Knot Resolver issues
https://gitlab.nic.cz/knot/knot-resolver/-/issues
2022-02-19T10:40:59+01:00

https://gitlab.nic.cz/knot/knot-resolver/-/issues/694
docs: generating documentation from configuration datamodel
2022-02-19T10:40:59+01:00
Aleš Mrázek

Lightweight documentation of every declarative configuration option should be generated automatically from our configuration schema. If something is changed in the configuration model, it will be automatically reflected in the documentation.
It includes:
- structure defined by `SchemaNode` subclasses
- configuration options/fields names, types and default values
- docstrings of `SchemaNode` subclasses

Vaclav Sraier

https://gitlab.nic.cz/knot/knot-resolver/-/issues/673
trust_anchors.set_insecure may miss some names
2021-05-21T01:52:53+02:00
Vladimír Čunát <vladimir.cunat@nic.cz>

If the same authoritative server IPs serve names both above and below the configured negative trust anchors, the downgrade to insecure may not happen in some cases.

Vladimír Čunát <vladimir.cunat@nic.cz>

https://gitlab.nic.cz/knot/knot-resolver/-/issues/671
TLS_FORWARD can get stuck on broken addresses (v5.3.0)
2021-03-24T16:09:15+01:00
Vladimír Čunát <vladimir.cunat@nic.cz>

With normal TLS-forwarding config, e.g.:
```lua
policy.add(policy.all(policy.TLS_FORWARD({
{ '8.8.8.8', hostname='dns.google' },
{ '8.8.4.4', hostname='dns.google' },
{ '2001:4860:4860::8888', hostname='dns.google' },
{ '2001:4860:4860::8844', hostname='dns.google' },
})))
```
but part of addresses disabled, e.g.
```bash
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
```
some queries get stuck in a very long "loop" of attempting connection to the non-working IPs, even though half of them works. Example log snippet: [tls_forward.log](/uploads/a5716360f9a3e6879160ff0766e37add/tls_forward.log)
_!1143 doesn't trigger here; it wasn't meant for forwarding and individual addresses might be broken for other reasons anyway._

5.3.1

https://gitlab.nic.cz/knot/knot-resolver/-/issues/670
"map() error while connecting to control socket" regression [5.2.0, 5.2.1, 5.3.0]
2022-03-16T16:42:56+01:00
Jonathan Coetzee

I've noticed this regression when using 5.2.0+ on my ARMv7 (32-bit) on Docker on Raspberry Pi OS. My logs will fill up with hundreds of the following entries:
```
map() error while connecting to control socket /srv/knot-resolver/data/control/9: socket:connect: Connection refused (ignoring this socket)
map() error while connecting to control socket /srv/knot-resolver/data/control/6: socket:connect: Connection refused (ignoring this socket)
map() error while connecting to control socket /srv/knot-resolver/data/control/9: socket:connect: Connection refused (ignoring this socket)
map() error while connecting to control socket /srv/knot-resolver/data/control/6: socket:connect: Connection refused (ignoring this socket)
map() error while connecting to control socket /srv/knot-resolver/data/control/9: socket:connect: Connection refused (ignoring this socket)
map() error while connecting to control socket /srv/knot-resolver/data/control/6: socket:connect: Connection refused (ignoring this socket)
```
These logs aren't present on 5.1.3. Please let me know what other information you need.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/668
Replace potentially zero-length VLAs in selection_iter.c with arrays from lib/generic
2021-05-20T13:20:57+02:00
Štěpán Balážik

Over the weekend I was playing with undefined behavior sanitizer (i.e. compiling with `-fsanitize=undefined`) and ran Deckard with it.
While most of the errors point to `member access within misaligned address type '(const)? struct entry_h', which requires 4 byte alignment` in `lib/cache` (which are false positives I suppose, I don't understand the cache implementation enough), there is also this one:
`lib/selection_iter.c:243:16: runtime error: variable length array bound evaluates to non-positive value 0`
The code in question is in the `iter_choose_transport` function and prepares a VLA for flattening of a trie for easier manipulation.
```c
struct choice choices[trie_weight(local_state->addresses)];
/* We may try to resolve A and AAAA record for each name, so therefore
* 2*trie_weight(…) is here. */
struct to_resolve resolvable[2 * trie_weight(local_state->names)];
```
`trie_weight` however can be 0 which leads to undefined behavior.
Replacing these with arrays from `lib/generic` should be easy and would maybe even lead to nicer code since they include a length field which is needed later down the line.
Furthermore coverage from Deckard probably isn't that great so we may consider running more tests with `-fsanitize=undefined`.

Štěpán Balážik

https://gitlab.nic.cz/knot/knot-resolver/-/issues/667
After TCP connect succeeds, resolver gets stuck if the authoritative doesn't send a reply
2021-11-08T13:40:26+01:00
Štěpán Balážik

Currently resolution of `tipsport.cz A` triggers this sometimes, so let's use it as example:
There are 8 authoritative servers for `tipsport.cz`:
```
$ dig @a.ns.nic.cz tipsport.cz NS
[…]
;; QUESTION SECTION:
;tipsport.cz. IN NS
;; AUTHORITY SECTION:
tipsport.cz. 3600 IN NS ns1.tipsport.cz.
tipsport.cz. 3600 IN NS ns2.tipsport.cz.
tipsport.cz. 3600 IN NS ns3.tipsport.cz.
tipsport.cz. 3600 IN NS ns4.tipsport.cz.
;; ADDITIONAL SECTION:
ns1.tipsport.cz. 3600 IN A 195.39.239.11
ns1.tipsport.cz. 3600 IN AAAA 2001:678:320:0:f5::1
ns2.tipsport.cz. 3600 IN A 195.39.239.12
ns2.tipsport.cz. 3600 IN AAAA 2001:678:320:0:f5::2
ns3.tipsport.cz. 3600 IN A 195.39.239.13
ns3.tipsport.cz. 3600 IN AAAA 2001:678:320:0:f5::3
ns4.tipsport.cz. 3600 IN A 195.39.239.14
ns4.tipsport.cz. 3600 IN AAAA 2001:678:320:0:f5::4
```
None of the IPv6 will answer the query `tipsport.cz A` but all will accept a TCP connection to them.
The reply to `tipsport.cz A` is too big and the working servers will reply with TC=1.
So, if the resolver chooses one of the working servers first, gets a TC bit and then chooses to connect over TCP to one of the not working ones, the request will starve and eventually be cancelled by a timer and resolver replies with a SERVFAIL.
```
[16708.11][iter] 'tipsport.cz.' type 'A' new uid was assigned .14, parent uid .00
[16708.14][slct] => id: '27900' choosing: 'ns4.tipsport.cz.'@'195.39.239.14#00053' with timeout 1600 ms zone cut: 'tipsport.cz.'
[16708.14][resl] => id: '27900' querying: 'ns4.tipsport.cz.'@'195.39.239.14#00053' zone cut: 'tipsport.cz.' qname: 'tIPSpOrt.cZ.' qtype: 'A' proto: 'udp'
[16708.14][slct] => id: '27900' updating: 'ns4.tipsport.cz.'@'195.39.239.14#00053' zone cut: 'tipsport.cz.' with rtt 14 to srtt: 14 and variance: 7
[16708.14][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 27900
;; Flags: qr aa tc QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION
tipsport.cz. A
;; ADDITIONAL SECTION
[16708.14][iter] <= truncated response, failover to TCP
[16708.14][slct] => id: '27900' noting selection error: 'ns4.tipsport.cz.'@'195.39.239.14#00053' zone cut: 'tipsport.cz.' error: 12 TRUNCATED
[16708.14][iter] 'tipsport.cz.' type 'A' new uid was assigned .15, parent uid .00
[16708.15][slct] => id: '23152' choosing: 'ns4.tipsport.cz.'@'2001:678:320:0:f5::4#00053' with timeout 1600 ms zone cut: 'tipsport.cz.'
[16708.15][resl] => id: '23152' querying: 'ns4.tipsport.cz.'@'2001:678:320:0:f5::4#00053' zone cut: 'tipsport.cz.' qname: 'TipsPoRt.cz.' qtype: 'A' proto: 'tcp'
[16708.15][wrkr] => connecting to: '2001:678:320:0:f5::4#00053'
[wrkr]=> connected to '2001:678:320:0:f5::4#00053'
… long wait here, the whole request will timeout …
[16708.13][resl] AD: request NOT classified as SECURE
[16708.15][resl] finished in state: 8, queries: 3, mempool: 49200 B
[16708.00][dbg ] answer packet:
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 16708
;; Flags: qr rd ra QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
tipsport.cz. A
;; ADDITIONAL SECTION
[io] => closing connection to '2001:678:320:0:f5::4#00053'
```

https://gitlab.nic.cz/knot/knot-resolver/-/issues/666
kr_pkt_make_auth_header: Assertion `pkt && pkt->wire' failed
2021-01-14T08:47:36+01:00
Ghost User

