Knot Resolver issues
https://gitlab.nic.cz/knot/knot-resolver/-/issues
2022-02-07T19:06:08+01:00

https://gitlab.nic.cz/knot/knot-resolver/-/issues/303
TLS forwarding: allow EDNS padding
2022-02-07T19:06:08+01:00
Vladimír Čunát vladimir.cunat@nic.cz

and probably use 128 as the default as suggested by https://gitlab.labs.nic.cz/knot/knot-resolver/merge_requests/247
So far we only pad on server side.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/302
DNS over TLS repeated error: GNUTLS_E_AGAIN (-28)
2018-02-12T09:09:46+01:00
Ghost User

Hello,
I started using the DNS over TLS and I am facing some issues. Queries seem to fail a lot of times especially on the first try. For example `Temporary failure resolving 'cdn-fastly.deb.debian.org'`. There is an error that keeps being spammed in the log a lot:
```
[gnutls] (5) REC[0x556bfb5e98a0]: Preparing Packet Application Data(23) with length: 41 and min pad: 0
.
.
.
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_writev_emu]:464
[gnutls] (2) WRITE: -1 returned from 0x556bfb55e290, errno: 11
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_send_tlen_int]:555
[tls] gnutls_record_uncork: too many sequential non-fatal errors (101), last error is: GNUTLS_E_AGAIN (-28)
[tls] gnutls_record_uncork didn't send all data: GNUTLS_E_SUCCESS (0)
```
The three lines starting with ASSERT, WRITE get spammed, so here is the full log https://psb1.org/paste/4a35b1ae/2632c9f1ef31f4fb
The resolver is available live at:
```
pin_sha256="UXGqCMdLvdkVB3sIxfb41G5gIn8lR8zjOMj13czd/V8="
node3.psb1.org. has IPv4 address 81.2.239.149
node3.psb1.org. has IPv6 address 2001:15e8:110:795::1
```
Both servers are `Knot DNS Resolver, version 2.0.0`, running on `Debian buster/sid with Linux 4.14.13-1`. My *libknot* is `2.6.4-1`. My *libgnutls* is `3.6.1-1`. They are built from source.
My setup consists of two Knot Resolvers where one is doing the resolving and the second one is just forwarding to the first.
First server's config (the resolver):
```
-- load modules
modules = {
    "policy",
    "view",
    "version",
    "stats",
    "daf",
    predict = {
        -- 15 minutes sampling window
        window = 15,
        -- track last 31 days
        period = 31 * 24 * (60 / 15)
    },
    hints = "/etc/knot-resolver/hosts/compiled.hosts",
    http = {
        host = "xxxx.xxxx.xxx",
        port = 8053,
        cert = false,
        -- key = "/mnt/xxxx/xxxxxxxx.key",
        -- cert = "/mnt/xxxx/xxxxxxxx.cer",
        geoip = "/etc/knot-resolver/GeoLite2-City_20180102/GeoLite2-City.mmdb"
    }
}
-- init tls
net.tls(
    "/mnt/xxxx/xxxxxxxx.cer",
    "/mnt/xxxx/xxxxxxxx.key"
)
-- setup cache
cache.storage = "lmdb:///var/cache/knot-resolver"
cache.size = 100 * MB
-- set mode
mode("normal")
-- setup trust anchors for DNSSEC
trust_anchors.file = "/var/cache/knot-resolver/root.key"
```
Second server's config (the forwarder):
```
-- load modules
modules = {
    "policy",
    "view",
    "version",
    "stats",
    "daf",
    predict = {
        -- 15 minutes sampling window
        window = 15,
        -- track last 31 days
        period = 31 * 24 * (60 / 15)
    }
}
-- setup policies
policy.add(policy.all(policy.TLS_FORWARD({{ "81.2.239.149", pin_sha256="UXGqCMdLvdkVB3sIxfb41G5gIn8lR8zjOMj13czd/V8=" }})))
-- init tls
net.tls(
    "/mnt/xxxx/xxxxxxxx.cer",
    "/mnt/xxxx/xxxxxxxx.key"
)
-- setup cache
cache.storage = "lmdb:///var/cache/knot-resolver"
cache.size = 100 * MB
-- set mode
mode("normal")
-- setup trust anchors for DNSSEC
trust_anchors.file = "/var/cache/knot-resolver/root.key"
```
Thank you in advance for looking into this.
Grigorii Demidov

https://gitlab.nic.cz/knot/knot-resolver/-/issues/301
Kresd segfault on resolving domain name from hints
2018-02-13T16:49:44+01:00
Maria Matejka

Using this config file:
```
net = { '127.0.0.1', '::1', '192.168.7.200' }
user('knot-resolver','knot-resolver')
modules = { 'hints < iterate' }
hints.set("dns.msftncsi.com. 192.168.7.200")
```
and resolving (`dig dns.msftncsi.com @localhost`) causes kresd to segfault. Stack trace is like this:
```
#0 0x00007ffff7948183 in knot_dname_is_equal () from /usr/lib/x86_64-linux-gnu/libknot.so.7
#1 0x00007ffff3870a80 in ?? () from /usr/local/lib/kdns_modules/hints.so
#2 0x00007ffff3871454 in ?? () from /usr/local/lib/kdns_modules/hints.so
#3 0x00007ffff7b87a98 in kr_resolve_produce () from /usr/local/lib/libkres.so.4
#4 0x00005555555603b5 in ?? ()
#5 0x000055555555b65b in ?? ()
#6 0x00007ffff72c318b in ?? () from /usr/lib/x86_64-linux-gnu/libuv.so.1
#7 0x00007ffff72c4ef8 in ?? () from /usr/lib/x86_64-linux-gnu/libuv.so.1
#8 0x00007ffff72b6934 in uv_run () from /usr/lib/x86_64-linux-gnu/libuv.so.1
#9 0x000055555555b465 in ?? ()
#10 0x00007ffff5e122b1 in __libc_start_main (main=0x55555555a240, argc=5, argv=0x7fffffffe4a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe498) at ../csu/libc-start.c:291
#11 0x000055555555b4ba in _start ()
```

https://gitlab.nic.cz/knot/knot-resolver/-/issues/300
Cannot handle MTU-related timeouts?
2020-10-26T15:18:35+01:00
Stéphane Bortzmeyer

