Knot Resolver issues
====================

Feed: https://gitlab.nic.cz/knot/knot-resolver/-/issues
Updated: 2017-10-09T17:00:34+02:00

Issue #187: test etcd module
============================

https://gitlab.nic.cz/knot/knot-resolver/-/issues/187
2017-10-09T17:00:34+02:00, Petr Špaček

An open question is how to mock etcd.

Issue #172: query name minimization does not work with partially bad glue records
=================================================================================

https://gitlab.nic.cz/knot/knot-resolver/-/issues/172
2017-10-09T17:06:28+02:00, Petr Špaček

Let's have a zone which has incomplete glue records in delegation like this:
```
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
com. IN A
SECTION AUTHORITY
; This is the offending NS (it must be ignored)
com. IN NS x.gtld-servers.net.
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
x.gtld-servers.net. IN A 192.5.6.31
ENTRY_END
```
The server `x.gtld-servers.net.` is broken and returns REFUSED for all but NS queries. The other server `a.gtld-servers.net.` works.
kresd without query name minimization can handle it fine as it detects the `x` server as `bad` and moves on to the next server:
```
[ 0][plan] plan 'www.foo.com.' type 'A'
[55398][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[55398][resl] => using root hints
[39654][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[39654][resl] => querying: '193.0.14.129' score: 10 zone cut: '.' m12n: 'wWw.foO.cOM.' type: 'A' proto: 'udp'
[39654][iter] <= using glue for 'x.gtld-servers.net.': '192.5.6.31'
[39654][iter] <= referral response, follow
[39654][resl] <= server: '193.0.14.129' rtt: 6 ms
[30494][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[30494][resl] => querying: '192.5.6.31' score: 10 zone cut: 'com.' m12n: 'WWW.FoO.COM.' type: 'A' proto: 'udp'
[30494][iter] <= rcode: REFUSED
[30494][resl] <= server: '192.5.6.31' rtt: 1 ms
[18206][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[18206][resl] => querying: '192.5.6.31' score: 111 zone cut: 'com.' m12n: 'WWw.FOo.COm.' type: 'A' proto: 'udp'
[18206][iter] <= rcode: REFUSED
[18206][resl] <= server: '192.5.6.31' rtt: 1 ms
[57219][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[57219][resl] => querying: '192.5.6.31' score: 161 zone cut: 'com.' m12n: 'WwW.FoO.cOm.' type: 'A' proto: 'udp'
[57219][iter] <= rcode: REFUSED
[57219][resl] <= server: '192.5.6.31' rtt: 1 ms
[61022][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[61022][resl] => querying: '192.5.6.31' score: 186 zone cut: 'com.' m12n: 'wwW.fOO.COm.' type: 'A' proto: 'udp'
[61022][iter] <= rcode: REFUSED
[61022][resl] => server: '192.5.6.31' flagged as 'bad'
[54075][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[54075][plan] plan 'a.gtld-servers.net.' type 'AAAA'
[32802][iter] 'a.gtld-servers.net.' type 'AAAA' id was assigned, parent id 54075
[32802][resl] => using root hints
[61553][iter] 'a.gtld-servers.net.' type 'AAAA' id was assigned, parent id 54075
[61553][resl] => querying: '193.0.14.129' score: 11 zone cut: '.' m12n: 'A.gtld-SerVErS.nET.' type: 'AAAA' proto: 'udp'
[61553][iter] <= rcode: NOERROR
[61553][resl] <= server: '193.0.14.129' rtt: 2 ms
[30187][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[30187][plan] plan 'a.gtld-servers.net.' type 'A'
[27896][iter] 'a.gtld-servers.net.' type 'A' id was assigned, parent id 30187
[27896][resl] => using root hints
[34685][iter] 'a.gtld-servers.net.' type 'A' id was assigned, parent id 30187
[34685][resl] => querying: '193.0.14.129' score: 11 zone cut: '.' m12n: 'A.gtLd-SErVeRs.nET.' type: 'A' proto: 'udp'
[34685][iter] <= rcode: NOERROR
[30187][iter] <= using glue for 'a.gtld-servers.net.': '192.5.6.30'
[34685][resl] <= server: '193.0.14.129' rtt: 2 ms
[14390][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[14390][resl] => querying: '192.5.6.30' score: 10 zone cut: 'com.' m12n: 'WWW.foo.cOm.' type: 'A' proto: 'udp'
[14390][iter] <= referral response, follow
[14390][resl] <= server: '192.5.6.30' rtt: 1 ms
[14916][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[14916][plan] plan 'a.gtld-servers.net.' type 'AAAA'
[24215][iter] 'a.gtld-servers.net.' type 'AAAA' id was assigned, parent id 14916
[24215][resl] => using root hints
[45906][iter] 'a.gtld-servers.net.' type 'AAAA' id was assigned, parent id 14916
[45906][resl] => querying: '193.0.14.129' score: 11 zone cut: '.' m12n: 'A.gTld-SeRVErS.nET.' type: 'AAAA' proto: 'udp'
[45906][iter] <= rcode: NOERROR
[45906][resl] <= server: '193.0.14.129' rtt: 2 ms
[57675][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[57675][plan] plan 'a.gtld-servers.net.' type 'A'
[21748][iter] 'a.gtld-servers.net.' type 'A' id was assigned, parent id 57675
[21748][ rc ] => satisfied from cache
[21748][iter] <= rcode: NOERROR
[57675][iter] <= using glue for 'a.gtld-servers.net.': '192.5.6.30'
[49536][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[49536][resl] => querying: '192.5.6.30' score: 11 zone cut: 'www.foo.com.' m12n: 'WwW.fOo.CoM.' type: 'A' proto: 'udp'
[49536][iter] <= rcode: NOERROR
[49536][resl] <= server: '192.5.6.30' rtt: 1 ms
```
Unfortunately kresd does not move to the next server if query minimization is enabled:
```
[ 0][plan] plan 'www.foo.com.' type 'A'
[ 6555][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[ 6555][resl] => using root hints
[39232][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[39232][resl] => querying: '193.0.14.129' score: 10 zone cut: '.' m12n: 'coM.' type: 'NS' proto: 'udp'
[39232][iter] <= using glue for 'x.gtld-servers.net.': '192.5.6.31'
[39232][iter] <= referral response, follow
[39232][resl] <= server: '193.0.14.129' rtt: 7 ms
[17873][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[17873][resl] => querying: '192.5.6.31' score: 10 zone cut: 'com.' m12n: 'FoO.Com.' type: 'NS' proto: 'udp'
[17873][iter] <= using glue for 'x.gtld-servers.net.': '192.5.6.31'
[17873][iter] <= referral response, follow
[17873][resl] <= server: '192.5.6.31' rtt: 4 ms
[ 8362][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[ 8362][resl] => querying: '192.5.6.31' score: 11 zone cut: 'foo.com.' m12n: 'Www.fOo.cOM.' type: 'A' proto: 'udp'
[ 8362][iter] <= rcode: REFUSED
[ 8362][resl] <= server: '192.5.6.31' rtt: 3 ms
[ 6889][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[ 6889][resl] => querying: '192.5.6.31' score: 111 zone cut: 'foo.com.' m12n: 'WWw.fOO.cOm.' type: 'A' proto: 'udp'
[ 6889][iter] <= rcode: REFUSED
[ 6889][resl] <= server: '192.5.6.31' rtt: 2 ms
[43963][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[43963][resl] => querying: '192.5.6.31' score: 161 zone cut: 'foo.com.' m12n: 'Www.FOo.cOM.' type: 'A' proto: 'udp'
[43963][iter] <= rcode: REFUSED
[43963][resl] <= server: '192.5.6.31' rtt: 2 ms
[60355][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[60355][resl] => querying: '192.5.6.31' score: 186 zone cut: 'foo.com.' m12n: 'WWw.foo.COm.' type: 'A' proto: 'udp'
[60355][iter] <= rcode: REFUSED
[60355][resl] => server: '192.5.6.31' flagged as 'bad'
[26974][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[26974][resl] => no valid NS left
```
Versions
-----------
Kresd: f9352bee195996c65bb764ec0ba3a2ad7683824d
This is covered by (fixed) test sets/resolver/iter_ns_badglue.rpl from commit deckard@ebcc8b59c29652af83266abbae6e5ae512e66f45. (temporary branch iter_ns_badglue)

