Knot Resolver issues
https://gitlab.nic.cz/knot/knot-resolver/-/issues
2017-10-09T17:06:28+02:00

https://gitlab.nic.cz/knot/knot-resolver/-/issues/172
query name minimization does not work with partially bad glue records
2017-10-09T17:06:28+02:00
Petr Špaček

Let's have a zone which has incomplete glue records in delegation like this:
```
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
com. IN A
SECTION AUTHORITY
; This is the offending NS (it must be ignored)
com. IN NS x.gtld-servers.net.
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
x.gtld-servers.net. IN A 192.5.6.31
ENTRY_END
```
The server `x.gtld-servers.net.` is broken and returns REFUSED for all but NS queries. The other server `a.gtld-servers.net.` works.
kresd without query name minimization can handle it fine as it detects the `x` server as `bad` and moves on to the next server:
```
[ 0][plan] plan 'www.foo.com.' type 'A'
[55398][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[55398][resl] => using root hints
[39654][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[39654][resl] => querying: '193.0.14.129' score: 10 zone cut: '.' m12n: 'wWw.foO.cOM.' type: 'A' proto: 'udp'
[39654][iter] <= using glue for 'x.gtld-servers.net.': '192.5.6.31'
[39654][iter] <= referral response, follow
[39654][resl] <= server: '193.0.14.129' rtt: 6 ms
[30494][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[30494][resl] => querying: '192.5.6.31' score: 10 zone cut: 'com.' m12n: 'WWW.FoO.COM.' type: 'A' proto: 'udp'
[30494][iter] <= rcode: REFUSED
[30494][resl] <= server: '192.5.6.31' rtt: 1 ms
[18206][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[18206][resl] => querying: '192.5.6.31' score: 111 zone cut: 'com.' m12n: 'WWw.FOo.COm.' type: 'A' proto: 'udp'
[18206][iter] <= rcode: REFUSED
[18206][resl] <= server: '192.5.6.31' rtt: 1 ms
[57219][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[57219][resl] => querying: '192.5.6.31' score: 161 zone cut: 'com.' m12n: 'WwW.FoO.cOm.' type: 'A' proto: 'udp'
[57219][iter] <= rcode: REFUSED
[57219][resl] <= server: '192.5.6.31' rtt: 1 ms
[61022][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[61022][resl] => querying: '192.5.6.31' score: 186 zone cut: 'com.' m12n: 'wwW.fOO.COm.' type: 'A' proto: 'udp'
[61022][iter] <= rcode: REFUSED
[61022][resl] => server: '192.5.6.31' flagged as 'bad'
[54075][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[54075][plan] plan 'a.gtld-servers.net.' type 'AAAA'
[32802][iter] 'a.gtld-servers.net.' type 'AAAA' id was assigned, parent id 54075
[32802][resl] => using root hints
[61553][iter] 'a.gtld-servers.net.' type 'AAAA' id was assigned, parent id 54075
[61553][resl] => querying: '193.0.14.129' score: 11 zone cut: '.' m12n: 'A.gtld-SerVErS.nET.' type: 'AAAA' proto: 'udp'
[61553][iter] <= rcode: NOERROR
[61553][resl] <= server: '193.0.14.129' rtt: 2 ms
[30187][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[30187][plan] plan 'a.gtld-servers.net.' type 'A'
[27896][iter] 'a.gtld-servers.net.' type 'A' id was assigned, parent id 30187
[27896][resl] => using root hints
[34685][iter] 'a.gtld-servers.net.' type 'A' id was assigned, parent id 30187
[34685][resl] => querying: '193.0.14.129' score: 11 zone cut: '.' m12n: 'A.gtLd-SErVeRs.nET.' type: 'A' proto: 'udp'
[34685][iter] <= rcode: NOERROR
[30187][iter] <= using glue for 'a.gtld-servers.net.': '192.5.6.30'
[34685][resl] <= server: '193.0.14.129' rtt: 2 ms
[14390][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[14390][resl] => querying: '192.5.6.30' score: 10 zone cut: 'com.' m12n: 'WWW.foo.cOm.' type: 'A' proto: 'udp'
[14390][iter] <= referral response, follow
[14390][resl] <= server: '192.5.6.30' rtt: 1 ms
[14916][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[14916][plan] plan 'a.gtld-servers.net.' type 'AAAA'
[24215][iter] 'a.gtld-servers.net.' type 'AAAA' id was assigned, parent id 14916
[24215][resl] => using root hints
[45906][iter] 'a.gtld-servers.net.' type 'AAAA' id was assigned, parent id 14916
[45906][resl] => querying: '193.0.14.129' score: 11 zone cut: '.' m12n: 'A.gTld-SeRVErS.nET.' type: 'AAAA' proto: 'udp'
[45906][iter] <= rcode: NOERROR
[45906][resl] <= server: '193.0.14.129' rtt: 2 ms
[57675][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[57675][plan] plan 'a.gtld-servers.net.' type 'A'
[21748][iter] 'a.gtld-servers.net.' type 'A' id was assigned, parent id 57675
[21748][ rc ] => satisfied from cache
[21748][iter] <= rcode: NOERROR
[57675][iter] <= using glue for 'a.gtld-servers.net.': '192.5.6.30'
[49536][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[49536][resl] => querying: '192.5.6.30' score: 11 zone cut: 'www.foo.com.' m12n: 'WwW.fOo.CoM.' type: 'A' proto: 'udp'
[49536][iter] <= rcode: NOERROR
[49536][resl] <= server: '192.5.6.30' rtt: 1 ms
```
Unfortunately kresd does not move to the next server if query minimization is enabled:
```
[ 0][plan] plan 'www.foo.com.' type 'A'
[ 6555][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[ 6555][resl] => using root hints
[39232][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[39232][resl] => querying: '193.0.14.129' score: 10 zone cut: '.' m12n: 'coM.' type: 'NS' proto: 'udp'
[39232][iter] <= using glue for 'x.gtld-servers.net.': '192.5.6.31'
[39232][iter] <= referral response, follow
[39232][resl] <= server: '193.0.14.129' rtt: 7 ms
[17873][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[17873][resl] => querying: '192.5.6.31' score: 10 zone cut: 'com.' m12n: 'FoO.Com.' type: 'NS' proto: 'udp'
[17873][iter] <= using glue for 'x.gtld-servers.net.': '192.5.6.31'
[17873][iter] <= referral response, follow
[17873][resl] <= server: '192.5.6.31' rtt: 4 ms
[ 8362][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[ 8362][resl] => querying: '192.5.6.31' score: 11 zone cut: 'foo.com.' m12n: 'Www.fOo.cOM.' type: 'A' proto: 'udp'
[ 8362][iter] <= rcode: REFUSED
[ 8362][resl] <= server: '192.5.6.31' rtt: 3 ms
[ 6889][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[ 6889][resl] => querying: '192.5.6.31' score: 111 zone cut: 'foo.com.' m12n: 'WWw.fOO.cOm.' type: 'A' proto: 'udp'
[ 6889][iter] <= rcode: REFUSED
[ 6889][resl] <= server: '192.5.6.31' rtt: 2 ms
[43963][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[43963][resl] => querying: '192.5.6.31' score: 161 zone cut: 'foo.com.' m12n: 'Www.FOo.cOM.' type: 'A' proto: 'udp'
[43963][iter] <= rcode: REFUSED
[43963][resl] <= server: '192.5.6.31' rtt: 2 ms
[60355][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[60355][resl] => querying: '192.5.6.31' score: 186 zone cut: 'foo.com.' m12n: 'WWw.foo.COm.' type: 'A' proto: 'udp'
[60355][iter] <= rcode: REFUSED
[60355][resl] => server: '192.5.6.31' flagged as 'bad'
[26974][iter] 'www.foo.com.' type 'A' id was assigned, parent id 0
[26974][resl] => no valid NS left
```
Versions
-----------
Kresd: f9352bee195996c65bb764ec0ba3a2ad7683824d
This is covered by (fixed) test sets/resolver/iter_ns_badglue.rpl from commit deckard@ebcc8b59c29652af83266abbae6e5ae512e66f45 (temporary branch iter_ns_badglue).

https://gitlab.nic.cz/knot/knot-resolver/-/issues/171
positive answer can be masked out using SOA+RRSIG
2017-04-04T10:36:10+02:00
Petr Špaček

Let's have the following signed DNS zone:
```
nsec.example. 3600 IN NS ns.nsec.example.
nsec.example. 3600 IN SOA ns.nsec.example. root.nsec.example. 6 60 60 120 3600
ns.nsec.example. 3600 IN A 192.0.2.3
*.nsec.example. 3600 IN A 10.6.6.6
```
An attacker is able to copy SOA+RRSIG SOA records and use these to create a fake NODATA answer for query `missing-nsec-masked-data.local.nsec.example. IN A`:
```
missing-nsec-masked-data.local.nsec.example. IN A
SECTION ANSWER
nsec.example. 3600 IN SOA ns.nsec.example. root.nsec.example. 6 60 60 120 3600
nsec.example. 3600 IN RRSIG SOA 8 2 3600 20170419140236 20170320140236 41524 nsec.example. gZCIxxFWL04vgzuNbZYq3Ghb7OZsZCp1WCcByM602yEgf0IUk8KSqkol pTe
m3IXQELhFTzbddGFV3Cis5MxZq8XjNbSwXelbUkOkKE4EzDcpldtR yqGnp+ZdZhBrymZvS8dOhwOGllF6AobXx7iFHaY7wtC17XvODduxOBdV mQ/t2QDUnl+Io3s1KfDRf4e22WvtatlQNr9NW+PueeGtGhEdDeyR7VMA fxE
qL6Lds7NWN7DPKfsCVgUNkwHzy9opQ64AyVyQAmwRohuon652jKiu MbvJ1vaLxJLeDBnnT3hbMrI/CIfmjqucSOgM9JNXXggIcfBxok5Ze2R5 SL35VA==
ENTRY_END
```
This passes validation in `kresd`:
```
Exception: sets/resolver/nsec_wildcard_no_data_response.rpl step 21 line 269, "flags": expected 'QR RD RA', got 'QR RD RA AD' in the response:
id 1063
opcode QUERY
rcode NOERROR
flags QR RD RA AD
edns 0
eflags DO
payload 4096
;QUESTION
missing-nsec-nodata.local.nsec.example. IN CNAME
;ANSWER
;AUTHORITY
;ADDITIONAL
```
- kresd: 4a037c10cf3389e6bc2c169978d7eaa8e74922f5
- test: deckard@618ecf14186a67e0205cee3770c335ca0ef751b2 sets/resolver/nsec_wildcard_no_data_response.rpl

1.2.5
2017-03-21

https://gitlab.nic.cz/knot/knot-resolver/-/issues/170
wildcard answer can be used to mask explicit answers from the same range
2017-04-04T10:33:36+02:00
Petr Špaček

There is a bug in wildcard proof validation. Let's suppose we have a DNS zone with the following records:
- *.nsec.example. 3600 IN A 10.6.6.6
- explicita.nsec.example. 3600 IN A 203.0.113.1
- explicita2.nsec.example. 3600 IN A 203.0.113.2
Right now an attacker is able to fool `kresd` using this technique:
- query for `a.local.nsec.example. IN A`
- modify obtained answer: rename owner name `a.local.nsec.example.` to `explicita2.nsec.example.`
- return this modified answer to queries for `explicita2.nsec.example.`
Observed results:
- `kresd` 91dd2c6da506894b48cb3a83a2517faab75efadc returns `NOERROR` answer with `AD` flag set.
- `unbound-1.5.10-1.fc25.x86_64` detects this and answers with `SERVFAIL`
Work-in-progress test is available in deckard@247687632ebdf1ac934e0992500fc00e745c5d73 sets/resolver/nsec_wildcard_answer_response.rpl.

1.2.5
2017-03-20

https://gitlab.nic.cz/knot/knot-resolver/-/issues/161
Answer to query going through chain of CNAMEs contains duplicate records in AUTHORITY section
2017-04-04T10:33:36+02:00
Petr Špaček

Answer to query going through chain of CNAMEs contains duplicate records in `AUTHORITY` section.
Example of such answer:
```
;QUESTION
start.example.com. IN A
;ANSWER
start.example.com. 3600 IN CNAME x.y.z.wc.example.com.
start.example.com. 3600 IN RRSIG CNAME 8 3 3600 20121126123316 20121029123316 64050 example.com. LHpx5n++Z0Jgjjalac+e7wdYSbfurqSD pLRAOI1PybTJkwrMvgDKfp0ycT4HwsLV y7spumZ/Ahg/5II9pai7jCiqv1Iyh6fx 19ZVeClTFMOLotCK8xMHACYJIY39BhTw D2D3r9BxbK+RopUlXypwV02yzdY2xEnP CBJVDUn5d0g=
x.y.z.wc.example.com. 3600 IN CNAME x.y.z.end.example.com.
x.y.z.wc.example.com. 3600 IN RRSIG CNAME 8 3 3600 20121126123316 20121029123316 64050 example.com. BCnT6CIuqvF1U9LfiHIovgvXIVFJsCXq QWmnjHtbFvzUlTlfGj+56YBSOEpyCep4 CBJ0CBgZ8gl5kWip8N+sTlveU/UWMv4F AkqLXRYjp4CZegslmJIuXU5uS+Q0GlLb WdSB9ZCZcbbO0qrOtUfrJ2ozcSTCS+D+ oIZ+CkwvDlQ=
x.y.z.end.example.com. 3600 IN A 1.2.3.5
x.y.z.end.example.com. 3600 IN RRSIG A 8 3 3600 20121126123249 20121029123249 64050 example.com. MyXXd3MvXtEYVNqWDepM3+Ra/j/b63Qe hzSHXZe5gL954WxW8KGHPYmeWyhDtruT hpZS6s6jeARY2xt0lmEDnMgNyPJGA6UW wTIgvGD0u9Qw5kocCq3ZH4cSG4xu4rmZ oi+h8OGrHxUb4jIKzipzAQDxhnAcp/wK F7e+p+OE+Fo=
;AUTHORITY
isjq5aarcp8p5sukc56g961cccjus5u2.example.com. 86400 IN NSEC3 1 0 1 abcd isoaarjsq14bkqaamivn1t1milkv95lc A RRSIG
isjq5aarcp8p5sukc56g961cccjus5u2.example.com. 86400 IN RRSIG NSEC3 8 3 86400 20121126123259 20121029123259 64050 example.com. Cxwzq1DUQvhkTVHEJHlb92c511Y+uJy/ C0yL9br6W/5lB/usuSiK2DjW58ibPh2k LH1P3SpGqd1Y7LigptdXoPBDFakcNcim PWCN93R3J80+vrHHPkPyIsBaywwYI3SN GgfnHfPF+wmH+tZ1vfEHbigOxqPFK+T0 ntKq7dkSndg=
a61sejfu6am5a36p628t4s089s309o44.example.com. 86400 IN NSEC3 1 0 1 abcd a64lt5ij9a1up15h5cdsn1u2071901hu A RRSIG
a61sejfu6am5a36p628t4s089s309o44.example.com. 86400 IN RRSIG NSEC3 8 3 86400 20121126123315 20121029123315 64050 example.com. gfBu4oqo9cVxJbqrw2Ly7mK638kGPOF8 l8eh7ovalniwkU3F+PNYJyfSE9yGX8tM GbXrkEW9mAzAh39igr2+Bbzi9WPTRp4R DVM0qw+eyMmQRPWKt7FeanDtP+OcdVp0 Hf2aPzsgmgTdS6s0AboUq1rX53H2M6F8 xAiwPrBJXDQ=
example.com. 3600 IN NS ns.example.com.
example.com. 3600 IN RRSIG NS 8 2 3600 20121126123249 20121029123249 64050 example.com. cpLjgKPacNxVIGo59tYMZ98GVYpH28WH RWj3AeIHK0StYFcAlflGLdkae1LEgMwf UmzrayrA5GMe3AH8LyuTgA2Dn1oNFxGf uShQvK2MFQ+LxvQfiuoqlAlL5Aa94IWc SoU/wLrr66I1K8oSB2yK1Tyyv73c2N40 D1mBbzIE70U=
a61sejfu6am5a36p628t4s089s309o44.example.com. 86400 IN NSEC3 1 0 1 abcd a64lt5ij9a1up15h5cdsn1u2071901hu A RRSIG
a61sejfu6am5a36p628t4s089s309o44.example.com. 86400 IN RRSIG NSEC3 8 3 86400 20121126123315 20121029123315 64050 example.com. gfBu4oqo9cVxJbqrw2Ly7mK638kGPOF8 l8eh7ovalniwkU3F+PNYJyfSE9yGX8tM GbXrkEW9mAzAh39igr2+Bbzi9WPTRp4R DVM0qw+eyMmQRPWKt7FeanDtP+OcdVp0 Hf2aPzsgmgTdS6s0AboUq1rX53H2M6F8 xAiwPrBJXDQ=
example.com. 3600 IN NS ns.example.com.
example.com. 3600 IN RRSIG NS 8 2 3600 20121126123249 20121029123249 64050 example.com. cpLjgKPacNxVIGo59tYMZ98GVYpH28WH RWj3AeIHK0StYFcAlflGLdkae1LEgMwf UmzrayrA5GMe3AH8LyuTgA2Dn1oNFxGf uShQvK2MFQ+LxvQfiuoqlAlL5Aa94IWc SoU/wLrr66I1K8oSB2yK1Tyyv73c2N40 D1mBbzIE70U=
;ADDITIONAL
```
Please note duplicate `example.com. 3600 IN NS ns.example.com.` and associated `RRSIG`/`NSEC3` records.
Reproducer:
- Use kresd b9c99804d0a02cbeec1b5114c4f9875c65a7e5e2
- Use test `sets/resolver/val_nsec3_cnametocnamewctoposwc.rpl` from Deckard@9a70ab63db0ec8a5220b04ab5152ab2215e1206a.
- run test as `rm -f /tmp/pcap && SOCKET_WRAPPER_PCAP_FILE=/tmp/pcap TESTS=sets/resolver/val_nsec3_cnametocnamewctoposwc.rpl MAKEFLAGS="-j1" ./kresd_run.sh`
- check `AUTHORITY` section in the last DNS packet of `/tmp/pcap`
(ignore duplicate packets in the pcap, IMHO this is not caused by `kresd`)

https://gitlab.nic.cz/knot/knot-resolver/-/issues/160
If an authoritative server returns invalid RRType in the answer, kresd goes along
2017-04-05T12:12:44+02:00
Ondřej Surý

GitBook CDN returns A record on any query (now at least limited to A and AAAA), and IPv4 is now fine:
```
ondrej@komorebi:~/Projects/knot-resolver (master)$ dig +dnssec +multi +time=60 +retry=1 -p 50168 @::1 cdn.gitbook.com.
; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec +multi +time=60 +retry=1 -p 50168 @::1 cdn.gitbook.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33743
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;cdn.gitbook.com. IN A
;; ANSWER SECTION:
cdn.gitbook.com. 3600 IN A 95.85.1.232
;; Query time: 880 msec
;; SERVER: ::1#50168(::1)
;; WHEN: Mon Feb 20 11:09:56 CET 2017
;; MSG SIZE rcvd: 60
```
But AAAA query returns `A` record which is invalid for this type of query.
```
ondrej@komorebi:~/Projects/knot-resolver (master)$ dig +dnssec +multi +time=60 +retry=1 -p 50168 @::1 IN AAAA cdn.gitbook.com.
; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec +multi +time=60 +retry=1 -p 50168 @::1 IN AAAA cdn.gitbook.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55917
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;cdn.gitbook.com. IN AAAA
;; ANSWER SECTION:
cdn.gitbook.com. 3600 IN A 95.85.1.232
;; Query time: 110 msec
;; SERVER: ::1#50168(::1)
;; WHEN: Mon Feb 20 11:11:22 CET 2017
;; MSG SIZE rcvd: 60
```
@pspacek Could you write tests with @sbalazik or @ikrumlova?

1.3.0 release
Ivana Krumlova

https://gitlab.nic.cz/knot/knot-resolver/-/issues/151
trust anchor bootstrap does not work: [vldr] bad keys, broken trust chain
2017-04-05T11:53:40+02:00
Petr Špaček

Something weird happens when attempting TA bootstrap:
~~~
rm -f *.mdb /tmp/root.keys && kresd -a 127.0.0.1#5353 -v -k /tmp/root.keys
==9656== Memcheck, a memory error detector
==9656== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==9656== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==9656== Command: kresd -a 127.0.0.1#5353 -v -k /tmp/root.keys
==9656==
[ ta ] keyfile '/tmp/root.keys': doesn't exist, bootstrapping
[ ta ] warning: root anchor bootstrapped, you SHOULD check the key manually, see: https://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.html#sigs
[system] interactive mode
> [ 0][plan] plan '.' type 'DNSKEY'
[51149][iter] '.' type 'DNSKEY' id was assigned, parent id 0
[51149][resl] => using root hints
[64772][iter] '.' type 'DNSKEY' id was assigned, parent id 0
[64772][resl] => querying: '2001:dc3::35' score: 10 zone cut: '.' m12n: '.' type: 'DNSKEY' proto: 'udp'
[64772][resl] => querying: '202.12.27.33' score: 10 zone cut: '.' m12n: '.' type: 'DNSKEY' proto: 'udp'
[64772][iter] <= rcode: NOERROR
[64772][vldr] <= bad keys, broken trust chain
[ 0][resl] finished: 8, queries: 0, mempool: 81952 B
[ ta ] active refresh failed, rcode: 2
[ ta ] next refresh: 86400000
[ 0][plan] plan '.' type 'NS'
[23829][iter] '.' type 'NS' id was assigned, parent id 0
[23829][resl] => using root hints
[ 3535][iter] '.' type 'NS' id was assigned, parent id 0
[ 3535][plan] plan '.' type 'DNSKEY'
[34898][iter] '.' type 'DNSKEY' id was assigned, parent id 3535
[34898][resl] => querying: '2001:dc3::35' score: 10 zone cut: '.' m12n: '.' type: 'DNSKEY' proto: 'udp'
[34898][resl] => querying: '202.12.27.33' score: 10 zone cut: '.' m12n: '.' type: 'DNSKEY' proto: 'udp'
[34898][iter] <= rcode: NOERROR
[34898][vldr] <= bad keys, broken trust chain
[ 0][resl] finished: 8, queries: 0, mempool: 81952 B
~~~
The important (and weird) part seems to be:
~~~
[34898][iter] <= rcode: NOERROR
[34898][vldr] <= bad keys, broken trust chain
~~~
Huh? Is validator running before the bootstrap is finished?
In any case, the bootstrap fails because of this and the `kresd` is returning `SERVFAIL` for all the queries.
Affected version: fd84f602b002936c82414f20f9940ad803eaff37

1.2.2 patch release
Vladimír Čunát vladimir.cunat@nic.cz

https://gitlab.nic.cz/knot/knot-resolver/-/issues/144
unsigned zone with bare CNAME pointing to signed zone yields AD flag set
2017-04-04T10:33:36+02:00
Petr Špaček

* zone `nic.mx` is not signed.
* zone `nicmexico.mx` is signed.
* `www.nic.mx.` is CNAME to `nicmexico.mx`
* depending on upstream answer to query `nicmexico.mx IN A`, the answer from kresd may or may not have AD flag set
Reproducer is in test https://gitlab.labs.nic.cz/knot/deckard/commit/372ecb456d2516cbb1916e42485ed5846a98c3e0.
Expected result:
~~~
STEP 10 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.nic.mx. IN A
ENTRY_END
STEP 11 CHECK_ANSWER
ENTRY_BEGIN
MATCH flags rcode question answer
REPLY QR RD RA DO NOERROR
SECTION QUESTION
www.nic.mx. IN A
SECTION ANSWER
www.nic.mx. 300 IN CNAME www.nicmexico.mx.
www.nicmexico.mx. 171139 IN A 200.94.180.57
www.nicmexico.mx. 171139 IN A 200.94.180.56
www.nicmexico.mx. 171139 IN A 200.94.180.54
www.nicmexico.mx. 171139 IN A 200.94.180.55
www.nicmexico.mx. 171139 IN RRSIG A 7 3 172800 20170221235959 20161221161902 14618 nicmexico.mx. s3THv+Ay2WrcOTG6bo+54Zc/rff/jhzcJKZ3ZRYMXhw3FToSvTOSqsIG1gzW/Sk6r2oikHH3nNluaMTAXfCULu2mHiQVAuFlnajFSMPcm8KvEyV0cCT7knkAFqb+ODkimPMufRHiOLbnhQk9/A25qK7J8rCB76IUmzk41hYRNBU=
ENTRY_END
~~~

1.2.0 release
Grigorii Demidov

https://gitlab.nic.cz/knot/knot-resolver/-/issues/142
Resolution of `726170696473736c2d63726c.67656f7472757374.636f6d.80hc70747be.webcfs00.com. IN MX` "fails" with NXDOMAIN
2017-04-04T10:33:36+02:00
Ondřej Surý

CDNs are broken. This is our most desperate hour. Help me, Obi-Wan Kenobi. You're my only hope.
```
[ 0][plan] plan '726170696473736c2d63726c.67656f7472757374.636f6d.80hc70747be.webcfs00.com.' type 'MX'
[58623][iter] '726170696473736c2d63726c.67656f7472757374.636f6d.80hc70747be.webcfs00.com.' type 'MX' id was assigned, parent id 0
[58623][resl] => using root hints
[25279][iter] '726170696473736c2d63726c.67656f7472757374.636f6d.80hc70747be.webcfs00.com.' type 'MX' id was assigned, parent id 0
[25279][plan] plan '.' type 'DNSKEY'
[60831][iter] '.' type 'DNSKEY' id was assigned, parent id 25279
[60831][resl] => querying: '2001:dc3::35' score: 10 zone cut: '.' m12n: '.' type: 'DNSKEY' proto: 'udp'
[60831][iter] <= rcode: NOERROR
[60831][vldr] <= parent: updating DNSKEY
[60831][vldr] <= answer valid, OK
[60831][resl] <= server: '2001:dc3::35' rtt: 19 ms
[33422][iter] '726170696473736c2d63726c.67656f7472757374.636f6d.80hc70747be.webcfs00.com.' type 'MX' id was assigned, parent id 0
[33422][resl] => querying: '2001:500:9f::42' score: 10 zone cut: '.' m12n: 'coM.' type: 'NS' proto: 'udp'
[33422][iter] <= using glue for 'a.gtld-servers.net.': '192.5.6.30'
[33422][iter] <= using glue for 'a.gtld-servers.net.': '2001:503:a83e::2:30'
[33422][iter] <= using glue for 'b.gtld-servers.net.': '192.33.14.30'
[33422][iter] <= using glue for 'b.gtld-servers.net.': '2001:503:231d::2:30'
[33422][iter] <= using glue for 'c.gtld-servers.net.': '192.26.92.30'
[33422][iter] <= using glue for 'd.gtld-servers.net.': '192.31.80.30'
[33422][iter] <= using glue for 'e.gtld-servers.net.': '192.12.94.30'
[33422][iter] <= using glue for 'f.gtld-servers.net.': '192.35.51.30'
[33422][iter] <= using glue for 'g.gtld-servers.net.': '192.42.93.30'
[33422][iter] <= using glue for 'h.gtld-servers.net.': '192.54.112.30'
[33422][iter] <= using glue for 'i.gtld-servers.net.': '192.43.172.30'
[33422][iter] <= using glue for 'j.gtld-servers.net.': '192.48.79.30'
[33422][iter] <= using glue for 'k.gtld-servers.net.': '192.52.178.30'
[33422][iter] <= using glue for 'l.gtld-servers.net.': '192.41.162.30'
[33422][iter] <= using glue for 'm.gtld-servers.net.': '192.55.83.30'
[33422][iter] <= referral response, follow
[33422][vldr] <= DS: OK
[33422][vldr] <= answer valid, OK
[33422][resl] <= server: '2001:500:9f::42' rtt: 2 ms
[61984][iter] '726170696473736c2d63726c.67656f7472757374.636f6d.80hc70747be.webcfs00.com.' type 'MX' id was assigned, parent id 0
[61984][plan] plan 'com.' type 'DNSKEY'
[34645][iter] 'com.' type 'DNSKEY' id was assigned, parent id 61984
[34645][resl] => querying: '192.55.83.30' score: 10 zone cut: 'com.' m12n: 'cOM.' type: 'DNSKEY' proto: 'udp'
[34645][iter] <= rcode: NOERROR
[34645][vldr] <= parent: updating DNSKEY
[34645][vldr] <= answer valid, OK
[34645][resl] <= server: '192.55.83.30' rtt: 34 ms
[38918][iter] '726170696473736c2d63726c.67656f7472757374.636f6d.80hc70747be.webcfs00.com.' type 'MX' id was assigned, parent id 0
[38918][resl] => querying: '192.41.162.30' score: 10 zone cut: 'com.' m12n: 'WEbCfs00.cOm.' type: 'NS' proto: 'udp'
[38918][iter] <= using glue for 'ns01.webcfs00.com.': '204.212.170.100'
[38918][iter] <= using glue for 'ns02.webcfs00.com.': '204.212.170.105'
[38918][iter] <= referral response, follow
[38918][vldr] <= DS doesn't exist, going insecure
[38918][vldr] <= answer valid, OK
[38918][resl] <= server: '192.41.162.30' rtt: 116 ms
[65055][iter] '726170696473736c2d63726c.67656f7472757374.636f6d.80hc70747be.webcfs00.com.' type 'MX' id was assigned, parent id 0
[65055][resl] => querying: '204.212.170.105' score: 10 zone cut: 'webcfs00.com.' m12n: '80Hc70747bE.weBCFS00.cOm.' type: 'NS' proto: 'udp'
[65055][iter] <= rcode: NOERROR
[65055][iter] <= found cut, retrying with non-minimized name
[65055][resl] <= server: '204.212.170.105' rtt: 171 ms
[ 7523][iter] '726170696473736c2d63726c.67656f7472757374.636f6d.80hc70747be.webcfs00.com.' type 'MX' id was assigned, parent id 0
[ 7523][resl] => querying: '204.212.170.100' score: 10 zone cut: 'webcfs00.com.' m12n: '726170696473736c2d63726c.67656f7472757374.636F6d.80Hc70747BE.weBCFS00.com.' type: 'MX' proto: 'udp'
[ 7523][iter] <= rcode: NXDOMAIN
[ 7523][ pc ] => answer cached for TTL=5
[ 7523][resl] <= server: '204.212.170.100' rtt: 179 ms
[ 0][resl] finished: 4, queries: 3, mempool: 164000 B
```
Compare:
```
$ dig +multi +time=60 +retry=1 @204.212.170.100 726170696473736c2d63726C.67656f7472757374.636f6d.80hc70747be.webcfs00.com. IN MX
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 36386
;; Flags: qr aa; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; QUESTION SECTION:
;; 726170696473736c2d63726C.67656f7472757374.636f6d.80hc70747be.webcfs00.com. IN MX
;; ANSWER SECTION:
726170696473736c2d63726C.67656f7472757374.636f6d.80hc70747be.webcfs00.com. 84600 IN MX 4144 f.1b0f0000.a.f.726170696473736c2d63726C.67656f7472757374.636f6d.80hc70747be.webcfs00.com.
;; ADDITIONAL SECTION:
f.1b0f0000.a.f.726170696473736c2d63726C.67656f7472757374.636f6d.80hc70747be.webcfs00.com. 84600 IN A 204.212.170.105
;; Received 138 B
;; Time 2017-01-24 13:53:52 CET
;; From 204.212.170.100@53(UDP) in 170.6 ms
```
vs
```
$ dig +dnssec +multi +time=60 +retry=1 @204.212.170.100 726170696473736c2d63726c.67656f7472757374.636f6d.80hc70747be.webcfs00.com. IN MX
;; ERROR: malformed reply packet from 204.212.170.100@53(UDP)
```

1.2.2 patch release

https://gitlab.nic.cz/knot/knot-resolver/-/issues/154
predict module can get stuck
2017-12-17T01:10:18+01:00
Vladimír Čunát vladimir.cunat@nic.cz

Refs:
- https://lists.nic.cz/pipermail/knot-dns-users/2017-February/001050.html
- https://gitter.im/CZ-NIC/knot-resolver?at=585e7766c895451b751765fd

1.3.x

https://gitlab.nic.cz/knot/knot-resolver/-/issues/153
support forwarding to kresd so DNSSEC validation can work
2019-09-13T17:17:15+02:00
Petr Špaček

In cases when `kresd` is run without a configured trust anchor it strips DNSSEC records (like `RRSIG`). It also happens if kresd thinks that particular zone is insecure.
This breaks any validator using this non-validating `kresd` as a forwarder, and also cases where a validating client has a different set of trust anchors than the kresd it forwards to.
Affected version: 96d29c0e91d161ad6e50d96d0be2c647af08f120
~~~
# rm *.mdb && sudo kresd -v &
# dig @127.0.0.1 +dnssec .
[ 0][plan] plan '.' type 'A'
[12071][iter] '.' type 'A' id was assigned, parent id 0
[12071][resl] => using root hints
[15848][iter] '.' type 'A' id was assigned, parent id 0
[15848][resl] => querying: '2001:dc3::35' score: 10 zone cut: '.' m12n: '.' type: 'A' proto: 'udp'
[15848][resl] => querying: '202.12.27.33' score: 10 zone cut: '.' m12n: '.' type: 'A' proto: 'udp'
[15848][iter] <= rcode: NOERROR
[15848][ pc ] => answer cached for TTL=900
[15848][resl] <= server: '2001:dc3::35' rtt: >=285 ms
[15848][resl] <= server: '202.12.27.33' rtt: 35 ms
[ 0][resl] finished: 4, queries: 1, mempool: 16400 B
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41638
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;. IN A
;; AUTHORITY SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2017020600 1800 900 604800 86400
;; Query time: 286 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Po úno 06 12:20:15 CET 2017
;; MSG SIZE rcvd: 103
~~~
Further inspection in Wireshark showed that `DO` bit is received by `kresd` but not set in queries to upstream servers.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/150
unable to quit() daemon with multiple forks
2017-12-17T01:10:18+01:00
Petr Špaček

When running multiple forks, e.g. `kresd -f 2`, calling the `quit()` function on one of the control sockets leads to an infinite loop:
~~~
tty1$ kresd -f 2
~~~
~~~
tty2$ echo 'quit()' | socat - unix-client:tty/21894
~~~
~~~
tty1$ kresd -f 2
[system] ipc: File exists
[system] ipc: File exists
[system] ipc: File exists
[system] ipc: File exists
[system] ipc: File exists
[system] ipc: File exists
[system] ipc: File exists
[system] ipc: File exists
[system] ipc: File exists
[system] ipc: File exists
[system] ipc: File exists
[system] ipc: File exists
...
~~~
One of the processes terminates successfully but the other one ends up in an infinite loop.
Backtrace from the cycling process:
~~~
#0 0x00007f7073b78c30 in __write_nocancel () at ../sysdeps/unix/syscall-template.S:84
#1 0x00007f7073afba57 in _IO_new_file_write (f=0x7f7073e42500 <_IO_2_1_stderr_>, data=0x7ffccc738460, n=26) at fileops.c:1271
#2 0x00007f7073afc368 in new_do_write (to_do=<optimized out>, data=0x7ffccc738460 "[system] ipc: File exists\n", fp=0x7f7073e42500 <_IO_2_1_stderr_>) at fileops.c:526
#3 _IO_new_file_xsputn (f=0x7f7073e42500 <_IO_2_1_stderr_>, data=<optimized out>, n=26) at fileops.c:1350
#4 0x00007f7073ad1a45 in buffered_vfprintf (s=0x7f7073e42500 <_IO_2_1_stderr_>, format=<optimized out>, args=<optimized out>) at vfprintf.c:2346
#5 0x00007f7073acebf5 in _IO_vfprintf_internal (s=0x7f7073e42500 <_IO_2_1_stderr_>, format=0x558653b144fa "[system] ipc: %s\n", ap=ap@entry=0x7ffccc73a9f8)
at vfprintf.c:1293
#6 0x00007f7073ad7677 in __fprintf (stream=<optimized out>, format=<optimized out>) at fprintf.c:32
#7 0x0000558653b0bf9c in ipc_activity (handle=0x55865560d1e0, status=0, events=1) at daemon/main.c:221
#8 0x00007f7074f84938 in uv.io_poll () from /lib64/libuv.so.1
#9 0x00007f7074f762d4 in uv_run () from /lib64/libuv.so.1
#10 0x0000558653b0c621 in run_worker (loop=0x7f707518f220, engine=0x7ffccc73dfa0, ipc_set=0x7ffccc73e1a0, leader=false, control_fd=-1) at daemon/main.c:367
#11 0x0000558653b0da83 in main (argc=3, argv=0x7ffccc73e568) at daemon/main.c:692
~~~
The problem apparently comes from `ipc_readall()`:
~~~
#0 ipc_readall (fd=10, dst=0x7ffccc73aaf4 "", len=4) at daemon/main.c:169
#1 0x0000558653b0bda4 in ipc_activity (handle=0x55865560d1e0, status=0, events=1) at daemon/main.c:189
#2 0x00007f7074f84938 in uv__io_poll (loop=loop@entry=0x7f707518f220 <default_loop_struct>, timeout=17425) at src/unix/linux-core.c:382
#3 0x00007f7074f762d4 in uv_run (loop=0x7f707518f220 <default_loop_struct>, mode=UV_RUN_DEFAULT) at src/unix/core.c:352
#4 0x0000558653b0c621 in run_worker (loop=0x7f707518f220 <default_loop_struct>, engine=0x7ffccc73dfa0, ipc_set=0x7ffccc73e1a0, leader=false, control_fd=-1)
at daemon/main.c:367
#5 0x0000558653b0da83 in main (argc=3, argv=0x7ffccc73e568) at daemon/main.c:692
~~~
In function `static bool ipc_readall(int fd, char *dst, size_t len)` the `read()` returns `0` but `len` parameter is 4:
~~~
(gdb) frame
#0 ipc_readall (fd=10, dst=0x7ffccc73aaf4 "", len=4) at daemon/main.c:169
(gdb) bt full
#0 ipc_readall (fd=10, dst=0x7ffccc73aaf4 "", len=4) at daemon/main.c:169
rb = 0
#1 0x0000558653b0bda4 in ipc_activity (handle=0x55865560d1e0, status=0, events=1) at daemon/main.c:189
engine = 0x7ffccc73dfa0
fd = 10
len = 0
~~~
Affected version: 1.2.1, c664f0075a4cb62af84b122eaf53a82d520e7299

https://gitlab.nic.cz/knot/knot-resolver/-/issues/127
Returned TTL in the first answer doesn't honor `cache.min_ttl`
2022-12-13T12:57:01+01:00
Ondřej Surý

This is just a reminder that the first answer (not from cache) doesn't honor the `cache.min_ttl()` settings. The min_ttl value is stored in the cache correctly, but the non-cached answer TTL is not mangled.