From one vantage point, Knot resolver cannot get answers with DNS+DNSSEC, from any of the name servers. It cannot retry without EDNS because it would break DNSSEC but shouldn't it retry automatically with TCP?
```
% dig A www.afnic.fr
; <<>> DiG 9.11.2-P1-1-Debian <<>> A www.afnic.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6594
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.afnic.fr. IN A
;; Query time: 2066 msec
;; SERVER: 192.168.2.254#53(192.168.2.254)
;; WHEN: Thu Jan 25 15:44:33 UTC 2018
;; MSG SIZE rcvd: 41
% dig @ns2.nic.fr A www.afnic.fr
; <<>> DiG 9.11.2-P1-1-Debian <<>> @ns2.nic.fr A www.afnic.fr
; (2 servers found)
;; global options: +cmd
;; connection timed out; no servers could be reached
% dig +nodnssec @ns2.nic.fr A www.afnic.fr
; <<>> DiG 9.11.2-P1-1-Debian <<>> +nodnssec @ns2.nic.fr A www.afnic.fr
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3789
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 10
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 4bbe8d53108364eabca57f7a5a69fbee7ec3de6b2d63de14 (good)
;; QUESTION SECTION:
;www.afnic.fr. IN A
;; ANSWER SECTION:
www.afnic.fr. 600 IN CNAME www.nic.fr.
www.nic.fr. 600 IN CNAME lb01-1.nic.fr.
lb01-1.nic.fr. 600 IN A 192.134.5.24
;; AUTHORITY SECTION:
nic.fr. 172800 IN NS ns2.nic.fr.
nic.fr. 172800 IN NS ns1.nic.fr.
nic.fr. 172800 IN NS ns3.nic.fr.
nic.fr. 172800 IN NS ns6.ext.nic.fr.
nic.fr. 172800 IN NS ns1.ext.nic.fr.
;; ADDITIONAL SECTION:
ns1.nic.fr. 172800 IN AAAA 2001:67c:2218:2::4:1
ns2.nic.fr. 172800 IN AAAA 2001:660:3005:1::1:2
ns3.nic.fr. 172800 IN AAAA 2001:660:3006:1::1:1
ns6.ext.nic.fr. 172800 IN AAAA 2001:620:0:ff::2f
ns1.ext.nic.fr. 172800 IN A 193.51.208.13
ns1.nic.fr. 172800 IN A 192.134.4.1
ns2.nic.fr. 172800 IN A 192.93.0.4
ns3.nic.fr. 172800 IN A 192.134.0.49
ns6.ext.nic.fr. 172800 IN A 130.59.31.29
;; Query time: 7 msec
;; SERVER: 2001:660:3005:1::1:2#53(2001:660:3005:1::1:2)
;; WHEN: Thu Jan 25 15:46:54 UTC 2018
;; MSG SIZE rcvd: 414
% dig +tcp @ns2.nic.fr A www.afnic.fr
; <<>> DiG 9.11.2-P1-1-Debian <<>> +tcp @ns2.nic.fr A www.afnic.fr
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25722
;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 6, ADDITIONAL: 19
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 55f9b6f5342698c35f05f3875a69fbfc73e77c5cf608ac42 (good)
;; QUESTION SECTION:
;www.afnic.fr. IN A
;; ANSWER SECTION:
www.afnic.fr. 600 IN CNAME www.nic.fr.
www.afnic.fr. 600 IN RRSIG CNAME 8 3 600 (
20180213225107 20180115074143 64491 afnic.fr.
OrzJ7+UmRiFpyz33DA7VvL7ZQADDd862bR6PSWrCuSIv
U4eE6BHKDjXkzDpp2TYUI+n+NSmkkOkmsD4tlOhfo8ao
573RhBnmoPVO3dnqrUWZf8omi4KfpS9sZmybV30DzN8m
lB2UbO5FtvN5p3L8kVWmqcxZyW/fNO07IUf7bwoIAoaS
XzJQfAPfoa7i93kbfleI5OTpjwmfHHEdcnl+a6bpcv2i
Uquo34c5SfD3aWThw54mS+zQXEhaW38Oxbnfsz0tSy4V
0ng4o4PVFqF/wpWt1x1NxfCe6wg6ODFhutuzDu7EQdH0
OI6Btn9lsMEl5hNEJGksudyjlvV9SkYyug== )
www.nic.fr. 600 IN CNAME lb01-1.nic.fr.
www.nic.fr. 600 IN RRSIG CNAME 8 3 600 (
20180222212642 20180123144323 64491 nic.fr.
TUVAhMpnA+WtxiisXpBtVf+MkkwLm1vApGmzy23lc9+m
/Mi6yBuiRaXVuWUZ/M8CoOzm8vL7maU4hI5tgqwccMem
nAnrgM34m93rKf5AUnYLw85OHPgf7d6Kr79O6UOI5tUX
R5l4pyZv3HpYPNsOmSUxkXYURZrByuF6IvXV2J+yzvDV
k28e5mTAMc2sTrDZJ/7ZGF6vi6FoGp/Qe/gujPv3GBLw
CMCNd9FXYyLP8I22iLoPPxcgOhulUBNHuzGjM3X4GIAm
9D3Jjz/Hrm2G6mFgcsyt0CUOSK+ClZx4temUrEI73KPK
I6VWzvgLVV2pzdpDDNaZUJHnDY0ovfxtgg== )
lb01-1.nic.fr. 600 IN A 192.134.5.24
lb01-1.nic.fr. 600 IN RRSIG A 8 3 600 (
20180220192248 20180122044323 64491 nic.fr.
JoKmE6E79tkrh4elgng92IJ4lErXM1yMX8pu6jsh/6Gc
hrY6KsCh9YLAab4qKqDGOEjoqH74op3HWw0GY3usAjPN
k4+FtZoGfZGLLfREOn0oZSgSSHjiga+VcnVFS7Fw2v8s
WI+TzCsOYRyDOtUSMielnanfdxvi4HtNieh0u9m+tz5G
BwVsQAdMD3o34P48DBZASjXCNvcoMpTCI5E0r6wXhnqI
vNAAW2JS1pHLXUxxqme22p/g8HWcZ+cW4uLTBAlZW8Xe
6uLQYMircoT7EhPOndQMrzHB0rqjrHYdXyJe/htJEcfP
XR5sQqOGQFMuTiPXXv1uP0v0wme1161kkA== )
;; AUTHORITY SECTION:
nic.fr. 172800 IN NS ns3.nic.fr.
nic.fr. 172800 IN NS ns2.nic.fr.
nic.fr. 172800 IN NS ns1.ext.nic.fr.
nic.fr. 172800 IN NS ns6.ext.nic.fr.
nic.fr. 172800 IN NS ns1.nic.fr.
nic.fr. 172800 IN RRSIG NS 8 2 172800 (
20180210074028 20180111115419 64491 nic.fr.
EcoBebipzdTzUEP8TGx5m72+NlQV7a57S9aXZyYLxmiI
1n8w23ScIWE5w5aBUwZdlg9wDvkBSRX17VUxG37wxEgR
VxD+qH0vLIl45GjRUSaWbWXPLjWTuAoy+5euDKsdT/Ej
x1wOu0KcUPxKBur6eTEj0TaNETSD7h4b5eTouff/JoWV
T727DCkr9lYSMqrC7jFav6YiJRlv7zXMWRFMPlD4hssC
ejLQ2E3OlPE+0SoqpIVJI0TqzNJYEiPnSJ7AaDuI2dji
fT6E4iArnU8XSRtXjMrtBJd6oRNJn+v9qH73oIiMpZC1
5AEbfH1q9tj8MT1FCa43iEePOr36+WFUbg== )
;; ADDITIONAL SECTION:
ns1.nic.fr. 172800 IN AAAA 2001:67c:2218:2::4:1