Issue #224: validate: support mixing NSEC and NSEC3 in a single packet
======================================================================

https://gitlab.nic.cz/knot/knot-resolver/-/issues/224
2017-10-10T10:08:11+02:00, Vladimír Čunát <vladimir.cunat@nic.cz>

Issue #226: handling out-of-bailiwick CNAME chains from authoritative servers
=============================================================================

https://gitlab.nic.cz/knot/knot-resolver/-/issues/226
2017-10-10T10:12:12+02:00, Vladimír Čunát <vladimir.cunat@nic.cz>

Some servers incorrectly answer like this:
```
$ kdig @2a02:4a8:ac24:100::96:2 www.rozpocetverejne.cz.
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 41711
;; Flags: qr aa rd; QUERY: 1; ANSWER: 1; AUTHORITY: 1; ADDITIONAL: 0
;; QUESTION SECTION:
;; www.rozpocetverejne.cz. IN A
;; ANSWER SECTION:
www.rozpocetverejne.cz. 600 IN CNAME ghs.google.com.
;; AUTHORITY SECTION:
google.com. 3600 IN SOA alfa.ns.active24.cz. hostmaster.active24.cz. 2017042405 10800 1800 1209600 3600
;; Received 132 B
;; Time 2017-07-28 10:26:52 CEST
;; From 2a02:4a8:ac24:100::96:2@53(UDP) in 5.3 ms
```
That claims two wrong things: that the server is authoritative for google.com and that the name ghs.google.com doesn't exist. (For the RCODE meaning with CNAMEs, see https://tools.ietf.org/html/rfc6604#section-3.) We found multiple instances of this, e.g. also from wedos: www.silvidesign.cz.
Kresd currently SERVFAILs on this (validation); it would be better to use the in-bailiwick information (the CNAME) and discard the rest of the information, even in this case.

Issue #262: simplify DNS64 code
===============================

https://gitlab.nic.cz/knot/knot-resolver/-/issues/262
2017-10-22T14:25:03+02:00, Petr Špaček

New code introduced in #203 seems ugly because it introduced FFI spaghetti into the DNS64 module. When you have some time, we should refactor that so it is readable again.

