Knot Resolver issues
https://gitlab.nic.cz/knot/knot-resolver/-/issues
Updated: 2021-05-21T01:52:53+02:00

https://gitlab.nic.cz/knot/knot-resolver/-/issues/673
trust_anchors.set_insecure may miss some names
Updated: 2021-05-21T01:52:53+02:00
Author: Vladimír Čunát (vladimir.cunat@nic.cz)

If the same authoritative server IPs serve names both above and below the configured negative trust anchors, the downgrade to insecure may not happen in some cases.

Assignee: Vladimír Čunát (vladimir.cunat@nic.cz)

https://gitlab.nic.cz/knot/knot-resolver/-/issues/668
Replace potentially zero-length VLAs in selection_iter.c with arrays from lib/generic
Updated: 2021-05-20T13:20:57+02:00
Author: Štěpán Balážik

Over the weekend I was playing with undefined behavior sanitizer (i.e. compiling with `-fsanitize=undefined`) and ran Deckard with it.
While most of the errors point to `member access within misaligned address type '(const)? struct entry_h', which requires 4 byte alignment` in `lib/cache` (which are false positives I suppose, I don't understand the cache implementation enough), there is also this one:
`lib/selection_iter.c:243:16: runtime error: variable length array bound evaluates to non-positive value 0`
The code in question is in the `iter_choose_transport` function and prepares a VLA for flattening of a trie for easier manipulation.
```c
struct choice choices[trie_weight(local_state->addresses)];
/* We may try to resolve A and AAAA record for each name, so therefore
* 2*trie_weight(…) is here. */
struct to_resolve resolvable[2 * trie_weight(local_state->names)];
```
`trie_weight` however can be 0 which leads to undefined behavior.
Replacing these with arrays from `lib/generic` should be easy and would maybe even lead to nicer code since they include a length field which is needed later down the line.
Furthermore coverage from Deckard probably isn't that great so we may consider running more tests with `-fsanitize=undefined`.

Assignee: Štěpán Balážik

https://gitlab.nic.cz/knot/knot-resolver/-/issues/9
daemon: RPC interface (json-based, possibly unbound-rpc/rndc wrapper)
Updated: 2021-04-16T19:20:19+02:00
Author: Ghost User
Milestone: 2015 Q1

https://gitlab.nic.cz/knot/knot-resolver/-/issues/8
daemon: configuration parser/interface
Updated: 2021-04-16T19:20:19+02:00
Author: Ghost User
Milestone: 2015 Q1

https://gitlab.nic.cz/knot/knot-resolver/-/issues/7
cache: garbage collection scheme / aging
Updated: 2021-04-16T19:20:19+02:00
Author: Ghost User
Milestone: 2015 Q1

https://gitlab.nic.cz/knot/knot-resolver/-/issues/6
tests: CMocka-based unit tests for current APIs
Updated: 2021-04-16T19:20:19+02:00
Author: Ghost User

library:
* resolution
* cache
* zone cuts
* utils

daemon:
* tcp
* udp
* worker

Milestone: 2015 Q1

https://gitlab.nic.cz/knot/knot-resolver/-/issues/5
tests: test binary using socket_wrapper (cwrap)
Updated: 2021-04-16T19:20:19+02:00
Author: Ghost User

Things missing:
* [x] Wrap I/O syscalls instead of libknot library calls (more portable, generic)
* [ ] Make Python test server listen on all addresses listed in the test
* [ ] use socket_wrapper to isolate it in a test environment https://cwrap.org/socket_wrapper.html
* [ ] isolate the binary as well and test if it connects to the faked servers
* [ ] prepare configuration for binary in the test cases
* [ ] check that all tests pass on the binary!
* [ ] Documentation (may reference to the https://www.unbound.net/documentation/doxygen/replay_8h.html#details)
* [ ] Publish this as a tool to test recursive/auth DNS compliance

Milestone: 2015 Q3
Assignee: Grigorii Demidov

https://gitlab.nic.cz/knot/knot-resolver/-/issues/4
cache using namedb api
Updated: 2021-04-16T19:20:18+02:00
Author: Ghost User

The cache should use the generic namedb api, but it's not possible right now for a couple of reasons:
* No single key - multiple values paradigm, but we probably shouldn't implement it in the API as it's too complex
* Current node serialization is expensive, it would be best if the "node" was stored in linear memory, and the "rrdata" as well. This way, pickling/unpickling could be as simple as memory mapping. This is important, as the node access is potentially a very frequent operation. Unless we implement this, the direct access + SKMV is the best thing.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/3
lib: basic query-response implementation, based on requestor
Updated: 2021-04-16T19:20:17+02:00
Author: Ghost User

Needs imported requestor and list of root hints.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/2
Mockup tests for synchronous name resolution api
Updated: 2021-04-16T19:20:17+02:00
Author: Ghost User

https://gitlab.nic.cz/knot/knot-resolver/-/issues/1
Import libknot, dummy interface for synchronous resolving
Updated: 2021-04-16T19:20:17+02:00
Author: Ghost User

https://gitlab.nic.cz/knot/knot-resolver/-/issues/426
SIGBUS on ARM
Updated: 2021-04-16T11:10:40+02:00
Author: Vladimír Čunát (vladimir.cunat@nic.cz)

