Knot Resolver issues
https://gitlab.nic.cz/knot/knot-resolver/-/issues
Feed updated: 2019-03-12T12:12:22+01:00

Issue #451: trust_anchors.lua: keyset_read() parameter shadows string library
https://gitlab.nic.cz/knot/knot-resolver/-/issues/451
2019-03-12T12:12:22+01:00, Petr Špaček

In file `/usr/lib/kdns_modules/trust_anchors.lua` around line 376, the `local function keyset_read(path, string)` shadows the `string` library, which causes weird problems. We have to remove the shadowing before release.

Milestone: 4.0.0. Assignee: Tomas Krizek.

Issue #449: RFC 5011 will crash resolver if key is rolled to an unsupported algorithm
https://gitlab.nic.cz/knot/knot-resolver/-/issues/449
2019-04-04T15:03:11+02:00, Petr Špaček

Reported by: Matthijs Mekking <matthijs@isc.org>
PANIC if kresd performs 5011 and retrieves an unsupported algorithm
===================================================================
Summary
-------
tldr; When refreshing trust anchors and kresd receives an unsupported
DNSSEC algorithm, kresd will exit with a PANIC:
```
PANIC: unprotected error in call to Lua API
(/usr/local/lib/kdns_modules/trust_anchors.lua:208: invalid RR:
5011.isc.pletterpet.nl. 60 DNSKEY 257 3 16
GjgC97LCct7HZhArY9KRvynmXLKF/OGPCOX8jVqNaQ5Tj58lqxaNQ/tx2l8sftpLHHQj9KOsRzjN:
invalid key algorithm)
```
Knot resolver versions used
---------------------------
knot-resolver-3.2.1
Steps to reproduce
------------------
1. Set up an authoritative zone, DNSSEC signed with a supported
   algorithm, for example RSA-SHA256 (8).
2. Start Knot resolver with a trust anchor file that contains the KSK
   for the authoritative zone.
   `kresd -c config.test`
3. Update the authoritative zone, add a new algorithm that is not
   supported by BIND, for example Ed448 (16).
4. Wait until kresd refreshes trust anchors.

You should hit the same error if you do step 2 and the authoritative
server already has the DNSKEY with the unsupported algorithm in the zone.
What is the current bug behavior?
---------------------------------
The Knot resolver will exit with a PANIC.
What is the expected correct behavior?
--------------------------------------
The Knot resolver will log an error (or warning) and ignore the new key.
Relevant configuration files
----------------------------
config.test:
```
net = { '127.0.0.1', '::1' }
trust_anchors.config('trustanchors.conf', 0)
modules = {
    'hints > iterate',
    'stats',
    'predict',
}
cache.size = 10 * MB
```

Milestone: 4.0.0.

Issue #448: net.list() ignores multiple ports on the same IP address
https://gitlab.nic.cz/knot/knot-resolver/-/issues/448
2019-03-12T14:03:36+01:00, Petr Špaček

Multiple invocations of `net.listen()` using the same IP address but a different port will confuse the output of `net.list()`. Only a single endpoint description listening for a given IP address is returned by `net.list()`:
Example:
```
$ KRESD_NO_LISTEN=1 kresd
> net.list()
> net.listen('::1', 5353)
true
> net.list()
[::1] => {
    [tcp] => true
    [tls] => false
    [udp] => true
    [port] => 5353
}
> net.listen('::1', 53000)
true
> net.list()
[::1] => {
    [tcp] => true
    [tls] => false
    [udp] => true
    [port] => 5353
}
```
Fixing this obviously requires a change to the `net.list()` output format, which can be done in the upcoming 4.0.
The main question is what the new output should look like. Preliminary proposal:
```
{ address = 'string',
  transport = udp/tcp/quic,
  transport_params = { [transport-dependent parameters - port etc.] },
  security = tls/dtls/...,
  format = plain DNS/DNS-over-HTTP-binary/DNS-over-HTTP-JSON
}
```
`net.list()` would then produce a numbered list of tuples, each tuple describing a single combination.
While this would be technically correct, I don't know whether it would be too verbose and ugly. Maybe we should introduce `net.summary()`, which could produce a nicer output out of `net.list()`, or something like that.

Milestone: 4.0.0. Assignee: Tomas Krizek.

Issue #443: DNSSEC validation failing for NSEC signed zone with deeper wildcard
https://gitlab.nic.cz/knot/knot-resolver/-/issues/443
2022-05-18T16:25:24+02:00, Štěpán Balážik

When testing on the zones linked below (in a local `knotd`), and when asked for `dig @127.0.0.1 -p 53 A shit.wildc.nsec.test.knot-resolver.cz +dnssec`, Resolver ends up servfailing because it can't validate the proof of non-existence of the `wildc.nsec.test.knot-resolver.cz. DS` record:
```
[44720.12][resl] => id: '36540' querying: '127.0.0.1#05353' score: 21 zone cut: 'nsec.test.knot-resolver.cz.' qname: 'wilDC.nSEc.teSt.KnOT-REsolVER.cz.' qtype: 'DS' proto: 'udp'
[44720.12][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 36540
;; Flags: qr aa rd QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION
wildc.nsec.test.knot-resolver.cz. DS
;; AUTHORITY SECTION
nsec.test.knot-resolver.cz. 3600 SOA dns1.example.com. hostmaster.example.com. 2010111238 21600 3600 604800 86400
*.wild.nsec.test.knot-resolver.cz. 86400 NSEC *.wildc.nsec.test.knot-resolver.cz. A RRSIG NSEC
*.wildc.nsec.test.knot-resolver.cz. 86400 NSEC nsec.test.knot-resolver.cz. CNAME RRSIG NSEC
nsec.test.knot-resolver.cz. 3600 RRSIG SOA 13 4 3600 20370101153211 20190118140211 25023 nsec.test.knot-resolver.cz. YlGILkcuX6EpClR9YBmNZP/2G6UaCWLFB2LxLMfU40h+qARSMwsaaRrBPt9mO7kMS1e6r/vG9muP/tkgIPmEJA==
*.wild.nsec.test.knot-resolver.cz. 86400 RRSIG NSEC 13 5 86400 20370101153211 20190118140211 25023 nsec.test.knot-resolver.cz. HnNsj0OoA82ltnf+iFEdyvUqpw/3DSkeZCGGKKCbvvP0ENgT6jeRP8euL19WBVvloPTb8LUMQWb9FhgauuRtmg==
*.wildc.nsec.test.knot-resolver.cz. 86400 RRSIG NSEC 13 5 86400 20370101153211 20190118140211 25023 nsec.test.knot-resolver.cz. rbFDZXGXSY1J4wWzeIN+EqnKCjr6ZsA/9lZV/yy5ILzi9K2z4IxIp09uKS2qasK/nVuWAdqonFgLteCLuUew6g==
[44720.12][iter] <= rcode: NOERROR
[44720.12][vldr] <= bad NODATA proof
[44720.12][cach] => stashed nsec.test.knot-resolver.cz. SOA, rank 020, 190 B total, incl. 1 RRSIGs
[44720.12][cach] => stashed packet: rank 025, TTL 1, DS wildc.nsec.test.knot-resolver.cz. (615 B)
[44720.12][resl] finished: 8, queries: 3, mempool: 32800 B
```
When asked for the respective record in the NSEC3 signed zone, Resolver validates with no problem.
Below I link all three zonefiles as well as the configurations of both `kresd` and `knotd` I used.
[kresd.log](/uploads/5360e41e89323adf2636cc868e0caab2/kresd.log)
[kresd.conf](/uploads/3465c6d90d6681e94e87091af39f6c00/kresd.conf)
[knotd.conf](/uploads/519da89b51c4ff77f97bd9c847274230/knotd.conf)
[test.knot-resolver.cz.zone](/uploads/8d6a2b3497134f9895bd4e4592b027b7/test.knot-resolver.cz.zone)
[nsec.test.knot-resolver.cz.zone](/uploads/afe51a85acb768e0b4552b3fad4d1dbb/nsec.test.knot-resolver.cz.zone)
[nsec3.test.knot-resolver.cz.zone](/uploads/ca69754b0afd55d2362c3da28cf6491d/nsec3.test.knot-resolver.cz.zone)

Milestone: 5.5.1. Assignee: Vladimír Čunát (vladimir.cunat@nic.cz).