Issue #252: Test DNS64 module with weird answers
================================================

https://gitlab.nic.cz/knot/knot-resolver/-/issues/252
2017-12-17T01:10:17+01:00, Petr Špaček

Presentation [DNS64 at scale – Turning off IPv4](https://indico.dns-oarc.net/event/27/session/2/contribution/0) contains on slide 14 queries which return intentionally weird answers. We should test that our DNS64 module reacts reasonably.
If there is something which is not RFC-compliant, let's fix it in the DNS64 module. If there is something worth fixing for non-compliant cases, it should probably be in workarounds module.
Please talk to me before introducing workarounds for non-compliant cases.
Also, this might require some new Deckard tests.

Issue #295: validator might better ignore out-of-bailiwick crap
===============================================================

https://gitlab.nic.cz/knot/knot-resolver/-/issues/295
2018-01-22T15:27:22+01:00, Vladimír Čunát <vladimir.cunat@nic.cz>

Real-life example: `www.vikhockey.se. AAAA` fails in validator, due to server returning:
```
kdig @195.74.39.30 www.vikhockey.se. AAAA +dnssec
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 50218
;; Flags: qr aa rd; QUERY: 1; ANSWER: 2; AUTHORITY: 8; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1680 B; ext-rcode: NOERROR
;; QUESTION SECTION:
;; www.vikhockey.se. IN AAAA
;; ANSWER SECTION:
www.vikhockey.se. 600 IN CNAME vvik1-vvik.ramses.nu.
www.vikhockey.se. 600 IN RRSIG CNAME 8 3 600 20180201000000 20180111000000 34296 vikhockey.se. mnn7gL0v3BupFGZi4N/CV6vINkNOFy2y4H0Vx0ukrYDScxCubeLA0YCYCIE3thu13DCkOFuijUbWtaA9KSMivfJUb1q5yX0jdT0b5nvwK1/YSk2YnXMEbrjWqTu4rig+KsrZ0XSb76E0d/9wN5VtFxNkhfZypu5HSj85Isy46Bw=
;; AUTHORITY SECTION:
ramses.nu. 3600 IN SOA ns3.binero.se. registry.binero.se. 1516233600 86400 5400 604800 3600
ramses.nu. 3600 IN RRSIG SOA 8 2 3600 20180201000000 20180111000000 34296 ramses.nu. g4KxoD6HuieeEBgG6Z6oUTlhwdGelcUWRUq3Jd9osVaFzvn8XscQDdmcGh4maK0yofoz8t/ShRVjC4XQGnj5//eejMXY1jgra39VMbJ9P+7JOvGUuETw0WJL8oT7YehfFkCv1CRL5IoM6d9SYdYkmcDt/aoDMeoG+WgEZ6QHW5Y=
v8ssphenr3p30k9a4dpae5pr9ib7m3l1.ramses.nu. 3600 IN NSEC3 1 1 1 AB 18AJT6FFNC06017DT70ELSCVH3763P1C NS SOA MX RRSIG DNSKEY NSEC3PARAM
v8ssphenr3p30k9a4dpae5pr9ib7m3l1.ramses.nu. 3600 IN RRSIG NSEC3 8 3 3600 20180201000000 20180111000000 34296 ramses.nu. wSFv8izGquRzjaZJSnXn+7hgpaqfKGEr3l5OwtEI0KlBRPFmXGv8RD1d9dhJqp1QeaDK67rZqzFHioA/p13RP7kYDUCiOHX8VoA9hbQr3nFHeerkt+zSiYNaAH43sWT7oHpnrN9ODUIIB0s4Tbm1+U2G7tJ90JyjCjmMEXu+UQQ=
3dnbf1prkcm9234cr9atsv8a2gfs2oua.ramses.nu. 3600 IN NSEC3 1 1 1 AB 71O8H4PM96IP6HK4FDMQ2G34KD9KKGV4 A RRSIG
3dnbf1prkcm9234cr9atsv8a2gfs2oua.ramses.nu. 3600 IN RRSIG NSEC3 8 3 3600 20180201000000 20180111000000 34296 ramses.nu. dFKDMKzdwDmNEFfItTlEIIhAqqbk13WEO/etgywJLzEt3PRW1s70jfFCWqTeOjAUdeF6JEfLWklPYkhpBe0UwmYEVqlQcYJ37AKX7gUyN/iBKTtMfQWTXfdHMyjj1fyfEoeFh2SMk1Vl5bys1HKajB0SkOnKmzDKnZjBftDuimE=
j8qedtq6ned9n5sl7e99incs8s1m29sb.ramses.nu. 3600 IN NSEC3 1 1 1 AB MUE5EI8JM7A860A6HCDO7LQ42OSF6V55 A RRSIG
j8qedtq6ned9n5sl7e99incs8s1m29sb.ramses.nu. 3600 IN RRSIG NSEC3 8 3 3600 20180201000000 20180111000000 34296 ramses.nu. HTN4XXRy53RX8p2wksZ5HwW8gYisHHCWwbD/yjiUc4CC+q2tc9jiX9NTriGuKd32BCKqceHlPrAeU62Bn1fujCCKvmctVavr0oUXw4XSl0sJblyH5FitapCBwSW2rmiFY53Jup8oUQLpuNeNP8euADbai//gUiBl9UwHR0qR65c=
;; Received 1224 B
;; Time 2018-01-19 13:42:17 CET
;; From 195.74.39.30@53(UDP) in 130.5 ms
```
The part about CNAME is OK, but the NXDOMAIN on the target is BOGUS. (Seems like an outdated `ramses.nu.` zone remaining on the server.)