@dkg wrote: fwiw, i think we're having a problem just running the armhf (32-bit arm with hard-float) build of knot-resolver on top of an arm64 kernel (despite the kernel otherwise running fine with an entirely 32-bit userland).
you can see the [build logs for knot-resolver on armhf](https://buildd.debian.org/status/logs.php?pkg=knot-resolver&arch=armhf&suite=sid) -- the machine named `arm-arm-01` is an arm64 kernel and armhf userland, and the test suite was fully re-enabled on all platforms in version 3.0.0-4.

https://gitlab.nic.cz/knot/knot-resolver/-/issues/671
TLS_FORWARD can get stuck on broken addresses (v5.3.0)
Updated: 2021-03-24T16:09:15+01:00
Author: Vladimír Čunát (vladimir.cunat@nic.cz)

With normal TLS-forwarding config, e.g.:
```lua
policy.add(policy.all(policy.TLS_FORWARD({
{ '8.8.8.8', hostname='dns.google' },
{ '8.8.4.4', hostname='dns.google' },
{ '2001:4860:4860::8888', hostname='dns.google' },
{ '2001:4860:4860::8844', hostname='dns.google' },
})))
```
but part of addresses disabled, e.g.
```bash
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
```
some queries get stuck in a very long "loop" of attempting connection to the non-working IPs, even though half of them works. Example log snippet: [tls_forward.log](/uploads/a5716360f9a3e6879160ff0766e37add/tls_forward.log)
_!1143 doesn't trigger here; it wasn't meant for forwarding and individual addresses might be broken for other reasons anyway._

Milestone: 5.3.1

https://gitlab.nic.cz/knot/knot-resolver/-/issues/649
server selection: consider switching to TCP instead of backing off the timeouts to high values
Updated: 2021-02-18T16:56:41+01:00
Author: Štěpán Balážik

The following discussion from !1030 should be addressed:
- [ ] @sbalazik started a [discussion](https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1030#note_184303): (+1 comment)
> `config.hints` test [is timing out sometimes](https://gitlab.nic.cz/knot/knot-resolver/-/jobs/463522) on this branch and so far, I have no idea why.
>
> ```
> 22/36 knot-resolver:postinstall+config+skip_asan / config.hints TIMEOUT 120.05 s
> --- command ---
> KRESD_NO_LISTEN='1' PATH='/builds/knot/knot-resolver/.local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' TEST_FILE='/builds/knot/knot-resolver/modules/hints/tests/hints.test.lua' SOURCE_PATH='/builds/knot/knot-resolver/tests/config' /builds/knot/knot-resolver/tests/config/../../scripts/test-config.sh -c /builds/knot/knot-resolver/build_ci/../tests/config/test.cfg -n
> --- stdout ---
> /builds/knot/knot-resolver/.local/sbin/kresd
> processing test file /builds/knot/knot-resolver/modules/hints/tests/hints.test.lua
> ok 1 - has IP address for a.root-servers.net.
> ok 2 - load root hints from file
> ok 3 - can retrieve root hints
> ok 4 - real IP address for a.root-servers.net. is replaced
> ok 5 - real IP address for a.root-servers.net. is correct
> [65536.00][rplan] [qry tree] badname.lan. A (0) <-
> [65536.00][rplan] [push] pending 1; badname.lan. A (0) | resolved 0
> [65536.03][rplan] [qry tree] . DNSKEY (3) <- badname.lan. A (2) <-
> [65536.03][rplan] [push] pending 2; . DNSKEY (3); badname.lan. A (2) | resolved 0
> ```
This is because the `iter_ns_badip.rpl` workaround allows the pushing of the same query to `rplan` twice in a row, which leads to multiple tries with back-off of the timeout to resolve `. DNSKEY` or `a.root-servers.net AAAA` (if DNSSEC is turned off). The old selection implementation switches to TCP after a few tries and there the connection fails and the NS address is `flagged as 'bad'`.
Switching to TCP instead of backing off into big timeouts might be a good idea which might even help with the pathological cases that appear in `respdiff` now.

Milestone: 5.3.0

https://gitlab.nic.cz/knot/knot-resolver/-/issues/640
remove SAFEMODE
Updated: 2021-02-09T13:54:01+01:00
Author: Štěpán Balážik

I have no real solution in mind, I'll just keep a running list of what `SAFEMODE` does here, since I have been bitten in the backparts by it multiple times and the documentation really doesn't cut it (“Don’t use fancy stuff (EDNS, 0x20, …)”).
* turns off `0x20` randomization
* turns off server selection (to be changed in !1030)
* turns off some EDNS stuff that I don't understand
* ensures that there is a retry after REFUSED (see code below; this means that if you overwrite `query->SAFEMODE` after this, the resolver may cycle on REFUSED)
```c
static int resolve_badmsg(knot_pkt_t *pkt, struct kr_request *req, struct kr_query *query)
{
#ifndef STRICT_MODE
    /* Work around broken auths/load balancers */
    if (query->flags.SAFEMODE) {
        return resolve_error(pkt, req);
    } else if (query->flags.NO_MINIMIZE) {
        query->flags.SAFEMODE = true;
        return KR_STATE_DONE;
    } else {
        query->flags.NO_MINIMIZE = true;
        return KR_STATE_DONE;
    }
#else
    return resolve_error(pkt, req);
#endif
}
```
Removing it is probably a better idea: especially with the new server selection error reporting we could probably make the workarounds more granular than they are now.