Hi, I am using knot-resolver on Debian 9 and after upgrade to apt package version 5.2.1-1. I am not able to run daemons because of this error:
```
Jan 14 07:32:57 dnsr-res2 kresd[19169]: kresd: ../lib/utils.c:320: kr_pkt_make_auth_header: Assertion `pkt && pkt->wire' failed.
```
My configuration file:
```lua
-- Config file example useable for multi-user ISP resolver
-- Refer to manual: https://knot-resolver.readthedocs.io/en/latest/daemon.html#configuration

-- Drop root privileges
user('knot-resolver', 'knot-resolver')

-- Set Internal hostname
hostname("xxxxxx")

net.listen('127.0.0.1', 53, { kind = 'dns' })
net.listen('109.202.xx.xx', 53, { kind = 'dns' })
net.listen('::1', 53, { kind = 'dns', freebind = true })
net.listen('2a06:x:x:x::x', 53, { kind = 'dns', freebind = true })

-- Auto-maintain root TA
--trust_anchors.file = 'root.keys'

-- Large cache size, so we don't need to flush often
-- This can be larger than available RAM, least frequently accessed
-- records will be paged out
cache.size = 500 * MB

-- Load Useful modules
modules = {
    'hints > iterate',
    'bogus_log',
    'view',
    'stats',
    'predict',
    graphite = {
        prefix = 'xxx',
        host = 'xxx',
        tcp = false
    }
}

view:addr('127.0.0.1', policy.all(policy.PASS))
view:addr('::1', policy.all(policy.PASS))
view:addr('10.0.0.0/8', policy.all(policy.PASS))
view:addr('172.20.0.0/21', policy.all(policy.PASS))
view:addr('172.29.0.0/16', policy.all(policy.PASS))
view:addr('172.30.15.42', policy.all(policy.PASS))
view:addr('192.168.0.0/16', policy.all(policy.PASS))
view:addr('100.64.0.0/10', policy.all(policy.PASS))
view:addr('0.0.0.0/0', policy.all(policy.DROP))
view:addr('::/0', policy.all(policy.DROP))

local rpz_hazard = require('rpz-hazard_xxxxx')

-- Apply RPZ for all clients
policy.add(policy.suffix(rpz_hazard.genRPZ_RR, {
kres.str2dname('1-x-bet.com.'),
kres.str2dname('1x-bet.com.'),
kres.str2dname('1x-02.com.'),
kres.str2dname('1xbet.com.'),
kres.str2dname('1xbet1.com.'),
kres.str2dname('1xbet10.com.'),
kres.str2dname('1xbet101.com.'),
kres.str2dname('1xbet102.com.'),
kres.str2dname('1xbet103.com.'),
kres.str2dname('1xbet104.com.'),
kres.str2dname('1xbet105.com.'),
kres.str2dname('1xbet106.com.'),
kres.str2dname('1xbet107.com.'),
kres.str2dname('1xbet108.com.'),
kres.str2dname('1xbet109.com.'),
kres.str2dname('1xbet11.com.'),
kres.str2dname('1xbet110.com.'),
kres.str2dname('1xbet12.com.'),
kres.str2dname('1xbet13.com.'),
kres.str2dname('1xbet14.com.'),
kres.str2dname('1xbet15.com.'),
kres.str2dname('1xbet16.com.'),
kres.str2dname('1xbet17.com.'),
kres.str2dname('1xbet18.com.'),
kres.str2dname('1xbet19.com.'),
kres.str2dname('1xbet2.com.'),
kres.str2dname('1xbet20.com.'),
kres.str2dname('1xbet21.com.'),
kres.str2dname('1xbet23.com.'),
kres.str2dname('1xbet24.com.'),
kres.str2dname('1xbet25.com.'),
kres.str2dname('1xbet26.com.'),
kres.str2dname('1xbet27.com.'),
kres.str2dname('1xbet28.com.'),
kres.str2dname('1xbet29.com.'),
kres.str2dname('1xbet3.com.'),
kres.str2dname('1xbet30.com.'),
kres.str2dname('1xbet31.com.'),
kres.str2dname('1xbet32.com.'),
kres.str2dname('1xbet34.com.'),
kres.str2dname('1xbet35.com.'),
kres.str2dname('1xbet36.com.'),
kres.str2dname('1xbet37.com.'),
kres.str2dname('1xbet38.com.'),
kres.str2dname('1xbet39.com.'),
kres.str2dname('1xbet4.com.'),
kres.str2dname('1xbet40.com.'),
kres.str2dname('1xbet41.com.'),
kres.str2dname('1xbet42.com.'),
kres.str2dname('1xbet43.com.'),
kres.str2dname('1xbet45.com.'),
kres.str2dname('1xbet46.com.'),
kres.str2dname('1xbet47.com.'),
kres.str2dname('1xbet48.com.'),
kres.str2dname('1xbet49.com.'),
kres.str2dname('1xbet5.com.'),
kres.str2dname('1xbet50.com.'),
kres.str2dname('1xbet51.com.'),
kres.str2dname('1xbet52.com.'),
kres.str2dname('1xbet53.com.'),
kres.str2dname('1xbet54.com.'),
kres.str2dname('1xbet6.com.'),
kres.str2dname('1xbet60.com.'),
kres.str2dname('1xbet61.com.'),
kres.str2dname('1xbet62.com.'),
kres.str2dname('1xbet63.com.'),
kres.str2dname('1xbet64.com.'),
kres.str2dname('1xbet65.com.'),
kres.str2dname('1xbet67.com.'),
kres.str2dname('1xbet68.com.'),
kres.str2dname('1xbet69.com.'),
kres.str2dname('1xbet7.com.'),
kres.str2dname('1xbet70.com.'),
kres.str2dname('1xbet71.com.'),
kres.str2dname('1xbet72.com.'),
kres.str2dname('1xbet73.com.'),
kres.str2dname('1xbet74.com.'),
kres.str2dname('1xbet75.com.'),
kres.str2dname('1xbet76.com.'),
kres.str2dname('1xbet78.com.'),
kres.str2dname('1xbet79.com.'),
kres.str2dname('1xbet8.com.'),
kres.str2dname('1xbet80.com.'),
kres.str2dname('1xbet82.com.'),
kres.str2dname('1xbet84.com.'),
kres.str2dname('1xbet86.com.'),
kres.str2dname('1xbet87.com.'),
kres.str2dname('1xbet9.com.'),
kres.str2dname('1xbet90.com.'),
kres.str2dname('1xbet91.com.'),
kres.str2dname('1xbet92.com.'),
kres.str2dname('1xbet94.com.'),
kres.str2dname('1xbet95.com.'),
kres.str2dname('1xbetbk6.com.'),
kres.str2dname('1xbetbk13.com.'),
kres.str2dname('1xbkbet-1.com.'),
kres.str2dname('1xhov.xyz.'),
kres.str2dname('1xiiv.xyz.'),
kres.str2dname('betworld.com.'),
kres.str2dname('bk-1x-bet.com.'),
kres.str2dname('bosscasino.eu.'),
kres.str2dname('eatsleepbet.com.'),
kres.str2dname('sportingbull.com.'),
kres.str2dname('thelotter.com.'),
kres.str2dname('webmoneycasino.com.'),
kres.str2dname('xbet-1.com.'),
kres.str2dname('betworld1.com.'),
kres.str2dname('betworld2.com.'),
kres.str2dname('betworld3.com.'),
kres.str2dname('betworld4.com.'),
kres.str2dname('betworld5.com.'),
kres.str2dname('betworld6.com.'),
kres.str2dname('betworld7.com.'),
kres.str2dname('betworld8.com.'),
kres.str2dname('betworld9.com.'),
kres.str2dname('betworld10.com.'),
kres.str2dname('cz.sportingbull174.com.'),
kres.str2dname('agentlotto3.ru.'),
kres.str2dname('agentlotto.com.'),
kres.str2dname('lottoevents.com.'),
kres.str2dname('bet2u.com.'),
kres.str2dname('gunsbet.com.'),
kres.str2dname('playamo.com.'),
kres.str2dname('lokicasino.com.'),
}))
```
and lua script:
```lua
local policy = require('kres_modules/policy')
local ffi = require('ffi')

local rpz = {}

function rpz.gen_answer_section(answer, sname, cname, answer_type, ip)
    answer:begin(kres.section.ANSWER)
    answer:put(sname, 5, answer:qclass(), kres.type.CNAME, kres.str2dname(cname))
    answer:put(kres.str2dname(cname), 900, answer:qclass(), answer_type, kres.str2ip(ip))
end

function rpz.gen_authority_section(answer)
    answer:begin(kres.section.AUTHORITY)
    answer:put(kres.str2dname('xxxx'), 900, answer:qclass(), kres.type.NS, kres.str2dname('dnsa1.xxxx'))
    answer:put(kres.str2dname('xxxx'), 900, answer:qclass(), kres.type.NS, kres.str2dname('dnsa2.xxxx'))
    answer:put(kres.str2dname('xxxx'), 900, answer:qclass(), kres.type.NS, kres.str2dname('dnsa3.xxxx'))
end

function rpz.gen_additional_section(answer)
    answer:begin(kres.section.ADDITIONAL)
    answer:put(kres.str2dname('dnsa1.xxxx'), 900, answer:qclass(), kres.type.A, kres.str2ip('109.202.xxxx'))
    answer:put(kres.str2dname('dnsa1.xxxx'), 900, answer:qclass(), kres.type.AAAA, kres.str2ip('2a06:xxx'))
    answer:put(kres.str2dname('dnsa2.xxxx'), 900, answer:qclass(), kres.type.A, kres.str2ip('109.202.xxx'))
    answer:put(kres.str2dname('dnsa2.xxxx'), 900, answer:qclass(), kres.type.AAAA, kres.str2ip('2a06:xxx'))
    answer:put(kres.str2dname('dnsa3.xxxx'), 900, answer:qclass(), kres.type.A, kres.str2ip('85.xxxxx'))
    answer:put(kres.str2dname('dnsa3.xxxx'), 900, answer:qclass(), kres.type.AAAA, kres.str2ip('2a02xxxx'))
end

function rpz.genRPZ_RR (state, req)
    local answer = req.answer
    local qry = req:current()
    if qry.stype == kres.type.A then
        ffi.C.kr_pkt_make_auth_header(answer)
        answer:rcode(kres.rcode.NOERROR)
        rpz.gen_answer_section(answer, qry.sname, 'hazard.xxxx', kres.type.A, '109.xxxxx')
        rpz.gen_authority_section(answer)
        rpz.gen_additional_section(answer)
        return kres.DONE
    elseif qry.stype == kres.type.AAAA then
        ffi.C.kr_pkt_make_auth_header(answer)
        answer:rcode(kres.rcode.NOERROR)
        rpz.gen_answer_section(answer, qry.sname, 'hazard.xxxxx', kres.type.AAAA, '2a06:xxxxx')
        rpz.gen_authority_section(answer)
        rpz.gen_additional_section(answer)
        return kres.DONE
    else
        return state
    end
end

return rpz
```
Can you tell me where I should look to find some bug, please?

https://gitlab.nic.cz/knot/knot-resolver/-/issues/662
SERVFAIL when resolving `www.cdc.gov` (knot-resolver 3.2.1, 5.1.3, and 5.2.1)
2022-01-04T13:48:58+01:00
Daniel Kahn Gillmor