Issue #292: tls forwarding: there is a high likelihood of msg-id duplication for active query under heavy load
==============================================================================================================

https://gitlab.nic.cz/knot/knot-resolver/-/issues/292
2018-02-16T11:04:58+01:00, Grigorii Demidov

Issue #347: knot-resolver fails to build from source on hurd due to missing MAXPATHLEN
======================================================================================

https://gitlab.nic.cz/knot/knot-resolver/-/issues/347
2018-05-03T12:48:02+02:00, Daniel Kahn Gillmor

The [debian hurd build daemon](https://buildd.debian.org/status/fetch.php?pkg=knot-resolver&arch=hurd-i386&ver=2.3.0-2&stamp=1524785893&raw=0) shows:
```
daemon/engine.c: In function 'engine_set_moduledir':
daemon/engine.c:231:15: error: 'MAXPATHLEN' undeclared (first use in this function); did you mean 'MAXNAMLEN'?
char l_paths[MAXPATHLEN] = { 0 };
^~~~~~~~~~
MAXNAMLEN
```
See [Justus Winter's thoughts on MAXPATHLEN](https://lists.debian.org/debian-hurd/2012/01/msg00166.html) about why this might not be something worth relying on.

Issue #318: map_set is used incorrectly in some places
======================================================

https://gitlab.nic.cz/knot/knot-resolver/-/issues/318
2018-05-03T17:06:32+02:00, Vladimír Čunát <vladimir.cunat@nic.cz>

Probably due to misleading API docs; when it returns 1, it's replaced the value, but sometimes we free the value afterwards assuming ENOMEM. Some `set_add` call sites might also be affected.

Issue #360: make sure contrib/ does not get out of sync with libknot upstream
=============================================================================

https://gitlab.nic.cz/knot/knot-resolver/-/issues/360
2018-05-24T19:08:06+02:00, Petr Špaček

This needs some clever idea how to compare against the correct branch etc. See !588 for an example.

Issue #316: improve cache performance with qname minimization
=============================================================

https://gitlab.nic.cz/knot/knot-resolver/-/issues/316
2018-07-11T13:43:37+02:00, Petr Špaček