Assignee: Štěpán Balážik

https://gitlab.nic.cz/knot/knot-resolver/-/issues/661
resolution of `mail.comcast.com MX` fails
Updated: 2021-01-28T12:25:07+01:00
Author: Štěpán Balážik

`respdiff` suggests it should succeed.
I haven't looked closely into this, but from the surface it looks related to #626 and #659.
Log from 63d02c443f8217650cc84c32cc9fb27d207f18d0.
```
[00000.00][plan] plan 'mail.comcast.net.' type 'MX' uid [46333.00]
[46333.00][iter] 'mail.comcast.net.' type 'MX' new uid was assigned .01, parent uid .00
[46333.01][cach] => no NSEC* cached for zone: net.
[46333.01][cach] => skipping zone: net., NSEC, hash 0;new TTL -123456789, ret -2
[46333.01][cach] => skipping zone: net., NSEC, hash 0;new TTL -123456789, ret -2
[46333.01][zcut] found cut: net. (rank 002 return codes: DS 0, DNSKEY 0)
[46333.01][resl] => id: '15433' querying: '2001:503:eea3::30#00053' score: 79 zone cut: 'net.' qname: 'CoMCAst.neT.' qtype: 'NS' proto: 'udp'
[46333.01][iter] <= loaded 10 glue addresses
[46333.01][iter] <= referral response, follow
[46333.01][vldr] <= DS: OK
[46333.01][vldr] <= answer valid, OK
[46333.01][cach] => stashed comcast.net. DS, rank 060, 264 B total, incl. 1 RRSIGs
[46333.01][cach] => stashed comcast.net. NS, rank 002, 124 B total, incl. 0 RRSIGs
[46333.01][cach] => stashed also 10 nonauth RRsets
[46333.01][resl] <= server: '2001:503:eea3::30' rtt: 43 ms
[46333.01][iter] 'mail.comcast.net.' type 'MX' new uid was assigned .02, parent uid .00
[46333.02][plan] plan 'comcast.net.' type 'DNSKEY' uid [46333.03]
[46333.03][iter] 'comcast.net.' type 'DNSKEY' new uid was assigned .04, parent uid .02
[46333.04][cach] => no NSEC* cached for zone: comcast.net.
[46333.04][cach] => skipping zone: comcast.net., NSEC, hash 0;new TTL -123456789, ret -2
[46333.04][cach] => skipping zone: comcast.net., NSEC, hash 0;new TTL -123456789, ret -2
[46333.04][resl] => id: '01302' querying: '2001:558:1014:c:68:87:76:228#00053' score: 10 zone cut: 'comcast.net.' qname: 'COMcasT.neT.' qtype: 'DNSKEY' proto: 'udp'
[46333.04][iter] <= rcode: NOERROR
[46333.04][vldr] <= parent: updating DNSKEY
[46333.04][vldr] <= answer valid, OK
[46333.04][cach] => stashed comcast.net. DNSKEY, rank 060, 870 B total, incl. 2 RRSIGs
[46333.04][resl] <= server: '2001:558:1014:c:68:87:76:228' rtt: 191 ms
[46333.02][iter] 'mail.comcast.net.' type 'MX' new uid was assigned .05, parent uid .00
[46333.05][resl] => id: '50780' querying: '68.87.76.228#00053' score: 10 zone cut: 'comcast.net.' qname: 'MaIL.COmCAST.Net.' qtype: 'MX' proto: 'udp'
[46333.05][iter] <= rcode: NOERROR
[46333.05][iter] <= cname chain, following
[00000.00][plan] plan 'imap.ge.xfinity.com.' type 'MX' uid [46333.06]
[46333.05][vldr] <= answer valid, OK
[46333.05][cach] => stashed mail.comcast.net. CNAME, rank 060, 200 B total, incl. 1 RRSIGs
[46333.05][resl] <= server: '68.87.76.228' rtt: 194 ms
[46333.06][iter] 'imap.ge.xfinity.com.' type 'MX' new uid was assigned .07, parent uid .00
[46333.07][cach] => trying zone: ., NSEC, hash 0
[46333.07][cach] => NSEC sname: range search miss (!covers)
[46333.07][cach] => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
[46333.07][zcut] found cut: . (rank 060 return codes: DS -2, DNSKEY 0)
[46333.07][resl] >< TA: '.'
[46333.07][resl] => id: '16802' querying: '2001:500:12::d0d#00053' score: 53 zone cut: '.' qname: 'Com.' qtype: 'NS' proto: 'udp'
[46333.07][iter] <= loaded 26 glue addresses
[46333.07][iter] <= referral response, follow
[46333.07][vldr] <= DS: OK
[46333.07][vldr] <= answer valid, OK
[46333.07][cach] => stashed com. DS, rank 060, 330 B total, incl. 1 RRSIGs
[46333.07][cach] => stashed com. NS, rank 002, 300 B total, incl. 0 RRSIGs
[46333.07][cach] => not overwriting AAAA a.gtld-servers.net.
[46333.07][cach] => not overwriting A a.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA e.gtld-servers.net.
[46333.07][cach] => not overwriting A e.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA h.gtld-servers.net.
[46333.07][cach] => not overwriting A h.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA k.gtld-servers.net.
[46333.07][cach] => not overwriting A k.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA m.gtld-servers.net.
[46333.07][cach] => not overwriting A m.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA g.gtld-servers.net.
[46333.07][cach] => not overwriting A g.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA i.gtld-servers.net.