ns2.nic.fr. 172800 IN AAAA 2001:660:3005:1::1:2
ns3.nic.fr. 172800 IN AAAA 2001:660:3006:1::1:1
ns6.ext.nic.fr. 172800 IN AAAA 2001:620:0:ff::2f
ns1.ext.nic.fr. 172800 IN A 193.51.208.13
ns1.nic.fr. 172800 IN A 192.134.4.1
ns2.nic.fr. 172800 IN A 192.93.0.4
ns3.nic.fr. 172800 IN A 192.134.0.49
ns6.ext.nic.fr. 172800 IN A 130.59.31.29
ns1.ext.nic.fr. 172800 IN RRSIG A 8 4 172800 (
20180218001157 20180119024323 64491 nic.fr.
EbvmCLKgiLEojrvu+G9jNIWtAX0zuu/7NOpU1Tisjpop
Zx9hX7qYb1HLCH1qhU8s3iBhFedqSUXF6rtZHzz2qtJ+
h+G4UgNAWCyDsHVeH5lisXirUDx+Hp9+Z1EAoUb5Kf6F
0f2tNAt6MkJYBg+DjxcuRDRWoG5LBBphPz8mhgnoVp9r
Jh4C6XqfrT9T18k999ijdIcIfXwhP+ghmXhg0zW2PIUr
3B9KKkfo4YDWJOZ2hpH3wM8l0Ka/C6v9naU1RQ+j01Ay
izENN2xnevbaTCp4D6FYE2JVWHASuYlbZynqs0N4K6R/
EoGjHHkG2xgSgHTpeHbs0YYzQbdJo63m5w== )
ns1.nic.fr. 172800 IN RRSIG A 8 3 172800 (
20180221220313 20180123084323 64491 nic.fr.
Rnwhloou1+lYWji0oVvMrODRsank5EHRLDN85WVXv4JW
z2fHI+5IZLWaGlUProhkwqfobH0rjWFA/phPkhL0Bije
gfhTGpQNheD5BN8MfPEMxYYQgZ7O/V6bWGh3M+IezrZv
rBESOBpCnGbdadxJvUlZAmaYWJ2AL1wKYQ6OWP/viz0X
AfIE6qxWfGa4xG3LrEWSL7Y+RFrM41TaY+Dd2fEnOJbo
pUXtd6EC871zxdmzUQJbcpjWxKzXN4qysfSsk+T8H1my
R4OnbczneKb/EmAfII6BMblJyuTyVnHu+3Q0Yd8NaXtE
Sg1rL+bKwIowuIzW5wbnMRU8dQs5axgEGA== )
ns1.nic.fr. 172800 IN RRSIG AAAA 8 3 172800 (
20180219001645 20180120004323 64491 nic.fr.
ikRbTnsIqZ6s+i/QTyALVrOtdY68VtPZFyD56V0RzoTB
ZPBM25OCRERAPbNSBpStTnsUL8v8bSwV/L1kcL5dkZNz
C/TJyhZtSJHVUAUi2ngOF2BjzjF3o2L7+44Ke1vnCGmv
ObjJdjYMa9AK+/ybhvecLQ67+I84gN9v+srLmpGTeOIh
Zebzj4QKWe97GHWbzF2CroAynJg3efEaU/WTXf6lhHIW
/Tytwg1voUja/oWL55ABO6rjcMghYI/t81iBf/kwstmq
Mo6PxeiT9UKS9b18Kh2vOGmcsP3b5+L3Kz4OW1ujFV37
aklHXJbQCMcrFGH5VFO9cHoKlJxOIxSpSw== )
ns2.nic.fr. 172800 IN RRSIG A 8 3 172800 (
20180218140517 20180119224323 64491 nic.fr.
FLsCHaSy4D2o0ScOmuRb7jb2BuKuh5bXIokv/wHHSjcr
h95xA5HDToX4iP9vTplnkFPl1MNNMOKob7wB51+n6w5i
DX/WecFhktOm41M/a0RXt0FUv4YRCnWKWjGZ23pqpsO4
W7aQvk9MYVqQbjJacEyfGzeDjlYSzXwkiH4dOONFeNs6
VoE6ihnRm+9pOKReyyr50tro7PcMakIXI8S0B9wGT2y8
kRPLTcrsDobLnVCL+1H2bH0pA068n/YOPih1QZLa2Pw6
RzzypcGECRuSxm34spNSD06/gfyjRPao78cMPW/dN3Fc
1Yp7jbdX6gJ28TnmhTSFfj0xdZaBNDR0Ig== )
ns2.nic.fr. 172800 IN RRSIG AAAA 8 3 172800 (
20180216033932 20180117084323 64491 nic.fr.
QI1REwIzT+XKk1vfRT3vBeoOvJtc8raJO/8Gv4AJQQBF
MHEEvNuMiKYG7KCP4sBomh3YGgQdlKe/yWpoSIfdpg9b
naLoFXxl+aPMLEEOihgkONUIsp/D4f16xlR03vWRYPYr
vAUZCjblJ1Drb9ht9UoX5wiWuJIfhU8hjRm0kAE3duE4
mNAHbHbr2diCyFEVHiqXT9360gB9XET3PWprJoLzsn+R
N+fyTMAEruOeWVH8J3+MxrzdBKyxCS5dzUml0iPlcFr+
G5sAa4XdZK5ja2kMHuPfuIQj8C83GzPj1ZrRLpmjEpb1
DE9xnZO4obIkiAhmvB1J65CDi/2KEj5MeA== )
ns3.nic.fr. 172800 IN RRSIG A 8 3 172800 (
20180217182034 20180119004323 64491 nic.fr.
KmEbNRoN4hIRNIqoJGOTgUfviyVQ9120n21/Rs4/Io5u
snCdSWCTvf/D3Hha/LgZJorAmrREg7bBUxUaa3cnfIDh
YGOYFKR/2MX0X6Deto7SZQmE/v9US/4OEdw3Ljt3a+Wf
2wpEskAEghShiGyx6FxjC8e/u7k0+ezoj6LQ937EChmQ
8mbQ1lqGTjyNAYdjnMX4Xn+lMLZS/Pdakjfe8R2+v83b
r3kR/CaUDe83XyQcEquuZxc1ZAJRlxU9zf6eipIm2vaK
oQUhlfY9nY1lh26YWOieUOc3lRXc4WGUTJD2COhKqzAH
LXMilBwDaFyKzCKKjaEDYgXzBfzXbH+5Kg== )
ns3.nic.fr. 172800 IN RRSIG AAAA 8 3 172800 (
20180217223849 20180119024323 64491 nic.fr.
IHcI0GyJuHGaEVRKih40IEVtVRiAR6RcMvLoNVAhXfj4
7zjOdglQVSrRo0/S+rWCH7d09XLpr41lzcQH6OpDFlMT
Mvo7Qmznpq9Ji9UpZxVLvTmsjtE5jyeZLBzCct3BPz8J
ArszsygEpdKz4uKI8OM6xu7NMb/ALTaNgOo0zLYSe8xh
VRniLMmfr0yGN9iPD6Jex4Dx4YpyEQ0v4V0kxyHzY5M0
FS0naX7PdsF+0rnQ2J89LutYrT+v2P8lmGSSK1EWNbyM
dDvxn95aWmcEy797jjETaJb/fn/+ZjFf44mBYXX6e44I
rvGNUIN3M7+Xbim7AW0gcukrL3Z/S5/J9g== )
ns6.ext.nic.fr. 172800 IN RRSIG A 8 4 172800 (
20180217143618 20180118084323 64491 nic.fr.
D1KGzW/W3KxrqCw0w8t0u7sLVwwYc5xcrGkdpc85ww5z
EKEWKCx8VvfjAboeVaRgUK28Dz5YbNU7IAecGjY1I8+k
5uoVRXltm7M10Hj8lrsMn5CCnn+GUM86yBHX3d5TTYI7
fhyYOV5JBcA4HHX2i9DIUu3NucXFFIk3DeZtcDJO8G4H
/6SUQW3Dh/ro2SoVjYLwuCUv/Fxj38hSMjBhcOcTRsD9
Id+8nKSkwearfP1T6TwTCeyOFOyzpLD7F2voEgOP9hmc
IRHNPCEcBz5bG1lNK7rGlHRtX7AfXzxR7679Izu1KYfX
3cD+dhAzP+tX+O/UHEEf57gR2jKp1TzHcw== )
ns6.ext.nic.fr. 172800 IN RRSIG AAAA 8 4 172800 (
20180220151403 20180122004323 64491 nic.fr.
eao2DZ3WqSdUU+uY/etN6HD+Ior6+TbxMYyNvODVTJMy
j3+W01c1bufanNDDd1LGzLy3ZcFXzvywkD5gdh1+ehk0
8XfP2gVkguQT3ofzO5qhFQw4esmtFczVzpHc+Zkjc1uu
9cQ6MZvvVp6H+ndgAipKgB+siQvHQ1wnXhUaiL7RAU8b
ittpsr1yjweKDiKCF0NGKyhe3ALDqin7/PQRFZ40l87Y
vZxloZL9lwb+L/TiWr8lm+iGrHuqHkxCpXrIDKX7GwZL
cj4rggFVS+jwjFYZdeDYmVo9HamYL2b+PYMt+/PJlRBg
ccuvVmZyCiEyeLC4tjCoHfMWHjJZW+cAHQ== )
;; Query time: 11 msec
;; SERVER: 2001:660:3005:1::1:2#53(2001:660:3005:1::1:2)
;; WHEN: Thu Jan 25 15:47:08 UTC 2018
;; MSG SIZE rcvd: 4238
```
(Same thing with the two other authoritative name servers.)