Vladimír Čunát vladimir.cunat@nic.cz

https://gitlab.nic.cz/knot/knot-resolver/-/issues/125
policy forward does not skip dead servers
2017-07-07T11:35:52+02:00
Petr Špaček

The `kresd` always tries to contact servers in order specified in configuration and does not prefer the working one:
This happens e.g. in situation where configuration specifies two forwarders in following order:
1. dead address `192.0.2.111`
2. working address `192.168.3.1`
Here is log from attempts to resolve various non-cached names:
~~~
[plan] plan 'nonexistent.' type 'NS'
[resl] => querying: '192.0.2.111' score: 1425 zone cut: '.' m12n: 'nonexiSteNT.' type: 'NS' proto: 'udp'
[resl] => querying: '192.168.3.1' score: 1425 zone cut: '.' m12n: 'nonexiSteNT.' type: 'NS' proto: 'udp'
[iter] <= rcode: NXDOMAIN
[ pc ] => answer cached for TTL=900
[resl] <= server: '192.0.2.111' rtt: >=270 ms
[resl] <= server: '192.168.3.1' rtt: 20 ms
[resl] finished: 4, queries: 1, mempool: 16400 B
[plan] plan 'sorry-root.' type 'NS'
[resl] => querying: '192.0.2.111' score: 20 zone cut: '.' m12n: 'SoRrY-roOt.' type: 'NS' proto: 'udp'
[resl] => querying: '192.168.3.1' score: 20 zone cut: '.' m12n: 'SoRrY-roOt.' type: 'NS' proto: 'udp'
[iter] <= rcode: NXDOMAIN
[ pc ] => answer cached for TTL=900
[resl] <= server: '192.0.2.111' rtt: >=172 ms
[resl] finished: 4, queries: 1, mempool: 16400 B
[plan] plan 'qqq.' type 'NS'
[resl] => querying: '192.0.2.111' score: 20 zone cut: '.' m12n: 'QqQ.' type: 'NS' proto: 'udp'
[resl] => querying: '192.168.3.1' score: 20 zone cut: '.' m12n: 'QqQ.' type: 'NS' proto: 'udp'
[iter] <= rcode: NXDOMAIN
[ pc ] => answer cached for TTL=900
[resl] <= server: '192.0.2.111' rtt: >=49 ms
[resl] finished: 4, queries: 1, mempool: 16400 B
~~~

https://gitlab.nic.cz/knot/knot-resolver/-/issues/88
TA bootstrap doesn't work without external resolver
2020-01-07T17:16:08+01:00
Ondřej Surý

If `/etc/resolv.conf` contains `nameserver 127.0.0.1` and the nameserver running on `127.0.0.1` is the Knot Resolver instance bootstrapping the root TA, then the bootstrapping fails with name resolution error as it doesn't start resolving until the root TA is bootstrapped.
Knot Resolver should be able to resolve at least `data.iana.org` when doing the bootstrap and it should probably fail to start if it can't bootstrap root TA.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/33
lib: DNSSEC shortcomings
2017-10-12T10:50:46+02:00
Ghost User

Bad queries:
* [x] `+dnssec DNSKEY 192.in-addr.arpa` needs a test
* [x] `+dnssec AAAA ns-1601.awsdns-08.co.uk` needs a test
* [x] `+dnssec A zimbra.rfc1925.org` add test with multiple DS, where 1st fails
* [x] `+dnssec A www.lidovky.cz` add test with a signed CNAME leading to unsigned target
* [x] `+dnssec PTR 134.221.135.195.in-addr.arpa.` treats NODATA answer as referral
* [x] `+dnssec A x.ent-asterisk.powerdns.space` name is after the last name in the zone, bad check ([zonefile](https://p.6core.net/p/2MbWJDDFcFImUmxy9cgSts7b))
* [x] `+dnssec AAAA www.nyx.cz` wildcard expansion proof not checked here
* [x] `+dnssec A nic.mx` (.mx signed on the same NS, but nic.mx is not, validator fails to fetch DS)
Not compliant:
* [x] answers from hints have `+ad`
* [x] cached CNAME targets miss RRSIGs
* wildcard expansion proof is only validated, but not inserted to the final answer -> moved to #108
* [RFC4509](https://tools.ietf.org/html/rfc4509#section-2.2) not respected (DS digest downgrade) -> moved to #254
* [x] DNSSEC records are not stripped from pktcache negative answers when client asks with DO=0
Missing features:
* [x] `+cd`, no BADCACHE (tracked as #97)
* [x] insecure answers aren't cached properly when asked with `+dnssec` (refetched)
* [x] names below NTA answered from cache are still treated as valid (cache should be purged below)

2018 Q1
Grigorii Demidov

https://gitlab.nic.cz/knot/knot-resolver/-/issues/140
Resolution of `p7677.cdngc.net.` fails with SERVFAIL
2017-04-05T16:20:17+02:00
Ondřej Surý

```
$ dig +dnssec +multi +time=60 +retry=1 -p 38267 @::1 IN A p7677.cdngc.net.
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 54558
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION:
;; p7677.cdngc.net. IN A
;; Received 44 B
;; Time 2017-01-24 13:45:33 CET
;; From ::1@38267(UDP) in 687.3 ms
```
vs
```
$ dig +dnssec +multi +time=60 +retry=1 @8.8.8.8 IN A p7677.cdngc.net.
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 20458
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 512 B; ext-rcode: Unused
;; QUESTION SECTION:
;; p7677.cdngc.net. IN A
;; AUTHORITY SECTION:
cdngc.net. 119 IN SOA ns1.cdngc.net. noc.pantherexpress.net. (
2016021700 ; serial
1200 ; refresh
120 ; retry
86400 ; expire
120 ; minimum
)
;; Received 103 B
;; Time 2017-01-24 13:46:05 CET
;; From 8.8.8.8@53(UDP) in 28.8 ms
```
clear cache log:
```
[ 0][plan] plan 'p7677.cdngc.net.' type 'A'
[52139][iter] 'p7677.cdngc.net.' type 'A' id was assigned, parent id 0
[52139][resl] => using root hints
[21123][iter] 'p7677.cdngc.net.' type 'A' id was assigned, parent id 0
[21123][plan] plan '.' type 'DNSKEY'
[63279][iter] '.' type 'DNSKEY' id was assigned, parent id 21123
[63279][resl] => querying: '2001:dc3::35' score: 10 zone cut: '.' m12n: '.' type: 'DNSKEY' proto: 'udp'
[63279][iter] <= rcode: NOERROR
[63279][vldr] <= parent: updating DNSKEY
[63279][vldr] <= answer valid, OK
[63279][resl] <= server: '2001:dc3::35' rtt: 18 ms
[59716][iter] 'p7677.cdngc.net.' type 'A' id was assigned, parent id 0
[59716][resl] => querying: '2001:500:9f::42' score: 10 zone cut: '.' m12n: 'net.' type: 'NS' proto: 'udp'
[59716][iter] <= using glue for 'a.gtld-servers.net.': '192.5.6.30'
[59716][iter] <= using glue for 'a.gtld-servers.net.': '2001:503:a83e::2:30'
[59716][iter] <= using glue for 'b.gtld-servers.net.': '192.33.14.30'
[59716][iter] <= using glue for 'b.gtld-servers.net.': '2001:503:231d::2:30'
[59716][iter] <= using glue for 'c.gtld-servers.net.': '192.26.92.30'
[59716][iter] <= using glue for 'd.gtld-servers.net.': '192.31.80.30'
[59716][iter] <= using glue for 'e.gtld-servers.net.': '192.12.94.30'
[59716][iter] <= using glue for 'f.gtld-servers.net.': '192.35.51.30'
[59716][iter] <= using glue for 'g.gtld-servers.net.': '192.42.93.30'
[59716][iter] <= using glue for 'h.gtld-servers.net.': '192.54.112.30'
[59716][iter] <= using glue for 'i.gtld-servers.net.': '192.43.172.30'
[59716][iter] <= using glue for 'j.gtld-servers.net.': '192.48.79.30'
[59716][iter] <= using glue for 'k.gtld-servers.net.': '192.52.178.30'
[59716][iter] <= using glue for 'l.gtld-servers.net.': '192.41.162.30'
[59716][iter] <= using glue for 'm.gtld-servers.net.': '192.55.83.30'
[59716][iter] <= referral response, follow
[59716][vldr] <= DS: OK
[59716][vldr] <= answer valid, OK
[59716][resl] <= server: '2001:500:9f::42' rtt: 1 ms
[12204][iter] 'p7677.cdngc.net.' type 'A' id was assigned, parent id 0
[12204][plan] plan 'net.' type 'DNSKEY'
[43582][iter] 'net.' type 'DNSKEY' id was assigned, parent id 12204
[43582][resl] => querying: '192.55.83.30' score: 10 zone cut: 'net.' m12n: 'nET.' type: 'DNSKEY' proto: 'udp'
[43582][iter] <= rcode: NOERROR
[43582][vldr] <= parent: updating DNSKEY
[43582][vldr] <= answer valid, OK
[43582][resl] <= server: '192.55.83.30' rtt: 34 ms
[38328][iter] 'p7677.cdngc.net.' type 'A' id was assigned, parent id 0
[38328][resl] => querying: '192.41.162.30' score: 10 zone cut: 'net.' m12n: 'cdngC.Net.' type: 'NS' proto: 'udp'
[38328][iter] <= referral response, follow
[38328][vldr] <= DS doesn't exist, going insecure
[38328][vldr] <= answer valid, OK
[38328][resl] <= server: '192.41.162.30' rtt: 113 ms
[57075][iter] 'p7677.cdngc.net.' type 'A' id was assigned, parent id 0
[57075][plan] plan 'ns4.panthercdn.com.' type 'AAAA'
[46349][iter] 'ns4.panthercdn.com.' type 'AAAA' id was assigned, parent id 57075
[46349][resl] => using root hints
[42721][iter] 'ns4.panthercdn.com.' type 'AAAA' id was assigned, parent id 57075
[42721][resl] >< TA: '.'
[42721][plan] plan '.' type 'DNSKEY'
[54368][iter] '.' type 'DNSKEY' id was assigned, parent id 42721
[54368][ rc ] => satisfied from cache
[54368][iter] <= rcode: NOERROR
[54368][vldr] <= parent: updating DNSKEY
[54368][vldr] <= answer valid, OK
[61820][iter] 'ns4.panthercdn.com.' type 'AAAA' id was assigned, parent id 57075
[61820][resl] => querying: '2001:7fd::1' score: 10 zone cut: '.' m12n: 'CoM.' type: 'NS' proto: 'udp'
[61820][iter] <= using glue for 'a.gtld-servers.net.': '192.5.6.30'
[61820][iter] <= using glue for 'a.gtld-servers.net.': '2001:503:a83e::2:30'
[61820][iter] <= using glue for 'b.gtld-servers.net.': '192.33.14.30'
[61820][iter] <= using glue for 'b.gtld-servers.net.': '2001:503:231d::2:30'
[61820][iter] <= using glue for 'c.gtld-servers.net.': '192.26.92.30'
[61820][iter] <= using glue for 'd.gtld-servers.net.': '192.31.80.30'
[61820][iter] <= using glue for 'e.gtld-servers.net.': '192.12.94.30'
[61820][iter] <= using glue for 'f.gtld-servers.net.': '192.35.51.30'
[61820][iter] <= using glue for 'g.gtld-servers.net.': '192.42.93.30'
[61820][iter] <= using glue for 'h.gtld-servers.net.': '192.54.112.30'
[61820][iter] <= using glue for 'i.gtld-servers.net.': '192.43.172.30'
[61820][iter] <= using glue for 'j.gtld-servers.net.': '192.48.79.30'
[61820][iter] <= using glue for 'k.gtld-servers.net.': '192.52.178.30'
[61820][iter] <= using glue for 'l.gtld-servers.net.': '192.41.162.30'
[61820][iter] <= using glue for 'm.gtld-servers.net.': '192.55.83.30'
[61820][iter] <= referral response, follow
[61820][vldr] <= DS: OK
[61820][vldr] <= answer valid, OK
[61820][resl] <= server: '2001:7fd::1' rtt: 2 ms
[43817][iter] 'ns4.panthercdn.com.' type 'AAAA' id was assigned, parent id 57075
[43817][plan] plan 'com.' type 'DNSKEY'
[57985][iter] 'com.' type 'DNSKEY' id was assigned, parent id 43817
[57985][resl] => querying: '192.52.178.30' score: 10 zone cut: 'com.' m12n: 'COM.' type: 'DNSKEY' proto: 'udp'
[57985][resl] => querying: '192.48.79.30' score: 10 zone cut: 'com.' m12n: 'COM.' type: 'DNSKEY' proto: 'udp'
[57985][iter] <= rcode: NOERROR
[57985][vldr] <= parent: updating DNSKEY
[57985][vldr] <= answer valid, OK
[57985][resl] <= server: '192.52.178.30' rtt: 267 ms
[57985][resl] <= server: '192.48.79.30' rtt: >=17 ms
[48815][iter] 'ns4.panthercdn.com.' type 'AAAA' id was assigned, parent id 57075
[48815][resl] => querying: '192.55.83.30' score: 34 zone cut: 'com.' m12n: 'PANTheRCDn.cOM.' type: 'NS' proto: 'udp'
[48815][iter] <= using glue for 'ns3.panthercdn.com.': '174.35.89.33'
[48815][iter] <= using glue for 'ns4.panthercdn.com.': '174.35.49.33'
[48815][iter] <= referral response, follow
[48815][vldr] <= DS doesn't exist, going insecure
[48815][vldr] <= parent: updating DS
[48815][vldr] <= answer valid, OK
[48815][resl] <= server: '192.55.83.30' rtt: 34 ms
[26282][iter] 'ns4.panthercdn.com.' type 'AAAA' id was assigned, parent id 57075
[26282][resl] => querying: '174.35.49.33' score: 10 zone cut: 'panthercdn.com.' m12n: 'Ns4.PANtheRCDn.COm.' type: 'AAAA' proto: 'udp'
[26282][iter] <= rcode: NOERROR
[26282][ pc ] => answer cached for TTL=5
[26282][resl] <= server: '174.35.49.33' rtt: 21 ms
[49339][iter] 'p7677.cdngc.net.' type 'A' id was assigned, parent id 0
[49339][plan] plan 'ns4.panthercdn.com.' type 'A'
[51066][iter] 'ns4.panthercdn.com.' type 'A' id was assigned, parent id 49339
[51066][ rc ] => satisfied from cache
[51066][iter] <= rcode: NOERROR
[51066][vldr] <= cached insecure response, going insecure
[24570][iter] 'p7677.cdngc.net.' type 'A' id was assigned, parent id 0
[24570][resl] => querying: '174.35.49.33' score: 21 zone cut: 'cdngc.net.' m12n: 'P7677.cDNgc.net.' type: 'A' proto: 'udp'
[24570][iter] <= rcode: REFUSED
[24570][resl] <= server: '174.35.49.33' rtt: 21 ms
[ 9998][iter] 'p7677.cdngc.net.' type 'A' id was assigned, parent id 0
[ 9998][resl] => querying: '174.35.49.33' score: 121 zone cut: 'cdngc.net.' m12n: 'P7677.CDngC.NEt.' type: 'A' proto: 'udp'
[ 9998][iter] <= rcode: REFUSED
[ 9998][resl] <= server: '174.35.49.33' rtt: 21 ms
[40285][iter] 'p7677.cdngc.net.' type 'A' id was assigned, parent id 0
[40285][resl] => querying: '174.35.49.33' score: 171 zone cut: 'cdngc.net.' m12n: 'P7677.cDNgC.neT.' type: 'A' proto: 'udp'
[40285][iter] <= rcode: REFUSED
[40285][resl] <= server: '174.35.49.33' rtt: 20 ms
[56211][iter] 'p7677.cdngc.net.' type 'A' id was assigned, parent id 0
[56211][resl] => querying: '174.35.49.33' score: 195 zone cut: 'cdngc.net.' m12n: 'P7677.CdNGc.NEt.' type: 'A' proto: 'udp'
[56211][iter] <= rcode: REFUSED
[56211][resl] => server: '174.35.49.33' flagged as 'bad'
[23576][iter] 'p7677.cdngc.net.' type 'A' id was assigned, parent id 0
[23576][resl] => unresolvable NS address, bailing out
[23576][plan] plan 'ns3.panthercdn.com.' type 'AAAA'
[29290][iter] 'ns3.panthercdn.com.' type 'AAAA' id was assigned, parent id 23576
[48411][iter] 'ns3.panthercdn.com.' type 'AAAA' id was assigned, parent id 23576
[48411][resl] => querying: '174.35.89.33' score: 10 zone cut: 'panthercdn.com.' m12n: 'nS3.PaNtherCdn.Com.' type: 'AAAA' proto: 'udp'
[48411][iter] <= rcode: NOERROR
[48411][ pc ] => answer cached for TTL=5
[48411][resl] <= server: '174.35.89.33' rtt: 21 ms
[38390][iter] 'p7677.cdngc.net.' type 'A' id was assigned, parent id 0
[38390][plan] plan 'ns3.panthercdn.com.' type 'A'
[19349][iter] 'ns3.panthercdn.com.' type 'A' id was assigned, parent id 38390
[19349][ rc ] => satisfied from cache
[19349][iter] <= rcode: NOERROR
[19349][vldr] <= cached insecure response, going insecure
[24405][iter] 'p7677.cdngc.net.' type 'A' id was assigned, parent id 0
[24405][resl] => querying: '174.35.89.33' score: 21 zone cut: 'cdngc.net.' m12n: 'p7677.CDnGC.neT.' type: 'A' proto: 'udp'
[24405][iter] <= rcode: REFUSED
[24405][resl] <= server: '174.35.89.33' rtt: 21 ms
[42424][iter] 'p7677.cdngc.net.' type 'A' id was assigned, parent id 0
[42424][resl] => querying: '174.35.89.33' score: 121 zone cut: 'cdngc.net.' m12n: 'p7677.CdNgc.net.' type: 'A' proto: 'udp'
[42424][iter] <= rcode: REFUSED
[42424][resl] <= server: '174.35.89.33' rtt: 20 ms
[33417][iter] 'p7677.cdngc.net.' type 'A' id was assigned, parent id 0
[33417][resl] => querying: '174.35.89.33' score: 170 zone cut: 'cdngc.net.' m12n: 'p7677.CdNGc.net.' type: 'A' proto: 'udp'
[33417][iter] <= rcode: REFUSED
[33417][resl] <= server: '174.35.89.33' rtt: 21 ms
[53032][iter] 'p7677.cdngc.net.' type 'A' id was assigned, parent id 0
[53032][resl] => querying: '174.35.89.33' score: 195 zone cut: 'cdngc.net.' m12n: 'p7677.CDNgC.NeT.' type: 'A' proto: 'udp'
[53032][iter] <= rcode: REFUSED
[53032][resl] => server: '174.35.89.33' flagged as 'bad'
[11267][iter] 'p7677.cdngc.net.' type 'A' id was assigned, parent id 0
[11267][resl] => unresolvable NS address, bailing out
[11267][resl] => no valid NS left
[ 0][resl] finished: 8, queries: 9, mempool: 164000 B
```

1.3.0 release
Vladimír Čunát vladimir.cunat@nic.cz

https://gitlab.nic.cz/knot/knot-resolver/-/issues/128
mcaffee.com CDN records unresolvable
2017-04-05T16:20:20+02:00
Ondřej Surý

From internal testing the `b-0.19-23003008.1481.1518.19cf.3ea1.410.0.ekzijnekvvvg7gb38qcwur561b.avqs.mcafee.com. IN A` and similar queries end with `NXDOMAIN` while it should return A record:
```
;; ANSWER SECTION:
b-0.19-23003008.1481.1518.19cf.3ea1.410.0.ekzijnekvvvg7gb38qcwur561b.avqs.mcafee.com. 3599 IN A 127.129.0.128
```
I suspect QNAME minimization, but further debugging is needed.
Clean cache log:
```
[ 0][plan] plan 'b-0.19-23003008.1481.1518.19cf.3ea1.410.0.ekzijnekvvvg7gb38qcwur561b.avqs.mcafee.com.' type 'A'
[12987][iter] 'b-0.19-23003008.1481.1518.19cf.3ea1.410.0.ekzijnekvvvg7gb38qcwur561b.avqs.mcafee.com.' type 'A' id was assigned, parent id 0
[12987][plan] plan 'm.root-servers.net.' type 'AAAA'
[44827][iter] 'm.root-servers.net.' type 'AAAA' id was assigned, parent id 12987
[44827][resl] >< TA: '.'
[44827][resl] => querying: '2001:7fd::1' score: 10 zone cut: '.' m12n: 'NeT.' type: 'NS' proto: 'udp'
[44827][iter] <= using glue for 'a.gtld-servers.net.': '192.5.6.30'
[44827][iter] <= using glue for 'a.gtld-servers.net.': '2001:503:a83e::2:30'
[44827][iter] <= using glue for 'b.gtld-servers.net.': '192.33.14.30'
[44827][iter] <= using glue for 'b.gtld-servers.net.': '2001:503:231d::2:30'
[44827][iter] <= using glue for 'c.gtld-servers.net.': '192.26.92.30'
[44827][iter] <= using glue for 'd.gtld-servers.net.': '192.31.80.30'
[44827][iter] <= using glue for 'e.gtld-servers.net.': '192.12.94.30'
[44827][iter] <= using glue for 'f.gtld-servers.net.': '192.35.51.30'
[44827][iter] <= using glue for 'g.gtld-servers.net.': '192.42.93.30'
[44827][iter] <= using glue for 'h.gtld-servers.net.': '192.54.112.30'
[44827][iter] <= using glue for 'i.gtld-servers.net.': '192.43.172.30'
[44827][iter] <= using glue for 'j.gtld-servers.net.': '192.48.79.30'
[44827][iter] <= using glue for 'k.gtld-servers.net.': '192.52.178.30'
[44827][iter] <= using glue for 'l.gtld-servers.net.': '192.41.162.30'
[44827][iter] <= using glue for 'm.gtld-servers.net.': '192.55.83.30'
[44827][iter] <= referral response, follow
[44827][vldr] <= DS: OK
[44827][vldr] <= answer valid, OK
[44827][resl] <= server: '2001:7fd::1' rtt: 1 ms
[48044][iter] 'm.root-servers.net.' type 'AAAA' id was assigned, parent id 12987
[48044][plan] plan 'net.' type 'DNSKEY'
[56890][iter] 'net.' type 'DNSKEY' id was assigned, parent id 48044
[56890][resl] => querying: '192.55.83.30' score: 10 zone cut: 'net.' m12n: 'NET.' type: 'DNSKEY' proto: 'udp'
[56890][iter] <= rcode: NOERROR
[56890][vldr] <= parent: updating DNSKEY
[56890][vldr] <= answer valid, OK
[56890][resl] <= server: '192.55.83.30' rtt: 34 ms
[19599][iter] 'm.root-servers.net.' type 'AAAA' id was assigned, parent id 12987
[19599][resl] => querying: '192.41.162.30' score: 10 zone cut: 'net.' m12n: 'ROOT-sERvERs.NEt.' type: 'NS' proto: 'udp'
[19599][iter] <= using glue for 'a.root-servers.net.': '198.41.0.4'
[19599][iter] <= using glue for 'a.root-servers.net.': '2001:503:ba3e::2:30'
[19599][iter] <= using glue for 'h.root-servers.net.': '198.97.190.53'
[19599][iter] <= using glue for 'h.root-servers.net.': '2001:500:1::53'
[19599][iter] <= using glue for 'c.root-servers.net.': '192.33.4.12'
[19599][iter] <= using glue for 'c.root-servers.net.': '2001:500:2::c'
[19599][iter] <= using glue for 'g.root-servers.net.': '192.112.36.4'
[19599][iter] <= using glue for 'f.root-servers.net.': '192.5.5.241'
[19599][iter] <= using glue for 'f.root-servers.net.': '2001:500:2f::f'
[19599][iter] <= using glue for 'b.root-servers.net.': '192.228.79.201'
[19599][iter] <= using glue for 'b.root-servers.net.': '2001:500:84::b'
[19599][iter] <= using glue for 'j.root-servers.net.': '192.58.128.30'
[19599][iter] <= using glue for 'j.root-servers.net.': '2001:503:c27::2:30'
[19599][iter] <= using glue for 'k.root-servers.net.': '193.0.14.129'
[19599][iter] <= using glue for 'k.root-servers.net.': '2001:7fd::1'
[19599][iter] <= using glue for 'l.root-servers.net.': '199.7.83.42'
[19599][iter] <= using glue for 'l.root-servers.net.': '2001:500:9f::42'
[19599][iter] <= using glue for 'm.root-servers.net.': '2001:dc3::35'
[19599][iter] <= using glue for 'm.root-servers.net.': '202.12.27.33'
[19599][iter] <= using glue for 'i.root-servers.net.': '192.36.148.17'
[19599][iter] <= using glue for 'i.root-servers.net.': '2001:7fe::53'
[19599][iter] <= using glue for 'e.root-servers.net.': '192.203.230.10'
[19599][iter] <= using glue for 'd.root-servers.net.': '199.7.91.13'
[19599][iter] <= using glue for 'd.root-servers.net.': '2001:500:2d::d'
[19599][iter] <= referral response, follow
[19599][vldr] <= DS doesn't exist, going insecure
[19599][vldr] <= parent: updating DS
[19599][vldr] <= answer valid, OK
[19599][resl] <= server: '192.41.162.30' rtt: 114 ms
[12188][iter] 'm.root-servers.net.' type 'AAAA' id was assigned, parent id 12987
[12188][resl] => querying: '202.12.27.33' score: 10 zone cut: 'root-servers.net.' m12n: 'M.ROOT-sErveRS.nEt.' type: 'AAAA' proto: 'udp'
[12188][iter] <= using glue for 'b.root-servers.net.': '192.228.79.201'
[12188][iter] <= using glue for 'b.root-servers.net.': '2001:500:84::b'
[12188][iter] <= using glue for 'f.root-servers.net.': '192.5.5.241'
[12188][iter] <= using glue for 'f.root-servers.net.': '2001:500:2f::f'
[12188][iter] <= using glue for 'c.root-servers.net.': '192.33.4.12'
[12188][iter] <= using glue for 'c.root-servers.net.': '2001:500:2::c'
[12188][iter] <= using glue for 'k.root-servers.net.': '193.0.14.129'
[12188][iter] <= using glue for 'k.root-servers.net.': '2001:7fd::1'
[12188][iter] <= using glue for 'i.root-servers.net.': '192.36.148.17'
[12188][iter] <= using glue for 'i.root-servers.net.': '2001:7fe::53'
[12188][iter] <= using glue for 'j.root-servers.net.': '192.58.128.30'
[12188][iter] <= using glue for 'j.root-servers.net.': '2001:503:c27::2:30'
[12188][iter] <= using glue for 'l.root-servers.net.': '199.7.83.42'
[12188][iter] <= using glue for 'l.root-servers.net.': '2001:500:9f::42'
[12188][iter] <= using glue for 'a.root-servers.net.': '198.41.0.4'
[12188][iter] <= using glue for 'a.root-servers.net.': '2001:503:ba3e::2:30'
[12188][iter] <= using glue for 'm.root-servers.net.': '2001:dc3::35'
[12188][iter] <= using glue for 'm.root-servers.net.': '202.12.27.33'
[12188][iter] <= using glue for 'h.root-servers.net.': '198.97.190.53'
[12188][iter] <= using glue for 'h.root-servers.net.': '2001:500:1::53'
[12188][iter] <= using glue for 'g.root-servers.net.': '192.112.36.4'
[12188][iter] <= using glue for 'g.root-servers.net.': '2001:500:12::d0d'
[12188][iter] <= using glue for 'e.root-servers.net.': '192.203.230.10'
[12188][iter] <= using glue for 'e.root-servers.net.': '2001:500:a8::e'
[12188][iter] <= using glue for 'd.root-servers.net.': '199.7.91.13'
[12188][iter] <= using glue for 'd.root-servers.net.': '2001:500:2d::d'
[12188][iter] <= rcode: NOERROR
[12188][resl] <= server: '202.12.27.33' rtt: 18 ms
[20909][iter] 'b-0.19-23003008.1481.1518.19cf.3ea1.410.0.ekzijnekvvvg7gb38qcwur561b.avqs.mcafee.com.' type 'A' id was assigned, parent id 0
[20909][resl] => querying: '2001:dc3::35' score: 18 zone cut: '.' m12n: 'CoM.' type: 'NS' proto: 'udp'
[20909][iter] <= using glue for 'h.gtld-servers.net.': '192.54.112.30'
[20909][iter] <= using glue for 'f.gtld-servers.net.': '192.35.51.30'
[20909][iter] <= using glue for 'd.gtld-servers.net.': '192.31.80.30'
[20909][iter] <= using glue for 'e.gtld-servers.net.': '192.12.94.30'
[20909][iter] <= using glue for 'j.gtld-servers.net.': '192.48.79.30'
[20909][iter] <= using glue for 'g.gtld-servers.net.': '192.42.93.30'
[20909][iter] <= using glue for 'm.gtld-servers.net.': '192.55.83.30'
[20909][iter] <= using glue for 'i.gtld-servers.net.': '192.43.172.30'
[20909][iter] <= using glue for 'a.gtld-servers.net.': '192.5.6.30'
[20909][iter] <= using glue for 'a.gtld-servers.net.': '2001:503:a83e::2:30'
[20909][iter] <= using glue for 'l.gtld-servers.net.': '192.41.162.30'
[20909][iter] <= using glue for 'b.gtld-servers.net.': '192.33.14.30'
[20909][iter] <= using glue for 'b.gtld-servers.net.': '2001:503:231d::2:30'
[20909][iter] <= using glue for 'k.gtld-servers.net.': '192.52.178.30'
[20909][iter] <= using glue for 'c.gtld-servers.net.': '192.26.92.30'
[20909][iter] <= referral response, follow
[20909][vldr] <= DS: OK
[20909][vldr] <= answer valid, OK
[20909][resl] <= server: '2001:dc3::35' rtt: 17 ms
[35619][iter] 'b-0.19-23003008.1481.1518.19cf.3ea1.410.0.ekzijnekvvvg7gb38qcwur561b.avqs.mcafee.com.' type 'A' id was assigned, parent id 0
[35619][plan] plan 'com.' type 'DNSKEY'
[18962][iter] 'com.' type 'DNSKEY' id was assigned, parent id 35619
[18962][resl] => querying: '192.52.178.30' score: 10 zone cut: 'com.' m12n: 'COm.' type: 'DNSKEY' proto: 'udp'
[18962][resl] => querying: '192.48.79.30' score: 10 zone cut: 'com.' m12n: 'COm.' type: 'DNSKEY' proto: 'udp'
[18962][iter] <= rcode: NOERROR
[18962][vldr] <= parent: updating DNSKEY
[18962][vldr] <= answer valid, OK
[18962][resl] <= server: '192.52.178.30' rtt: 263 ms
[18962][resl] <= server: '192.48.79.30' rtt: >=13 ms
[15171][iter] 'b-0.19-23003008.1481.1518.19cf.3ea1.410.0.ekzijnekvvvg7gb38qcwur561b.avqs.mcafee.com.' type 'A' id was assigned, parent id 0
[15171][resl] => querying: '192.43.172.30' score: 10 zone cut: 'com.' m12n: 'MCafEE.CoM.' type: 'NS' proto: 'udp'
[15171][iter] <= using glue for 'ns-b.mcafee.com.': '208.69.152.14'
[15171][iter] <= using glue for 'ns-a.mcafee.com.': '216.49.88.14'
[15171][iter] <= referral response, follow
[15171][vldr] <= DS doesn't exist, going insecure
[15171][vldr] <= answer valid, OK
[15171][resl] <= server: '192.43.172.30' rtt: 28 ms
[42744][iter] 'b-0.19-23003008.1481.1518.19cf.3ea1.410.0.ekzijnekvvvg7gb38qcwur561b.avqs.mcafee.com.' type 'A' id was assigned, parent id 0
[42744][resl] => querying: '208.69.152.14' score: 10 zone cut: 'mcafee.com.' m12n: 'avqs.mcAfee.Com.' type: 'NS' proto: 'udp'
[42744][iter] <= referral response, follow
[42744][resl] <= server: '208.69.152.14' rtt: 129 ms
[ 305][iter] 'b-0.19-23003008.1481.1518.19cf.3ea1.410.0.ekzijnekvvvg7gb38qcwur561b.avqs.mcafee.com.' type 'A' id was assigned, parent id 0
[ 305][plan] plan 'local.cloud.mcafee.com.' type 'AAAA'
[20082][iter] 'local.cloud.mcafee.com.' type 'AAAA' id was assigned, parent id 305
[27766][iter] 'local.cloud.mcafee.com.' type 'AAAA' id was assigned, parent id 305
[27766][resl] => querying: '216.49.88.14' score: 10 zone cut: 'mcafee.com.' m12n: 'CLoud.mcaFee.cOm.' type: 'NS' proto: 'udp'
[27766][iter] <= using glue for 'gs4.mcafee.com.': '161.69.198.250'
[27766][iter] <= using glue for 'gs1.mcafee.com.': '8.18.25.250'
[27766][iter] <= using glue for 'gs2.mcafee.com.': '8.21.161.250'
[27766][iter] <= using glue for 'gs3.mcafee.com.': '161.69.169.250'
[27766][iter] <= referral response, follow
[27766][resl] <= server: '216.49.88.14' rtt: 153 ms
[37049][iter] 'local.cloud.mcafee.com.' type 'AAAA' id was assigned, parent id 305
[37049][resl] => querying: '161.69.198.250' score: 10 zone cut: 'cloud.mcafee.com.' m12n: 'LOCAl.Cloud.mCafEe.coM.' type: 'AAAA' proto: 'udp'
[37049][resl] => querying: '161.69.169.250' score: 10 zone cut: 'cloud.mcafee.com.' m12n: 'LOCAl.Cloud.mCafEe.coM.' type: 'AAAA' proto: 'udp'
[37049][iter] <= rcode: NOERROR
[37049][ pc ] => answer cached for TTL=5
[37049][resl] <= server: '161.69.198.250' rtt: >=266 ms
[37049][resl] <= server: '161.69.169.250' rtt: 16 ms
[59447][iter] 'b-0.19-23003008.1481.1518.19cf.3ea1.410.0.ekzijnekvvvg7gb38qcwur561b.avqs.mcafee.com.' type 'A' id was assigned, parent id 0
[59447][plan] plan 'local.cloud.mcafee.com.' type 'A'
[17906][iter] 'local.cloud.mcafee.com.' type 'A' id was assigned, parent id 59447
[26631][iter] 'local.cloud.mcafee.com.' type 'A' id was assigned, parent id 59447
[26631][plan] plan 'gs4.mcafee.com.' type 'AAAA'
[43299][iter] 'gs4.mcafee.com.' type 'AAAA' id was assigned, parent id 26631
[26908][iter] 'gs4.mcafee.com.' type 'AAAA' id was assigned, parent id 26631
[26908][resl] => querying: '208.69.152.14' score: 129 zone cut: 'mcafee.com.' m12n: 'Gs4.mCAFEe.CoM.' type: 'AAAA' proto: 'udp'
[26908][iter] <= rcode: NOERROR
[26908][ pc ] => answer cached for TTL=900
[26908][resl] <= server: '208.69.152.14' rtt: 129 ms
[27931][iter] 'local.cloud.mcafee.com.' type 'A' id was assigned, parent id 59447
[27931][plan] plan 'gs4.mcafee.com.' type 'A'
[ 7894][iter] 'gs4.mcafee.com.' type 'A' id was assigned, parent id 27931
[29665][iter] 'gs4.mcafee.com.' type 'A' id was assigned, parent id 27931
[29665][resl] => querying: '208.69.152.14' score: 129 zone cut: 'mcafee.com.' m12n: 'gs4.mCaFee.COm.' type: 'A' proto: 'udp'
[29665][iter] <= using glue for 'ns-a.mcafee.com.': '216.49.88.14'
[29665][iter] <= using glue for 'ns-b.mcafee.com.': '208.69.152.14'
[29665][iter] <= rcode: NOERROR
[29665][resl] <= server: '208.69.152.14' rtt: 129 ms
[34969][iter] 'local.cloud.mcafee.com.' type 'A' id was assigned, parent id 59447
[34969][resl] => querying: '161.69.198.250' score: 266 zone cut: 'cloud.mcafee.com.' m12n: 'locAL.CloUD.mcafeE.cOm.' type: 'A' proto: 'udp'
[34969][resl] => querying: '161.69.198.250' score: 266 zone cut: 'cloud.mcafee.com.' m12n: 'locAL.CloUD.mcafeE.cOm.' type: 'A' proto: 'udp'
[34969][iter] <= rcode: NOERROR
[34969][resl] <= server: '161.69.198.250' rtt: 264 ms
[ 5991][iter] 'b-0.19-23003008.1481.1518.19cf.3ea1.410.0.ekzijnekvvvg7gb38qcwur561b.avqs.mcafee.com.' type 'A' id was assigned, parent id 0
[ 5991][resl] => querying: '161.69.165.4' score: 10 zone cut: 'avqs.mcafee.com.' m12n: 'EKZIJnEKVVVG7Gb38QCwUr561B.avqS.MCAFEe.COM.' type: 'NS' proto: 'udp'
[ 5991][iter] <= rcode: NXDOMAIN
[ 5991][iter] <= found cut, retrying with non-minimized name
[ 5991][ pc ] => answer cached for TTL=600
[ 5991][resl] <= server: '161.69.165.4' rtt: 26 ms
[24433][iter] 'b-0.19-23003008.1481.1518.19cf.3ea1.410.0.ekzijnekvvvg7gb38qcwur561b.avqs.mcafee.com.' type 'A' id was assigned, parent id 0
[24433][resl] => querying: '161.69.165.4' score: 26 zone cut: 'avqs.mcafee.com.' m12n: 'b-0.19-23003008.1481.1518.19cf.3ea1.410.0.EkzIjneKVvvg7gB38qcwur561b.AVQs.McaFee.COm.' type: 'A' proto: 'udp'
[24433][iter] <= rcode: NXDOMAIN
[24433][ pc ] => answer cached for TTL=600
[24433][resl] <= server: '161.69.165.4' rtt: 25 ms
[ 0][resl] finished: 4, queries: 8, mempool: 82000 B
```
1.3.0 release
Vladimír Čunát vladimir.cunat@nic.cz

https://gitlab.nic.cz/knot/knot-resolver/-/issues/180
OPT record is not sent on validation failures
2019-06-25T17:27:09+02:00
Petr Špaček

`kresd` a36b705aba556b1a20bf7ca0a234a3ae37df60e0 does not reply with OPT record (EDNS) when it is sending SERVFAIL caused by DNSSEC validation failure.
This breaks rules specified in https://tools.ietf.org/html/rfc6840#section-5.6 because DO bit must be reflected back to the requestor. Also, it might potentially cause problems with EDNS version negotiation if the failed query is a first request sent by the client to `kresd`.
As far as I can tell `unbound-1.6.0-6.fc25.x86_64` replies with OPT record and DO bit set accordingly even on validation failures.
2019 Q1
Vladimír Čunát vladimir.cunat@nic.cz

https://gitlab.nic.cz/knot/knot-resolver/-/issues/199
validate: various failures on 1.2.6 not related to forwarding
2017-10-10T09:53:15+02:00
Vladimír Čunát vladimir.cunat@nic.cz