[46333.07][cach] => not overwriting A i.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA c.gtld-servers.net.
[46333.07][cach] => not overwriting A c.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA f.gtld-servers.net.
[46333.07][cach] => not overwriting A f.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA d.gtld-servers.net.
[46333.07][cach] => not overwriting A d.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA b.gtld-servers.net.
[46333.07][cach] => not overwriting A b.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA j.gtld-servers.net.
[46333.07][cach] => not overwriting A j.gtld-servers.net.
[46333.07][cach] => not overwriting AAAA l.gtld-servers.net.
[46333.07][cach] => not overwriting A l.gtld-servers.net.
[46333.07][resl] <= server: '2001:500:12::d0d' rtt: 53 ms
[46333.07][iter] 'imap.ge.xfinity.com.' type 'MX' new uid was assigned .08, parent uid .00
[46333.08][plan] plan 'com.' type 'DNSKEY' uid [46333.09]
[46333.09][iter] 'com.' type 'DNSKEY' new uid was assigned .10, parent uid .08
[46333.10][cach] => no NSEC* cached for zone: com.
[46333.10][cach] => skipping zone: com., NSEC, hash 0;new TTL -123456789, ret -2
[46333.10][cach] => skipping zone: com., NSEC, hash 0;new TTL -123456789, ret -2
[46333.10][resl] => id: '64293' querying: '2001:503:83eb::30#00053' score: 72 zone cut: 'com.' qname: 'cOM.' qtype: 'DNSKEY' proto: 'udp'
[46333.10][iter] <= rcode: NOERROR
[46333.10][vldr] <= parent: updating DNSKEY
[46333.10][vldr] <= answer valid, OK
[46333.10][cach] => stashed com. DNSKEY, rank 060, 730 B total, incl. 1 RRSIGs
[46333.10][resl] <= server: '2001:503:83eb::30' rtt: 46 ms
[46333.08][iter] 'imap.ge.xfinity.com.' type 'MX' new uid was assigned .11, parent uid .00
[46333.11][resl] => id: '12580' querying: '2001:502:8cc::30#00053' score: 44 zone cut: 'com.' qname: 'xFiNiTy.COm.' qtype: 'NS' proto: 'udp'
[46333.11][iter] <= referral response, follow
[46333.11][vldr] <= DS: OK
[46333.11][vldr] <= answer valid, OK
[46333.11][cach] => stashed xfinity.com. DS, rank 060, 264 B total, incl. 1 RRSIGs
[46333.11][cach] => stashed xfinity.com. NS, rank 002, 124 B total, incl. 0 RRSIGs
[46333.11][resl] <= server: '2001:502:8cc::30' rtt: 45 ms
[46333.11][iter] 'imap.ge.xfinity.com.' type 'MX' new uid was assigned .12, parent uid .00
[46333.12][plan] plan 'xfinity.com.' type 'DNSKEY' uid [46333.13]
[46333.13][iter] 'xfinity.com.' type 'DNSKEY' new uid was assigned .14, parent uid .12
[46333.14][cach] => no NSEC* cached for zone: xfinity.com.
[46333.14][cach] => skipping zone: xfinity.com., NSEC, hash 0;new TTL -123456789, ret -2
[46333.14][cach] => skipping zone: xfinity.com., NSEC, hash 0;new TTL -123456789, ret -2
[46333.14][plan] plan 'dns103.comcast.net.' type 'AAAA' uid [46333.15]
[46333.15][iter] 'dns103.comcast.net.' type 'AAAA' new uid was assigned .16, parent uid .14
[46333.16][cach] => satisfied by exact RRset: rank 001, new TTL 172800
[46333.16][iter] <= rcode: NOERROR
[46333.14][iter] 'xfinity.com.' type 'DNSKEY' new uid was assigned .17, parent uid .12
[46333.17][resl] => id: '36870' querying: '2001:558:1014:c:68:87:76:228#00053' score: 191 zone cut: 'xfinity.com.' qname: 'XFINiTY.coM.' qtype: 'DNSKEY' proto: 'udp'
[46333.17][iter] <= rcode: NOERROR
[46333.17][vldr] <= parent: updating DNSKEY
[46333.17][vldr] <= answer valid, OK
[46333.17][cach] => stashed xfinity.com. DNSKEY, rank 060, 870 B total, incl. 2 RRSIGs
[46333.17][resl] <= server: '2001:558:1014:c:68:87:76:228' rtt: 193 ms
[46333.12][iter] 'imap.ge.xfinity.com.' type 'MX' new uid was assigned .18, parent uid .00
[46333.18][plan] plan 'dns104.comcast.net.' type 'AAAA' uid [46333.19]
[46333.19][iter] 'dns104.comcast.net.' type 'AAAA' new uid was assigned .20, parent uid .18
[46333.20][cach] => satisfied by exact RRset: rank 001, new TTL 172800
[46333.20][iter] <= rcode: NOERROR
[46333.18][iter] 'imap.ge.xfinity.com.' type 'MX' new uid was assigned .21, parent uid .00
[46333.21][resl] => id: '58082' querying: '2001:558:100a:5:68:87:68:244#00053' score: 10 zone cut: 'xfinity.com.' qname: 'ge.xFINIty.CoM.' qtype: 'NS' proto: 'udp'
[46333.21][iter] <= referral response, follow
[46333.21][vldr] <= answer valid, OK
[46333.21][cach] => stashed ge.xfinity.com. NSEC, rank 060, 210 B total, incl. 1 RRSIGs
[46333.21][cach] => stashed ge.xfinity.com. NS, rank 010, 188 B total, incl. 0 RRSIGs
