 1675900800 38134 vmathlive.com. tua7ePdyjjRyyRDyr3gdankU7Xz2QUVOgfbErT6ssGtxGhLueKj8TLy3fgdkAZlsUtLTQoHParWTek6wc3ccSg==
vmathlive.com. 300 NSEC vmathlive.com. A NS SOA RRSIG NSEC DNSKEY
vmathlive.com. 300 RRSIG NSEC 13 2 300 1677715200 1675900800 38134 vmathlive.com. wbGfikMJDqGkfDCn+7XQX7leUDIoAfYwZRtA0yysmg0MDJNFi7Cn6sw1He+JlWkX7zX2Vsk2oNhQE7a+u5fZNA==
;; ADDITIONAL SECTION
[iterat][66078.06] <= rcode: NOERROR
[valdtr][66078.06] <= bad NODATA proof
[select][66078.06] => id: '33899' noting selection error: 'ns1.cambiumlearning.com.'@'66.248.224.140#00053' zone cut: 'vmathlive.com.' error: 14 DNSSEC_ERROR
[cache ][66078.06] => stashed vmathlive.com. NSEC, rank 060, 140 B total, incl. 1 RRSIGs
[cache ][66078.06] => stashed vmathlive.com. SOA, rank 060, 194 B total, incl. 1 RRSIGs
[cache ][66078.06] => nsec_p stash for vmathlive.com. skipped (extra TTL: 0, hash: 0)
[cache ][66078.06] => not overwriting AAAA gma.vmathlive.com.
[iterat][66078.06] 'gma.vmathlive.com.' type 'AAAA' new uid was assigned .07, parent uid .00
[select][66078.07] => id: '57610' choosing from addresses: 0 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66078.07] => id: '57610' no suitable transport, zone cut: 'vmathlive.com.'
[iterat][66078.07] 'gma.vmathlive.com.' type 'AAAA' new uid was assigned .08, parent uid .00
[select][66078.08] => id: '47107' choosing from addresses: 0 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66078.08] => id: '47107' no suitable transport, zone cut: 'vmathlive.com.'
[resolv][66078.00] request failed, answering with empty SERVFAIL
[resolv][66078.08] finished in state: 8, queries: 2, mempool: 98352 B
;; selected from ANSWER sections:
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 4, revalidations 0
vmathlive.com. 3600 RRSIG DNSKEY 13 2 3600 1677715200 1675900800 38134 vmathlive.com. LGEYXMp94nHpWX1vx7RaIFevV80jc/pOWub8+zkDq+ZnFnZ21KsiTiNwdGXdmDcjfS/DmzbYmQ1uk0PDPkTM8Q==
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 4, revalidations 0
vmathlive.com. 3600 DNSKEY 257 3 13 WOWG2N+2P72hJS7k0mvEbOFNyo/d7qIa5qb2Kyj0oYz65nPhOIxZ8sc/1C3qAVINMyrOyOK2LtHsjg8sA7pr5Q==
;; selected from AUTHORITY sections:
; ranked rrset to_wire false, rank 002 (try), cached true, qry_uid 1, revalidations 0
vmathlive.com. 3600 NS ns1.cambiumlearning.com.
vmathlive.com. 3600 NS ns2.cambiumlearning.com.
