Knot Resolver issues
https://gitlab.nic.cz/knot/knot-resolver/-/issues
2019-04-16T09:03:53+02:00

# Assertion failed: (map_contains(&worker->tcp_connected, key) == 0), function worker_add_tcp_connected, file daemon/worker.c, line 1997
https://gitlab.nic.cz/knot/knot-resolver/-/issues/416
2019-04-16T09:03:53+02:00
Author: Ghost User

I am using the Knot DNS Resolver on macOS Mojave (10.14.1). I tested the resolver with the 1.1.1.1 and 9.9.9.9 DNS servers. It works well, but periodically (after the Mac exits sleep) the daemon stops working and "sudo brew services restart knot-resolver" doesn't help either. After the Mac reboots it starts working again.
[kresd.log](/uploads/fdcbb5629cdde9ba263e2af0e5acc5ee/kresd.log) tells the following:
```
Assertion failed: (map_contains(&worker->tcp_connected, key) == 0), function worker_add_tcp_connected, file daemon/worker.c, line 1997.
[priming] cannot resolve '.' NS, next priming query in 10 seconds
[detect_time_skew] cannot resolve '.' NS
[ ta ] active refresh failed for . with rcode: 2
[priming] cannot resolve '.' NS, next priming query in 10 seconds
[priming] cannot resolve '.' NS, next priming query in 10 seconds
[priming] cannot resolve '.' NS, next priming query in 10 seconds
[priming] cannot resolve address 'a.root-servers.net.', type: 1
Assertion failed: (map_contains(&worker->tcp_connected, key) == 0), function worker_add_tcp_connected, file daemon/worker.c, line 1997.
[priming] cannot resolve address 'a.root-servers.net.', type: 1
[ ta ] active refresh failed for . with rcode: 2
[ ta ] active refresh failed for . with rcode: 2
Assertion failed: (map_contains(&worker->tcp_connected, key) == 0), function worker_add_tcp_connected, file daemon/worker.c, line 1997.
[priming] cannot resolve address 'a.root-servers.net.', type: 1
[priming] cannot resolve address 'b.root-servers.net.', type: 1
[priming] cannot resolve address 'g.root-servers.net.', type: 28
[priming] cannot resolve address 'h.root-servers.net.', type: 1
[priming] cannot resolve address 'k.root-servers.net.', type: 1
[ ta ] active refresh failed for . with rcode: 2
Assertion failed: (map_contains(&worker->tcp_connected, key) == 0), function worker_add_tcp_connected, file daemon/worker.c, line 1997.
[priming] cannot resolve address 'a.root-servers.net.', type: 1
[priming] cannot resolve address 'b.root-servers.net.', type: 1
[ ta ] active refresh failed for . with rcode: 2
[priming] cannot resolve address 'g.root-servers.net.', type: 28
[priming] cannot resolve address 'k.root-servers.net.', type: 1
[ ta ] active refresh failed for . with rcode: 2
Assertion failed: (map_contains(&worker->tcp_connected, key) == 0), function worker_add_tcp_connected, file daemon/worker.c, line 1997.
[priming] cannot resolve '.' NS, next priming query in 10 seconds
[detect_time_skew] cannot resolve '.' NS
[ ta ] active refresh failed for . with rcode: 2
[priming] cannot resolve '.' NS, next priming query in 10 seconds
[priming] cannot resolve '.' NS, next priming query in 10 seconds
```

# RFC 5011 will crash resolver if key is rolled to an unsupported algorithm
https://gitlab.nic.cz/knot/knot-resolver/-/issues/449
2019-04-04T15:03:11+02:00
Author: Petr Špaček

Reported by: Matthijs Mekking <matthijs@isc.org>
PANIC if kresd performs 5011 and retrieves an unsupported algorithm
===================================================================
Summary
-------
tldr; When refreshing trust anchors and kresd receives an unsupported
DNSSEC algorithm, kresd will exit with a PANIC:
```
PANIC: unprotected error in call to Lua API
(/usr/local/lib/kdns_modules/trust_anchors.lua:208: invalid RR:
5011.isc.pletterpet.nl. 60 DNSKEY 257 3 16
GjgC97LCct7HZhArY9KRvynmXLKF/OGPCOX8jVqNaQ5Tj58lqxaNQ/tx2l8sftpLHHQj9KOsRzjN:
invalid key algorithm)
```
Knot resolver versions used
---------------------------
knot-resolver-3.2.1
Steps to reproduce
------------------
1. Set up an authoritative zone, DNSSEC signed with a supported
algorithm, for example RSA-SHA256 (8).
2. Start Knot resolver with a trust anchor file that contains the KSK
for the authoritative zone.
`kresd -c config.test`
3. Update the authoritative zone, add a new algorithm that is not
supported by BIND, for example Ed448 (16).
4. Wait until kresd refreshes trust anchors.
You should hit the same error if you do step 2 and the authoritative
server already has the DNSKEY with the unsupported algorithm in the zone.
What is the current bug behavior?
---------------------------------
The Knot resolver will exit with a PANIC.
What is the expected correct behavior?
--------------------------------------
The Knot resolver will log an error (or warning) and ignore the new key.
Relevant configuration files
----------------------------
config.test:
```
net = { '127.0.0.1', '::1' }
trust_anchors.config('trustanchors.conf', 0)
modules = {
'hints > iterate',
'stats',
'predict',
}
cache.size = 10 * MB
```

Milestone: 4.0.0

# non-empty answers with SERVFAIL
https://gitlab.nic.cz/knot/knot-resolver/-/issues/231
2019-03-23T12:29:52+01:00
Author: Vladimír Čunát <vladimir.cunat@nic.cz>

It currently happens only in some cases. See https://gitlab.labs.nic.cz/knot/knot-resolver/merge_requests/343#note_51832
- [ ] investigate/decide how exactly the answers can/shall look like. Special case to note: [CNAME chains broken somewhere later](https://tools.ietf.org/html/rfc6604#section-3).
- [ ] implement.