This seems independent of forwarding mode, and it fails on 1.2.6 as well. Example log:
```
[37659][plan] plan 'v1.pcextreme.nl.' type 'DNSKEY'
[60204][iter] 'v1.pcextreme.nl.' type 'DNSKEY' id was assigned, parent id 37659
[60204][resl] => querying: '93.180.70.53' score: 10 zone cut: 'v1.pcextreme.nl.' m12n: 'v1.PcExtrEME.nL.' type: 'DNSKEY' proto: 'udp'
[60204][iter] <= rcode: NOERROR
[60204][vldr] <= bad keys, broken trust chain
```
Other resolvers find the domain OK, including [dnsviz](http://dnsviz.net/d/v1.pcextreme.nl/dnssec/), unbound and google.
**EDIT**: this particular name requires GOST for DS, and it's now correctly downgraded to insecure since !333 (and thus v1.3.2).

https://gitlab.nic.cz/knot/knot-resolver/-/issues/200
policy: update aho-corasick code
2017-12-17T01:10:18+01:00
Vladimír Čunát vladimir.cunat@nic.cz

-bugs +speed
See https://gitter.im/CZ-NIC/knot-resolver?at=592d2fb7f3001cd34270f0cb and followups.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/203
DNS64 synthesis not working for CNAME responses
2017-12-17T01:10:18+01:00
Ondřej Caletka

Using kresd 1.2.6 on Turris Omnia, I've set up DNS64 using this snippet:
```
modules.load('dns64')
dns64.config('64:ff9b::')
```
It works well mostly but somehow it fails to synthetise AAAA response if the answer is indirected by a CNAME. For instance:
```
$ dig www.regiojet.cz aaaa
; <<>> DiG 9.11.0-P3 <<>> www.regiojet.cz aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29320
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.regiojet.cz. IN AAAA
;; ANSWER SECTION:
www.regiojet.cz. 3310 IN CNAME brn-web02.sa.cz.
;; Query time: 3 msec
;; SERVER: 2001:718:e:ed14::1#53(2001:718:e:ed14::1)
;; WHEN: So čen 03 14:53:53 CEST 2017
;; MSG SIZE rcvd: 71
```
1.3.x

https://gitlab.nic.cz/knot/knot-resolver/-/issues/204
hints: interpretation of hosts file with multiple entries
2017-12-17T01:10:18+01:00
Vladimír Čunát vladimir.cunat@nic.cz

If one line contains multiple names for the address, the *first* name should be the canonical one (i.e. used for reverse lookups). In the current implementation the last one wins. Discovered on https://forum.turris.cz/t/dns-forwarding-to-a-different-dns-for-the-internal-lan/4039/18
1.3.2

https://gitlab.nic.cz/knot/knot-resolver/-/issues/210
RFC 4035 sec 5.2: downgrade to insecure when only unknown algorithms are used (provably)
2019-07-09T17:12:39+02:00
Vladimír Čunát vladimir.cunat@nic.cz

Currently these lead to SERVFAIL, as detected by https://rootcanary.org/test.html
This will probably be about handling the `DNSSEC_INVALID_DS_ALGORITHM` return code from libdnssec.
https://tools.ietf.org/html/rfc4035#section-5.2
> If the validator does not support any of the algorithms listed in an
authenticated DS RRset, then the resolver has no supported
authentication path leading from the parent to the child. The
resolver should treat this case as it would the case of an
authenticated NSEC RRset proving that no DS RRset exists, as
described above.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/218
dns64 is broken with policy.STUB
2024-02-28T12:09:18+01:00
Vladimír Čunát vladimir.cunat@nic.cz

See e.g. 0b748e0e49. Related: https://gitlab.nic.cz/knot/knot-resolver/issues/217

https://gitlab.nic.cz/knot/knot-resolver/-/issues/220
RFC 8109: Priming queries are not implemented
2017-12-17T01:10:17+01:00
Petr Špaček

Knot Resolver 1.3.2 is not doing priming queries as specified by Best Current Practice https://tools.ietf.org/html/rfc8109 . We should implement that before Knot Resolver gets massive deployment because it will be hard to update it later on.
Please see #230 before implementing this.
Additional notes:
- maybe it makes sense not to limit default TTL for data from root
- what happens if cache size == 0 or max TTL == 0? We should not create problems like the one described in this [talk DNS Priming Queries 2017](https://indico.dns-oarc.net/event/27/session/5/contribution/21) from DNS-OARC 27

2017 Q4

https://gitlab.nic.cz/knot/knot-resolver/-/issues/224
validate: support mixing NSEC and NSEC3 in a single packet
2017-10-10T10:08:11+02:00
Vladimír Čunát vladimir.cunat@nic.cz

https://gitlab.nic.cz/knot/knot-resolver/-/issues/225
opcode IQUERY returns SERVFAIL instead of NOTIMP
2019-07-09T17:14:22+02:00
Štěpán Kotek

Unsupported opcode must lead to `RCODE=NOTIMP`. This will get back and bite us when the session signalling draft comes by.
Clarification: Response to unknown OPCODE must contain only the DNS message header and nothing else, not even EDNS. The reason is that different OPCODEs might potentially use very different message format so it is risky to return anything beyond the DNS header.
test failing: `sets/resolver/iter_opcode_notimp.rpl ` in deckard, branch `unknown-opcode`
blocks deckard#11
2019 Q1

https://gitlab.nic.cz/knot/knot-resolver/-/issues/231
non-empty answers with SERVFAIL
2019-03-23T12:29:52+01:00
Vladimír Čunát vladimir.cunat@nic.cz

It currently happens only in some cases. See https://gitlab.labs.nic.cz/knot/knot-resolver/merge_requests/343#note_51832
- [ ] investigate/decide how exactly the answers can/shall look like. Special case to note: [CNAME chains broken somewhere later](https://tools.ietf.org/html/rfc6604#section-3).
- [ ] implement.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/234
RFC 6672: DNAME support
2020-04-27T15:23:29+02:00
Vladimír Čunát vladimir.cunat@nic.cz

https://tools.ietf.org/html/rfc6672 Mainly their validation doesn't work probably; the mandatory CNAMEs should make DNAMEs work on unsigned domains.
Related: #108, as DNAMEs are another way of generating RRs that haven't been seen.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/236
kresd crashes when network configuration changes
2017-10-06T15:09:12+02:00
Jan Včelák

Environment: Turris 1.3.1 on Turris Omnia
Sorry for vague description but this is all I have. My ISP had an outage and IP configuration on WAN disappeared for ~10 minutes. When they recovered, kresd was not running any longer. I guess the daemon had to crash as a result of network configuration change on the WAN interface. I don't have any logs that would prove that.
Config:
```
root@turris:~# ps w | grep kresd
10169 root 212m S /usr/bin/kresd -c /tmp/kresd.config -f 1 /tmp/kresd -a 0.0.0.0 53 -a :: 53 -k /etc/root.keys
10485 root 1088 S grep kresd
root@turris:~# cat /tmp/kresd.config
--Automatically generated file; DO NOT EDIT
modules = {
'hints > iterate'
, 'policy'
, 'stats'
, predict = {
window = 30 -- 30 minutes sampling window
, period = 24*(60/30) -- track last 24 hours
}
}
hints.config('/tmp/kresd/hints.tmp')
net.bufsize(4096)
net.ipv4=true
net.ipv6=false
cache.open(200*MB)
cache.clear()
```
Jan Pavlinec

https://gitlab.nic.cz/knot/knot-resolver/-/issues/237
kresd crashes if run from a shellscript in interactive mode
2018-12-10T17:28:12+01:00
Libor Peltan

When I prepare a shell script like this:
```
#!/bin/bash
kresd -c rolltest.resolver.conf &
while true; do sleep 1; done
```
It ends up kresd crashing:
```
dnsbench@knot-lroot:~$ ./test.sh
[ ta ]: new trust anchor state:
. 10 DS 42362 8 2 2C1EC36EEC516C47DD3AEFF9905B46500194649902C1986DF7DB0F3B110DA9AD
[system] interactive mode
> ./test.sh: line 5: 61109 Aborted (core dumped) kresd -c rolltest.resolver.conf
^C
```
A workaround: running kresd in non-interactive mode (option `-f 1`).
Štěpán Balážik

https://gitlab.nic.cz/knot/knot-resolver/-/issues/141
Resolution of `*.cloudfiles.rackspacecloud.com. IN A` fails with SERVFAIL
2017-08-22T13:33:34+02:00
Ondřej Surý

```
>> c0388858.cdn2.cloudfiles.rackspacecloud.com. IN A <<
> knot | bind:
rcode: 2 | 0
> differ: Count of responses.
;ANSWER [1]
ANSWER [2]
a1383.dscg10.akamai.net. IN A 2.21.74.33
a1383.dscg10.akamai.net. IN A 2.21.74.51
-------------^ knot | bind ^------------------
>> c0388858.cdn2.cloudfiles.rackspacecloud.com. IN A <<
> knot | unbound:
rcode: 2 | 0
> differ: Count of responses.
;ANSWER [1]
ANSWER [2]
a1383.dscg10.akamai.net. IN A 2.21.74.33
a1383.dscg10.akamai.net. IN A 2.21.74.51
-------------^ knot | unbound ^------------------
```
```
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 25787
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION:
;; c0388858.cdn2.cloudfiles.rackspacecloud.com. IN A
;; Received 72 B
;; Time 2017-01-24 13:48:24 CET
;; From ::1@38267(UDP) in 1719.0 ms
```
clear cache log:
```
[ 0][plan] plan 'c0388858.cdn2.cloudfiles.rackspacecloud.com.' type 'A'
[56954][iter] 'c0388858.cdn2.cloudfiles.rackspacecloud.com.' type 'A' id was assigned, parent id 0
[56954][resl] => using root hints
[44674][iter] 'c0388858.cdn2.cloudfiles.rackspacecloud.com.' type 'A' id was assigned, parent id 0
[44674][plan] plan '.' type 'DNSKEY'
[30973][iter] '.' type 'DNSKEY' id was assigned, parent id 44674
[30973][resl] => querying: '2001:dc3::35' score: 10 zone cut: '.' m12n: '.' type: 'DNSKEY' proto: 'udp'
[30973][iter] <= rcode: NOERROR
[30973][vldr] <= parent: updating DNSKEY
[30973][vldr] <= answer valid, OK
[30973][resl] <= server: '2001:dc3::35' rtt: 18 ms
[29982][iter] 'c0388858.cdn2.cloudfiles.rackspacecloud.com.' type 'A' id was assigned, parent id 0
[29982][resl] => querying: '2001:500:9f::42' score: 10 zone cut: '.' m12n: 'cOm.' type: 'NS' proto: 'udp'
[29982][iter] <= using glue for 'a.gtld-servers.net.': '192.5.6.30'
[29982][iter] <= using glue for 'a.gtld-servers.net.': '2001:503:a83e::2:30'
[29982][iter] <= using glue for 'b.gtld-servers.net.': '192.33.14.30'
[29982][iter] <= using glue for 'b.gtld-servers.net.': '2001:503:231d::2:30'
[29982][iter] <= using glue for 'c.gtld-servers.net.': '192.26.92.30'
[29982][iter] <= using glue for 'd.gtld-servers.net.': '192.31.80.30'
[29982][iter] <= using glue for 'e.gtld-servers.net.': '192.12.94.30'
[29982][iter] <= using glue for 'f.gtld-servers.net.': '192.35.51.30'
[29982][iter] <= using glue for 'g.gtld-servers.net.': '192.42.93.30'
[29982][iter] <= using glue for 'h.gtld-servers.net.': '192.54.112.30'
[29982][iter] <= using glue for 'i.gtld-servers.net.': '192.43.172.30'
[29982][iter] <= using glue for 'j.gtld-servers.net.': '192.48.79.30'
[29982][iter] <= using glue for 'k.gtld-servers.net.': '192.52.178.30'
[29982][iter] <= using glue for 'l.gtld-servers.net.': '192.41.162.30'
[29982][iter] <= using glue for 'm.gtld-servers.net.': '192.55.83.30'
[29982][iter] <= referral response, follow
[29982][vldr] <= DS: OK
[29982][vldr] <= answer valid, OK
[29982][resl] <= server: '2001:500:9f::42' rtt: 1 ms
[22599][iter] 'c0388858.cdn2.cloudfiles.rackspacecloud.com.' type 'A' id was assigned, parent id 0
[22599][plan] plan 'com.' type 'DNSKEY'
[ 9678][iter] 'com.' type 'DNSKEY' id was assigned, parent id 22599
[ 9678][resl] => querying: '192.55.83.30' score: 10 zone cut: 'com.' m12n: 'COm.' type: 'DNSKEY' proto: 'udp'
[ 9678][iter] <= rcode: NOERROR
[ 9678][vldr] <= parent: updating DNSKEY
[ 9678][vldr] <= answer valid, OK
[ 9678][resl] <= server: '192.55.83.30' rtt: 34 ms
[49039][iter] 'c0388858.cdn2.cloudfiles.rackspacecloud.com.' type 'A' id was assigned, parent id 0
[49039][resl] => querying: '192.41.162.30' score: 10 zone cut: 'com.' m12n: 'rACkSPACecLouD.cOM.' type: 'NS' proto: 'udp'
[49039][iter] <= using glue for 'ns2.rackspace.com.': '65.61.188.4'
[49039][iter] <= using glue for 'ns.rackspace.com.': '69.20.95.4'
[49039][iter] <= referral response, follow
[49039][vldr] <= DS doesn't exist, going insecure
[49039][vldr] <= answer valid, OK
[49039][resl] <= server: '192.41.162.30' rtt: 115 ms
[51213][iter] 'c0388858.cdn2.cloudfiles.rackspacecloud.com.' type 'A' id was assigned, parent id 0
[51213][resl] => querying: '65.61.188.4' score: 10 zone cut: 'rackspacecloud.com.' m12n: 'CLoUDFIleS.RacKsPAcECloUD.cOM.' type: 'NS' proto: 'udp'
[51213][iter] <= referral response, follow
[51213][resl] <= server: '65.61.188.4' rtt: 31 ms
[33844][iter] 'c0388858.cdn2.cloudfiles.rackspacecloud.com.' type 'A' id was assigned, parent id 0
[33844][plan] plan 'www-gtm-ord1.rackspace.com.' type 'AAAA'
[62064][iter] 'www-gtm-ord1.rackspace.com.' type 'AAAA' id was assigned, parent id 33844
[58017][iter] 'www-gtm-ord1.rackspace.com.' type 'AAAA' id was assigned, parent id 33844
[58017][plan] plan 'm.gtld-servers.net.' type 'AAAA'
[45856][iter] 'm.gtld-servers.net.' type 'AAAA' id was assigned, parent id 58017
[45856][resl] => using root hints
[ 4235][iter] 'm.gtld-servers.net.' type 'AAAA' id was assigned, parent id 58017
[ 4235][resl] >< TA: '.'
[ 4235][plan] plan '.' type 'DNSKEY'
[33383][iter] '.' type 'DNSKEY' id was assigned, parent id 4235
[33383][ rc ] => satisfied from cache
[33383][iter] <= rcode: NOERROR
[33383][vldr] <= parent: updating DNSKEY
[33383][vldr] <= answer valid, OK
[53600][iter] 'm.gtld-servers.net.' type 'AAAA' id was assigned, parent id 58017
[53600][resl] => querying: '2001:7fd::1' score: 10 zone cut: '.' m12n: 'NeT.' type: 'NS' proto: 'udp'
[53600][iter] <= using glue for 'a.gtld-servers.net.': '192.5.6.30'
[53600][iter] <= using glue for 'a.gtld-servers.net.': '2001:503:a83e::2:30'
[53600][iter] <= using glue for 'b.gtld-servers.net.': '192.33.14.30'
[53600][iter] <= using glue for 'b.gtld-servers.net.': '2001:503:231d::2:30'
[53600][iter] <= using glue for 'c.gtld-servers.net.': '192.26.92.30'
[53600][iter] <= using glue for 'd.gtld-servers.net.': '192.31.80.30'
[53600][iter] <= using glue for 'e.gtld-servers.net.': '192.12.94.30'
[53600][iter] <= using glue for 'f.gtld-servers.net.': '192.35.51.30'
[53600][iter] <= using glue for 'g.gtld-servers.net.': '192.42.93.30'
[53600][iter] <= using glue for 'h.gtld-servers.net.': '192.54.112.30'
[53600][iter] <= using glue for 'i.gtld-servers.net.': '192.43.172.30'
[53600][iter] <= using glue for 'j.gtld-servers.net.': '192.48.79.30'
[53600][iter] <= using glue for 'k.gtld-servers.net.': '192.52.178.30'
[53600][iter] <= using glue for 'l.gtld-servers.net.': '192.41.162.30'
[53600][iter] <= using glue for 'm.gtld-servers.net.': '192.55.83.30'
[53600][iter] <= referral response, follow
[53600][vldr] <= DS: OK
[53600][vldr] <= answer valid, OK
[53600][resl] <= server: '2001:7fd::1' rtt: 5 ms
[63179][iter] 'm.gtld-servers.net.' type 'AAAA' id was assigned, parent id 58017
[63179][plan] plan 'net.' type 'DNSKEY'
[64080][iter] 'net.' type 'DNSKEY' id was assigned, parent id 63179
[64080][resl] => querying: '192.52.178.30' score: 10 zone cut: 'net.' m12n: 'neT.' type: 'DNSKEY' proto: 'udp'
[64080][resl] => querying: '192.48.79.30' score: 10 zone cut: 'net.' m12n: 'neT.' type: 'DNSKEY' proto: 'udp'
[64080][iter] <= rcode: NOERROR
[64080][vldr] <= parent: updating DNSKEY
[64080][vldr] <= answer valid, OK
[64080][resl] <= server: '192.52.178.30' rtt: 264 ms
[64080][resl] <= server: '192.48.79.30' rtt: >=14 ms
[43576][iter] 'm.gtld-servers.net.' type 'AAAA' id was assigned, parent id 58017
[43576][resl] => querying: '192.43.172.30' score: 10 zone cut: 'net.' m12n: 'gtld-seRVeRs.NeT.' type: 'NS' proto: 'udp'
[43576][iter] <= referral response, follow
[43576][vldr] <= DS doesn't exist, going insecure
[43576][vldr] <= parent: updating DS
[43576][vldr] <= answer valid, OK
[43576][resl] <= server: '192.43.172.30' rtt: 28 ms
[27496][iter] 'm.gtld-servers.net.' type 'AAAA' id was assigned, parent id 58017
[27496][plan] plan 'av4.nstld.com.' type 'AAAA'
[27534][iter] 'av4.nstld.com.' type 'AAAA' id was assigned, parent id 27496
[22969][iter] 'av4.nstld.com.' type 'AAAA' id was assigned, parent id 27496
[22969][resl] => querying: '192.54.112.30' score: 10 zone cut: 'com.' m12n: 'nsTLd.COm.' type: 'NS' proto: 'udp'
[22969][iter] <= using glue for 'av1.nstld.com.': '192.42.177.30'
[22969][iter] <= using glue for 'av1.nstld.com.': '2001:500:124::30'
[22969][iter] <= using glue for 'av2.nstld.com.': '192.42.178.30'
[22969][iter] <= using glue for 'av2.nstld.com.': '2001:500:125::30'
[22969][iter] <= using glue for 'av3.nstld.com.': '192.82.133.30'
[22969][iter] <= using glue for 'av3.nstld.com.': '2001:500:126::30'
[22969][iter] <= using glue for 'av4.nstld.com.': '192.82.134.30'
[22969][iter] <= using glue for 'av4.nstld.com.': '2001:500:127::30'
[22969][iter] <= referral response, follow
[22969][resl] <= server: '192.54.112.30' rtt: 28 ms
[10652][iter] 'av4.nstld.com.' type 'AAAA' id was assigned, parent id 27496
[10652][resl] => querying: '2001:500:127::30' score: 10 zone cut: 'nstld.com.' m12n: 'aV4.nSTLd.cOM.' type: 'AAAA' proto: 'udp'
[10652][iter] <= using glue for 'av3.nstld.com.': '192.82.133.30'
[10652][iter] <= using glue for 'av3.nstld.com.': '2001:500:126::30'
[10652][iter] <= using glue for 'av1.nstld.com.': '192.42.177.30'
[10652][iter] <= using glue for 'av1.nstld.com.': '2001:500:124::30'
[10652][iter] <= using glue for 'av4.nstld.com.': '2001:500:127::30'
[10652][iter] <= using glue for 'av4.nstld.com.': '192.82.134.30'
[10652][iter] <= using glue for 'av2.nstld.com.': '192.42.178.30'
[10652][iter] <= using glue for 'av2.nstld.com.': '2001:500:125::30'
[10652][iter] <= rcode: NOERROR
[10652][resl] <= server: '2001:500:127::30' rtt: 19 ms
[61253][iter] 'm.gtld-servers.net.' type 'AAAA' id was assigned, parent id 58017
[61253][resl] => querying: '2001:500:127::30' score: 19 zone cut: 'gtld-servers.net.' m12n: 'M.gTld-SERVerS.NEt.' type: 'AAAA' proto: 'udp'
[61253][iter] <= rcode: NOERROR
[61253][ pc ] => answer cached for TTL=900
[61253][resl] <= server: '2001:500:127::30' rtt: 18 ms
[51040][iter] 'www-gtm-ord1.rackspace.com.' type 'AAAA' id was assigned, parent id 33844
[51040][plan] plan 'm.gtld-servers.net.' type 'A'
[26418][iter] 'm.gtld-servers.net.' type 'A' id was assigned, parent id 51040
[26418][ rc ] => satisfied from cache
[26418][iter] <= rcode: NOERROR
[26418][vldr] <= cached insecure response, going insecure
[12543][iter] 'www-gtm-ord1.rackspace.com.' type 'AAAA' id was assigned, parent id 33844
[12543][resl] => querying: '192.55.83.30' score: 34 zone cut: 'com.' m12n: 'racKSPaCe.COm.' type: 'NS' proto: 'udp'
[12543][iter] <= using glue for 'ns2.rackspace.com.': '65.61.188.4'
[12543][iter] <= using glue for 'ns.rackspace.com.': '69.20.95.4'
[12543][iter] <= referral response, follow
[12543][resl] <= server: '192.55.83.30' rtt: 34 ms
[60529][iter] 'www-gtm-ord1.rackspace.com.' type 'AAAA' id was assigned, parent id 33844
[60529][resl] => querying: '69.20.95.4' score: 10 zone cut: 'rackspace.com.' m12n: 'wWW-gTM-oRD1.raCksPAcE.CoM.' type: 'AAAA' proto: 'udp'
[60529][iter] <= rcode: NOERROR
[60529][ pc ] => answer cached for TTL=300
[60529][resl] <= server: '69.20.95.4' rtt: 107 ms
[56516][iter] 'c0388858.cdn2.cloudfiles.rackspacecloud.com.' type 'A' id was assigned, parent id 0
[56516][plan] plan 'www-gtm-ord1.rackspace.com.' type 'A'
[ 4871][iter] 'www-gtm-ord1.rackspace.com.' type 'A' id was assigned, parent id 56516
[ 3085][iter] 'www-gtm-ord1.rackspace.com.' type 'A' id was assigned, parent id 56516
[ 3085][resl] => querying: '65.61.188.4' score: 31 zone cut: 'rackspace.com.' m12n: 'WWw-gtm-OrD1.RAckSPACE.CoM.' type: 'A' proto: 'udp'
[ 3085][iter] <= using glue for 'ns2.rackspace.com.': '65.61.188.4'
[ 3085][iter] <= using glue for 'ns.rackspace.com.': '69.20.95.4'
[ 3085][iter] <= rcode: NOERROR
[ 3085][resl] <= server: '65.61.188.4' rtt: 27 ms
[41180][iter] 'c0388858.cdn2.cloudfiles.rackspacecloud.com.' type 'A' id was assigned, parent id 0
[41180][resl] => querying: '173.203.44.119' score: 10 zone cut: 'wip.rackspacecloud.com.' m12n: 'cdN2.CLoudfileS.rACkSPacECLoud.com.' type: 'NS' proto: 'udp'
[41180][iter] <= rcode: REFUSED
[41180][resl] <= server: '173.203.44.119' rtt: 121 ms
[52045][iter] 'c0388858.cdn2.cloudfiles.rackspacecloud.com.' type 'A' id was assigned, parent id 0
[52045][resl] => querying: '173.203.44.119' score: 221 zone cut: 'wip.rackspacecloud.com.' m12n: 'c0388858.Cdn2.CLOuDfiLes.RacksPAceCloUd.COm.' type: 'A' proto: 'udp'
[52045][iter] <= rcode: REFUSED
[52045][resl] <= server: '173.203.44.119' rtt: 118 ms
[58945][iter] 'c0388858.cdn2.cloudfiles.rackspacecloud.com.' type 'A' id was assigned, parent id 0
[58945][resl] => querying: '173.203.44.119' score: 269 zone cut: 'wip.rackspacecloud.com.' m12n: 'C0388858.cDn2.cLOudFIlEs.RAcKspACecLOUd.CoM.' type: 'A' proto: 'udp'
[58945][iter] <= rcode: REFUSED
[58945][resl] <= server: '173.203.44.119' rtt: 119 ms
[ 1543][iter] 'c0388858.cdn2.cloudfiles.rackspacecloud.com.' type 'A' id was assigned, parent id 0
[ 1543][resl] => querying: '173.203.44.119' score: 294 zone cut: 'wip.rackspacecloud.com.' m12n: 'C0388858.CDN2.clOUDfiLeS.RAckSpaCeclOUd.COM.' type: 'A' proto: 'udp'
[ 1543][iter] <= rcode: REFUSED
[ 1543][resl] => server: '173.203.44.119' flagged as 'bad'
[34164][iter] 'c0388858.cdn2.cloudfiles.rackspacecloud.com.' type 'A' id was assigned, parent id 0
[34164][resl] => unresolvable NS address, bailing out
[34164][plan] plan 'www-gtm-iad2.rackspace.com.' type 'AAAA'
[ 5083][iter] 'www-gtm-iad2.rackspace.com.' type 'AAAA' id was assigned, parent id 34164
[32261][iter] 'www-gtm-iad2.rackspace.com.' type 'AAAA' id was assigned, parent id 34164
[32261][resl] => querying: '65.61.188.4' score: 29 zone cut: 'rackspace.com.' m12n: 'wWw-Gtm-iaD2.RACksPAcE.COM.' type: 'AAAA' proto: 'udp'
[32261][iter] <= rcode: NOERROR
[32261][ pc ] => answer cached for TTL=300
[32261][resl] <= server: '65.61.188.4' rtt: 35 ms
[ 1144][iter] 'c0388858.cdn2.cloudfiles.rackspacecloud.com.' type 'A' id was assigned, parent id 0
[ 1144][plan] plan 'www-gtm-iad2.rackspace.com.' type 'A'
[56948][iter] 'www-gtm-iad2.rackspace.com.' type 'A' id was assigned, parent id 1144
[ 4816][iter] 'www-gtm-iad2.rackspace.com.' type 'A' id was assigned, parent id 1144
[ 4816][resl] => querying: '65.61.188.4' score: 32 zone cut: 'rackspace.com.' m12n: 'WWw-GtM-iAD2.rACKSpACe.coM.' type: 'A' proto: 'udp'
[ 4816][iter] <= using glue for 'ns2.rackspace.com.': '65.61.188.4'
[ 4816][iter] <= using glue for 'ns.rackspace.com.': '69.20.95.4'
[ 4816][iter] <= rcode: NOERROR
[ 4816][resl] <= server: '65.61.188.4' rtt: 27 ms
[23391][iter] 'c0388858.cdn2.cloudfiles.rackspacecloud.com.' type 'A' id was assigned, parent id 0
[23391][resl] => querying: '207.97.206.40' score: 10 zone cut: 'wip.rackspacecloud.com.' m12n: 'c0388858.Cdn2.clOUDfiLEs.racKspaceClOuD.COm.' type: 'A' proto: 'udp'
[23391][iter] <= rcode: REFUSED
[23391][resl] <= server: '207.97.206.40' rtt: 107 ms
[15551][iter] 'c0388858.cdn2.cloudfiles.rackspacecloud.com.' type 'A' id was assigned, parent id 0
[15551][resl] => querying: '207.97.206.40' score: 207 zone cut: 'wip.rackspacecloud.com.' m12n: 'C0388858.cDn2.clouDfilES.RAcKSpACEcloUD.CoM.' type: 'A' proto: 'udp'
[15551][iter] <= rcode: REFUSED
[15551][resl] <= server: '207.97.206.40' rtt: 108 ms
[56069][iter] 'c0388858.cdn2.cloudfiles.rackspacecloud.com.' type 'A' id was assigned, parent id 0
[56069][resl] => querying: '207.97.206.40' score: 257 zone cut: 'wip.rackspacecloud.com.' m12n: 'c0388858.CDN2.ClouDFiles.RaCkspAceCloud.cOM.' type: 'A' proto: 'udp'
[56069][iter] <= rcode: REFUSED
[56069][resl] <= server: '207.97.206.40' rtt: 111 ms
[62422][iter] 'c0388858.cdn2.cloudfiles.rackspacecloud.com.' type 'A' id was assigned, parent id 0
[62422][resl] => querying: '207.97.206.40' score: 284 zone cut: 'wip.rackspacecloud.com.' m12n: 'C0388858.cDn2.ClOuDfIles.RaCkSpaCECLouD.CoM.' type: 'A' proto: 'udp'
[62422][iter] <= rcode: REFUSED
[62422][resl] => server: '207.97.206.40' flagged as 'bad'
[24149][iter] 'c0388858.cdn2.cloudfiles.rackspacecloud.com.' type 'A' id was assigned, parent id 0
[24149][resl] => unresolvable NS address, bailing out
[24149][resl] => no valid NS left
[ 0][resl] finished: 8, queries: 12, mempool: 164000 B
```
1.2.2 patch release
Ivana Krumlova