It seems that the resolver sends more queries than necessary.
The following list summarizes queries made by resolver 2.1.1 sent to upstream servers.
Apparently `corp.microsoft.com. NS` (which does not exist and is denied by an insecure SOA RR with TTL 3600 s) is not cached properly. @vcunat told me that this is related to caching qname minimization steps and that the fix might not be trivial because of some interdependency on the iterator implementation (blah).
Format: (count, qname, qtype as number)
```
1 BiTLOckErRecoVeRY.CORp.MICRoSofT.cOM 1
1 BiTloCKErreCoVERY.RMB.CORP.miCrOSoFt.COM 1
1 CO1-Na-DC-01.NOrthAmErICa.corp.MICRoSoFT.cOm 1
1 CO1w7fS01b.cOrP.MIcRoSOfT.cOM 1
1 Co1vfScluSt02.CORP.MIcRoSOFT.coM 1
1 Cy1-eU-dc-02.eUrope.CORp.MicrOsoFt.CoM 1
1 DB3-REd-dC-01.COrp.mICRosOfT.COm 1
1 DB3-eu-Dc-08.EuROpe.coRp.microsOFT.com 1
1 DB3WefpRoD1.eurOPe.corP.mIcrOSofT.COm 1
1 DB3wEFPROd10.EUROPe.CORp.MICROSOFT.cOM 1
1 Db3-Red-dC-04.CORp.MiCroSofT.COM 1
1 Db3-af-DC-02.aFRIcA.cORP.mICrOsOFt.com 1
1 Db3WEfpROD3.EuropE.COrP.MiCRosOFT.COM 1
1 Db3WeFPROd6.EUroPE.cOrP.MICrosofT.COm 1
1 Db3WeFprOd9.EuroPe.corP.MiCroSofT.COm 1
1 Db3wefPrOD4.eURoPE.CorP.micrOsofT.Com 1
1 Db3wefPrOd8.eUROpe.CoRp.mIcrosOfT.com 1
1 EURopE.CORp.micrOsOft.COm 6
1 EmeAcAT.EUROPE.corP.micROSOfT.COM 1
1 LS2WeB.RedMOnD.CorP.MiCrosOft.coM 1
1 UDE.GuesT.coRp.MIcroSOft.coM 1
1 UDE.LHWKsta.cOrP.MIcRosOfT.COm 1
1 UDE.SoUTHPaciFiC.coRp.mIcroSOFT.COM 1
1 UDE.rMB.CoRP.mICROSOFt.CoM 1
1 UDe.NoRTHaMerIcA.corp.MICROSOFt.COm 1
1 UDe.ReDmoND.coRP.mICrOsOFT.com 1
1 UDe.Sys-WiNGROUP.ntDEv.coRp.micROSoFT.coM 1
1 UdE.MIdDlEEaSt.cORp.miCroSoFT.cOM 1
1 UdE.SeGROup.wiNSE.cORP.MicROsOft.cOm 1
1 UdE.sOuthaMERiCa.CorP.MiCROsOFt.CoM 1
1 Ude.AfRiCA.coRP.miCROsoFT.COm 1
1 WPAD.NTDev.cOrp.mIcRoSofT.COM 1
1 WPaD.NOrthaMErIca.coRP.miCroSoFt.CoM 1
1 WPaD.afRica.coRp.mICROsofT.Com 1
1 WpAd.Sys-wIngROup.NTdEv.cOrP.mICRoSoFT.com 1
1 WpAd.midDlEeAST.cOrp.MICrosOft.COm 1
1 WpaD.MslPa.corp.MICROSofT.COM 1
1 WpaD.euroPe.cOrp.miCRoSofT.COM 1
1 Wpad.reDMond.cORP.micrOsOFT.COM 1
1 _LDAp._TcP.eU-iE-DuBdC._sItES.DC._MSdCs.fAreAst.cOrP.MiCrOsOFT.CoM 33
1 _LDaP._TcP.EU-IE-dUBdc._siTes.Dc._MsDCs.nOrTHaMEriCA.coRp.MicrOsoFT.COm 33
1 _LdAp._tcP.eu-iE-DUbDC._SItes.AFRIcA.corp.micRoSoFT.COM 33
1 _Ldap._TCp.eu-ie-DubDc._SitEs.farEast.CORp.miCroSOft.cOM 33
1 _lDaP._tcp.EU-ie-DUbdC._siTES.dC._MsDcs.a-jINOvo-NB2.EuropE.COrP.mIcRosoft.COM 33
1 _lDap._TCP.PDC._MSDCS.EuroPE.CorP.MicRoSOFT.COM 33
1 _ldAp._Tcp.Eu-Ie-DuBdc._SitEs.COrp.MiCROsoFT.cOm 33
1 a-jinoVO-nB2.EuRoPe.cOrP.MicrOSOfT.com 6
1 aZeu1MP03.EUrOPe.CoRP.MICrOsOfT.cOm 1
1 biTLOCKerrEcOvEry.GuEst.corp.mICroSOFT.com 1
1 cO1-fE-dC-05.fArEASt.cOrp.MicROSoFt.cOM 1
1 cY1Cdmvfs1.cOrp.MicrOsoFT.cOm 1
1 corp.MICROsOft.COm 6
1 dB3WEFprOD7.eURoPe.CoRP.miCROSoFt.cOM 1
1 dB3WefProd2.EuROPE.coRp.MICRosOft.COm 1
1 dR._dns-SD._UDp.COrP.MicrosOft.CoM 12
1 db3-eU-DC-03.eurOPe.cORP.Microsoft.CoM 1
1 db3WEfprOd5.europe.CoRP.MICRosOft.cOM 1
1 suhriN-dEvopS.eURope.cOrP.mICrOsoft.cOM 6
1 tRYlEK-z240.eUrOpE.COrp.MicROSoFt.CoM 6
1 uDE.CorP.MICRosOft.Com 1
1 uDE.MSlpA.CORP.MicROsoFt.cOm 1
1 uDE.wINSE.coRp.MICroSofT.Com 1
1 uDe.faREASt.corP.micRoSOfT.Com 1
1 udE.eUROpE.CORP.MiCROSoFt.Com 1
1 udE.ntDev.CORp.mICrosOFt.COm 1
1 wPAD.GUest.CoRp.mICROSOFt.cOm 1
1 wPAD.Lhwksta.cORP.MicRoSOfT.cOm 1
1 wPaD.sOUtHAmERiCa.CORP.MIcRosoFt.CoM 1
1 wPaD.wiNSe.corP.MICroSOft.COm 1
1 wpAD.cORP.microsOfT.cOM 1
1 wpAd.SouThpACiFIc.CORp.MICrOSOFt.cOm 1
1 wpAd.rMb.CORP.MIcROSOft.COm 1
1 wpaD.fAReAst.cORp.MIcROsOfT.CoM 1
1 wpaD.seGrOuP.wINsE.coRP.mICROsoFt.cOM 1
57 CORP.MIcRosoft.com 2
```

Issue #392: improve protection from NTP attacks
===============================================

https://gitlab.nic.cz/knot/knot-resolver/-/issues/392
2018-08-06T11:38:00+02:00, Petr Špaček

Maybe we can tune some parameters introduced in !392 to be more resilient. This needs more thought.
Sources:
* https://nlnetlabs.nl/downloads/presentations/The-impact-of-NTP-security-weaknesses-on-DNSSEC.pdf
* https://tools.ietf.org/html/draft-aanchal-time-implementation-guidance-00

Issue #393: cache open: handle EAGAIN
=====================================

https://gitlab.nic.cz/knot/knot-resolver/-/issues/393
2018-08-17T11:31:16+02:00, Vladimír Čunát <vladimir.cunat@nic.cz>

... probably via random exponential backoff or something. Details: https://gitter.im/CZ-NIC/knot-resolver?at=5b73e162a37112689c21348b