Issue #440: kresd 3.2.0 coredump
https://gitlab.nic.cz/knot/knot-resolver/-/issues/440
2020-11-16T12:32:42+01:00, ilf

```
% kresd --version
Knot Resolver, version 3.2.0
```
```
% cat /etc/knot-resolver/kresd.conf
-- vim:syntax=lua:
-- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration
-- Load useful modules
modules = {
    'policy',          -- Block queries to local zones/bad sites
    'hints > iterate', -- Load /etc/hosts and allow custom root hints
    'stats',           -- Track internal statistics
    -- 'predict',      -- Prefetch expiring/frequent records
}
-- See kresd.systemd(7) about configuring network interfaces when using systemd
-- Listen on localhost (default)
-- net = { '127.0.0.1', '::1' }
-- Enable DNSSEC validation
trust_anchors.file = '/etc/knot-resolver/root.keys'
-- Cache size
cache.size = 100 * MB
-- https://dns.cmrg.net/
policy.add(policy.all(policy.TLS_FORWARD({
    {'199.58.81.218', hostname='dns.cmrg.net', ca_file='/etc/ssl/certs/ca-certificates.crt'},
})))
```
```
% sudo coredumpctl gdb 673
PID: 673 (kresd)
UID: 972 (knot-resolver)
GID: 972 (knot-resolver)
Signal: 6 (ABRT)
Timestamp: Sat 2019-01-05 16:48:08 CET (14min ago)
Command Line: /usr/sbin/kresd --config=/etc/knot-resolver/kresd.conf
Executable: /usr/bin/kresd
Control Group: /system.slice/system-kresd.slice/kresd@1.service
Unit: kresd@1.service
Slice: system-kresd.slice
Storage: /var/lib/systemd/coredump/core.kresd.972.41f1b997dbba4fc1a3959eeb94b783ef.673.1546703288000000.lz4
Message: Process 673 (kresd) of user 972 dumped core.
Stack trace of thread 673:
#0 0x00007fd9ab352d7f raise (libc.so.6)
#1 0x00007fd9ab33d672 abort (libc.so.6)
#2 0x00007fd9ab33d548 __assert_fail_base.cold.0 (libc.so.6)
#3 0x00007fd9ab34b396 __assert_fail (libc.so.6)
#4 0x000055ab58ecd1f4 session_tls_hs_cb (kresd)
#5 0x000055ab58ed34ca tls_handshake (kresd)
#6 0x000055ab58ed3b8b tls_process_input_data (kresd)
#7 0x000055ab58ec5a20 tcp_recv (kresd)
#8 0x00007fd9ab9e9a19 n/a (libuv.so.1)
#9 0x00007fd9ab9ea668 n/a (libuv.so.1)
#10 0x00007fd9ab9ef370 uv__io_poll (libuv.so.1)
#11 0x00007fd9ab9e0ab0 uv_run (libuv.so.1)
#12 0x000055ab58ec5139 run_worker (kresd)
#13 0x00007fd9ab33f223 __libc_start_main (libc.so.6)
#14 0x000055ab58ec523e _start (kresd)
```
```
(gdb) backtrace
#0 0x00007fd9ab352d7f in raise () from /usr/lib/libc.so.6
#1 0x00007fd9ab33d672 in abort () from /usr/lib/libc.so.6
#2 0x00007fd9ab33d548 in __assert_fail_base.cold.0 () from /usr/lib/libc.so.6
#3 0x00007fd9ab34b396 in __assert_fail () from /usr/lib/libc.so.6
#4 0x000055ab58ecd1f4 in session_tls_hs_cb (session=session@entry=0x55ab596762e0, status=status@entry=0) at daemon/worker.c:751
#5 0x000055ab58ed34ca in tls_handshake (ctx=ctx@entry=0x55ab597d33b0, handshake_cb=0x55ab58eccfb0 <session_tls_hs_cb>) at daemon/tls.c:256
#6 0x000055ab58ed3b8b in tls_process_input_data (s=s@entry=0x55ab596762e0, buf=0x55ab597d33e8 "\026\003\003\n\252\v", nread=nread@entry=3082) at daemon/tls.c:472
#7 0x000055ab58ec5a20 in tcp_recv (handle=0x55ab5968ac50, nread=3082, buf=0x7ffec983b810) at daemon/io.c:237
#8 0x00007fd9ab9e9a19 in ?? () from /usr/lib/libuv.so.1
#9 0x00007fd9ab9ea668 in ?? () from /usr/lib/libuv.so.1
#10 0x00007fd9ab9ef370 in uv.io_poll () from /usr/lib/libuv.so.1
#11 0x00007fd9ab9e0ab0 in uv_run () from /usr/lib/libuv.so.1
#12 0x000055ab58ec5139 in run_worker (args=0x7ffec983ec20, leader=<optimized out>, ipc_set=0x7ffec983ebe0, engine=0x7ffec983ecc0, loop=0x7fd9ab9fc240) at daemon/main.c:476
#13 main (argc=<optimized out>, argv=<optimized out>) at daemon/main.c:825
```
```
(gdb) backtrace full
#0 0x00007fd9ab352d7f in raise () from /usr/lib/libc.so.6
No symbol table info available.
#1 0x00007fd9ab33d672 in abort () from /usr/lib/libc.so.6
No symbol table info available.
#2 0x00007fd9ab33d548 in __assert_fail_base.cold.0 () from /usr/lib/libc.so.6
No symbol table info available.
#3 0x00007fd9ab34b396 in __assert_fail () from /usr/lib/libc.so.6
No symbol table info available.
#4 0x000055ab58ecd1f4 in session_tls_hs_cb (session=session@entry=0x55ab596762e0, status=status@entry=0) at daemon/worker.c:751
key = 0x55ab58eed3a0 <str> "199.58.81.218#00853"
__PRETTY_FUNCTION__ = "session_tls_hs_cb"
handle = <optimized out>
loop = <optimized out>
worker = 0x55ab593295c0
peer = 0x55ab596762e4
deletion_res = -2
ret = 0
tls_client_ctx = <optimized out>
tls_params = 0x55ab59353550
tls_session = 0x55ab5967d8d0
#5 0x000055ab58ed34ca in tls_handshake (ctx=ctx@entry=0x55ab597d33b0, handshake_cb=0x55ab58eccfb0 <session_tls_hs_cb>) at daemon/tls.c:256
peer = <optimized out>
session = 0x55ab596762e0
logstring = 0x55ab58ee2e30 <client_logstring> "tls_client"
err = <optimized out>
#6 0x000055ab58ed3b8b in tls_process_input_data (s=s@entry=0x55ab596762e0, buf=0x55ab597d33e8 "\026\003\003\n\252\v", nread=nread@entry=3082) at daemon/tls.c:472
err = <optimized out>
tls_p = 0x55ab597d33b0
__PRETTY_FUNCTION__ = "tls_process_input_data"
ok = true
logstring = 0x55ab58ee2e30 <client_logstring> "tls_client"
submitted = <optimized out>
wire_buf = <optimized out>
wire_buf_size = <optimized out>
#7 0x000055ab58ec5a20 in tcp_recv (handle=0x55ab5968ac50, nread=3082, buf=0x7ffec983b810) at daemon/io.c:237
s = 0x55ab596762e0
__PRETTY_FUNCTION__ = "tcp_recv"
consumed = 0