https://gitlab.nic.cz/knot/knot-resolver/-/issues/138
Resolution of `supercore.s3.amazonaws.com.` fails with SERVFAIL
2017-08-22T13:33:34+02:00
Ondřej Surý

```
$ dig +dnssec +multi +time=60 +retry=1 -p 38267 @::1 supercore.s3.amazonaws.com.
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 39486
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; supercore.s3.amazonaws.com. IN A
;; Received 44 B
;; Time 2017-01-24 13:36:20 CET
;; From ::1@38267(UDP) in 580.0 ms
```
Clear cache log:
```
[ 0][plan] plan 'supercore.s3.amazonaws.com.' type 'A'
[48058][iter] 'supercore.s3.amazonaws.com.' type 'A' id was assigned, parent id 0
[48058][resl] => using root hints
[13001][iter] 'supercore.s3.amazonaws.com.' type 'A' id was assigned, parent id 0
[13001][plan] plan '.' type 'DNSKEY'
[12426][iter] '.' type 'DNSKEY' id was assigned, parent id 13001
[12426][resl] => querying: '2001:dc3::35' score: 10 zone cut: '.' m12n: '.' type: 'DNSKEY' proto: 'udp'
[12426][iter] <= rcode: NOERROR
[12426][vldr] <= parent: updating DNSKEY
[12426][vldr] <= answer valid, OK
[12426][resl] <= server: '2001:dc3::35' rtt: 19 ms
[19666][iter] 'supercore.s3.amazonaws.com.' type 'A' id was assigned, parent id 0
[19666][resl] => querying: '2001:dc3::35' score: 19 zone cut: '.' m12n: 'cOm.' type: 'NS' proto: 'udp'
[19666][iter] <= using glue for 'h.gtld-servers.net.': '192.54.112.30'
[19666][iter] <= using glue for 'f.gtld-servers.net.': '192.35.51.30'
[19666][iter] <= using glue for 'a.gtld-servers.net.': '192.5.6.30'
[19666][iter] <= using glue for 'a.gtld-servers.net.': '2001:503:a83e::2:30'
[19666][iter] <= using glue for 'e.gtld-servers.net.': '192.12.94.30'
[19666][iter] <= using glue for 'j.gtld-servers.net.': '192.48.79.30'
[19666][iter] <= using glue for 'b.gtld-servers.net.': '192.33.14.30'
[19666][iter] <= using glue for 'b.gtld-servers.net.': '2001:503:231d::2:30'
[19666][iter] <= using glue for 'd.gtld-servers.net.': '192.31.80.30'
[19666][iter] <= using glue for 'c.gtld-servers.net.': '192.26.92.30'
[19666][iter] <= using glue for 'm.gtld-servers.net.': '192.55.83.30'
[19666][iter] <= using glue for 'g.gtld-servers.net.': '192.42.93.30'
[19666][iter] <= using glue for 'i.gtld-servers.net.': '192.43.172.30'
[19666][iter] <= using glue for 'l.gtld-servers.net.': '192.41.162.30'
[19666][iter] <= using glue for 'k.gtld-servers.net.': '192.52.178.30'
[19666][iter] <= referral response, follow
[19666][vldr] <= DS: OK
[19666][vldr] <= answer valid, OK
[19666][resl] <= server: '2001:dc3::35' rtt: 19 ms
[19695][iter] 'supercore.s3.amazonaws.com.' type 'A' id was assigned, parent id 0
[19695][plan] plan 'com.' type 'DNSKEY'
[39453][iter] 'com.' type 'DNSKEY' id was assigned, parent id 19695
[39453][resl] => querying: '192.55.83.30' score: 10 zone cut: 'com.' m12n: 'com.' type: 'DNSKEY' proto: 'udp'
[39453][iter] <= rcode: NOERROR
[39453][vldr] <= parent: updating DNSKEY
[39453][vldr] <= answer valid, OK
[39453][resl] <= server: '192.55.83.30' rtt: 35 ms
[ 5358][iter] 'supercore.s3.amazonaws.com.' type 'A' id was assigned, parent id 0
[ 5358][resl] => querying: '192.41.162.30' score: 10 zone cut: 'com.' m12n: 'AmAzOnaWS.COM.' type: 'NS' proto: 'udp'
[ 5358][iter] <= using glue for 'u1.amazonaws.com.': '156.154.64.10'
[ 5358][iter] <= using glue for 'u2.amazonaws.com.': '156.154.65.10'
[ 5358][iter] <= using glue for 'r1.amazonaws.com.': '205.251.192.27'
[ 5358][iter] <= using glue for 'r2.amazonaws.com.': '205.251.195.199'
[ 5358][iter] <= referral response, follow
[ 5358][vldr] <= DS doesn't exist, going insecure
[ 5358][vldr] <= answer valid, OK
[ 5358][resl] <= server: '192.41.162.30' rtt: 115 ms
[17677][iter] 'supercore.s3.amazonaws.com.' type 'A' id was assigned, parent id 0
[17677][resl] => querying: '156.154.65.10' score: 10 zone cut: 'amazonaws.com.' m12n: 's3.aMAZONAwS.Com.' type: 'NS' proto: 'udp'
[17677][iter] <= referral response, follow
[17677][resl] <= server: '156.154.65.10' rtt: 16 ms
[60967][iter] 'supercore.s3.amazonaws.com.' type 'A' id was assigned, parent id 0
[60967][plan] plan 'ns-1726.awsdns-23.co.uk.' type 'AAAA'
[ 9404][iter] 'ns-1726.awsdns-23.co.uk.' type 'AAAA' id was assigned, parent id 60967
[ 9404][resl] => using root hints
[27743][iter] 'ns-1726.awsdns-23.co.uk.' type 'AAAA' id was assigned, parent id 60967
[27743][resl] >< TA: '.'
[27743][plan] plan '.' type 'DNSKEY'
[38153][iter] '.' type 'DNSKEY' id was assigned, parent id 27743
[38153][ rc ] => satisfied from cache
[38153][iter] <= rcode: NOERROR
[38153][vldr] <= parent: updating DNSKEY
[38153][vldr] <= answer valid, OK
[43424][iter] 'ns-1726.awsdns-23.co.uk.' type 'AAAA' id was assigned, parent id 60967
[43424][resl] => querying: '2001:500:9f::42' score: 10 zone cut: '.' m12n: 'UK.' type: 'NS' proto: 'udp'
[43424][iter] <= using glue for 'nsa.nic.uk.': '156.154.100.3'
[43424][iter] <= using glue for 'nsa.nic.uk.': '2001:502:ad09::3'
[43424][iter] <= using glue for 'nsb.nic.uk.': '156.154.101.3'
[43424][iter] <= using glue for 'nsc.nic.uk.': '156.154.102.3'
[43424][iter] <= using glue for 'nsd.nic.uk.': '156.154.103.3'
[43424][iter] <= using glue for 'dns1.nic.uk.': '213.248.216.1'
[43424][iter] <= using glue for 'dns1.nic.uk.': '2a01:618:400::1'
[43424][iter] <= using glue for 'dns2.nic.uk.': '103.49.80.1'
[43424][iter] <= using glue for 'dns2.nic.uk.': '2401:fd80:400::1'
[43424][iter] <= using glue for 'dns3.nic.uk.': '213.248.220.1'
[43424][iter] <= using glue for 'dns3.nic.uk.': '2a01:618:404::1'
[43424][iter] <= using glue for 'dns4.nic.uk.': '43.230.48.1'
[43424][iter] <= using glue for 'dns4.nic.uk.': '2401:fd80:404::1'
[43424][iter] <= referral response, follow
[43424][vldr] <= DS: OK
[43424][vldr] <= answer valid, OK
[43424][resl] <= server: '2001:500:9f::42' rtt: 2 ms
[32969][iter] 'ns-1726.awsdns-23.co.uk.' type 'AAAA' id was assigned, parent id 60967
[32969][plan] plan 'uk.' type 'DNSKEY'
[11309][iter] 'uk.' type 'DNSKEY' id was assigned, parent id 32969
[11309][resl] => querying: '2401:fd80:404::1' score: 10 zone cut: 'uk.' m12n: 'uk.' type: 'DNSKEY' proto: 'udp'
[11309][iter] <= rcode: NOERROR
[11309][vldr] <= parent: updating DNSKEY
[11309][vldr] <= answer valid, OK
[11309][resl] <= server: '2401:fd80:404::1' rtt: 19 ms
[17293][iter] 'ns-1726.awsdns-23.co.uk.' type 'AAAA' id was assigned, parent id 60967
[17293][resl] => querying: '2a01:618:404::1' score: 10 zone cut: 'uk.' m12n: 'co.uK.' type: 'NS' proto: 'udp'
[17293][iter] <= rcode: NOERROR
[17293][iter] <= found cut, retrying with non-minimized name
[17293][resl] <= server: '2a01:618:404::1' rtt: 18 ms
[56151][iter] 'ns-1726.awsdns-23.co.uk.' type 'AAAA' id was assigned, parent id 60967
[56151][resl] => querying: '2401:fd80:400::1' score: 10 zone cut: 'uk.' m12n: 'Ns-1726.AWsDNs-23.Co.uK.' type: 'AAAA' proto: 'udp'
[56151][iter] <= using glue for 'g-ns-343.awsdns-23.co.uk.': '205.251.193.87'
[56151][iter] <= using glue for 'g-ns-919.awsdns-23.co.uk.': '205.251.195.151'
[56151][iter] <= using glue for 'g-ns-1498.awsdns-23.co.uk.': '205.251.197.218'
[56151][iter] <= using glue for 'g-ns-1819.awsdns-23.co.uk.': '205.251.199.27'
[56151][iter] <= referral response, follow
[56151][vldr] >< cut changed (new signer), needs revalidation
[56151][resl] <= server: '2401:fd80:400::1' rtt: 29 ms
[56151][plan] plan 'co.uk.' type 'DS'
[23696][iter] 'co.uk.' type 'DS' id was assigned, parent id 56151
[24246][iter] 'co.uk.' type 'DS' id was assigned, parent id 56151
[24246][resl] => querying: '2a01:618:400::1' score: 10 zone cut: 'uk.' m12n: 'cO.uK.' type: 'DS' proto: 'udp'
[24246][iter] <= rcode: NOERROR
[24246][resl] <= server: '2a01:618:400::1' rtt: 29 ms
[56151][plan] plan 'co.uk.' type 'DS'
[54876][iter] 'co.uk.' type 'DS' id was assigned, parent id 56151
[54876][ rc ] => satisfied from cache
[54876][iter] <= rcode: NOERROR
[54876][vldr] <= cached insecure response, going insecure
[56151][resl] => resuming yielded answer
[32610][iter] 'ns-1726.awsdns-23.co.uk.' type 'AAAA' id was assigned, parent id 60967
[32610][resl] => querying: '156.154.103.3' score: 10 zone cut: 'co.uk.' m12n: 'nS-1726.awsdnS-23.co.uk.' type: 'AAAA' proto: 'udp'
[32610][iter] <= using glue for 'g-ns-343.awsdns-23.co.uk.': '205.251.193.87'
[32610][iter] <= using glue for 'g-ns-1498.awsdns-23.co.uk.': '205.251.197.218'
[32610][iter] <= using glue for 'g-ns-919.awsdns-23.co.uk.': '205.251.195.151'
[32610][iter] <= using glue for 'g-ns-1819.awsdns-23.co.uk.': '205.251.199.27'
[32610][iter] <= referral response, follow
[32610][resl] <= server: '156.154.103.3' rtt: 21 ms
[ 7507][iter] 'ns-1726.awsdns-23.co.uk.' type 'AAAA' id was assigned, parent id 60967
[ 7507][resl] => querying: '205.251.199.27' score: 10 zone cut: 'awsdns-23.co.uk.' m12n: 'ns-1726.AWSDns-23.CO.UK.' type: 'AAAA' proto: 'udp'
[ 7507][iter] <= using glue for 'g-ns-1498.awsdns-23.co.uk.': '205.251.197.218'
[ 7507][iter] <= using glue for 'g-ns-1498.awsdns-23.co.uk.': '2600:9000:5305:da00::1'
[ 7507][iter] <= using glue for 'g-ns-1819.awsdns-23.co.uk.': '205.251.199.27'
[ 7507][iter] <= using glue for 'g-ns-1819.awsdns-23.co.uk.': '2600:9000:5307:1b00::1'
[ 7507][iter] <= using glue for 'g-ns-343.awsdns-23.co.uk.': '205.251.193.87'
[ 7507][iter] <= using glue for 'g-ns-343.awsdns-23.co.uk.': '2600:9000:5301:5700::1'
[ 7507][iter] <= using glue for 'g-ns-919.awsdns-23.co.uk.': '205.251.195.151'
[ 7507][iter] <= using glue for 'g-ns-919.awsdns-23.co.uk.': '2600:9000:5303:9700::1'
[ 7507][iter] <= rcode: NOERROR
[ 7507][resl] <= server: '205.251.199.27' rtt: 38 ms
[33647][iter] 'supercore.s3.amazonaws.com.' type 'A' id was assigned, parent id 0
[33647][resl] => querying: '2600:9000:5306:be00::1' score: 10 zone cut: 's3-1.amazonaws.com.' m12n: 'SuPErCore.S3.AMaZonAws.cOm.' type: 'A' proto: 'udp'
[33647][iter] <= rcode: REFUSED
[33647][resl] <= server: '2600:9000:5306:be00::1' rtt: 14 ms
[ 1013][iter] 'supercore.s3.amazonaws.com.' type 'A' id was assigned, parent id 0
[ 1013][resl] => querying: '2600:9000:5306:be00::1' score: 114 zone cut: 's3-1.amazonaws.com.' m12n: 'suPercORE.S3.AmAzOnAws.coM.' type: 'A' proto: 'udp'
[ 1013][iter] <= rcode: REFUSED
[ 1013][resl] <= server: '2600:9000:5306:be00::1' rtt: 14 ms
[57855][iter] 'supercore.s3.amazonaws.com.' type 'A' id was assigned, parent id 0
[57855][resl] => querying: '2600:9000:5306:be00::1' score: 164 zone cut: 's3-1.amazonaws.com.' m12n: 'supErcOre.s3.AmazoNaWS.coM.' type: 'A' proto: 'udp'
[57855][iter] <= rcode: REFUSED
[57855][resl] <= server: '2600:9000:5306:be00::1' rtt: 13 ms
[27306][iter] 'supercore.s3.amazonaws.com.' type 'A' id was assigned, parent id 0
[27306][resl] => querying: '2600:9000:5306:be00::1' score: 188 zone cut: 's3-1.amazonaws.com.' m12n: 'SupeRcOre.s3.AmAzOnaWs.COM.' type: 'A' proto: 'udp'
[27306][iter] <= rcode: REFUSED
[27306][resl] => server: '2600:9000:5306:be00::1' flagged as 'bad'
[45229][iter] 'supercore.s3.amazonaws.com.' type 'A' id was assigned, parent id 0
[45229][plan] plan 'ns-1726.awsdns-23.co.uk.' type 'A'
[ 1731][iter] 'ns-1726.awsdns-23.co.uk.' type 'A' id was assigned, parent id 45229
[49901][iter] 'ns-1726.awsdns-23.co.uk.' type 'A' id was assigned, parent id 45229
[49901][resl] => querying: '2600:9000:5307:1b00::1' score: 10 zone cut: 'awsdns-23.co.uk.' m12n: 'nS-1726.AWsdnS-23.cO.Uk.' type: 'A' proto: 'udp'
[49901][iter] <= using glue for 'g-ns-1498.awsdns-23.co.uk.': '205.251.197.218'
[49901][iter] <= using glue for 'g-ns-1498.awsdns-23.co.uk.': '2600:9000:5305:da00::1'
[49901][iter] <= using glue for 'g-ns-1819.awsdns-23.co.uk.': '205.251.199.27'
[49901][iter] <= using glue for 'g-ns-1819.awsdns-23.co.uk.': '2600:9000:5307:1b00::1'
[49901][iter] <= using glue for 'g-ns-343.awsdns-23.co.uk.': '205.251.193.87'
[49901][iter] <= using glue for 'g-ns-343.awsdns-23.co.uk.': '2600:9000:5301:5700::1'
[49901][iter] <= using glue for 'g-ns-919.awsdns-23.co.uk.': '205.251.195.151'
[49901][iter] <= using glue for 'g-ns-919.awsdns-23.co.uk.': '2600:9000:5303:9700::1'
[49901][iter] <= rcode: NOERROR
[49901][resl] <= server: '2600:9000:5307:1b00::1' rtt: 15 ms
[ 5832][iter] 'supercore.s3.amazonaws.com.' type 'A' id was assigned, parent id 0
[ 5832][resl] => querying: '205.251.198.190' score: 10 zone cut: 's3-1.amazonaws.com.' m12n: 'suPERcORE.s3.AmAzonAws.coM.' type: 'A' proto: 'udp'
[ 5832][iter] <= rcode: REFUSED
[ 5832][resl] <= server: '205.251.198.190' rtt: 32 ms
[61034][iter] 'supercore.s3.amazonaws.com.' type 'A' id was assigned, parent id 0
[61034][resl] => querying: '205.251.198.190' score: 132 zone cut: 's3-1.amazonaws.com.' m12n: 'sUPercorE.S3.AmAZOnAws.Com.' type: 'A' proto: 'udp'
[61034][iter] <= rcode: REFUSED
[61034][resl] <= server: '205.251.198.190' rtt: 31 ms
[59107][iter] 'supercore.s3.amazonaws.com.' type 'A' id was assigned, parent id 0
[59107][resl] => querying: '205.251.198.190' score: 181 zone cut: 's3-1.amazonaws.com.' m12n: 'SUPERcoRe.s3.AMazonAWS.Com.' type: 'A' proto: 'udp'
[59107][iter] <= rcode: REFUSED
[59107][resl] <= server: '205.251.198.190' rtt: 37 ms
[46872][iter] 'supercore.s3.amazonaws.com.' type 'A' id was assigned, parent id 0
[46872][resl] => querying: '205.251.198.190' score: 209 zone cut: 's3-1.amazonaws.com.' m12n: 'sUPERCoRe.S3.amAZonaWs.coM.' type: 'A' proto: 'udp'
[46872][iter] <= rcode: REFUSED
[46872][resl] => server: '205.251.198.190' flagged as 'bad'
[13397][iter] 'supercore.s3.amazonaws.com.' type 'A' id was assigned, parent id 0
[13397][resl] => unresolvable NS address, bailing out
[13397][plan] plan 'ns-1084.awsdns-07.org.' type 'AAAA'
[18528][iter] 'ns-1084.awsdns-07.org.' type 'AAAA' id was assigned, parent id 13397
[18528][resl] => using root hints
[ 4069][iter] 'ns-1084.awsdns-07.org.' type 'AAAA' id was assigned, parent id 13397
[ 4069][resl] >< TA: '.'
[ 4069][plan] plan '.' type 'DNSKEY'
[59431][iter] '.' type 'DNSKEY' id was assigned, parent id 4069
[59431][ rc ] => satisfied from cache
[59431][iter] <= rcode: NOERROR
[59431][vldr] <= parent: updating DNSKEY
[59431][vldr] <= answer valid, OK
[51048][iter] 'ns-1084.awsdns-07.org.' type 'AAAA' id was assigned, parent id 13397
[51048][resl] => querying: '2001:7fd::1' score: 10 zone cut: '.' m12n: 'oRg.' type: 'NS' proto: 'udp'
[51048][iter] <= using glue for 'a0.org.afilias-nst.info.': '199.19.56.1'
[51048][iter] <= using glue for 'a0.org.afilias-nst.info.': '2001:500:e::1'
[51048][iter] <= using glue for 'a2.org.afilias-nst.info.': '199.249.112.1'
[51048][iter] <= using glue for 'a2.org.afilias-nst.info.': '2001:500:40::1'
[51048][iter] <= using glue for 'b0.org.afilias-nst.org.': '199.19.54.1'
[51048][iter] <= using glue for 'b0.org.afilias-nst.org.': '2001:500:c::1'
[51048][iter] <= using glue for 'b2.org.afilias-nst.org.': '199.249.120.1'
[51048][iter] <= using glue for 'b2.org.afilias-nst.org.': '2001:500:48::1'
[51048][iter] <= using glue for 'c0.org.afilias-nst.info.': '199.19.53.1'
[51048][iter] <= using glue for 'c0.org.afilias-nst.info.': '2001:500:b::1'
[51048][iter] <= using glue for 'd0.org.afilias-nst.org.': '199.19.57.1'
[51048][iter] <= using glue for 'd0.org.afilias-nst.org.': '2001:500:f::1'
[51048][iter] <= referral response, follow
[ 0][resl] finished: 8, queries: 9, mempool: 164000 B
```
1.2.0 release
Ivana Krumlova

https://gitlab.nic.cz/knot/knot-resolver/-/issues/131
pypi.fiber.consulting returns SERVFAIL on first try
2017-08-22T13:33:34+02:00
Ondřej Surý

Probably iteration limit or something like that:
Clean cache log:
```
[ 0][plan] plan 'pypi.fiber.consulting.' type 'A'
[23288][iter] 'pypi.fiber.consulting.' type 'A' id was assigned, parent id 0
[23288][resl] => using root hints
[47790][iter] 'pypi.fiber.consulting.' type 'A' id was assigned, parent id 0
[47790][plan] plan '.' type 'DNSKEY'
[10800][iter] '.' type 'DNSKEY' id was assigned, parent id 47790
[10800][resl] => querying: '2001:dc3::35' score: 10 zone cut: '.' m12n: '.' type: 'DNSKEY' proto: 'udp'
[10800][iter] <= rcode: NOERROR
[10800][vldr] <= parent: updating DNSKEY
[10800][vldr] <= answer valid, OK
[10800][resl] <= server: '2001:dc3::35' rtt: 19 ms
[24754][iter] 'pypi.fiber.consulting.' type 'A' id was assigned, parent id 0
[24754][resl] => querying: '2001:500:9f::42' score: 10 zone cut: '.' m12n: 'COnsULTIng.' type: 'NS' proto: 'udp'
[24754][iter] <= using glue for 'demand.beta.aridns.net.au.': '37.209.194.7'
[24754][iter] <= using glue for 'demand.beta.aridns.net.au.': '2001:dcd:2::7'
[24754][iter] <= using glue for 'demand.alpha.aridns.net.au.': '37.209.192.7'
[24754][iter] <= using glue for 'demand.alpha.aridns.net.au.': '2001:dcd:1::7'
[24754][iter] <= using glue for 'demand.delta.aridns.net.au.': '37.209.198.7'
[24754][iter] <= using glue for 'demand.delta.aridns.net.au.': '2001:dcd:4::7'
[24754][iter] <= using glue for 'demand.gamma.aridns.net.au.': '37.209.196.7'
[24754][iter] <= using glue for 'demand.gamma.aridns.net.au.': '2001:dcd:3::7'
[24754][iter] <= referral response, follow
[24754][vldr] <= DS: OK
[24754][vldr] <= answer valid, OK
[24754][resl] <= server: '2001:500:9f::42' rtt: 1 ms
[ 1704][iter] 'pypi.fiber.consulting.' type 'A' id was assigned, parent id 0
[ 1704][plan] plan 'consulting.' type 'DNSKEY'
[16921][iter] 'consulting.' type 'DNSKEY' id was assigned, parent id 1704
[16921][resl] => querying: '2001:dcd:3::7' score: 10 zone cut: 'consulting.' m12n: 'CoNSULTiNg.' type: 'DNSKEY' proto: 'udp'
[16921][iter] <= rcode: NOERROR
[16921][vldr] <= parent: updating DNSKEY
[16921][vldr] <= answer valid, OK
[16921][resl] <= server: '2001:dcd:3::7' rtt: 15 ms
[59254][iter] 'pypi.fiber.consulting.' type 'A' id was assigned, parent id 0
[59254][resl] => querying: '2001:dcd:4::7' score: 10 zone cut: 'consulting.' m12n: 'fIBeR.CoNsUlting.' type: 'NS' proto: 'udp'
[59254][iter] <= referral response, follow
[59254][vldr] <= DS: OK
[59254][vldr] <= answer valid, OK
[59254][resl] <= server: '2001:dcd:4::7' rtt: 15 ms
[11692][iter] 'pypi.fiber.consulting.' type 'A' id was assigned, parent id 0
[11692][plan] plan 'fiber.consulting.' type 'DNSKEY'
[17671][iter] 'fiber.consulting.' type 'DNSKEY' id was assigned, parent id 11692
[17671][plan] plan 'ns2.h4ck.space.' type 'AAAA'
[ 6688][iter] 'ns2.h4ck.space.' type 'AAAA' id was assigned, parent id 17671
[ 6688][resl] => using root hints
[29600][iter] 'ns2.h4ck.space.' type 'AAAA' id was assigned, parent id 17671
[29600][plan] plan '.' type 'DNSKEY'
[36950][iter] '.' type 'DNSKEY' id was assigned, parent id 29600
[36950][ rc ] => satisfied from cache
[36950][iter] <= rcode: NOERROR
[36950][vldr] <= parent: updating DNSKEY
[36950][vldr] <= answer valid, OK
[61812][iter] 'ns2.h4ck.space.' type 'AAAA' id was assigned, parent id 17671
[61812][resl] => querying: '2001:7fd::1' score: 10 zone cut: '.' m12n: 'sPACe.' type: 'NS' proto: 'udp'
[61812][iter] <= using glue for 'a.nic.space.': '194.169.218.51'
[61812][iter] <= using glue for 'a.nic.space.': '2001:67c:13cc::1:51'
[61812][iter] <= using glue for 'b.nic.space.': '185.24.64.51'
[61812][iter] <= using glue for 'b.nic.space.': '2a04:2b00:13cc::1:51'
[61812][iter] <= using glue for 'c.nic.space.': '185.38.99.4'
[61812][iter] <= using glue for 'c.nic.space.': '2a02:e180:3::4'
[61812][iter] <= using glue for 'd.nic.space.': '108.59.161.4'
[61812][iter] <= using glue for 'd.nic.space.': '2a02:e180:4::4'
[61812][iter] <= referral response, follow
[61812][vldr] <= DS: OK
[61812][vldr] <= answer valid, OK
[61812][resl] <= server: '2001:7fd::1' rtt: 2 ms
[ 4807][iter] 'ns2.h4ck.space.' type 'AAAA' id was assigned, parent id 17671
[ 4807][plan] plan 'space.' type 'DNSKEY'
[34976][iter] 'space.' type 'DNSKEY' id was assigned, parent id 4807
[34976][resl] => querying: '2a02:e180:4::4' score: 10 zone cut: 'space.' m12n: 'SpAcE.' type: 'DNSKEY' proto: 'udp'
[34976][iter] <= rcode: NOERROR
[34976][vldr] <= parent: updating DNSKEY
[34976][vldr] <= answer valid, OK
[34976][resl] <= server: '2a02:e180:4::4' rtt: 21 ms
[65306][iter] 'ns2.h4ck.space.' type 'AAAA' id was assigned, parent id 17671
[65306][resl] => querying: '2a02:e180:3::4' score: 10 zone cut: 'space.' m12n: 'H4CK.Space.' type: 'NS' proto: 'udp'
[65306][iter] <= referral response, follow
[65306][vldr] <= DS doesn't exist, going insecure
[65306][vldr] <= parent: updating DS
[65306][vldr] <= answer valid, OK
[65306][resl] <= server: '2a02:e180:3::4' rtt: 99 ms
[25567][iter] 'ns2.h4ck.space.' type 'AAAA' id was assigned, parent id 17671
[25567][plan] plan 'c.dns.gandi.net.' type 'AAAA'
[45392][iter] 'c.dns.gandi.net.' type 'AAAA' id was assigned, parent id 25567
[45392][resl] => using root hints
[10763][iter] 'c.dns.gandi.net.' type 'AAAA' id was assigned, parent id 25567
[10763][resl] >< TA: '.'
[10763][plan] plan '.' type 'DNSKEY'
[16961][iter] '.' type 'DNSKEY' id was assigned, parent id 10763
[16961][ rc ] => satisfied from cache
[16961][iter] <= rcode: NOERROR
[16961][vldr] <= parent: updating DNSKEY
[16961][vldr] <= answer valid, OK
[19618][iter] 'c.dns.gandi.net.' type 'AAAA' id was assigned, parent id 25567
[19618][resl] => querying: '2001:503:c27::2:30' score: 10 zone cut: '.' m12n: 'nEt.' type: 'NS' proto: 'udp'
[19618][iter] <= using glue for 'a.gtld-servers.net.': '192.5.6.30'
[19618][iter] <= using glue for 'a.gtld-servers.net.': '2001:503:a83e::2:30'
[19618][iter] <= using glue for 'b.gtld-servers.net.': '192.33.14.30'
[19618][iter] <= using glue for 'b.gtld-servers.net.': '2001:503:231d::2:30'
[19618][iter] <= using glue for 'c.gtld-servers.net.': '192.26.92.30'
[19618][iter] <= using glue for 'd.gtld-servers.net.': '192.31.80.30'
[19618][iter] <= using glue for 'e.gtld-servers.net.': '192.12.94.30'
[19618][iter] <= using glue for 'f.gtld-servers.net.': '192.35.51.30'
[19618][iter] <= using glue for 'g.gtld-servers.net.': '192.42.93.30'
[19618][iter] <= using glue for 'h.gtld-servers.net.': '192.54.112.30'
[19618][iter] <= using glue for 'i.gtld-servers.net.': '192.43.172.30'
[19618][iter] <= using glue for 'j.gtld-servers.net.': '192.48.79.30'
[19618][iter] <= using glue for 'k.gtld-servers.net.': '192.52.178.30'
[19618][iter] <= using glue for 'l.gtld-servers.net.': '192.41.162.30'
[19618][iter] <= using glue for 'm.gtld-servers.net.': '192.55.83.30'
[19618][iter] <= referral response, follow
[19618][vldr] <= DS: OK
[19618][vldr] <= answer valid, OK
[19618][resl] <= server: '2001:503:c27::2:30' rtt: 16 ms
[12050][iter] 'c.dns.gandi.net.' type 'AAAA' id was assigned, parent id 25567
[12050][plan] plan 'net.' type 'DNSKEY'
[27336][iter] 'net.' type 'DNSKEY' id was assigned, parent id 12050
[27336][resl] => querying: '192.55.83.30' score: 10 zone cut: 'net.' m12n: 'NEt.' type: 'DNSKEY' proto: 'udp'
[27336][iter] <= rcode: NOERROR
[27336][vldr] <= parent: updating DNSKEY
[27336][vldr] <= answer valid, OK
[27336][resl] <= server: '192.55.83.30' rtt: 35 ms
[ 1255][iter] 'c.dns.gandi.net.' type 'AAAA' id was assigned, parent id 25567
[ 1255][resl] => querying: '192.41.162.30' score: 10 zone cut: 'net.' m12n: 'GANDi.NET.' type: 'NS' proto: 'udp'
[ 1255][iter] <= using glue for 'dns0.gandi.net.': '2001:4b98:d:1::39'
[ 1255][iter] <= using glue for 'dns0.gandi.net.': '217.70.177.39'
[ 1255][iter] <= using glue for 'dns1.gandi.net.': '2001:4b98:d:1::45'
[ 1255][iter] <= using glue for 'dns1.gandi.net.': '217.70.177.45'
[ 1255][iter] <= using glue for 'dns2.gandi.net.': '2001:4b98:d:589::211'
[ 1255][iter] <= using glue for 'dns2.gandi.net.': '217.70.183.211'
[ 1255][iter] <= using glue for 'dns3.gandi.net.': '2001:4b98:c:13::14'
[ 1255][iter] <= using glue for 'dns3.gandi.net.': '217.70.184.14'
[ 1255][iter] <= using glue for 'dns4.gandi.net.': '2001:4b98:dc2:90:217:70:186:184'
[ 1255][iter] <= using glue for 'dns4.gandi.net.': '217.70.186.184'
[ 1255][iter] <= referral response, follow
[ 1255][vldr] <= DS doesn't exist, going insecure
[ 1255][vldr] <= parent: updating DS
[ 1255][vldr] <= answer valid, OK
[ 1255][resl] <= server: '192.41.162.30' rtt: 115 ms
[19006][iter] 'c.dns.gandi.net.' type 'AAAA' id was assigned, parent id 25567
[19006][resl] => querying: '2001:4b98:dc2:90:217:70:186:184' score: 10 zone cut: 'gandi.net.' m12n: 'Dns.gANDi.NET.' type: 'NS' proto: 'udp'
[19006][iter] <= rcode: NOERROR
[19006][iter] <= found cut, retrying with non-minimized name
[19006][ pc ] => answer cached for TTL=900
[19006][resl] <= server: '2001:4b98:dc2:90:217:70:186:184' rtt: 18 ms
[58499][iter] 'c.dns.gandi.net.' type 'AAAA' id was assigned, parent id 25567
[58499][resl] => querying: '217.70.186.184' score: 10 zone cut: 'gandi.net.' m12n: 'c.dns.GANdI.nEt.' type: 'AAAA' proto: 'udp'
[58499][iter] <= using glue for 'dns4.gandi.net.': '217.70.186.184'
[58499][iter] <= using glue for 'dns4.gandi.net.': '2001:4b98:dc2:90:217:70:186:184'
[58499][iter] <= using glue for 'dns2.gandi.net.': '217.70.183.211'
[58499][iter] <= using glue for 'dns2.gandi.net.': '2001:4b98:d:589::211'
[58499][iter] <= using glue for 'dns0.gandi.net.': '217.70.177.39'
[58499][iter] <= using glue for 'dns0.gandi.net.': '2001:4b98:d:1::39'
[58499][iter] <= using glue for 'dns1.gandi.net.': '217.70.177.45'
[58499][iter] <= using glue for 'dns1.gandi.net.': '2001:4b98:d:1::45'
[58499][iter] <= using glue for 'dns3.gandi.net.': '217.70.184.14'
[58499][iter] <= using glue for 'dns3.gandi.net.': '2001:4b98:c:13::14'
[58499][iter] <= rcode: NOERROR
[58499][resl] <= server: '217.70.186.184' rtt: 15 ms
[34114][iter] 'ns2.h4ck.space.' type 'AAAA' id was assigned, parent id 17671
[34114][resl] => querying: '2604:3400:abcc::1' score: 10 zone cut: 'h4ck.space.' m12n: 'Ns2.h4CK.spAcE.' type: 'AAAA' proto: 'udp'
[34114][iter] <= rcode: NOERROR
[34114][iter] <= cname chain, following
[17671][plan] plan 'dns2.h4ck.space.' type 'AAAA'
[34114][resl] <= server: '2604:3400:abcc::1' rtt: 15 ms
[47406][iter] 'dns2.h4ck.space.' type 'AAAA' id was assigned, parent id 17671
[47406][ rc ] => satisfied from cache
[47406][iter] <= rcode: NOERROR
[47406][vldr] <= cached insecure response, going insecure
[18264][iter] 'fiber.consulting.' type 'DNSKEY' id was assigned, parent id 11692
[18264][plan] plan 'ns2.h4ck.space.' type 'A'
[54751][iter] 'ns2.h4ck.space.' type 'A' id was assigned, parent id 18264
[54751][ rc ] => satisfied from cache
[54751][iter] <= rcode: NOERROR
[54751][iter] <= cname chain, following
[18264][plan] plan 'dns2.h4ck.space.' type 'A'
[54751][vldr] <= cached insecure response, going insecure
[61256][iter] 'dns2.h4ck.space.' type 'A' id was assigned, parent id 18264
[61256][resl] => NS is provably without DS, going insecure
[ 5367][iter] 'dns2.h4ck.space.' type 'A' id was assigned, parent id 18264
[ 5367][resl] => querying: '2604:3400:abcc::1' score: 15 zone cut: 'h4ck.space.' m12n: 'dns2.H4cK.spacE.' type: 'A' proto: 'udp'
[ 5367][iter] <= rcode: NOERROR
[ 5367][resl] <= server: '2604:3400:abcc::1' rtt: 18 ms
[16899][iter] 'fiber.consulting.' type 'DNSKEY' id was assigned, parent id 11692
[16899][resl] => unresolvable NS address, bailing out
[16899][resl] => querying: '2a01:7a0:10:151:236:17:139:1' score: 10 zone cut: 'fiber.consulting.' m12n: 'fibEr.conSulTINg.' type: 'DNSKEY' proto: 'udp'
[16899][iter] <= rcode: NOERROR
[16899][vldr] <= parent: updating DNSKEY
[16899][vldr] <= answer valid, OK
[16899][resl] <= server: '2a01:7a0:10:151:236:17:139:1' rtt: 16 ms
[55906][iter] 'pypi.fiber.consulting.' type 'A' id was assigned, parent id 0
[55906][plan] plan 'ns2.h4ck.space.' type 'AAAA'
[14359][iter] 'ns2.h4ck.space.' type 'AAAA' id was assigned, parent id 55906
[14359][ rc ] => satisfied from cache
[14359][iter] <= rcode: NOERROR
[14359][iter] <= cname chain, following
[14359][iter] <= cname chain loop
[ 0][resl] finished: 8, queries: 12, mempool: 98400 B
[ 0][plan] plan '.' type 'DNSKEY'
[31350][iter] '.' type 'DNSKEY' id was assigned, parent id 0
[31350][ rc ] => satisfied from cache
[31350][iter] <= rcode: NOERROR
[ 0][resl] finished: 4, queries: 1, mempool: 163952 B
[ ta ] key: 19036 state: Valid
[ ta ] next refresh: 86400000
[ 0][plan] plan '.' type 'NS'
[11586][iter] '.' type 'NS' id was assigned, parent id 0
[11586][resl] => using root hints
[ 9182][iter] '.' type 'NS' id was assigned, parent id 0
[ 9182][plan] plan '.' type 'DNSKEY'
[63993][iter] '.' type 'DNSKEY' id was assigned, parent id 9182
[63993][ rc ] => satisfied from cache
[63993][iter] <= rcode: NOERROR
[63993][vldr] <= parent: updating DNSKEY
[63993][vldr] <= answer valid, OK
[12456][iter] '.' type 'NS' id was assigned, parent id 0
[12456][resl] => querying: '2001:7fe::53' score: 10 zone cut: '.' m12n: '.' type: 'NS' proto: 'udp'
[12456][iter] <= rcode: NOERROR
[12456][vldr] <= answer valid, OK
[12456][resl] <= server: '2001:7fe::53' rtt: 7 ms
[ 0][resl] finished: 4, queries: 2, mempool: 98352 B
```
Second attempt:
```
[ 0][plan] plan 'pypi.fiber.consulting.' type 'A'
[ 7101][iter] 'pypi.fiber.consulting.' type 'A' id was assigned, parent id 0
[ 1393][iter] 'pypi.fiber.consulting.' type 'A' id was assigned, parent id 0
[ 1393][plan] plan 'ns2.h4ck.space.' type 'AAAA'
[ 6625][iter] 'ns2.h4ck.space.' type 'AAAA' id was assigned, parent id 1393
[ 6625][ rc ] => satisfied from cache
[ 6625][iter] <= rcode: NOERROR
[ 6625][iter] <= cname chain, following
[ 1393][plan] plan 'dns2.h4ck.space.' type 'AAAA'
[ 6625][vldr] <= cached insecure response, going insecure
[62761][iter] 'dns2.h4ck.space.' type 'AAAA' id was assigned, parent id 1393
[62761][ rc ] => satisfied from cache
[62761][iter] <= rcode: NOERROR
[62761][vldr] <= cached insecure response, going insecure
[54779][iter] 'pypi.fiber.consulting.' type 'A' id was assigned, parent id 0
[54779][plan] plan 'ns2.h4ck.space.' type 'A'
[22497][iter] 'ns2.h4ck.space.' type 'A' id was assigned, parent id 54779
[22497][ rc ] => satisfied from cache
[22497][iter] <= rcode: NOERROR
[22497][iter] <= cname chain, following
[54779][plan] plan 'dns2.h4ck.space.' type 'A'
[22497][vldr] <= cached insecure response, going insecure
[21038][iter] 'dns2.h4ck.space.' type 'A' id was assigned, parent id 54779
[21038][ rc ] => satisfied from cache
[21038][iter] <= rcode: NOERROR
[21038][vldr] <= cached insecure response, going insecure
[42668][iter] 'pypi.fiber.consulting.' type 'A' id was assigned, parent id 0
[42668][resl] => unresolvable NS address, bailing out
[42668][resl] => querying: '151.236.17.139' score: 10 zone cut: 'fiber.consulting.' m12n: 'PyPI.fIbER.cONsUlTING.' type: 'A' proto: 'udp'
[42668][iter] <= rcode: NOERROR
[42668][iter] <= cname chain, following
[ 0][plan] plan 'epsilon.rammhold.de.' type 'A'
[42668][vldr] <= answer valid, OK
[42668][resl] <= server: '151.236.17.139' rtt: 19 ms
[30661][iter] 'epsilon.rammhold.de.' type 'A' id was assigned, parent id 0
[30661][plan] plan 'm.root-servers.net.' type 'AAAA'
[18825][iter] 'm.root-servers.net.' type 'AAAA' id was assigned, parent id 30661
[18825][resl] >< TA: '.'
[18825][resl] => querying: '2001:500:9f::42' score: 11 zone cut: '.' m12n: 'NEt.' type: 'NS' proto: 'udp'
[18825][iter] <= using glue for 'a.gtld-servers.net.': '192.5.6.30'
[18825][iter] <= using glue for 'a.gtld-servers.net.': '2001:503:a83e::2:30'
[18825][iter] <= using glue for 'b.gtld-servers.net.': '192.33.14.30'
[18825][iter] <= using glue for 'b.gtld-servers.net.': '2001:503:231d::2:30'
[18825][iter] <= using glue for 'c.gtld-servers.net.': '192.26.92.30'
[18825][iter] <= using glue for 'd.gtld-servers.net.': '192.31.80.30'
[18825][iter] <= using glue for 'e.gtld-servers.net.': '192.12.94.30'
[18825][iter] <= using glue for 'f.gtld-servers.net.': '192.35.51.30'
[18825][iter] <= using glue for 'g.gtld-servers.net.': '192.42.93.30'
[18825][iter] <= using glue for 'h.gtld-servers.net.': '192.54.112.30'
[18825][iter] <= using glue for 'i.gtld-servers.net.': '192.43.172.30'
[18825][iter] <= using glue for 'j.gtld-servers.net.': '192.48.79.30'
[18825][iter] <= using glue for 'k.gtld-servers.net.': '192.52.178.30'
[18825][iter] <= using glue for 'l.gtld-servers.net.': '192.41.162.30'
[18825][iter] <= using glue for 'm.gtld-servers.net.': '192.55.83.30'
[18825][iter] <= referral response, follow
[18825][vldr] <= DS: OK
[18825][vldr] <= answer valid, OK
[18825][resl] <= server: '2001:500:9f::42' rtt: 1 ms
[36046][iter] 'm.root-servers.net.' type 'AAAA' id was assigned, parent id 30661
[36046][plan] plan 'net.' type 'DNSKEY'
[43294][iter] 'net.' type 'DNSKEY' id was assigned, parent id 36046
[43294][ rc ] => satisfied from cache
[43294][iter] <= rcode: NOERROR
[43294][vldr] <= parent: updating DNSKEY
[43294][vldr] <= answer valid, OK
[47963][iter] 'm.root-servers.net.' type 'AAAA' id was assigned, parent id 30661
[47963][resl] => querying: '192.52.178.30' score: 10 zone cut: 'net.' m12n: 'rOOt-SerVErs.nET.' type: 'NS' proto: 'udp'
[47963][resl] => querying: '192.48.79.30' score: 10 zone cut: 'net.' m12n: 'rOOt-SerVErs.nET.' type: 'NS' proto: 'udp'
[47963][iter] <= using glue for 'a.root-servers.net.': '198.41.0.4'
[47963][iter] <= using glue for 'a.root-servers.net.': '2001:503:ba3e::2:30'
[47963][iter] <= using glue for 'h.root-servers.net.': '198.97.190.53'
[47963][iter] <= using glue for 'h.root-servers.net.': '2001:500:1::53'
[47963][iter] <= using glue for 'c.root-servers.net.': '192.33.4.12'
[47963][iter] <= using glue for 'c.root-servers.net.': '2001:500:2::c'
[47963][iter] <= using glue for 'g.root-servers.net.': '192.112.36.4'
[47963][iter] <= using glue for 'f.root-servers.net.': '192.5.5.241'
[47963][iter] <= using glue for 'f.root-servers.net.': '2001:500:2f::f'
[47963][iter] <= using glue for 'b.root-servers.net.': '192.228.79.201'
[47963][iter] <= using glue for 'b.root-servers.net.': '2001:500:84::b'
[47963][iter] <= using glue for 'j.root-servers.net.': '192.58.128.30'
[47963][iter] <= using glue for 'j.root-servers.net.': '2001:503:c27::2:30'
[47963][iter] <= using glue for 'k.root-servers.net.': '193.0.14.129'
[47963][iter] <= using glue for 'k.root-servers.net.': '2001:7fd::1'
[47963][iter] <= using glue for 'l.root-servers.net.': '199.7.83.42'
[47963][iter] <= using glue for 'l.root-servers.net.': '2001:500:9f::42'
[47963][iter] <= using glue for 'm.root-servers.net.': '2001:dc3::35'
[47963][iter] <= using glue for 'm.root-servers.net.': '202.12.27.33'
[47963][iter] <= using glue for 'i.root-servers.net.': '192.36.148.17'
[47963][iter] <= using glue for 'i.root-servers.net.': '2001:7fe::53'
[47963][iter] <= using glue for 'e.root-servers.net.': '192.203.230.10'
[47963][iter] <= using glue for 'd.root-servers.net.': '199.7.91.13'
[47963][iter] <= using glue for 'd.root-servers.net.': '2001:500:2d::d'
[47963][iter] <= referral response, follow
[47963][vldr] <= DS doesn't exist, going insecure
[47963][vldr] <= parent: updating DS
[47963][vldr] <= answer valid, OK
[47963][resl] <= server: '192.52.178.30' rtt: 264 ms
[47963][resl] <= server: '192.48.79.30' rtt: >=14 ms
[56807][iter] 'm.root-servers.net.' type 'AAAA' id was assigned, parent id 30661
[56807][resl] => querying: '202.12.27.33' score: 10 zone cut: 'root-servers.net.' m12n: 'M.RoOT-sErVeRs.net.' type: 'AAAA' proto: 'udp'
[56807][iter] <= using glue for 'm.root-servers.net.': '2001:dc3::35'
[56807][iter] <= using glue for 'm.root-servers.net.': '202.12.27.33'
[56807][iter] <= using glue for 'g.root-servers.net.': '192.112.36.4'
[56807][iter] <= using glue for 'g.root-servers.net.': '2001:500:12::d0d'
[56807][iter] <= using glue for 'c.root-servers.net.': '192.33.4.12'
[56807][iter] <= using glue for 'c.root-servers.net.': '2001:500:2::c'
[56807][iter] <= using glue for 'a.root-servers.net.': '198.41.0.4'
[56807][iter] <= using glue for 'a.root-servers.net.': '2001:503:ba3e::2:30'
[56807][iter] <= using glue for 'k.root-servers.net.': '193.0.14.129'
[56807][iter] <= using glue for 'k.root-servers.net.': '2001:7fd::1'
[56807][iter] <= using glue for 'b.root-servers.net.': '192.228.79.201'
[56807][iter] <= using glue for 'b.root-servers.net.': '2001:500:84::b'
[56807][iter] <= using glue for 'e.root-servers.net.': '192.203.230.10'
[56807][iter] <= using glue for 'e.root-servers.net.': '2001:500:a8::e'
[56807][iter] <= using glue for 'h.root-servers.net.': '198.97.190.53'
[56807][iter] <= using glue for 'h.root-servers.net.': '2001:500:1::53'
[56807][iter] <= using glue for 'i.root-servers.net.': '192.36.148.17'
[56807][iter] <= using glue for 'i.root-servers.net.': '2001:7fe::53'
[56807][iter] <= using glue for 'l.root-servers.net.': '199.7.83.42'
[56807][iter] <= using glue for 'l.root-servers.net.': '2001:500:9f::42'
[56807][iter] <= using glue for 'd.root-servers.net.': '199.7.91.13'
[56807][iter] <= using glue for 'd.root-servers.net.': '2001:500:2d::d'
[56807][iter] <= using glue for 'f.root-servers.net.': '192.5.5.241'
[56807][iter] <= using glue for 'f.root-servers.net.': '2001:500:2f::f'
[56807][iter] <= using glue for 'j.root-servers.net.': '192.58.128.30'
[56807][iter] <= using glue for 'j.root-servers.net.': '2001:503:c27::2:30'
[56807][iter] <= rcode: NOERROR
[56807][resl] <= server: '202.12.27.33' rtt: 18 ms
[58965][iter] 'epsilon.rammhold.de.' type 'A' id was assigned, parent id 0
[58965][resl] => querying: '2001:dc3::35' score: 19 zone cut: '.' m12n: 'dE.' type: 'NS' proto: 'udp'
[58965][iter] <= using glue for 'l.de.net.': '77.67.63.105'
[58965][iter] <= using glue for 'l.de.net.': '2001:668:1f:11::105'
[58965][iter] <= using glue for 'f.nic.de.': '81.91.164.5'
[58965][iter] <= using glue for 'f.nic.de.': '2a02:568:0:2::53'
[58965][iter] <= using glue for 'a.nic.de.': '194.0.0.53'
[58965][iter] <= using glue for 'a.nic.de.': '2001:678:2::53'
[58965][iter] <= using glue for 'n.de.net.': '194.146.107.6'
[58965][iter] <= using glue for 'n.de.net.': '2001:67c:1011:1::53'
[58965][iter] <= using glue for 'z.nic.de.': '194.246.96.1'
[58965][iter] <= using glue for 's.de.net.': '195.243.137.26'
[58965][iter] <= referral response, follow
[58965][vldr] <= DS: OK
[58965][vldr] <= answer valid, OK
[58965][resl] <= server: '2001:dc3::35' rtt: 18 ms
[63087][iter] 'epsilon.rammhold.de.' type 'A' id was assigned, parent id 0
[63087][plan] plan 'de.' type 'DNSKEY'
[42419][iter] 'de.' type 'DNSKEY' id was assigned, parent id 63087
[42419][resl] => querying: '194.246.96.1' score: 10 zone cut: 'de.' m12n: 'DE.' type: 'DNSKEY' proto: 'udp'
[42419][iter] <= rcode: NOERROR
[42419][vldr] <= parent: updating DNSKEY
[42419][vldr] <= answer valid, OK
[42419][resl] <= server: '194.246.96.1' rtt: 121 ms
[ 7766][iter] 'epsilon.rammhold.de.' type 'A' id was assigned, parent id 0
[ 7766][resl] => querying: '195.243.137.26' score: 10 zone cut: 'de.' m12n: 'RaMmhoLD.dE.' type: 'NS' proto: 'udp'
[ 7766][iter] <= using glue for 'ns1.quarxconnect.de.': '94.186.151.136'
[ 7766][iter] <= referral response, follow
[ 7766][vldr] <= DS doesn't exist, going insecure
[ 7766][vldr] <= answer valid, OK
[ 7766][resl] <= server: '195.243.137.26' rtt: 23 ms
[19955][iter] 'epsilon.rammhold.de.' type 'A' id was assigned, parent id 0
[19955][resl] => querying: '94.186.151.136' score: 10 zone cut: 'rammhold.de.' m12n: 'EPsIloN.RaMMholD.De.' type: 'A' proto: 'udp'
[19955][iter] <= referral response, follow
[19955][resl] <= server: '94.186.151.136' rtt: 38 ms
[49323][iter] 'epsilon.rammhold.de.' type 'A' id was assigned, parent id 0
[49323][plan] plan 'ns2.quarxconnect.org.' type 'AAAA'
[12824][iter] 'ns2.quarxconnect.org.' type 'AAAA' id was assigned, parent id 49323
[12824][resl] >< TA: '.'
[12824][resl] => querying: '2001:500:1::53' score: 10 zone cut: '.' m12n: 'OrG.' type: 'NS' proto: 'udp'
[12824][iter] <= using glue for 'a0.org.afilias-nst.info.': '2001:500:e::1'
[12824][iter] <= using glue for 'a0.org.afilias-nst.info.': '199.19.56.1'
[12824][iter] <= using glue for 'a2.org.afilias-nst.info.': '2001:500:40::1'
[12824][iter] <= using glue for 'a2.org.afilias-nst.info.': '199.249.112.1'
[12824][iter] <= using glue for 'b0.org.afilias-nst.org.': '2001:500:c::1'
[12824][iter] <= using glue for 'b0.org.afilias-nst.org.': '199.19.54.1'
[12824][iter] <= using glue for 'b2.org.afilias-nst.org.': '2001:500:48::1'
[12824][iter] <= using glue for 'b2.org.afilias-nst.org.': '199.249.120.1'
[12824][iter] <= using glue for 'c0.org.afilias-nst.info.': '2001:500:b::1'
[12824][iter] <= using glue for 'c0.org.afilias-nst.info.': '199.19.53.1'
[12824][iter] <= using glue for 'd0.org.afilias-nst.org.': '2001:500:f::1'
[12824][iter] <= using glue for 'd0.org.afilias-nst.org.': '199.19.57.1'
[12824][iter] <= referral response, follow
[12824][vldr] <= DS: OK
[12824][vldr] <= answer valid, OK
[12824][resl] <= server: '2001:500:1::53' rtt: 94 ms
[21499][iter] 'ns2.quarxconnect.org.' type 'AAAA' id was assigned, parent id 49323
[21499][plan] plan 'org.' type 'DNSKEY'
[42662][iter] 'org.' type 'DNSKEY' id was assigned, parent id 21499
[42662][resl] => querying: '2001:500:f::1' score: 10 zone cut: 'org.' m12n: 'orG.' type: 'DNSKEY' proto: 'udp'
[42662][iter] <= rcode: NOERROR
[42662][vldr] <= parent: updating DNSKEY
[42662][vldr] <= answer valid, OK
[42662][resl] <= server: '2001:500:f::1' rtt: 165 ms
[58832][iter] 'ns2.quarxconnect.org.' type 'AAAA' id was assigned, parent id 49323
[58832][resl] => querying: '199.19.57.1' score: 10 zone cut: 'org.' m12n: 'QuarxconNECT.ORg.' type: 'NS' proto: 'udp'
[58832][iter] <= using glue for 'ns2.quarxconnect.org.': '89.238.77.2'
[58832][iter] <= referral response, follow
[58832][vldr] <= DS doesn't exist, going insecure
[58832][vldr] <= parent: updating DS
[58832][vldr] <= answer valid, OK
[58832][resl] <= server: '199.19.57.1' rtt: 95 ms
[ 3403][iter] 'ns2.quarxconnect.org.' type 'AAAA' id was assigned, parent id 49323
[ 3403][resl] => querying: '89.238.77.2' score: 10 zone cut: 'quarxconnect.org.' m12n: 'ns2.QuaRXCOnnect.orG.' type: 'AAAA' proto: 'udp'
[ 3403][iter] <= rcode: NOERROR
[ 3403][ pc ] => answer cached for TTL=900
[ 3403][resl] <= server: '89.238.77.2' rtt: 24 ms
[20474][iter] 'epsilon.rammhold.de.' type 'A' id was assigned, parent id 0
[20474][ rc ] => satisfied from cache
[20474][iter] <= rcode: NOERROR
[ 0][resl] finished: 4, queries: 11, mempool: 98400 B
```
1.2.0 release
Ivana Krumlova