https://gitlab.nic.cz/knot/knot-resolver/-/issues/299
return descriptive answers for RFC 6761 zones
2018-02-13T16:51:27+01:00
Petr Špaček

Right now, the policy by default blocks queries for RFC 6303 & 6761 zones and answers them with rcode=NXDOMAIN and SOA RR in authority section with names like `blocked.` in it.
This confuses less experienced users, so we could add an explanatory TXT record into ADDITIONAL section, and document this using terms like "automatic empty zone" from BIND and Unbound's equivalent.
Links:
https://www.iana.org/assignments/special-use-domain-names
https://www.iana.org/assignments/locally-served-dns-zones/locally-served-dns-zones.xhtml

https://gitlab.nic.cz/knot/knot-resolver/-/issues/298
improving latency of nameserver chasing
2021-01-04T11:26:09+01:00
Vladimír Čunát vladimir.cunat@nic.cz

When chasing addresses of nameservers, kresd by default only trusts glue addresses if in bailiwick of the zone we asked. This isn't optimal even in some common cases, e.g. `com` and `net` TLD zones are served by the same set of servers, so when a delegation from either has `NS` records from the other, we *could* safely trust the glue. Doing this check generally won't be trivial, but it might be worth the latency gains on cold cache; some nameservers cause us to chase through multiple zones until we find a trusted glue.
On a related note, we might also accept the glue if the child zone is signed. (seems easier to implement)

https://gitlab.nic.cz/knot/knot-resolver/-/issues/297
docker start fails on libstdc++.so.6 @ ahocorasick.so
2018-01-25T15:39:58+01:00
Ghost User

Hi,
`docker run cznic/knot-resolver`
results in
`error: error loading module 'ahocorasick' from file '/usr/local/lib/kdns_modules/ahocorasick.so':
Error loading shared library libstdc++.so.6: No such file or directory (needed by /usr/local/lib/kdns_modules/ahocorasick.so)
[system] error error: No such file or directory`
I tried a Dockerfile from https://hub.docker.com/r/cznic/knot-resolver/~/dockerfile/
It compiles, but it does not run.
I unsuccessfully tried it on multiple Ubuntu hosts, no good. I also tried to install *libstdc++.6*, or change LD_LIBRARY_PATH=/usr/lib/x86_64-linux-gnu/ (or another), but the outcome was always the same.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/296
regression: failure to follow a referral (sometimes?)
2018-02-02T18:20:10+01:00
Vladimír Čunát vladimir.cunat@nic.cz