Issue #346: www.nrl.navy.mil. validation broken without query minimization
==========================================================================

https://gitlab.nic.cz/knot/knot-resolver/-/issues/346
2018-09-04T16:29:06+02:00, Filip Siroky

Validation is broken without query minimization for www.nrl.navy.mil. after it was fixed with it in merge !543.
Kresd log:
[server.log](/uploads/199eaec49170e46882d23c12e6db646b/server.log)
Deckard scenario:
[gen_navy.rpl](/uploads/aaa46e764a232e811ee9d32813953325/gen_navy.rpl)

Issue #394: cache.get(): resurrect the lua API
==============================================

https://gitlab.nic.cz/knot/knot-resolver/-/issues/394
2018-09-12T15:32:37+02:00, Vladimír Čunát <vladimir.cunat@nic.cz>

This wasn't finished in https://gitlab.labs.nic.cz/knot/knot-resolver/merge_requests/633, but there are some ideas of what the API might look like.

Issue #405: Improving TCP/TLS timer logic for long-lived connections
====================================================================

https://gitlab.nic.cz/knot/knot-resolver/-/issues/405
2018-10-31T15:51:37+01:00, Baptiste

I am testing long-lived client connections to Knot resolver over TCP or TLS.
Currently, the idle timeout is quite short: `kresd` closes a client TCP connection after just a few seconds when no request is made. While investigating this part of the code, I found that the idle timeout strategy is quite complex, and mixes up the timeout values for "downstream" TCP connections and "upstream" TCP connections (while in reality, they have very different requirements).
Below is an attempt at documenting the current behaviour, so that we can discuss how to improve it.
This is related to #311 (short idle timeout for outgoing TLS connections) and #378 ("unificate processing of inbound and outbound TCP connections where it possible").

Issue #425: Too many requests for DNSKEY
========================================

https://gitlab.nic.cz/knot/knot-resolver/-/issues/425
2018-11-29T17:36:42+01:00, Ivana Krumlova

Too many requests for DNSKEY when it uses an unsupported algorithm (DSA).
Happens on this rpl test:
[val_noadwhennodo.rpl](/uploads/e3e52c6d62772621faa8047cd247ea00/val_noadwhennodo.rpl)
Server log:
[server.log](/uploads/27aff279562f79da370b5b2de67a1d5d/server.log)

Issue #430: "=> going insecure because there's no covering TA" message
======================================================================

https://gitlab.nic.cz/knot/knot-resolver/-/issues/430
2018-12-14T12:48:27+01:00, Ivana Krumlova