https://gitlab.nic.cz/knot/knot-resolver/-/issues/119
[vld-refactoring] Fails to resolve ftp.tu-graz.ac.at
2017-08-22T13:33:34+02:00
Ondřej Surý

vld-refactoring snapshot from this morning:
```
Jan 06 13:57:18 milkyway.rfc1925.org kresd[30588]: [plan] plan 'ftp.tu-graz.ac.at.' type 'A'
Jan 06 13:57:18 milkyway.rfc1925.org kresd[30588]: [resl] => querying: '81.91.161.98' score: 22 zone cut: 'at.' m12n: 'aC.AT.' type: 'NS' proto: 'udp'
Jan 06 13:57:18 milkyway.rfc1925.org kresd[30588]: [iter] <= rcode: NOERROR
Jan 06 13:57:18 milkyway.rfc1925.org kresd[30588]: [iter] <= found cut, retrying with non-minimized name
Jan 06 13:57:18 milkyway.rfc1925.org kresd[30588]: [resl] <= server: '81.91.161.98' rtt: 17 ms
Jan 06 13:57:18 milkyway.rfc1925.org kresd[30588]: [resl] => querying: '81.91.161.98' score: 19 zone cut: 'at.' m12n: 'FTP.tu-GraZ.aC.at.' type: 'A' proto: 'udp'
Jan 06 13:57:18 milkyway.rfc1925.org kresd[30588]: [iter] <= using glue for 'ns1.tu-graz.ac.at.'
Jan 06 13:57:18 milkyway.rfc1925.org kresd[30588]: [iter] <= using glue for 'ns5.univie.ac.at.'
Jan 06 13:57:18 milkyway.rfc1925.org kresd[30588]: [iter] <= using glue for 'ns2.tu-graz.ac.at.'
Jan 06 13:57:18 milkyway.rfc1925.org kresd[30588]: [iter] <= using glue for 'ns10.univie.ac.at.'
Jan 06 13:57:18 milkyway.rfc1925.org kresd[30588]: [iter] <= referral response, follow
Jan 06 13:57:18 milkyway.rfc1925.org kresd[30588]: [vldr] <= DS\NSEC was not found, querying for DS
Jan 06 13:57:18 milkyway.rfc1925.org kresd[30588]: [resl] <= server: '81.91.161.98' rtt: 18 ms
Jan 06 13:57:18 milkyway.rfc1925.org kresd[30588]: [plan] plan 'tu-graz.ac.at.' type 'DS'
Jan 06 13:57:18 milkyway.rfc1925.org kresd[30588]: [resl] => querying: '81.91.161.98' score: 18 zone cut: 'at.' m12n: 'aC.aT.' type: 'NS' proto: 'udp'
Jan 06 13:57:18 milkyway.rfc1925.org kresd[30588]: [iter] <= rcode: NOERROR
Jan 06 13:57:18 milkyway.rfc1925.org kresd[30588]: [iter] <= found cut, retrying with non-minimized name
Jan 06 13:57:18 milkyway.rfc1925.org kresd[30588]: [resl] <= server: '81.91.161.98' rtt: 17 ms
Jan 06 13:57:18 milkyway.rfc1925.org kresd[30588]: [resl] => querying: '81.91.161.98' score: 17 zone cut: 'at.' m12n: 'TU-GRAz.ac.AT.' type: 'DS' proto: 'udp'
Jan 06 13:57:18 milkyway.rfc1925.org kresd[30588]: [iter] <= rcode: NOERROR
Jan 06 13:57:18 milkyway.rfc1925.org kresd[30588]: [vldr] <= bad NODATA proof
Jan 06 13:57:18 milkyway.rfc1925.org kresd[30588]: [resl] finished: 8, queries: 0, mempool: 16400 B
```
But it looks ok according to dnsviz: http://dnsviz.net/d/ftp.tu-graz.ac.at/dnssec/

1.2.0 release
Štěpán Balážik

https://gitlab.nic.cz/knot/knot-resolver/-/issues/118
[vld-refactoring] Fails to revalidate .org
2017-08-22T13:33:34+02:00
Ondřej Surý

This happens on two independent knot resolvers. The version is 1.2.0~20161222-1+0~201612220911 which is based on `vld-refactoring` branch as of 2016-12-22 state.
It needs cache purge to make the resolving work again for those.
I am going to upgrade both machines to today's state to see whether it helps.
Happened with anything under `rfc1925.org` yesterday (and cache purge helped).
```
root@milkyway:~# host ftp.cz.debian.org
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [plan] plan 'ftp.cz.debian.org.' type 'A'
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [plan] plan 'org.' type 'DNSKEY'
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [plan] plan 'd0.org.afilias-nst.org.' type 'AAAA'
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] => using root hints
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [plan] plan '.' type 'DNSKEY'
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [ rc ] => satisfied from cache
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [iter] <= rcode: NOERROR
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [vldr] <= parent: updating DNSKEY
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [vldr] <= answer valid, OK
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:dc3::35' score: 30 zone cut: '.' m12n: 'ORg.' type: 'NS' proto: 'udp'
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [iter] <= using glue for 'a2.org.afilias-nst.info.'
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [iter] <= using glue for 'b0.org.afilias-nst.org.'
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [iter] <= using glue for 'd0.org.afilias-nst.org.'
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [iter] <= using glue for 'b2.org.afilias-nst.org.'
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [vldr] <= DS: OK
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [vldr] <= answer valid, OK
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:dc3::35' rtt: 24 ms
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AFIliAS-nSt.orG.' type: 'NS' proto: 'udp'
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'afIliaS-NsT.Org.' type: 'NS' proto: 'udp'
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AfiLias-nsT.org.' type: 'NS' proto: 'udp'
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AFiliaS-nsT.Org.' type: 'NS' proto: 'udp'
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '199.19.57.1' score: 95 zone cut: 'org.' m12n: 'AFiLiAs-nsT.oRg.' type: 'NS' proto: 'udp'
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '199.19.57.1' rtt: 95 ms
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AfilIAs-nSt.ORg.' type: 'NS' proto: 'udp'
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'afiLias-nST.orG.' type: 'NS' proto: 'udp'
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'afiLIAS-nst.oRg.' type: 'NS' proto: 'udp'
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '199.19.57.1' score: 95 zone cut: 'org.' m12n: 'AfiLIAs-NST.ORG.' type: 'NS' proto: 'udp'
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '199.19.57.1' rtt: 96 ms
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'aFILias-NSt.oRG.' type: 'NS' proto: 'udp'
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AfILIAs-nSt.oRG.' type: 'NS' proto: 'udp'
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:33 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AfiLIas-nST.org.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AfIlIAs-nst.oRg.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AFiLias-nst.org.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AFilIAs-nSt.Org.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '199.19.57.1' score: 95 zone cut: 'org.' m12n: 'AFIlIaS-NST.oRG.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '199.19.57.1' rtt: 94 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'aFILias-NSt.Org.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AfiliAS-NSt.orG.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AFILIaS-nST.ORg.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '199.19.57.1' score: 94 zone cut: 'org.' m12n: 'afilias-nsT.OrG.' type: 'NS' proto: 'udp'
Host ftp.cz.debian.org. type A error: SERVFAIL
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '199.19.57.1' rtt: 95 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '199.19.57.1' score: 94 zone cut: 'org.' m12n: 'AfILiAS-NST.ORG.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '199.19.57.1' rtt: 95 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'aFiLIAS-NST.ORG.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] finished: 8, queries: 1, mempool: 196800 B
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [plan] plan 'ftp.cz.debian.org.' type 'AAAA'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [plan] plan 'org.' type 'DNSKEY'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [plan] plan 'd0.org.afilias-nst.org.' type 'AAAA'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => using root hints
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [plan] plan '.' type 'DNSKEY'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [ rc ] => satisfied from cache
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= rcode: NOERROR
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] <= parent: updating DNSKEY
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] <= answer valid, OK
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:dc3::35' score: 27 zone cut: '.' m12n: 'orG.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= using glue for 'a2.org.afilias-nst.info.'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= using glue for 'd0.org.afilias-nst.org.'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= using glue for 'b0.org.afilias-nst.org.'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= using glue for 'b2.org.afilias-nst.org.'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] <= DS: OK
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] <= answer valid, OK
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:dc3::35' rtt: 24 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AfiLiAS-nst.ORg.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AFILiaS-NSt.oRG.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AfIlIAS-NSt.oRG.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AfIlIAs-nsT.OrG.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AFiliAS-NsT.Org.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'aFiLiAs-NST.oRg.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'aFiliaS-nST.ORG.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'afILIAs-nST.oRg.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '199.19.57.1' score: 94 zone cut: 'org.' m12n: 'AFiLiAs-nsT.ORg.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '199.19.57.1' rtt: 95 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'afILias-NSt.org.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AfilIAs-nsT.oRg.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'afiLIaS-nSt.ORg.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '199.19.57.1' score: 94 zone cut: 'org.' m12n: 'AFilias-nst.org.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '199.19.57.1' rtt: 94 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AfILiAS-NST.oRg.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '199.19.57.1' score: 94 zone cut: 'org.' m12n: 'afiLias-NST.org.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '199.19.57.1' rtt: 95 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'aFiLiAS-Nst.org.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '199.19.57.1' score: 94 zone cut: 'org.' m12n: 'afiLIaS-Nst.oRg.' type: 'NS' proto: 'udp'
Host ftp.cz.debian.org. type AAAA error: SERVFAIL
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '199.19.57.1' rtt: 95 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '199.19.57.1' score: 94 zone cut: 'org.' m12n: 'aFilIaS-NSt.oRg.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '199.19.57.1' rtt: 95 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'aFilIAS-nSt.ORg.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'aFiLiAS-nST.OrG.' type: 'NS' proto: 'udp'
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:34 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AfILIAS-NsT.org.' type: 'NS' proto: 'udp'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'aFiLIas-NsT.oRg.' type: 'NS' proto: 'udp'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] finished: 8, queries: 1, mempool: 196800 B
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [plan] plan 'ftp.cz.debian.org.' type 'MX'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [plan] plan 'org.' type 'DNSKEY'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [plan] plan 'd0.org.afilias-nst.org.' type 'AAAA'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => using root hints
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [plan] plan '.' type 'DNSKEY'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [ rc ] => satisfied from cache
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [iter] <= rcode: NOERROR
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] <= parent: updating DNSKEY
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] <= answer valid, OK
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:dc3::35' score: 25 zone cut: '.' m12n: 'org.' type: 'NS' proto: 'udp'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [iter] <= using glue for 'd0.org.afilias-nst.org.'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [iter] <= using glue for 'b0.org.afilias-nst.org.'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [iter] <= using glue for 'b2.org.afilias-nst.org.'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] <= DS: OK
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] <= answer valid, OK
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:dc3::35' rtt: 24 ms
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'afIlias-nST.org.' type: 'NS' proto: 'udp'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'aFIlIaS-NSt.ORG.' type: 'NS' proto: 'udp'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AFILIas-NSt.oRg.' type: 'NS' proto: 'udp'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'afIlIaS-nst.orG.' type: 'NS' proto: 'udp'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AFILIAS-NsT.Org.' type: 'NS' proto: 'udp'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AfILIAs-nsT.OrG.' type: 'NS' proto: 'udp'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AfIliAS-nST.oRg.' type: 'NS' proto: 'udp'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AFiLiaS-nst.org.' type: 'NS' proto: 'udp'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AfIlIas-nST.org.' type: 'NS' proto: 'udp'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 10 ms
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'afILias-NsT.oRG.' type: 'NS' proto: 'udp'
Host ftp.cz.debian.org. type MX error: SERVFAIL
root@milkyway:~# Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'aFilIAS-nSt.oRG.' type: 'NS' proto: 'udp'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AFiLIas-nSt.orG.' type: 'NS' proto: 'udp'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AfIliaS-nst.OrG.' type: 'NS' proto: 'udp'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AFiLiaS-nsT.oRg.' type: 'NS' proto: 'udp'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 10 ms
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AfILIas-NSt.ORg.' type: 'NS' proto: 'udp'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AFiLIAs-nSt.orG.' type: 'NS' proto: 'udp'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AfILiAS-NST.ORG.' type: 'NS' proto: 'udp'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AfIliAS-NsT.ORg.' type: 'NS' proto: 'udp'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AfILiAs-NSt.Org.' type: 'NS' proto: 'udp'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'aFiliAs-nsT.ORG.' type: 'NS' proto: 'udp'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '2001:500:48::1' score: 11 zone cut: 'org.' m12n: 'AfILiAs-nsT.oRg.' type: 'NS' proto: 'udp'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '2001:500:48::1' rtt: 9 ms
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => querying: '199.19.57.1' score: 94 zone cut: 'org.' m12n: 'afILIaS-NSt.ORg.' type: 'NS' proto: 'udp'
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [iter] <= referral response, follow
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] <= server: '199.19.57.1' rtt: 95 ms
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] => resuming yielded answer
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [vldr] >< cut changed (new signer), needs revalidation
Jan 06 13:39:35 milkyway.rfc1925.org kresd[8277]: [resl] finished: 8, queries: 1, mempool: 196800 B
```
1.2.0 release
Grigorii Demidov

https://gitlab.nic.cz/knot/knot-resolver/-/issues/58
dnssec bug: resolver fails to validate answers
2018-11-12T16:15:57+01:00
Ondřej Surý

This is actually a validator bug; that's why it retries every time. We can discuss how much effort the resolver should make when it's fixed:
```
[plan] plan 'www.cmu.edu.' type 'A'
[plan] plan 'cmu.edu.' type 'DNSKEY'
[iter] <= rcode: NOERROR
[vldr] <= parent: updating DNSKEY
[vldr] <= answer valid, OK
[iter] <= rcode: NOERROR
[vldr] <= couldn't validate RRSIGs
```
One of the nameservers for cmu.edu is misconfigured and returns `REFUSED`:
```
$ dig IN A www.cmu.edu @ny-server-03.net.cmu.edu.
;; ->>HEADER<<- opcode: QUERY; status: REFUSED; id: 61298
;; Flags: qr rd; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; www.cmu.edu. IN A
;; Received 29 B
;; Time 2016-04-15 09:13:04 CEST
;; From 38.96.147.4@53(UDP) in 98.5 ms
```
kresd should try harder and not return `REFUSED`, but retry with different nameservers.
```
$ dig IN A www.cmu.edu @127.0.0.1
;; ->>HEADER<<- opcode: QUERY; status: REFUSED; id: 60007
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; www.cmu.edu. IN A
;; Received 29 B
;; Time 2016-04-15 09:13:46 CEST
;; From 127.0.0.1@53(UDP) in 165.3 ms
```
Grigorii Demidov

https://gitlab.nic.cz/knot/knot-resolver/-/issues/41
Program received signal SIGSEGV, Segmentation fault. 0x00007ffff66b48ed in ?? () from /lib/x86_64-linux-gnu/libc.so.6
2022-04-08T16:14:00+02:00
Ondřej Surý

Version v1.0.0-beta1-96-gc7e8224
And it's something in the config as it doesn't crash when config is empty:
config:
```
modules = {
    view = 'true',
    stats = 'true',
    cachectl = 'true',
    dns64 = '2001:1488:ffff:64:ffff:ffff::',
    tinyweb = {
        addr = '127.0.0.1:8053',
        geoip = '/root'
    }
}
```
```
#0 0x00007ffff66b48ed in ?? () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#1 0x00007ffff6d0bd92 in ?? () from /usr/lib/x86_64-linux-gnu/libluajit-5.1.so.2
No symbol table info available.
#2 0x00007ffff6d0d0aa in ?? () from /usr/lib/x86_64-linux-gnu/libluajit-5.1.so.2
No symbol table info available.
#3 0x00007ffff6cd7a88 in ?? () from /usr/lib/x86_64-linux-gnu/libluajit-5.1.so.2
No symbol table info available.
#4 0x00007ffff6d1af60 in lua_pcall () from /usr/lib/x86_64-linux-gnu/libluajit-5.1.so.2
No symbol table info available.
#5 0x000000000041049f in l_ffi_call (argc=2, L=0x40000378) at daemon/ffimodule.c:84
status = <optimized out>
#6 l_ffi_layer_begin (ctx=0x7fffffffe2e0, module_param=<optimized out>) at daemon/ffimodule.c:153
cb_slot = <optimized out>
L = 0x40000378
#7 0x0000000000414ab8 in resolve_query (packet=0x6a07a0, request=0x6a07a0) at lib/resolve.c:390
layer = {node = {next = 0x0, prev = 0x0}, state = 2, mm = 0x0, data = 0x6a07a0, api = 0x662640}
mod = <optimized out>
i = 4
rplan = 0x6a0800
qtype = <optimized out>
negative_anchors = 0x7fffffffea20
trust_anchors = 0x7fffffffea00
answer = <optimized out>
qname = <optimized out>
qclass = <optimized out>
qry = 0x6a2b90
#8 kr_resolve_consume (request=request@entry=0x6a07a0, src=src@entry=0x0, packet=packet@entry=0x6965b0) at lib/resolve.c:407
rplan = 0x6a0800
ctx = 0x7fffffffe9f0
qry = <optimized out>
tried_tcp = <optimized out>
#9 0x000000000040de58 in qr_task_step (task=0x6a07a0, packet_source=packet_source@entry=0x0, packet=0x6965b0) at daemon/worker.c:449
sock_type = -1
state = <optimized out>
choice = <optimized out>
#10 0x000000000040e5d8 in worker_resolve (worker=worker@entry=0x7ffff7f95010, query=<optimized out>, options=options@entry=0, on_complete=<optimized out>, baton=<optimized out>)
at daemon/worker.c:616
task = <optimized out>
#11 0x000000000040fc0c in wrk_resolve (L=0x40000378) at daemon/bindings.c:658
worker = 0x7ffff7f95010
pkt = 0x6965b0
dname = '\000' <repeats 80 times>, "\270\003\000@\000\000\000\000x\003\000@\000\000\000\000\220\344\377\377\377\177\000\000\b\032\003@\000\000\000\000\210\345\001@\000\000\000\000\310\324\000@\000\000\000\000HN\001@\000\000\000\000\200\345\001@\000\000\000\000\324\344\377\377\377\177\000\000_\317\320\366\377\177\000\000X\237\000@\000\000\000\000\330\344\377\377\377\177\000\000\210\344\377\377\377\177\000\000\204\344\377\377\377\177\000\000x\003\000@\001\000\000\000"...
rrtype = 2
rrclass = <optimized out>
ret = 0
options = 0
#12 0x00007ffff6cd7a88 in ?? () from /usr/lib/x86_64-linux-gnu/libluajit-5.1.so.2
No symbol table info available.
#13 0x00007ffff6d1af60 in lua_pcall () from /usr/lib/x86_64-linux-gnu/libluajit-5.1.so.2
No symbol table info available.
#14 0x000000000040c11c in engine_pcall (L=<optimized out>, argc=<optimized out>) at daemon/engine.c:469
No locals.
#15 0x000000000040fe03 in execute_callback (L=0x40000378, argc=1) at daemon/bindings.c:476
ret = <optimized out>
#16 0x000000000040d611 in qr_task_complete (handle=<optimized out>) at daemon/worker.c:280
task = 0x697750
worker = 0x7ffff7f95010
#17 0x00007ffff7787698 in uv_run () from /usr/lib/x86_64-linux-gnu/libuv.so.1
No symbol table info available.
#18 0x00000000004087c6 in run_worker (engine=0x7fffffffe9f0, loop=0x7ffff799f980) at daemon/main.c:193
sock_file = 0x62f250 "tty/29364"
pipe = {data = 0x7fffffffe9f0, loop = 0x7ffff799f980, type = UV_NAMED_PIPE, close_cb = 0x0, handle_queue = {0x697878, 0x662270}, u = {fd = 5, reserved = {0x5, 0x17, 0x7ffff7feacb8,
0x7ffff7de55ce}}, next_closing = 0x0, flags = 24576, write_queue_size = 0, alloc_cb = 0x0, read_cb = 0x0, connect_req = 0x0, shutdown_req = 0x0, io_watcher = {cb = 0x7ffff7790540,
pending_queue = {0x7fffffffe970, 0x7fffffffe970}, watcher_queue = {0x7fffffffe980, 0x7fffffffe980}, pevents = 1, events = 1, fd = 21}, write_queue = {0x7fffffffe9a0, 0x7fffffffe9a0},
write_completed_queue = {0x7fffffffe9b0, 0x7fffffffe9b0}, connection_cb = 0x411010 <tty_accept>, delayed_error = 0, accepted_fd = -1, queued_fds = 0x0, ipc = 0,
pipe_fname = 0x62f3f0 "tty/29364"}
#19 main (argc=<optimized out>, argv=<optimized out>) at daemon/main.c:350
forks = <optimized out>
addr_set = {at = 0x648470, len = 2, cap = <optimized out>}
keyfile = 0x6289c0 <keyfile_buf> "/usr/share/dns/root.key"
config = 0x0
keyfile_buf = "/usr/share/dns/root.key", '\000' <repeats 4073 times>
c = <optimized out>
li = 0
ret = 0
opts = {{name = 0x42000d "addr", has_arg = 1, flag = 0x0, val = 97}, {name = 0x41e96c "config", has_arg = 1, flag = 0x0, val = 99}, {name = 0x420422 "keyfile", has_arg = 1, flag = 0x0,
val = 107}, {name = 0x42042a "forks", has_arg = 1, flag = 0x0, val = 102}, {name = 0x41e9ae "verbose", has_arg = 0, flag = 0x0, val = 118}, {name = 0x420430 "version", has_arg = 0,
flag = 0x0, val = 86}, {name = 0x41e99b "help", has_arg = 0, flag = 0x0, val = 104}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
loop = 0x7ffff799f980
sigint = {data = 0x7ffff7feacb8, loop = 0x7ffff799f980, type = UV_SIGNAL, close_cb = 0x97a26e6c, handle_queue = {0x7fffffffe760, 0x7ffff799fa50}, u = {fd = -134304584, reserved = {
0x7ffff7feacb8, 0x7ffff7de55ce, 0x7ffff7ff8160, 0x7fffffffe720}}, next_closing = 0x0, flags = 24576, signal_cb = 0x410fd0 <signal_handler>, signum = 2, tree_entry = {rbe_left = 0x0,
rbe_right = 0x7fffffffe740, rbe_parent = 0x0, rbe_color = 0}, caught_signals = 0, dispatched_signals = 0}
sigterm = {data = 0x7ffff5ec1438, loop = 0x7ffff799f980, type = UV_SIGNAL, close_cb = 0x1000000ab, handle_queue = {0x6616e0, 0x7fffffffe6c0}, u = {fd = -5952, reserved = {0x7fffffffe8c0,
0x7ffff7de4c5c, 0x7fffffffe8e8, 0xd82b830}}, next_closing = 0x0, flags = 24576, signal_cb = 0x410fd0 <signal_handler>, signum = 15, tree_entry = {rbe_left = 0x0, rbe_right = 0x0,
rbe_parent = 0x7fffffffe6a0, rbe_color = 1}, caught_signals = 0, dispatched_signals = 0}
pool = {ctx = 0x648530, alloc = 0x411830 <mp_alloc>, free = 0x0}
engine = {resolver = {options = 0, opt_rr = 0x6485a0, trust_anchors = {root = 0x634f30, malloc = 0x411e50 <malloc_std>, free = 0x411e40 <free_std>, baton = 0x0}, negative_anchors = {
root = 0x0, malloc = 0x411e50 <malloc_std>, free = 0x411e40 <free_std>, baton = 0x0}, root_hints = {name = 0x6485d8 "", nsset = {root = 0x6486a1, malloc = 0x7ffff7bcb7b0 <mm_alloc>,
free = 0x7ffff7bcb7d0 <mm_free>, baton = 0x7fffffffe680}, key = 0x0, trust_anchor = 0x0, parent = 0x0, pool = 0x7fffffffe680}, cache = {db = 0x648cb8, api = 0x7ffff7dda300,
stats = {hit = 26, miss = 2, insert = 2, delete = 0, txn_read = 1, txn_write = 3}}, cache_rtt = 0x649550, cache_rep = 0x659590, modules = 0x7fffffffeaf8, pool = 0x7fffffffe680},
net = {loop = 0x7ffff799f980, endpoints = {root = 0x62b911, malloc = 0x411e50 <malloc_std>, free = 0x411e40 <free_std>, baton = 0x0}}, modules = {at = 0x662750, len = 9, cap = 10},
storage_registry = {at = 0x661930, len = 1, cap = 5}, pool = 0x7fffffffe680, L = 0x40000378}
```

https://gitlab.nic.cz/knot/knot-resolver/-/issues/240
cache size limitation does not work properly with multiple processes
2017-09-06T15:45:11+02:00
Petr Špaček

It seems that kresd cache flush does not work with multiple processes.
Setup: kresd 536fa6106767db144dec6342afbb8ef9528ae7cd (branch quit-fix-2) with configuration `kresd -f 16` and LMDB `cache.size = 3 * GB`.
As far as I can tell the flushing sometimes does not work because kresd fills the 4 GB filesystem completely instead of stopping at 3 GB. Sometimes I can see a sharp drop in disk usage from 3 GB to a few MBs, but sometimes the cache grows on and on until the FS is full.
This can be reproduced using the query list from `entrada:/srv/entrada/_upload/odvr/2017-08-25T09\:23\:01+0000`, just replay the traffic to the resolver. I'm going to attach the script I use to replay the traffic.
Vladimír Čunát vladimir.cunat@nic.cz

https://gitlab.nic.cz/knot/knot-resolver/-/issues/247
migrate code to monotonic timers (as appropriate)
2017-12-17T01:10:18+01:00
Petr Špaček

Some parts of code use `gettimeofday()` to get real time and compute differences between consecutive calls.
This approach is causing problems when real time changes e.g. as a result of administrator's action.
Code which works with time differences should use monotonic timers, please see man `gettimeofday`, `clock_gettime`, and docs in libuv - [libuv has its own monotonic timer](http://docs.libuv.org/en/v1.x/loop.html#c.uv_now).
There is some code which needs real time (DNSSEC signature verification, potentially logging etc.) so this needs to stay.
Beware, there are potential gotchas with monotonic clock when the value is transferred between processes or system reboots. Please make sure the monotonic values which get stored somewhere (e.g. in case) will make sense across processes and reboots (or find a way to make them sensical).
2017 Q3

https://gitlab.nic.cz/knot/knot-resolver/-/issues/271
tight loop in kresd 1.3.3 after SIGPIPE
2017-12-14T18:21:19+01:00
Daniel Kahn Gillmor

I'm running kresd 1.3.3, I found it was stuck in a tight loop. here's the output of strace:
```
write(20, "\27\3\3\1\356\0\0\0\0\0\0\0\2H\364\352e\235\t\274\237YF\244\260\250K\223q\211EW"..., 499) = -1 EPIPE (Broken pipe)
--- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=24582, si_uid=110} ---
write(20, "\27\3\3\1\356\0\0\0\0\0\0\0\2H\364\352e\235\t\274\237YF\244\260\250K\223q\211EW"..., 499) = -1 EPIPE (Broken pipe)
--- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=24582, si_uid=110} ---
```
looking at the open file descriptors with `lsof`, i see:
```
kresd 24582 knot-resolver 18ur REG 0,35 8192 12524 /var/cache/knot-resolver/lock.mdb
kresd 24582 knot-resolver 19u REG 0,35 104857600 12525 /var/cache/knot-resolver/data.mdb
kresd 24582 knot-resolver 20u sock 0,8 0t0 4310946 protocol: TCPv6
```
If i kill and restart the daemon, it will likely work fine again.
2017 Q4
Vladimír Čunát vladimir.cunat@nic.cz

https://gitlab.nic.cz/knot/knot-resolver/-/issues/272
tests broken in 1.5.0
2017-11-14T13:47:55+01:00
Ondřej Surý

```
config-test: hints
/bin/sh: 1: /usr/sbin/kresd: not found
tests/config/test_config.mk:12: recipe for target 'check-config' failed
make[2]: *** [check-config] Error 1
```
2017 Q4

https://gitlab.nic.cz/knot/knot-resolver/-/issues/274
failure to validate No Data response for explicit wildcard
2018-08-04T11:53:46+02:00
Jan Včelák

kresd 1.5.0 fails to validate No Data response for explicit wildcard.
Query for an existent type:
```
$ kdig @::1 -p 53530 +tcp +adflag \*.wc.dnssec.test +dnssec TXT
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 41557
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: NOERROR
;; QUESTION SECTION:
;; *.wc.dnssec.test. IN TXT
;; ANSWER SECTION:
*.wc.dnssec.test. 1200 IN TXT "wc"
*.wc.dnssec.test. 1200 IN RRSIG TXT 13 3 1200 20171124132134 20171110132134 59809 dnssec.test. X45WDd9WkTnhlB60DImXo7pdNirsaQc/wTnR5ccJJglAypL121DkvkuMJmbYCWvt1O+U+ycVAKQznmF7D/DyTg==
;; Received 163 B
;; Time 2017-11-13 16:02:29 CET
;; From ::1@53530(TCP) in 41.5 ms
```
Query for a non-existent type:
```
$ kdig @::1 -p 53530 +tcp +adflag \*.wc.dnssec.test +dnssec AAAA
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 43702
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; *.wc.dnssec.test. IN AAAA
;; Received 32 B
;; Time 2017-11-13 16:02:37 CET
;; From ::1@53530(TCP) in 45.2 ms
```
kresd trace:
```
[21405][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 21405
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 4; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION
*.wc.dnssec.test. AAAA
;; AUTHORITY SECTION
dnssec.test. 1200 SOA a.ns.fcelda.cz. hostmaster.fcelda.cz. 344 3600 1800 2678400 1200
*.wc.dnssec.test. 1200 NSEC no.wc.dnssec.test. TXT RRSIG NSEC
dnssec.test. 1400 RRSIG SOA 13 2 1400 20171124142134 20171110142134 59809 dnssec.test. 0n0ZDgLbhEJTmcbxR6V50T1Xk+39xo8vEzjnEcIdI+m/2fWWw45/MrRU/H5oT8y+LrtFu/wiFI0crvj+lH6NbQ==
*.wc.dnssec.test. 1200 RRSIG NSEC 13 3 1200 20171124132134 20171110132134 59809 dnssec.test. wwOzuf0QBcv1w7WBHlIMvxwZi0cPXDGfYRjxnXUaHx87ekMdislJwk+6Dc1kY8wjA24TAkvY9ViYHUHAikl1aQ==
[21405][iter] <= rcode: NOERROR
[21405][vldr] <= bad NODATA proof
```
2018 Q1

https://gitlab.nic.cz/knot/knot-resolver/-/issues/277
kresd 1.5.0 assertion failure
2018-01-08T12:41:41+01:00
Marek Vavrusa

I'm running the server in a test environment in which it's getting a constant stream of random queries.
This is the configuration (sans network interfaces):
```lua
-- Modules
modules = {
    'policy', -- Enforce query/response policies
    'view', -- Views for certain clients
    'hints > iterate', -- Load /etc/hosts and allow custom root hints
    'stats', -- Track internal statistics
    'predict', -- Prefetch soon-to-expire records
}
-- Cache configuration
cache.open(4096 * MB, env.CACHE_STORAGE)
cache.max_ttl(1 * 3600) -- 1 hour
cache.min_ttl(5) -- 5 seconds
-- DNSSEC configuration
trust_anchors.file = 'root.keys' -- Enable RFC5011
```
The log:
```
2017-11-22T04:33:19.000 host1 error: /usr/local/lib/kdns_modules/predict.lua:34: 'struct rr_type' has no member named 'TYPE65535'
2017-11-22T23:38:20.000 host1 kresd: daemon/io.c:51: session_clear: Assertion `s->outgoing || s->tasks.len == 0' failed.
```
2017 Q4

https://gitlab.nic.cz/knot/knot-resolver/-/issues/278
confusing error message when root hints cannot be loaded
2017-12-17T01:10:17+01:00
Horigome Yoshihito

I compile 1.5.0 from the source file and try to find the root.hints file even though I set the following parameters in the setting file.
```
modules = {
    'view', -- Views for certain clients
    predict = {
        window = 60, -- 60 minutes sampling window
        period = 24*(60/15) -- track last 24 hours
    },
    'daf',
    'hints', -- Load /etc/hosts and allow custom root hints
    'stats', -- Track internal statistics
}
modules.list() -- Check module call order
hints.root_file = ('named.root')
```
```
$ sudo kresd --version
Knot DNS Resolver, version 1.5.0
```
```
$ sudo /usr/local/sbin/kresd -c /etc/knot-resolver/kresd.conf -v -f 1 -k /etc/knot-resolver/root.keys /var/knot-resolver
[system] bind to 'fe80::25fb:404d:7dd0:3f8b@9953' Invalid argument
[ 0][plan] plan '.' type 'DNSKEY'
[46588][iter] '.' type 'DNSKEY' id was assigned, parent id 0
[46588][resl] => using root hints
[50083][iter] '.' type 'DNSKEY' id was assigned, parent id 0
[50083][resl] => no valid NS left
[ 0][resl] finished: 8, queries: 1, mempool: 81952 B
[ ta ] new state of trust anchors for a domain:
. 172800 DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
[ ta ] new state of trust anchors for a domain:
. 172800 DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
. 172800 DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
error when opening '/etc/knot-resolver//root.hints': failed to open root hints file
```

https://gitlab.nic.cz/knot/knot-resolver/-/issues/284
detect_time_jump fires on suspend-to-RAM
2018-02-14T11:04:34+01:00
Vladimír Čunát vladimir.cunat@nic.cz