data = 0x55ab597d33e8 "\026\003\003\n\252\v"
data_len = 3082
ret = <optimized out>
worker = <optimized out>
#8 0x00007fd9ab9e9a19 in ?? () from /usr/lib/libuv.so.1
No symbol table info available.
#9 0x00007fd9ab9ea668 in ?? () from /usr/lib/libuv.so.1
No symbol table info available.
#10 0x00007fd9ab9ef370 in uv.io_poll () from /usr/lib/libuv.so.1
No symbol table info available.
#11 0x00007fd9ab9e0ab0 in uv_run () from /usr/lib/libuv.so.1
No symbol table info available.
#12 0x000055ab58ec5139 in run_worker (args=0x7ffec983ec20, leader=<optimized out>, ipc_set=0x7ffec983ebe0, engine=0x7ffec983ecc0, loop=0x7fd9ab9fc240) at daemon/main.c:476
sock_file = <optimized out>
pipe = {data = 0x7ffec983ec20, loop = 0x7fd9ab9fc240, type = UV_NAMED_PIPE, close_cb = 0x0, handle_queue = {0x55ab595a1cc0, 0x55ab5933ce40}, u = {fd = 0, reserved = {0x0, 0x0, 0x0, 0x0}}, next_closing = 0x0, flags = 49164,
write_queue_size = 0, alloc_cb = 0x0, read_cb = 0x0, connect_req = 0x0, shutdown_req = 0x0, io_watcher = {cb = 0x7fd9ab9eaab0 <uv.server_io>, pending_queue = {0x7ffec983f070, 0x7ffec983f070}, watcher_queue = {0x7ffec983f080,
0x7ffec983f080}, pevents = 1, events = 1, fd = 5}, write_queue = {0x7ffec983f0a0, 0x7ffec983f0a0}, write_completed_queue = {0x7ffec983f0b0, 0x7ffec983f0b0}, connection_cb = 0x55ab58ed9190 <tty_accept>, delayed_error = 0,
accepted_fd = -1, queued_fds = 0x0, ipc = 0, pipe_fname = 0x0}
sock_file = <optimized out>
pipe = <optimized out>
pipe_ret = <optimized out>
i = <optimized out>
#13 main (argc=<optimized out>, argv=<optimized out>) at daemon/main.c:825
ret = <optimized out>
args = {forks = 1, addr_set = {at = 0x0, len = 0, cap = 0}, tls_set = {at = 0x0, len = 0, cap = 0}, fd_set = {at = 0x55ab593115b0, len = 4, cap = 5}, tls_fd_set = {at = 0x55ab59311670, len = 2, cap = 5}, keyfile = 0x0,
keyfile_unmanaged = 0, moduledir = 0x55ab58ee424e "/usr/lib/kdns_modules", config = 0x7ffec9840e7d "/etc/knot-resolver/kresd.conf", control_fd = 5, rundir = 0x0, interactive = false, quiet = false, tty_binary_output = false}
socket_names = 0x55ab59327f20
sd_nsocks = <optimized out>
ipc_set = {at = 0x0, len = 0, cap = 0}
fork_id = <optimized out>
pool = {ctx = 0x55ab59328280, alloc = 0x55ab58edc340 <mp_alloc>, free = 0x0}
engine = {resolver = {options = {NO_MINIMIZE = false, NO_THROTTLE = false, NO_IPV6 = false, NO_IPV4 = false, TCP = false, RESOLVED = false, AWAIT_IPV4 = false, AWAIT_IPV6 = false, AWAIT_CUT = false, SAFEMODE = false,
CACHED = false, NO_CACHE = false, EXPIRING = false, ALLOW_LOCAL = false, DNSSEC_WANT = false, DNSSEC_BOGUS = false, DNSSEC_INSECURE = false, DNSSEC_CD = false, STUB = false, ALWAYS_CUT = false, DNSSEC_WEXPAND = false,
PERMISSIVE = false, STRICT = false, BADCOOKIE_AGAIN = false, CNAME = false, REORDER_RR = false, TRACE = false, NO_0X20 = false, DNSSEC_NODS = false, DNSSEC_OPTOUT = false, NONAUTH = false, FORWARD = false,
DNS64_MARK = false, CACHE_TRIED = false, NO_NS_FOUND = false}, opt_rr = 0x55ab593282f0, trust_anchors = {root = 0x55ab5930fea0, pool = 0x0}, negative_anchors = {root = 0x0, pool = 0x0}, root_hints = {
name = 0x55ab59328f68 "", key = 0x0, trust_anchor = 0x0, parent = 0x0, nsset = 0x55ab59328f70, pool = 0x7ffec983ec00}, cache = {db = 0x55ab5933c940, api = 0x7fd9abae0480 <api>, stats = {hit = 0, miss = 0, insert = 3621,
delete = 0}, ttl_min = 5, ttl_max = 518400, checkpoint_walltime = {tv_sec = 1546542717, tv_usec = 57135}, checkpoint_monotime = 48358}, cache_rtt = 0x7fd9a980f010, cache_rtt_tout_retry_interval = 1000,
cache_rep = 0x7fd9a978e010, modules = 0x7ffec983ee38, cookie_ctx = {clnt = {enabled = false, current = {secr = 0x0, alg_id = 0}, recent = {secr = 0x0, alg_id = 0}}, srvr = {enabled = false, current = {secr = 0x0, alg_id = 0},
recent = {secr = 0x0, alg_id = 0}}}, cache_cookie = 0x55ab59328360, tls_padding = -1, pool = 0x7ffec983ec00}, net = {loop = 0x7fd9ab9fc240, endpoints = {root = 0x55ab5930d811, pool = 0x0}, tls_credentials = 0x0,
tls_client_params = {root = 0x55ab593530d0, pool = 0x0}, tls_session_ticket_ctx = 0x55ab593294d0, tcp = {in_idle_timeout = 10000, tls_handshake_timeout = 6000}, tcp_backlog = 511}, modules = {at = 0x55ab5933cc50, len = 12,
cap = 15}, backends = {at = 0x55ab593292d0, len = 1, cap = 5}, ipc_set = {at = 0x0, len = 0, cap = 0}, pool = 0x7ffec983ec00, hostname = 0x0, L = 0x411ec378, moduledir = 0x55ab5930def0 "/usr/lib/kdns_modules"}
worker = 0x55ab593295c0
loop = 0x7fd9ab9fc240
sigint = {data = 0x7ffec983eef0, loop = 0x7fd9ab9fc240, type = UV_SIGNAL, close_cb = 0x0, handle_queue = {0x7ffec983ef60, 0x55ab593294f0}, u = {fd = 0, reserved = {0x0, 0x0, 0x7fd9abb138c8, 0x7fd9abb3e480}}, next_closing = 0x0,
flags = 12, signal_cb = 0x55ab58ed8ef0 <signal_handler>, signum = 2, tree_entry = {rbe_left = 0x0, rbe_right = 0x7ffec983ef40, rbe_parent = 0x0, rbe_color = 0}, caught_signals = 0, dispatched_signals = 0}
sigterm = {data = 0x28, loop = 0x7fd9ab9fc240, type = UV_SIGNAL, close_cb = 0x0, handle_queue = {0x55ab59339ef0, 0x7ffec983eec0}, u = {fd = 232, reserved = {0xe8, 0x2d00000000, 0xf0, 0x7}}, next_closing = 0x0, flags = 12,
signal_cb = 0x55ab58ed8ef0 <signal_handler>, signum = 15, tree_entry = {rbe_left = 0x0, rbe_right = 0x0, rbe_parent = 0x7ffec983eea0, rbe_color = 1}, caught_signals = 0, dispatched_signals = 0}
```