Test case: `www.automobile.fr. AAAA`, bisected to commit e7c5c102d0eb. (In particular, it works OK on 1.5.1.)
Interesting part from log:
```
[52590][iter] 'www.automobile.fr.' type 'AAAA' id was assigned, parent id 0
[52590][resl] => querying: '2a04:cb41:a516:3::3' score: 10 zone cut: 'automobile.fr.' m12n: 'WWW.automOBilE.fr.' type: 'AAAA' proto: 'udp'
[52590][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 52590
;; Flags: qr QUERY: 1; ANSWER: 0; AUTHORITY: 4; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1280 B; ext-rcode: Unused
;; QUESTION SECTION
www.automobile.fr. AAAA
;; AUTHORITY SECTION
www.automobile.fr. 600 NS ns1.p13.dynect.net.
www.automobile.fr. 600 NS ns2.p13.dynect.net.
www.automobile.fr. 600 NS ns3.p13.dynect.net.
www.automobile.fr. 600 NS ns4.p13.dynect.net.
[52590][iter] <= referral response, follow
[52590][ rc ] => stashing rank: 010, NS www.automobile.fr.
[40645][iter] 'www.automobile.fr.' type 'AAAA' id was assigned, parent id 0
[40645][plan] plan 'dns47-2.mobile.de.' type 'A'
[27333][iter] 'dns47-2.mobile.de.' type 'A' id was assigned, parent id 40645
[27333][ rc ] => rank: 001, lowest 000, A dns47-2.mobile.de.
[27333][ rc ] => satisfied from cache
[27333][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 27333
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
dns47-2.mobile.de. A
;; ANSWER SECTION
dns47-2.mobile.de. 86400 A 91.211.75.18
[27333][iter] <= rcode: NOERROR
[40645][iter] <= using glue for 'dns47-2.mobile.de.': '91.211.75.18'
[28159][iter] 'www.automobile.fr.' type 'AAAA' id was assigned, parent id 0
[28159][resl] => querying: '91.211.75.18' score: 10 zone cut: 'www.automobile.fr.' m12n: 'www.AutOMoBILe.fr.' type: 'AAAA' proto: 'udp'
```
On the last line kresd queries `@dns47-2.mobile.de.` (again), despite getting referral for the `www` zone to `ns*.p13.dynect.net.` in the previous iteration step.
Another example: `settings.services.mozilla.com. SOA`. This one also gets broken on that commit though the log _looks_ different: `mirror.nsc.liu.se. CNAME`.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/295
validator might better ignore out-of-bailiwick crap
2018-01-22T15:27:22+01:00
Vladimír Čunát vladimir.cunat@nic.cz

Real-life example: `www.vikhockey.se. AAAA` fails in validator, due to server returning:
```
kdig @195.74.39.30 www.vikhockey.se. AAAA +dnssec
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 50218
;; Flags: qr aa rd; QUERY: 1; ANSWER: 2; AUTHORITY: 8; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1680 B; ext-rcode: NOERROR
;; QUESTION SECTION:
;; www.vikhockey.se. IN AAAA
;; ANSWER SECTION:
www.vikhockey.se. 600 IN CNAME vvik1-vvik.ramses.nu.
www.vikhockey.se. 600 IN RRSIG CNAME 8 3 600 20180201000000 20180111000000 34296 vikhockey.se. mnn7gL0v3BupFGZi4N/CV6vINkNOFy2y4H0Vx0ukrYDScxCubeLA0YCYCIE3thu13DCkOFuijUbWtaA9KSMivfJUb1q5yX0jdT0b5nvwK1/YSk2YnXMEbrjWqTu4rig+KsrZ0XSb76E0d/9wN5VtFxNkhfZypu5HSj85Isy46Bw=
;; AUTHORITY SECTION:
ramses.nu. 3600 IN SOA ns3.binero.se. registry.binero.se. 1516233600 86400 5400 604800 3600
ramses.nu. 3600 IN RRSIG SOA 8 2 3600 20180201000000 20180111000000 34296 ramses.nu. g4KxoD6HuieeEBgG6Z6oUTlhwdGelcUWRUq3Jd9osVaFzvn8XscQDdmcGh4maK0yofoz8t/ShRVjC4XQGnj5//eejMXY1jgra39VMbJ9P+7JOvGUuETw0WJL8oT7YehfFkCv1CRL5IoM6d9SYdYkmcDt/aoDMeoG+WgEZ6QHW5Y=
v8ssphenr3p30k9a4dpae5pr9ib7m3l1.ramses.nu. 3600 IN NSEC3 1 1 1 AB 18AJT6FFNC06017DT70ELSCVH3763P1C NS SOA MX RRSIG DNSKEY NSEC3PARAM
v8ssphenr3p30k9a4dpae5pr9ib7m3l1.ramses.nu. 3600 IN RRSIG NSEC3 8 3 3600 20180201000000 20180111000000 34296 ramses.nu. wSFv8izGquRzjaZJSnXn+7hgpaqfKGEr3l5OwtEI0KlBRPFmXGv8RD1d9dhJqp1QeaDK67rZqzFHioA/p13RP7kYDUCiOHX8VoA9hbQr3nFHeerkt+zSiYNaAH43sWT7oHpnrN9ODUIIB0s4Tbm1+U2G7tJ90JyjCjmMEXu+UQQ=
3dnbf1prkcm9234cr9atsv8a2gfs2oua.ramses.nu. 3600 IN NSEC3 1 1 1 AB 71O8H4PM96IP6HK4FDMQ2G34KD9KKGV4 A RRSIG
3dnbf1prkcm9234cr9atsv8a2gfs2oua.ramses.nu. 3600 IN RRSIG NSEC3 8 3 3600 20180201000000 20180111000000 34296 ramses.nu. dFKDMKzdwDmNEFfItTlEIIhAqqbk13WEO/etgywJLzEt3PRW1s70jfFCWqTeOjAUdeF6JEfLWklPYkhpBe0UwmYEVqlQcYJ37AKX7gUyN/iBKTtMfQWTXfdHMyjj1fyfEoeFh2SMk1Vl5bys1HKajB0SkOnKmzDKnZjBftDuimE=
j8qedtq6ned9n5sl7e99incs8s1m29sb.ramses.nu. 3600 IN NSEC3 1 1 1 AB MUE5EI8JM7A860A6HCDO7LQ42OSF6V55 A RRSIG
j8qedtq6ned9n5sl7e99incs8s1m29sb.ramses.nu. 3600 IN RRSIG NSEC3 8 3 3600 20180201000000 20180111000000 34296 ramses.nu. HTN4XXRy53RX8p2wksZ5HwW8gYisHHCWwbD/yjiUc4CC+q2tc9jiX9NTriGuKd32BCKqceHlPrAeU62Bn1fujCCKvmctVavr0oUXw4XSl0sJblyH5FitapCBwSW2rmiFY53Jup8oUQLpuNeNP8euADbai//gUiBl9UwHR0qR65c=
;; Received 1224 B
;; Time 2018-01-19 13:42:17 CET
;; From 195.74.39.30@53(UDP) in 130.5 ms
```
The part about CNAME is OK, but the NXDOMAIN on the target is BOGUS. (Seems like outdated `ramses.nu.` zone remaining on the server.)