~~I'm not sure why exactly. I hope it's just "some race" and not suspend-to-RAM breaking differences between real and monotonic time.~~
Seems low-priority; maybe noticeable in notebooks running kresd, losing cache on resume.
Vladimír Čunát vladimir.cunat@nic.cz

https://gitlab.nic.cz/knot/knot-resolver/-/issues/285
Knot resolver 1.5.1 hangs doing dns over tls on port 853 in a tight loop on SIGPIPE
2018-01-08T12:41:15+01:00
John

Knot resolver 1.5.1 crashed doing dns over tls on port 853
```
Program received signal SIGPIPE, Broken pipe.
0x00007f91958144a0 in __write_nocancel () at ../sysdeps/unix/syscall-template.S:84
84 ../sysdeps/unix/syscall-template.S: No such file or directory.
(gdb) bt
#0 0x00007f91958144a0 in __write_nocancel () at ../sysdeps/unix/syscall-template.S:84
#1 0x00007f9195a33a93 in ?? () from /usr/lib/x86_64-linux-gnu/libuv.so.1
#2 0x00007f9195a35514 in uv_write2 () from /usr/lib/x86_64-linux-gnu/libuv.so.1
#3 0x00007f9195a355f5 in uv_try_write () from /usr/lib/x86_64-linux-gnu/libuv.so.1
#4 0x00005646d9e8fc67 in kres_gnutls_push (h=<optimized out>, buf=<optimized out>, len=<optimized out>) at daemon/tls.c:75
#5 0x00007f91952640f5 in ?? () from /usr/lib/x86_64-linux-gnu/libgnutls.so.30
#6 0x00007f9195264782 in ?? () from /usr/lib/x86_64-linux-gnu/libgnutls.so.30
#7 0x00007f919525f675 in ?? () from /usr/lib/x86_64-linux-gnu/libgnutls.so.30
#8 0x00007f91952618b1 in gnutls_record_send () from /usr/lib/x86_64-linux-gnu/libgnutls.so.30
#9 0x00007f9195261988 in gnutls_record_uncork () from /usr/lib/x86_64-linux-gnu/libgnutls.so.30
#10 0x00005646d9e8fdab in tls_push (task=<optimized out>, handle=<optimized out>, pkt=pkt@entry=0x5646db0d4908)
at daemon/tls.c:220
#11 0x00005646d9e8a0a0 in qr_task_send (task=task@entry=0x5646db0d30b0, handle=0x5646db0defb0, addr=addr@entry=0x5646db0d3250,
pkt=0x5646db0d4908) at daemon/worker.c:487
#12 0x00005646d9e8a31f in qr_task_finalize (task=0x5646db0d30b0, state=4) at daemon/worker.c:733
#13 0x00005646d9e8aa0e in qr_task_step (task=0x5646db0d30b0, packet_source=packet_source@entry=0x7ffc48c3b580,
packet=0x5646dad92510) at daemon/worker.c:761
#14 0x00005646d9e8b240 in worker_submit (worker=worker@entry=0x7f9196478010, handle=handle@entry=0x5646db0d71b0,
msg=<optimized out>, addr=addr@entry=0x7ffc48c3b580) at daemon/worker.c:885
#15 0x00005646d9e8587b in udp_recv (handle=0x5646db0d71b0, nread=<optimized out>, buf=<optimized out>, addr=0x7ffc48c3b580,
flags=<optimized out>) at daemon/io.c:152
#16 0x00007f9195a37999 in ?? () from /usr/lib/x86_64-linux-gnu/libuv.so.1
#17 0x00007f9195a396d8 in ?? () from /usr/lib/x86_64-linux-gnu/libuv.so.1
#18 0x00007f9195a2b0ac in uv_run () from /usr/lib/x86_64-linux-gnu/libuv.so.1
#19 0x00005646d9e85477 in run_worker (control_fd=-1, leader=true, ipc_set=0x7ffc48c3e8b0, engine=0x7ffc48c3e8f0,
loop=0x7f9195c43760) at daemon/main.c:407
#20 main (argc=<optimized out>, argv=<optimized out>) at daemon/main.c:759
```
2018 Q1

https://gitlab.nic.cz/knot/knot-resolver/-/issues/287
crash on startup if cache directory is not writeable
2018-09-12T11:08:36+02:00
Petr Špaček

```
$ chmod u-w .
$ kresd
[cache] LMDB error: Permission denied
kresd: lib/cdb_lmdb.c:67: lmdb_error: Assertion `false' failed.
Aborted (core dumped)
```

https://gitlab.nic.cz/knot/knot-resolver/-/issues/292
tls forwarding: there are high likelihood of msg-id duplication for active query under heavy load
2018-02-16T11:04:58+01:00
Grigorii Demidov

https://gitlab.nic.cz/knot/knot-resolver/-/issues/293
forwarding: knot doesn't repeat query when receives SERVFAIL or REFUSE answer.
2018-02-02T18:19:18+01:00
Grigorii Demidov
2018 Q1

https://gitlab.nic.cz/knot/knot-resolver/-/issues/296
regression: failure to follow a referral (sometimes?)
2018-02-02T18:20:10+01:00
Vladimír Čunát vladimir.cunat@nic.cz

Test case: `www.automobile.fr. AAAA`, bisected to commit e7c5c102d0eb. (In particular, it works OK on 1.5.1.)
Interesting part from log:
```
[52590][iter] 'www.automobile.fr.' type 'AAAA' id was assigned, parent id 0
[52590][resl] => querying: '2a04:cb41:a516:3::3' score: 10 zone cut: 'automobile.fr.' m12n: 'WWW.automOBilE.fr.' type: 'AAAA' proto: 'udp'
[52590][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 52590
;; Flags: qr QUERY: 1; ANSWER: 0; AUTHORITY: 4; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1280 B; ext-rcode: Unused
;; QUESTION SECTION
www.automobile.fr. AAAA
;; AUTHORITY SECTION
www.automobile.fr. 600 NS ns1.p13.dynect.net.
www.automobile.fr. 600 NS ns2.p13.dynect.net.
www.automobile.fr. 600 NS ns3.p13.dynect.net.
www.automobile.fr. 600 NS ns4.p13.dynect.net.
[52590][iter] <= referral response, follow
[52590][ rc ] => stashing rank: 010, NS www.automobile.fr.
[40645][iter] 'www.automobile.fr.' type 'AAAA' id was assigned, parent id 0
[40645][plan] plan 'dns47-2.mobile.de.' type 'A'
[27333][iter] 'dns47-2.mobile.de.' type 'A' id was assigned, parent id 40645
[27333][ rc ] => rank: 001, lowest 000, A dns47-2.mobile.de.
[27333][ rc ] => satisfied from cache
[27333][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 27333
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
dns47-2.mobile.de. A
;; ANSWER SECTION
dns47-2.mobile.de. 86400 A 91.211.75.18
[27333][iter] <= rcode: NOERROR
[40645][iter] <= using glue for 'dns47-2.mobile.de.': '91.211.75.18'
[28159][iter] 'www.automobile.fr.' type 'AAAA' id was assigned, parent id 0
[28159][resl] => querying: '91.211.75.18' score: 10 zone cut: 'www.automobile.fr.' m12n: 'www.AutOMoBILe.fr.' type: 'AAAA' proto: 'udp'
```
On the last line kresd queries `@dns47-2.mobile.de.` (again), despite getting referral for the `www` zone to `ns*.p13.dynect.net.` in the previous iteration step.
Another example: `settings.services.mozilla.com. SOA`. This one also gets broken on that commit though the log _looks_ different: `mirror.nsc.liu.se. CNAME`.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/297
docker start fails on libstdc++.so.6 @ ahocorasick.so
2018-01-25T15:39:58+01:00
Ghost User

Hi,
`docker run cznic/knot-resolver`
results in
`error: error loading module 'ahocorasick' from file '/usr/local/lib/kdns_modules/ahocorasick.so':
Error loading shared library libstdc++.so.6: No such file or directory (needed by /usr/local/lib/kdns_modules/ahocorasick.so)
[system] error error: No such file or directory`
I tried a Dockerfile from https://hub.docker.com/r/cznic/knot-resolver/~/dockerfile/
It compiles, but it does not run.
I unsuccessfully tried it on multiple Ubuntu hosts, no good. I also tried to install *libstdc++.6*, or change LD_LIBRARY_PATH=/usr/lib/x86_64-linux-gnu/ (or another), but the outcome was always the same.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/301
Kresd segfault on resolving domain name from hints
2018-02-13T16:49:44+01:00
Maria Matejka

Using this config file:
```
net = { '127.0.0.1', '::1', '192.168.7.200' }
user('knot-resolver','knot-resolver')
modules = { 'hints < iterate' }
hints.set("dns.msftncsi.com. 192.168.7.200")
```
and resolving (`dig dns.msftncsi.com @localhost`) causes kresd to segfault. Stack trace is like this:
```
#0 0x00007ffff7948183 in knot_dname_is_equal () from /usr/lib/x86_64-linux-gnu/libknot.so.7
#1 0x00007ffff3870a80 in ?? () from /usr/local/lib/kdns_modules/hints.so
#2 0x00007ffff3871454 in ?? () from /usr/local/lib/kdns_modules/hints.so
#3 0x00007ffff7b87a98 in kr_resolve_produce () from /usr/local/lib/libkres.so.4
#4 0x00005555555603b5 in ?? ()
#5 0x000055555555b65b in ?? ()
#6 0x00007ffff72c318b in ?? () from /usr/lib/x86_64-linux-gnu/libuv.so.1
#7 0x00007ffff72c4ef8 in ?? () from /usr/lib/x86_64-linux-gnu/libuv.so.1
#8 0x00007ffff72b6934 in uv_run () from /usr/lib/x86_64-linux-gnu/libuv.so.1
#9 0x000055555555b465 in ?? ()
#10 0x00007ffff5e122b1 in __libc_start_main (main=0x55555555a240, argc=5, argv=0x7fffffffe4a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe498) at ../csu/libc-start.c:291
#11 0x000055555555b4ba in _start ()
```

https://gitlab.nic.cz/knot/knot-resolver/-/issues/306
TLS forwarding: configure multiple IPv4 targets
2018-02-15T10:40:53+01:00
Tomas Krizek

TLS forwarding can't be configured with multiple IPv4 targets. Attempting to do so results in `TLS_FORWARD configuration cannot declare two configs for IP address A.B.C.D` error. It doesn't affect IPv6.
Reproducer: extend [modules/policy/policy.test.lua](https://gitlab.labs.nic.cz/knot/knot-resolver/blob/master/modules/policy/policy.test.lua) with the following test cases.
```
ok(policy.TLS_FORWARD({{'100:dead::', insecure=true},
                       {'100:beef::', insecure=true}
                      }), 'TLS_FORWARD with different IPv6 addresses is allowed')
ok(policy.TLS_FORWARD({{'127.0.0.1', insecure=true},
                       {'127.0.0.2', insecure=true}
                      }), 'TLS_FORWARD with different IPv4 addresses is allowed')
```
For some reason, `ffi.string(sockaddr_c, ffi.C.kr_inaddr_len(sockaddr_c))` ([policy.lua#L212](https://gitlab.labs.nic.cz/knot/knot-resolver/blob/master/modules/policy/policy.lua#L212)) returns the same value for different IPv4 addresses.
Vladimír Čunát vladimir.cunat@nic.cz

https://gitlab.nic.cz/knot/knot-resolver/-/issues/307
debian stretch PPA: missing icann-ca.pem
2018-02-28T10:18:47+01:00
Ghost User

If I install the current knot-resolver package (1.5.0-1+0~20171112102149.11+stretch~1.gbp1554e1) from the project's debian repositories I can't get it running with the following error:
```
/usr/lib/knot-resolver/trust_anchors.lua:380: [ ta ] fetch of "https://data.iana.org/root-anchors/root-anchors.xml" failed: error loading CA locations (No such file or directory)
[ ta ] Failed to bootstrap root trust anchors; see:
https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec
```
Looking further with strace there is call to open `/etc/knot-resolver/icann-ca.pem`
```
open("/etc/knot-resolver/icann-ca.pem", O_RDONLY) = -1 ENOENT (No such file or directory)
```
But querying the package files with `dpkg-query -L knot-resolver` shows that the requested file is also missing in the package.
```
/etc
/etc/default
/etc/default/kresd
/etc/init.d
/etc/init.d/kresd
/etc/knot-resolver
/etc/knot-resolver/kresd.conf
```
These are the only files in the `/etc` directory. So the missing file should be added to the package if the code depends on it. Adding the missing file fixed the problem in my local installation.
Tomas Krizek

https://gitlab.nic.cz/knot/knot-resolver/-/issues/308
debian stretch PPA: systemd service doesn't have privileges to bind to well-known ports
2018-02-28T10:19:28+01:00
Ghost User

If I install the current knot-resolver package (1.5.0-1+0~20171112102149.11+stretch~1.gbp1554e1) from the project's debian repositories to an up-to-date debian stretch I can't get it running because it can't bind to the configured interface addresses.
The problem is that the daemon is started as user knot-resolver over systemd. This user doesn't have the permission to bind to the necessary interface addresses and port configured in the config. Also the dropping of permissions over the config doesn't work because there are no permissions to drop. This looks like a wrong default value for the user in the systemd config file. If this is on purpose there should be a hint in the documentation and default config file.
Tomas Krizek

https://gitlab.nic.cz/knot/knot-resolver/-/issues/315
policy.TLS_FORWARD emits UDP packets (cleartext DNS) on port 853 after some time
2018-02-21T19:59:40+01:00
Daniel Kahn Gillmor

I set up a local `kresd` instance, version 2.1.0 on debian testing/unstable, with the following policy:
```
policy.add(policy.all(policy.TLS_FORWARD({{'9.9.9.9', hostname='dns.quad9.net', ca_file='/etc/ssl/certs/ca-certificates.crt'}})))
```
I did a few queries on it while using wireshark to gather all traffic to/from `9.9.9.9`.
As expected, most traffic was TCP port 853, consisting of TLS traffic.
However, i did see occasional bursts of UDP traffic, also on port 853.
that traffic appears to actually be cleartext UDP traffic, described by wireshark (when i decode it as DNS) as:
```
W.X.Y.Z 9.9.9.9 DNS 70 Standard query 0x1c30 DNSKEY <Root> OPT
```
perhaps this is intended to be a priming query?
note that 9.9.9.9 sends ICMP "Host administratively prohibited" responses to UDP traffic on port 853. They only support TLS (over TCP).
In another case, i saw a query going out for an actual A record:
```
W.X.Y.Z 9.9.9.9 DNS 83 Standard query 0x08ee A WWW.IetF.org OPT
```
So in addition to a bug, this appears to be a leak of the private dns request! I have not tried to debug it further.
Grigorii Demidov

https://gitlab.nic.cz/knot/knot-resolver/-/issues/318
map_set is used incorrectly on some places
2018-05-03T17:06:32+02:00
Vladimír Čunát vladimir.cunat@nic.cz

Probably due to misleading API docs; when it returns 1, it's replaced the value, but sometimes we free the value afterwards assuming ENOMEM. Some `set_add` call sites might also be affected.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/321
resolving broken DNSSEC domain with CD flag sometimes returns SERVFAIL
2018-02-27T15:32:36+01:00
Tomas Krizek

When DNSSEC validation is turned on and I attempt to resolve a broken DNSSEC domain with the CD flag on, kresd should return NOERROR. Instead, it occasionally returns SERVFAIL.
```
dig rhybar.cz +cd
```
[log.txt](/uploads/64e219320eef0f1eb4c8faae5478a19d/log.txt): when kresd returns SERVFAIL

https://gitlab.nic.cz/knot/knot-resolver/-/issues/322
DAF module doesn't work properly
2019-12-18T15:48:15+01:00
Jan Pavlinec

I was following instruction from stable documentation http://knot-resolver.readthedocs.io/en/stable/modules.html#dns-application-firewall
Tests were done on omnia (knot-resolver 2.0.0) I was cleaning cache after every test.
```
daf.add 'qname ~ atlas.cz mirror 147.229.9.43'
```
Returns 2018-02-27T15:55:13+01:00 err kresd[7435]: **/usr/lib/kdns_modules/policy.lua:70: missing luasocket, can't create socket client**
```
daf.add('dst = 185.17.117.32 deny')
--or
daf.add('dst = 185.17.117.32 drop')
```
Doesn't work (dig idnes.cz returns NOERROR and ip 185.17.117.32). src rule acts in the same way.
```
daf.add('qname = idnes.cz deny')
-- or
daf.add('qname = idnes.cz drop')
-- or
daf.add('qname = idnes.cz pass')
```
Partly works (dig idnes.cz returns SERVFAIL every time)
For me it seems that action part is always broken.
Marek Vavrusa

https://gitlab.nic.cz/knot/knot-resolver/-/issues/329
Daemon is leaking requests
2018-06-20T20:02:58+02:00
Marek Vavrusa
The server seems to be leaking requests since version 2.0. This is the graph of `worker.stats().concurrent` between restarts:
![Screen_Shot_2018-03-18_at_11.55.51_PM](/uploads/312ed5998f674b4cff442dc614744512/Screen_Shot_2018-03-18_at_11.55.51_PM.png)
This counter gets incremented every time a new task gets created https://gitlab.labs.nic.cz/knot/knot-resolver/blob/master/daemon/worker.c#L690 and decremented every time it gets freed, so that doesn't look right.
I managed to reproduce it:
1. Compile from latest master, start with no special configuration: `/usr/local/sbin/kresd -a 127.0.0.1#5354 -k root.keys`
2. Run dnsperf with the sample query data from https://www.nominum.com/measurement-tools/ for some time (~ 125651 queries) and stop it
3. Check `worker.stats()` in console, it should drain to zero over time, but it stays 5-20 concurrent queries forever
```
> worker.stats()
[rss] => 73400320
[pagefaults] => 5330
[concurrent_requests] => 18
[queries] => 125651
[systime] => 198.250469
[timeout] => 8186
[csw] => 151011
[swaps] => 0
[udp] => 156770
[dropped] => 0
[ipv6] => 50576
[concurrent] => 18
[tcp] => 1848
[ipv4] => 108042
[usertime] => 22.501294
```
(I added tracking of `worker->stats.rconcurrent` just to make sure it's the same as `worker->stats.concurrent`)
cc @anb @vendemiat
Marek Vavrusa

https://gitlab.nic.cz/knot/knot-resolver/-/issues/334
knot-resolver 2.2.0 crashes when malformed response, which include SIG record in authority section, is received.
2018-05-31T10:22:34+02:00
Toshifumi Sakaguchi
## Overview
Knot-resolver crashes when malformed response is received from a malicious
authoritative server in my test environment.
response from authoritative server.
```
;; QUESTION SECTION:
;www.example.com. IN A
;; AUTHORITY SECTION:
www.example.com. 600 CH SIG A 1 3 3600 19700102034640 19700101135320 174 www.example.com. AQE.... snip ....
```
message at crash.
```
# /usr/local/sbin/kresd -c /usr/local/etc/knot-resolver/kresd.conf
[system] interactive mode
> kresd: lib/cache/api.c:254: key_exact_type_maypkt: Assertion `!knot_rrtype_is_metatype(type)' failed.
Aborted
```
Please read README.md which includes reproduce steps.
[README.md](/uploads/1f87bb00d6ce354120772fc2d1f4dd60/README.md)
[test-files.tar.gz](/uploads/9633ee2f097827b3149758f4b886a0d7/test-files.tar.gz)
[test-tools.tar.gz](/uploads/22cb32ed448550be29e8f55a2d6994dc/test-tools.tar.gz)
2018 Q2
Vladimír Čunát vladimir.cunat@nic.cz

https://gitlab.nic.cz/knot/knot-resolver/-/issues/335
knot-resolver 2.2.0 segfault when malformed response, which has label "\000".
2018-05-31T10:16:51+02:00
Toshifumi Sakaguchi
## Overview
Knot-resolver crashes when malformed response is received from a malicious
authoritative server in my test(fuzzing) environment.
response from authoritative server.
```
;; QUESTION SECTION:
;www.example.com. IN A
;; AUTHORITY SECTION:
www.example.com. 600 IN NS \000.example.com.
;; ADDITIONAL SECTION:
\000.example.com. 600 IN A 192.168.33.101
```
message at crash.
```
# /usr/local/sbin/kresd -c /usr/local/etc/knot-resolver/kresd.conf
[system] interactive mode
> Segmentation fault
```
debugger output.
```
# gdb /usr/local/sbin/kresd
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-100.el7_4.1
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/sbin/kresd...(no debugging symbols found)...done.
(gdb) run -c /usr/local/etc/knot-resolver/kresd.conf
Starting program: /usr/local/sbin/kresd -c /usr/local/etc/knot-resolver/kresd.conf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[system] interactive mode
>
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7947488 in knot_dname_lf () from /lib64/libknot.so.7
Missing separate debuginfos, use: debuginfo-install glibc-2.17-196.el7_4.2.x86_64 gmp-6.0.0-15.el7.x86_64 gnutls-3.3.26-9.el7.x86_64 knot-libs-2.6.5-1.el7.x86_64 libcap-ng-0.7.5-4.el7.x86_64 libffi-3.0.13-18.el7.x86_64 libgcc-4.8.5-16.el7_4.2.x86_64 libstdc++-4.8.5-16.el7_4.2.x86_64 libtasn1-4.10-1.el7.x86_64 libuv-1.10.2-1.el7.x86_64 lmdb-libs-0.9.18-1.el7.x86_64 luajit-2.0.4-3.el7.x86_64 nettle-2.7.1-8.el7.x86_64 p11-kit-0.23.5-3.el7.x86_64 zlib-1.2.7-17.el7.x86_64
(gdb) list
No symbol table is loaded. Use the "file" command.
(gdb) bt
#0 0x00007ffff7947488 in knot_dname_lf () from /lib64/libknot.so.7
#1 0x00007ffff7b7736f in peek_exact_real.isra.9 ()
from /usr/local/lib/libkres.so.7
#2 0x00007ffff7b8ea23 in kr_zonecut_find_cached ()
from /usr/local/lib/libkres.so.7
#3 0x00007ffff7b88aae in zone_cut_check () from /usr/local/lib/libkres.so.7
#4 0x00007ffff7b8a657 in kr_resolve_produce ()
from /usr/local/lib/libkres.so.7
#5 0x0000555555561c83 in qr_task_step ()
#6 0x000055555555c19a in udp_recv ()
#7 0x00007ffff72c2696 in uv__udp_io () from /lib64/libuv.so.1
#8 0x00007ffff72c42e8 in uv__io_poll () from /lib64/libuv.so.1
#9 0x00007ffff72b5db8 in uv_run () from /lib64/libuv.so.1
#10 0x000055555555bd19 in main ()
```
## Environment
### IP Addresses of each servers.
* root DNS server: 192.168.33.100/24
* malicious authoritative server: 192.168.33.101/24
* victim full service resolver: 192.168.33.102/24
### OS, Software of each servers.
#### root DNS server
* OS: CentOS 7.4 x86_64 on VirtualBox VM
* DNS: bind
#### Malicious authoritative server
* OS: CentOS 7.4 x86_64 on VirtualBox VM
#### victim full service resolver
* OS: CentOS 7.4 x86_64 on VirtualBox VM
* DNS: knot-resolver 2.2.0
## Setup steps of Environment
### root servers
Install CentOS 7.4 from install ISO image.
Set IP address VM to 192.168.33.100/24.
Set firewalld.
```
# firewall-cmd --zone=public --add-service=dns --permanent
# firewall-cmd --reload
```
Install Bind.
```
# yum install bind bind-utils
```
Upload and extract test-files.tar.gz
```
# cd /tmp
# tar xzf /path/to/test-files.tar.gz
```
Copy named.conf and root zone file.
```
# cp /tmp/test-files/root.named.conf /etc/named.conf
# cp /tmp/test-files/root.zone /var/named/root.zone
# chmod 644 /var/named/root.zone
```
Start named.
```
# systemctl start named
# systemctl enable named
```
#### Malicious authoritative server
Install CentOS 7.4 from install ISO image.
Set IP address to 192.168.33.101/24.
Set firewalld
```
# firewall-cmd --zone=public --add-service=dns --permanent
# firewall-cmd --reload
```
Install Build tools.
```
# yum install epel-release
# yum install gcc-c++ boost-devel wget perl yaml-cpp-devel bind-utils
# wget https://cmake.org/files/v3.10/cmake-3.10.0-Linux-x86_64.sh
# sh cmake-3.10.0-Linux-x86_64.sh --skip-license --prefix=/usr/local
```
Install openssl 1.0.1 from source file.
```
# wget https://www.openssl.org/source/openssl-1.1.0g.tar.gz
# tar xzf openssl-1.1.0g.tar.gz
# cd openssl-1.1.0g
# ./config
# make
# make install
```
Upload and extract test-tools.tar.gz.
```
# cd /tmp
# tar xzf /path/to/test-tools.tar.gz
# cd test-tools
# OPENSSL_ROOT_DIR=/usr/local/ssl cmake .
# make
```
Start DNS service foreground.
```
# ./bin/knot-dname_lf
```
Login to authoritative server from other terminal, and check response of knot-dname_lf on other terminal.
```
# dig \@127.0.0.1 www.example.com a +norec
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> @127.0.0.1 www.example.com a +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44651
;; flags: qr aa ad cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.example.com. IN A
;; AUTHORITY SECTION:
www.example.com. 600 IN NS \000.example.com.
;; ADDITIONAL SECTION:
\000.example.com. 600 IN A 192.168.33.101
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Apr 04 01:10:59 JST 2018
;; MSG SIZE rcvd: 104
```
### victim full service resolver
Install CentOS 7.4 from install ISO image.
Set IP address to 192.168.33.102/24.
Install Build tools.
```
# yum install epel-release
# yum install gcc-c++ openssl-devel wget knot-devel bind-utils luajit-devel libuv-devel
```
Install knot-resolver
```
# wget https://secure.nic.cz/files/knot-resolver/knot-resolver-2.2.0.tar.xz
# tar xJf knot-resolver-2.2.0.tar.xz
# cd knot-resolver-2.2.0
# make CFLAGS=-DNDEBUG
# make install
# echo /usr/local/lib > /etc/ld.so.conf.d/knot.conf
# ldconfig
```
Upload and extract test-files.tar.gz.
```
# cd /tmp
# tar xzf /path/to/test-files.tar.gz
```
Copy kresd.conf and hints file.
```
# cp /tmp/test-files/kresd.conf /usr/local/etc/knot-resolver
# cp /tmp/test-files/root.hints /usr/local/etc/knot-resolver
```
Start knot-resolver
```
# mkdir -p /tmp/db
# cd /tmp/db
# rm -f * ; /usr/local/sbin/kresd -c /usr/local/etc/knot-resolver/kresd.conf
```
Login to victim full service resolver from other terminal, and send queries to knot-resolver.
```
# sh -x /tmp/test-files/crash.sh
```
Check knot-resolver process.
```
# /usr/local/sbin/kresd -c /usr/local/etc/knot-resolver/kresd.conf
[system] interactive mode
> Segmentation fault
```
[test-files.tar.gz](/uploads/afe8c7be07dd8efdc28b28f28516509c/test-files.tar.gz)
[test-tools.tar.gz](/uploads/79014a2e4e99983e5662412c8d88a0d6/test-tools.tar.gz)

https://gitlab.nic.cz/knot/knot-resolver/-/issues/336
crash while processing malformed query with 0 question with OPT
2018-05-31T10:23:09+02:00
vendemiat
```
(gdb) bt
#0 knot_wire_is_pointer (pos=0x557aac60607c "\300\f") at ./libknot/packet/wire.h:901
#1 knot_wire_get_pointer (pos=0x557aac60607c "\300\f") at libknot/packet/wire.c:122
#2 0x00007f6bee68c105 in knot_wire_seek_label (wire=0x557aac605ff0 "", lp=<optimized out>) at ./libknot/packet/wire.h:910
#3 knot_wire_next_label (wire=0x557aac605ff0 "", lp=<optimized out>) at ./libknot/packet/wire.h:920
#4 knot_dname_labels (name=<optimized out>, pkt=0x557aac605ff0 "") at libknot/dname.c:781
#5 0x00007f6bee68e7e8 in knot_pkt_put (pkt=0x557aac5c9760, compr_hint=<optimized out>, rr=0x557aac5c9868, flags=<optimized out>)
at libknot/packet/pkt.c:563
#6 0x00007f6bee9254e9 in kr_resolve_finish () from /usr/local/lib/libkres.so.6
#7 0x0000557aa81ecb26 in ?? ()
#8 0x0000000000000106 in ?? ()
#9 0x0000557aac5c7eb0 in ?? ()
#10 0x0000000000000106 in ?? ()
#11 0x0000000000000008 in ?? ()
#12 0x00007f6beedad010 in ?? ()
#13 0x0000557aa81edae9 in ?? ()
#14 0x0000000000000000 in ?? ()
(gdb) f 5
#5 0x00007f6bee68e7e8 in knot_pkt_put (pkt=0x557aac5c9760,
compr_hint=<optimized out>, rr=0x557aac5c9868, flags=<optimized out>)
at libknot/packet/pkt.c:563
563 libknot/packet/pkt.c: No such file or directory.
(gdb) print pkt
$4 = (knot_pkt_t *) 0x557aac5c9760
(gdb) print *pkt
$5 = {wire = 0x557aac605ff0 "", size = 12, max_size = 65535, parsed = 0,
reserved = 0, qname_size = 0, rrset_count = 0, flags = 2,
opt_rr = 0x557aac5c9868, tsig_rr = 0x0, tsig_wire = {pos = 0x0, len = 0},
current = KNOT_ADDITIONAL, sections = {{pkt = 0x557aac5c9760, pos = 0,
count = 0}, {pkt = 0x557aac5c9760, pos = 0, count = 0}, {
pkt = 0x557aac5c9760, pos = 0, count = 0}}, rrset_allocd = 16,
rr_info = 0x557aac5c9898, rr = 0x557aac5c9ad8, mm = {ctx = 0x557aac5c7e40,
alloc = 0x557aa81faee0 <mp_alloc>, free = 0x0}, compr = {
wire = 0x557aac605ff0 "", rrinfo = 0x557aac5c9898, suffix = {pos = 12,
labels = 0 '\000'}}}
(gdb) print rr
$6 = (const knot_rrset_t *) 0x557aac5c9868
(gdb) print *rr
$7 = {owner = 0x557aac5c9860 "", type = 41, rclass = 1536, rrs = {
rr_count = 1, data = 0x557aac5c9890 ""}, additional = 0x0}
```
it shouldn't read qname if it's not there
https://github.com/CZ-NIC/knot/blob/master/src/libknot/packet/pkt.c#L522
cc @vavrusam @anb
Grigorii Demidov

https://gitlab.nic.cz/knot/knot-resolver/-/issues/346
www.nrl.navy.mil. validation broken without query minimization
2018-09-04T16:29:06+02:00
Filip Siroky
Validation is broken without query minimization for www.nrl.navy.mil. after it was fixed with it in merge !543.
Kresd log:
[server.log](/uploads/199eaec49170e46882d23c12e6db646b/server.log)
Deckard scenario:
[gen_navy.rpl](/uploads/aaa46e764a232e811ee9d32813953325/gen_navy.rpl)

https://gitlab.nic.cz/knot/knot-resolver/-/issues/347
knot-resolver fails to build from source on hurd due to missing MAXPATHLEN
2018-05-03T12:48:02+02:00
Daniel Kahn Gillmor
the [debian hurd build daemon](https://buildd.debian.org/status/fetch.php?pkg=knot-resolver&arch=hurd-i386&ver=2.3.0-2&stamp=1524785893&raw=0) shows:
```
daemon/engine.c: In function 'engine_set_moduledir':
daemon/engine.c:231:15: error: 'MAXPATHLEN' undeclared (first use in this function); did you mean 'MAXNAMLEN'?
char l_paths[MAXPATHLEN] = { 0 };
^~~~~~~~~~
MAXNAMLEN
```
See [Justus Winter's thoughts on MAXPATHLEN](https://lists.debian.org/debian-hurd/2012/01/msg00166.html) about why this might not be something worth relying on.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/366
knot-resolver 2.3.0 aborted with "kresd: libknot/packet/pkt.c:84: pkt_wire_alloc: Assertion `len >= KNOT_WIRE_HEADER_SIZE' failed."
2018-08-02T16:15:47+02:00
Toshifumi Sakaguchi
## Overview
Kresd aborted with following messages in my test(fuzzing) environment.
```
# rm -f *mdb ; /usr/local/sbin/kresd -c /usr/local/etc/knotolver/kresd.conf
[system] interactive mode
> [ ta ] key: 59407 state: Valid
[ ta ] next refresh for . in 12 hours
kresd: libknot/packet/pkt.c:84: pkt_wire_alloc: Assertion `len >= KNOT_WIRE_HEADER_SIZE' failed.
Aborted (core dumped)
```
debugger output.
```
# gdb /usr/local/sbin/kresd
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-110.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/sbin/kresd...done.
(gdb) core-file core.25240
[New LWP 25240]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/local/sbin/kresd -c /usr/local/etc/knot-resolver/kresd.conf'.
Program terminated with signal 6, Aborted.
#0 0x00007fc078ef3277 in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install glibc-2.17-222.el7.x86_64 gmp-6.0.0-15.el7.x86_64 gnutls-3.3.26-9.el7.x86_64 libffi-3.0.13-18.el7.x86_64 libgcc-4.8.5-28.el7_5.1.x86_64 libstdc++-4.8.5-28.el7_5.1.x86_64 libtasn1-4.10-1.el7.x86_64 libuv-1.19.2-1.el7.x86_64 luajit-2.0.4-3.el7.x86_64 nettle-2.7.1-8.el7.x86_64 p11-kit-0.23.5-3.el7.x86_64 zlib-1.2.7-17.el7.x86_64
(gdb) bt
#0 0x00007fc078ef3277 in raise () from /lib64/libc.so.6
#1 0x00007fc078ef4968 in abort () from /lib64/libc.so.6
#2 0x00007fc078eec096 in __assert_fail_base () from /lib64/libc.so.6
#3 0x00007fc078eec142 in __assert_fail () from /lib64/libc.so.6
#4 0x00007fc07a719f04 in pkt_wire_alloc (len=11, pkt=0x559f324636b8)
at libknot/packet/pkt.c:84
#5 pkt_init (mm=0x559f324608a8, len=11, wire=0x0, pkt=0x559f324636b8)
at libknot/packet/pkt.c:200
#6 pkt_new_mm (mm=0x559f324608a8, len=11, wire=0x0)
at libknot/packet/pkt.c:252
#7 knot_pkt_new (wire=wire@entry=0x0, len=11, mm=mm@entry=0x559f324608a8)
at libknot/packet/pkt.c:270
#8 0x00007fc07a96d817 in consume_yield (ctx=ctx@entry=0x7ffd9c03a850,
pkt=pkt@entry=0x559f2983d500) at lib/resolve.c:78
#9 0x00007fc07a96f3a7 in kr_resolve_consume (
request=request@entry=0x559f32460770, src=src@entry=0x7ffd9c03aa10,
packet=packet@entry=0x559f2983d500) at lib/resolve.c:935
#10 0x0000559f27ac3455 in qr_task_step (task=0x559f32461a20,
packet_source=0x7ffd9c03aa10, packet=0x559f2983d500)
at daemon/worker.c:1565
#11 0x0000559f27ac5406 in worker_submit (worker=worker@entry=0x7fc07ad0e010,
handle=handle@entry=0x559f29842830, query=<optimized out>,
addr=<optimized out>, addr@entry=0x7ffd9c03aa10) at daemon/worker.c:1897
---Type <return> to continue, or q <return> to quit---
#12 0x0000559f27abd92a in udp_recv (handle=0x559f29842830,
nread=<optimized out>, buf=<optimized out>, addr=0x7ffd9c03aa10,
flags=<optimized out>) at daemon/io.c:166
#13 0x00007fc07a08fec6 in uv__udp_io () from /lib64/libuv.so.1
#14 0x00007fc07a091bb8 in uv__io_poll () from /lib64/libuv.so.1
#15 0x00007fc07a082f28 in uv_run () from /lib64/libuv.so.1
#16 0x0000559f27abd4a9 in run_worker (args=0x7ffd9c03de20,
leader=<optimized out>, ipc_set=0x7ffd9c03dca0, engine=0x7ffd9c03dfd0,
loop=0x7fc07a29dd00) at daemon/main.c:422
#17 main (argc=<optimized out>, argv=<optimized out>) at daemon/main.c:755
(gdb)
```
## Environments.
### IP Addresses of each servers.
* root DNS server: 192.168.33.100/24
* malicious authoritative server: 192.168.33.101/24
* victim full service resolver: 192.168.33.102/24
### OS, Software of each servers.
root DNS server
* OS: CentOS 7.5 x86_64 on VirtualBox VM
* DNS: bind
Malicious authoritative server
* OS: CentOS 7.5 x86_64 on VirtualBox VM
victim full service resolver
* OS: CentOS 7.5 x86_64 on VirtualBox VM
* DNS: knot-resolver 2.3.0, knot-dns(libknot) 2.6.7
## Reproduce steps
### root server
Install CentOS 7.5 from install ISO image.
Set IP address VM to 192.168.33.100/24.
Set firewalld.
```
# firewall-cmd --zone=public --add-service=dns --permanent
# firewall-cmd --reload
```
Install Bind.
```
# yum install -y bind bind-utils
```
Upload and extract test-files.tar.gz
```
# cd /tmp
# tar xzf /path/to/test-files.tar.gz
```
Copy named.conf and root zone file.
```
# cp /tmp/test-files/root.named.conf /etc/named.conf
# cp /tmp/test-files/root.zone.signed /var/named/root.zone.signed
# chmod 644 /var/named/root.zone.signed
```
Start named.
```
# systemctl start named
# systemctl enable named
```
### Malicious authoritative server
Install CentOS 7.5 from install ISO image.
Set IP address to 192.168.33.101/24.
Set firewalld
```
# firewall-cmd --zone=public --add-service=dns --permanent
# firewall-cmd --reload
```
Install Build tools.
```
# yum install -y epel-release
# yum install -y gcc-c++ boost-devel wget perl yaml-cpp-devel bind-utils gtest-devel
# wget https://cmake.org/files/v3.10/cmake-3.10.0-Linux-x86_64.sh
# sh cmake-3.10.0-Linux-x86_64.sh --skip-license --prefix=/usr/local
```
Install openssl 1.1.0 from source file.
```
# wget https://www.openssl.org/source/openssl-1.1.0g.tar.gz
# tar xzf openssl-1.1.0g.tar.gz
# cd openssl-1.1.0g
# ./config shared
# make
# make install
# echo /usr/local/lib64 > /etc/ld.so.conf.d/local.conf
# ldconfig
```
Upload and extract dns-fuzz-server.tar.gz.
```
# tar xzf /path/to/dns-fuzz-server.tar.gz
# cd dns-fuzz-server
# cmake .
# make
```
Start DNS service foreground.
```
# ./bin/fuzz_server -z example.com -f data/example.com.zone.full -K data/example.com.ksk.yaml -Z data/example.com.zsk.yaml -n 4
```
### victim full service resolver
Install CentOS 7.5 from install ISO image.
Set IP address to 192.168.33.102/24.
Set firewalld
```
# firewall-cmd --zone=public --add-service=dns --permanent
# firewall-cmd --reload
```
Install Build tools.
```
# yum install -y epel-release
# yum install -y gcc-c++ openssl-devel wget luajit-devel libuv-devel userspace-rcu-devel.x86_64 libedit-devel.x86_64 gcc-c++ gnutls-devel
```
Install knot-dns(libknot) 2.6.7 from source file.
```
$ wget https://secure.nic.cz/files/knot-dns/knot-2.6.7.tar.xz
$ tar xJf knot-2.6.7.tar.xz
$ cd knot-2.6.7
$ ./configure
$ make
$ su
# make install
```
Install knot-resolver 2.3.0 from source.
```
# wget https://secure.nic.cz/files/knot-resolver/knot-resolver-2.3.0.tar.xz
# tar xJf knot-resolver-2.3.0.tar.xz
# cd knot-resolver-2.3.0
# PKG_CONFIG_PATH=/usr/local/lib/pkgconfig make LDFLAGS="-Wl,-rpath=/usr/local/lib" PREFIX="/usr/local" CFLAGS="-DNDEBUG -g" install
```
Upload and extract test-files.tar.gz.
```
# cd /tmp
# tar xzf /path/to/test-files.tar.gz
```
Copy kresd.conf, trust anchor and hints file.
```
# cp /tmp/test-files/kresd.conf /usr/local/etc/knot-resolver
# cp /tmp/test-files/root.hints /usr/local/etc/knot-resolver
# cp /tmp/test-files/root.keys /usr/local/etc/knot-resolver
```
Start knot-resolver.
```
# mkdir -p /tmp/db
# cd /tmp/db
# rm -f * ; /usr/local/sbin/kresd -c /usr/local/etc/knot-resolver/kresd.conf
```
Login to malicious authoritative server, and send queries by `fuzz_client`.
```
# cd /path/to/dns-fuzz-server
# ./bin/fuzz_client -s 192.168.33.102 -b example.com -i 100
```
Please wait several hours or days.
[test-files.tar.gz](/uploads/014e5a07c6c80a5f29f03f1b31b4a15c/test-files.tar.gz)
[dns-fuzz-server.tar.gz](/uploads/39148d8d68c200350a0a34e7c85a8943/dns-fuzz-server.tar.gz)