Starting from a cleared cache, I tried to resolve `www.cdc.gov` from a `knot-resolver` instance. I got a SERVFAIL.
I've seen this behavior in knot-resolver 3.2.1 and 5.1.3 and 5.2.1.
I think it has something to do with DNSSEC and QNAME minimization, but I might be misunderstanding it too. In particular, Akamai seems to be authoritative for the `akam.cdc.gov` zone, which maybe has a `DS` record but no `DNSKEY` record? Maybe there are other issues I don't understand though.
Below is a log from a 5.2.1 instance running with `verbose(true)`:
```
Dec 22 14:01:50 alice kresd[814779]: [00000.00][plan] plan 'www.cdc.gov.' type 'A' uid [49186.00]
Dec 22 14:01:50 alice kresd[814779]: [49186.00][iter] 'www.cdc.gov.' type 'A' new uid was assigned .01, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [49186.01][resl] => using root hints
Dec 22 14:01:50 alice kresd[814779]: [49186.01][iter] 'www.cdc.gov.' type 'A' new uid was assigned .02, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [49186.02][resl] >< TA: '.'
Dec 22 14:01:50 alice kresd[814779]: [49186.02][plan] plan '.' type 'DNSKEY' uid [49186.03]
Dec 22 14:01:50 alice kresd[814779]: [49186.03][iter] '.' type 'DNSKEY' new uid was assigned .04, parent uid .02
Dec 22 14:01:50 alice kresd[814779]: [49186.04][resl] => id: '54881' querying: '2001:500:9f::42#00053' score: 10 zone cut: '.' qname: '.' qtype: 'DNSKEY' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [49186.04][resl] => id: '54881' querying: '199.7.83.42#00053' score: 10 zone cut: '.' qname: '.' qtype: 'DNSKEY' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [49186.04][iter] <= rcode: NOERROR
Dec 22 14:01:50 alice kresd[814779]: [49186.04][vldr] <= parent: updating DNSKEY
Dec 22 14:01:50 alice kresd[814779]: [49186.04][vldr] <= answer valid, OK
Dec 22 14:01:50 alice kresd[814779]: [49186.04][cach] => stashed . DNSKEY, rank 060, 1090 B total, incl. 1 RRSIGs
Dec 22 14:01:50 alice kresd[814779]: [ta_signal_query] signalling query trigered: _ta-4f66.
Dec 22 14:01:50 alice kresd[814779]: [49186.04][resl] <= server: '2001:500:9f::42' rtt: >= 220 ms
Dec 22 14:01:50 alice kresd[814779]: [49186.04][resl] <= server: '199.7.83.42' rtt: 20 ms
Dec 22 14:01:50 alice kresd[814779]: [49186.02][iter] 'www.cdc.gov.' type 'A' new uid was assigned .05, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [49186.05][resl] => id: '15349' querying: '2001:dc3::35#00053' score: 10 zone cut: '.' qname: 'GOV.' qtype: 'NS' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [00000.00][plan] plan '_ta-4f66.' type 'NULL' uid [65566.00]
Dec 22 14:01:50 alice kresd[814779]: [65566.00][iter] '_ta-4f66.' type 'NULL' new uid was assigned .01, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [65566.01][resl] => using root hints
Dec 22 14:01:50 alice kresd[814779]: [65566.01][iter] '_ta-4f66.' type 'NULL' new uid was assigned .02, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [65566.02][resl] >< TA: '.'
Dec 22 14:01:50 alice kresd[814779]: [65566.02][plan] plan '.' type 'DNSKEY' uid [65566.03]
Dec 22 14:01:50 alice kresd[814779]: [65566.03][iter] '.' type 'DNSKEY' new uid was assigned .04, parent uid .02
Dec 22 14:01:50 alice kresd[814779]: [65566.04][cach] => satisfied by exact RRset: rank 060, new TTL 172800
Dec 22 14:01:50 alice kresd[814779]: [65566.04][iter] <= rcode: NOERROR
Dec 22 14:01:50 alice kresd[814779]: [65566.04][vldr] <= parent: updating DNSKEY
Dec 22 14:01:50 alice kresd[814779]: [65566.04][vldr] <= answer valid, OK
Dec 22 14:01:50 alice kresd[814779]: [65566.02][iter] '_ta-4f66.' type 'NULL' new uid was assigned .05, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [65566.05][resl] => id: '48678' querying: '199.7.83.42#00053' score: 20 zone cut: '.' qname: '_tA-4f66.' qtype: 'NULL' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [65566.05][iter] <= rcode: NXDOMAIN
Dec 22 14:01:50 alice kresd[814779]: [65566.05][vldr] <= answer valid, OK
Dec 22 14:01:50 alice kresd[814779]: [65566.05][cach] => stashed . SOA, rank 060, 358 B total, incl. 1 RRSIGs
Dec 22 14:01:50 alice kresd[814779]: [65566.05][cach] => stashed . NSEC, rank 060, 308 B total, incl. 1 RRSIGs
Dec 22 14:01:50 alice kresd[814779]: [65566.05][cach] => nsec_p stashed for . (new, hash: 0)
Dec 22 14:01:50 alice kresd[814779]: [65566.05][resl] <= server: '199.7.83.42' rtt: 21 ms
Dec 22 14:01:50 alice kresd[814779]: [65566.05][resl] AD: request classified as SECURE
Dec 22 14:01:50 alice kresd[814779]: [65566.05][resl] finished in state: 4, queries: 2, mempool: 98352 B
Dec 22 14:01:50 alice kresd[814779]: [49186.05][resl] => id: '15349' querying: '202.12.27.33#00053' score: 10 zone cut: '.' qname: 'GOV.' qtype: 'NS' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [49186.05][iter] <= loaded 8 glue addresses
Dec 22 14:01:50 alice kresd[814779]: [49186.05][iter] <= referral response, follow
Dec 22 14:01:50 alice kresd[814779]: [49186.05][vldr] <= DS: OK
Dec 22 14:01:50 alice kresd[814779]: [49186.05][vldr] <= answer valid, OK
Dec 22 14:01:50 alice kresd[814779]: [49186.05][cach] => stashed gov. DS, rank 060, 356 B total, incl. 1 RRSIGs
Dec 22 14:01:50 alice kresd[814779]: [49186.05][cach] => stashed gov. NS, rank 002, 102 B total, incl. 0 RRSIGs
Dec 22 14:01:50 alice kresd[814779]: [49186.05][cach] => stashed also 8 nonauth RRsets
Dec 22 14:01:50 alice kresd[814779]: [49186.05][resl] <= server: '2001:dc3::35' rtt: >= 279 ms
Dec 22 14:01:50 alice kresd[814779]: [49186.05][resl] <= server: '202.12.27.33' rtt: 79 ms
Dec 22 14:01:50 alice kresd[814779]: [49186.05][iter] 'www.cdc.gov.' type 'A' new uid was assigned .06, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [49186.06][plan] plan 'gov.' type 'DNSKEY' uid [49186.07]
Dec 22 14:01:50 alice kresd[814779]: [49186.07][iter] 'gov.' type 'DNSKEY' new uid was assigned .08, parent uid .06
Dec 22 14:01:50 alice kresd[814779]: [49186.08][cach] => no NSEC* cached for zone: gov.
Dec 22 14:01:50 alice kresd[814779]: [49186.08][cach] => skipping zone: gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:50 alice kresd[814779]: [49186.08][cach] => skipping zone: gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:50 alice kresd[814779]: [49186.08][resl] => id: '16918' querying: '2620:74:28::2:30#00053' score: 10 zone cut: 'gov.' qname: 'gov.' qtype: 'DNSKEY' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [49186.08][resl] => id: '16918' querying: '69.36.153.30#00053' score: 10 zone cut: 'gov.' qname: 'gov.' qtype: 'DNSKEY' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [49186.08][iter] <= rcode: NOERROR
Dec 22 14:01:50 alice kresd[814779]: [49186.08][vldr] <= parent: updating DNSKEY
Dec 22 14:01:50 alice kresd[814779]: [49186.08][vldr] <= answer valid, OK
Dec 22 14:01:50 alice kresd[814779]: [49186.08][cach] => stashed gov. DNSKEY, rank 060, 730 B total, incl. 1 RRSIGs
Dec 22 14:01:50 alice kresd[814779]: [49186.08][resl] <= server: '2620:74:28::2:30' rtt: >= 237 ms
Dec 22 14:01:50 alice kresd[814779]: [49186.08][resl] <= server: '69.36.153.30' rtt: 37 ms
Dec 22 14:01:50 alice kresd[814779]: [49186.06][iter] 'www.cdc.gov.' type 'A' new uid was assigned .09, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [49186.09][resl] => id: '06201' querying: '2620:74:27::2:30#00053' score: 10 zone cut: 'gov.' qname: 'cdc.goV.' qtype: 'NS' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [49186.09][resl] => id: '06201' querying: '209.112.123.30#00053' score: 10 zone cut: 'gov.' qname: 'cdc.goV.' qtype: 'NS' proto: 'udp'
Dec 22 14:01:51 alice kresd[814779]: [49186.09][iter] <= loaded 3 glue addresses
Dec 22 14:01:51 alice kresd[814779]: [49186.09][iter] <= referral response, follow
Dec 22 14:01:51 alice kresd[814779]: [49186.09][vldr] <= DS: OK
Dec 22 14:01:51 alice kresd[814779]: [49186.09][vldr] <= answer valid, OK
Dec 22 14:01:51 alice kresd[814779]: [49186.09][cach] => stashed cdc.gov. DS, rank 060, 264 B total, incl. 1 RRSIGs
Dec 22 14:01:51 alice kresd[814779]: [49186.09][cach] => stashed cdc.gov. NS, rank 002, 104 B total, incl. 0 RRSIGs
Dec 22 14:01:51 alice kresd[814779]: [49186.09][cach] => stashed also 3 nonauth RRsets
Dec 22 14:01:51 alice kresd[814779]: [49186.09][resl] <= server: '2620:74:27::2:30' rtt: >= 257 ms
Dec 22 14:01:51 alice kresd[814779]: [49186.09][resl] <= server: '209.112.123.30' rtt: 57 ms
Dec 22 14:01:51 alice kresd[814779]: [49186.09][iter] 'www.cdc.gov.' type 'A' new uid was assigned .10, parent uid .00
Dec 22 14:01:51 alice kresd[814779]: [49186.10][plan] plan 'cdc.gov.' type 'DNSKEY' uid [49186.11]
Dec 22 14:01:51 alice kresd[814779]: [49186.11][iter] 'cdc.gov.' type 'DNSKEY' new uid was assigned .12, parent uid .10
Dec 22 14:01:51 alice kresd[814779]: [49186.12][cach] => no NSEC* cached for zone: cdc.gov.
Dec 22 14:01:51 alice kresd[814779]: [49186.12][cach] => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.12][cach] => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.12][resl] => id: '05583' querying: '198.246.96.92#00053' score: 10 zone cut: 'cdc.gov.' qname: 'cDC.gOv.' qtype: 'DNSKEY' proto: 'udp'
Dec 22 14:01:51 alice kresd[814779]: [49186.12][iter] <= rcode: NOERROR
Dec 22 14:01:51 alice kresd[814779]: [49186.12][vldr] <= parent: updating DNSKEY
Dec 22 14:01:51 alice kresd[814779]: [49186.12][vldr] <= answer valid, OK
Dec 22 14:01:51 alice kresd[814779]: [49186.12][cach] => stashed cdc.gov. DNSKEY, rank 060, 862 B total, incl. 2 RRSIGs
Dec 22 14:01:51 alice kresd[814779]: [49186.12][resl] <= server: '198.246.96.92' rtt: 52 ms
Dec 22 14:01:51 alice kresd[814779]: [49186.10][iter] 'www.cdc.gov.' type 'A' new uid was assigned .13, parent uid .00
Dec 22 14:01:51 alice kresd[814779]: [49186.13][resl] => id: '31795' querying: '198.246.96.61#00053' score: 10 zone cut: 'cdc.gov.' qname: 'Www.Cdc.Gov.' qtype: 'A' proto: 'udp'
Dec 22 14:01:51 alice kresd[814779]: [49186.13][iter] <= rcode: NOERROR
Dec 22 14:01:51 alice kresd[814779]: [49186.13][iter] <= cname chain, following
Dec 22 14:01:51 alice kresd[814779]: [00000.00][plan] plan 'www.akam.cdc.gov.' type 'A' uid [49186.14]
Dec 22 14:01:51 alice kresd[814779]: [49186.13][vldr] <= answer valid, OK
Dec 22 14:01:51 alice kresd[814779]: [49186.13][cach] => stashed www.cdc.gov. CNAME, rank 060, 192 B total, incl. 1 RRSIGs
Dec 22 14:01:51 alice kresd[814779]: [49186.13][resl] <= server: '198.246.96.61' rtt: 55 ms
Dec 22 14:01:51 alice kresd[814779]: [49186.14][iter] 'www.akam.cdc.gov.' type 'A' new uid was assigned .15, parent uid .00
Dec 22 14:01:51 alice kresd[814779]: [49186.15][cach] => no NSEC* cached for zone: cdc.gov.
Dec 22 14:01:51 alice kresd[814779]: [49186.15][cach] => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.15][cach] => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.15][zcut] found cut: cdc.gov. (rank 002 return codes: DS 0, DNSKEY 0)
Dec 22 14:01:51 alice kresd[814779]: [49186.15][resl] => id: '24013' querying: '198.246.125.10#00053' score: 10 zone cut: 'cdc.gov.' qname: 'aKam.cdC.Gov.' qtype: 'NS' proto: 'udp'
Dec 22 14:01:51 alice kresd[814779]: [49186.15][iter] <= rcode: NOERROR
Dec 22 14:01:51 alice kresd[814779]: [49186.15][iter] <= continuing with qname minimization
Dec 22 14:01:51 alice kresd[814779]: [49186.15][resl] <= server: '198.246.125.10' rtt: 53 ms
Dec 22 14:01:51 alice kresd[814779]: [49186.15][iter] 'www.akam.cdc.gov.' type 'A' new uid was assigned .16, parent uid .00
Dec 22 14:01:51 alice kresd[814779]: [49186.16][plan] plan 'akam.cdc.gov.' type 'DS' uid [49186.17]
Dec 22 14:01:51 alice kresd[814779]: [49186.17][iter] 'akam.cdc.gov.' type 'DS' new uid was assigned .18, parent uid .16
Dec 22 14:01:51 alice kresd[814779]: [49186.18][cach] => no NSEC* cached for zone: cdc.gov.
Dec 22 14:01:51 alice kresd[814779]: [49186.18][cach] => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.18][cach] => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.18][zcut] found cut: cdc.gov. (rank 002 return codes: DS 0, DNSKEY 0)
Dec 22 14:01:51 alice kresd[814779]: [49186.18][resl] => id: '02506' querying: '198.246.96.92#00053' score: 52 zone cut: 'cdc.gov.' qname: 'aKAM.cdc.GOv.' qtype: 'DS' proto: 'udp'
Dec 22 14:01:51 alice kresd[814779]: [49186.18][iter] <= rcode: NOERROR
Dec 22 14:01:51 alice kresd[814779]: [49186.18][vldr] <= DS: OK
Dec 22 14:01:51 alice kresd[814779]: [49186.18][vldr] <= parent: updating DS
Dec 22 14:01:51 alice kresd[814779]: [49186.18][vldr] <= answer valid, OK
Dec 22 14:01:51 alice kresd[814779]: [49186.18][cach] => stashed akam.cdc.gov. DS, rank 060, 210 B total, incl. 1 RRSIGs
Dec 22 14:01:51 alice kresd[814779]: [49186.18][resl] <= server: '198.246.96.92' rtt: 50 ms
Dec 22 14:01:51 alice kresd[814779]: [49186.16][iter] 'www.akam.cdc.gov.' type 'A' new uid was assigned .19, parent uid .00
Dec 22 14:01:51 alice kresd[814779]: [49186.19][plan] plan 'akam.cdc.gov.' type 'DNSKEY' uid [49186.20]
Dec 22 14:01:51 alice kresd[814779]: [49186.20][iter] 'akam.cdc.gov.' type 'DNSKEY' new uid was assigned .21, parent uid .19
Dec 22 14:01:51 alice kresd[814779]: [49186.21][cach] => no NSEC* cached for zone: cdc.gov.
Dec 22 14:01:51 alice kresd[814779]: [49186.21][cach] => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.21][cach] => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.21][resl] => id: '42245' querying: '198.246.96.92#00053' score: 51 zone cut: 'akam.cdc.gov.' qname: 'akaM.CdC.Gov.' qtype: 'DNSKEY' proto: 'udp'
Dec 22 14:01:51 alice kresd[814779]: [49186.21][iter] <= rcode: NOERROR
Dec 22 14:01:51 alice kresd[814779]: [49186.21][vldr] >< cut changed, needs revalidation
Dec 22 14:01:51 alice kresd[814779]: [49186.21][resl] <= server: '198.246.96.92' rtt: 48 ms
Dec 22 14:01:51 alice kresd[814779]: [49186.21][resl] => resuming yielded answer
Dec 22 14:01:51 alice kresd[814779]: [49186.21][vldr] <= bad NODATA proof
Dec 22 14:01:51 alice kresd[814779]: [49186.21][cach] => stashed packet: rank 025, TTL 3600, DNSKEY akam.cdc.gov. (125 B)
Dec 22 14:01:51 alice kresd[814779]: [49186.00][resl] request failed, answering with empty SERVFAIL
Dec 22 14:01:51 alice kresd[814779]: [49186.21][resl] finished in state: 8, queries: 5, mempool: 49200 B
```

https://gitlab.nic.cz/knot/knot-resolver/-/issues/661
resolution of `mail.comcast.com MX` fails
2021-01-28T12:25:07+01:00
Štěpán Balážik