[46333.21][cach] => nsec_p stashed for xfinity.com. (new, hash: 0)
[46333.21][resl] <= server: '2001:558:100a:5:68:87:68:244' rtt: 144 ms
[46333.21][iter] 'imap.ge.xfinity.com.' type 'MX' new uid was assigned .22, parent uid .00
[46333.22][resl] <= DS doesn't exist, going insecure
[46333.22][plan] plan 'gtd03-d.hillsboro.or.ndchlsbr.comcast.net.' type 'AAAA' uid [46333.23]
[46333.23][iter] 'gtd03-d.hillsboro.or.ndchlsbr.comcast.net.' type 'AAAA' new uid was assigned .24, parent uid .22
[46333.24][cach] => no NSEC* cached for zone: comcast.net.
[46333.24][cach] => skipping zone: comcast.net., NSEC, hash 0;new TTL -123456789, ret -2
[46333.24][cach] => skipping zone: comcast.net., NSEC, hash 0;new TTL -123456789, ret -2
[46333.24][zcut] found cut: comcast.net. (rank 002 return codes: DS 0, DNSKEY 0)
[46333.24][resl] => id: '62333' querying: '2001:558:1004:7:68:87:85:132#00053' score: 10 zone cut: 'comcast.net.' qname: 'NdchLsbR.CoMCAST.nEt.' qtype: 'NS' proto: 'udp'
[46333.24][iter] <= rcode: NOERROR
[46333.24][iter] <= retrying with non-minimized name
[46333.24][resl] <= server: '2001:558:1004:7:68:87:85:132' rtt: 165 ms
[46333.24][iter] 'gtd03-d.hillsboro.or.ndchlsbr.comcast.net.' type 'AAAA' new uid was assigned .25, parent uid .22
[46333.25][resl] => id: '33890' querying: '2001:558:fe23:8:69:252:250:103#00053' score: 10 zone cut: 'comcast.net.' qname: 'GTD03-D.HiLLsBoRO.OR.ndChLsbR.cOMCASt.NET.' qtype: 'AAAA' proto: 'udp'
[46333.25][iter] <= rcode: NOERROR
[46333.25][vldr] >< cut changed, needs revalidation
[46333.25][resl] <= server: '2001:558:fe23:8:69:252:250:103' rtt: 127 ms
[46333.25][resl] => resuming yielded answer
[46333.25][vldr] >< no valid RRSIGs found: gtd03-d.hillsboro.or.ndchlsbr.comcast.net. AAAA (0 matching RRSIGs, 0 expired, 0 not yet valid, 0 invalid signer, 0 invalid label count, 0 invalid key, 0 invalid crypto, 0 invalid NSEC)
[46333.25][plan] plan 'ndchlsbr.comcast.net.' type 'DS' uid [46333.26]
[46333.26][iter] 'ndchlsbr.comcast.net.' type 'DS' new uid was assigned .27, parent uid .25
[46333.27][cach] => no NSEC* cached for zone: comcast.net.
[46333.27][cach] => skipping zone: comcast.net., NSEC, hash 0;new TTL -123456789, ret -2
[46333.27][cach] => skipping zone: comcast.net., NSEC, hash 0;new TTL -123456789, ret -2
[46333.27][resl] => id: '63949' querying: '2001:558:100e:5:68:87:72:244#00053' score: 10 zone cut: 'comcast.net.' qname: 'ndchLsbr.COMCAST.net.' qtype: 'DS' proto: 'udp'
[46333.27][iter] <= rcode: NOERROR
[46333.27][vldr] <= parent: updating DS
[46333.27][vldr] <= answer valid, OK
[46333.27][cach] => stashed northlake.il.ndchgo.comcast.net. NSEC, rank 060, 222 B total, incl. 1 RRSIGs
[46333.27][cach] => stashed comcast.net. SOA, rank 060, 248 B total, incl. 1 RRSIGs
[46333.27][cach] => nsec_p stashed for comcast.net. (new, hash: 0)
[46333.27][resl] <= server: '2001:558:100e:5:68:87:72:244' rtt: 146 ms
[46333.25][resl] => resuming yielded answer
[46333.25][vldr] >< no valid RRSIGs found: gtd03-d.hillsboro.or.ndchlsbr.comcast.net. AAAA (0 matching RRSIGs, 0 expired, 0 not yet valid, 0 invalid signer, 0 invalid label count, 0 invalid key, 0 invalid crypto, 0 invalid NSEC)
[46333.25][plan] plan 'ndchlsbr.comcast.net.' type 'DS' uid [46333.28]
[46333.28][iter] 'ndchlsbr.comcast.net.' type 'DS' new uid was assigned .29, parent uid .25
[46333.29][cach] => trying zone: comcast.net., NSEC, hash 0
[46333.29][cach] => NSEC sname: covered by: northlake.il.ndchgo.comcast.net. -> hillsboro.or.ndchlsbr.comcast.net., new TTL 3600
[46333.29][cach] => NSEC sname: empty non-terminal by the same RR
[46333.29][iter] <= rcode: NOERROR
[46333.29][vldr] <= parent: updating DS
[46333.29][vldr] <= answer valid, OK
[46333.25][resl] => resuming yielded answer
[46333.25][vldr] >< no valid RRSIGs found: gtd03-d.hillsboro.or.ndchlsbr.comcast.net. AAAA (0 matching RRSIGs, 0 expired, 0 not yet valid, 0 invalid signer, 0 invalid label count, 0 invalid key, 0 invalid crypto, 0 invalid NSEC)
[46333.25][vldr] <= continuous revalidation, fails
[46333.25][cach] => stashed gtd03-d.hillsboro.or.ndchlsbr.comcast.net. AAAA, rank 027, 32 B total, incl. 0 RRSIGs
[46333.25][cach] => not overwriting AAAA gtd03-d.hillsboro.or.ndchlsbr.comcast.net.
[46333.00][resl] request failed, answering with empty SERVFAIL
[46333.25][resl] finished in state: 8, queries: 8, mempool: 65600 B
```