Milestone: 2019 Q1.

Issue #437: knot-resolver as a DNSoTLS client fails upon sleep
https://gitlab.nic.cz/knot/knot-resolver/-/issues/437
2019-02-15T09:42:54+01:00, Dustin Hodges

On **macOS Mojave 10.14.2**, when using `knot-resolver` as a *DNSoTLS client* (setting `knot-resolver` to communicate with Cloudflare's public DNS over TLS, and setting the OS network DNS configuration to the local host, `127.0.0.1` & `::1`), when the Mac system enters sleep, knot-resolver stops communicating, either with macOS (local side) or Cloudflare (network side); unsure as to which. Communication does not resume when resuming from sleep.
When this failure occurs, `KRESD.LOG` is given a single line:

> `Assertion failed: (tls_p->consumed == tls_p->nread), function tls_process_input_data, file daemon/tls.c, line 508.`

Attempts to test connectivity using `kdig bing.com` result in

> `;; WARNING: response timeout for ::1@53(UDP)`
>
> `;; WARNING: response timeout for 127.0.0.1@53(UDP)`

Suggesting that it is the local side, assuming the timeout is between macOS itself and
The temporary solution is to run `sudo brew services restart knot-resolver` via the terminal, restarting the service and returning the functionality of knot-resolver as a DNSoTLS client.

Milestone: 2019 Q1.

Issue #416: Assertion failed: (map_contains(&worker->tcp_connected, key) == 0), function worker_add_tcp_connected, file daemon/worker.c, line 1997
https://gitlab.nic.cz/knot/knot-resolver/-/issues/416
2019-04-16T09:03:53+02:00, Ghost User

I am using the Knot DNS Resolver on macOS Mojave (10.14.1). I tested the resolver with the 1.1.1.1 and 9.9.9.9 DNS servers. It works well, but periodically (after the Mac exits sleep) the daemon stops working and `sudo brew services restart knot-resolver` doesn't help either. After a reboot of the Mac it starts working again.
[kresd.log](/uploads/fdcbb5629cdde9ba263e2af0e5acc5ee/kresd.log) tells the following:
```
Assertion failed: (map_contains(&worker->tcp_connected, key) == 0), function worker_add_tcp_connected, file daemon/worker.c, line 1997.
[priming] cannot resolve '.' NS, next priming query in 10 seconds
[detect_time_skew] cannot resolve '.' NS
[ ta ] active refresh failed for . with rcode: 2
[priming] cannot resolve '.' NS, next priming query in 10 seconds
[priming] cannot resolve '.' NS, next priming query in 10 seconds
[priming] cannot resolve '.' NS, next priming query in 10 seconds
[priming] cannot resolve address 'a.root-servers.net.', type: 1
Assertion failed: (map_contains(&worker->tcp_connected, key) == 0), function worker_add_tcp_connected, file daemon/worker.c, line 1997.
[priming] cannot resolve address 'a.root-servers.net.', type: 1
[ ta ] active refresh failed for . with rcode: 2
[ ta ] active refresh failed for . with rcode: 2
Assertion failed: (map_contains(&worker->tcp_connected, key) == 0), function worker_add_tcp_connected, file daemon/worker.c, line 1997.
[priming] cannot resolve address 'a.root-servers.net.', type: 1
[priming] cannot resolve address 'b.root-servers.net.', type: 1
[priming] cannot resolve address 'g.root-servers.net.', type: 28
[priming] cannot resolve address 'h.root-servers.net.', type: 1
[priming] cannot resolve address 'k.root-servers.net.', type: 1
[ ta ] active refresh failed for . with rcode: 2
Assertion failed: (map_contains(&worker->tcp_connected, key) == 0), function worker_add_tcp_connected, file daemon/worker.c, line 1997.
[priming] cannot resolve address 'a.root-servers.net.', type: 1
[priming] cannot resolve address 'b.root-servers.net.', type: 1
[ ta ] active refresh failed for . with rcode: 2
[priming] cannot resolve address 'g.root-servers.net.', type: 28
[priming] cannot resolve address 'k.root-servers.net.', type: 1
[ ta ] active refresh failed for . with rcode: 2
Assertion failed: (map_contains(&worker->tcp_connected, key) == 0), function worker_add_tcp_connected, file daemon/worker.c, line 1997.
[priming] cannot resolve '.' NS, next priming query in 10 seconds
[detect_time_skew] cannot resolve '.' NS
[ ta ] active refresh failed for . with rcode: 2
[priming] cannot resolve '.' NS, next priming query in 10 seconds
[priming] cannot resolve '.' NS, next priming query in 10 seconds
```

Issue #407: Knot Resolver can't resolve dc01.integricloud.com
https://gitlab.nic.cz/knot/knot-resolver/-/issues/407
2022-01-12T14:16:46+01:00, Ghost User

Knot DNS Resolver, version 2.4.1 in the latest TurrisOS, can't resolve `dc01.integricloud.com`; it gives `status: SERVFAIL`. Even 1.1.1.1 can't resolve this name. Other resolvers return `status: NOERROR` and `IN A 108.178.208.107`.

Issue #406: validate: fails to accept some correct proofs in deeper NSEC zones
https://gitlab.nic.cz/knot/knot-resolver/-/issues/406
2022-05-09T11:46:29+02:00, Vladimír Čunát (vladimir.cunat@nic.cz)

Real-life example: `_domainkey.bronz.cz` - it's an empty non-terminal covered by
```
*.bronz.cz. 3589 IN NSEC arcz._domainkey.bronz.cz. CNAME RRSIG NSEC
```
Note: the aggressive cache does generate the proof correctly if the record is in cache; it's just the validator not accepting it. In real life this issue will probably rarely cause problems; moreover, NODATA often isn't recognizable from SERVFAIL.