# net.list() ignores multiple ports on the same IP address
https://gitlab.nic.cz/knot/knot-resolver/-/issues/448
2019-03-12T14:03:36+01:00
Author: Petr Špaček

Multiple invocations of `net.listen()` using the same IP address but different ports will confuse the output of `net.list()`. Only a single endpoint description listening for a given IP address is returned by `net.list`:
Example:
```
$ KRESD_NO_LISTEN=1 kresd
> net.list()
> net.listen('::1', 5353)
true
> net.list()
[::1] => {
[tcp] => true
[tls] => false
[udp] => true
[port] => 5353
}
> net.listen('::1', 53000)
true
> net.list()
[::1] => {
[tcp] => true
[tls] => false
[udp] => true
[port] => 5353
}
```
Fixing this obviously requires a change to the `net.list()` output format, which can be done in the upcoming 4.0.
The main question is how the new output should look. Preliminary proposal:
```
{ address = 'string',
transport = udp/tcp/quic,
transport_params = { [transport-dependent parameters - port etc.] },
security = tls/dtls/...,
format = plain DNS/DNS-over-HTTP-binary/DNS-over-HTTP-JSON
}
```
`net.list()` would then produce a numbered list of tuples, each tuple describing a single combination.
While this would be technically correct, I don't know if it would be too verbose and ugly. Maybe we should introduce `net.summary()` which could produce a nicer output out of `net.list()`, or something like that.

Milestone: 4.0.0
Assignee: Tomas Krizek

# trust_anchors.lua: keyset_read() parameter shadows string library
https://gitlab.nic.cz/knot/knot-resolver/-/issues/451
2019-03-12T12:12:22+01:00
Author: Petr Špaček

In file `/usr/lib/kdns_modules/trust_anchors.lua` around line 376, the `local function keyset_read(path, string)` shadows the `string` library, which causes weird problems. We have to remove the shadowing before release.

Milestone: 4.0.0
Assignee: Tomas Krizek

# knot-resolver as a DNSoTLS client fails upon sleep
https://gitlab.nic.cz/knot/knot-resolver/-/issues/437
2019-02-15T09:42:54+01:00
Author: Dustin Hodges

On **macOS Mojave 10.14.2**, when using `knot-resolver` as a *DNSoTLS client* (setting `knot-resolver` to communicate with Cloudflare's public DNS over TLS, and setting the OS network DNS configuration to the local host, `127.0.0.1` & `::1`), when the Mac system enters sleep, knot-resolver stops communicating, either with macOS (local side) or Cloudflare (network side); unsure as to which. Communication does not resume when resuming from sleep.
When this failure occurs, `KRESD.LOG` is given a single line:

> `Assertion failed: (tls_p->consumed == tls_p->nread), function tls_process_input_data, file daemon/tls.c, line 508.`

Attempts to test connectivity using `kdig bing.com` result in

> `;; WARNING: response timeout for ::1@53(UDP)`
>
> `;; WARNING: response timeout for 127.0.0.1@53(UDP)`

Suggesting that it is the local side, assuming the timeout is between macOS itself and
The temporary solution is to run `sudo brew services restart knot-resolver` via terminal, restarting the service and returning functionality of knot-resolver as a DNSoTLS client.

Milestone: 2019 Q1

# in-bailiwick nameservers (possibly) not re-probed
https://gitlab.nic.cz/knot/knot-resolver/-/issues/374
2018-12-17T15:33:58+01:00
Author: Vladimír Čunát <vladimir.cunat@nic.cz>

There is some possibility of getting into a situation where an NS is never retried. Here's a 2.3.0 log (from Omnia):
```
[ 0][plan] plan 'ns.udag.de.' type 'A'
[22310][iter] 'ns.udag.de.' type 'A' id was assigned, parent id 0
[22310][cach] => skipping exact RR: rank 030 (min. 030), new TTL -7934
[22310][cach] => trying zone: udag.de.
[22310][cach] => NSEC sname: range search found stale or insecure entry
[22310][zcut] found cut: udag.de. (return codes: DS 1, DNSKEY 1)
[22310][resl] => NS is provably without DS, going insecure
[11561][iter] 'ns.udag.de.' type 'A' id was assigned, parent id 0
[ ][nsre] probing timeouted NS: 185.61.8.11, score 1910
[11561][plan] plan 'ns.udag.net.' type 'A'
[58910][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 11561
[58910][cach] => skipping exact RR: rank 030 (min. 000), new TTL -4331
[58910][cach] => trying zone: udag.net.
[58910][cach] => NSEC sname: range search found inconsistent entry
[58910][zcut] found cut: udag.net. (return codes: DS 1, DNSKEY 1)
[58910][resl] => NS is provably without DS, going insecure
[20592][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 11561
[20592][resl] => unresolvable NS address, bailing out
[20592][resl] => circular dependepcy, retrying with non-minimized name
[ 2400][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 11561
[ 2400][zcut] found cut: udag.net. (return codes: DS 1, DNSKEY 1)
[ 2400][resl] => NS is provably without DS, going insecure
[ 2400][resl] => unresolvable NS address, bailing out
Last message '[ 2400][resl] =>' repeated 1 times, suppressed by syslog-ng on turris
[ 2400][resl] => no valid NS left
[18717][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 11561
[18717][resl] => no valid NS left
[37402][iter] 'ns.udag.de.' type 'A' id was assigned, parent id 0
[37402][resl] => unresolvable NS address, bailing out
[37402][resl] => circular dependepcy, retrying with non-minimized name
[ 9258][iter] 'ns.udag.de.' type 'A' id was assigned, parent id 0
[ 9258][zcut] found cut: udag.de. (return codes: DS 1, DNSKEY 1)
[ 9258][resl] => NS is provably without DS, going insecure
[ 9258][plan] plan 'ns.udag.net.' type 'A'
[43035][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 9258
[43035][cach] => skipping exact RR: rank 030 (min. 000), new TTL -4331
[43035][cach] => trying zone: udag.net.
[43035][cach] => NSEC sname: range search found inconsistent entry
[43035][zcut] found cut: udag.net. (return codes: DS 1, DNSKEY 1)
[43035][resl] => NS is provably without DS, going insecure
[49223][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 9258
[49223][resl] => circular dependepcy, retrying with non-minimized name
[16076][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 9258
[16076][zcut] found cut: udag.net. (return codes: DS 1, DNSKEY 1)
[16076][resl] => NS is provably without DS, going insecure
[16076][resl] => unresolvable NS address, bailing out
Last message '[16076][resl] =>' repeated 1 times, suppressed by syslog-ng on turris
[16076][resl] => no valid NS left
[ 9260][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 9258
[ 9260][resl] => no valid NS left
[43246][iter] 'ns.udag.de.' type 'A' id was assigned, parent id 0
[43246][resl] => unresolvable NS address, bailing out
Last message '[43246][resl] => u' repeated 1 times, suppressed by syslog-ng on turris
[43246][resl] => no valid NS left
[48690][iter] 'ns.udag.de.' type 'A' id was assigned, parent id 0
[48690][resl] => no valid NS left
[ 0][resl] AD: secure (start)
[ 0][resl] AD: secure (between ANS and AUTH)
[ 0][resl] AD: secure (1)
[48690][resl] finished: 0, queries: 3, mempool: 49176 B
```
_ATM I only estimate the characteristics/causes._