https://gitlab.nic.cz/knot/knot-resolver/-/issues/643
SAD DNS (Side channel AttackeD DNS)
Updated: 2021-01-28T09:36:23+01:00
Author: Matt Taggart

New DNS cache poisoning attack, https://www.saddns.net/
I scanned the [paper](https://dl.acm.org/doi/pdf/10.1145/3372297.3417280) and it explicitly mentions bind, unbound, and dnsmasq as being affected, no mention either way for knot. I'm not sure if they make their tests available. Maybe it makes the most sense to contact the authors and work with them (I wish they had reached out to knot).

https://gitlab.nic.cz/knot/knot-resolver/-/issues/108
RFC 8198: Aggressive Use of DNSSEC-Validated Cache
Updated: 2021-01-26T10:03:00+01:00
Author: Ondřej Surý

Implementing this would probably require some changes in the cache, but I think it will be worthwhile as it creates less work for resolver and less work for authoritative.
Closed by: !422

Milestone: 2017 Q3
Assignee: Vladimír Čunát (vladimir.cunat@nic.cz)
Due date: 2017-10-31

https://gitlab.nic.cz/knot/knot-resolver/-/issues/655
create package for dnstap module
Updated: 2021-01-15T14:51:35+01:00
Author: Tomas Krizek

Support for `dnstap` module should be packaged. Using a separate package, such as `knot-resolver-module-dnstap`, probably makes the most sense. It also needs to be mentioned in dnstap documentation that an extra package is needed.
Reported from: https://github.com/CZ-NIC/knot-resolver/issues/71

Assignee: Jakub Ružička

https://gitlab.nic.cz/knot/knot-resolver/-/issues/666
kr_pkt_make_auth_header: Assertion `pkt && pkt->wire' failed
Updated: 2021-01-14T08:47:36+01:00
Author: Ghost User