Issue #404: incorrect handling of EDNS version 1+
https://gitlab.nic.cz/knot/knot-resolver/-/issues/404
2019-07-09T17:12:25+02:00, Petr Špaček

Apparently we do not return BADVERS as we should:
```
$ dig +nocookie +rec +noad +edns=1 +noednsneg +ednsopt=100 soa isc.org. @1.1.1.1
; <<>> DiG 9.13.0-dev <<>> +nocookie +rec +noad +edns=1 +noednsneg +ednsopt=100 soa isc.org. @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20124
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;isc.org. IN SOA
;; ANSWER SECTION:
isc.org. 6914 IN SOA ns-int.isc.org. hostmaster.isc.org. 2018092500 7200 3600 24796800 3600
;; Query time: 16 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Oct 01 13:40:13 CEST 2018
;; MSG SIZE rcvd: 90
```
Test suite:
https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing
run `genreport -R` with input like:
`nic.cz. resolver.test. 1.1.1.1`
Output at the moment:
```
nic.cz. @1.1.1.1 (resolver.test.): dns=ok edns=ok edns1=noerror,badversion,soa edns@512=ok ednsopt=ok edns1opt=noerror,badversion,soa do=ok ednsflags=ok optlist=ok signed=ok,yes ednstcp=ok
```

Issue #396: SERVFAIL answer still contains bogus RRsets
https://gitlab.nic.cz/knot/knot-resolver/-/issues/396
2020-04-15T10:25:21+02:00, Petr Špaček

The attached test [val_ad_qtype_ds.rpl](/uploads/a35e1072c53b8e68374b158d36d04d3a/val_ad_qtype_ds.rpl) contains an incorrect SOA serial, i.e. the RRSIG for `. SOA` does not match the SOA RR.
Kresd 3.0.0 correctly detects the bogus answer, clears the AD bit and sets RCODE=SERVFAIL, but the bogus RR is still present in the response sent to the client:
```
E id 43842
E opcode QUERY
E rcode SERVFAIL
E flags QR RD RA
E edns 0
E eflags DO
E payload 4096
E ;QUESTION
E test. IN DS
E ;ANSWER
E ;AUTHORITY
E . 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2017030902 1800 900 604800 86400
E test. 86400 IN NSEC . NS RRSIG NSEC
E . 86400 IN RRSIG SOA 8 0 86400 20180922145219 20180823145219 61125 . oUmzRZlxlk8WMI6EVAVqveSrD7gY7dxo g/KF0xIsUgb4wuw7ysD4C1E7GCKA8UqF XKsJn+RpKJHiHAASLctCL8Ewnger2ebe RtTNENEuqyvWlJwWHIY9Bk9YvMr5RzNd TfyLS+EGFGQzk2G793DOoi0DuNFaFK1A kN/jDDzDuGxwK/9oZ4X9Sk2mKeZfjKWI oXaPhMonfnWtX+6rKeMvgSjMZYEXz0+E XYHeHwvtUIPYzMfO2iCrEfCABH04OG61 NP5N9W+IiOKP1KAmT8id3JyFJACHjSP6 BeEIv6Ydzz3M9vq4B4pj0Cr9ePH0GnNC 0Sg8uOfHzjC5bHldoaJs4g==
E test. 86400 IN RRSIG NSEC 8 1 86400 20180922145219 20180823145219 61125 . Fgq94cQgkH4LhB0NFRSzqZT09eLTr4Jd P+xV+s5HEPiipfmaRSy3Y1ZoihtofwjO +LObPVLmyPz7WUWmJBCu3bPRS0GU4Ltq YmpBpUxjuaVqbiw07/GO3IS6nLD1IVYp uXzktncdJDkwalkPb/qMtrMTSEzH5V6a 9CJErKJRIEn36Ypg6+hvKXJT5uJyqcTs eqFXnHDXBzIQjlc6rm7gPCdUCzxx9UrP SxVeNfLSYUV96RA2G1NgksCejP7TPpIi heRXDIItvl/XtQy5pdaPsdE+bJHQaxC2 uTabzvGPoLHRahfCjtH2XxuFsWCSm7ad 0bRQH4v1o05CB8Cv9JkDEQ==
E ;ADDITIONAL
```
The RR `. SOA` should not be there; it is bogus.

Assignee: Vladimír Čunát (vladimir.cunat@nic.cz).

Issue #390: unsigned same-server delegation does not work (SERVFAIL when iterating)
https://gitlab.nic.cz/knot/knot-resolver/-/issues/390
2020-08-10T12:38:58+02:00, Petr Špaček

The attached [test](/uploads/faf14f8a4d04b5331a3d3ec150027dfc/qlist) asks for `unsigned2.box. SOA` and the request ends with SERVFAIL.
I believe that it should work because the domain is an unsigned delegation from the parent, with the child hosted on the same server.
The delegation is inside an opt-out range, so the resolver should verify the unsigned status of the zone and continue.
(I hope there is no mistake in the test, I did my best. If there is a mistake in the test itself, I apologize.)

Issue #385: log flood from TLS session key rotation
https://gitlab.nic.cz/knot/knot-resolver/-/issues/385
2018-08-16T00:17:26+02:00, Petr Špaček

For some reason the kresd log is full of these:
```
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374132, scheduling rotation check in 4096000 ms
```
This is post-2.4.0 code (commit c222c545d8bd3feec94a59f1a624ffda253586e3) running in a single process.

Issue #384: NSEC3 caching doesn't seem to work
https://gitlab.nic.cz/knot/knot-resolver/-/issues/384
2018-07-27T19:48:16+02:00, Marek Vavrusa