Milestone: 2018 Q4
Assignee: Vladimír Čunát <vladimir.cunat@nic.cz>

# kresd crashes if run from a shellscript in interactive mode
https://gitlab.nic.cz/knot/knot-resolver/-/issues/237
2018-12-10T17:28:12+01:00
Author: Libor Peltan

When I prepare a shell script like this:
```
#!/bin/bash
kresd -c rolltest.resolver.conf &
while true; do sleep 1; done
```
It ends up with kresd crashing:
```
dnsbench@knot-lroot:~$ ./test.sh
[ ta ]: new trust anchor state:
. 10 DS 42362 8 2 2C1EC36EEC516C47DD3AEFF9905B46500194649902C1986DF7DB0F3B110DA9AD
[system] interactive mode
> ./test.sh: line 5: 61109 Aborted (core dumped) kresd -c rolltest.resolver.conf
^C
```
A workaround: running kresd in non-interactive mode (option `-f 1`).

Assignee: Štěpán Balážik

# dnssec bug: resolver fails to validate answers
https://gitlab.nic.cz/knot/knot-resolver/-/issues/58
2018-11-12T16:15:57+01:00
Author: Ondřej Surý

This is actually a validator bug, that's why it retries every time. We can discuss how much effort the resolver should make when it's fixed:
```
[plan] plan 'www.cmu.edu.' type 'A'
[plan] plan 'cmu.edu.' type 'DNSKEY'
[iter] <= rcode: NOERROR
[vldr] <= parent: updating DNSKEY
[vldr] <= answer valid, OK
[iter] <= rcode: NOERROR
[vldr] <= couldn't validate RRSIGs
```
One of the nameservers for cmu.edu is misconfigured and returns `REFUSED`:
```
$ dig IN A www.cmu.edu @ny-server-03.net.cmu.edu.
;; ->>HEADER<<- opcode: QUERY; status: REFUSED; id: 61298
;; Flags: qr rd; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; www.cmu.edu. IN A
;; Received 29 B
;; Time 2016-04-15 09:13:04 CEST
;; From 38.96.147.4@53(UDP) in 98.5 ms
```
kresd should try harder and not return `REFUSED`, but retry with different nameservers.
```
$ dig IN A www.cmu.edu @127.0.0.1
;; ->>HEADER<<- opcode: QUERY; status: REFUSED; id: 60007
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; www.cmu.edu. IN A
;; Received 29 B
;; Time 2016-04-15 09:13:46 CEST
;; From 127.0.0.1@53(UDP) in 165.3 ms
```
Assignee: Grigorii Demidov

# crash on startup if cache directory is not writeable
https://gitlab.nic.cz/knot/knot-resolver/-/issues/287
2018-09-12T11:08:36+02:00
Author: Petr Špaček

```
$ chmod u-w .
$ kresd
[cache] LMDB error: Permission denied
kresd: lib/cdb_lmdb.c:67: lmdb_error: Assertion `false' failed.
Aborted (core dumped)
```

# log flood from TLS session key rotation
https://gitlab.nic.cz/knot/knot-resolver/-/issues/385
2018-08-16T00:17:26+02:00
Author: Petr Špaček

For some reason the kresd log is full of these:
```
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374132, scheduling rotation check in 4096000 ms
```
This is post-2.4.0 code c222c545d8bd3feec94a59f1a624ffda253586e3 running in a single process.

# failure to validate No Data response for explicit wildcard
https://gitlab.nic.cz/knot/knot-resolver/-/issues/274
2018-08-04T11:53:46+02:00
Author: Jan Včelák

kresd 1.5.0 fails to validate a No Data response for an explicit wildcard.
Query for an existent type:
```
$ kdig @::1 -p 53530 +tcp +adflag \*.wc.dnssec.test +dnssec TXT
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 41557
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: NOERROR
;; QUESTION SECTION:
;; *.wc.dnssec.test. IN TXT
;; ANSWER SECTION:
*.wc.dnssec.test. 1200 IN TXT "wc"
*.wc.dnssec.test. 1200 IN RRSIG TXT 13 3 1200 20171124132134 20171110132134 59809 dnssec.test. X45WDd9WkTnhlB60DImXo7pdNirsaQc/wTnR5ccJJglAypL121DkvkuMJmbYCWvt1O+U+ycVAKQznmF7D/DyTg==
;; Received 163 B
;; Time 2017-11-13 16:02:29 CET
;; From ::1@53530(TCP) in 41.5 ms
```
Query for a non-existent type:
```
$ kdig @::1 -p 53530 +tcp +adflag \*.wc.dnssec.test +dnssec AAAA
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 43702
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; *.wc.dnssec.test. IN AAAA
;; Received 32 B
;; Time 2017-11-13 16:02:37 CET
;; From ::1@53530(TCP) in 45.2 ms
```
kresd trace:
```
[21405][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 21405
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 4; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION
*.wc.dnssec.test. AAAA
;; AUTHORITY SECTION
dnssec.test. 1200 SOA a.ns.fcelda.cz. hostmaster.fcelda.cz. 344 3600 1800 2678400 1200
*.wc.dnssec.test. 1200 NSEC no.wc.dnssec.test. TXT RRSIG NSEC
dnssec.test. 1400 RRSIG SOA 13 2 1400 20171124142134 20171110142134 59809 dnssec.test. 0n0ZDgLbhEJTmcbxR6V50T1Xk+39xo8vEzjnEcIdI+m/2fWWw45/MrRU/H5oT8y+LrtFu/wiFI0crvj+lH6NbQ==
*.wc.dnssec.test. 1200 RRSIG NSEC 13 3 1200 20171124132134 20171110132134 59809 dnssec.test. wwOzuf0QBcv1w7WBHlIMvxwZi0cPXDGfYRjxnXUaHx87ekMdislJwk+6Dc1kY8wjA24TAkvY9ViYHUHAikl1aQ==
[21405][iter] <= rcode: NOERROR
[21405][vldr] <= bad NODATA proof
```

Milestone: 2018 Q1

# knot-resolver 2.3.0 aborted with "kresd: libknot/packet/pkt.c:84: pkt_wire_alloc: Assertion `len >= KNOT_WIRE_HEADER_SIZE' failed."
https://gitlab.nic.cz/knot/knot-resolver/-/issues/366
2018-08-02T16:15:47+02:00
Author: Toshifumi Sakaguchi