Hi, I am using knot-resolver on Debian 9 and after upgrading to apt package version 5.2.1-1 I am not able to run daemons because of this error:
```
Jan 14 07:32:57 dnsr-res2 kresd[19169]: kresd: ../lib/utils.c:320: kr_pkt_make_auth_header: Assertion `pkt && pkt->wire' failed.
```
My configuration file:
```lua
-- Config file example usable for multi-user ISP resolver
-- Refer to manual: https://knot-resolver.readthedocs.io/en/latest/daemon.html#configuration
-- Drop root privileges
user('knot-resolver', 'knot-resolver')
-- Set Internal hostname
hostname("xxxxxx")
net.listen('127.0.0.1', 53, { kind = 'dns' })
net.listen('109.202.xx.xx', 53, { kind = 'dns' })
net.listen('::1', 53, { kind = 'dns', freebind = true })
net.listen('2a06:x:x:x::x', 53, { kind = 'dns', freebind = true })
-- Auto-maintain root TA
--trust_anchors.file = 'root.keys'
-- Large cache size, so we don't need to flush often
-- This can be larger than available RAM, least frequently accessed
-- records will be paged out
cache.size = 500 * MB
-- Load Useful modules
modules = {
'hints > iterate',
'bogus_log',
'view',
'stats',
'predict',
graphite = {
prefix = 'xxx',
host = 'xxx',
tcp = false
}
}
view:addr('127.0.0.1', policy.all(policy.PASS))
view:addr('::1', policy.all(policy.PASS))
view:addr('10.0.0.0/8', policy.all(policy.PASS))
view:addr('172.20.0.0/21', policy.all(policy.PASS))
view:addr('172.29.0.0/16', policy.all(policy.PASS))
view:addr('172.30.15.42', policy.all(policy.PASS))
view:addr('192.168.0.0/16', policy.all(policy.PASS))
view:addr('100.64.0.0/10', policy.all(policy.PASS))
view:addr('0.0.0.0/0', policy.all(policy.DROP))
view:addr('::/0', policy.all(policy.DROP))
local rpz_hazard = require('rpz-hazard_xxxxx')
-- Apply RPZ for all clients
policy.add(policy.suffix(rpz_hazard.genRPZ_RR, {
kres.str2dname('1-x-bet.com.'),
kres.str2dname('1x-bet.com.'),
kres.str2dname('1x-02.com.'),
kres.str2dname('1xbet.com.'),
kres.str2dname('1xbet1.com.'),
kres.str2dname('1xbet10.com.'),
kres.str2dname('1xbet101.com.'),
kres.str2dname('1xbet102.com.'),
kres.str2dname('1xbet103.com.'),
kres.str2dname('1xbet104.com.'),
kres.str2dname('1xbet105.com.'),
kres.str2dname('1xbet106.com.'),
kres.str2dname('1xbet107.com.'),
kres.str2dname('1xbet108.com.'),
kres.str2dname('1xbet109.com.'),
kres.str2dname('1xbet11.com.'),
kres.str2dname('1xbet110.com.'),
kres.str2dname('1xbet12.com.'),
kres.str2dname('1xbet13.com.'),
kres.str2dname('1xbet14.com.'),
kres.str2dname('1xbet15.com.'),
kres.str2dname('1xbet16.com.'),
kres.str2dname('1xbet17.com.'),
kres.str2dname('1xbet18.com.'),
kres.str2dname('1xbet19.com.'),
kres.str2dname('1xbet2.com.'),
kres.str2dname('1xbet20.com.'),
kres.str2dname('1xbet21.com.'),
kres.str2dname('1xbet23.com.'),
kres.str2dname('1xbet24.com.'),
kres.str2dname('1xbet25.com.'),
kres.str2dname('1xbet26.com.'),
kres.str2dname('1xbet27.com.'),
kres.str2dname('1xbet28.com.'),
kres.str2dname('1xbet29.com.'),
kres.str2dname('1xbet3.com.'),
kres.str2dname('1xbet30.com.'),
kres.str2dname('1xbet31.com.'),
kres.str2dname('1xbet32.com.'),
kres.str2dname('1xbet34.com.'),
kres.str2dname('1xbet35.com.'),
kres.str2dname('1xbet36.com.'),
kres.str2dname('1xbet37.com.'),
kres.str2dname('1xbet38.com.'),
kres.str2dname('1xbet39.com.'),
kres.str2dname('1xbet4.com.'),
kres.str2dname('1xbet40.com.'),
kres.str2dname('1xbet41.com.'),
kres.str2dname('1xbet42.com.'),
kres.str2dname('1xbet43.com.'),
kres.str2dname('1xbet45.com.'),
kres.str2dname('1xbet46.com.'),
kres.str2dname('1xbet47.com.'),
kres.str2dname('1xbet48.com.'),
kres.str2dname('1xbet49.com.'),
kres.str2dname('1xbet5.com.'),
kres.str2dname('1xbet50.com.'),
kres.str2dname('1xbet51.com.'),
kres.str2dname('1xbet52.com.'),
kres.str2dname('1xbet53.com.'),
kres.str2dname('1xbet54.com.'),
kres.str2dname('1xbet6.com.'),
kres.str2dname('1xbet60.com.'),
kres.str2dname('1xbet61.com.'),
kres.str2dname('1xbet62.com.'),
kres.str2dname('1xbet63.com.'),
kres.str2dname('1xbet64.com.'),
kres.str2dname('1xbet65.com.'),
kres.str2dname('1xbet67.com.'),
kres.str2dname('1xbet68.com.'),
kres.str2dname('1xbet69.com.'),
kres.str2dname('1xbet7.com.'),
kres.str2dname('1xbet70.com.'),
kres.str2dname('1xbet71.com.'),
kres.str2dname('1xbet72.com.'),
kres.str2dname('1xbet73.com.'),
kres.str2dname('1xbet74.com.'),
kres.str2dname('1xbet75.com.'),
kres.str2dname('1xbet76.com.'),
kres.str2dname('1xbet78.com.'),