I was trying the aggressive NSEC3 caching in the v2.4.0 tag (4141975d2f8d5c2e45cc319de20af356eb2a8b3e).
```
$ cat config # Empty configuration
$ rm *.mdb
$ kresd -a 127.0.0.1#5354 -k root.keys -v
[tls] session ticket: epoch 374032, scheduling rotation check in 3276245 ms
[ ta ] new state of trust anchors for a domain: . 172800 DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
[ ta ] new state of trust anchors for a domain: . 172800 DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
. 172800 DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
[system] interactive mode
>
```
When I query for a name that exists, caching seems to work:
```
$ kdig @127.0.0.1 -p 5354 nic.cz | grep From
;; From 127.0.0.1@5354(UDP) in 870.8 ms
$ kdig @127.0.0.1 -p 5354 nic.cz | grep From
;; From 127.0.0.1@5354(UDP) in 0.2 ms
```
When I query for a name that doesn't exist, caching doesn't seem to work:
```
$ kdig @127.0.0.1 -p 5354 bla2.nic.cz | grep From
;; From 127.0.0.1@5354(UDP) in 1208.7 ms
$ kdig @127.0.0.1 -p 5354 bla2.nic.cz | grep From
;; From 127.0.0.1@5354(UDP) in 412.8 ms
```
Here's the server log:
```
[ 0][plan] plan 'bla2.nic.cz.' type 'A'
[63031][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[63031][cach] => no NSEC* cached for zone: cz.
[63031][zcut] found cut: cz. (rank 002 return codes: DS 0, DNSKEY 0)
[29651][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[29651][resl] => querying: '194.0.13.1' score: 95 zone cut: 'cz.' qname: 'NiC.cZ.' qtype: 'NS' proto: 'udp'
[29651][resl] => querying: '2001:678:10::1' score: 95 zone cut: 'cz.' qname: 'NiC.cZ.' qtype: 'NS' proto: 'udp'
[29651][iter] <= rcode: NOERROR
[29651][iter] <= continuing with qname minimization
[29651][resl] <= server: '194.0.13.1' rtt: 175 ms
[28702][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[28702][plan] plan 'nic.cz.' type 'DS'
[40723][iter] 'nic.cz.' type 'DS' id was assigned, parent id 28702
[40723][cach] => satisfied by exact RRset: rank 060, new TTL 3513
[40723][iter] <= rcode: NOERROR
[40723][vldr] <= DS: OK
[40723][vldr] <= parent: updating DS
[40723][vldr] <= answer valid, OK
[60915][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[60915][plan] plan 'nic.cz.' type 'DNSKEY'
[ 5674][iter] 'nic.cz.' type 'DNSKEY' id was assigned, parent id 60915
[ 5674][cach] => satisfied by exact RRset: rank 060, new TTL 1713
[ 5674][iter] <= rcode: NOERROR
[ 5674][vldr] <= parent: updating DNSKEY
[ 5674][vldr] <= answer valid, OK
[29278][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[29278][resl] => query[29278][resl] => querying: '2001:678:f::1' score: 11 zone cut: 'nic.cz.' qname: 'BLa2.Nic.Cz.' qtype: 'A' proto: 'udp'
[29278][iter] <= rcode: NXDOMAIN
[29278][vldr] <= answer valid, OK
[29278][cach] => stashed 61irsbhhtmb5arro3jt924s607pojbnu.nic.cz. NSEC3, rank 060, 149 B total, incl. 1 RRSIGs
[29278][cach] => stashed 7cnkran8antk3fkqoiivftbr83c4fk16.nic.cz. NSEC3, rank 060, 141 B total, incl. 1 RRSIGs
[29278][cach] => stashed 038c9fesqq3ofr3cefq91hji5h3mq5mc.nic.cz. NSEC3, rank 060, 150 B total, incl. 1 RRSIGs
[29278][cach] => stashed nic.cz. SOA, rank 060, 159 B total, incl. 1 RRSIGs
[29278][cach] => nsec_p stash skipped (extra TTL: 88)
[29278][resl] <= server: '194.0.12.1' rtt: 169 ms
[ 0][resl] AD: request classified as SECURE
[29278][resl] finished: 4, queries: 3, mempool: 82000 B
[ 0][plan] plan 'bla2.nic.cz.' type 'A'
[24186][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[24186][cach] => no NSEC* cached for zone: cz.
[24186][zcut] found cut: cz. (rank 002 return codes: DS 0, DNSKEY 0)
[ 390][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[ 390][resl] => querying: '194.0.12.1' score: 90 zone cut: 'cz.' qname: 'NIc.cZ.' qtype: 'NS' proto: 'udp'
[ 390][resl] => querying: '2001:678:f::1' score: 90 zone cut: 'cz.' qname: 'NIc.cZ.' qtype: 'NS' proto: 'udp'
[ 390][iter] <= rcode: NOERROR
[ 390][iter] <= continuing with qname minimization
[ 390][resl] <= server: '194.0.12.1' rtt: 180 ms
[21470][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[21470][plan] plan 'nic.cz.' type 'DS'
[60687][iter] 'nic.cz.' type 'DS' id was assigned, parent id 21470
[60687][cach] => satisfied by exact RRset: rank 060, new TTL 3512
[60687][iter] <= rcode: NOERROR
[60687][vldr] <= DS: OK
[60687][vldr] <= parent: updating DS
[60687][vldr] <= answer valid, OK
[31813][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[31813][plan] plan 'nic.cz.' type 'DNSKEY'
[52521][iter] 'nic.cz.' type 'DNSKEY' id was assigned, parent id 31813
[52521][cach] => satisfied by exact RRset: rank 060, new TTL 1712
[52521][iter] <= rcode: NOERROR
[52521][vldr] <= parent: updating DNSKEY
[52521][vldr] <= answer valid, OK
[47111][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[47111][resl] => query[47111][resl] => querying: '194.0.14.1' score: 116 zone cut: 'nic.cz.' qname: 'bla2.Nic.cZ.' qtype: 'A' proto: 'udp'
[47111][iter] <= rcode: NXDOMAIN
[47111][vldr] <= answer valid, OK
[47111][cach] => stashed 61irsbhhtmb5arro3jt924s607pojbnu.nic.cz. NSEC3, rank 060, 149 B total, incl. 1 RRSIGs
[47111][cach] => stashed 7cnkran8antk3fkqoiivftbr83c4fk16.nic.cz. NSEC3, rank 060, 141 B total, incl. 1 RRSIGs
[47111][cach] => stashed 038c9fesqq3ofr3cefq91hji5h3mq5mc.nic.cz. NSEC3, rank 060, 150 B total, incl. 1 RRSIGs
[47111][cach] => stashed nic.cz. SOA, rank 060, 159 B total, incl. 1 RRSIGs
[47111][cach] => nsec_p stash skipped (extra TTL: 89)
[47111][resl] <= server: '2001:678:11::1' rtt: 157 ms
[ 0][resl] AD: request classified as SECURE
[47111][resl] finished: 4, queries: 3, mempool: 82000 B
```
When I clear cache and restart the daemon, the caching sometimes works, but most of the time it doesn't. That's strange.
I was trying to test aggressive NSEC3 caching originally with bla3, bla4, bla5, ... bla10.nic.cz, but it doesn't seem to work even when I ask the same name repetitively, so I'm not sure what I am doing wrong.
cc @anb @pspacek @vcunat
2018 Q3
Vladimír Čunát vladimir.cunat@nic.cz

https://gitlab.nic.cz/knot/knot-resolver/-/issues/377
kresd fails to bind IPv6 TLS socket sometimes (but IPv4 works)
2019-06-06T12:46:11+02:00
Petr Špaček
I have no idea why; this issue is here to remind us to inspect code for stream socket binding:
kresd should be listening on port 53028 for IPv4 and IPv6 at the same time but it is not. [config](/uploads/864f0d5638e9ec828d0d8085869938d3/config)
```
$ netstat -lptn | grep kresd
tcp 0 0 127.0.0.1:53021 0.0.0.0:* LISTEN 79892/kresd
tcp 0 0 127.0.0.1:53022 0.0.0.0:* LISTEN 79894/kresd
tcp 0 0 127.0.0.1:53028 0.0.0.0:* LISTEN 79892/kresd
tcp6 0 0 ::1:53021 :::* LISTEN 79892/kresd
tcp6 0 0 ::1:53022 :::* LISTEN 79894/kresd
```

https://gitlab.nic.cz/knot/knot-resolver/-/issues/375
DNS64 should not perform synthesis for queries with CD and DO flags
2018-07-02T15:41:42+02:00
Ondřej Caletka
According to [RFC 6147, section 5.5, paragraph 3](https://tools.ietf.org/html/rfc6147#section-5.5), DNS64 synthesis MUST NOT be performed for queries with CD and DO flags (not to fool validating stub resolvers). Knot Resolver is not compliant with this requirement.
```
# dig ipv4only.arpa aaaa +cdflag +dnssec +short
64:ff9b::c000:aa
64:ff9b::c000:ab
```
Both BIND and Unbound DNS64 modules perform well:
```
# dig ipv4only.arpa aaaa +cdflag +dnssec +short
<empty>
```
2018 Q2
Vladimír Čunát vladimir.cunat@nic.cz