https://gitlab.nic.cz/knot/knot-resolver/-/issues/294
merge TLS client and TLS server code
2018-02-13T17:00:35+01:00
Petr Špaček

File daemon/tls.c has almost identical code for TLS client and TLS server, e.g.
- [x] `kres_gnutls_client_pull` vs. `kres_gnutls_pull`
- [x] `kres_gnutls_client_push` vs. `kres_gnutls_push`
- [ ] others
We need to refactor this to have only a single copy. It will certainly require changes to `tls_ctx_t` and related structures, but it seems that we could save a good deal of code.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/293
forwarding: knot doesn't repeat query when receives SERVFAIL or REFUSE answer.
2018-02-02T18:19:18+01:00
Grigorii Demidov
2018 Q1

https://gitlab.nic.cz/knot/knot-resolver/-/issues/292
tls forwarding: there are high likelihood of msg-id duplication for active query under heavy load
2018-02-16T11:04:58+01:00
Grigorii Demidov

https://gitlab.nic.cz/knot/knot-resolver/-/issues/291
refactor excessively long functions
2018-12-17T13:29:42+01:00
Marek Vavrusa

For readability's sake, we should refactor functions so that they're reasonably short.
The screen size is ~80 lines, some functions are >300 lines, which makes it easier to make mistakes.
The !432 added an upper bound limit of 400 statements / 500 lines, but we should do better.
These functions exceed the 200 statements / 300 lines limit:
* [ ] layer/validate.c:824 function 'validate' 337 statements (threshold 200)
* [ ] resolve.c:1310 function 'kr_resolve_produce' 250 statements (threshold 200)
* [x] worker.c:1406 function 'qr_task_step' 221 statements (threshold 200)
* [x] worker.c:1872 function 'worker_process_tcp' 260 statements (threshold 200)
* [ ] main.c:425 function 'main' 247 statements (threshold 200)

https://gitlab.nic.cz/knot/knot-resolver/-/issues/290
Remove support for Go modules?
2019-03-12T12:12:24+01:00
Marek Vavrusa

There is still optional build support for Go modules, which has never been (and probably never will be) more than experimental due to challenges with differences between Go and C runtime. Do you have any plan for keeping it supported or removing it?
Tomas Krizek

https://gitlab.nic.cz/knot/knot-resolver/-/issues/289
Support NSID Option (RFC 5001)
2018-11-13T20:50:15+01:00
Petr Špaček

https://tools.ietf.org/html/rfc5001

https://gitlab.nic.cz/knot/knot-resolver/-/issues/288
introduce proper metatype for knot_dname_t
2020-04-06T14:51:49+02:00
Petr Špaček

Follow-up from "WIP: Add useful lua functions to handle knot types"
The following discussion from !425 should be addressed:
- [ ] Eventually `knot_dname_t` should be a proper metatype, but this will require multitude of changes that I didn't want to bundle in this PR. [discussion](https://gitlab.labs.nic.cz/knot/knot-resolver/merge_requests/425#note_65039): (+5 comments)

https://gitlab.nic.cz/knot/knot-resolver/-/issues/287
crash on startup if cache directory is not writeable
2018-09-12T11:08:36+02:00
Petr Špaček

```
$ chmod u-w .
$ kresd
[cache] LMDB error: Permission denied
kresd: lib/cdb_lmdb.c:67: lmdb_error: Assertion `false' failed.
Aborted (core dumped)
```

https://gitlab.nic.cz/knot/knot-resolver/-/issues/286
how should we deal with DNS 0x20 failures?
2019-09-18T11:45:21+02:00
Marek Vavrusa