`respdiff` suggests it should succeed.
I haven't looked closely into this, but from the surface it looks related to #626 and #659.
Log from 63d02c443f8217650cc84c32cc9fb27d207f18d0.
```
[00000.00][plan] plan 'mail.comcast.net.' type 'MX' uid [46333.00]
[46333.00][iter] 'mail.comcast.net.' type 'MX' new uid was assigned .01, parent uid .00
[46333.01][cach] => no NSEC* cached for zone: net.
[46333.01][cach] => skipping zone: net., NSEC, hash 0;new TTL -123456789, ret -2
[46333.01][cach] => skipping zone: net., NSEC, hash 0;new TTL -123456789, ret -2
[46333.01][zcut] found cut: net. (rank 002 return codes: DS 0, DNSKEY 0)
[46333.01][resl] => id: '15433' querying: '2001:503:eea3::30#00053' score: 79 zone cut: 'net.' qname: 'CoMCAst.neT.' qtype: 'NS' proto: 'udp'
[46333.01][iter] <= loaded 10 glue addresses
[46333.01][iter] <= referral response, follow
[46333.01][vldr] <= DS: OK
[46333.01][vldr] <= answer valid, OK
[46333.01][cach] => stashed comcast.net. DS, rank 060, 264 B total, incl. 1 RRSIGs
[46333.01][cach] => stashed comcast.net. NS, rank 002, 124 B total, incl. 0 RRSIGs
[46333.01][cach] => stashed also 10 nonauth RRsets
[46333.01][resl] <= server: '2001:503:eea3::30' rtt: 43 ms
[46333.01][iter] 'mail.comcast.net.' type 'MX' new uid was assigned .02, parent uid .00
[46333.02][plan] plan 'comcast.net.' type 'DNSKEY' uid [46333.03]
[46333.03][iter] 'comcast.net.' type 'DNSKEY' new uid was assigned .04, parent uid .02
[46333.04][cach] => no NSEC* cached for zone: comcast.net.
[46333.04][cach] => skipping zone: comcast.net., NSEC, hash 0;new TTL -123456789, ret -2
[46333.04][cach] => skipping zone: comcast.net., NSEC, hash 0;new TTL -123456789, ret -2
[46333.04][resl] => id: '01302' querying: '2001:558:1014:c:68:87:76:228#00053' score: 10 zone cut: 'comcast.net.' qname: 'COMcasT.neT.' qtype: 'DNSKEY' proto: 'udp'
[46333.04][iter] <= rcode: NOERROR
[46333.04][vldr] <= parent: updating DNSKEY
[46333.04][vldr] <= answer valid, OK
[46333.04][cach] => stashed comcast.net. DNSKEY, rank 060, 870 B total, incl. 2 RRSIGs
[46333.04][resl] <= server: '2001:558:1014:c:68:87:76:228' rtt: 191 ms
[46333.02][iter] 'mail.comcast.net.' type 'MX' new uid was assigned .05, parent uid .00
[46333.05][resl] => id: '50780' querying: '68.87.76.228#00053' score: 10 zone cut: 'comcast.net.' qname: 'MaIL.COmCAST.Net.' qtype: 'MX' proto: 'udp'
[46333.05][iter] <= rcode: NOERROR
[46333.05][iter] <= cname chain, following
[00000.00][plan] plan 'imap.ge.xfinity.com.' type 'MX' uid [46333.06]
[46333.05][vldr] <= answer valid, OK
[46333.05][cach] => stashed mail.comcast.net. CNAME, rank 060, 200 B total, incl. 1 RRSIGs
[46333.05][resl] <= server: '68.87.76.228' rtt: 194 ms
[46333.06][iter] 'imap.ge.xfinity.com.' type 'MX' new uid was assigned .07, parent uid .00
[46333.07][cach] => trying zone: ., NSEC, hash 0
[46333.07][cach] => NSEC sname: range search miss (!covers)
[46333.07][cach] => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
[46333.07][zcut] found cut: . (rank 060 return codes: DS -2, DNSKEY 0)
[46333.07][resl] >< TA: '.'
[46333.07][resl] => id: '16802' querying: '2001:500:12::d0d#00053' score: 53 zone cut: '.' qname: 'Com.' qtype: 'NS' proto: 'udp'
[46333.07][iter] <= loaded 26 glue addresses
[46333.07][iter] <= referral response, follow
[46333.07][vldr] <= DS: OK
[46333.07][vldr] <= answer valid, OK
[46333.07][cach] => stashed com. DS, rank 060, 330 B total, incl. 1 RRSIGs
[46333.07][cach] => stashed com. NS, rank 002, 300 B total, incl. 0 RRSIGs
[46333.07][cach] => not overwriting AAAA a.gtld-servers.net.
[46333.07][cach] => not overwriting A a.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA e.gtld-servers.net.
[46333.07][cach] => not overwriting A e.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA h.gtld-servers.net.
[46333.07][cach] => not overwriting A h.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA k.gtld-servers.net.
[46333.07][cach] => not overwriting A k.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA m.gtld-servers.net.
[46333.07][cach] => not overwriting A m.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA g.gtld-servers.net.
[46333.07][cach] => not overwriting A g.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA i.gtld-servers.net.
[46333.07][cach] => not overwriting A i.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA c.gtld-servers.net.
[46333.07][cach] => not overwriting A c.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA f.gtld-servers.net.
[46333.07][cach] => not overwriting A f.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA d.gtld-servers.net.
[46333.07][cach] => not overwriting A d.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA b.gtld-servers.net.
[46333.07][cach] => not overwriting A b.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA j.gtld-servers.net.
[46333.07][cach] => not overwriting A j.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA l.gtld-servers.net.
[46333.07][cach] => not overwriting A l.gtld-servers.net.
[46333.07][resl] <= server: '2001:500:12::d0d' rtt: 53 ms
[46333.07][iter] 'imap.ge.xfinity.com.' type 'MX' new uid was assigned .08, parent uid .00
[46333.08][plan] plan 'com.' type 'DNSKEY' uid [46333.09]
[46333.09][iter] 'com.' type 'DNSKEY' new uid was assigned .10, parent uid .08
[46333.10][cach] => no NSEC* cached for zone: com.
[46333.10][cach] => skipping zone: com., NSEC, hash 0;new TTL -123456789, ret -2
[46333.10][cach] => skipping zone: com., NSEC, hash 0;new TTL -123456789, ret -2
[46333.10][resl] => id: '64293' querying: '2001:503:83eb::30#00053' score: 72 zone cut: 'com.' qname: 'cOM.' qtype: 'DNSKEY' proto: 'udp'
[46333.10][iter] <= rcode: NOERROR
[46333.10][vldr] <= parent: updating DNSKEY
[46333.10][vldr] <= answer valid, OK
[46333.10][cach] => stashed com. DNSKEY, rank 060, 730 B total, incl. 1 RRSIGs
[46333.10][resl] <= server: '2001:503:83eb::30' rtt: 46 ms
[46333.08][iter] 'imap.ge.xfinity.com.' type 'MX' new uid was assigned .11, parent uid .00
[46333.11][resl] => id: '12580' querying: '2001:502:8cc::30#00053' score: 44 zone cut: 'com.' qname: 'xFiNiTy.COm.' qtype: 'NS' proto: 'udp'
[46333.11][iter] <= referral response, follow
[46333.11][vldr] <= DS: OK
[46333.11][vldr] <= answer valid, OK
[46333.11][cach] => stashed xfinity.com. DS, rank 060, 264 B total, incl. 1 RRSIGs
[46333.11][cach] => stashed xfinity.com. NS, rank 002, 124 B total, incl. 0 RRSIGs
[46333.11][resl] <= server: '2001:502:8cc::30' rtt: 45 ms
[46333.11][iter] 'imap.ge.xfinity.com.' type 'MX' new uid was assigned .12, parent uid .00
[46333.12][plan] plan 'xfinity.com.' type 'DNSKEY' uid [46333.13]
[46333.13][iter] 'xfinity.com.' type 'DNSKEY' new uid was assigned .14, parent uid .12
[46333.14][cach] => no NSEC* cached for zone: xfinity.com.
[46333.14][cach] => skipping zone: xfinity.com., NSEC, hash 0;new TTL -123456789, ret -2
[46333.14][cach] => skipping zone: xfinity.com., NSEC, hash 0;new TTL -123456789, ret -2
[46333.14][plan] plan 'dns103.comcast.net.' type 'AAAA' uid [46333.15]
[46333.15][iter] 'dns103.comcast.net.' type 'AAAA' new uid was assigned .16, parent uid .14
[46333.16][cach] => satisfied by exact RRset: rank 001, new TTL 172800
[46333.16][iter] <= rcode: NOERROR
[46333.14][iter] 'xfinity.com.' type 'DNSKEY' new uid was assigned .17, parent uid .12
[46333.17][resl] => id: '36870' querying: '2001:558:1014:c:68:87:76:228#00053' score: 191 zone cut: 'xfinity.com.' qname: 'XFINiTY.coM.' qtype: 'DNSKEY' proto: 'udp'
[46333.17][iter] <= rcode: NOERROR
[46333.17][vldr] <= parent: updating DNSKEY
[46333.17][vldr] <= answer valid, OK
[46333.17][cach] => stashed xfinity.com. DNSKEY, rank 060, 870 B total, incl. 2 RRSIGs
[46333.17][resl] <= server: '2001:558:1014:c:68:87:76:228' rtt: 193 ms
[46333.12][iter] 'imap.ge.xfinity.com.' type 'MX' new uid was assigned .18, parent uid .00
[46333.18][plan] plan 'dns104.comcast.net.' type 'AAAA' uid [46333.19]
[46333.19][iter] 'dns104.comcast.net.' type 'AAAA' new uid was assigned .20, parent uid .18
[46333.20][cach] => satisfied by exact RRset: rank 001, new TTL 172800
[46333.20][iter] <= rcode: NOERROR
[46333.18][iter] 'imap.ge.xfinity.com.' type 'MX' new uid was assigned .21, parent uid .00
[46333.21][resl] => id: '58082' querying: '2001:558:100a:5:68:87:68:244#00053' score: 10 zone cut: 'xfinity.com.' qname: 'ge.xFINIty.CoM.' qtype: 'NS' proto: 'udp'
[46333.21][iter] <= referral response, follow
[46333.21][vldr] <= answer valid, OK
[46333.21][cach] => stashed ge.xfinity.com. NSEC, rank 060, 210 B total, incl. 1 RRSIGs
[46333.21][cach] => stashed ge.xfinity.com. NS, rank 010, 188 B total, incl. 0 RRSIGs
[46333.21][cach] => nsec_p stashed for xfinity.com. (new, hash: 0)
[46333.21][resl] <= server: '2001:558:100a:5:68:87:68:244' rtt: 144 ms
[46333.21][iter] 'imap.ge.xfinity.com.' type 'MX' new uid was assigned .22, parent uid .00
[46333.22][resl] <= DS doesn't exist, going insecure
[46333.22][plan] plan 'gtd03-d.hillsboro.or.ndchlsbr.comcast.net.' type 'AAAA' uid [46333.23]
[46333.23][iter] 'gtd03-d.hillsboro.or.ndchlsbr.comcast.net.' type 'AAAA' new uid was assigned .24, parent uid .22
[46333.24][cach] => no NSEC* cached for zone: comcast.net.
[46333.24][cach] => skipping zone: comcast.net., NSEC, hash 0;new TTL -123456789, ret -2
[46333.24][cach] => skipping zone: comcast.net., NSEC, hash 0;new TTL -123456789, ret -2
[46333.24][zcut] found cut: comcast.net. (rank 002 return codes: DS 0, DNSKEY 0)
[46333.24][resl] => id: '62333' querying: '2001:558:1004:7:68:87:85:132#00053' score: 10 zone cut: 'comcast.net.' qname: 'NdchLsbR.CoMCAST.nEt.' qtype: 'NS' proto: 'udp'
[46333.24][iter] <= rcode: NOERROR
[46333.24][iter] <= retrying with non-minimized name
[46333.24][resl] <= server: '2001:558:1004:7:68:87:85:132' rtt: 165 ms
[46333.24][iter] 'gtd03-d.hillsboro.or.ndchlsbr.comcast.net.' type 'AAAA' new uid was assigned .25, parent uid .22
[46333.25][resl] => id: '33890' querying: '2001:558:fe23:8:69:252:250:103#00053' score: 10 zone cut: 'comcast.net.' qname: 'GTD03-D.HiLLsBoRO.OR.ndChLsbR.cOMCASt.NET.' qtype: 'AAAA' proto: 'udp'
[46333.25][iter] <= rcode: NOERROR
[46333.25][vldr] >< cut changed, needs revalidation
[46333.25][resl] <= server: '2001:558:fe23:8:69:252:250:103' rtt: 127 ms
[46333.25][resl] => resuming yielded answer
[46333.25][vldr] >< no valid RRSIGs found: gtd03-d.hillsboro.or.ndchlsbr.comcast.net. AAAA (0 matching RRSIGs, 0 expired, 0 not yet valid, 0 invalid signer, 0 invalid label count, 0 invalid key, 0 invalid crypto, 0 invalid NSEC)
[46333.25][plan] plan 'ndchlsbr.comcast.net.' type 'DS' uid [46333.26]
[46333.26][iter] 'ndchlsbr.comcast.net.' type 'DS' new uid was assigned .27, parent uid .25
[46333.27][cach] => no NSEC* cached for zone: comcast.net.
[46333.27][cach] => skipping zone: comcast.net., NSEC, hash 0;new TTL -123456789, ret -2
[46333.27][cach] => skipping zone: comcast.net., NSEC, hash 0;new TTL -123456789, ret -2
[46333.27][resl] => id: '63949' querying: '2001:558:100e:5:68:87:72:244#00053' score: 10 zone cut: 'comcast.net.' qname: 'ndchLsbr.COMCAST.net.' qtype: 'DS' proto: 'udp'
[46333.27][iter] <= rcode: NOERROR
[46333.27][vldr] <= parent: updating DS
[46333.27][vldr] <= answer valid, OK
[46333.27][cach] => stashed northlake.il.ndchgo.comcast.net. NSEC, rank 060, 222 B total, incl. 1 RRSIGs
[46333.27][cach] => stashed comcast.net. SOA, rank 060, 248 B total, incl. 1 RRSIGs
[46333.27][cach] => nsec_p stashed for comcast.net. (new, hash: 0)
[46333.27][resl] <= server: '2001:558:100e:5:68:87:72:244' rtt: 146 ms
[46333.25][resl] => resuming yielded answer
[46333.25][vldr] >< no valid RRSIGs found: gtd03-d.hillsboro.or.ndchlsbr.comcast.net. AAAA (0 matching RRSIGs, 0 expired, 0 not yet valid, 0 invalid signer, 0 invalid label count, 0 invalid key, 0 invalid crypto, 0 invalid NSEC)
[46333.25][plan] plan 'ndchlsbr.comcast.net.' type 'DS' uid [46333.28]
[46333.28][iter] 'ndchlsbr.comcast.net.' type 'DS' new uid was assigned .29, parent uid .25
[46333.29][cach] => trying zone: comcast.net., NSEC, hash 0
[46333.29][cach] => NSEC sname: covered by: northlake.il.ndchgo.comcast.net. -> hillsboro.or.ndchlsbr.comcast.net., new TTL 3600
[46333.29][cach] => NSEC sname: empty non-terminal by the same RR
[46333.29][iter] <= rcode: NOERROR
[46333.29][vldr] <= parent: updating DS
[46333.29][vldr] <= answer valid, OK
[46333.25][resl] => resuming yielded answer
[46333.25][vldr] >< no valid RRSIGs found: gtd03-d.hillsboro.or.ndchlsbr.comcast.net. AAAA (0 matching RRSIGs, 0 expired, 0 not yet valid, 0 invalid signer, 0 invalid label count, 0 invalid key, 0 invalid crypto, 0 invalid NSEC)
[46333.25][vldr] <= continuous revalidation, fails
[46333.25][cach] => stashed gtd03-d.hillsboro.or.ndchlsbr.comcast.net. AAAA, rank 027, 32 B total, incl. 0 RRSIGs
[46333.25][cach] => not overwriting AAAA gtd03-d.hillsboro.or.ndchlsbr.comcast.net.
[46333.00][resl] request failed, answering with empty SERVFAIL
[46333.25][resl] finished in state: 8, queries: 8, mempool: 65600 B
```

https://gitlab.nic.cz/knot/knot-resolver/-/issues/660
kresd won't resolve if zone doesn't support both TCP and 0x20
2020-12-18T17:44:20+01:00
Štěpán Balážik