https://gitlab.nic.cz/knot/knot-resolver/-/issues/374
in-bailiwick nameservers (possibly) not re-probed
2018-12-17T15:33:58+01:00
Vladimír Čunát vladimir.cunat@nic.cz
There is some possibility of getting into a situation when NS is never retried. Here's a 2.3.0 log (from Omnia):
```
[ 0][plan] plan 'ns.udag.de.' type 'A'
[22310][iter] 'ns.udag.de.' type 'A' id was assigned, parent id 0
[22310][cach] => skipping exact RR: rank 030 (min. 030), new TTL -7934
[22310][cach] => trying zone: udag.de.
[22310][cach] => NSEC sname: range search found stale or insecure entry
[22310][zcut] found cut: udag.de. (return codes: DS 1, DNSKEY 1)
[22310][resl] => NS is provably without DS, going insecure
[11561][iter] 'ns.udag.de.' type 'A' id was assigned, parent id 0
[ ][nsre] probing timeouted NS: 185.61.8.11, score 1910
[11561][plan] plan 'ns.udag.net.' type 'A'
[58910][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 11561
[58910][cach] => skipping exact RR: rank 030 (min. 000), new TTL -4331
[58910][cach] => trying zone: udag.net.
[58910][cach] => NSEC sname: range search found inconsistent entry
[58910][zcut] found cut: udag.net. (return codes: DS 1, DNSKEY 1)
[58910][resl] => NS is provably without DS, going insecure
[20592][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 11561
[20592][resl] => unresolvable NS address, bailing out
[20592][resl] => circular dependepcy, retrying with non-minimized name
[ 2400][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 11561
[ 2400][zcut] found cut: udag.net. (return codes: DS 1, DNSKEY 1)
[ 2400][resl] => NS is provably without DS, going insecure
[ 2400][resl] => unresolvable NS address, bailing out
Last message '[ 2400][resl] =>' repeated 1 times, suppressed by syslog-ng on turris
[ 2400][resl] => no valid NS left
[18717][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 11561
[18717][resl] => no valid NS left
[37402][iter] 'ns.udag.de.' type 'A' id was assigned, parent id 0
[37402][resl] => unresolvable NS address, bailing out
[37402][resl] => circular dependepcy, retrying with non-minimized name
[ 9258][iter] 'ns.udag.de.' type 'A' id was assigned, parent id 0
[ 9258][zcut] found cut: udag.de. (return codes: DS 1, DNSKEY 1)
[ 9258][resl] => NS is provably without DS, going insecure
[ 9258][plan] plan 'ns.udag.net.' type 'A'
[43035][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 9258
[43035][cach] => skipping exact RR: rank 030 (min. 000), new TTL -4331
[43035][cach] => trying zone: udag.net.
[43035][cach] => NSEC sname: range search found inconsistent entry
[43035][zcut] found cut: udag.net. (return codes: DS 1, DNSKEY 1)
[43035][resl] => NS is provably without DS, going insecure
[49223][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 9258
[49223][resl] => circular dependepcy, retrying with non-minimized name
[16076][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 9258
[16076][zcut] found cut: udag.net. (return codes: DS 1, DNSKEY 1)
[16076][resl] => NS is provably without DS, going insecure
[16076][resl] => unresolvable NS address, bailing out
Last message '[16076][resl] =>' repeated 1 times, suppressed by syslog-ng on turris
[16076][resl] => no valid NS left
[ 9260][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 9258
[ 9260][resl] => no valid NS left
[43246][iter] 'ns.udag.de.' type 'A' id was assigned, parent id 0
[43246][resl] => unresolvable NS address, bailing out
Last message '[43246][resl] => u' repeated 1 times, suppressed by syslog-ng on turris
[43246][resl] => no valid NS left
[48690][iter] 'ns.udag.de.' type 'A' id was assigned, parent id 0
[48690][resl] => no valid NS left
[ 0][resl] AD: secure (start)
[ 0][resl] AD: secure (between ANS and AUTH)
[ 0][resl] AD: secure (1)
[48690][resl] finished: 0, queries: 3, mempool: 49176 B
```
_ATM I only estimate the characteristics/causes._
2018 Q4
Vladimír Čunát vladimir.cunat@nic.cz