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 1, revalidations 0
vmathlive.com. 3600 DS 38134 13 1 902FF916A6140AA401A187EEBDBD636EDFA7EFB1
vmathlive.com. 3600 DS 38134 13 2 1BA1023E142BCB7B0F7CB6AC4C00771D100F326AC905DAC6074E41AFB25D7870
vmathlive.com. 3600 DS 38134 13 4 DC5F0BEA08FB6D643D89D74A14EDCD210C085E3B6782B9782FEE91BB66A76A83B4181774E0723461AC9B6F18C402C447
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 1, revalidations 0
vmathlive.com. 3600 RRSIG DS 8 2 86400 1677479970 1676870970 36739 com. vOM/iMztbhiYHxhbkI/Yf4t5OWquuKD8OscNNjsapaQ7qruzuAahkk7pD63I1sq+vM62+LvNW1hbK3hWkvqL6yzVPuoNu3fDn/WcxEEn4Kun1/kz2n3PEWdU1jgMnh3WpmzyAmMq33AagPtQT6AvA0hPAoH7nKr7TT+xlh1G9bpI7KFgl3AvMf2xq3N48JwhvxDf/jJx3yhx/xyOz3Hxsw==
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 5, revalidations 0
vmathlive.com. 300 SOA ns1.cambiumlearning.com. hostmaster.cambiumlearning.com. 2022082611 10800 3600 604800 3600
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 5, revalidations 0
vmathlive.com. 300 RRSIG SOA 13 2 300 1677715200 1675900800 38134 vmathlive.com. Kd4huzuDTm2sR0FffNa6Cv5bu7hcaQhzaV9seqiL0HfoZ+XdWCf0B7s7/k5bxnVQPuOb1jUAMa7ncCXXB/L3nw==
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 5, revalidations 0
vmathlive.com. 300 NSEC vmathlive.com. A NS SOA RRSIG NSEC DNSKEY
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 5, revalidations 0
vmathlive.com. 300 RRSIG NSEC 13 2 300 1677715200 1675900800 38134 vmathlive.com. 5lT1gBZAZ3h1C0uRU6TeK3IgRTpxmZttV4ahGbrRPnipMdHrN9B+PQK3Jd0v5jjwgTdcsiOpK6c8tMyRdR3+Fg==
; ranked rrset to_wire true, rank 060 (auth secure), cached true, qry_uid 6, revalidations 0
vmathlive.com. 300 SOA ns1.cambiumlearning.com. hostmaster.cambiumlearning.com. 2022082611 10800 3600 604800 3600
; ranked rrset to_wire true, rank 060 (auth secure), cached true, qry_uid 6, revalidations 0
vmathlive.com. 300 RRSIG SOA 13 2 300 1677715200 1675900800 38134 vmathlive.com. tua7ePdyjjRyyRDyr3gdankU7Xz2QUVOgfbErT6ssGtxGhLueKj8TLy3fgdkAZlsUtLTQoHParWTek6wc3ccSg==
; ranked rrset to_wire true, rank 060 (auth secure), cached true, qry_uid 6, revalidations 0
vmathlive.com. 300 NSEC vmathlive.com. A NS SOA RRSIG NSEC DNSKEY
; ranked rrset to_wire true, rank 060 (auth secure), cached true, qry_uid 6, revalidations 0
vmathlive.com. 300 RRSIG NSEC 13 2 300 1677715200 1675900800 38134 vmathlive.com. wbGfikMJDqGkfDCn+7XQX7leUDIoAfYwZRtA0yysmg0MDJNFi7Cn6sw1He+JlWkX7zX2Vsk2oNhQE7a+u5fZNA==
;; selected from ADDITIONAL sections:
; ranked rrset to_wire false, rank 001 (omit), cached true, qry_uid 1, revalidations 0
ns1.cambiumlearning.com. 3600 A 66.248.224.140
; ranked rrset to_wire false, rank 001 (omit), cached true, qry_uid 1, revalidations 0
ns2.cambiumlearning.com. 3600 A 50.238.167.169
```
DNSViz DNSSEC analysis [result](https://dnsviz.net/d/gma.vmathlive.com/responses/)
Any idea what might be wrong?
Thanks in advance for your assistance!

https://gitlab.nic.cz/knot/knot-resolver/-/issues/781
Build on MSYS
2023-03-20T09:15:18+01:00
Christopher Ng
Currently this doesn't build on MSYS (i.e. Cygwin). I've managed to get it to build/run on MSYS, but it also required minor fixes to `LMDB` and `knot-dns` (mostly build flags etc). Is there any interest in merging support for this environment?
It has to run under MSYS; running under 'native native' windows (i.e. MSVC runtime or similar) needs a lot more changes to `knot-dns`, and I didn't get very far into investigating it.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/780
Issues of EDNS buffer size
2023-01-21T07:23:19+01:00
idealeer
Although the `edns buffer size` is set to 1232 for a query, Knot Resolver still receives a response with a size larger than 1232, even than 4096.
As suggested here https://www.dnsflagday.net/2020/:
```
It is important for DNS software vendors to comply with DNS standards,
and to use a default EDNS buffer size (1232 bytes) that will not cause
fragmentation on typical network links.
```
We recommend following current practices by only accepting responses less than 1,232 by default, as implemented by PowerDNS Recursor.
We also wonder why Knot Resolver does this.