Deckard often prints this at the beginning of the log, even on tests where data are DNSSEC-validated correctly.
Maybe this is a problem in kresd logging or something like that.
For example, the log:
```
deckard.py 364 DEBUG [00000.00][plan] plan 'b.example.com.' type 'DS' uid [36622.00]
deckard.py 364 DEBUG [36622.00][iter] 'b.example.com.' type 'DS' new uid was assigned .01, parent uid .00
deckard.py 364 DEBUG [36622.01][resl] => going insecure because there's no covering TA
deckard.py 364 DEBUG [36622.01][resl] => using root hints
deckard.py 364 DEBUG [36622.01][iter] 'b.example.com.' type 'DS' new uid was assigned .02, parent uid .00
deckard.py 364 DEBUG [36622.02][resl] => id: '50568' querying: '193.0.14.129' score: 10 zone cut: '.' qname: 'b.EXampLe.COm.' qtype: 'DS' proto: 'udp'
deckard.py 364 DEBUG [36622.02][iter] <= answer received:
deckard.py 364 DEBUG ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 50568
deckard.py 364 DEBUG ;; Flags: qr QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 2
deckard.py 364 DEBUG
deckard.py 364 DEBUG ;; EDNS PSEUDOSECTION:
deckard.py 364 DEBUG ;; Version: 0; flags: ; UDP size: 1280 B; ext-rcode: Unused
deckard.py 364 DEBUG
deckard.py 364 DEBUG ;; QUESTION SECTION
deckard.py 364 DEBUG b.example.com. DS
deckard.py 364 DEBUG
deckard.py 364 DEBUG ;; AUTHORITY SECTION
deckard.py 364 DEBUG com. 3600 NS a.gtld-servers.net.
deckard.py 364 DEBUG
deckard.py 364 DEBUG [36622.02][iter] <= loaded 1 glue addresses
deckard.py 364 DEBUG [36622.02][iter] <= referral response, follow
deckard.py 364 DEBUG [36622.02][cach] => stashed com. NS, rank 002, 36 B total, incl. 0 RRSIGs
deckard.py 364 DEBUG [36622.02][cach] => stashed also 1 nonauth RRsets
deckard.py 364 DEBUG [36622.02][resl] <= server: '193.0.14.129' rtt: 103 ms
deckard.py 364 DEBUG [36622.02][iter] 'b.example.com.' type 'DS' new uid was assigned .03, parent uid .00
deckard.py 364 DEBUG [36622.03][resl] => id: '52885' querying: '192.5.6.30' score: 10 zone cut: 'com.' qname: 'b.EXampLe.CoM.' qtype: 'DS' proto: 'udp'
deckard.py 364 DEBUG [36622.03][iter] <= answer received:
deckard.py 364 DEBUG ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 52885
deckard.py 364 DEBUG ;; Flags: qr QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 2
deckard.py 364 DEBUG
deckard.py 364 DEBUG ;; EDNS PSEUDOSECTION:
deckard.py 364 DEBUG ;; Version: 0; flags: ; UDP size: 1280 B; ext-rcode: Unused
deckard.py 364 DEBUG
deckard.py 364 DEBUG ;; QUESTION SECTION
deckard.py 364 DEBUG b.example.com. DS
deckard.py 364 DEBUG
deckard.py 364 DEBUG ;; AUTHORITY SECTION
deckard.py 364 DEBUG example.com. 3600 NS ns.example.com.
deckard.py 364 DEBUG
deckard.py 364 DEBUG [36622.03][iter] <= loaded 1 glue addresses
deckard.py 364 DEBUG [36622.03][iter] <= referral response, follow
deckard.py 364 DEBUG [36622.03][cach] => stashed example.com. NS, rank 002, 32 B total, incl. 0 RRSIGs
deckard.py 364 DEBUG [36622.03][cach] => stashed also 1 nonauth RRsets
deckard.py 364 DEBUG [36622.03][resl] <= server: '192.5.6.30' rtt: 5 ms
deckard.py 364 DEBUG [36622.03][iter] 'b.example.com.' type 'DS' new uid was assigned .04, parent uid .00
deckard.py 364 DEBUG [36622.04][resl] >< TA: 'example.com.'
deckard.py 364 DEBUG [36622.04][plan] plan 'example.com.' type 'DNSKEY' uid [36622.05]
deckard.py 364 DEBUG [36622.05][iter] 'example.com.' type 'DNSKEY' new uid was assigned .06, parent uid .04
deckard.py 364 DEBUG [36622.06][cach] => no NSEC* cached for zone: example.com.
deckard.py 364 DEBUG [36622.06][cach] => skipping zone: example.com., NSEC, hash 0;new TTL -123456789, ret -2
deckard.py 364 DEBUG [36622.06][cach] => skipping zone: example.com., NSEC, hash 0;new TTL -123456789, ret -2
deckard.py 364 DEBUG [36622.06][resl] => id: '19571' querying: '1.2.3.4' score: 10 zone cut: 'example.com.' qname: 'EXaMPlE.Com.' qtype: 'DNSKEY' proto: 'udp'
deckard.py 364 DEBUG [36622.06][iter] <= answer received:
deckard.py 364 DEBUG ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 19571
deckard.py 364 DEBUG ;; Flags: qr QUERY: 1; ANSWER: 2; AUTHORITY: 2; ADDITIONAL: 3
deckard.py 364 DEBUG
deckard.py 364 DEBUG ;; EDNS PSEUDOSECTION:
deckard.py 364 DEBUG ;; Version: 0; flags: do; UDP size: 1280 B; ext-rcode: Unused
deckard.py 364 DEBUG
deckard.py 364 DEBUG ;; QUESTION SECTION
deckard.py 364 DEBUG example.com. DNSKEY
deckard.py 364 DEBUG
deckard.py 364 DEBUG ;; ANSWER SECTION
deckard.py 364 DEBUG example.com. 3600 DNSKEY 256 3 7 AwEAAef0Gt81KzrbFGbFmk6VeEzLLcRbnKiDjdMBO7R+HsQWCO9YpPGx20mBEV7ISCLva+LZulf584i30ga7qMeVsarsdh9xCYtyMXd4Ex5nMEXxV9f2Or+FjihPduL2TnAlWpvL8oc1oKVI2RISTT1yf8IYy6X/FpfmMP819WBN2Kit
