Cross zone DNAME-CNAME is not chased
Hello! I'm hosting two zones, example.com & b.example.com, on Knot:
/etc/knot/knot.conf

```yaml
# This is a sample of a minimal configuration file for Knot DNS.
# See knot.conf(5) or refer to the server documentation.

server:
    rundir: "/run/knot"
    user: knot:knot
    automatic-acl: on
    listen: [ 0.0.0.0@53, ::@53 ]

log:
  - target: syslog
    any: info

database:
    storage: "/var/lib/knot"

remote:
#  - id: secondary
#    address: 192.168.1.1@53
#
#  - id: primary
#    address: 192.168.2.1@53

template:
  - id: default
    storage: "/var/lib/knot"
    file: "%s.zone"

zone:
  - domain: example.com
  - domain: b.example.com
```
example.com.zone

```
$TTL 86400
@   IN  SOA ns.example.com. admin.example.com. (
            1         ; Serial
            604800    ; Refresh
            86400     ; Retry
            2419200   ; Expire
            86400 )   ; Negative Cache TTL
;
@   IN  NS     ns.example.com.
a   IN  CNAME  a.bb
bb  IN  DNAME  b
```
b.example.com.zone

```
$TTL 86400
@   IN  SOA ns.example.com. admin.example.com. (
            1         ; Serial
            604800    ; Refresh
            86400     ; Retry
            2419200   ; Expire
            86400 )   ; Negative Cache TTL
;
@   IN  NS  ns.example.com.
a   IN  A   0.0.0.0
```
I expected `dig a.example.com` would return 0.0.0.0, but it stops at the CNAME:

```
dig a.example.com @127.1

; <<>> DiG 9.18.12-1-Debian <<>> a.example.com @127.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13358
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;a.example.com.			IN	A

;; ANSWER SECTION:
a.example.com.		86400	IN	CNAME	a.bb.example.com.
bb.example.com.		86400	IN	DNAME	b.example.com.
a.bb.example.com.	86400	IN	CNAME	a.b.example.com.

;; AUTHORITY SECTION:
example.com.		86400	IN	SOA	ns.example.com. admin.example.com. 1 604800 86400 2419200 86400

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.1) (UDP)
;; WHEN: Tue Jun 20 12:31:40 CST 2023
;; MSG SIZE  rcvd: 159
```
I think the reason is that Knot does not support recursion, so I installed Knot Resolver on the same server and let it listen on 5300, with all queries for example.com forwarded (policy.STUB) to 127.1@53, but this did not work:

/etc/knot-resolver/kresd.conf

```lua
-- SPDX-License-Identifier: CC0-1.0
-- vim:syntax=lua:set ts=4 sw=4:
-- Refer to manual: https://knot-resolver.readthedocs.org/en/stable/

-- Network interface configuration
net.listen('0.0.0.0', 5300, { kind = 'dns' })
--net.listen('127.0.0.1', 853, { kind = 'tls' })
--net.listen('127.0.0.1', 443, { kind = 'doh2' })
net.listen('::', 5300, { kind = 'dns', freebind = true })
--net.listen('::1', 853, { kind = 'tls', freebind = true })
--net.listen('::1', 443, { kind = 'doh2' })

-- Load useful modules
modules = {
    'hints > iterate',  -- Allow loading /etc/hosts or custom root hints
    'stats',            -- Track internal statistics
    'predict',          -- Prefetch expiring/frequent records
}

-- Cache size
cache.size = 100 * MB

log_level('debug')
log_target('syslog')

policy.add(policy.suffix(
    policy.FLAGS({'NO_EDNS', 'NO_CACHE'}),
    {todname('example.com.')}
))
policy.add(policy.suffix(
    policy.STUB({'127.0.0.1', '::1'}),
    {todname('example.com.')}
))
```
```
dig a.example.com @127.1 -p 5300

; <<>> DiG 9.18.12-1-Debian <<>> a.example.com @127.1 -p 5300
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38012
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;a.example.com.			IN	A

;; ANSWER SECTION:
a.example.com.		86400	IN	CNAME	a.bb.example.com.
bb.example.com.		86400	IN	DNAME	b.example.com.
a.bb.example.com.	86400	IN	CNAME	a.b.example.com.

;; AUTHORITY SECTION:
example.com.		86400	IN	SOA	ns.example.com. admin.example.com. 1 604800 86400 2419200 86400

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5300(127.1) (UDP)
;; WHEN: Tue Jun 20 12:34:18 CST 2023
;; MSG SIZE  rcvd: 159
```
It's strange that the answer has the AUTHORITY flag set to 1.
However, if I use PowerDNS Recursor instead of Knot Resolver it gives the correct answer.
Is it possible to let Knot DNS do recursion?
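An added example, not part of the original report and not Knot's or Knot Resolver's code: a small Python model of the lookup described above. The authoritative step answers only with records of the zone that owns the queried name, which reproduces the three-record NXDOMAIN answer shown in the dig output; a separate resolver step re-queries the last CNAME target and reaches the A record in b.example.com. The ZONES table is constructed from the two zone files in the report, and the lookup rules are a simplified model, not Knot's implementation.

```python
# Added example (not Knot code): ZONES mirrors the post's two zone files;
# the lookup rules below are a simplified model, not Knot's implementation.
ZONES = {
    "example.com.": {
        ("a.example.com.", "CNAME"): "a.bb.example.com.",
        ("bb.example.com.", "DNAME"): "b.example.com.",
    },
    "b.example.com.": {("a.b.example.com.", "A"): "0.0.0.0"},
}

def zone_for(name):
    """Most specific hosted zone containing name, or None if not hosted."""
    cands = [z for z in ZONES if name == z or name.endswith("." + z)]
    return max(cands, key=len) if cands else None

def authoritative(name, rrtype):
    """Single-zone authoritative answer: CNAMEs are followed and DNAME
    CNAMEs synthesized only with records of the zone owning the QNAME."""
    zone = zone_for(name)
    if zone is None:
        return "REFUSED", []
    zdata, answer = ZONES[zone], []
    while True:
        if (name, rrtype) in zdata:
            answer.append((name, rrtype, zdata[(name, rrtype)]))
            return "NOERROR", answer
        if (name, "CNAME") in zdata:
            target = zdata[(name, "CNAME")]
        else:
            owner = next((o for o, t in zdata
                          if t == "DNAME" and name.endswith("." + o)), None)
            if owner is None:  # name not in this zone: chain ends here
                return "NXDOMAIN", answer
            # DNAME substitution (RFC 6672): swap the owner suffix for target
            target = name[:-len(owner)] + zdata[(owner, "DNAME")]
            answer.append((owner, "DNAME", zdata[(owner, "DNAME")]))
        answer.append((name, "CNAME", target))
        name = target  # continue, but still only inside this zone

def resolve(name, rrtype, max_hops=8):
    """Recursive view: re-query unanswered CNAME targets, hop-limited."""
    chain = []
    for _ in range(max_hops):
        rcode, answer = authoritative(name, rrtype)
        chain.extend(answer)
        last = answer[-1] if answer else None
        if last is None or last[1] != "CNAME" or rrtype == "CNAME":
            return rcode, chain
        name = last[2]
    return "SERVFAIL", chain
```

Running `resolve("a.example.com.", "A")` returns NOERROR with the four-record chain ending in the A record, while `authoritative("a.example.com.", "A")` alone stops with NXDOMAIN after the synthesized CNAME, as in the dig output above.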