## Overview
Kresd aborted with the following messages in my test (fuzzing) environment.
```
# rm -f *mdb ; /usr/local/sbin/kresd -c /usr/local/etc/knotolver/kresd.conf
[system] interactive mode
> [ ta ] key: 59407 state: Valid
[ ta ] next refresh for . in 12 hours
kresd: libknot/packet/pkt.c:84: pkt_wire_alloc: Assertion `len >= KNOT_WIRE_HEADER_SIZE' failed.
Aborted (core dumped)
```
Debugger output:
```
# gdb /usr/local/sbin/kresd
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-110.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/sbin/kresd...done.
(gdb) core-file core.25240
[New LWP 25240]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/local/sbin/kresd -c /usr/local/etc/knot-resolver/kresd.conf'.
Program terminated with signal 6, Aborted.
#0 0x00007fc078ef3277 in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install glibc-2.17-222.el7.x86_64 gmp-6.0.0-15.el7.x86_64 gnutls-3.3.26-9.el7.x86_64 libffi-3.0.13-18.el7.x86_64 libgcc-4.8.5-28.el7_5.1.x86_64 libstdc++-4.8.5-28.el7_5.1.x86_64 libtasn1-4.10-1.el7.x86_64 libuv-1.19.2-1.el7.x86_64 luajit-2.0.4-3.el7.x86_64 nettle-2.7.1-8.el7.x86_64 p11-kit-0.23.5-3.el7.x86_64 zlib-1.2.7-17.el7.x86_64
(gdb) bt
#0 0x00007fc078ef3277 in raise () from /lib64/libc.so.6
#1 0x00007fc078ef4968 in abort () from /lib64/libc.so.6
#2 0x00007fc078eec096 in __assert_fail_base () from /lib64/libc.so.6
#3 0x00007fc078eec142 in __assert_fail () from /lib64/libc.so.6
#4 0x00007fc07a719f04 in pkt_wire_alloc (len=11, pkt=0x559f324636b8)
at libknot/packet/pkt.c:84
#5 pkt_init (mm=0x559f324608a8, len=11, wire=0x0, pkt=0x559f324636b8)
at libknot/packet/pkt.c:200
#6 pkt_new_mm (mm=0x559f324608a8, len=11, wire=0x0)
at libknot/packet/pkt.c:252
#7 knot_pkt_new (wire=wire@entry=0x0, len=11, mm=mm@entry=0x559f324608a8)
at libknot/packet/pkt.c:270
#8 0x00007fc07a96d817 in consume_yield (ctx=ctx@entry=0x7ffd9c03a850,
pkt=pkt@entry=0x559f2983d500) at lib/resolve.c:78
#9 0x00007fc07a96f3a7 in kr_resolve_consume (
request=request@entry=0x559f32460770, src=src@entry=0x7ffd9c03aa10,
packet=packet@entry=0x559f2983d500) at lib/resolve.c:935
#10 0x0000559f27ac3455 in qr_task_step (task=0x559f32461a20,
packet_source=0x7ffd9c03aa10, packet=0x559f2983d500)
at daemon/worker.c:1565
#11 0x0000559f27ac5406 in worker_submit (worker=worker@entry=0x7fc07ad0e010,
handle=handle@entry=0x559f29842830, query=<optimized out>,
addr=<optimized out>, addr@entry=0x7ffd9c03aa10) at daemon/worker.c:1897
---Type <return> to continue, or q <return> to quit---
#12 0x0000559f27abd92a in udp_recv (handle=0x559f29842830,
nread=<optimized out>, buf=<optimized out>, addr=0x7ffd9c03aa10,
flags=<optimized out>) at daemon/io.c:166
#13 0x00007fc07a08fec6 in uv__udp_io () from /lib64/libuv.so.1
#14 0x00007fc07a091bb8 in uv__io_poll () from /lib64/libuv.so.1
#15 0x00007fc07a082f28 in uv_run () from /lib64/libuv.so.1
#16 0x0000559f27abd4a9 in run_worker (args=0x7ffd9c03de20,
leader=<optimized out>, ipc_set=0x7ffd9c03dca0, engine=0x7ffd9c03dfd0,
loop=0x7fc07a29dd00) at daemon/main.c:422
#17 main (argc=<optimized out>, argv=<optimized out>) at daemon/main.c:755
(gdb)
```
## Environments
### IP addresses of each server
* root DNS server: 192.168.33.100/24
* malicious authoritative server: 192.168.33.101/24
* victim full service resolver: 192.168.33.102/24
### OS and software of each server
root DNS server
* OS: CentOS 7.5 x86_64 on VirtualBox VM
* DNS: bind
Malicious authoritative server
* OS: CentOS 7.5 x86_64 on VirtualBox VM
victim full service resolver
* OS: CentOS 7.5 x86_64 on VirtualBox VM
* DNS: knot-resolver 2.3.0, knot-dns(libknot) 2.6.7
## Reproduction steps
### root server
Install CentOS 7.5 from install ISO image.
Set the VM's IP address to 192.168.33.100/24.
Set firewalld.
```
# firewall-cmd --zone=public --add-service=dns --permanent
# firewall-cmd --reload
```
Install Bind.
```
# yum install -y bind bind-utils
```
Upload and extract test-files.tar.gz
```
# cd /tmp
# tar xzf /path/to/test-files.tar.gz
```
Copy named.conf and root zone file.
```
# cp /tmp/test-files/root.named.conf /etc/named.conf
# cp /tmp/test-files/root.zone.signed /var/named/root.zone.signed
# chmod 644 /var/named/root.zone.signed
```
Start named.
```
# systemctl start named
# systemctl enable named
```
### Malicious authoritative server
Install CentOS 7.5 from install ISO image.
Set IP address to 192.168.33.101/24.
Set firewalld
```
# firewall-cmd --zone=public --add-service=dns --permanent
# firewall-cmd --reload
```
Install Build tools.
```
# yum install -y epel-release
# yum install -y gcc-c++ boost-devel wget perl yaml-cpp-devel bind-utils gtest-devel
# wget https://cmake.org/files/v3.10/cmake-3.10.0-Linux-x86_64.sh
# sh cmake-3.10.0-Linux-x86_64.sh --skip-license --prefix=/usr/local
```
Install openssl 1.1.0 from source file.
```
# wget https://www.openssl.org/source/openssl-1.1.0g.tar.gz
# tar xzf openssl-1.1.0g.tar.gz
# cd openssl-1.1.0g
# ./config shared
# make
# make install
# echo /usr/local/lib64 > /etc/ld.so.conf.d/local.conf
# ldconfig
```
Upload and extract dns-fuzz-server.tar.gz.
```
# tar xzf /path/to/dns-fuzz-server.tar.gz
# cd dns-fuzz-server
# cmake .
# make
```
Start DNS service foreground.
```
# ./bin/fuzz_server -z example.com -f data/example.com.zone.full -K data/example.com.ksk.yaml -Z data/example.com.zsk.yaml -n 4
```
### victim full service resolver
Install CentOS 7.5 from install ISO image.
Set IP address to 192.168.33.102/24.
Set firewalld
```
# firewall-cmd --zone=public --add-service=dns --permanent
# firewall-cmd --reload
```
Install Build tools.
```
# yum install -y epel-release
# yum install -y gcc-c++ openssl-devel wget luajit-devel libuv-devel userspace-rcu-devel.x86_64 libedit-devel.x86_64 gcc-c++ gnutls-devel
```
Install knot-dns (libknot) 2.6.7 from source file.
```
$ wget https://secure.nic.cz/files/knot-dns/knot-2.6.7.tar.xz
$ tar xJf knot-2.6.7.tar.xz
$ cd knot-2.6.7
$ ./configure
$ make
$ su
# make install
```
Install knot-resolver 2.3.0 from source.
```
# wget https://secure.nic.cz/files/knot-resolver/knot-resolver-2.3.0.tar.xz
# tar xJf knot-resolver-2.3.0.tar.xz
# cd knot-resolver-2.3.0
# PKG_CONFIG_PATH=/usr/local/lib/pkgconfig make LDFLAGS="-Wl,-rpath=/usr/local/lib" PREFIX="/usr/local" CFLAGS="-DNDEBUG -g" install
```
Upload and extract test-files.tar.gz.
```
# cd /tmp
# tar xzf /path/to/test-files.tar.gz
```
Copy kresd.conf, trust anchor and hints file.
```
# cp /tmp/test-files/kresd.conf /usr/local/etc/knot-resolver
# cp /tmp/test-files/root.hints /usr/local/etc/knot-resolver
# cp /tmp/test-files/root.keys /usr/local/etc/knot-resolver
```
Start knot-resolver.
```
# mkdir -p /tmp/db
# cd /tmp/db
# rm -f * ; /usr/local/sbin/kresd -c /usr/local/etc/knot-resolver/kresd.conf
```
Log in to the malicious authoritative server, and send queries with `fuzz_client`.
```
# cd /path/to/dns-fuzz-server
# ./bin/fuzz_client -s 192.168.33.102 -b example.com -i 100
```
Please wait several hours or days.
[test-files.tar.gz](/uploads/014e5a07c6c80a5f29f03f1b31b4a15c/test-files.tar.gz)
[dns-fuzz-server.tar.gz](/uploads/39148d8d68c200350a0a34e7c85a8943/dns-fuzz-server.tar.gz)

