fails to resolve planet.gnome.org when forwarding and DNSSEC validation is on
When I have Knot Resolver 5.5.0 on Debian Bullseye set to forward requests, Knot Resolver fails to resolve planet.gnome.org with SERVFAIL.
The problem occurs when forwarding to either Quad9 or Cloudflare, with different systems on different networks (even in different countries). The problem does not happen when I disable forwarding. It also does not happen when I add +cd.
frederik@torino:~$ kdig planet.gnome.org
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 51346
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; planet.gnome.org. IN A
;; Received 34 B
;; Time 2022-04-13 17:59:50 CEST
;; From ::1@53(UDP) in 294.8 ms
frederik@torino:~$ kdig +cd planet.gnome.org
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 3633
;; Flags: qr rd ra cd; QUERY: 1; ANSWER: 4; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; planet.gnome.org. IN A
;; ANSWER SECTION:
planet.gnome.org. 894 IN CNAME router-default.apps.openshift4.gnome.org.
router-default.apps.openshift4.gnome.org. 900 IN A 8.43.85.5
router-default.apps.openshift4.gnome.org. 900 IN A 8.43.85.3
router-default.apps.openshift4.gnome.org. 900 IN A 8.43.85.4
;; Received 127 B
;; Time 2022-04-13 17:59:56 CEST
;; From ::1@53(UDP) in 136.4 ms
Log:
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][policy][07606.00] request packet:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 7606
;; Flags: rd QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
planet.gnome.org. A
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][policy][07606.00] following rrsets were marked as interesting:
;; selected from ANSWER sections:
; ranked rrset to_wire true, rank 060 (secure auth), cached false, qry_uid 1, revalidations 0
planet.gnome.org. 614 CNAME router-default.apps.openshift4.gnome.org.
; ranked rrset to_wire true, rank 021 (omit auth), cached false, qry_uid 1, revalidations 0
planet.gnome.org. 614 RRSIG CNAME 5 3 900 1651937377 1649345377 40692 gnome.org. LwqhAFM+ukN4HHE6QBHSehacwNgodYZrwGykePnayxgD4WCELd887iW7xnQm+CgebWligBJhFLQB5a0VV13j0UD95ji2q+1QBQbJ/lcxdHoh++i2Bhb0nWHQ148FsoE613oMX5wwWm4fpN0fmRPUugKXD2f5fAGFBD83e82QBZk=
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 5, revalidations 0
. 27913 DNSKEY 256 3 8 AwEAAak/ZU9wDNQD7XTAGTDkn32UR8I6auRDekbGky+yyWKdUHmwAJv90YHCUTib8aVBgNgbxkeeZGRx3W4+XhMZbfUr5fMwmD3u9P2yzJpbRtjGNM/XZvzGs9HHNymz3Bp851anHZfNy6pJud265/XMKzFlAY8sMJjum0hvx/DuCDELLyhsvdfOD9rHM93UXO0bcAjvI8tjZsGI+Pfp9KdxF9vS/sAzpFXKsldix+e6xv8rRS6WPg2LAooxF+eO5DgFSilYmnyCK4VPJ7ntjD/8m0bs128ZT1eY3oXCbojDv59lLAgrdGSbcVxQF2KHoUHDmkOC5BzG/1xRtW4v/3y4/H8=
. 27913 DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
; ranked rrset to_wire false, rank 021 (omit auth), cached false, qry_uid 5, revalidations 0
. 27913 RRSIG DNSKEY 8 0 172800 1651449600 1649635200 20326 . e/e+lsjJGKLiH638XbnFQrI1EUG8CTYh52loAQkKdzX2YzXpTePNDuvPAF7EreJoBNS9EabkwvLwo2O16kXu5kK7TIznS2IO4krC/7ILGVZAbq9EhdsIBKInkBavnokBC+qRrvE78wvbMcl/pt92j5AuoPMmv5lOdowxW/U1m8/MgLh1wU07tkZ2HRGRP6pGMefWDqzb3AvHnEp5rzMnpcOlrVQLPDutztZ6kpRMhTHnL+QN3BqYYIFFg/IQn+YvVSyHR/6/8UTawV9kLSYkab3Cbhgb6jYbxlOG8LcXvtTGwq/PfOcZjttBSsar3X7RjyGYM2hAfrGkMf7gk4X4KA==
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 8, revalidations 0
org. 35188 DS 26974 8 2 4FEDE294C53F438A158C41D39489CD78A86BEB0D8A0AEAFF14745C0D16E1DE32
; ranked rrset to_wire false, rank 021 (omit auth), cached false, qry_uid 8, revalidations 0
org. 35188 RRSIG DS 8 1 86400 1650906000 1649779200 47671 . gt0yxpNr3DEe3vdglp5pAUwx7Mudxs+wrfsn/UY0a8Qu0hbwygtyxBDGkAbpxlXH0tLGTdcHfselrNekixdXHAnoSHZKiyZNX5OEp3wShJoqln/+0Qs6VLgHrACcoUFQEZnXGTer2flE3imPYux6LPaY+vv2KVGcgJCxkMWgjY/2uMsc03h2XcDplQr6ESdeA7gnxA9pxvjIvY793GTgnybGVbAtgSQSCxvxTClpZxsltuxF+ZBGTxeveNtgLEinTQpQUNy6aekL+H/PEsk6R7S/y8Cx8j6OIdg1MEpTr0Sz6wVJPsD7RhQpAjTbMx2V+2j4is/5815kC4HVKHtg4g==
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 11, revalidations 0
org. 107 DNSKEY 256 3 8 AwEAAa5uc5s6co7l6C0rgiH0om3XgV6pe2aWmtiNL5/gN82xImSB5ovvjRg1TPfcqNq1CCjtafdWTdtrX2f9hzDMJ1vZxzgcyRDYroiC22kaGQHtlLpw73pVHHrTzqjuJ0lPeko0/SDI0iBIqimY2mT3KJTts3gbXywksWjIHcw5FTAV
org. 107 DNSKEY 256 3 8 AwEAAbdHIC3iJRkEm4k0aIcj1Q5JPlyCkazmt0j2wFIXze88D5yTStbMFEjVGhTCNVtKGomSxz89GnnCA+MdkDzlJJofSNigEUoTZp5U6tEgtt61NNrKxz0GnJkW/1yeS5dP27hYCSBp9264feY/7z/wjoZyKfbsoymBrC5EZA6iHxFd
org. 107 DNSKEY 257 3 8 AwEAAexZJ/1wfyNCxNPrTZizaG7UlibGhP+AyogR6bqjptKweEgE4gD8GxRQJkt+Fn5pCoNqzmm1ZnEoKqvm93uOYtbKkYQDGH+W69J66MSKpgIyS+mT/4iaXn+lpb5o99l/sf7lHMa975O/fqN6aPUll4hUbN2T1LHv6HzQuQCtNRJA8jHGwX5q0NMmh2Z+yaG6B9cISerje9l5L+ID2ydJ6zXquYteoIUvX2xzqnXCdHPSvD+oL6R/weW+tztdFS1hok/1z3tn5NzmcaOLll9nXniCozEpLFEGPswyvtphWgCYhI8bBTqhUsIwfIwLSBQTEg2oCX7sS5CbXg44OqwhIW8=
; ranked rrset to_wire false, rank 021 (omit auth), cached false, qry_uid 11, revalidations 0
org. 107 RRSIG DNSKEY 8 1 900 1651332155 1649514155 26974 org. dSvEYdnhQOlzIu9rs3M/kjais/ifG51gF4IKE6GEwikhx/tYFrJuUuGzXpqoQcOkdoZXySoUYoMVF3wwUR7aD8EH+D5NQ4CmGLs1lQil6GGE+CKjglZPZrrklIsVhBmD+AZLAC+HIMkOX7vPLrqPz93IqUs+NtIRY15VEvi15JMSydNUIvmxc1HTPaar6r50TxKwfIR92pYDXWqKTe5HQPJ1uj55oyUAwtEISjKM/BdoV5RRjyC+1+i/by9wkGIJLMCkzX/4UnGqBM2jFm66due25GULAMZRYvnhqQvMMc/yyIe3NoeeMh7wqIXqRaHhXNZfjPXNaCOxkPHVeJuYAg==
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 14, revalidations 0
gnome.org. 6809 DS 51496 5 2 F676D322A3E9EE31F1078F38256315214078E46A47064CBDEE76E933739CC8C7
; ranked rrset to_wire false, rank 021 (omit auth), cached false, qry_uid 14, revalidations 0
gnome.org. 6809 RRSIG DS 8 2 86400 1651332155 1649514155 10449 org. Fj9K58DnO3WxVDtJKEk1csWU9WgXfrtJ9ZYXIOiPG5KdI5o9WIbrW51DqidP6QVVWGpzvVs8knf0h8AjneROMEBjLehQa+9uZ6bQ/x/DEElp2mW53q43b33I6Rt2rjlbazhjFSt+f9BuWPf3wke4IbRK6/pf57TuGgKYBuVwQwo=
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 17, revalidations 0
gnome.org. 264 DNSKEY 256 3 5 AwEAAaMI/dz7JwEtjvpr1uCvjs1AvVxiT4dwQGOXzp6r+pQXazhDn6+TlJDh0aEnwFc76ujViKcMruPsS49dtoCAmhBPuI2g+CGyr/PgAfxM4czfak8kKvIdxh1UMQrcIJ/rKJ5eue7fI2BG3plq9oMIPmDEOoPU4ePjIY4M/qrbjcev
gnome.org. 264 DNSKEY 257 3 5 AwEAAbRD7AymDFuKc2iXta7HXZMleMkUMwjOZTsn4f75ZUp0of8TJdlUDtFtqifEBnFcGJU5r+ZVvkBKQ0qDTTjayL54Nz56XGGoIBj6XxbG8Es+VbZCg0RsetDk5EsxLst0egrvOXga27jbsJ+7Me3D5Xp1bkBnQMrXEXQ9C43QfO2KUWJVljo1Bii3fTfnHSLRUsbRn8Puz+orK71qxs3G9mgGR6rmn91brkpfmHKr3S9Rbxq8iDRWDPiCaWkI7qfASdFk4TLV0gSVlA3OxyW9TCkPZStZ5r/WRW2jhUY/kjHERQd4qX5dHAuYrjJSV99P6FfCFXoJ3ty5s3fl1RZaTo8=
; ranked rrset to_wire false, rank 021 (omit auth), cached false, qry_uid 17, revalidations 0
gnome.org. 264 RRSIG DNSKEY 5 2 900 1651937377 1649345377 40692 gnome.org. FhZSI3iYe2SLfWAJR7DH4bOTTD4AlkPf9OsFZH6nhBJQEk9H8cRkHUzLUczY41daJwDKxlUnnEkEOa1jS8E8EXm3KSSxkraZv6BLsdhxB6UjbYT6ZrhzbneO1sygYc/6IU70DpryKNa6R9jPLEUEphez9MR6Bf/VREtkYNUnVXU=
gnome.org. 264 RRSIG DNSKEY 5 2 900 1651937377 1649345377 51496 gnome.org. jgJHprIvEOZL5K6sZhGKrjQEsU368ZzMJ/PJhQpeXz47HwfF0AhTycWSwWG8enqpFhl/QY2n2IEnnTtBC3IytvZBd+SfL82lkuGU1eDaSR4pkMiJCTLEitFEMlRj950A2S1RYxVafJAlJR0MrLEcgUYap+V9OVrGjoSnXTIs9XOY0aj0iTNRT5nm1RC533QKCu5PDwQlXbwUWC0LoYM3oHMG5sbliD0Sy2nObYs9cf7BfkLb97iZiJcQKNm5fpDnG4qaLlw0GRrybbHi1QeIJisC4Isg1gdZ2cPDntPVS8T0m6I5Dcsx1IvDubhucJ8U2SMIkSKIZ1Aidl+MslSTLw==
;; selected from AUTHORITY sections:
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 20, revalidations 0
gnome.org. 16 SOA ns-master.gnome.org. hostmaster.gnome.org. 1649348977 600 900 86400 3600
; ranked rrset to_wire false, rank 021 (omit auth), cached false, qry_uid 20, revalidations 0
gnome.org. 16 RRSIG SOA 5 2 900 1651937377 1649345377 40692 gnome.org. D4nUm9bExjX/lUoG+TgMdYuccR7InE2wSzBLR2a4ocU3IqpNvA7seBmll9x706ImEZ1oxtvXTZbozEG7W1c7KIlo+vvSl4yoQgQl37VncHhfW5U6Q69v9o1XRuledjb7l16OtynblHXQkDmZDrT9vwX0BV6eoZ78QG84lBqpaFk=
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 20, revalidations 0
*.openshift.gnome.org. 2716 NSEC *.openshift4.gnome.org. A AAAA RRSIG NSEC
; ranked rrset to_wire false, rank 021 (omit auth), cached false, qry_uid 20, revalidations 0
*.openshift.gnome.org. 2716 RRSIG NSEC 5 3 3600 1651937377 1649345377 40692 gnome.org. j3xWiApwlF6XY64qJnXepFklLWWOHYpQFl1ZBtEhT0THnbMMgwOUmhzvpCbeWJaNRZiqMNGBLo1g+4gaOA3RpzULFjH8GyW0fuzpZ7qwZAgxUsa9/Ii5tj5rtYTv8zZFkqv9xoQVLfwx09r12Sjrpg/aoXnHs0LEbSkCJWC3lAQ=
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][policy][07606.00] answer packet:
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 7606
;; Flags: qr rd ra QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
planet.gnome.org. A
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.00] 'planet.gnome.org.' type 'A' new uid was assigned .01, parent uid .00
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][cache ][07606.01] => satisfied by exact CNAME: rank 060, new TTL 614
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.01] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 26361
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
planet.gnome.org. A
;; ANSWER SECTION
planet.gnome.org. 614 CNAME router-default.apps.openshift4.gnome.org.
planet.gnome.org. 614 RRSIG CNAME 5 3 900 1651937377 1649345377 40692 gnome.org. LwqhAFM+ukN4HHE6QBHSehacwNgodYZrwGykePnayxgD4WCELd887iW7xnQm+CgebWligBJhFLQB5a0VV13j0UD95ji2q+1QBQbJ/lcxdHoh++i2Bhb0nWHQ148FsoE613oMX5wwWm4fpN0fmRPUugKXD2f5fAGFBD83e82QBZk=
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.01] <= rcode: NOERROR
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.01] <= cname chain, following
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.02] 'router-default.apps.openshift4.gnome.org.' type 'A' new uid was assigned .03, parent uid .00
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][cache ][07606.03] => trying zone: gnome.org., NSEC, hash 0
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][cache ][07606.03] => NSEC sname: range search miss (!covers)
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][cache ][07606.03] => skipping zone: gnome.org., NSEC, hash 0;new TTL -123456789, ret -2
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][plan ][07606.03] plan '.' type 'DNSKEY' uid [07606.04]
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.04] '.' type 'DNSKEY' new uid was assigned .05, parent uid .03
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][cache ][07606.05] => satisfied by exact RRset: rank 060, new TTL 27913
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.05] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 42892
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
. DNSKEY
;; ANSWER SECTION
. 27913 DNSKEY 256 3 8 AwEAAak/ZU9wDNQD7XTAGTDkn32UR8I6auRDekbGky+yyWKdUHmwAJv90YHCUTib8aVBgNgbxkeeZGRx3W4+XhMZbfUr5fMwmD3u9P2yzJpbRtjGNM/XZvzGs9HHNymz3Bp851anHZfNy6pJud265/XMKzFlAY8sMJjum0hvx/DuCDELLyhsvdfOD9rHM93UXO0bcAjvI8tjZsGI+Pfp9KdxF9vS/sAzpFXKsldix+e6xv8rRS6WPg2LAooxF+eO5DgFSilYmnyCK4VPJ7ntjD/8m0bs128ZT1eY3oXCbojDv59lLAgrdGSbcVxQF2KHoUHDmkOC5BzG/1xRtW4v/3y4/H8=
. 27913 DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
. 27913 RRSIG DNSKEY 8 0 172800 1651449600 1649635200 20326 . e/e+lsjJGKLiH638XbnFQrI1EUG8CTYh52loAQkKdzX2YzXpTePNDuvPAF7EreJoBNS9EabkwvLwo2O16kXu5kK7TIznS2IO4krC/7ILGVZAbq9EhdsIBKInkBavnokBC+qRrvE78wvbMcl/pt92j5AuoPMmv5lOdowxW/U1m8/MgLh1wU07tkZ2HRGRP6pGMefWDqzb3AvHnEp5rzMnpcOlrVQLPDutztZ6kpRMhTHnL+QN3BqYYIFFg/IQn+YvVSyHR/6/8UTawV9kLSYkab3Cbhgb6jYbxlOG8LcXvtTGwq/PfOcZjttBSsar3X7RjyGYM2hAfrGkMf7gk4X4KA==
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.05] <= rcode: NOERROR
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][valdtr][07606.05] <= parent: updating DNSKEY
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][valdtr][07606.05] <= answer valid, OK
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.03] 'router-default.apps.openshift4.gnome.org.' type 'A' new uid was assigned .06, parent uid .00
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][plan ][07606.06] plan 'org.' type 'DS' uid [07606.07]
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.07] 'org.' type 'DS' new uid was assigned .08, parent uid .06
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][cache ][07606.08] => satisfied by exact RRset: rank 060, new TTL 35188
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.08] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 22326
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
org. DS
;; ANSWER SECTION
org. 35188 DS 26974 8 2 4FEDE294C53F438A158C41D39489CD78A86BEB0D8A0AEAFF14745C0D16E1DE32
org. 35188 RRSIG DS 8 1 86400 1650906000 1649779200 47671 . gt0yxpNr3DEe3vdglp5pAUwx7Mudxs+wrfsn/UY0a8Qu0hbwygtyxBDGkAbpxlXH0tLGTdcHfselrNekixdXHAnoSHZKiyZNX5OEp3wShJoqln/+0Qs6VLgHrACcoUFQEZnXGTer2flE3imPYux6LPaY+vv2KVGcgJCxkMWgjY/2uMsc03h2XcDplQr6ESdeA7gnxA9pxvjIvY793GTgnybGVbAtgSQSCxvxTClpZxsltuxF+ZBGTxeveNtgLEinTQpQUNy6aekL+H/PEsk6R7S/y8Cx8j6OIdg1MEpTr0Sz6wVJPsD7RhQpAjTbMx2V+2j4is/5815kC4HVKHtg4g==
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.08] <= rcode: NOERROR
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][valdtr][07606.08] <= DS: OK
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][valdtr][07606.08] <= parent: updating DS
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][valdtr][07606.08] <= answer valid, OK
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.06] 'router-default.apps.openshift4.gnome.org.' type 'A' new uid was assigned .09, parent uid .00
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][plan ][07606.09] plan 'org.' type 'DNSKEY' uid [07606.10]
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.10] 'org.' type 'DNSKEY' new uid was assigned .11, parent uid .09
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][cache ][07606.11] => satisfied by exact RRset: rank 060, new TTL 107
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.11] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 52529
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
org. DNSKEY
;; ANSWER SECTION
org. 107 DNSKEY 256 3 8 AwEAAa5uc5s6co7l6C0rgiH0om3XgV6pe2aWmtiNL5/gN82xImSB5ovvjRg1TPfcqNq1CCjtafdWTdtrX2f9hzDMJ1vZxzgcyRDYroiC22kaGQHtlLpw73pVHHrTzqjuJ0lPeko0/SDI0iBIqimY2mT3KJTts3gbXywksWjIHcw5FTAV
org. 107 DNSKEY 256 3 8 AwEAAbdHIC3iJRkEm4k0aIcj1Q5JPlyCkazmt0j2wFIXze88D5yTStbMFEjVGhTCNVtKGomSxz89GnnCA+MdkDzlJJofSNigEUoTZp5U6tEgtt61NNrKxz0GnJkW/1yeS5dP27hYCSBp9264feY/7z/wjoZyKfbsoymBrC5EZA6iHxFd
org. 107 DNSKEY 257 3 8 AwEAAexZJ/1wfyNCxNPrTZizaG7UlibGhP+AyogR6bqjptKweEgE4gD8GxRQJkt+Fn5pCoNqzmm1ZnEoKqvm93uOYtbKkYQDGH+W69J66MSKpgIyS+mT/4iaXn+lpb5o99l/sf7lHMa975O/fqN6aPUll4hUbN2T1LHv6HzQuQCtNRJA8jHGwX5q0NMmh2Z+yaG6B9cISerje9l5L+ID2ydJ6zXquYteoIUvX2xzqnXCdHPSvD+oL6R/weW+tztdFS1hok/1z3tn5NzmcaOLll9nXniCozEpLFEGPswyvtphWgCYhI8bBTqhUsIwfIwLSBQTEg2oCX7sS5CbXg44OqwhIW8=
org. 107 RRSIG DNSKEY 8 1 900 1651332155 1649514155 26974 org. dSvEYdnhQOlzIu9rs3M/kjais/ifG51gF4IKE6GEwikhx/tYFrJuUuGzXpqoQcOkdoZXySoUYoMVF3wwUR7aD8EH+D5NQ4CmGLs1lQil6GGE+CKjglZPZrrklIsVhBmD+AZLAC+HIMkOX7vPLrqPz93IqUs+NtIRY15VEvi15JMSydNUIvmxc1HTPaar6r50TxKwfIR92pYDXWqKTe5HQPJ1uj55oyUAwtEISjKM/BdoV5RRjyC+1+i/by9wkGIJLMCkzX/4UnGqBM2jFm66due25GULAMZRYvnhqQvMMc/yyIe3NoeeMh7wqIXqRaHhXNZfjPXNaCOxkPHVeJuYAg==
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.11] <= rcode: NOERROR
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][valdtr][07606.11] <= parent: updating DNSKEY
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][valdtr][07606.11] <= answer valid, OK
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.09] 'router-default.apps.openshift4.gnome.org.' type 'A' new uid was assigned .12, parent uid .00
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][plan ][07606.12] plan 'gnome.org.' type 'DS' uid [07606.13]
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.13] 'gnome.org.' type 'DS' new uid was assigned .14, parent uid .12
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][cache ][07606.14] => satisfied by exact RRset: rank 060, new TTL 6809
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.14] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 8461
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
gnome.org. DS
;; ANSWER SECTION
gnome.org. 6809 DS 51496 5 2 F676D322A3E9EE31F1078F38256315214078E46A47064CBDEE76E933739CC8C7
gnome.org. 6809 RRSIG DS 8 2 86400 1651332155 1649514155 10449 org. Fj9K58DnO3WxVDtJKEk1csWU9WgXfrtJ9ZYXIOiPG5KdI5o9WIbrW51DqidP6QVVWGpzvVs8knf0h8AjneROMEBjLehQa+9uZ6bQ/x/DEElp2mW53q43b33I6Rt2rjlbazhjFSt+f9BuWPf3wke4IbRK6/pf57TuGgKYBuVwQwo=
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.14] <= rcode: NOERROR
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][valdtr][07606.14] <= DS: OK
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][valdtr][07606.14] <= parent: updating DS
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][valdtr][07606.14] <= answer valid, OK
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.12] 'router-default.apps.openshift4.gnome.org.' type 'A' new uid was assigned .15, parent uid .00
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][plan ][07606.15] plan 'gnome.org.' type 'DNSKEY' uid [07606.16]
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.16] 'gnome.org.' type 'DNSKEY' new uid was assigned .17, parent uid .15
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][cache ][07606.17] => satisfied by exact RRset: rank 060, new TTL 264
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.17] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 7489
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
gnome.org. DNSKEY
;; ANSWER SECTION
gnome.org. 264 DNSKEY 256 3 5 AwEAAaMI/dz7JwEtjvpr1uCvjs1AvVxiT4dwQGOXzp6r+pQXazhDn6+TlJDh0aEnwFc76ujViKcMruPsS49dtoCAmhBPuI2g+CGyr/PgAfxM4czfak8kKvIdxh1UMQrcIJ/rKJ5eue7fI2BG3plq9oMIPmDEOoPU4ePjIY4M/qrbjcev
gnome.org. 264 DNSKEY 257 3 5 AwEAAbRD7AymDFuKc2iXta7HXZMleMkUMwjOZTsn4f75ZUp0of8TJdlUDtFtqifEBnFcGJU5r+ZVvkBKQ0qDTTjayL54Nz56XGGoIBj6XxbG8Es+VbZCg0RsetDk5EsxLst0egrvOXga27jbsJ+7Me3D5Xp1bkBnQMrXEXQ9C43QfO2KUWJVljo1Bii3fTfnHSLRUsbRn8Puz+orK71qxs3G9mgGR6rmn91brkpfmHKr3S9Rbxq8iDRWDPiCaWkI7qfASdFk4TLV0gSVlA3OxyW9TCkPZStZ5r/WRW2jhUY/kjHERQd4qX5dHAuYrjJSV99P6FfCFXoJ3ty5s3fl1RZaTo8=
gnome.org. 264 RRSIG DNSKEY 5 2 900 1651937377 1649345377 40692 gnome.org. FhZSI3iYe2SLfWAJR7DH4bOTTD4AlkPf9OsFZH6nhBJQEk9H8cRkHUzLUczY41daJwDKxlUnnEkEOa1jS8E8EXm3KSSxkraZv6BLsdhxB6UjbYT6ZrhzbneO1sygYc/6IU70DpryKNa6R9jPLEUEphez9MR6Bf/VREtkYNUnVXU=
gnome.org. 264 RRSIG DNSKEY 5 2 900 1651937377 1649345377 51496 gnome.org. jgJHprIvEOZL5K6sZhGKrjQEsU368ZzMJ/PJhQpeXz47HwfF0AhTycWSwWG8enqpFhl/QY2n2IEnnTtBC3IytvZBd+SfL82lkuGU1eDaSR4pkMiJCTLEitFEMlRj950A2S1RYxVafJAlJR0MrLEcgUYap+V9OVrGjoSnXTIs9XOY0aj0iTNRT5nm1RC533QKCu5PDwQlXbwUWC0LoYM3oHMG5sbliD0Sy2nObYs9cf7BfkLb97iZiJcQKNm5fpDnG4qaLlw0GRrybbHi1QeIJisC4Isg1gdZ2cPDntPVS8T0m6I5Dcsx1IvDubhucJ8U2SMIkSKIZ1Aidl+MslSTLw==
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.17] <= rcode: NOERROR
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][valdtr][07606.17] <= parent: updating DNSKEY
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][valdtr][07606.17] <= answer valid, OK
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.15] 'router-default.apps.openshift4.gnome.org.' type 'A' new uid was assigned .18, parent uid .00
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][plan ][07606.18] plan 'openshift4.gnome.org.' type 'DS' uid [07606.19]
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.19] 'openshift4.gnome.org.' type 'DS' new uid was assigned .20, parent uid .18
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][cache ][07606.20] => skipping exact packet: rank 025 (min. 030), new TTL 16
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][cache ][07606.20] => trying zone: gnome.org., NSEC, hash 0
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][cache ][07606.20] => NSEC sname: covered by: *.openshift.gnome.org. -> *.openshift4.gnome.org., new TTL 2716
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][cache ][07606.20] => NSEC sname: empty non-terminal by the same RR
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.20] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 27790
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
openshift4.gnome.org. DS
;; AUTHORITY SECTION
gnome.org. 16 SOA ns-master.gnome.org. hostmaster.gnome.org. 1649348977 600 900 86400 3600
gnome.org. 16 RRSIG SOA 5 2 900 1651937377 1649345377 40692 gnome.org. D4nUm9bExjX/lUoG+TgMdYuccR7InE2wSzBLR2a4ocU3IqpNvA7seBmll9x706ImEZ1oxtvXTZbozEG7W1c7KIlo+vvSl4yoQgQl37VncHhfW5U6Q69v9o1XRuledjb7l16OtynblHXQkDmZDrT9vwX0BV6eoZ78QG84lBqpaFk=
*.openshift.gnome.org. 2716 NSEC *.openshift4.gnome.org. A AAAA RRSIG NSEC
*.openshift.gnome.org. 2716 RRSIG NSEC 5 3 3600 1651937377 1649345377 40692 gnome.org. j3xWiApwlF6XY64qJnXepFklLWWOHYpQFl1ZBtEhT0THnbMMgwOUmhzvpCbeWJaNRZiqMNGBLo1g+4gaOA3RpzULFjH8GyW0fuzpZ7qwZAgxUsa9/Ii5tj5rtYTv8zZFkqv9xoQVLfwx09r12Sjrpg/aoXnHs0LEbSkCJWC3lAQ=
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.20] <= rcode: NOERROR
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][valdtr][07606.20] <= bogus proof of DS non-existence
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][resolv][07606.00] request failed, answering with empty SERVFAIL
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][resolv][07606.20] finished in state: 8, queries: 6, mempool: 49200 B
It seems that when it resolves successfully with forwarding disabled, it caches the result and continues resolving correctly even when you re-enable forwarding. However, as soon as I remove the cache, forwarding fails again.
kresd.conf:
user('knot-resolver','knot-resolver')
net.listen('127.0.0.1', 53, { kind = 'dns', freebind = true })
net.listen('127.0.0.1', 853, { kind = 'tls', freebind = true })
net.listen('::1', 53, { kind = 'dns', freebind = true })
net.listen('::1', 853, { kind = 'tls', freebind = true })
cache.size = 256*MB
modules = {
    'policy',
    'view',
    'hints > iterate', -- Load /etc/hosts and allow custom root hints
    'serve_stale < cache',
    'workarounds < iterate',
    'stats',
    'predict'
}
view:addr('127.0.0.1/8', function (req, qry) return policy.PASS end)
view:addr('::1/128', function (req, qry) return policy.PASS end)
view:addr('0.0.0.0/0', function (req, qry) return policy.DROP end)
policy.add(policy.suffix(policy.DENY, {todname('use-application-dns.net.')}))
policy.add(policy.rpz(policy.DENY, '/var/lib/rpz-downloader/urlhaus.abuse.ch.rpz',true))
policy.add(policy.rpz(policy.DENY, '/var/lib/rpz-downloader/threatfox.abuse.ch.rpz',true))
policy.add(policy.rpz(policy.DENY, '/var/lib/rpz-downloader/cert.pl.rpz',true))
policy.add(policy.pattern(policy.PASS, todname('uribl.com.')))
policy.add(policy.pattern(policy.PASS, todname('zen.spamhaus.org.')))
policy.add(policy.pattern(policy.PASS, todname('dbl.spamhaus.org.')))
policy.add(policy.all(policy.TLS_FORWARD({
    {'2620:fe::fe', hostname='dns.quad9.net', ca_file='/etc/ssl/certs/ca-certificates.crt' },
    {'2620:fe::fe:9', hostname='dns.quad9.net', ca_file='/etc/ssl/certs/ca-certificates.crt' },
    {'9.9.9.9', hostname='dns.quad9.net', ca_file='/etc/ssl/certs/ca-certificates.crt' },
    {'149.112.112.112', hostname='dns.quad9.net', ca_file='/etc/ssl/certs/ca-certificates.crt' },
})))
predict.config({ window = 20, period = 72 })
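
The two cache-layer decisions in the log above (`range search miss (!covers)` for the CNAME target, then `covered by` and `empty non-terminal by the same RR` for the `openshift4.gnome.org.` DS query) can be reproduced with RFC 4034 section 6.1 canonical ordering. This is an added example, not Knot Resolver code and not part of the original report; the function names are hypothetical, and names are assumed to be plain ASCII without escapes and to lie inside the NSEC's zone.

```python
from __future__ import annotations

# NSEC record copied from the log in this report.
NSEC_OWNER = "*.openshift.gnome.org."
NSEC_NEXT = "*.openshift4.gnome.org."
NSEC_TYPES = {"A", "AAAA", "RRSIG", "NSEC"}


def canonical_key(name: str) -> list[bytes]:
    """Sort key for RFC 4034 section 6.1 canonical name ordering.

    Labels are lowercased and compared right to left as octet strings.
    Python's list/bytes comparison already sorts a shorter prefix first,
    which is what the RFC requires for ancestors and for shorter labels.
    """
    labels = [label for label in name.rstrip(".").split(".") if label]
    return [label.lower().encode("ascii") for label in reversed(labels)]


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if qname falls strictly between owner and next_name."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    # Last NSEC of the zone: next_name wraps around to the apex, so every
    # in-zone name sorting after the owner is covered.
    return o < q


def is_strict_subdomain(child: str, parent: str) -> bool:
    c, p = canonical_key(child), canonical_key(parent)
    return len(c) > len(p) and c[: len(p)] == p


def classify(qname: str, qtype: str, owner: str, next_name: str,
             types: set[str]) -> str:
    """What this single NSEC record says about qname/qtype."""
    if canonical_key(qname) == canonical_key(owner):
        return "exists-has-type" if qtype in types else "nodata"
    if not nsec_covers(owner, next_name, qname):
        return "no-proof"
    # The next name lives below qname, so qname is a node in the tree that
    # owns no records itself: an empty non-terminal, i.e. NODATA for any type.
    if is_strict_subdomain(next_name, qname):
        return "nodata-empty-non-terminal"
    return "name-does-not-exist"


if __name__ == "__main__":
    queries = [
        # (qname, qtype) pairs taken from the log
        ("router-default.apps.openshift4.gnome.org.", "A"),
        ("openshift4.gnome.org.", "DS"),
        # constructed name, not from the report, to show plain coverage
        ("openshift3.gnome.org.", "DS"),
    ]
    for qname, qtype in queries:
        result = classify(qname, qtype, NSEC_OWNER, NSEC_NEXT, NSEC_TYPES)
        print(f"{qname:45} {qtype:3} -> {result}")
```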