https://gitlab.nic.cz/knot/knot-resolver/-/issues/374
in-bailiwick nameservers (possibly) not re-probed
2018-12-17T15:33:58+01:00
Vladimír Čunát vladimir.cunat@nic.cz
There is some possibility of getting into a situation when NS is never retried. Here's a 2.3.0 log (from Omnia):
```
[ 0][plan] plan 'ns.udag.de.' type 'A'
[22310][iter] 'ns.udag.de.' type 'A' id was assigned, parent id 0
[22310][cach] => skipping exact RR: rank 030 (min. 030), new TTL -7934
[22310][cach] => trying zone: udag.de.
[22310][cach] => NSEC sname: range search found stale or insecure entry
[22310][zcut] found cut: udag.de. (return codes: DS 1, DNSKEY 1)
[22310][resl] => NS is provably without DS, going insecure
[11561][iter] 'ns.udag.de.' type 'A' id was assigned, parent id 0
[ ][nsre] probing timeouted NS: 185.61.8.11, score 1910
[11561][plan] plan 'ns.udag.net.' type 'A'
[58910][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 11561
[58910][cach] => skipping exact RR: rank 030 (min. 000), new TTL -4331
[58910][cach] => trying zone: udag.net.
[58910][cach] => NSEC sname: range search found inconsistent entry
[58910][zcut] found cut: udag.net. (return codes: DS 1, DNSKEY 1)
[58910][resl] => NS is provably without DS, going insecure
[20592][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 11561
[20592][resl] => unresolvable NS address, bailing out
[20592][resl] => circular dependepcy, retrying with non-minimized name
[ 2400][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 11561
[ 2400][zcut] found cut: udag.net. (return codes: DS 1, DNSKEY 1)
[ 2400][resl] => NS is provably without DS, going insecure
[ 2400][resl] => unresolvable NS address, bailing out
Last message '[ 2400][resl] =>' repeated 1 times, suppressed by syslog-ng on turris
[ 2400][resl] => no valid NS left
[18717][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 11561
[18717][resl] => no valid NS left
[37402][iter] 'ns.udag.de.' type 'A' id was assigned, parent id 0
[37402][resl] => unresolvable NS address, bailing out
[37402][resl] => circular dependepcy, retrying with non-minimized name
[ 9258][iter] 'ns.udag.de.' type 'A' id was assigned, parent id 0
[ 9258][zcut] found cut: udag.de. (return codes: DS 1, DNSKEY 1)
[ 9258][resl] => NS is provably without DS, going insecure
[ 9258][plan] plan 'ns.udag.net.' type 'A'
[43035][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 9258
[43035][cach] => skipping exact RR: rank 030 (min. 000), new TTL -4331
[43035][cach] => trying zone: udag.net.
[43035][cach] => NSEC sname: range search found inconsistent entry
[43035][zcut] found cut: udag.net. (return codes: DS 1, DNSKEY 1)
[43035][resl] => NS is provably without DS, going insecure
[49223][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 9258
[49223][resl] => circular dependepcy, retrying with non-minimized name
[16076][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 9258
[16076][zcut] found cut: udag.net. (return codes: DS 1, DNSKEY 1)
[16076][resl] => NS is provably without DS, going insecure
[16076][resl] => unresolvable NS address, bailing out
Last message '[16076][resl] =>' repeated 1 times, suppressed by syslog-ng on turris
[16076][resl] => no valid NS left
[ 9260][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 9258
[ 9260][resl] => no valid NS left
[43246][iter] 'ns.udag.de.' type 'A' id was assigned, parent id 0
[43246][resl] => unresolvable NS address, bailing out
Last message '[43246][resl] => u' repeated 1 times, suppressed by syslog-ng on turris
[43246][resl] => no valid NS left
[48690][iter] 'ns.udag.de.' type 'A' id was assigned, parent id 0
[48690][resl] => no valid NS left
[ 0][resl] AD: secure (start)
[ 0][resl] AD: secure (between ANS and AUTH)
[ 0][resl] AD: secure (1)
[48690][resl] finished: 0, queries: 3, mempool: 49176 B
```
_ATM I only estimate the characteristics/causes._
2018 Q4
Vladimír Čunát vladimir.cunat@nic.cz

https://gitlab.nic.cz/knot/knot-resolver/-/issues/375
DNS64 should not perform synthesis for queries with CD and DO flags
2018-07-02T15:41:42+02:00
Ondřej Caletka
According to [RFC 6147, section 5.5, paragraph 3](https://tools.ietf.org/html/rfc6147#section-5.5), DNS64 synthesis MUST NOT be performed for queries with CD and DO flags (not to fool validating stub resolvers). Knot Resolver is not compliant with this requirement.
```
# dig ipv4only.arpa aaaa +cdflag +dnssec +short
64:ff9b::c000:aa
64:ff9b::c000:ab
```
Both BIND and Unbound DNS64 modules perform well:
```
# dig ipv4only.arpa aaaa +cdflag +dnssec +short
<empty>
```
2018 Q2
Vladimír Čunát vladimir.cunat@nic.cz

https://gitlab.nic.cz/knot/knot-resolver/-/issues/377
kresd fails to bind IPv6 TLS socket sometimes (but IPv4 works)
2019-06-06T12:46:11+02:00
Petr Špaček
I have no idea why, this issue is here to remind us to inspect code for stream socket binding:
kresd should be listening on port 53028 for IPv4 and IPv6 at the same time but it is not. [config](/uploads/864f0d5638e9ec828d0d8085869938d3/config)
```
$ netstat -lptn | grep kresd
tcp 0 0 127.0.0.1:53021 0.0.0.0:* LISTEN 79892/kresd
tcp 0 0 127.0.0.1:53022 0.0.0.0:* LISTEN 79894/kresd
tcp 0 0 127.0.0.1:53028 0.0.0.0:* LISTEN 79892/kresd
tcp6 0 0 ::1:53021 :::* LISTEN 79892/kresd
tcp6 0 0 ::1:53022 :::* LISTEN 79894/kresd
```

https://gitlab.nic.cz/knot/knot-resolver/-/issues/384
NSEC3 caching doesn't seem to work
2018-07-27T19:48:16+02:00
Marek Vavrusa
I was trying the aggressive NSEC3 caching in the v2.4.0 tag (4141975d2f8d5c2e45cc319de20af356eb2a8b3e).
```
$ cat config # Empty configuration
$ rm *.mdb
$ kresd -a 127.0.0.1#5354 -k root.keys -v
[tls] session ticket: epoch 374032, scheduling rotation check in 3276245 ms
[ ta ] new state of trust anchors for a domain: . 172800 DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
[ ta ] new state of trust anchors for a domain: . 172800 DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
. 172800 DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
[system] interactive mode
>
```
When I query for a name that exists, caching seems to work:
```
$ kdig @127.0.0.1 -p 5354 nic.cz | grep From
;; From 127.0.0.1@5354(UDP) in 870.8 ms
$ kdig @127.0.0.1 -p 5354 nic.cz | grep From
;; From 127.0.0.1@5354(UDP) in 0.2 ms
```
When I query for a name that doesn't exist, caching doesn't seem to work:
```
$ kdig @127.0.0.1 -p 5354 bla2.nic.cz | grep From
;; From 127.0.0.1@5354(UDP) in 1208.7 ms
$ kdig @127.0.0.1 -p 5354 bla2.nic.cz | grep From
;; From 127.0.0.1@5354(UDP) in 412.8 ms
```
Here's the server log:
```
[ 0][plan] plan 'bla2.nic.cz.' type 'A'
[63031][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[63031][cach] => no NSEC* cached for zone: cz.
[63031][zcut] found cut: cz. (rank 002 return codes: DS 0, DNSKEY 0)
[29651][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[29651][resl] => querying: '194.0.13.1' score: 95 zone cut: 'cz.' qname: 'NiC.cZ.' qtype: 'NS' proto: 'udp'
[29651][resl] => querying: '2001:678:10::1' score: 95 zone cut: 'cz.' qname: 'NiC.cZ.' qtype: 'NS' proto: 'udp'
[29651][iter] <= rcode: NOERROR
[29651][iter] <= continuing with qname minimization
[29651][resl] <= server: '194.0.13.1' rtt: 175 ms
[28702][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[28702][plan] plan 'nic.cz.' type 'DS'
[40723][iter] 'nic.cz.' type 'DS' id was assigned, parent id 28702
[40723][cach] => satisfied by exact RRset: rank 060, new TTL 3513
[40723][iter] <= rcode: NOERROR
[40723][vldr] <= DS: OK
[40723][vldr] <= parent: updating DS
[40723][vldr] <= answer valid, OK
[60915][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[60915][plan] plan 'nic.cz.' type 'DNSKEY'
[ 5674][iter] 'nic.cz.' type 'DNSKEY' id was assigned, parent id 60915
[ 5674][cach] => satisfied by exact RRset: rank 060, new TTL 1713
[ 5674][iter] <= rcode: NOERROR
[ 5674][vldr] <= parent: updating DNSKEY
[ 5674][vldr] <= answer valid, OK
[29278][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[29278][resl] => query[29278][resl] => querying: '2001:678:f::1' score: 11 zone cut: 'nic.cz.' qname: 'BLa2.Nic.Cz.' qtype: 'A' proto: 'udp'
[29278][iter] <= rcode: NXDOMAIN
[29278][vldr] <= answer valid, OK
[29278][cach] => stashed 61irsbhhtmb5arro3jt924s607pojbnu.nic.cz. NSEC3, rank 060, 149 B total, incl. 1 RRSIGs
[29278][cach] => stashed 7cnkran8antk3fkqoiivftbr83c4fk16.nic.cz. NSEC3, rank 060, 141 B total, incl. 1 RRSIGs
[29278][cach] => stashed 038c9fesqq3ofr3cefq91hji5h3mq5mc.nic.cz. NSEC3, rank 060, 150 B total, incl. 1 RRSIGs
[29278][cach] => stashed nic.cz. SOA, rank 060, 159 B total, incl. 1 RRSIGs
[29278][cach] => nsec_p stash skipped (extra TTL: 88)
[29278][resl] <= server: '194.0.12.1' rtt: 169 ms
[ 0][resl] AD: request classified as SECURE
[29278][resl] finished: 4, queries: 3, mempool: 82000 B
[ 0][plan] plan 'bla2.nic.cz.' type 'A'
[24186][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[24186][cach] => no NSEC* cached for zone: cz.
[24186][zcut] found cut: cz. (rank 002 return codes: DS 0, DNSKEY 0)
[ 390][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[ 390][resl] => querying: '194.0.12.1' score: 90 zone cut: 'cz.' qname: 'NIc.cZ.' qtype: 'NS' proto: 'udp'
[ 390][resl] => querying: '2001:678:f::1' score: 90 zone cut: 'cz.' qname: 'NIc.cZ.' qtype: 'NS' proto: 'udp'
[ 390][iter] <= rcode: NOERROR
[ 390][iter] <= continuing with qname minimization
[ 390][resl] <= server: '194.0.12.1' rtt: 180 ms
[21470][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[21470][plan] plan 'nic.cz.' type 'DS'
[60687][iter] 'nic.cz.' type 'DS' id was assigned, parent id 21470
[60687][cach] => satisfied by exact RRset: rank 060, new TTL 3512
[60687][iter] <= rcode: NOERROR
[60687][vldr] <= DS: OK
[60687][vldr] <= parent: updating DS
[60687][vldr] <= answer valid, OK
[31813][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[31813][plan] plan 'nic.cz.' type 'DNSKEY'
[52521][iter] 'nic.cz.' type 'DNSKEY' id was assigned, parent id 31813
[52521][cach] => satisfied by exact RRset: rank 060, new TTL 1712
[52521][iter] <= rcode: NOERROR
[52521][vldr] <= parent: updating DNSKEY
[52521][vldr] <= answer valid, OK
[47111][iter] 'bla2.nic.cz.' type 'A' id was assigned, parent id 0
[47111][resl] => query[47111][resl] => querying: '194.0.14.1' score: 116 zone cut: 'nic.cz.' qname: 'bla2.Nic.cZ.' qtype: 'A' proto: 'udp'
[47111][iter] <= rcode: NXDOMAIN
[47111][vldr] <= answer valid, OK
[47111][cach] => stashed 61irsbhhtmb5arro3jt924s607pojbnu.nic.cz. NSEC3, rank 060, 149 B total, incl. 1 RRSIGs
[47111][cach] => stashed 7cnkran8antk3fkqoiivftbr83c4fk16.nic.cz. NSEC3, rank 060, 141 B total, incl. 1 RRSIGs
[47111][cach] => stashed 038c9fesqq3ofr3cefq91hji5h3mq5mc.nic.cz. NSEC3, rank 060, 150 B total, incl. 1 RRSIGs
[47111][cach] => stashed nic.cz. SOA, rank 060, 159 B total, incl. 1 RRSIGs
[47111][cach] => nsec_p stash skipped (extra TTL: 89)
[47111][resl] <= server: '2001:678:11::1' rtt: 157 ms
[ 0][resl] AD: request classified as SECURE
[47111][resl] finished: 4, queries: 3, mempool: 82000 B
```
When I clear cache and restart the daemon, the caching sometimes works, but most of the time it doesn't. That's strange.
I was trying to test aggressive NSEC3 caching originally with bla3, bla4, bla5, ... bla10.nic.cz, but it doesn't seem to work even when I ask the same name repetitively, so I'm not sure what I am doing wrong.
cc @anb @pspacek @vcunat
2018 Q3
Vladimír Čunát vladimir.cunat@nic.cz

https://gitlab.nic.cz/knot/knot-resolver/-/issues/385
log flood from TLS session key rotation
2018-08-16T00:17:26+02:00
Petr Špaček
For some reason kresd log is full of these:
```
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374131, scheduling rotation check in 0 ms
[tls] session ticket: epoch 374132, scheduling rotation check in 4096000 ms
```
This is post-2.4.0 code c222c545d8bd3feec94a59f1a624ffda253586e3 running in single process.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/390
unsigned same-server delegation does not work (SERVFAIL when iterating)
2020-08-10T12:38:58+02:00
Petr Špaček
Attached [test](/uploads/faf14f8a4d04b5331a3d3ec150027dfc/qlist) asks for `unsigned2.box. SOA` and the request ends with SERVFAIL.
I believe that it should work because the domain is an unsigned delegation from parent, with child hosted on the same server.
The delegation is inside opt-out range so resolver should verify unsigned status of zone and continue.
(I hope there is no mistake in the test, I did my best. If there is a mistake in test itself I apologize.)

https://gitlab.nic.cz/knot/knot-resolver/-/issues/396
SERVFAIL answer still contains bogus RRsets
2020-04-15T10:25:21+02:00
Petr Špaček
Attached test [val_ad_qtype_ds.rpl](/uploads/a35e1072c53b8e68374b158d36d04d3a/val_ad_qtype_ds.rpl) contains incorrect SOA serial, i.e. RRSIG for `. SOA` does not match the SOA RR.
Kresd 3.0.0 correctly detects bogus answer, clears AD bit and sets RCODE=SERVFAIL but the bogus RR is still present in response sent to client:
```
E id 43842
E opcode QUERY
E rcode SERVFAIL
E flags QR RD RA
E edns 0
E eflags DO
E payload 4096
E ;QUESTION
E test. IN DS
E ;ANSWER
E ;AUTHORITY
E . 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2017030902 1800 900 604800 86400
E test. 86400 IN NSEC . NS RRSIG NSEC
E . 86400 IN RRSIG SOA 8 0 86400 20180922145219 20180823145219 61125 . oUmzRZlxlk8WMI6EVAVqveSrD7gY7dxo g/KF0xIsUgb4wuw7ysD4C1E7GCKA8UqF XKsJn+RpKJHiHAASLctCL8Ewnger2ebe RtTNENEuqyvWlJwWHIY9Bk9YvMr5RzNd TfyLS+EGFGQzk2G793DOoi0DuNFaFK1A kN/jDDzDuGxwK/9oZ4X9Sk2mKeZfjKWI oXaPhMonfnWtX+6rKeMvgSjMZYEXz0+E XYHeHwvtUIPYzMfO2iCrEfCABH04OG61 NP5N9W+IiOKP1KAmT8id3JyFJACHjSP6 BeEIv6Ydzz3M9vq4B4pj0Cr9ePH0GnNC 0Sg8uOfHzjC5bHldoaJs4g==
E test. 86400 IN RRSIG NSEC 8 1 86400 20180922145219 20180823145219 61125 . Fgq94cQgkH4LhB0NFRSzqZT09eLTr4Jd P+xV+s5HEPiipfmaRSy3Y1ZoihtofwjO +LObPVLmyPz7WUWmJBCu3bPRS0GU4Ltq YmpBpUxjuaVqbiw07/GO3IS6nLD1IVYp uXzktncdJDkwalkPb/qMtrMTSEzH5V6a 9CJErKJRIEn36Ypg6+hvKXJT5uJyqcTs eqFXnHDXBzIQjlc6rm7gPCdUCzxx9UrP SxVeNfLSYUV96RA2G1NgksCejP7TPpIi heRXDIItvl/XtQy5pdaPsdE+bJHQaxC2 uTabzvGPoLHRahfCjtH2XxuFsWCSm7ad 0bRQH4v1o05CB8Cv9JkDEQ==
E ;ADDITIONAL
```
RR `. SOA` should not be there, it is bogus.
Vladimír Čunát vladimir.cunat@nic.cz

https://gitlab.nic.cz/knot/knot-resolver/-/issues/404
incorrect handling of EDNS version 1+
2019-07-09T17:12:25+02:00
Petr Špaček
Apparently we do not return BADVERS as we should:
```
$ dig +nocookie +rec +noad +edns=1 +noednsneg +ednsopt=100 soa isc.org. @1.1.1.1
; <<>> DiG 9.13.0-dev <<>> +nocookie +rec +noad +edns=1 +noednsneg +ednsopt=100 soa isc.org. @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20124
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;isc.org. IN SOA
;; ANSWER SECTION:
isc.org. 6914 IN SOA ns-int.isc.org. hostmaster.isc.org. 2018092500 7200 3600 24796800 3600
;; Query time: 16 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Oct 01 13:40:13 CEST 2018
;; MSG SIZE rcvd: 90
```
Test suite:
https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing
run `genreport -R` with input like:
`nic.cz. resolver.test. 1.1.1.1`
Output at the moment:
```
nic.cz. @1.1.1.1 (resolver.test.): dns=ok edns=ok edns1=noerror,badversion,soa edns@512=ok ednsopt=ok edns1opt=noerror,badversion,soa do=ok ednsflags=ok optlist=ok signed=ok,yes ednstcp=ok
```

https://gitlab.nic.cz/knot/knot-resolver/-/issues/406
validate: fails to accept some correct proofs in deeper NSEC zones
2022-05-09T11:46:29+02:00
Vladimír Čunát vladimir.cunat@nic.cz
Real-life example: `_domainkey.bronz.cz` - it's an empty non-terminal covered by
```
*.bronz.cz. 3589 IN NSEC arcz._domainkey.bronz.cz. CNAME RRSIG NSEC
```
Note: aggressive cache does generate the proof correctly, if the record is in cache; it's just validator not accepting it. In real life this issue will probably be rarely causing problems, moreover NODATA isn't often recognizable from SERVFAIL.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/407
Knot Resolver can't resolve dc01.integricloud.com
2022-01-12T14:16:46+01:00
Ghost User
Knot DNS Resolver, version 2.4.1 in latest TurrisOS, can't resolve `dc01.integricloud.com`, it gives `status: SERVFAIL`. Even 1.1.1.1 can't resolve this name. Other resolvers return `status: NOERROR` and `IN A 108.178.208.107`.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/416
Assertion failed: (map_contains(&worker->tcp_connected, key) == 0), function worker_add_tcp_connected, file daemon/worker.c, line 1997
2019-04-16T09:03:53+02:00
Ghost User
I am using The Knot DNS Resolver on macOS Mojave (10.14.1). I tested the resolver with 1.1.1.1 and 9.9.9.9 DNS Servers. It works well but periodically (after Mac exits sleep) the daemon stops working and "sudo brew services restart knot-resolver" doesn't help either. After Mac's reboot it starts working again.
[kresd.log](/uploads/fdcbb5629cdde9ba263e2af0e5acc5ee/kresd.log) tells the following:
```
Assertion failed: (map_contains(&worker->tcp_connected, key) == 0), function worker_add_tcp_connected, file daemon/worker.c, line 1997.
[priming] cannot resolve '.' NS, next priming query in 10 seconds
[detect_time_skew] cannot resolve '.' NS
[ ta ] active refresh failed for . with rcode: 2
[priming] cannot resolve '.' NS, next priming query in 10 seconds
[priming] cannot resolve '.' NS, next priming query in 10 seconds
[priming] cannot resolve '.' NS, next priming query in 10 seconds
[priming] cannot resolve address 'a.root-servers.net.', type: 1
Assertion failed: (map_contains(&worker->tcp_connected, key) == 0), function worker_add_tcp_connected, file daemon/worker.c, line 1997.
[priming] cannot resolve address 'a.root-servers.net.', type: 1
[ ta ] active refresh failed for . with rcode: 2
[ ta ] active refresh failed for . with rcode: 2
Assertion failed: (map_contains(&worker->tcp_connected, key) == 0), function worker_add_tcp_connected, file daemon/worker.c, line 1997.
[priming] cannot resolve address 'a.root-servers.net.', type: 1
[priming] cannot resolve address 'b.root-servers.net.', type: 1
[priming] cannot resolve address 'g.root-servers.net.', type: 28
[priming] cannot resolve address 'h.root-servers.net.', type: 1
[priming] cannot resolve address 'k.root-servers.net.', type: 1
[ ta ] active refresh failed for . with rcode: 2
Assertion failed: (map_contains(&worker->tcp_connected, key) == 0), function worker_add_tcp_connected, file daemon/worker.c, line 1997.
[priming] cannot resolve address 'a.root-servers.net.', type: 1
[priming] cannot resolve address 'b.root-servers.net.', type: 1
[ ta ] active refresh failed for . with rcode: 2
[priming] cannot resolve address 'g.root-servers.net.', type: 28
[priming] cannot resolve address 'k.root-servers.net.', type: 1
[ ta ] active refresh failed for . with rcode: 2
Assertion failed: (map_contains(&worker->tcp_connected, key) == 0), function worker_add_tcp_connected, file daemon/worker.c, line 1997.
[priming] cannot resolve '.' NS, next priming query in 10 seconds
[detect_time_skew] cannot resolve '.' NS
[ ta ] active refresh failed for . with rcode: 2
[priming] cannot resolve '.' NS, next priming query in 10 seconds
[priming] cannot resolve '.' NS, next priming query in 10 seconds
```

https://gitlab.nic.cz/knot/knot-resolver/-/issues/437
knot-resolver as a DNSoTLS client fails upon sleep
2019-02-15T09:42:54+01:00
Dustin Hodges
On **macOS Mojave 10.14.2**, when using ```knot-resolver``` as a *DNSoTLS client* (setting ```knot-resolver``` to communicate with Cloudflare's public DNS over TLS, and setting OS network DNS configuration to the local host, ```127.0.0.1``` & ```::1```), when Mac system enters sleep, knot-resolver stops communicating, either with macOS (local side), or Cloudflare (network side); unsure as to which. Communication does not resume when resuming from sleep.
When this failure occurs, ```KRESD.LOG``` is given a single line:
> ```Assertion failed: (tls_p->consumed == tls_p->nread), function tls_process_input_data, file daemon/tls.c, line 508.```
Attempts to test connectivity using ```kdig bing.com``` result in
> ```;; WARNING: response timeout for ::1@53(UDP)```
>
> ```;; WARNING: response timeout for 127.0.0.1@53(UDP)```
Suggesting that it is local side, assuming the timeout is between macOS itself and
Temporary solution is to run ```sudo brew services restart knot-resolver``` via terminal, restarting the service and returning functionality of knot-resolver as a DNSoTLS client.
2019 Q1

https://gitlab.nic.cz/knot/knot-resolver/-/issues/440
kresd 3.2.0 coredump
2020-11-16T12:32:42+01:00
ilf
```
% kresd --version
Knot Resolver, version 3.2.0
```
```
% cat /etc/knot-resolver/kresd.conf
-- vim:syntax=lua:
-- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration
-- Load useful modules
modules = {
'policy', -- Block queries to local zones/bad sites
'hints > iterate', -- Load /etc/hosts and allow custom root hints
'stats', -- Track internal statistics
-- 'predict', -- Prefetch expiring/frequent records
}
-- See kresd.systemd(7) about configuring network interfaces when using systemd
-- Listen on localhost (default)
-- net = { '127.0.0.1', '::1' }
-- Enable DNSSEC validation
trust_anchors.file = '/etc/knot-resolver/root.keys'
-- Cache size
cache.size = 100 * MB
-- https://dns.cmrg.net/
policy.add(policy.all(policy.TLS_FORWARD({
{'199.58.81.218', hostname='dns.cmrg.net', ca_file='/etc/ssl/certs/ca-certificates.crt'},
})))
```
```
% sudo coredumpctl gdb 673
PID: 673 (kresd)
UID: 972 (knot-resolver)
GID: 972 (knot-resolver)
Signal: 6 (ABRT)
Timestamp: Sat 2019-01-05 16:48:08 CET (14min ago)
Command Line: /usr/sbin/kresd --config=/etc/knot-resolver/kresd.conf
Executable: /usr/bin/kresd
Control Group: /system.slice/system-kresd.slice/kresd@1.service
Unit: kresd@1.service
Slice: system-kresd.slice
Storage: /var/lib/systemd/coredump/core.kresd.972.41f1b997dbba4fc1a3959eeb94b783ef.673.1546703288000000.lz4
Message: Process 673 (kresd) of user 972 dumped core.
Stack trace of thread 673:
#0 0x00007fd9ab352d7f raise (libc.so.6)
#1 0x00007fd9ab33d672 abort (libc.so.6)
#2 0x00007fd9ab33d548 __assert_fail_base.cold.0 (libc.so.6)
#3 0x00007fd9ab34b396 __assert_fail (libc.so.6)
#4 0x000055ab58ecd1f4 session_tls_hs_cb (kresd)
#5 0x000055ab58ed34ca tls_handshake (kresd)
#6 0x000055ab58ed3b8b tls_process_input_data (kresd)
#7 0x000055ab58ec5a20 tcp_recv (kresd)
#8 0x00007fd9ab9e9a19 n/a (libuv.so.1)
#9 0x00007fd9ab9ea668 n/a (libuv.so.1)
#10 0x00007fd9ab9ef370 uv__io_poll (libuv.so.1)
#11 0x00007fd9ab9e0ab0 uv_run (libuv.so.1)
#12 0x000055ab58ec5139 run_worker (kresd)
#13 0x00007fd9ab33f223 __libc_start_main (libc.so.6)
#14 0x000055ab58ec523e _start (kresd)
```
```
(gdb) backtrace
#0 0x00007fd9ab352d7f in raise () from /usr/lib/libc.so.6
#1 0x00007fd9ab33d672 in abort () from /usr/lib/libc.so.6
#2 0x00007fd9ab33d548 in __assert_fail_base.cold.0 () from /usr/lib/libc.so.6
#3 0x00007fd9ab34b396 in __assert_fail () from /usr/lib/libc.so.6
#4 0x000055ab58ecd1f4 in session_tls_hs_cb (session=session@entry=0x55ab596762e0, status=status@entry=0) at daemon/worker.c:751
#5 0x000055ab58ed34ca in tls_handshake (ctx=ctx@entry=0x55ab597d33b0, handshake_cb=0x55ab58eccfb0 <session_tls_hs_cb>) at daemon/tls.c:256
#6 0x000055ab58ed3b8b in tls_process_input_data (s=s@entry=0x55ab596762e0, buf=0x55ab597d33e8 "\026\003\003\n\252\v", nread=nread@entry=3082) at daemon/tls.c:472
#7 0x000055ab58ec5a20 in tcp_recv (handle=0x55ab5968ac50, nread=3082, buf=0x7ffec983b810) at daemon/io.c:237
#8 0x00007fd9ab9e9a19 in ?? () from /usr/lib/libuv.so.1
#9 0x00007fd9ab9ea668 in ?? () from /usr/lib/libuv.so.1
#10 0x00007fd9ab9ef370 in uv.io_poll () from /usr/lib/libuv.so.1
#11 0x00007fd9ab9e0ab0 in uv_run () from /usr/lib/libuv.so.1
#12 0x000055ab58ec5139 in run_worker (args=0x7ffec983ec20, leader=<optimized out>, ipc_set=0x7ffec983ebe0, engine=0x7ffec983ecc0, loop=0x7fd9ab9fc240) at daemon/main.c:476
#13 main (argc=<optimized out>, argv=<optimized out>) at daemon/main.c:825
```
```
(gdb) backtrace full
#0 0x00007fd9ab352d7f in raise () from /usr/lib/libc.so.6
No symbol table info available.
#1 0x00007fd9ab33d672 in abort () from /usr/lib/libc.so.6
No symbol table info available.
#2 0x00007fd9ab33d548 in __assert_fail_base.cold.0 () from /usr/lib/libc.so.6
No symbol table info available.
#3 0x00007fd9ab34b396 in __assert_fail () from /usr/lib/libc.so.6
No symbol table info available.
#4 0x000055ab58ecd1f4 in session_tls_hs_cb (session=session@entry=0x55ab596762e0, status=status@entry=0) at daemon/worker.c:751
key = 0x55ab58eed3a0 <str> "199.58.81.218#00853"
__PRETTY_FUNCTION__ = "session_tls_hs_cb"
handle = <optimized out>
loop = <optimized out>
worker = 0x55ab593295c0
peer = 0x55ab596762e4
deletion_res = -2
ret = 0
tls_client_ctx = <optimized out>
tls_params = 0x55ab59353550
tls_session = 0x55ab5967d8d0
#5 0x000055ab58ed34ca in tls_handshake (ctx=ctx@entry=0x55ab597d33b0, handshake_cb=0x55ab58eccfb0 <session_tls_hs_cb>) at daemon/tls.c:256
peer = <optimized out>
session = 0x55ab596762e0
logstring = 0x55ab58ee2e30 <client_logstring> "tls_client"
err = <optimized out>
#6 0x000055ab58ed3b8b in tls_process_input_data (s=s@entry=0x55ab596762e0, buf=0x55ab597d33e8 "\026\003\003\n\252\v", nread=nread@entry=3082) at daemon/tls.c:472
err = <optimized out>
tls_p = 0x55ab597d33b0
__PRETTY_FUNCTION__ = "tls_process_input_data"
ok = true
logstring = 0x55ab58ee2e30 <client_logstring> "tls_client"
submitted = <optimized out>
wire_buf = <optimized out>
wire_buf_size = <optimized out>
#7 0x000055ab58ec5a20 in tcp_recv (handle=0x55ab5968ac50, nread=3082, buf=0x7ffec983b810) at daemon/io.c:237
s = 0x55ab596762e0
__PRETTY_FUNCTION__ = "tcp_recv"
consumed = 0
data = 0x55ab597d33e8 "\026\003\003\n\252\v"
data_len = 3082
ret = <optimized out>
worker = <optimized out>
#8 0x00007fd9ab9e9a19 in ?? () from /usr/lib/libuv.so.1
No symbol table info available.
#9 0x00007fd9ab9ea668 in ?? () from /usr/lib/libuv.so.1
No symbol table info available.
#10 0x00007fd9ab9ef370 in uv.io_poll () from /usr/lib/libuv.so.1
No symbol table info available.
#11 0x00007fd9ab9e0ab0 in uv_run () from /usr/lib/libuv.so.1
No symbol table info available.
#12 0x000055ab58ec5139 in run_worker (args=0x7ffec983ec20, leader=<optimized out>, ipc_set=0x7ffec983ebe0, engine=0x7ffec983ecc0, loop=0x7fd9ab9fc240) at daemon/main.c:476
sock_file = <optimized out>
pipe = {data = 0x7ffec983ec20, loop = 0x7fd9ab9fc240, type = UV_NAMED_PIPE, close_cb = 0x0, handle_queue = {0x55ab595a1cc0, 0x55ab5933ce40}, u = {fd = 0, reserved = {0x0, 0x0, 0x0, 0x0}}, next_closing = 0x0, flags = 49164,
write_queue_size = 0, alloc_cb = 0x0, read_cb = 0x0, connect_req = 0x0, shutdown_req = 0x0, io_watcher = {cb = 0x7fd9ab9eaab0 <uv.server_io>, pending_queue = {0x7ffec983f070, 0x7ffec983f070}, watcher_queue = {0x7ffec983f080,
0x7ffec983f080}, pevents = 1, events = 1, fd = 5}, write_queue = {0x7ffec983f0a0, 0x7ffec983f0a0}, write_completed_queue = {0x7ffec983f0b0, 0x7ffec983f0b0}, connection_cb = 0x55ab58ed9190 <tty_accept>, delayed_error = 0,
accepted_fd = -1, queued_fds = 0x0, ipc = 0, pipe_fname = 0x0}
sock_file = <optimized out>
pipe = <optimized out>
pipe_ret = <optimized out>
i = <optimized out>
#13 main (argc=<optimized out>, argv=<optimized out>) at daemon/main.c:825
ret = <optimized out>
args = {forks = 1, addr_set = {at = 0x0, len = 0, cap = 0}, tls_set = {at = 0x0, len = 0, cap = 0}, fd_set = {at = 0x55ab593115b0, len = 4, cap = 5}, tls_fd_set = {at = 0x55ab59311670, len = 2, cap = 5}, keyfile = 0x0,
keyfile_unmanaged = 0, moduledir = 0x55ab58ee424e "/usr/lib/kdns_modules", config = 0x7ffec9840e7d "/etc/knot-resolver/kresd.conf", control_fd = 5, rundir = 0x0, interactive = false, quiet = false, tty_binary_output = false}
socket_names = 0x55ab59327f20
sd_nsocks = <optimized out>
ipc_set = {at = 0x0, len = 0, cap = 0}
fork_id = <optimized out>
pool = {ctx = 0x55ab59328280, alloc = 0x55ab58edc340 <mp_alloc>, free = 0x0}
engine = {resolver = {options = {NO_MINIMIZE = false, NO_THROTTLE = false, NO_IPV6 = false, NO_IPV4 = false, TCP = false, RESOLVED = false, AWAIT_IPV4 = false, AWAIT_IPV6 = false, AWAIT_CUT = false, SAFEMODE = false,
CACHED = false, NO_CACHE = false, EXPIRING = false, ALLOW_LOCAL = false, DNSSEC_WANT = false, DNSSEC_BOGUS = false, DNSSEC_INSECURE = false, DNSSEC_CD = false, STUB = false, ALWAYS_CUT = false, DNSSEC_WEXPAND = false,
PERMISSIVE = false, STRICT = false, BADCOOKIE_AGAIN = false, CNAME = false, REORDER_RR = false, TRACE = false, NO_0X20 = false, DNSSEC_NODS = false, DNSSEC_OPTOUT = false, NONAUTH = false, FORWARD = false,
DNS64_MARK = false, CACHE_TRIED = false, NO_NS_FOUND = false}, opt_rr = 0x55ab593282f0, trust_anchors = {root = 0x55ab5930fea0, pool = 0x0}, negative_anchors = {root = 0x0, pool = 0x0}, root_hints = {
name = 0x55ab59328f68 "", key = 0x0, trust_anchor = 0x0, parent = 0x0, nsset = 0x55ab59328f70, pool = 0x7ffec983ec00}, cache = {db = 0x55ab5933c940, api = 0x7fd9abae0480 <api>, stats = {hit = 0, miss = 0, insert = 3621,
delete = 0}, ttl_min = 5, ttl_max = 518400, checkpoint_walltime = {tv_sec = 1546542717, tv_usec = 57135}, checkpoint_monotime = 48358}, cache_rtt = 0x7fd9a980f010, cache_rtt_tout_retry_interval = 1000,
cache_rep = 0x7fd9a978e010, modules = 0x7ffec983ee38, cookie_ctx = {clnt = {enabled = false, current = {secr = 0x0, alg_id = 0}, recent = {secr = 0x0, alg_id = 0}}, srvr = {enabled = false, current = {secr = 0x0, alg_id = 0},
recent = {secr = 0x0, alg_id = 0}}}, cache_cookie = 0x55ab59328360, tls_padding = -1, pool = 0x7ffec983ec00}, net = {loop = 0x7fd9ab9fc240, endpoints = {root = 0x55ab5930d811, pool = 0x0}, tls_credentials = 0x0,
tls_client_params = {root = 0x55ab593530d0, pool = 0x0}, tls_session_ticket_ctx = 0x55ab593294d0, tcp = {in_idle_timeout = 10000, tls_handshake_timeout = 6000}, tcp_backlog = 511}, modules = {at = 0x55ab5933cc50, len = 12,
cap = 15}, backends = {at = 0x55ab593292d0, len = 1, cap = 5}, ipc_set = {at = 0x0, len = 0, cap = 0}, pool = 0x7ffec983ec00, hostname = 0x0, L = 0x411ec378, moduledir = 0x55ab5930def0 "/usr/lib/kdns_modules"}
worker = 0x55ab593295c0
loop = 0x7fd9ab9fc240
sigint = {data = 0x7ffec983eef0, loop = 0x7fd9ab9fc240, type = UV_SIGNAL, close_cb = 0x0, handle_queue = {0x7ffec983ef60, 0x55ab593294f0}, u = {fd = 0, reserved = {0x0, 0x0, 0x7fd9abb138c8, 0x7fd9abb3e480}}, next_closing = 0x0,
flags = 12, signal_cb = 0x55ab58ed8ef0 <signal_handler>, signum = 2, tree_entry = {rbe_left = 0x0, rbe_right = 0x7ffec983ef40, rbe_parent = 0x0, rbe_color = 0}, caught_signals = 0, dispatched_signals = 0}
sigterm = {data = 0x28, loop = 0x7fd9ab9fc240, type = UV_SIGNAL, close_cb = 0x0, handle_queue = {0x55ab59339ef0, 0x7ffec983eec0}, u = {fd = 232, reserved = {0xe8, 0x2d00000000, 0xf0, 0x7}}, next_closing = 0x0, flags = 12,
signal_cb = 0x55ab58ed8ef0 <signal_handler>, signum = 15, tree_entry = {rbe_left = 0x0, rbe_right = 0x0, rbe_parent = 0x7ffec983eea0, rbe_color = 1}, caught_signals = 0, dispatched_signals = 0}
```
2019 Q1