https://gitlab.nic.cz/knot/knot-resolver/-/issues/366
knot-resolver 2.3.0 aborted with "kresd: libknot/packet/pkt.c:84: pkt_wire_alloc: Assertion `len >= KNOT_WIRE_HEADER_SIZE' failed."
2018-08-02T16:15:47+02:00
Toshifumi Sakaguchi
## Overview
Kresd aborted with the following messages in my test (fuzzing) environment.
```
# rm -f *mdb ; /usr/local/sbin/kresd -c /usr/local/etc/knotolver/kresd.conf
[system] interactive mode
> [ ta ] key: 59407 state: Valid
[ ta ] next refresh for . in 12 hours
kresd: libknot/packet/pkt.c:84: pkt_wire_alloc: Assertion `len >= KNOT_WIRE_HEADER_SIZE' failed.
Aborted (core dumped)
```
Debugger output:
```
# gdb /usr/local/sbin/kresd
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-110.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/sbin/kresd...done.
(gdb) core-file core.25240
[New LWP 25240]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/local/sbin/kresd -c /usr/local/etc/knot-resolver/kresd.conf'.
Program terminated with signal 6, Aborted.
#0 0x00007fc078ef3277 in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install glibc-2.17-222.el7.x86_64 gmp-6.0.0-15.el7.x86_64 gnutls-3.3.26-9.el7.x86_64 libffi-3.0.13-18.el7.x86_64 libgcc-4.8.5-28.el7_5.1.x86_64 libstdc++-4.8.5-28.el7_5.1.x86_64 libtasn1-4.10-1.el7.x86_64 libuv-1.19.2-1.el7.x86_64 luajit-2.0.4-3.el7.x86_64 nettle-2.7.1-8.el7.x86_64 p11-kit-0.23.5-3.el7.x86_64 zlib-1.2.7-17.el7.x86_64
(gdb) bt
#0 0x00007fc078ef3277 in raise () from /lib64/libc.so.6
#1 0x00007fc078ef4968 in abort () from /lib64/libc.so.6
#2 0x00007fc078eec096 in __assert_fail_base () from /lib64/libc.so.6
#3 0x00007fc078eec142 in __assert_fail () from /lib64/libc.so.6
#4 0x00007fc07a719f04 in pkt_wire_alloc (len=11, pkt=0x559f324636b8)
at libknot/packet/pkt.c:84
#5 pkt_init (mm=0x559f324608a8, len=11, wire=0x0, pkt=0x559f324636b8)
at libknot/packet/pkt.c:200
#6 pkt_new_mm (mm=0x559f324608a8, len=11, wire=0x0)
at libknot/packet/pkt.c:252
#7 knot_pkt_new (wire=wire@entry=0x0, len=11, mm=mm@entry=0x559f324608a8)
at libknot/packet/pkt.c:270
#8 0x00007fc07a96d817 in consume_yield (ctx=ctx@entry=0x7ffd9c03a850,
pkt=pkt@entry=0x559f2983d500) at lib/resolve.c:78
#9 0x00007fc07a96f3a7 in kr_resolve_consume (
request=request@entry=0x559f32460770, src=src@entry=0x7ffd9c03aa10,
packet=packet@entry=0x559f2983d500) at lib/resolve.c:935
#10 0x0000559f27ac3455 in qr_task_step (task=0x559f32461a20,
packet_source=0x7ffd9c03aa10, packet=0x559f2983d500)
at daemon/worker.c:1565
#11 0x0000559f27ac5406 in worker_submit (worker=worker@entry=0x7fc07ad0e010,
handle=handle@entry=0x559f29842830, query=<optimized out>,
addr=<optimized out>, addr@entry=0x7ffd9c03aa10) at daemon/worker.c:1897
---Type <return> to continue, or q <return> to quit---
#12 0x0000559f27abd92a in udp_recv (handle=0x559f29842830,
nread=<optimized out>, buf=<optimized out>, addr=0x7ffd9c03aa10,
flags=<optimized out>) at daemon/io.c:166
#13 0x00007fc07a08fec6 in uv__udp_io () from /lib64/libuv.so.1
#14 0x00007fc07a091bb8 in uv__io_poll () from /lib64/libuv.so.1
#15 0x00007fc07a082f28 in uv_run () from /lib64/libuv.so.1
#16 0x0000559f27abd4a9 in run_worker (args=0x7ffd9c03de20,
leader=<optimized out>, ipc_set=0x7ffd9c03dca0, engine=0x7ffd9c03dfd0,
loop=0x7fc07a29dd00) at daemon/main.c:422
#17 main (argc=<optimized out>, argv=<optimized out>) at daemon/main.c:755
(gdb)
```
## Environments
### IP addresses of each server
* root DNS server: 192.168.33.100/24
* malicious authoritative server: 192.168.33.101/24
* victim full service resolver: 192.168.33.102/24
### OS and software of each server
root DNS server
* OS: CentOS 7.5 x86_64 on VirtualBox VM
* DNS: bind
Malicious authoritative server
* OS: CentOS 7.5 x86_64 on VirtualBox VM
victim full service resolver
* OS: CentOS 7.5 x86_64 on VirtualBox VM
* DNS: knot-resolver 2.3.0, knot-dns(libknot) 2.6.7
## Reproduce steps
### root server
Install CentOS 7.5 from install ISO image.
Set the VM's IP address to 192.168.33.100/24.
Set firewalld.
```
# firewall-cmd --zone=public --add-service=dns --permanent
# firewall-cmd --reload
```
Install Bind.
```
# yum install -y bind bind-utils
```
Upload and extract test-files.tar.gz
```
# cd /tmp
# tar xzf /path/to/test-files.tar.gz
```
Copy named.conf and root zone file.
```
# cp /tmp/test-files/root.named.conf /etc/named.conf
# cp /tmp/test-files/root.zone.signed /var/named/root.zone.signed
# chmod 644 /var/named/root.zone.signed
```
Start named.
```
# systemctl start named
# systemctl enable named
```
### Malicious authoritative server
Install CentOS 7.5 from install ISO image.
Set IP address to 192.168.33.101/24.
Set firewalld.
```
# firewall-cmd --zone=public --add-service=dns --permanent
# firewall-cmd --reload
```
Install Build tools.
```
# yum install -y epel-release
# yum install -y gcc-c++ boost-devel wget perl yaml-cpp-devel bind-utils gtest-devel
# wget https://cmake.org/files/v3.10/cmake-3.10.0-Linux-x86_64.sh
# sh cmake-3.10.0-Linux-x86_64.sh --skip-license --prefix=/usr/local
```
Install openssl 1.1.0 from source.
```
# wget https://www.openssl.org/source/openssl-1.1.0g.tar.gz
# tar xzf openssl-1.1.0g.tar.gz
# cd openssl-1.1.0g
# ./config shared
# make
# make install
# echo /usr/local/lib64 > /etc/ld.so.conf.d/local.conf
# ldconfig
```
Upload and extract dns-fuzz-server.tar.gz.
```
# tar xzf /path/to/dns-fuzz-server.tar.gz
# cd dns-fuzz-server
# cmake .
# make
```
Start the DNS service in the foreground.
```
# ./bin/fuzz_server -z example.com -f data/example.com.zone.full -K data/example.com.ksk.yaml -Z data/example.com.zsk.yaml -n 4
```
### victim full service resolver
Install CentOS 7.5 from install ISO image.
Set IP address to 192.168.33.102/24.
Set firewalld.
```
# firewall-cmd --zone=public --add-service=dns --permanent
# firewall-cmd --reload
```
Install Build tools.
```
# yum install -y epel-release
# yum install -y gcc-c++ openssl-devel wget luajit-devel libuv-devel userspace-rcu-devel.x86_64 libedit-devel.x86_64 gcc-c++ gnutls-devel
```
Install knot-dns (libknot) 2.6.7 from source.
```
$ wget https://secure.nic.cz/files/knot-dns/knot-2.6.7.tar.xz
$ tar xJf knot-2.6.7.tar.xz
$ cd knot-2.6.7
$ ./configure
$ make
$ su
# make install
```
Install knot-resolver 2.3.0 from source.
```
# wget https://secure.nic.cz/files/knot-resolver/knot-resolver-2.3.0.tar.xz
# tar xJf knot-resolver-2.3.0.tar.xz
# cd knot-resolver-2.3.0
# PKG_CONFIG_PATH=/usr/local/lib/pkgconfig make LDFLAGS="-Wl,-rpath=/usr/local/lib" PREFIX="/usr/local" CFLAGS="-DNDEBUG -g" install
```
Upload and extract test-files.tar.gz.
```
# cd /tmp
# tar xzf /path/to/test-files.tar.gz
```
Copy kresd.conf, trust anchor and hints file.
```
# cp /tmp/test-files/kresd.conf /usr/local/etc/knot-resolver
# cp /tmp/test-files/root.hints /usr/local/etc/knot-resolver
# cp /tmp/test-files/root.keys /usr/local/etc/knot-resolver
```
Start knot-resolver.
```
# mkdir -p /tmp/db
# cd /tmp/db
# rm -f * ; /usr/local/sbin/kresd -c /usr/local/etc/knot-resolver/kresd.conf
```
Log in to the malicious authoritative server and send queries with `fuzz_client`.
```
# cd /path/to/dns-fuzz-server
# ./bin/fuzz_client -s 192.168.33.102 -b example.com -i 100
```
Please wait several hours or days.
[test-files.tar.gz](/uploads/014e5a07c6c80a5f29f03f1b31b4a15c/test-files.tar.gz)
[dns-fuzz-server.tar.gz](/uploads/39148d8d68c200350a0a34e7c85a8943/dns-fuzz-server.tar.gz)

https://gitlab.nic.cz/knot/knot-resolver/-/issues/347
knot-resolver fails to build from source on hurd due to missing MAXPATHLEN
2018-05-03T12:48:02+02:00
Daniel Kahn Gillmor
The [debian hurd build daemon](https://buildd.debian.org/status/fetch.php?pkg=knot-resolver&arch=hurd-i386&ver=2.3.0-2&stamp=1524785893&raw=0) shows:
```
daemon/engine.c: In function 'engine_set_moduledir':
daemon/engine.c:231:15: error: 'MAXPATHLEN' undeclared (first use in this function); did you mean 'MAXNAMLEN'?
	char l_paths[MAXPATHLEN] = { 0 };
	             ^~~~~~~~~~
	             MAXNAMLEN
```
See [Justus Winter's thoughts on MAXPATHLEN](https://lists.debian.org/debian-hurd/2012/01/msg00166.html) about why this might not be something worth relying on.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/346
www.nrl.navy.mil. validation broken without query minimization
2018-09-04T16:29:06+02:00
Filip Siroky
Validation is broken without query minimization for www.nrl.navy.mil. after it was fixed with it in merge !543.
Kresd log:
[server.log](/uploads/199eaec49170e46882d23c12e6db646b/server.log)
Deckard scenario:
[gen_navy.rpl](/uploads/aaa46e764a232e811ee9d32813953325/gen_navy.rpl)