# NSEC3 caching doesn't seem to work
https://gitlab.nic.cz/knot/knot-resolver/-/issues/384
2018-07-27T19:48:16+02:00
Author: Marek Vavrusa

I was trying the aggressive NSEC3 caching in the v2.4.0 tag (4141975d2f8d5c2e45cc319de20af356eb2a8b3e).
```
$ cat config # Empty configuration
$ rm *.mdb
$ kresd -a 127.0.0.1#5354 -k root.keys -v
[tls] session ticket: epoch 374032, scheduling rotation check in 3276245 ms
[ ta ] new state of trust anchors for a domain: . 172800 DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
[ ta ] new state of trust anchors for a domain: . 172800 DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
. 172800 DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
[system] interactive mode
>
```
When I query for a name that exists, caching seems to work:
```
$ kdig @127.0.0.1 -p 5354 nic.cz | grep From
;; From 127.0.0.1@5354(UDP) in 870.8 ms
$ kdig @127.0.0.1 -p 5354 nic.cz | grep From
;; From 127.0.0.1@5354(UDP) in 0.2 ms
```
When I query for a name that doesn't exist, caching doesn't seem to work:
```
$ kdig @127.0.0.1 -p 5354 bla2.nic.cz | grep From
;; From 127.0.0.1@5354(UDP) in 1208.7 ms
$ kdig @127.0.0.1 -p 5354 bla2.nic.cz | grep From
;; From 127.0.0.1@5354(UDP) in 412.8 ms
```
Here's the server log:
```
[ 0][plan] plan 'bla2.nic.cz.' type 'A'
[63031][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[63031][cach] => no NSEC* cached for zone: cz.
[63031][zcut] found cut: cz. (rank 002 return codes: DS 0, DNSKEY 0)
[29651][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[29651][resl] => querying: '194.0.13.1' score: 95 zone cut: 'cz.' qname: 'NiC.cZ.' qtype: 'NS' proto: 'udp'
[29651][resl] => querying: '2001:678:10::1' score: 95 zone cut: 'cz.' qname: 'NiC.cZ.' qtype: 'NS' proto: 'udp'
[29651][iter] <= rcode: NOERROR
[29651][iter] <= continuing with qname minimization
[29651][resl] <= server: '194.0.13.1' rtt: 175 ms
[28702][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[28702][plan] plan 'nic.cz.' type 'DS'
[40723][iter] 'nic.cz.' type 'DS' id was assigned, parent id 28702
[40723][cach] => satisfied by exact RRset: rank 060, new TTL 3513
[40723][iter] <= rcode: NOERROR
[40723][vldr] <= DS: OK
[40723][vldr] <= parent: updating DS
[40723][vldr] <= answer valid, OK
[60915][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[60915][plan] plan 'nic.cz.' type 'DNSKEY'
[ 5674][iter] 'nic.cz.' type 'DNSKEY' id was assigned, parent id 60915
[ 5674][cach] => satisfied by exact RRset: rank 060, new TTL 1713
[ 5674][iter] <= rcode: NOERROR
[ 5674][vldr] <= parent: updating DNSKEY
[ 5674][vldr] <= answer valid, OK
[29278][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[29278][resl] => query[29278][resl] => querying: '2001:678:f::1' score: 11 zone cut: 'nic.cz.' qname: 'BLa2.Nic.Cz.' qtype: 'A' proto: 'udp'
[29278][iter] <= rcode: NXDOMAIN
[29278][vldr] <= answer valid, OK
[29278][cach] => stashed 61irsbhhtmb5arro3jt924s607pojbnu.nic.cz. NSEC3, rank 060, 149 B total, incl. 1 RRSIGs
[29278][cach] => stashed 7cnkran8antk3fkqoiivftbr83c4fk16.nic.cz. NSEC3, rank 060, 141 B total, incl. 1 RRSIGs
[29278][cach] => stashed 038c9fesqq3ofr3cefq91hji5h3mq5mc.nic.cz. NSEC3, rank 060, 150 B total, incl. 1 RRSIGs
[29278][cach] => stashed nic.cz. SOA, rank 060, 159 B total, incl. 1 RRSIGs
[29278][cach] => nsec_p stash skipped (extra TTL: 88)
[29278][resl] <= server: '194.0.12.1' rtt: 169 ms
[ 0][resl] AD: request classified as SECURE
[29278][resl] finished: 4, queries: 3, mempool: 82000 B
[ 0][plan] plan 'bla2.nic.cz.' type 'A'
[24186][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[24186][cach] => no NSEC* cached for zone: cz.
[24186][zcut] found cut: cz. (rank 002 return codes: DS 0, DNSKEY 0)
[ 390][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[ 390][resl] => querying: '194.0.12.1' score: 90 zone cut: 'cz.' qname: 'NIc.cZ.' qtype: 'NS' proto: 'udp'
[ 390][resl] => querying: '2001:678:f::1' score: 90 zone cut: 'cz.' qname: 'NIc.cZ.' qtype: 'NS' proto: 'udp'
[ 390][iter] <= rcode: NOERROR
[ 390][iter] <= continuing with qname minimization
[ 390][resl] <= server: '194.0.12.1' rtt: 180 ms
[21470][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[21470][plan] plan 'nic.cz.' type 'DS'
[60687][iter] 'nic.cz.' type 'DS' id was assigned, parent id 21470
[60687][cach] => satisfied by exact RRset: rank 060, new TTL 3512
[60687][iter] <= rcode: NOERROR
[60687][vldr] <= DS: OK
[60687][vldr] <= parent: updating DS
[60687][vldr] <= answer valid, OK
[31813][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[31813][plan] plan 'nic.cz.' type 'DNSKEY'
[52521][iter] 'nic.cz.' type 'DNSKEY' id was assigned, parent id 31813
[52521][cach] => satisfied by exact RRset: rank 060, new TTL 1712
[52521][iter] <= rcode: NOERROR
[52521][vldr] <= parent: updating DNSKEY
[52521][vldr] <= answer valid, OK
[47111][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[47111][resl] => query[47111][resl] => querying: '194.0.14.1' score: 116 zone cut: 'nic.cz.' qname: 'bla2.Nic.cZ.' qtype: 'A' proto: 'udp'
[47111][iter] <= rcode: NXDOMAIN
[47111][vldr] <= answer valid, OK
[47111][cach] => stashed 61irsbhhtmb5arro3jt924s607pojbnu.nic.cz. NSEC3, rank 060, 149 B total, incl. 1 RRSIGs
[47111][cach] => stashed 7cnkran8antk3fkqoiivftbr83c4fk16.nic.cz. NSEC3, rank 060, 141 B total, incl. 1 RRSIGs
[47111][cach] => stashed 038c9fesqq3ofr3cefq91hji5h3mq5mc.nic.cz. NSEC3, rank 060, 150 B total, incl. 1 RRSIGs
[47111][cach] => stashed nic.cz. SOA, rank 060, 159 B total, incl. 1 RRSIGs
[47111][cach] => nsec_p stash skipped (extra TTL: 89)
[47111][resl] <= server: '2001:678:11::1' rtt: 157 ms
[ 0][resl] AD: request classified as SECURE
[47111][resl] finished: 4, queries: 3, mempool: 82000 B
```
When I clear the cache and restart the daemon, the caching sometimes works, but most of the time it doesn't. That's strange.
I was trying to test aggressive NSEC3 caching originally with bla3, bla4, bla5, ... bla10.nic.cz, but it doesn't seem to work even when I ask for the same name repeatedly, so I'm not sure what I am doing wrong.
cc @anb @pspacek @vcunat
2018 Q3, Vladimír Čunát (vladimir.cunat@nic.cz)