https://gitlab.nic.cz/knot/knot-resolver/-/issues/443
DNSSEC validation failing for NSEC signed zone with deeper wildcard
2022-05-18T16:25:24+02:00
Štěpán Balážik
When testing on the zones linked below (in local `knotd`), and when asked for `dig @127.0.0.1 -p 53 A shit.wildc.nsec.test.knot-resolver.cz +dnssec` Resolver ends up servfailing because it can't validate proof of non-existence of `wildc.nsec.test.knot-resolver.cz. DS` record:
```
[44720.12][resl] => id: '36540' querying: '127.0.0.1#05353' score: 21 zone cut: 'nsec.test.knot-resolver.cz.' qname: 'wilDC.nSEc.teSt.KnOT-REsolVER.cz.' qtype: 'DS' proto: 'udp'
[44720.12][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 36540
;; Flags: qr aa rd QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION
wildc.nsec.test.knot-resolver.cz. DS
;; AUTHORITY SECTION
nsec.test.knot-resolver.cz. 3600 SOA dns1.example.com. hostmaster.example.com. 2010111238 21600 3600 604800 86400
*.wild.nsec.test.knot-resolver.cz. 86400 NSEC *.wildc.nsec.test.knot-resolver.cz. A RRSIG NSEC
*.wildc.nsec.test.knot-resolver.cz. 86400 NSEC nsec.test.knot-resolver.cz. CNAME RRSIG NSEC
nsec.test.knot-resolver.cz. 3600 RRSIG SOA 13 4 3600 20370101153211 20190118140211 25023 nsec.test.knot-resolver.cz. YlGILkcuX6EpClR9YBmNZP/2G6UaCWLFB2LxLMfU40h+qARSMwsaaRrBPt9mO7kMS1e6r/vG9muP/tkgIPmEJA==
*.wild.nsec.test.knot-resolver.cz. 86400 RRSIG NSEC 13 5 86400 20370101153211 20190118140211 25023 nsec.test.knot-resolver.cz. HnNsj0OoA82ltnf+iFEdyvUqpw/3DSkeZCGGKKCbvvP0ENgT6jeRP8euL19WBVvloPTb8LUMQWb9FhgauuRtmg==
*.wildc.nsec.test.knot-resolver.cz. 86400 RRSIG NSEC 13 5 86400 20370101153211 20190118140211 25023 nsec.test.knot-resolver.cz. rbFDZXGXSY1J4wWzeIN+EqnKCjr6ZsA/9lZV/yy5ILzi9K2z4IxIp09uKS2qasK/nVuWAdqonFgLteCLuUew6g==
[44720.12][iter] <= rcode: NOERROR
[44720.12][vldr] <= bad NODATA proof
[44720.12][cach] => stashed nsec.test.knot-resolver.cz. SOA, rank 020, 190 B total, incl. 1 RRSIGs
[44720.12][cach] => stashed packet: rank 025, TTL 1, DS wildc.nsec.test.knot-resolver.cz. (615 B)
[44720.12][resl] finished: 8, queries: 3, mempool: 32800 B
```
When asked for the respective record in the NSEC3 signed zone Resolver validates with no problem.
Below I link all three zonefiles as well as the configurations of both `kresd` and `knotd` I used.
[kresd.log](/uploads/5360e41e89323adf2636cc868e0caab2/kresd.log)
[kresd.conf](/uploads/3465c6d90d6681e94e87091af39f6c00/kresd.conf)
[knotd.conf](/uploads/519da89b51c4ff77f97bd9c847274230/knotd.conf)
[test.knot-resolver.cz.zone](/uploads/8d6a2b3497134f9895bd4e4592b027b7/test.knot-resolver.cz.zone)
[nsec.test.knot-resolver.cz.zone](/uploads/afe51a85acb768e0b4552b3fad4d1dbb/nsec.test.knot-resolver.cz.zone)
[nsec3.test.knot-resolver.cz.zone](/uploads/ca69754b0afd55d2362c3da28cf6491d/nsec3.test.knot-resolver.cz.zone)
5.5.1
Vladimír Čunát vladimir.cunat@nic.cz

https://gitlab.nic.cz/knot/knot-resolver/-/issues/448
net.list() ignores multiple ports on the same IP address
2019-03-12T14:03:36+01:00
Petr Špaček
Multiple invocations of `net.listen()` using the same IP address but different port will confuse output of `net.list()`. Only single endpoint description listening for a given IP address is returned by `net.list`:
Example:
```
$ KRESD_NO_LISTEN=1 kresd
> net.list()
> net.listen('::1', 5353)
true
> net.list()
[::1] => {
[tcp] => true
[tls] => false
[udp] => true
[port] => 5353
}
> net.listen('::1', 53000)
true
> net.list()
[::1] => {
[tcp] => true
[tls] => false
[udp] => true
[port] => 5353
}
```
Fixing this obviously requires change to `net.list()` output format, which can be done in upcoming 4.0.
The main question is what the new output should look like. Preliminary proposal:
```
{ address = 'string',
  transport = udp/tcp/quic,
  transport_params = { [transport-dependent parameters - port etc.] },
  security = tls/dtls/...,
  format = plain DNS/DNS-over-HTTP-binary/DNS-over-HTTP-JSON
}
```
`net.list()` would then produce numbered list of tuples, each tuple describing single combination.
While this would be technically correct I don't know if it would be too verbose and ugly. Maybe we should introduce `net.summary()` which could produce a nicer output out of `net.list()` or something like that.
4.0.0
Tomas Krizek

https://gitlab.nic.cz/knot/knot-resolver/-/issues/449
RFC 5011 will crash resolver if key is rolled to an unsupported algorithm
2019-04-04T15:03:11+02:00
Petr Špaček
Reported by: Matthijs Mekking <matthijs@isc.org>
PANIC if kresd performs 5011 and retrieves an unsupported algorithm
===================================================================
Summary
-------
tldr; When refreshing trust anchors and kresd receives an unsupported
DNSSEC algorithm, kresd will exit with a PANIC:
PANIC: unprotected error in call to Lua API
(/usr/local/lib/kdns_modules/trust_anchors.lua:208: invalid RR:
5011.isc.pletterpet.nl. 60 DNSKEY 257 3 16
GjgC97LCct7HZhArY9KRvynmXLKF/OGPCOX8jVqNaQ5Tj58lqxaNQ/tx2l8sftpLHHQj9KOsRzjN:
invalid key algorithm)
Knot resolver versions used
---------------------------
knot-resolver-3.2.1
Steps to reproduce
------------------
1. Set up an authoritative zone, DNSSEC signed with a supported
algorithm, for example RSA-SHA256 (8).
2. Start Knot resolver with a trust anchor file that contains the KSK
for the authoritative zone.
kresd -c config.test
3. Update the authoritative zone, add a new algorithm that is not
supported by BIND, for example Ed448 (16).
4. Wait until kresd refreshes trust anchors.
You should hit the same error if you do step 2 and the authoritative
server already has the DNSKEY with the unsupported algorithm in the zone.
What is the current bug behavior?
---------------------------------
The Knot resolver will exit with a PANIC.
What is the expected correct behavior?
--------------------------------------
The Knot resolver will log an error (or warning) and ignore the new key.
Relevant configuration files
----------------------------
config.test:
net = { '127.0.0.1', '::1' }
trust_anchors.config('trustanchors.conf', 0)
modules = {
'hints > iterate',
'stats',
'predict',
}
cache.size = 10 * MB

4.0.0

https://gitlab.nic.cz/knot/knot-resolver/-/issues/451
trust_anchors.lua: keyset_read() parameter shadows string library
2019-03-12T12:12:22+01:00
Petr Špaček
In file
/usr/lib/kdns_modules/trust_anchors.lua
around line 376, the `local function keyset_read(path, string)` shadows `string` library, which causes weird problems. We have to remove shadowing before release.
4.0.0
Tomas Krizek

https://gitlab.nic.cz/knot/knot-resolver/-/issues/460
Building 4.0.0 fails with unity build enabled
2019-04-25T13:26:32+02:00
Jonathan Coetzee
Was playing around with the new build system (which is great!) and tried enabling [unity builds](https://mesonbuild.com/Unity-builds.html) but the build fails. Sure this isn't an important feature for anyone but maybe it's an option to remove it as a configuration parameter until it can be investigated?
```
# meson build_dir -Dunity=on
The Meson build system
Version: 0.48.2
Source dir: /knot-resolver-v4.0.0
Build dir: /knot-resolver-v4.0.0/build_dir
Build type: native build
Project name: knot-resolver
Project version: 4.0.0
Native C compiler: cc (gcc 8.3.0 "cc (Alpine 8.3.0) 8.3.0")
Native C++ compiler: c++ (gcc 8.3.0 "c++ (Alpine 8.3.0) 8.3.0")
Build machine cpu family: x86_64
Build machine cpu: x86_64
Message: --- required dependencies ---
Found pkg-config: /usr/bin/pkg-config (1.6.0)
Dependency libknot found: YES 2.8.1
Dependency libdnssec found: YES 2.8.1
Dependency libzscanner found: YES 2.8.1
Dependency libuv found: YES 1.23.2
Dependency lmdb found: YES @PACKAGE_VERSION@
Dependency gnutls found: YES 3.6.7
Dependency luajit found: YES 2.1.0-beta3
Message: ------------------------------
Message: --- systemd socket activation ---
Dependency libsystemd found: NO (tried pkgconfig)
Message: ---------------------------
Configuring kresconfig.h using configuration
Message: --- client dependencies ---
Dependency libedit found: NO (tried pkgconfig)
Library edit found: NO
Message: ---------------------------
Configuring trust_anchors.lua using configuration
Configuring sandbox.lua using configuration
Program ./kres-gen.sh found: YES (/knot-resolver-v4.0.0/daemon/lua/./kres-gen.sh)
Message: --- dnstap module dependencies ---
Dependency libprotobuf-c found: NO (tried pkgconfig)
Dependency libfstrm found: NO (tried pkgconfig)
Program protoc-c found: NO
Message: ----------------------------------
Configuring http.lua using configuration
Message: --- unit_tests dependencies ---
Dependency cmocka found: NO (tried pkgconfig)
Message: -------------------------------
Configuring kresd.8 using configuration
Program ../scripts/make-doc.sh found: YES (/knot-resolver-v4.0.0/doc/../scripts/make-doc.sh)
Configuring config.cluster using configuration
Configuring config.docker using configuration
Configuring config.isp using configuration
Configuring config.personal using configuration
Configuring config.splitview using configuration
Configuring kresd.conf using configuration
Message: --- lint dependencies ---
Program clang-tidy found: NO
Program luacheck found: NO
Program flake8 found: NO
Program scripts/run-pylint.sh found: YES (/knot-resolver-v4.0.0/scripts/run-pylint.sh)
Message: -------------------------
Message:
======================= SUMMARY =======================
paths
prefix: /usr/local
lib_dir: /usr/local/lib/knot-resolver
sbin_dir: /usr/local/sbin
etc_dir: /usr/local/etc/knot-resolver
root.hints: /usr/local/etc/knot-resolver/root.hints
trust_anchors
keyfile_default: /usr/local/etc/knot-resolver/root.keys
managed_ta: enabled
systemd:
socket activation: disabled
files: disabled
work_dir:
optional components
client: disabled
dnstap: disabled
unit_tests: disabled
config_tests: disabled
extra_tests: disabled
additional
user: knot-resolver
group: knot-resolver
install_kresd_conf: enabled
=======================================================
Build targets in project: 12
Found ninja-1.8.2 at /usr/bin/ninja
/knot-resolver-v4.0.0 # ninja -C build_dir
ninja: Entering directory `build_dir'
[7/19] Compiling C object 'contrib/contrib@@contrib@sta/meson-generated_contrib-unity.c.o'.
In file included from contrib/contrib@@contrib@sta/contrib-unity.c:8:
/knot-resolver-v4.0.0/build_dir/../contrib/base64.c:24: warning: "MAX_BIN_DATA_LEN" redefined
#define MAX_BIN_DATA_LEN ((INT32_MAX / 4) * 3)
In file included from contrib/contrib@@contrib@sta/contrib-unity.c:7:
/knot-resolver-v4.0.0/build_dir/../contrib/base32hex.c:23: note: this is the location of the previous definition
#define MAX_BIN_DATA_LEN ((INT32_MAX / 8) * 5)
In file included from contrib/contrib@@contrib@sta/contrib-unity.c:8:
/knot-resolver-v4.0.0/build_dir/../contrib/base64.c:35: warning: "PD" redefined
#define PD 64
In file included from contrib/contrib@@contrib@sta/contrib-unity.c:7:
/knot-resolver-v4.0.0/build_dir/../contrib/base32hex.c:33: note: this is the location of the previous definition
#define PD 32
[13/19] Compiling C object 'lib/lib@@kres@sha/meson-generated_kres-unity.c.o'.
FAILED: lib/lib@@kres@sha/meson-generated_kres-unity.c.o
cc -Ilib/lib@@kres@sha -Ilib -I../lib -Ilib/.. -I../lib/.. -Icontrib -I../contrib -Icontrib/.. -I../contrib/.. -I. -I../ -I/usr/local/include -I/usr/include/p11-kit-1 -I/usr/include/luajit-2.1 -fdiagnostics-color=always -pipe -D_FILE_OFFSET_BITS=64 -Wall -Winvalid-pch -std=gnu11 -g -D_GNU_SOURCE -Wformat -Wformat-security -Wtype-limits -Wshadow -fvisibility=hidden -fPIC -MD -MQ 'lib/lib@@kres@sha/meson-generated_kres-unity.c.o' -MF 'lib/lib@@kres@sha/meson-generated_kres-unity.c.o.d' -o 'lib/lib@@kres@sha/meson-generated_kres-unity.c.o' -c 'lib/lib@@kres@sha/kres-unity.c'
In file included from lib/lib@@kres@sha/kres-unity.c:8:
/knot-resolver-v4.0.0/build_dir/../lib/cache/nsec3.c:255:12: error: conflicting types for 'dname_wire_reconstruct'
static int dname_wire_reconstruct(knot_dname_t *buf, const knot_dname_t *zname,
^~~~~~~~~~~~~~~~~~~~~~
In file included from lib/lib@@kres@sha/kres-unity.c:7:
/knot-resolver-v4.0.0/build_dir/../lib/cache/nsec1.c:28:12: note: previous definition of 'dname_wire_reconstruct' was here
static int dname_wire_reconstruct(knot_dname_t *buf, const struct key *k,
^~~~~~~~~~~~~~~~~~~~~~
In file included from lib/lib@@kres@sha/kres-unity.c:20:
/knot-resolver-v4.0.0/build_dir/../lib/layer/iterate.c:48: warning: "VERBOSE_MSG" redefined
#define VERBOSE_MSG(...) QRVERBOSE(req->current_query, "iter", __VA_ARGS__)
In file included from /knot-resolver-v4.0.0/build_dir/../lib/cache/api.c:40,
from lib/lib@@kres@sha/kres-unity.c:1:
../lib/../lib/cache/impl.h:394: note: this is the location of the previous definition
#define VERBOSE_MSG(qry, ...) QRVERBOSE((qry), "cach", ## __VA_ARGS__)
[15/19] Compiling C++ object 'modules/policy/modules@policy@@ahocorasick@sha/meson-generated_ahocorasick-unity.cpp.o'.
ninja: build stopped: subcommand failed.
```

https://gitlab.nic.cz/knot/knot-resolver/-/issues/462
resolving broken DNSSEC domain succeeds
2019-04-30T12:39:49+02:00
Daniel Stirnimann
The query 'www.promotext.ch TXT' cannot be resolved on DNSSEC validating resolvers except for knot-resolver where it works!
The error according to dnsviz:
> NSEC proving non-existence of www.promotext.ch/A: The NSEC RR covers the wildcard itself (*.promotext.ch), indicating that it doesn't exist.
dig output from my knot-resolver 3.2.1-2 (running on turris omnia)
```
dig @::1 www.promotext.ch TXT +dnssec
; <<>> DiG 9.12.3-P4 <<>> @::1 www.promotext.ch TXT +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14110
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.promotext.ch. IN TXT
;; AUTHORITY SECTION:
promotext.ch. 770 IN SOA dns11.firestorm.ch. info.firestorm.ch. 2019044974 10800 3600 604800 3600
promotext.ch. 770 IN RRSIG SOA 13 2 3600 20190509000000 20190418000000 32821 promotext.ch. Eex+u6NKjUSn897vTM0KjFWOfooKqg0gvxnqa6wiCxcTnRB2v2A8I1cA pi1c3EO/QPGX8fW5ZXi0fvN4t9N/oA==
promotext.ch. 770 IN NSEC promotext.ch. A NS SOA MX TXT RRSIG NSEC DNSKEY CDS CDNSKEY CAA
promotext.ch. 770 IN RRSIG NSEC 13 2 3600 20190509000000 20190418000000 32821 promotext.ch. B4iCQU8wY30D2btNEOnREsu3hNtz61iWCXwVUcgSbZC360uwvAiF7FJv gicQLvymzP4khZ6P+aAlOZeVIJGVxw==
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Apr 25 17:38:35 CEST 2019
;; MSG SIZE rcvd: 357
```
dig output from Cloudflare running some version of knot-resolver
```
dig @1.1.1.1 www.promotext.ch TXT +dnssec
; <<>> DiG 9.12.3-P4 <<>> @1.1.1.1 www.promotext.ch TXT +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54293
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;www.promotext.ch. IN TXT
;; AUTHORITY SECTION:
promotext.ch. 3600 IN SOA dns11.firestorm.ch. info.firestorm.ch. 2019044974 10800 3600 604800 3600
promotext.ch. 3600 IN RRSIG SOA 13 2 3600 20190509000000 20190418000000 32821 promotext.ch. 9OXanEGne/gEGPvmrFGjjMUe+BK/rZWxEZiiKg3VFqIqHPgNOXQJcgtv cBA2ko9prGl0/A7fAKbYTA2NAghC1Q==
promotext.ch. 3600 IN NSEC promotext.ch. A NS SOA MX TXT RRSIG NSEC DNSKEY CDS CDNSKEY CAA
promotext.ch. 3600 IN RRSIG NSEC 13 2 3600 20190509000000 20190418000000 32821 promotext.ch. 4k1lb9+ip/NbLKfs/J/YeQ1fiYpY2YXe+3SVOhPywDwFuxHNtaJetS7T bjadxH0Vei4YrS1tsUp4lsIeP9rl/Q==
;; Query time: 16 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Apr 25 17:38:41 CEST 2019
;; MSG SIZE rcvd: 357
```
Any other DNSSEC validating resolver I have tried returns SERVFAIL e.g.
```
dig @8.8.8.8 www.promotext.ch TXT +dnssec
; <<>> DiG 9.12.3-P4 <<>> @8.8.8.8 www.promotext.ch TXT +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62110
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.promotext.ch. IN TXT
;; Query time: 46 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Apr 25 17:38:32 CEST 2019
;; MSG SIZE rcvd: 45
```

https://gitlab.nic.cz/knot/knot-resolver/-/issues/470
SERVFAIL when serving from cache, don't know how to debug
2019-12-18T15:39:25+01:00
ValdikSS
I'm running knot-resolver 3.2.1-3~bpo9+1, Debian stretch-backports.
From time to time, resolving random domain names returns SERVFAIL, which is being put into knot-resolver's cache.
Running `dig +trace` to such domains usually returns lookup errors even earlier in a chain.
If I clear cache with `cache.clear()`, DNS works again as expected.
I don't know how to debug this issue and what could be the cause. How can I provide more logs to fix this issue?
My configuration:
```
user('knot-resolver','knot-resolver')
cache.size = 300 * MB
modules = { 'workarounds < iterate', 'stats', 'bogus_log' }
dofile("/etc/knot-resolver/knot-aliases-alt.conf")
policy.add(
policy.suffix(
policy.STUB(
{'127.0.0.4'}
),
policy.todnames(blocked_hosts)
)
)
```
Where `/etc/knot-resolver/knot-aliases-alt.conf` is a file with a single `blocked_hosts={}` table with lots of hosts. It shouldn't affect DNS lookups and this issue.
Before clearing the cache:
```
# dig jprosto.ru
; <<>> DiG 9.10.3-P4-Debian <<>> jprosto.ru
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8684
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;jprosto.ru. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Apr 28 14:40:51 CEST 2019
;; MSG SIZE rcvd: 39
# dig +trace jprosto.ru
; <<>> DiG 9.10.3-P4-Debian <<>> +trace jprosto.ru
;; global options: +cmd
. 120086 IN NS a.root-servers.net.
. 120086 IN NS b.root-servers.net.
. 120086 IN NS c.root-servers.net.
. 120086 IN NS d.root-servers.net.
. 120086 IN NS e.root-servers.net.
. 120086 IN NS f.root-servers.net.
. 120086 IN NS g.root-servers.net.
. 120086 IN NS h.root-servers.net.
. 120086 IN NS i.root-servers.net.
. 120086 IN NS j.root-servers.net.
. 120086 IN NS k.root-servers.net.
. 120086 IN NS l.root-servers.net.
. 120086 IN NS m.root-servers.net.
. 120086 IN RRSIG NS 8 0 518400 20190506170000 20190423160000 25266 . tRFeXF0ccHkCHTB11jEKDzXtoQtiSrCDX3GRzqyLvl2D5+ML6yqEkYTc e9Bs2sKYmXFk2pdldVbub3n0IQTXAW5MSuWDWqv/WtCA5v6FCCJTXCm+ mGDSKEbTdfLJDfzxYunWUKo1sYCs2d8im5LFs0RJMY/1EIngrJK1ujkj JrSXZjdmlaUv1cTBIXuV/Xn3CansYP3wOwIY3W4fOVYgfLAE1MEvnAUR 0xxjFj1eXNuv3wYE5mYGtumYL1fPHiU/XAIACZj3FWdWiG2loDz/u+ty zGPB6t+Ms7DKbaFp7EiWskWL60zWzxHcd3vxOUL0o0Ic+8csLqL6tO1h zJA3nA==
;; Received 717 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
ru. 172800 IN NS a.dns.ripn.net.
ru. 172800 IN NS b.dns.ripn.net.
ru. 172800 IN NS d.dns.ripn.net.
ru. 172800 IN NS e.dns.ripn.net.
ru. 172800 IN NS f.dns.ripn.net.
ru. 86400 IN DS 15506 8 2 331CBB1932E7CF201F81AB299EF8711AD7175E8812508679E475930C 2B145C97
ru. 86400 IN RRSIG DS 8 1 86400 20190511050000 20190428040000 25266 . nmGftS2ztiLhDImmEPgPAOnoBKrwOpARMkP03EJ4kyIGgGOESH5ePJDX bKiU74vp68hBetKPC8toxtBCD4Q6s7cYxelSKpuuchAvbT1V+6KQMdMp mhuLc9ix1A0PsmWr78ZrjngKSqmgg4lFW1Kgy1wxnHXicdGeyK4Gk0Tm Fb1AivBjgjnMY/KaV2ylocCKePIW+fT666ReFf2RteIdSTPHwqFfBj3s QuoZS+lSlMPrwM+Npj60hv/BE+B8tTzJxCQuTZf4talUND10ySUuEJqa GuSngvz8UY9HznZTHSyUn21orZggJcdTLFS3CpYsxU6tee4NjHlBG3sT hkvz1Q==
couldn't get address for 'a.dns.ripn.net': failure
couldn't get address for 'b.dns.ripn.net': failure
couldn't get address for 'd.dns.ripn.net': failure
couldn't get address for 'e.dns.ripn.net': failure
couldn't get address for 'f.dns.ripn.net': failure
dig: couldn't get address for 'a.dns.ripn.net': no more
```
After clearing the cache:
```
> cache.clear()
[count] => 675199
# dig jprosto.ru
; <<>> DiG 9.10.3-P4-Debian <<>> jprosto.ru
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29704
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;jprosto.ru. IN A
;; ANSWER SECTION:
jprosto.ru. 300 IN A 5.101.152.156
;; Query time: 750 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Apr 28 14:44:18 CEST 2019
;; MSG SIZE rcvd: 55
```

https://gitlab.nic.cz/knot/knot-resolver/-/issues/473
validate: NSEC proofs can confuse NXDOMAIN with NODATA
2019-04-30T12:39:49+02:00
Vladimír Čunát <vladimir.cunat@nic.cz>
[Real-life example](https://gitlab.labs.nic.cz/knot/knot-resolver/issues/462#note_104852).
The records get into aggressive cache that doesn't suffer from this bug, so only the first answer can be wrong. So far I can see no security implications of exchanging NODATA with NXDOMAIN.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/474
prefill crashes on empty zone file
2019-07-09T14:20:05+02:00
Petr Špaček
https://lists.nic.cz/pipermail/knot-resolver-users/2019/000147.html
This occurs if for some reason the prefill file happens to be empty:
kresd[11812]: [prefill] root zone file valid for 17 hours 01 minutes,
reusing data from disk
kresd[11812]: segfault at 0 ip 00007f9b06017436 sp 00007ffc3142bb58
error 4 in libc-2.28.so[7f9b05fa1000+148000]
Apr 30 20:26:13 scruffy kernel: Code: 0f 1f 40 00 66 0f ef c0 66 0f ef
c9 66 0f ef d2 66 0f ef db 48 89 f8 48 89 f9 48 81 e1 ff 0f 00 00 48 81
f9 cf 0f 00 00 77 6a <f3> 0f 6f 20 66 0f 74 e0 66 0f d7 d4 85 d2 74 04
0f bc c2 c3 48 83
This happens in a loop until systemd gives up trying to start kresd.
Solved by removing /var/cache/knot-resolver/root.zone (0 bytes).
kresd version: 4.0.0
We use your example config from:
https://knot-resolver.readthedocs.io/en/stable/modules.html#cache-prefilling
Ivana Krumlova

https://gitlab.nic.cz/knot/knot-resolver/-/issues/479
NOERROR from pre-RFC 2308 servers is treated as lame
2019-05-23T16:40:41+02:00
Petr Špaček
Knot Resolver 4.0.0 does not accept NOERROR answers from pre-RFC 2308 auths, i.e. auths which do not send SOA RR in AUTHORITY section of NOERROR answer.
Example from live Internet:
```
resolve('blogs.cisco.com', kres.type.AAAA, kres.class.IN, {}, function(pkt) print(pkt) end)
```
...
```
[65537.22][iter] 'blogs.glb-ext.cisco.com.' type 'AAAA' new uid was assigned .25, parent uid .00
[65537.25][resl] => id: '43849' querying: '72.163.5.22#00053' score: 10 zone cut: 'glb-ext.cisco.com.' qname: 'BLogS.glb-eXT.CiscO.Com.' qtype: 'AAAA' proto: 'udp'
[65537.25][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 43849
;; Flags: qr cd QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1280 B; ext-rcode: Unused
;; QUESTION SECTION
blogs.glb-ext.cisco.com. AAAA
[65537.25][iter] <= rcode: NOERROR
[65537.25][iter] <= lame response: non-auth sent negative response
```
This seems to be caused by `is_authoritative()` in lib/layer/iterate.c.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/482
Not-yet-valid signature causes SERVFAIL + data in answer section
2019-06-20T17:16:44+02:00
Petr Špaček
Reproducer:
```
# dig @::1 signotincepted.ok.ok.bad-dnssec.wb.sidnlabs.nl +rrcomments
; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> @::1 signotincepted.ok.ok.bad-dnssec.wb.sidnlabs.nl +rrcomments
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5493
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;signotincepted.ok.ok.bad-dnssec.wb.sidnlabs.nl. IN A
;; ANSWER SECTION:
signotincepted.ok.ok.bad-dnssec.wb.sidnlabs.nl. 3600 IN A 94.198.159.39
;; Query time: 952 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Jun 20 14:09:32 UTC 2019
;; MSG SIZE rcvd: 91
```
We should return no data on DNSSEC validation errors (except for +CD bit).

https://gitlab.nic.cz/knot/knot-resolver/-/issues/483
DNS64 does not synthesise if AAAA query fails but A query works
2019-12-18T19:56:41+01:00
Petr Špaček
Query for `internetbanken.privat.nordea.se. AAAA` ends up with SERVFAIL because it is broken on the authoritative side, but query `internetbanken.privat.nordea.se. A` succeeds.
https://tools.ietf.org/html/rfc6147#section-5.1.2 seems to specify (using pretty convoluted language), that any failure in AAAA resolving should trigger A subquery and DNS64 synthesis.
This was reported during RIPE 78 meeting because some people were not able to reach their bank website.
I can see two problems with current DNS64 module (as in Knot Resolver 4.0.0):
- Failed AAAA query does not trigger synthesis, e.g. if we get SERVFAIL. This should be easy to fix.
- AAAA query which fails because all NS servers do not respond for AAAA query will not call `consume()` layer in module, and thus DNS64 module does not get a chance to do A query and synthesis. This will be harder to fix.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/488
can't reliably fetch stats when using SO_REUSEPORT
2020-06-15T09:35:13+02:00
Jean-Daniel
I'm using knot resolver with systemd, and want to use the stats module + http module to fetch stats in prometheus format.
My problem is that if I start more than one instance (kresd@1, kresd@2, …), stats fetching requests are distributed among the instances and return only the stats from the answering instance.
I can't get a reliable way to fetch the stats in such configuration.
Workaround:
I can fetch and aggregate individual workers' stats from the control sockets, but the control socket is very unreliable (it is not able to properly parse 2 successive queries and often tries to interpret them as a single query).

https://gitlab.nic.cz/knot/knot-resolver/-/issues/489
[tls_client] session resumption doesn't work when server sends session ticket along with other data
2020-01-14T18:50:52+01:00
Tomas Krizek
When using `policy.TLS_FORWARD` against a kresd that was compiled with new-enough gnutls to support TLS 1.3 (Arch, Debian 10, ...), session resumption doesn't work.
When the connection is established for the first time, queries are answered. When this connection is closed (usually after TCP keepalive expires, ~10secs), it can no longer be re-established and forwarding stops working. Log contains many attempts to reconnect, all ending up with the following error:
```
[tls_client] TLS handshake with 127.0.0.1#00853 has completed
[tls_client] TLS session has resumed
[gnutls] (5) REC[0x55989bcfd8f0]: Preparing Packet Application Data(23) with length: 33 and min pad: 0
[gnutls] (5) REC[0x55989bcfd8f0]: Sent Packet[1] Application Data(23) in epoch 2 and length: 55
[gnutls] (3) ASSERT: buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: record.c[_gnutls_recv_int]:1777
[gnutls] (5) REC[0x55989bcfd8f0]: SSL 3.3 Application Data packet received. Epoch 2, length: 268
[gnutls] (5) REC[0x55989bcfd8f0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x55989bcfd8f0]: Received Packet Application Data(23) with length: 268
[gnutls] (5) REC[0x55989bcfd8f0]: Decrypted Packet[0] Handshake(22) with length: 251
[gnutls] (3) ASSERT: buffers.c[get_last_packet]:1170
[gnutls] (4) HSK[0x55989bcfd8f0]: NEW SESSION TICKET (4) was received. Length 247[247], frag offset 0, frag length: 247, sequence: 0
[gnutls] (3) ASSERT: buffers.c[_gnutls_handshake_io_recv_int]:1431
[gnutls] (4) HSK[0x55989bcfd8f0]: parsing session ticket message
[gnutls] (3) ASSERT: record.c[_gnutls_recv_in_buffers]:1579
[gnutls] (3) ASSERT: record.c[_gnutls_recv_int]:1777
[io] => connection to '127.0.0.1#00853': error processing TLS data, close
```
The resolver attempts the same resolution multiple times with the same result, and ultimately answers the client with SERVFAIL. Cached queries are still answered correctly.
This can be easily reproduced when both client and fwd target resolver are compiled with gnutls>3.6 and these configs are used:
```
# kresd_fwd_target.conf
net.listen('127.0.0.1', 853, { kind = 'tls' })
```
```
# kresd.conf
net.listen('127.0.0.1', 53535)
policy.add(policy.all(policy.TLS_FORWARD({
{'127.0.0.1', insecure=true}
})))
```

https://gitlab.nic.cz/knot/knot-resolver/-/issues/490
req->add_selected is ignored
2019-07-24T17:12:26+02:00
Petr Špaček
Values stored in `req->add_selected` are being ignored so modules cannot add stuff into additional section. That's unfortunate, we need to fix this.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/493
Resolver stops working and returns SERVFAIL until restarted
2022-02-04T17:49:26+01:00
ValdikSS
Some time after normal operation, knot-resolver stops resolving any domains and returns SERVFAIL on all DNS queries.
I have the following configuration:
```
# cat /etc/knot-resolver/kresd.conf
user('knot-resolver','knot-resolver')
cache.size = 300 * MB
net.ipv6 = false
modules = {
'hints > iterate', -- Load /etc/hosts and allow custom root hints
'stats', -- Track internal statistics
'predict', -- Prefetch expiring/frequent records
}
-- minimum TTL = 2 minutes
cache.min_ttl(120)
dofile("/etc/knot-resolver/knot-aliases-alt.conf")
policy.add(
policy.suffix(
policy.STUB(
{'127.0.0.4'}
),
policy.todnames(blocked_hosts)
)
)
# cat /etc/knot-resolver/knot-aliases-alt.conf
blocked_hosts = {
"0000a-fast-proxy.de.",
"002cc20.icu.",
"007ingyenletoltes.hu.",
"007rc.biz.",
"007slots.com.",
"00seeds.com.",
"010119azino777.com.",
"010119azino777.ru.",
…
"zzzes.ru.",
"zzztorrent.net.",
"zzzz1.live.",
"zzzz2.live.",
}
```
Both normal recursive queries and queries which should be forwarded to 127.0.0.4 (from blocked_hosts) fail to work.
I've just enabled verbose logging to monitor the issue, but the log seems to buffer a lot. I see new information in journald's journalctl in spikes, a large log every 30 seconds or so. I'm not sure if this is some sort of cache and is to be expected, or it shows some kind of lock problem.
It even triggered a watchdog once:
```
systemd[1]: kresd@1.service: Watchdog timeout (limit 10s)!
systemd[1]: kresd@1.service: Killing process 23036 (kresd) with signal SIGABRT.
systemd[1]: kresd@1.service: Main process exited, code=killed, status=6/ABRT
systemd[1]: kresd@1.service: Unit entered failed state.
systemd[1]: kresd@1.service: Failed with result 'watchdog'.
systemd[1]: kresd@1.service: Service hold-off time over, scheduling restart.
```
The issue happens irregularly. It used to work fine for weeks, but in the last 3 days it happened 3 times. Sometimes it takes dozens of hours, sometimes only several minutes. I did not update the configuration and updated the software only after the second time. It happens on 4.1.0.
Right now I'm running verbose logging and will update this issue when it happens again.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/512
prefill: deadlock issue
2019-12-20T14:32:34+01:00
Vladimír Čunát <vladimir.cunat@nic.cz>
The https download of the (root) zone is blocking and it uses OS DNS. That combination will dead-lock e.g. in the case when kresd is the (only) resolver for the OS on which it runs. _Originally discovered in #506._
Plan – implementation details: I expect we'd better convert the fetch to use `lua-http` library, as it's asynchronous and has a relatively [convenient API for this](https://daurnimator.github.io/lua-http/0.3/#retrieving-a-document).

https://gitlab.nic.cz/knot/knot-resolver/-/issues/514
Segfault on 4.2.1 on armv7
2019-10-04T08:52:06+02:00
Jonathan Coetzee
I updated my personal knot-based container from 4.2.0 to 4.2.1 and it now fails to start up. Running `kresd` manually from inside the container shows that it's segfaulting on startup ([core](/uploads/daae8f89a99a18c67ce5e2ab92e9b518/core)). Turning on verbose logging doesn't seem to reveal anything. This is on my RPi 4 running up-to-date Raspbian Buster (image runs without error on my MacBook Pro). If you have an armv7 environment to test with I've pushed two tags `jonocoetzee/private-dns:v4.2.0` and `jonocoetzee/private-dns:v4.2.1` ([repo](https://gitlab.com/jonocoetzee/private-dns)). Let me know if there's any other info you need.
4.2.2
Vladimír Čunát <vladimir.cunat@nic.cz>

https://gitlab.nic.cz/knot/knot-resolver/-/issues/542
[tls_client] session resumption does not work properly
2022-02-18T11:53:56+01:00
Vladimír Čunát <vladimir.cunat@nic.cz>
It doesn't break handshake but resumption never happens. Maybe it's broken just on TLS 1.3, or some similar condition. I tried this with quad-{1,8,9} and it looks the same in verbose log.
We do receive resumption tickets from upstream
```
[gnutls] (4) HSK[0x1644310]: NEW SESSION TICKET (4) was received. Length 246[496], frag offset 0, frag length: 246, sequence: 0
```
but never send it on on re-connection (no idea why so far)
```
[gnutls] (4) EXT[0x1644310]: Preparing extension (Session Ticket/35) for 'client hello'
[gnutls] (4) EXT[0x1644310]: Sending extension Session Ticket/35 (0 bytes)
```
and thus the session can't resume.
```
[tls_client] TLS session has not resumed
```
_Tested with latest releases: Knot Resolver 4.3.0 and GnuTLS 3.6.11.1._

https://gitlab.nic.cz/knot/knot-resolver/-/issues/582
fix locking around cache preallocation
2020-06-25T14:52:04+02:00
Petr Špaček
Caveats in [LMDB docs](http://www.lmdb.tech/doc/index.html) suggest that our cache preallocation might break LMDB locking:
> Do not have open an LMDB database twice in the same process at the same time. Not even from a plain open() call - close()ing it breaks flock() advisory locking.