There's quite a few most popular names that fail because of failure to preserve question section letter case. For example:
```
$ curl 131m1.in.cfops.it:3102/trace/eicp.net
[64526] [iter] 'eicp.net.' type 'A' created outbound query, parent id 0
[60843] [iter] 'eicp.net.' type 'A' created outbound query, parent id 0
[60843] [resl] => querying: '2001:503:d414::30' score: 22 zone cut: 'net.' m12n: 'eIcp.neT.' type: 'A' proto: 'udp'
[60843] [iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 60843
;; Flags: qr cd QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 5
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION
eicp.net. A
;; AUTHORITY SECTION
eicp.net. 172800 NS ns1.exhera.com.
eicp.net. 172800 NS ns2.exhera.com.
a1rt98bs5qgc9nfi51s9hci47uljg6jh.net. 86400 NSEC3 1 1 0 - A1RUUFFJKCT2Q54P78F8EJGJ8JBK7I8B NS SOA RRSIG DNSKEY NSEC3PARAM
a1rt98bs5qgc9nfi51s9hci47uljg6jh.net. 86400 RRSIG NSEC3 8 2 86400 20171227062609 20171220051609 18737 net. nEhicHLkvsZVirHCoNYYNJKGcJOj9XtL57/ltvpBXqP6a4gnYeui3QOI2ru7WBgjx7B2Q/rlJN5CYa/5JIrLn1G13uOIU97rsoE93gpyicbxhEb0sz6NxpTrLlpK7I18Avdvc4u3wsqyMgN/G+fph/fNmk6ZMiIDvSFo5ouxlRI=
p2cngqrm82dqo3hk9aa6gobsrp72g5q7.net. 86400 NSEC3 1 1 0 - P2DRF6N042LFDI2S4AS6OSU2JESNJ0IL NS DS RRSIG
p2cngqrm82dqo3hk9aa6gobsrp72g5q7.net. 86400 RRSIG NSEC3 8 2 86400 20171227062037 20171220051037 18737 net. cWJS8lOxKCHz0SH2fJzuH6hPLoaXODhHsaiwTx89LKceWjRzOF+7Ka4QyNnJJ2xYJL44YaTE7L5aLZ7/PBCmyJIdjrTqwzni+5hVnAU0AkaSxaG92I0Nw5GQFYa/blorKT3icJnhypntnZgBMqzi78/YjtMAht7lxCREogcFlYM=
;; ADDITIONAL SECTION
ns1.exhera.com. 172800 A 103.44.145.248
ns1.exhera.com. 172800 A 175.6.228.196
ns2.exhera.com. 172800 A 120.26.12.130
ns2.exhera.com. 172800 A 121.40.91.126
[60843] [iter] <= referral response, follow
[60843] [vldr] >< failed to validate but skipping: eicp.net. NS
[60843] [vldr] <= DS doesn't exist, going insecure
[60843] [vldr] <= answer valid, OK
[60843] [ rc ] => orig. rank: 002
[60843] [resl] <= server: '2001:503:d414::30' rtt: 21 ms
[41955] [iter] 'eicp.net.' type 'A' created outbound query, parent id 0
[41955] [plan] plan 'ns2.exhera.com.' type 'AAAA'
[ 5860] [iter] 'ns2.exhera.com.' type 'AAAA' created outbound query, parent id 41955
[ 5860] [ pc ] => rank: 030, lowest 030 -> satisfied=1
[ 5860] [iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 5860
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 1
;; QUESTION SECTION
ns2.exhera.com. AAAA
;; AUTHORITY SECTION
exhera.com. 2687 SOA peanutmail.newpeanut.idc. domain_admin.oray.cn. 1817 900 600 86400 3600
;; ADDITIONAL SECTION
ns2.exhera.com. 60 RP dnscache.oray.com. .
[ 5860] [iter] <= rcode: NOERROR
[ 5860] [vldr] <= cached insecure response, going insecure
[28878] [iter] 'eicp.net.' type 'A' created outbound query, parent id 0
[28878] [plan] plan 'ns2.exhera.com.' type 'A'
[48460] [iter] 'ns2.exhera.com.' type 'A' created outbound query, parent id 28878
[48460] [ rc ] => rank: 001, lowest 000, ns2.exhera.com. A
[48460] [ rc ] => satisfied from cache
[48460] [iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 48460
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
ns2.exhera.com. A
;; ANSWER SECTION
ns2.exhera.com. 172481 A 120.26.12.130
ns2.exhera.com. 172481 A 121.40.91.126
[48460] [iter] <= rcode: NOERROR
[28878] [iter] <= using glue for 'ns2.exhera.com.': '120.26.12.130'
[58636] [iter] 'eicp.net.' type 'A' created outbound query, parent id 0
[58636] [resl] => querying: '120.26.12.130' score: 148 zone cut: 'eicp.net.' m12n: 'EICP.NET.' type: 'A' proto: 'udp'
[58636] [resl] => querying: '120.26.12.130' score: 148 zone cut: 'eicp.net.' m12n: 'EICP.NET.' type: 'A' proto: 'udp'
[58636] [resl] => querying: '120.26.12.130' score: 148 zone cut: 'eicp.net.' m12n: 'EICP.NET.' type: 'A' proto: 'udp'
[58636] [resl] => querying: '120.26.12.130' score: 148 zone cut: 'eicp.net.' m12n: 'EICP.NET.' type: 'A' proto: 'udp'
[58636] [iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 58636
;; Flags: qr aa QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; QUESTION SECTION
EICP.NET. A
;; ANSWER SECTION
eicp.net. 300 A 61.152.96.115
;; ADDITIONAL SECTION
eicp.net. 60 RP dnsproxy.oray.com. .
[58636] [iter] <= ignoring mismatching response
[58636] [resl] <= server: '120.26.12.130' rtt: 806 ms
[59380] [iter] 'eicp.net.' type 'A' created outbound query, parent id 0
[30302] [iter] 'eicp.net.' type 'A' created outbound query, parent id 0
[30302] [plan] plan 'ns1.exhera.com.' type 'AAAA'
[39584] [iter] 'ns1.exhera.com.' type 'AAAA' created outbound query, parent id 30302
[39584] [ pc ] => rank: 030, lowest 030 -> satisfied=1
[39584] [iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 39584
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 1
;; QUESTION SECTION
ns1.exhera.com. AAAA
;; AUTHORITY SECTION
exhera.com. 2571 SOA peanutmail.newpeanut.idc. domain_admin.oray.cn. 1817 900 600 86400 3600
;; ADDITIONAL SECTION
ns1.exhera.com. 60 RP dnscache.oray.com. .
[39584] [iter] <= rcode: NOERROR
[39584] [vldr] <= cached insecure response, going insecure
[56616] [iter] 'eicp.net.' type 'A' created outbound query, parent id 0
[56616] [plan] plan 'ns1.exhera.com.' type 'A'
[ 1371] [iter] 'ns1.exhera.com.' type 'A' created outbound query, parent id 56616
[ 1371] [ rc ] => rank: 001, lowest 000, ns1.exhera.com. A
[ 1371] [ rc ] => satisfied from cache
[ 1371] [iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 1371
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
ns1.exhera.com. A
;; ANSWER SECTION
ns1.exhera.com. 172477 A 103.44.145.248
ns1.exhera.com. 172477 A 175.6.228.196
[ 1371] [iter] <= rcode: NOERROR
[56616] [iter] <= using glue for 'ns1.exhera.com.': '103.44.145.248'
[52161] [iter] 'eicp.net.' type 'A' created outbound query, parent id 0
[52161] [resl] => querying: '103.44.145.248' score: 222 zone cut: 'eicp.net.' m12n: 'eICp.neT.' type: 'A' proto: 'udp'
[52161] [iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 52161
;; Flags: qr aa QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; QUESTION SECTION
eICp.neT. A
;; ANSWER SECTION
eicp.net. 144 A 61.152.96.115
;; ADDITIONAL SECTION
eicp.net. 60 RP dnscache.oray.com. .
[52161] [iter] <= ignoring mismatching response
[32654] [iter] 'eicp.net.' type 'A' created outbound query, parent id 0
[45954] [iter] 'eicp.net.' type 'A' created outbound query, parent id 0
[45954] [resl] => no valid NS left
[45954] [resl] finished: 0, queries: 5, mempool: 147552 B
Used records from answer:
-------------------------
cached: false, rank: omit, record: ns2.exhera.com. 172481 A 120.26.12.130
cached: false, rank: omit, record: ns2.exhera.com. 172481 A 121.40.91.126
cached: false, rank: omit, record: ns1.exhera.com. 172477 A 103.44.145.248
cached: false, rank: omit, record: ns1.exhera.com. 172477 A 175.6.228.196
Used records from authority:
----------------------------
cached: true, rank: try, record: eicp.net. 172800 NS ns1.exhera.com.
cached: true, rank: try, record: eicp.net. 172800 NS ns2.exhera.com.
cached: false, rank: secure, record: a1rt98bs5qgc9nfi51s9hci47uljg6jh.net. 86400 NSEC3 1 1 0 - A1RUUFFJKCT2Q54P78F8EJGJ8JBK7I8B NS SOA RRSIG DNSKEY NSEC3PARAM
cached: false, rank: omit, record: a1rt98bs5qgc9nfi51s9hci47uljg6jh.net. 86400 RRSIG NSEC3 8 2 86400 20171227062609 20171220051609 18737 net. nEhicHLkvsZVirHCoNYYNJKGcJOj9XtL57/ltvpBXqP6a4gnYeui3QOI2ru7WBgjx7B2Q/rlJN5CYa/5JIrLn1G13uOIU97rsoE93gpyicbxhEb0sz6NxpTrLlpK7I18Avdvc4u3wsqyMgN/G+fph/fNmk6ZMiIDvSFo5ouxlRI=
cached: false, rank: secure, record: p2cngqrm82dqo3hk9aa6gobsrp72g5q7.net. 86400 NSEC3 1 1 0 - P2DRF6N042LFDI2S4AS6OSU2JESNJ0IL NS DS RRSIG
cached: false, rank: omit, record: p2cngqrm82dqo3hk9aa6gobsrp72g5q7.net. 86400 RRSIG NSEC3 8 2 86400 20171227062037 20171220051037 18737 net. cWJS8lOxKCHz0SH2fJzuH6hPLoaXODhHsaiwTx89LKceWjRzOF+7Ka4QyNnJJ2xYJL44YaTE7L5aLZ7/PBCmyJIdjrTqwzni+5hVnAU0AkaSxaG92I0Nw5GQFYa/blorKT3icJnhypntnZgBMqzi78/YjtMAht7lxCREogcFlYM=
```
(It's Alexa global rank 164,642, 22,465 in China)
Should the resolver accept such an answer if the current delegation is secure (and therefore DNSSEC signatures can be checked)?