deckard.py 364 DEBUG example.com. 3600 RRSIG DNSKEY 7 2 3600 20181230101851 20181130101851 16907 example.com. RPXAcaVjBdtk/geHTdTg9ZOKREpAdjZAopRE/5Kk9fdFYQWwg0uRxexLPJ11jXjnp9MKOp1FehctyvE/mm1lB/J6+YepHu3tRAzzJ9YfjVxJjUppQv/nA/fU55MHWYhdhXwKn7F+PXD8+MFlAqPyFz9mYZEO89lI4P2/Wf4xpv4=
deckard.py 364 DEBUG
deckard.py 364 DEBUG ;; AUTHORITY SECTION
deckard.py 364 DEBUG example.com. 3600 NS ns.example.com.
deckard.py 364 DEBUG example.com. 3600 RRSIG NS 7 2 3600 20181230101851 20181130101851 16907 example.com. KXsKhCme80OQl4qekE+q0KvymkhEelk+OdOsajCsGmfG5eeCEkN58gVw5fBgtR2Ekp15KLsV1elsyVL8i7W5Hp5f2G70/plqSQ+78n3Al5jXONgNoVFSOuf8N179F2uf3k20MpnlxQQ7W/VX6SpuAOejyVpp6il6dm2YwRHHnX4=
deckard.py 364 DEBUG
deckard.py 364 DEBUG [36622.06][iter] <= loaded 1 glue addresses
deckard.py 364 DEBUG [36622.06][iter] <= rcode: NOERROR
deckard.py 364 DEBUG [36622.06][vldr] <= parent: updating DNSKEY
deckard.py 364 DEBUG [36622.06][vldr] <= answer valid, OK
deckard.py 364 DEBUG [36622.06][cach] => stashed example.com. DNSKEY, rank 060, 314 B total, incl. 1 RRSIGs
deckard.py 364 DEBUG [36622.06][cach] => not overwriting A ns.example.com.
deckard.py 364 DEBUG [36622.06][resl] <= server: '1.2.3.4' rtt: 7 ms
deckard.py 364 DEBUG [36622.04][iter] 'b.example.com.' type 'DS' new uid was assigned .07, parent uid .00
deckard.py 364 DEBUG [36622.07][resl] => id: '04066' querying: '1.2.3.4' score: 11 zone cut: 'example.com.' qname: 'b.EXAmPLE.cOM.' qtype: 'DS' proto: 'udp'
deckard.py 364 DEBUG [36622.07][iter] <= answer received:
deckard.py 364 DEBUG ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 4066
deckard.py 364 DEBUG ;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 4; ADDITIONAL: 1
deckard.py 364 DEBUG
deckard.py 364 DEBUG ;; EDNS PSEUDOSECTION:
deckard.py 364 DEBUG ;; Version: 0; flags: do; UDP size: 1280 B; ext-rcode: Unused
deckard.py 364 DEBUG
deckard.py 364 DEBUG ;; QUESTION SECTION
deckard.py 364 DEBUG b.example.com. DS
deckard.py 364 DEBUG
deckard.py 364 DEBUG ;; AUTHORITY SECTION
deckard.py 364 DEBUG example.com. 86394 SOA ns.iana.org. nstld.iana.org. 2007092000 1800 900 604800 86400
deckard.py 364 DEBUG example.com. 86394 RRSIG SOA 7 2 86394 20181230101851 20181130101851 16907 example.com. uQjgfvlcxQLPfqetqWjTgKTbDOK3BoqbdmrqudrEl/X/S3OR8uhTQu7PEsrJm7IP7lmKcsbF4LAFjBNRp28G4at8v5cnCpvZfKFDzO3JzCubaVnn18rSZj9gM1e4CN5ms/aAlr5I2hDhIQnsKmhxQBTrngyTcpGgf/YQuruMRKw=
deckard.py 364 DEBUG *.example.com. 3600 NSEC *.b.example.com. A MX RRSIG NSEC
deckard.py 364 DEBUG *.example.com. 86400 RRSIG NSEC 7 2 86400 20181230101851 20181130101851 16907 example.com. 5NyjMTv7p0jvYrfxQzTJXvTlf1Uy2tMSmYKEWZoBq87u6mLNBtRgpKl91gpVvT8o+uA2XAznujnFZYgLdE9Swk87KqQQSWkyM81458SuSVwB5hma9afCrB38FH9D9aOCN1nfqIuoEsQi3Bu3Uvtr+eV7oE97ViROSy/1pyyKg9A=
deckard.py 364 DEBUG
deckard.py 364 DEBUG [36622.07][iter] <= rcode: NOERROR
deckard.py 364 DEBUG [36622.07][vldr] <= DS doesn't exist, going insecure
deckard.py 364 DEBUG [36622.07][vldr] <= answer valid, OK
deckard.py 364 DEBUG [36622.07][cach] => stashed *.example.com. NSEC, rank 060, 204 B total, incl. 1 RRSIGs
deckard.py 364 DEBUG [36622.07][cach] => stashed example.com. SOA, rank 060, 228 B total, incl. 1 RRSIGs
deckard.py 364 DEBUG [36622.07][cach] => nsec_p stashed for example.com. (new, hash: 0)
deckard.py 364 DEBUG [36622.07][resl] <= server: '1.2.3.4' rtt: 7 ms
deckard.py 364 DEBUG [36622.07][resl] AD: request classified as SECURE
deckard.py 364 DEBUG [36622.07][resl] finished: 4, queries: 2, mempool: 16400 B
scenario.py 536 INFO [ RANGE 0-100 ] {'192.5.6.30'} received: 1 sent: 1
scenario.py 536 INFO [ RANGE 0-100 ] {'193.0.14.129'} received: 1 sent: 1
scenario.py 536 INFO [ RANGE 0-100 ] {'1.2.3.4'} received: 2 sent: 2
. [100%]
1 passed, 1 skipped in 1.32 seconds
```
from test [val_mal_wc.rpl](https://gitlab.labs.nic.cz/knot/deckard/blob/master/sets/resolver/val_mal_wc.rpl)

Issue #291: refactor excessively long functions
===============================================

https://gitlab.nic.cz/knot/knot-resolver/-/issues/291
2018-12-17T13:29:42+01:00, Marek Vavrusa

For readability's sake, we should refactor functions so that they're reasonably short.
The screen size is ~80 lines, some functions are >300 lines, which makes it easier to make mistakes.
!432 added an upper bound of 400 statements / 500 lines, but we should do better.
These functions exceed the 200 statements / 300 lines limit:
* [ ] layer/validate.c:824 function 'validate' 337 statements (threshold 200)
* [ ] resolve.c:1310 function 'kr_resolve_produce' 250 statements (threshold 200)
* [x] worker.c:1406 function 'qr_task_step' 221 statements (threshold 200)
* [x] worker.c:1872 function 'worker_process_tcp' 260 statements (threshold 200)
* [ ] main.c:425 function 'main' 247 statements (threshold 200)