This is because fallback from not supporting 0x20 is a switch to TCP.
Example at the time of writing: md.tvzhe.com.cname284.yjs-cdn.com

https://gitlab.nic.cz/knot/knot-resolver/-/issues/657
policy: actions don't populate OPT when they should
2021-11-23T19:52:44+01:00
Vladimír Čunát vladimir.cunat@nic.cz

[RFC 6891](https://tools.ietf.org/html/rfc6891#section-6.1.1):
> If an OPT record is present in a received request, compliant responders MUST include an OPT record in their respective responses.
Original report: https://forum.turris.cz/t/kresd-response-missing-opt-pseudo-rr/14437
It causes practical issues with systemd-resolved (see the report).

https://gitlab.nic.cz/knot/knot-resolver/-/issues/655
create package for dnstap module
2021-01-15T14:51:35+01:00
Tomas Krizek

Support for `dnstap` module should be packaged. Using a separate package, such as `knot-resolver-module-dnstap` probably makes the most sense. It also needs to be mentioned in dnstap documentation that an extra package is needed.
Reported from: https://github.com/CZ-NIC/knot-resolver/issues/71

Jakub Ružička

https://gitlab.nic.cz/knot/knot-resolver/-/issues/653
Make kresd 5.x build reproducible
2020-12-10T15:32:23+01:00
Santiago

Hi,
5.2.0 failed to build reproducibly in Debian due to scripts/get-date.sh used to populate the date on manages. See
Debian bug [#976827](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976827) and [diffoscope results](https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/knot-resolver.html). The attached patch by Chris Lamb should solve the issue.
[0002-reproducible-build.patch](/uploads/9bcfbfcbd2e5b19749babbd682bd8fc6/0002-reproducible-build.patch)
Thanks,
-- S

https://gitlab.nic.cz/knot/knot-resolver/-/issues/650
Transform Graphite tags into Prometheus labels
2020-12-18T11:43:56+01:00
Héctor Molinero Fernández

Currently the http module exposes Prometheus metrics and [replaces the `.` character with `_` in the metrics name](https://gitlab.nic.cz/knot/knot-resolver/-/blob/8ed646c507c43d5aea708dbd7aa90047029b046e/modules/http/prometheus.lua#L105). Perhaps this can be extended to also transform [Graphite tags](https://graphite.readthedocs.io/en/stable/tags.html) into [Prometheus labels](https://prometheus.io/docs/concepts/data_model/).
Since I don't have permission to fork the project, I leave a patch attached that implements this feature.
[knot-resolver-prometheus-labels.patch](/uploads/bf7fa713617ce3c00fc1770799edf7e6/knot-resolver-prometheus-labels.patch)

https://gitlab.nic.cz/knot/knot-resolver/-/issues/649
server selection: consider switching to TCP instead of backing off the timeouts to high values
2021-02-18T16:56:41+01:00
Štěpán Balážik

The following discussion from !1030 should be addressed:
- [ ] @sbalazik started a [discussion](https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1030#note_184303): (+1 comment)
> `config.hints` test [is timing out sometimes](https://gitlab.nic.cz/knot/knot-resolver/-/jobs/463522) on this branch and so far, I have no idea why.
>
> ```
> 22/36 knot-resolver:postinstall+config+skip_asan / config.hints TIMEOUT 120.05 s
> --- command ---
> KRESD_NO_LISTEN='1' PATH='/builds/knot/knot-resolver/.local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' TEST_FILE='/builds/knot/knot-resolver/modules/hints/tests/hints.test.lua' SOURCE_PATH='/builds/knot/knot-resolver/tests/config' /builds/knot/knot-resolver/tests/config/../../scripts/test-config.sh -c /builds/knot/knot-resolver/build_ci/../tests/config/test.cfg -n
> --- stdout ---
> /builds/knot/knot-resolver/.local/sbin/kresd
> processing test file /builds/knot/knot-resolver/modules/hints/tests/hints.test.lua
> ok 1 - has IP address for a.root-servers.net.
> ok 2 - load root hints from file
> ok 3 - can retrieve root hints
> ok 4 - real IP address for a.root-servers.net. is replaced
> ok 5 - real IP address for a.root-servers.net. is correct
> [65536.00][rplan] [qry tree] badname.lan. A (0) <-
> [65536.00][rplan] [push] pending 1; badname.lan. A (0) | resolved 0
> [65536.03][rplan] [qry tree] . DNSKEY (3) <- badname.lan. A (2) <-
> [65536.03][rplan] [push] pending 2; . DNSKEY (3); badname.lan. A (2) | resolved 0
> ```
This is because the `iter_ns_badip.rpl` workaround allows the pushing of the same query to `rplan` twice in a row which leads to multiple tries with back-off of the timeout to resolve `. DNSKEY` or `a.root-servers.net AAAA` (if DNSSEC is turned off). The old selection implementation switches to TCP after a few tries and there the connection fails and the NS address is `flagged as 'bad'`.
Switching to TCP instead of backing off into big timeouts might be a good idea which might even help with the pathological cases that appear in `respdiff` now.

5.3.0

https://gitlab.nic.cz/knot/knot-resolver/-/issues/645
FORMERR does not trigger EDNS fallback
2021-10-11T13:06:06+02:00
Petr Špaček

Version: 5.2.0
Domain `spam.molax.co.kr.` qtype `A` does not work with EDNS. Auth servers correctly return FORMERR but kresd 5.2.0 does not fall back to non-EDNS and SERVFAILs request from client.
[spam.molax.co.kr.A.log](/uploads/edde70e988fcf6ab810e693802c8896d/spam.molax.co.kr.A.log)
We need to:
- fix kresd
- investigate why test https://gitlab.nic.cz/knot/deckard/-/blob/master/sets/resolver/iter_formerr.rpl did not detect this and fix it!

https://gitlab.nic.cz/knot/knot-resolver/-/issues/643
SAD DNS (Side channel AttackeD DNS)
2021-01-28T09:36:23+01:00
Matt Taggart

New DNS cache poisoning attack, https://www.saddns.net/
I scanned the [paper](https://dl.acm.org/doi/pdf/10.1145/3372297.3417280) and it explicitly mentions bind, unbound, and dnsmasq as being affected, no mention either way for knot. I'm not sure if they make their tests available. Maybe it makes the most sense to contact the authors and work with them (I wish they had reached out to knot).

https://gitlab.nic.cz/knot/knot-resolver/-/issues/642
Can't resolve www.hashicorp.com
2020-11-12T20:24:46+01:00
Thushjandan