https://gitlab.nic.cz/knot/knot-resolver/-/issues/375
DNS64 should not perform synthesis for queries with CD and DO flags
2018-07-02T15:41:42+02:00, Ondřej Caletka

According to [RFC 6147, section 5.5, paragraph 3](https://tools.ietf.org/html/rfc6147#section-5.5), DNS64 synthesis MUST NOT be performed for queries with CD and DO flags (not to fool validating stub resolvers). Knot Resolver is not compliant with this requirement.
```
# dig ipv4only.arpa aaaa +cdflag +dnssec +short
64:ff9b::c000:aa
64:ff9b::c000:ab
```
Both BIND and Unbound DNS64 modules perform well:
```
# dig ipv4only.arpa aaaa +cdflag +dnssec +short
<empty>
```
2018 Q2, Vladimír Čunát (vladimir.cunat@nic.cz)

https://gitlab.nic.cz/knot/knot-resolver/-/issues/329
Daemon is leaking requests
2018-06-20T20:02:58+02:00, Marek Vavrusa

The server seems to be leaking requests since version 2.0. This is the graph of `worker.stats().concurrent` between restarts:
![Screen_Shot_2018-03-18_at_11.55.51_PM](/uploads/312ed5998f674b4cff442dc614744512/Screen_Shot_2018-03-18_at_11.55.51_PM.png)
This counter gets incremented every time a new task gets created https://gitlab.labs.nic.cz/knot/knot-resolver/blob/master/daemon/worker.c#L690 and decremented every time it gets freed, so that doesn't look right.
I managed to reproduce it:
1. Compile from latest master, start with no special configuration: `/usr/local/sbin/kresd -a 127.0.0.1#5354 -k root.keys`
2. Run dnsperf with the sample query data from https://www.nominum.com/measurement-tools/ for some time (~ 125651 queries) and stop it
3. Check `worker.stats()` in the console; it should drain to zero over time, but it stays at 5-20 concurrent queries forever
```
> worker.stats()
[rss] => 73400320
[pagefaults] => 5330
[concurrent_requests] => 18
[queries] => 125651
[systime] => 198.250469
[timeout] => 8186
[csw] => 151011
[swaps] => 0
[udp] => 156770
[dropped] => 0
[ipv6] => 50576
[concurrent] => 18
[tcp] => 1848
[ipv4] => 108042
[usertime] => 22.501294
```
(I added tracking of `worker->stats.rconcurrent` just to make sure it's the same as `worker->stats.concurrent`)
cc @anb @vendemiat
Marek Vavrusa