https://gitlab.nic.cz/knot/knot-resolver/-/issues/285
Knot resolver 1.5.1 hangs doing dns over tls on port 853 in a tight loop on SIGPIPE
2018-01-08T12:41:15+01:00
John

Knot resolver 1.5.1 crashed doing dns over tls on port 853
```
Program received signal SIGPIPE, Broken pipe.
0x00007f91958144a0 in __write_nocancel () at ../sysdeps/unix/syscall-template.S:84
84 ../sysdeps/unix/syscall-template.S: No such file or directory.
(gdb) bt
#0 0x00007f91958144a0 in __write_nocancel () at ../sysdeps/unix/syscall-template.S:84
#1 0x00007f9195a33a93 in ?? () from /usr/lib/x86_64-linux-gnu/libuv.so.1
#2 0x00007f9195a35514 in uv_write2 () from /usr/lib/x86_64-linux-gnu/libuv.so.1
#3 0x00007f9195a355f5 in uv_try_write () from /usr/lib/x86_64-linux-gnu/libuv.so.1
#4 0x00005646d9e8fc67 in kres_gnutls_push (h=<optimized out>, buf=<optimized out>, len=<optimized out>) at daemon/tls.c:75
#5 0x00007f91952640f5 in ?? () from /usr/lib/x86_64-linux-gnu/libgnutls.so.30
#6 0x00007f9195264782 in ?? () from /usr/lib/x86_64-linux-gnu/libgnutls.so.30
#7 0x00007f919525f675 in ?? () from /usr/lib/x86_64-linux-gnu/libgnutls.so.30
#8 0x00007f91952618b1 in gnutls_record_send () from /usr/lib/x86_64-linux-gnu/libgnutls.so.30
#9 0x00007f9195261988 in gnutls_record_uncork () from /usr/lib/x86_64-linux-gnu/libgnutls.so.30
#10 0x00005646d9e8fdab in tls_push (task=<optimized out>, handle=<optimized out>, pkt=pkt@entry=0x5646db0d4908)
at daemon/tls.c:220
#11 0x00005646d9e8a0a0 in qr_task_send (task=task@entry=0x5646db0d30b0, handle=0x5646db0defb0, addr=addr@entry=0x5646db0d3250,
pkt=0x5646db0d4908) at daemon/worker.c:487
#12 0x00005646d9e8a31f in qr_task_finalize (task=0x5646db0d30b0, state=4) at daemon/worker.c:733
#13 0x00005646d9e8aa0e in qr_task_step (task=0x5646db0d30b0, packet_source=packet_source@entry=0x7ffc48c3b580,
packet=0x5646dad92510) at daemon/worker.c:761
#14 0x00005646d9e8b240 in worker_submit (worker=worker@entry=0x7f9196478010, handle=handle@entry=0x5646db0d71b0,
msg=<optimized out>, addr=addr@entry=0x7ffc48c3b580) at daemon/worker.c:885
#15 0x00005646d9e8587b in udp_recv (handle=0x5646db0d71b0, nread=<optimized out>, buf=<optimized out>, addr=0x7ffc48c3b580,
flags=<optimized out>) at daemon/io.c:152
#16 0x00007f9195a37999 in ?? () from /usr/lib/x86_64-linux-gnu/libuv.so.1
#17 0x00007f9195a396d8 in ?? () from /usr/lib/x86_64-linux-gnu/libuv.so.1
#18 0x00007f9195a2b0ac in uv_run () from /usr/lib/x86_64-linux-gnu/libuv.so.1
#19 0x00005646d9e85477 in run_worker (control_fd=-1, leader=true, ipc_set=0x7ffc48c3e8b0, engine=0x7ffc48c3e8f0,
loop=0x7f9195c43760) at daemon/main.c:407
#20 main (argc=<optimized out>, argv=<optimized out>) at daemon/main.c:759
```
2018 Q1

https://gitlab.nic.cz/knot/knot-resolver/-/issues/284
detect_time_jump fires on suspend-to-RAM
2018-02-14T11:04:34+01:00
Vladimír Čunát vladimir.cunat@nic.cz

~~I'm not sure why exactly. I hope it's just "some race" and not suspend-to-RAM breaking differences between real and monotonic time.~~
Seems low-priority; maybe noticeable in notebooks running kresd, losing cache on resume.