Knot resolver returns the IP 0.0.0.0 for www.hashicorp.com instead of the correct IP. It looks like it doesn't use the A record, which was returned with the CNAME in the first request.
I am using Knot resolver version 5.2.0. Is it maybe a bug or can I change the behavior?
Resolve www.hashicorp.com from Knot resolver.
```
$ dig @192.168.12.90 www.hashicorp.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.168.12.90 www.hashicorp.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52565
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.hashicorp.com. IN A
;; ANSWER SECTION:
www.hashicorp.com. 300 IN CNAME cname.vercel-dns.com.
cname.vercel-dns.com. 60 IN A 0.0.0.0
;; Query time: 217 msec
;; SERVER: 192.168.12.90#53(192.168.12.90)
;; WHEN: Thu Nov 12 19:23:39 CET 2020
;; MSG SIZE rcvd: 93
```
Resolve from Cloudflare DNS
```
$ dig @1.1.1.2 www.hashicorp.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @1.1.1.2 www.hashicorp.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44228
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.hashicorp.com. IN A
;; ANSWER SECTION:
www.hashicorp.com. 300 IN CNAME cname.vercel-dns.com.
cname.vercel-dns.com. 60 IN A 76.76.21.21
;; Query time: 22 msec
;; SERVER: 1.1.1.2#53(1.1.1.2)
;; WHEN: Thu Nov 12 19:23:31 CET 2020
;; MSG SIZE rcvd: 93
```
Trace from the Knot resolver:
```
$ curl http://192.168.12.90:8453/trace/www.hashicorp.com
[69907.00][iter] 'www.hashicorp.com.' type 'A' new uid was assigned .01, parent uid .00
[69907.01][cach] => skipping unfit CNAME RR: rank 030, new TTL -26745
[69907.01][cach] => no NSEC* cached for zone: hashicorp.com.
[69907.01][cach] => skipping zone: hashicorp.com., NSEC, hash 0;new TTL -123456789, ret -2
[69907.01][cach] => skipping zone: hashicorp.com., NSEC, hash 0;new TTL -123456789, ret -2
[69907.01][plan] plan '.' type 'DNSKEY' uid [69907.02]
[69907.02][iter] '.' type 'DNSKEY' new uid was assigned .03, parent uid .01
[69907.03][cach] => satisfied by exact RRset: rank 060, new TTL 6959
[69907.03][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 21761
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
. DNSKEY
;; ANSWER SECTION
. 6959 DNSKEY 256 3 8 AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfiobeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5CsDVbMmhTD0C0yxWICRQ1M+Y5/XkZAT7mt4cb3fWcN9xgyq1wEXQX+zdLQHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jEhCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewD+BvSnmnNHNmH2FjUE8=
. 6959 DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
. 172800 RRSIG DNSKEY 8 0 172800 20201201000000 20201110000000 20326 . SkIHirgYkYi7NAig66n3yDX00Vmu+nbdwNrjHq3b8F9MjOKrWkymnBpbu/mvkhNhzCEk/6lAkE6u/7oqvu09uP9hvnTTBRVKUk3JjWBROe0RhQqlmwxb7Vu9s2ag9Tr67zHUKj1/0xBvqRCfq3EPSqd/CjWYw+93s4+32ZEkMmLGdAu5I5phTgAxesjCy550m7xsFwWo5SKotP3g1420D4iaCpZE1SpkEybQ9WoveCWBNnZnnMI8BdN33W+EOVHEkAKevYRYIpG93XP/IeIcf3MetEmBt+DD0AcGIyorfiBQVrvNsha1Ek+iMm59KS8pYqiXhS1zmFz91cvKueMgsQ==
[69907.03][iter] <= rcode: NOERROR
[69907.03][vldr] <= parent: updating DNSKEY
[69907.03][vldr] <= answer valid, OK
[69907.01][iter] 'www.hashicorp.com.' type 'A' new uid was assigned .04, parent uid .00
[69907.04][plan] plan 'com.' type 'DS' uid [69907.05]
[69907.05][iter] 'com.' type 'DS' new uid was assigned .06, parent uid .04
[69907.06][cach] => satisfied by exact RRset: rank 060, new TTL 80465
[69907.06][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 13789
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
com. DS
;; ANSWER SECTION
com. 80465 DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766
com. 86400 RRSIG DS 8 1 86400 20201125050000 20201112040000 26116 . RowjzJyN/XzMW/4Rpt2D4wPdI/cHQHlX05FhT/WQ0QXSat/0T4kzM+ND+R7lQNnOf6i2rC0ZAxwnEbbKyUHZl8eXdLMVmNSWfVKaQQ6LOUB9k2TBbBY6v4M4vCt1VH++CwYkLafxVs8QuhUTYXmhPdfWAlRQTdZEvAdltuhIDpsYhjRMh67LO12fCD1j54JGRJvoJP+mi7gSQ9VrLwc4fyiAqLbirbHXWtWO6jehnN3hdPLquFgVNJQaxqZUmE0LVSEheT6l3Dlckj9yFZ5WKE2WvHXgLE9F+A+1qK2e0o21Xy4hY0fXL9zL4nd83hHV3amWhVdWfLuio5OkJKZVsQ==
[69907.06][iter] <= rcode: NOERROR
[69907.06][vldr] <= DS: OK
[69907.06][vldr] <= parent: updating DS
[69907.06][vldr] <= answer valid, OK
[69907.04][iter] 'www.hashicorp.com.' type 'A' new uid was assigned .07, parent uid .00
[69907.07][plan] plan 'com.' type 'DNSKEY' uid [69907.08]
[69907.08][iter] 'com.' type 'DNSKEY' new uid was assigned .09, parent uid .07
[69907.09][cach] => satisfied by exact RRset: rank 060, new TTL 4771
[69907.09][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 32862
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
com. DNSKEY
;; ANSWER SECTION
com. 4771 DNSKEY 256 3 8 AwEAAadfNlrLwDe1W0klTRoNDeeEfZAop76YMUvOtl2pu0lXE5Fzj1sDROflxnOGTI9RfwrA0rD0ixBkW32Pu1nheytLBrPZ32hva+iY8jYQ/TPiMsbc/soa8KHQ77eaJtJAImc+VLuXrI1QmRyrywJWU1fkZ9GyPP5YAhgnttH6ZDXgMeJYjzs5CLfMiV9vAWFgJvy98bG97JP3PpHL9/8BTGM=
com. 4771 DNSKEY 257 3 8 AQPDzldNmMvZFX4NcNJ0uEnKDg7tmv/F3MyQR0lpBmVcNcsIszxNFxsBfKNW9JYCYqpik8366LE7VbIcNRzfp2h9OO8HRl+H+E08zauK8k7evWEmu/6od+2boggPoiEfGNyvNPaSI7FOIroDsnw/taggzHRX1Z7SOiOiPWPNIwSUyWOZ79VmcQ1GLkC6NlYvG3HwYmynQv6oFwGv/KELSw7ZSdrbTQ0HXvZbqMUI7BaMskmvgm1G7oKZ1YiF7O9ioVNc0+7ASbqmZN7Z98EGU/Qh2K/BgUe8Hs0XVcdPKrtyYnoQHd2ynKPcMMlTEih2/2HDHjRPJ2aywIpKNnv4oPo/
com. 86400 RRSIG DNSKEY 8 1 86400 20201126192421 20201111191921 30909 com. p+3loL9LZjCTV2qOLVrHGTQUJpRsILARSVfNyu3DgnMKL+PnyAf01536ptf8R4hOL5dotMExgKySfE3MjogoWz+Y+C34jYoasWKTctMmT8xDW5Cv7Md3Apz7XyXprdy6aZedWfDTeWvYPgGOhLVY7KnL2TezDQ0n08lpeK70QJv6kD9kCTfwq45VWo5aPhDTFt7RqW7Qlkva0GtnYdSJRiH7QtfIvLZddp6ZIAZ/7INllsbdIn0THHPPiiyYwe7WEz25cEU6LR9t7NdmLjEFwgCD5IJzcWk0VXy9Ca9b/17hodH7HsvlR1hrx56ay0SQ2E16wAfKhYlLGAENMzQnWg==
[69907.09][iter] <= rcode: NOERROR
[69907.09][vldr] <= parent: updating DNSKEY
[69907.09][vldr] <= answer valid, OK
[69907.07][iter] 'www.hashicorp.com.' type 'A' new uid was assigned .10, parent uid .00
[69907.10][plan] plan 'hashicorp.com.' type 'DS' uid [69907.11]
[69907.11][iter] 'hashicorp.com.' type 'DS' new uid was assigned .12, parent uid .10
[69907.12][cach] => skipping exact packet: rank 060 (min. 030), new TTL -26145
[69907.12][cach] => trying zone: ., NSEC, hash 0
[69907.12][cach] => NSEC sname: range search miss (!covers)
[69907.12][cach] => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
[69907.12][resl] => id: '16684' querying: '2606:4700:4700::1112#00053' score: 1 zone cut: 'com.' qname: 'HasHiCorP.Com.' qtype: 'DS' proto: 'udp'
[69907.12][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 16684
;; Flags: qr rd ra cd QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
hashicorp.com. DS
;; AUTHORITY SECTION
com. 209 SOA a.gtld-servers.net. nstld.verisign-grs.com. 1605203800 1800 900 604800 86400
com. 900 RRSIG SOA 8 1 900 20201119175640 20201112164640 31510 com. jvN32o59bVS1f8KkIEFLP4NtQg41m8sOAqbzFVixQGSZQewKOJZ+lzJx472f+/pGBe+77RySnHKUH4X50r61wnrU3HoTF0WVyPsB7Zecav8qk/WF0kKVoOjUeKytIWd30noatVI+AEaYf2f5wfaRYDRFtRHONf8W09i9W74IoPlH+8/3agwgrt9Ph5LWpYFjjIbpY9pD5D4VNSrFV6lgXw==
ck0pojmg874ljref7efn8430qvit8bsm.com. 85709 NSEC3 1 1 0 - ck0q1gin43n1arrc9osm6qpqr81h5m9a NS SOA RRSIG DNSKEY NSEC3PARAM
ck0pojmg874ljref7efn8430qvit8bsm.com. 86400 RRSIG NSEC3 8 2 86400 20201117054050 20201110043050 31510 com. QcCRv0+WLMMhx/fo86861gisW7X+bjfa2dNfTCc8NT+8lGOccnPlELGCrupodzjN4aJ8eSDV6k2y5c+S8LdA2N9hRmN6gKA+BjRxIcdh2Yg5v1UUoG4/szoFZT34lzkDX8KtIePwBGIEH8LEMXYhf3gtkD7TLd5UfNpokZwyzEeeRQz5eD68Ax1bO4TkaYRN2Z9KiiE6SzQRMXuhSmg2Cw==
55ajmvj26qps66dvcfjf4qgitlh6olfd.com. 85709 NSEC3 1 1 0 - 55ak9166puhhq99kh7ojjhtk6un1fvs4 NS DS RRSIG
55ajmvj26qps66dvcfjf4qgitlh6olfd.com. 86400 RRSIG NSEC3 8 2 86400 20201116053951 20201109042951 31510 com. CVq6J1Gcv3Hu/lYiYwMCN4waTw6rlshFq2mdItEiBTLGRcPm3myhOL1GveU5lLe6s+xkTKjZdJ6yRRCbZoip/aV8QbQbMW4TDIe4LKeOpSdOltNt9cG0fpjSW6kBP3xnG/EH4ziq7Jq+OXAx4aaW+j2MkPeFwWkd44EdqoIJwZnyl2LmN7GS2VXzwVyonD7uKPf2OmQsNRQNcgxm+Y7PMg==
;; ADDITIONAL SECTION
[69907.12][iter] <= rcode: NOERROR
[69907.12][vldr] <= can't prove NODATA due to optout, going insecure
[69907.12][vldr] <= parent: updating DS
[69907.12][vldr] <= answer valid, OK
[69907.12][cach] => stashed com. SOA, rank 060, 266 B total, incl. 1 RRSIGs
[69907.12][cach] => stashed packet: rank 060, TTL 209, DS hashicorp.com. (871 B)
[69907.12][resl] <= server: '2606:4700:4700::1112' rtt: 14 ms
[69907.10][iter] 'www.hashicorp.com.' type 'A' new uid was assigned .13, parent uid .00
[69907.13][plan] plan 'hashicorp.com.' type 'NS' uid [69907.14]
[69907.14][iter] 'hashicorp.com.' type 'NS' new uid was assigned .15, parent uid .13
[69907.15][cach] => skipping exact RR: rank 020 (min. 030), new TTL 56518
[69907.15][cach] => no NSEC* cached for zone: hashicorp.com.
[69907.15][cach] => skipping zone: hashicorp.com., NSEC, hash 0;new TTL -123456789, ret -2
[69907.15][cach] => skipping zone: hashicorp.com., NSEC, hash 0;new TTL -123456789, ret -2
[69907.15][resl] => id: '60605' querying: '2606:4700:4700::1112#00053' score: 1 zone cut: 'com.' qname: 'hASHicorp.coM.' qtype: 'NS' proto: 'udp'
[69907.15][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 60605
;; Flags: qr rd ra cd QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
hashicorp.com. NS
;; ANSWER SECTION
hashicorp.com. 86400 NS sam.ns.cloudflare.com.
hashicorp.com. 86400 NS zara.ns.cloudflare.com.
;; ADDITIONAL SECTION
[69907.15][iter] <= rcode: NOERROR
[69907.15][cach] => not overwriting NS hashicorp.com.
[69907.15][resl] <= server: '2606:4700:4700::1112' rtt: 15 ms
[69907.13][iter] 'www.hashicorp.com.' type 'A' new uid was assigned .16, parent uid .00
[69907.16][resl] => id: '54728' querying: '2606:4700:4700::1112#00053' score: 1 zone cut: 'hashicorp.com.' qname: 'www.hAsHIcorp.coM.' qtype: 'A' proto: 'udp'
[69907.16][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 54728
;; Flags: qr rd ra cd QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
www.hashicorp.com. A
;; ANSWER SECTION
www.hashicorp.com. 300 CNAME cname.vercel-dns.com.
cname.vercel-dns.com. 60 A 76.76.21.21
;; ADDITIONAL SECTION
[69907.16][iter] <= rcode: NOERROR
[69907.16][iter] <= cname chain, following
[69907.16][cach] => stashed www.hashicorp.com. CNAME, rank 030, 38 B total, incl. 0 RRSIGs
[69907.16][resl] <= server: '2606:4700:4700::1112' rtt: 23 ms
[69907.17][iter] 'cname.vercel-dns.com.' type 'A' new uid was assigned .18, parent uid .00
[69907.18][cach] => skipping exact RR: rank 030 (min. 030), new TTL -26922
[69907.18][cach] => no NSEC* cached for zone: vercel-dns.com.
[69907.18][cach] => skipping zone: vercel-dns.com., NSEC, hash 0;new TTL -123456789, ret -2
[69907.18][cach] => skipping zone: vercel-dns.com., NSEC, hash 0;new TTL -123456789, ret -2
[69907.18][plan] plan '.' type 'DNSKEY' uid [69907.19]
[69907.19][iter] '.' type 'DNSKEY' new uid was assigned .20, parent uid .18
[69907.20][cach] => satisfied by exact RRset: rank 060, new TTL 6959
[69907.20][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 39615
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
. DNSKEY
;; ANSWER SECTION
. 6959 DNSKEY 256 3 8 AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfiobeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5CsDVbMmhTD0C0yxWICRQ1M+Y5/XkZAT7mt4cb3fWcN9xgyq1wEXQX+zdLQHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jEhCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewD+BvSnmnNHNmH2FjUE8=
. 6959 DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
. 172800 RRSIG DNSKEY 8 0 172800 20201201000000 20201110000000 20326 . SkIHirgYkYi7NAig66n3yDX00Vmu+nbdwNrjHq3b8F9MjOKrWkymnBpbu/mvkhNhzCEk/6lAkE6u/7oqvu09uP9hvnTTBRVKUk3JjWBROe0RhQqlmwxb7Vu9s2ag9Tr67zHUKj1/0xBvqRCfq3EPSqd/CjWYw+93s4+32ZEkMmLGdAu5I5phTgAxesjCy550m7xsFwWo5SKotP3g1420D4iaCpZE1SpkEybQ9WoveCWBNnZnnMI8BdN33W+EOVHEkAKevYRYIpG93XP/IeIcf3MetEmBt+DD0AcGIyorfiBQVrvNsha1Ek+iMm59KS8pYqiXhS1zmFz91cvKueMgsQ==
[69907.20][iter] <= rcode: NOERROR
[69907.20][vldr] <= parent: updating DNSKEY
[69907.20][vldr] <= answer valid, OK
[69907.18][iter] 'cname.vercel-dns.com.' type 'A' new uid was assigned .21, parent uid .00
[69907.21][plan] plan 'com.' type 'DS' uid [69907.22]
[69907.22][iter] 'com.' type 'DS' new uid was assigned .23, parent uid .21
[69907.23][cach] => satisfied by exact RRset: rank 060, new TTL 80465
[69907.23][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 40853
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
com. DS
;; ANSWER SECTION
com. 80465 DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766
com. 86400 RRSIG DS 8 1 86400 20201125050000 20201112040000 26116 . RowjzJyN/XzMW/4Rpt2D4wPdI/cHQHlX05FhT/WQ0QXSat/0T4kzM+ND+R7lQNnOf6i2rC0ZAxwnEbbKyUHZl8eXdLMVmNSWfVKaQQ6LOUB9k2TBbBY6v4M4vCt1VH++CwYkLafxVs8QuhUTYXmhPdfWAlRQTdZEvAdltuhIDpsYhjRMh67LO12fCD1j54JGRJvoJP+mi7gSQ9VrLwc4fyiAqLbirbHXWtWO6jehnN3hdPLquFgVNJQaxqZUmE0LVSEheT6l3Dlckj9yFZ5WKE2WvHXgLE9F+A+1qK2e0o21Xy4hY0fXL9zL4nd83hHV3amWhVdWfLuio5OkJKZVsQ==
[69907.23][iter] <= rcode: NOERROR
[69907.23][vldr] <= DS: OK
[69907.23][vldr] <= parent: updating DS
[69907.23][vldr] <= answer valid, OK
[69907.21][iter] 'cname.vercel-dns.com.' type 'A' new uid was assigned .24, parent uid .00
[69907.24][plan] plan 'com.' type 'DNSKEY' uid [69907.25]
[69907.25][iter] 'com.' type 'DNSKEY' new uid was assigned .26, parent uid .24
[69907.26][cach] => satisfied by exact RRset: rank 060, new TTL 4771
[69907.26][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 1785
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
com. DNSKEY
;; ANSWER SECTION
com. 4771 DNSKEY 256 3 8 AwEAAadfNlrLwDe1W0klTRoNDeeEfZAop76YMUvOtl2pu0lXE5Fzj1sDROflxnOGTI9RfwrA0rD0ixBkW32Pu1nheytLBrPZ32hva+iY8jYQ/TPiMsbc/soa8KHQ77eaJtJAImc+VLuXrI1QmRyrywJWU1fkZ9GyPP5YAhgnttH6ZDXgMeJYjzs5CLfMiV9vAWFgJvy98bG97JP3PpHL9/8BTGM=
com. 4771 DNSKEY 257 3 8 AQPDzldNmMvZFX4NcNJ0uEnKDg7tmv/F3MyQR0lpBmVcNcsIszxNFxsBfKNW9JYCYqpik8366LE7VbIcNRzfp2h9OO8HRl+H+E08zauK8k7evWEmu/6od+2boggPoiEfGNyvNPaSI7FOIroDsnw/taggzHRX1Z7SOiOiPWPNIwSUyWOZ79VmcQ1GLkC6NlYvG3HwYmynQv6oFwGv/KELSw7ZSdrbTQ0HXvZbqMUI7BaMskmvgm1G7oKZ1YiF7O9ioVNc0+7ASbqmZN7Z98EGU/Qh2K/BgUe8Hs0XVcdPKrtyYnoQHd2ynKPcMMlTEih2/2HDHjRPJ2aywIpKNnv4oPo/
com. 86400 RRSIG DNSKEY 8 1 86400 20201126192421 20201111191921 30909 com. p+3loL9LZjCTV2qOLVrHGTQUJpRsILARSVfNyu3DgnMKL+PnyAf01536ptf8R4hOL5dotMExgKySfE3MjogoWz+Y+C34jYoasWKTctMmT8xDW5Cv7Md3Apz7XyXprdy6aZedWfDTeWvYPgGOhLVY7KnL2TezDQ0n08lpeK70QJv6kD9kCTfwq45VWo5aPhDTFt7RqW7Qlkva0GtnYdSJRiH7QtfIvLZddp6ZIAZ/7INllsbdIn0THHPPiiyYwe7WEz25cEU6LR9t7NdmLjEFwgCD5IJzcWk0VXy9Ca9b/17hodH7HsvlR1hrx56ay0SQ2E16wAfKhYlLGAENMzQnWg==
[69907.26][iter] <= rcode: NOERROR