https://gitlab.nic.cz/knot/knot-resolver/-/issues/336
crash while processing malformed query with 0 question with OPT
2018-05-31T10:23:09+02:00, vendemiat

```
(gdb) bt
#0 knot_wire_is_pointer (pos=0x557aac60607c "\300\f") at ./libknot/packet/wire.h:901
#1 knot_wire_get_pointer (pos=0x557aac60607c "\300\f") at libknot/packet/wire.c:122
#2 0x00007f6bee68c105 in knot_wire_seek_label (wire=0x557aac605ff0 "", lp=<optimized out>) at ./libknot/packet/wire.h:910
#3 knot_wire_next_label (wire=0x557aac605ff0 "", lp=<optimized out>) at ./libknot/packet/wire.h:920
#4 knot_dname_labels (name=<optimized out>, pkt=0x557aac605ff0 "") at libknot/dname.c:781
#5 0x00007f6bee68e7e8 in knot_pkt_put (pkt=0x557aac5c9760, compr_hint=<optimized out>, rr=0x557aac5c9868, flags=<optimized out>)
at libknot/packet/pkt.c:563
#6 0x00007f6bee9254e9 in kr_resolve_finish () from /usr/local/lib/libkres.so.6
#7 0x0000557aa81ecb26 in ?? ()
#8 0x0000000000000106 in ?? ()
#9 0x0000557aac5c7eb0 in ?? ()
#10 0x0000000000000106 in ?? ()
#11 0x0000000000000008 in ?? ()
#12 0x00007f6beedad010 in ?? ()
#13 0x0000557aa81edae9 in ?? ()
#14 0x0000000000000000 in ?? ()
(gdb) f 5
#5 0x00007f6bee68e7e8 in knot_pkt_put (pkt=0x557aac5c9760,
compr_hint=<optimized out>, rr=0x557aac5c9868, flags=<optimized out>)
at libknot/packet/pkt.c:563
563 libknot/packet/pkt.c: No such file or directory.
(gdb) print pkt
$4 = (knot_pkt_t *) 0x557aac5c9760
(gdb) print *pkt
$5 = {wire = 0x557aac605ff0 "", size = 12, max_size = 65535, parsed = 0,
reserved = 0, qname_size = 0, rrset_count = 0, flags = 2,
opt_rr = 0x557aac5c9868, tsig_rr = 0x0, tsig_wire = {pos = 0x0, len = 0},
current = KNOT_ADDITIONAL, sections = {{pkt = 0x557aac5c9760, pos = 0,
count = 0}, {pkt = 0x557aac5c9760, pos = 0, count = 0}, {
pkt = 0x557aac5c9760, pos = 0, count = 0}}, rrset_allocd = 16,
rr_info = 0x557aac5c9898, rr = 0x557aac5c9ad8, mm = {ctx = 0x557aac5c7e40,
alloc = 0x557aa81faee0 <mp_alloc>, free = 0x0}, compr = {
wire = 0x557aac605ff0 "", rrinfo = 0x557aac5c9898, suffix = {pos = 12,
labels = 0 '\000'}}}
(gdb) print rr
$6 = (const knot_rrset_t *) 0x557aac5c9868
(gdb) print *rr
$7 = {owner = 0x557aac5c9860 "", type = 41, rclass = 1536, rrs = {
rr_count = 1, data = 0x557aac5c9890 ""}, additional = 0x0}
```
it shouldn't read qname if it's not there
https://github.com/CZ-NIC/knot/blob/master/src/libknot/packet/pkt.c#L522
cc @vavrusam @anb
Grigorii Demidov

https://gitlab.nic.cz/knot/knot-resolver/-/issues/334
knot-resolver 2.2.0 crashes when malformed response, which includes SIG record in authority section, is received.
2018-05-31T10:22:34+02:00, Toshifumi Sakaguchi

## Overview
Knot-resolver crashes when a malformed response is received from a malicious
authoritative server in my test environment.
Response from the authoritative server:
```
;; QUESTION SECTION:
;www.example.com. IN A
;; AUTHORITY SECTION:
www.example.com. 600 CH SIG A 1 3 3600 19700102034640 19700101135320 174 www.example.com. AQE.... snip ....
```
Message at crash:
```
# /usr/local/sbin/kresd -c /usr/local/etc/knot-resolver/kresd.conf
[system] interactive mode
> kresd: lib/cache/api.c:254: key_exact_type_maypkt: Assertion `!knot_rrtype_is_metatype(type)' failed.
Aborted
```
Please read README.md, which includes the reproduction steps.
[README.md](/uploads/1f87bb00d6ce354120772fc2d1f4dd60/README.md)
[test-files.tar.gz](/uploads/9633ee2f097827b3149758f4b886a0d7/test-files.tar.gz)
[test-tools.tar.gz](/uploads/22cb32ed448550be29e8f55a2d6994dc/test-tools.tar.gz)
2018 Q2, Vladimír Čunát (vladimir.cunat@nic.cz)

https://gitlab.nic.cz/knot/knot-resolver/-/issues/335
knot-resolver 2.2.0 segfault when malformed response, which has label "\000".
2018-05-31T10:16:51+02:00, Toshifumi Sakaguchi