kres.str2dname('1xbet79.com.'),
kres.str2dname('1xbet8.com.'),
kres.str2dname('1xbet80.com.'),
kres.str2dname('1xbet82.com.'),
kres.str2dname('1xbet84.com.'),
kres.str2dname('1xbet86.com.'),
kres.str2dname('1xbet87.com.'),
kres.str2dname('1xbet9.com.'),
kres.str2dname('1xbet90.com.'),
kres.str2dname('1xbet91.com.'),
kres.str2dname('1xbet92.com.'),
kres.str2dname('1xbet94.com.'),
kres.str2dname('1xbet95.com.'),
kres.str2dname('1xbetbk6.com.'),
kres.str2dname('1xbetbk13.com.'),
kres.str2dname('1xbkbet-1.com.'),
kres.str2dname('1xhov.xyz.'),
kres.str2dname('1xiiv.xyz.'),
kres.str2dname('betworld.com.'),
kres.str2dname('bk-1x-bet.com.'),
kres.str2dname('bosscasino.eu.'),
kres.str2dname('eatsleepbet.com.'),
kres.str2dname('sportingbull.com.'),
kres.str2dname('thelotter.com.'),
kres.str2dname('webmoneycasino.com.'),
kres.str2dname('xbet-1.com.'),
kres.str2dname('betworld1.com.'),
kres.str2dname('betworld2.com.'),
kres.str2dname('betworld3.com.'),
kres.str2dname('betworld4.com.'),
kres.str2dname('betworld5.com.'),
kres.str2dname('betworld6.com.'),
kres.str2dname('betworld7.com.'),
kres.str2dname('betworld8.com.'),
kres.str2dname('betworld9.com.'),
kres.str2dname('betworld10.com.'),
kres.str2dname('cz.sportingbull174.com.'),
kres.str2dname('agentlotto3.ru.'),
kres.str2dname('agentlotto.com.'),
kres.str2dname('lottoevents.com.'),
kres.str2dname('bet2u.com.'),
kres.str2dname('gunsbet.com.'),
kres.str2dname('playamo.com.'),
kres.str2dname('lokicasino.com.'),
}))
```
and Lua script:
```lua
local policy = require('kres_modules/policy')
local ffi = require('ffi')
local rpz = {}

-- ANSWER section: a CNAME from the queried name to the sinkhole name,
-- followed by the sinkhole's A or AAAA record.
function rpz.gen_answer_section(answer, sname, cname, answer_type, ip)
    answer:begin(kres.section.ANSWER)
    answer:put(sname, 5, answer:qclass(), kres.type.CNAME, kres.str2dname(cname))
    answer:put(kres.str2dname(cname), 900, answer:qclass(), answer_type, kres.str2ip(ip))
end

-- AUTHORITY section: NS records of the sinkhole zone (names redacted in the report).
function rpz.gen_authority_section(answer)
    answer:begin(kres.section.AUTHORITY)
    answer:put(kres.str2dname('xxxx'), 900, answer:qclass(), kres.type.NS, kres.str2dname('dnsa1.xxxx'))
    answer:put(kres.str2dname('xxxx'), 900, answer:qclass(), kres.type.NS, kres.str2dname('dnsa2.xxxx'))
    answer:put(kres.str2dname('xxxx'), 900, answer:qclass(), kres.type.NS, kres.str2dname('dnsa3.xxxx'))
end

-- ADDITIONAL section: glue A/AAAA records for the NS names above (addresses redacted).
function rpz.gen_additional_section(answer)
    answer:begin(kres.section.ADDITIONAL)
    answer:put(kres.str2dname('dnsa1.xxxx'), 900, answer:qclass(), kres.type.A, kres.str2ip('109.202.xxxx'))
    answer:put(kres.str2dname('dnsa1.xxxx'), 900, answer:qclass(), kres.type.AAAA, kres.str2ip('2a06:xxx'))
    answer:put(kres.str2dname('dnsa2.xxxx'), 900, answer:qclass(), kres.type.A, kres.str2ip('109.202.xxx'))
    answer:put(kres.str2dname('dnsa2.xxxx'), 900, answer:qclass(), kres.type.AAAA, kres.str2ip('2a06:xxx'))
    answer:put(kres.str2dname('dnsa3.xxxx'), 900, answer:qclass(), kres.type.A, kres.str2ip('85.xxxxx'))
    answer:put(kres.str2dname('dnsa3.xxxx'), 900, answer:qclass(), kres.type.AAAA, kres.str2ip('2a02xxxx'))
end

-- Policy action: for A and AAAA queries build an authoritative NOERROR answer
-- pointing at the sinkhole and finish the request; other types are passed on.
function rpz.genRPZ_RR(state, req)
    local answer = req.answer
    local qry = req:current()
    if qry.stype == kres.type.A then
        ffi.C.kr_pkt_make_auth_header(answer)
        answer:rcode(kres.rcode.NOERROR)
        rpz.gen_answer_section(answer, qry.sname, 'hazard.xxxx', kres.type.A, '109.xxxxx')
        rpz.gen_authority_section(answer)
        rpz.gen_additional_section(answer)
        return kres.DONE
    elseif qry.stype == kres.type.AAAA then
        ffi.C.kr_pkt_make_auth_header(answer)
        answer:rcode(kres.rcode.NOERROR)
        rpz.gen_answer_section(answer, qry.sname, 'hazard.xxxxx', kres.type.AAAA, '2a06:xxxxx')
        rpz.gen_authority_section(answer)
        rpz.gen_additional_section(answer)
        return kres.DONE
    else
        return state
    end
end

return rpz
```
Can you tell me where I should look to find some bug, please?