[69907.26][vldr] <= parent: updating DNSKEY
[69907.26][vldr] <= answer valid, OK
[69907.24][iter] 'cname.vercel-dns.com.' type 'A' new uid was assigned .27, parent uid .00
[69907.27][plan] plan 'vercel-dns.com.' type 'DS' uid [69907.28]
[69907.28][iter] 'vercel-dns.com.' type 'DS' new uid was assigned .29, parent uid .27
[69907.29][cach] => skipping exact packet: rank 060 (min. 030), new TTL -26566
[69907.29][cach] => trying zone: ., NSEC, hash 0
[69907.29][cach] => NSEC sname: range search miss (!covers)
[69907.29][cach] => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
[69907.29][resl] => id: '24114' querying: '2606:4700:4700::1112#00053' score: 1 zone cut: 'com.' qname: 'VErCel-dNs.coM.' qtype: 'DS' proto: 'udp'
[69907.29][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 24114
;; Flags: qr rd ra cd QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
vercel-dns.com. DS
;; AUTHORITY SECTION
com. 900 SOA a.gtld-servers.net. nstld.verisign-grs.com. 1605204490 1800 900 604800 86400
com. 900 RRSIG SOA 8 1 900 20201119180810 20201112165810 31510 com. jHymJ9+FoWKJ80bnJyvqpgPlbEW+uaIT9lFNMNgZUf+lgp3NaR+e0F59wN36B/R4eL2ejbB+I5x3vWK9MgD6wt0f+1AK84nAEDNYndp5CYRtjTNBHGeieO6S/RJKUJQSTjM3KKlewVT0QoRtNiRjhJ4VsdeX85AoMfOcxup9kDHnq2UN4RFr/ba2w9Y9z5ajEaKip2GraYYZt7mUOKF7mw==
ck0pojmg874ljref7efn8430qvit8bsm.com. 86400 NSEC3 1 1 0 - ck0q1gin43n1arrc9osm6qpqr81h5m9a NS SOA RRSIG DNSKEY NSEC3PARAM
ck0pojmg874ljref7efn8430qvit8bsm.com. 86400 RRSIG NSEC3 8 2 86400 20201117054050 20201110043050 31510 com. QcCRv0+WLMMhx/fo86861gisW7X+bjfa2dNfTCc8NT+8lGOccnPlELGCrupodzjN4aJ8eSDV6k2y5c+S8LdA2N9hRmN6gKA+BjRxIcdh2Yg5v1UUoG4/szoFZT34lzkDX8KtIePwBGIEH8LEMXYhf3gtkD7TLd5UfNpokZwyzEeeRQz5eD68Ax1bO4TkaYRN2Z9KiiE6SzQRMXuhSmg2Cw==
28va0kf9hvfvhk3rij8dd0uhlvld2bk3.com. 86400 NSEC3 1 1 0 - 28vasp4p2jno8gj0l2doqd24npevik9l NS DS RRSIG
28va0kf9hvfvhk3rij8dd0uhlvld2bk3.com. 86400 RRSIG NSEC3 8 2 86400 20201118070201 20201111055201 31510 com. gvdrxGsODv/hZtLqUzZcSG+LVJPJX2gEEWj9eulb3jtooiG7dpUZnRVcbXauZZ6jaW62u0JKxjjYY13/1adnBtvCSAZBKLVFZtmq2N9JEfxKRpcm1+p6R72NcY3QDML4jdCOS2VfFHIFH1SjpxQEK9VM6F+A6UDJVshb7mjG8t0HTo2ag+tVynJxl1jsqKnIaQxGo8lHmXqjMrOPRAhTXQ==
;; ADDITIONAL SECTION
[69907.29][iter] <= rcode: NOERROR
[69907.29][vldr] <= can't prove NODATA due to optout, going insecure
[69907.29][vldr] <= parent: updating DS
[69907.29][vldr] <= answer valid, OK
[69907.29][cach] => stashed com. SOA, rank 060, 266 B total, incl. 1 RRSIGs
[69907.29][cach] => stashed packet: rank 060, TTL 900, DS vercel-dns.com. (872 B)
[69907.29][resl] <= server: '2606:4700:4700::1112' rtt: 33 ms
[69907.27][iter] 'cname.vercel-dns.com.' type 'A' new uid was assigned .30, parent uid .00
[69907.30][plan] plan 'vercel-dns.com.' type 'NS' uid [69907.31]
[69907.31][iter] 'vercel-dns.com.' type 'NS' new uid was assigned .32, parent uid .30
[69907.32][cach] => skipping exact RR: rank 020 (min. 030), new TTL 5668
[69907.32][cach] => no NSEC* cached for zone: vercel-dns.com.
[69907.32][cach] => skipping zone: vercel-dns.com., NSEC, hash 0;new TTL -123456789, ret -2
[69907.32][cach] => skipping zone: vercel-dns.com., NSEC, hash 0;new TTL -123456789, ret -2
[69907.32][resl] => id: '37850' querying: '2606:4700:4700::1112#00053' score: 1 zone cut: 'com.' qname: 'VErcEL-dns.com.' qtype: 'NS' proto: 'udp'
[69907.32][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 37850
;; Flags: qr rd ra cd QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
vercel-dns.com. NS
;; ANSWER SECTION
vercel-dns.com. 86400 NS ns1.vercel-dns.com.
vercel-dns.com. 86400 NS ns2.vercel-dns.com.
;; ADDITIONAL SECTION
[69907.32][iter] <= rcode: NOERROR
[69907.32][cach] => not overwriting NS vercel-dns.com.
[69907.32][resl] <= server: '2606:4700:4700::1112' rtt: 18 ms
[69907.30][iter] 'cname.vercel-dns.com.' type 'A' new uid was assigned .33, parent uid .00
[69907.33][resl] => id: '36105' querying: '2606:4700:4700::1112#00053' score: 1 zone cut: 'vercel-dns.com.' qname: 'CNAmE.VeRcel-dns.cOm.' qtype: 'A' proto: 'udp'
[69907.33][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 36105
;; Flags: qr rd ra QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
cname.vercel-dns.com. A
;; ANSWER SECTION
cname.vercel-dns.com. 60 A 0.0.0.0
;; ADDITIONAL SECTION
[69907.33][iter] <= rcode: NOERROR
[69907.33][cach] => stashed cname.vercel-dns.com. A, rank 030, 20 B total, incl. 0 RRSIGs
[69907.33][resl] <= server: '2606:4700:4700::1112' rtt: 13 ms
[69907.33][resl] AD: request NOT classified as SECURE
[69907.33][resl] finished in state: 4, queries: 12, mempool: 163952 B
[69907.00][dbg ] selected rrsets from answer sections:
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 3, revalidations 0
. 6959 DNSKEY 256 3 8 AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfiobeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5CsDVbMmhTD0C0yxWICRQ1M+Y5/XkZAT7mt4cb3fWcN9xgyq1wEXQX+zdLQHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jEhCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewD+BvSnmnNHNmH2FjUE8=
. 6959 DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
; ranked rrset to_wire false, rank 021 (omit auth), cached false, qry_uid 3, revalidations 0
. 172800 RRSIG DNSKEY 8 0 172800 20201201000000 20201110000000 20326 . SkIHirgYkYi7NAig66n3yDX00Vmu+nbdwNrjHq3b8F9MjOKrWkymnBpbu/mvkhNhzCEk/6lAkE6u/7oqvu09uP9hvnTTBRVKUk3JjWBROe0RhQqlmwxb7Vu9s2ag9Tr67zHUKj1/0xBvqRCfq3EPSqd/CjWYw+93s4+32ZEkMmLGdAu5I5phTgAxesjCy550m7xsFwWo5SKotP3g1420D4iaCpZE1SpkEybQ9WoveCWBNnZnnMI8BdN33W+EOVHEkAKevYRYIpG93XP/IeIcf3MetEmBt+DD0AcGIyorfiBQVrvNsha1Ek+iMm59KS8pYqiXhS1zmFz91cvKueMgsQ==
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 6, revalidations 0
com. 80465 DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766
; ranked rrset to_wire false, rank 021 (omit auth), cached false, qry_uid 6, revalidations 0
com. 86400 RRSIG DS 8 1 86400 20201125050000 20201112040000 26116 . RowjzJyN/XzMW/4Rpt2D4wPdI/cHQHlX05FhT/WQ0QXSat/0T4kzM+ND+R7lQNnOf6i2rC0ZAxwnEbbKyUHZl8eXdLMVmNSWfVKaQQ6LOUB9k2TBbBY6v4M4vCt1VH++CwYkLafxVs8QuhUTYXmhPdfWAlRQTdZEvAdltuhIDpsYhjRMh67LO12fCD1j54JGRJvoJP+mi7gSQ9VrLwc4fyiAqLbirbHXWtWO6jehnN3hdPLquFgVNJQaxqZUmE0LVSEheT6l3Dlckj9yFZ5WKE2WvHXgLE9F+A+1qK2e0o21Xy4hY0fXL9zL4nd83hHV3amWhVdWfLuio5OkJKZVsQ==
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 9, revalidations 0
com. 4771 DNSKEY 256 3 8 AwEAAadfNlrLwDe1W0klTRoNDeeEfZAop76YMUvOtl2pu0lXE5Fzj1sDROflxnOGTI9RfwrA0rD0ixBkW32Pu1nheytLBrPZ32hva+iY8jYQ/TPiMsbc/soa8KHQ77eaJtJAImc+VLuXrI1QmRyrywJWU1fkZ9GyPP5YAhgnttH6ZDXgMeJYjzs5CLfMiV9vAWFgJvy98bG97JP3PpHL9/8BTGM=
com. 4771 DNSKEY 257 3 8 AQPDzldNmMvZFX4NcNJ0uEnKDg7tmv/F3MyQR0lpBmVcNcsIszxNFxsBfKNW9JYCYqpik8366LE7VbIcNRzfp2h9OO8HRl+H+E08zauK8k7evWEmu/6od+2boggPoiEfGNyvNPaSI7FOIroDsnw/taggzHRX1Z7SOiOiPWPNIwSUyWOZ79VmcQ1GLkC6NlYvG3HwYmynQv6oFwGv/KELSw7ZSdrbTQ0HXvZbqMUI7BaMskmvgm1G7oKZ1YiF7O9ioVNc0+7ASbqmZN7Z98EGU/Qh2K/BgUe8Hs0XVcdPKrtyYnoQHd2ynKPcMMlTEih2/2HDHjRPJ2aywIpKNnv4oPo/
; ranked rrset to_wire false, rank 021 (omit auth), cached false, qry_uid 9, revalidations 0
com. 86400 RRSIG DNSKEY 8 1 86400 20201126192421 20201111191921 30909 com. p+3loL9LZjCTV2qOLVrHGTQUJpRsILARSVfNyu3DgnMKL+PnyAf01536ptf8R4hOL5dotMExgKySfE3MjogoWz+Y+C34jYoasWKTctMmT8xDW5Cv7Md3Apz7XyXprdy6aZedWfDTeWvYPgGOhLVY7KnL2TezDQ0n08lpeK70QJv6kD9kCTfwq45VWo5aPhDTFt7RqW7Qlkva0GtnYdSJRiH7QtfIvLZddp6ZIAZ/7INllsbdIn0THHPPiiyYwe7WEz25cEU6LR9t7NdmLjEFwgCD5IJzcWk0VXy9Ca9b/17hodH7HsvlR1hrx56ay0SQ2E16wAfKhYlLGAENMzQnWg==
; ranked rrset to_wire false, rank 020 (initial auth), cached false, qry_uid 15, revalidations 0
hashicorp.com. 86400 NS sam.ns.cloudflare.com.
hashicorp.com. 86400 NS zara.ns.cloudflare.com.
; ranked rrset to_wire true, rank 030 (insecure auth), cached true, qry_uid 16, revalidations 0
www.hashicorp.com. 300 CNAME cname.vercel-dns.com.
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 20, revalidations 0
. 6959 DNSKEY 256 3 8 AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfiobeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5CsDVbMmhTD0C0yxWICRQ1M+Y5/XkZAT7mt4cb3fWcN9xgyq1wEXQX+zdLQHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jEhCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewD+BvSnmnNHNmH2FjUE8=
. 6959 DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
; ranked rrset to_wire false, rank 021 (omit auth), cached false, qry_uid 20, revalidations 0
. 172800 RRSIG DNSKEY 8 0 172800 20201201000000 20201110000000 20326 . SkIHirgYkYi7NAig66n3yDX00Vmu+nbdwNrjHq3b8F9MjOKrWkymnBpbu/mvkhNhzCEk/6lAkE6u/7oqvu09uP9hvnTTBRVKUk3JjWBROe0RhQqlmwxb7Vu9s2ag9Tr67zHUKj1/0xBvqRCfq3EPSqd/CjWYw+93s4+32ZEkMmLGdAu5I5phTgAxesjCy550m7xsFwWo5SKotP3g1420D4iaCpZE1SpkEybQ9WoveCWBNnZnnMI8BdN33W+EOVHEkAKevYRYIpG93XP/IeIcf3MetEmBt+DD0AcGIyorfiBQVrvNsha1Ek+iMm59KS8pYqiXhS1zmFz91cvKueMgsQ==
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 23, revalidations 0
com. 80465 DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766
; ranked rrset to_wire false, rank 021 (omit auth), cached false, qry_uid 23, revalidations 0
com. 86400 RRSIG DS 8 1 86400 20201125050000 20201112040000 26116 . RowjzJyN/XzMW/4Rpt2D4wPdI/cHQHlX05FhT/WQ0QXSat/0T4kzM+ND+R7lQNnOf6i2rC0ZAxwnEbbKyUHZl8eXdLMVmNSWfVKaQQ6LOUB9k2TBbBY6v4M4vCt1VH++CwYkLafxVs8QuhUTYXmhPdfWAlRQTdZEvAdltuhIDpsYhjRMh67LO12fCD1j54JGRJvoJP+mi7gSQ9VrLwc4fyiAqLbirbHXWtWO6jehnN3hdPLquFgVNJQaxqZUmE0LVSEheT6l3Dlckj9yFZ5WKE2WvHXgLE9F+A+1qK2e0o21Xy4hY0fXL9zL4nd83hHV3amWhVdWfLuio5OkJKZVsQ==
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 26, revalidations 0
com. 4771 DNSKEY 256 3 8 AwEAAadfNlrLwDe1W0klTRoNDeeEfZAop76YMUvOtl2pu0lXE5Fzj1sDROflxnOGTI9RfwrA0rD0ixBkW32Pu1nheytLBrPZ32hva+iY8jYQ/TPiMsbc/soa8KHQ77eaJtJAImc+VLuXrI1QmRyrywJWU1fkZ9GyPP5YAhgnttH6ZDXgMeJYjzs5CLfMiV9vAWFgJvy98bG97JP3PpHL9/8BTGM=
com. 4771 DNSKEY 257 3 8 AQPDzldNmMvZFX4NcNJ0uEnKDg7tmv/F3MyQR0lpBmVcNcsIszxNFxsBfKNW9JYCYqpik8366LE7VbIcNRzfp2h9OO8HRl+H+E08zauK8k7evWEmu/6od+2boggPoiEfGNyvNPaSI7FOIroDsnw/taggzHRX1Z7SOiOiPWPNIwSUyWOZ79VmcQ1GLkC6NlYvG3HwYmynQv6oFwGv/KELSw7ZSdrbTQ0HXvZbqMUI7BaMskmvgm1G7oKZ1YiF7O9ioVNc0+7ASbqmZN7Z98EGU/Qh2K/BgUe8Hs0XVcdPKrtyYnoQHd2ynKPcMMlTEih2/2HDHjRPJ2aywIpKNnv4oPo/
; ranked rrset to_wire false, rank 021 (omit auth), cached false, qry_uid 26, revalidations 0
com. 86400 RRSIG DNSKEY 8 1 86400 20201126192421 20201111191921 30909 com. p+3loL9LZjCTV2qOLVrHGTQUJpRsILARSVfNyu3DgnMKL+PnyAf01536ptf8R4hOL5dotMExgKySfE3MjogoWz+Y+C34jYoasWKTctMmT8xDW5Cv7Md3Apz7XyXprdy6aZedWfDTeWvYPgGOhLVY7KnL2TezDQ0n08lpeK70QJv6kD9kCTfwq45VWo5aPhDTFt7RqW7Qlkva0GtnYdSJRiH7QtfIvLZddp6ZIAZ/7INllsbdIn0THHPPiiyYwe7WEz25cEU6LR9t7NdmLjEFwgCD5IJzcWk0VXy9Ca9b/17hodH7HsvlR1hrx56ay0SQ2E16wAfKhYlLGAENMzQnWg==
; ranked rrset to_wire false, rank 020 (initial auth), cached false, qry_uid 32, revalidations 0
vercel-dns.com. 86400 NS ns1.vercel-dns.com.
vercel-dns.com. 86400 NS ns2.vercel-dns.com.
; ranked rrset to_wire true, rank 030 (insecure auth), cached true, qry_uid 33, revalidations 0
cname.vercel-dns.com. 60 A 0.0.0.0
[69907.00][dbg ] selected rrsets from authority sections:
; ranked rrset to_wire false, rank 060 (secure auth), cached true, qry_uid 12, revalidations 0
com. 209 SOA a.gtld-servers.net. nstld.verisign-grs.com. 1605203800 1800 900 604800 86400
; ranked rrset to_wire false, rank 060 (secure auth), cached true, qry_uid 12, revalidations 0
com. 900 RRSIG SOA 8 1 900 20201119175640 20201112164640 31510 com. jvN32o59bVS1f8KkIEFLP4NtQg41m8sOAqbzFVixQGSZQewKOJZ+lzJx472f+/pGBe+77RySnHKUH4X50r61wnrU3HoTF0WVyPsB7Zecav8qk/WF0kKVoOjUeKytIWd30noatVI+AEaYf2f5wfaRYDRFtRHONf8W09i9W74IoPlH+8/3agwgrt9Ph5LWpYFjjIbpY9pD5D4VNSrFV6lgXw==
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 12, revalidations 0
ck0pojmg874ljref7efn8430qvit8bsm.com. 85709 NSEC3 1 1 0 - ck0q1gin43n1arrc9osm6qpqr81h5m9a NS SOA RRSIG DNSKEY NSEC3PARAM
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 12, revalidations 0
ck0pojmg874ljref7efn8430qvit8bsm.com. 86400 RRSIG NSEC3 8 2 86400 20201117054050 20201110043050 31510 com. QcCRv0+WLMMhx/fo86861gisW7X+bjfa2dNfTCc8NT+8lGOccnPlELGCrupodzjN4aJ8eSDV6k2y5c+S8LdA2N9hRmN6gKA+BjRxIcdh2Yg5v1UUoG4/szoFZT34lzkDX8KtIePwBGIEH8LEMXYhf3gtkD7TLd5UfNpokZwyzEeeRQz5eD68Ax1bO4TkaYRN2Z9KiiE6SzQRMXuhSmg2Cw==
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 12, revalidations 0
55ajmvj26qps66dvcfjf4qgitlh6olfd.com. 85709 NSEC3 1 1 0 - 55ak9166puhhq99kh7ojjhtk6un1fvs4 NS DS RRSIG
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 12, revalidations 0
55ajmvj26qps66dvcfjf4qgitlh6olfd.com. 86400 RRSIG NSEC3 8 2 86400 20201116053951 20201109042951 31510 com. CVq6J1Gcv3Hu/lYiYwMCN4waTw6rlshFq2mdItEiBTLGRcPm3myhOL1GveU5lLe6s+xkTKjZdJ6yRRCbZoip/aV8QbQbMW4TDIe4LKeOpSdOltNt9cG0fpjSW6kBP3xnG/EH4ziq7Jq+OXAx4aaW+j2MkPeFwWkd44EdqoIJwZnyl2LmN7GS2VXzwVyonD7uKPf2OmQsNRQNcgxm+Y7PMg==
; ranked rrset to_wire false, rank 060 (secure auth), cached true, qry_uid 29, revalidations 0
com. 900 SOA a.gtld-servers.net. nstld.verisign-grs.com. 1605204490 1800 900 604800 86400
; ranked rrset to_wire false, rank 060 (secure auth), cached true, qry_uid 29, revalidations 0
com. 900 RRSIG SOA 8 1 900 20201119180810 20201112165810 31510 com. jHymJ9+FoWKJ80bnJyvqpgPlbEW+uaIT9lFNMNgZUf+lgp3NaR+e0F59wN36B/R4eL2ejbB+I5x3vWK9MgD6wt0f+1AK84nAEDNYndp5CYRtjTNBHGeieO6S/RJKUJQSTjM3KKlewVT0QoRtNiRjhJ4VsdeX85AoMfOcxup9kDHnq2UN4RFr/ba2w9Y9z5ajEaKip2GraYYZt7mUOKF7mw==
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 29, revalidations 0
ck0pojmg874ljref7efn8430qvit8bsm.com. 86400 NSEC3 1 1 0 - ck0q1gin43n1arrc9osm6qpqr81h5m9a NS SOA RRSIG DNSKEY NSEC3PARAM
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 29, revalidations 0
ck0pojmg874ljref7efn8430qvit8bsm.com. 86400 RRSIG NSEC3 8 2 86400 20201117054050 20201110043050 31510 com. QcCRv0+WLMMhx/fo86861gisW7X+bjfa2dNfTCc8NT+8lGOccnPlELGCrupodzjN4aJ8eSDV6k2y5c+S8LdA2N9hRmN6gKA+BjRxIcdh2Yg5v1UUoG4/szoFZT34lzkDX8KtIePwBGIEH8LEMXYhf3gtkD7TLd5UfNpokZwyzEeeRQz5eD68Ax1bO4TkaYRN2Z9KiiE6SzQRMXuhSmg2Cw==
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 29, revalidations 0
28va0kf9hvfvhk3rij8dd0uhlvld2bk3.com. 86400 NSEC3 1 1 0 - 28vasp4p2jno8gj0l2doqd24npevik9l NS DS RRSIG
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 29, revalidations 0
28va0kf9hvfvhk3rij8dd0uhlvld2bk3.com. 86400 RRSIG NSEC3 8 2 86400 20201118070201 20201111055201 31510 com. gvdrxGsODv/hZtLqUzZcSG+LVJPJX2gEEWj9eulb3jtooiG7dpUZnRVcbXauZZ6jaW62u0JKxjjYY13/1adnBtvCSAZBKLVFZtmq2N9JEfxKRpcm1+p6R72NcY3QDML4jdCOS2VfFHIFH1SjpxQEK9VM6F+A6UDJVshb7mjG8t0HTo2ag+tVynJxl1jsqKnIaQxGo8lHmXqjMrOPRAhTXQ==
```