## Overview
Knot-resolver crashes when a malformed response is received from a malicious
authoritative server in my test (fuzzing) environment.
Response from the authoritative server:
```
;; QUESTION SECTION:
;www.example.com. IN A
;; AUTHORITY SECTION:
www.example.com. 600 IN NS \000.example.com.
;; ADDITIONAL SECTION:
\000.example.com. 600 IN A 192.168.33.101
```
Message at crash:
```
# /usr/local/sbin/kresd -c /usr/local/etc/knot-resolver/kresd.conf
[system] interactive mode
> Segmentation fault
```
Debugger output:
```
# gdb /usr/local/sbin/kresd
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-100.el7_4.1
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/sbin/kresd...(no debugging symbols found)...done.
(gdb) run -c /usr/local/etc/knot-resolver/kresd.conf
Starting program: /usr/local/sbin/kresd -c /usr/local/etc/knot-resolver/kresd.conf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[system] interactive mode
>
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7947488 in knot_dname_lf () from /lib64/libknot.so.7
Missing separate debuginfos, use: debuginfo-install glibc-2.17-196.el7_4.2.x86_64 gmp-6.0.0-15.el7.x86_64 gnutls-3.3.26-9.el7.x86_64 knot-libs-2.6.5-1.el7.x86_64 libcap-ng-0.7.5-4.el7.x86_64 libffi-3.0.13-18.el7.x86_64 libgcc-4.8.5-16.el7_4.2.x86_64 libstdc++-4.8.5-16.el7_4.2.x86_64 libtasn1-4.10-1.el7.x86_64 libuv-1.10.2-1.el7.x86_64 lmdb-libs-0.9.18-1.el7.x86_64 luajit-2.0.4-3.el7.x86_64 nettle-2.7.1-8.el7.x86_64 p11-kit-0.23.5-3.el7.x86_64 zlib-1.2.7-17.el7.x86_64
(gdb) list
No symbol table is loaded. Use the "file" command.
(gdb) bt
#0 0x00007ffff7947488 in knot_dname_lf () from /lib64/libknot.so.7
#1 0x00007ffff7b7736f in peek_exact_real.isra.9 ()
from /usr/local/lib/libkres.so.7
#2 0x00007ffff7b8ea23 in kr_zonecut_find_cached ()
from /usr/local/lib/libkres.so.7
#3 0x00007ffff7b88aae in zone_cut_check () from /usr/local/lib/libkres.so.7
#4 0x00007ffff7b8a657 in kr_resolve_produce ()
from /usr/local/lib/libkres.so.7
#5 0x0000555555561c83 in qr_task_step ()
#6 0x000055555555c19a in udp_recv ()
#7 0x00007ffff72c2696 in uv__udp_io () from /lib64/libuv.so.1
#8 0x00007ffff72c42e8 in uv__io_poll () from /lib64/libuv.so.1
#9 0x00007ffff72b5db8 in uv_run () from /lib64/libuv.so.1
#10 0x000055555555bd19 in main ()
```
## Environment
### IP addresses of each server
* root DNS server: 192.168.33.100/24
* malicious authoritative server: 192.168.33.101/24
* victim full service resolver: 192.168.33.102/24
### OS and software of each server
#### root DNS server
* OS: CentOS 7.4 x86_64 on VirtualBox VM
* DNS: bind
#### Malicious authoritative server
* OS: CentOS 7.4 x86_64 on VirtualBox VM
#### victim full service resolver
* OS: CentOS 7.4 x86_64 on VirtualBox VM
* DNS: knot-resolver 2.2.0
## Environment setup steps
### root servers
Install CentOS 7.4 from install ISO image.
Set the VM's IP address to 192.168.33.100/24.
Set firewalld.
```
# firewall-cmd --zone=public --add-service=dns --permanent
# firewall-cmd --reload
```
Install Bind.
```
# yum install bind bind-utils
```
Upload and extract test-files.tar.gz
```
# cd /tmp
# tar xzf /path/to/test-files.tar.gz
```
Copy named.conf and root zone file.
```
# cp /tmp/test-files/root.named.conf /etc/named.conf
# cp /tmp/test-files/root.zone /var/named/root.zone
# chmod 644 /var/named/root.zone
```
Start named.
```
# systemctl start named
# systemctl enable named
```
### Malicious authoritative server
Install CentOS 7.4 from install ISO image.
Set IP address to 192.168.33.101/24.
Set firewalld.
```
# firewall-cmd --zone=public --add-service=dns --permanent
# firewall-cmd --reload
```
Install Build tools.
```
# yum install epel-release
# yum install gcc-c++ boost-devel wget perl yaml-cpp-devel bind-utils
# wget https://cmake.org/files/v3.10/cmake-3.10.0-Linux-x86_64.sh
# sh cmake-3.10.0-Linux-x86_64.sh --skip-license --prefix=/usr/local
```
Install openssl 1.0.1 from source file.
```
# wget https://www.openssl.org/source/openssl-1.1.0g.tar.gz
# tar xzf openssl-1.1.0g.tar.gz
# cd openssl-1.1.0g
# ./config
# make
# make install
```
Upload and extract test-tools.tar.gz.
```
# cd /tmp
# tar xzf /path/to/test-tools.tar.gz
# cd test-tools
# OPENSSL_ROOT_DIR=/usr/local/ssl cmake .
# make
```
Start DNS service foreground.
```
# ./bin/knot-dname_lf
```
Log in to the authoritative server from another terminal and check the response of knot-dname_lf there.
```
# dig @127.0.0.1 www.example.com a +norec
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> @127.0.0.1 www.example.com a +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44651
;; flags: qr aa ad cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.example.com. IN A
;; AUTHORITY SECTION:
www.example.com. 600 IN NS \000.example.com.
;; ADDITIONAL SECTION:
\000.example.com. 600 IN A 192.168.33.101
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Apr 04 01:10:59 JST 2018
;; MSG SIZE rcvd: 104
```
### victim full service resolver
Install CentOS 7.4 from install ISO image.
Set IP address to 192.168.33.102/24.
Install Build tools.
```
# yum install epel-release
# yum install gcc-c++ openssl-devel wget knot-devel bind-utils luajit-devel libuv-devel
```
Install knot-resolver.
```
# wget https://secure.nic.cz/files/knot-resolver/knot-resolver-2.2.0.tar.xz
# tar xJf knot-resolver-2.2.0.tar.xz
# cd knot-resolver-2.2.0
# make CFLAGS=-DNDEBUG
# make install
# echo /usr/local/lib > /etc/ld.so.conf.d/knot.conf
# ldconfig
```
Upload and extract test-files.tar.gz.
```
# cd /tmp
# tar xzf /path/to/test-files.tar.gz
```
Copy kresd.conf and hints file.
```
# cp /tmp/test-files/kresd.conf /usr/local/etc/knot-resolver
# cp /tmp/test-files/root.hints /usr/local/etc/knot-resolver
```
Start knot-resolver.
```
# mkdir -p /tmp/db
# cd /tmp/db
# rm -f * ; /usr/local/sbin/kresd -c /usr/local/etc/knot-resolver/kresd.conf
```
Log in to the victim full service resolver from another terminal and send queries to knot-resolver.
```
# sh -x /tmp/test-files/crash.sh
```
Check knot-resolver process.
```
# /usr/local/sbin/kresd -c /usr/local/etc/knot-resolver/kresd.conf
[system] interactive mode
> Segmentation fault
```
[test-files.tar.gz](/uploads/afe8c7be07dd8efdc28b28f28516509c/test-files.tar.gz)
[test-tools.tar.gz](/uploads/79014a2e4e99983e5662412c8d88a0d6/test-tools.tar.gz)

https://gitlab.nic.cz/knot/knot-resolver/-/issues/308
debian stretch PPA: systemd service doesn't have privileges to bind to well-known ports
2018-02-28T10:19:28+01:00, Ghost User

If I install the current knot-resolver package (1.5.0-1+0~20171112102149.11+stretch~1.gbp1554e1) from the project's debian repositories on an up-to-date debian stretch, I can't get it running because it can't bind to the configured interface addresses.
The problem is that the daemon is started as user knot-resolver by systemd. This user doesn't have permission to bind to the interface addresses and port configured in the config. Also, dropping privileges via the config doesn't work because there are no privileges to drop. This looks like a wrong default value for the user in the systemd config file. If this is on purpose, there should be a hint in the documentation and the default config file.
Tomas Krizek