https://gitlab.nic.cz/knot/knot-resolver/-/issues/640
remove SAFEMODE
2021-02-09T13:54:01+01:00
Štěpán Balážik

I have no real solution in mind, I'll just keep a running list of what `SAFEMODE` does here, since I have been bitten in the backparts by it multiple times and the documentation really doesn't cut it (“Don’t use fancy stuff (EDNS, 0x20, …)”).
* turns off `0x20` randomization
* turns off server selection (to be changed in !1030)
* turns off some EDNS stuff that I don't understand
* ensures that there is a retry after REFUSED (see code below; this means that if you overwrite `query->SAFEMODE` after this, the resolver may cycle on REFUSED)
```c
static int resolve_badmsg(knot_pkt_t *pkt, struct kr_request *req, struct kr_query *query)
{
#ifndef STRICT_MODE
	/* Work around broken auths/load balancers */
	if (query->flags.SAFEMODE) {
		return resolve_error(pkt, req);
	} else if (query->flags.NO_MINIMIZE) {
		query->flags.SAFEMODE = true;
		return KR_STATE_DONE;
	} else {
		query->flags.NO_MINIMIZE = true;
		return KR_STATE_DONE;
	}
#else
	return resolve_error(pkt, req);
#endif
}
```
Removing it is probably a better idea: especially with the new server selection error reporting we could probably make the workarounds more granular than they are now.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/639
kdig TLS, handshake failed (A TLS fatal alert has been received.)
2020-11-05T10:38:44+01:00
Windy G

I am trying DNS resolution via HTTPS. Other popular servers (google, cloudflare) work fine, but fail to run with `free.bravedns.com`, which is one of the URLs provided by the `curl` project here: https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers
```
kdig -d @free.bravedns.com +https=/dns-query +https-get example.com -t A -4
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(free.bravedns.com), port(443), protocol(TCP)
;; WARNING: TLS, handshake failed (A TLS fatal alert has been received.)
;; WARNING: TLS, handshake failed (A TLS fatal alert has been received.)
;; WARNING: TLS, handshake failed (A TLS fatal alert has been received.)
;; ERROR: failed to query server free.bravedns.com@443(TCP)
```
Resolving the same domain using the same server with `curl` works fine though:
```
curl -H 'accept: application/dns-json' 'https://free.bravedns.com/dns-query?name=example.com&type=A'
"Status":0,"TC":false,"RD":true,"RA":true,"AD":true,"CD":false,"Question":[{"name":"example.com","type":1}],"Answer":[{"name":"example.com","type":1,"TTL":77546,"data":"93.184.216.34"}]}
```
Similarly, I could use `doh-jp.blahdns.com` with `curl` but got errors with `kdig`.
```
kdig -d @doh-jp.blahdns.com +https=/dns-query example.com -t A -4 +timeout=15
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(doh-jp.blahdns.com), port(443), protocol(TCP)
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, CN=dot-jp.blahdns.com
;; DEBUG: SHA-256 PIN: gIoiNFxX1Nw+7/pVsmUKBU941bMBYjEYuB2T9drULOM=
;; DEBUG: #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
;; DEBUG: SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, skipping certificate verification
;; WARNING: TLS, peer has closed the connection
;; ERROR: failed to query server doh-jp.blahdns.com@443(TCP)
```
```
curl -H 'accept: application/dns-json' 'https://doh-jp.blahdns.com/dns-query?name=example.com&type=A'
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":true,"CD":false,"Question":[{"name":"example.com.","type":1}],"Answer":[{"name":"example.com.","type":1,"TTL":26102,"Expires":"Thu, 05 Nov 2020 13:36:21 UTC","data":"93.184.216.34"},{"name":"example.com.","type":46,"TTL":26102,"Expires":"Thu, 05 Nov 2020 13:36:21 UTC","data":"A 8 2 86400 20201115051118 20201025154454 62811 example.com. P8BE247EZ54+DZ1aZOVDYv3MxnxT+XAmd1W41PyBCB0QopMxAe7l6brVVXQtfDwsY6wL71BKZL7eTsyWYP9x4JQTYeY6UIwXeuOQ+uS8A+fGlQBaaPCIZCw0JQQTCCmCmmrrwpkIDAiunF0UOeRZl3CzE5QOX0lw4db/3M6nIKg="}]}
```