Recursion in STUB zone
Hello, I'm trying to find a working setup for the following scenario:
CZFree is (still) using its own DNS root infrastructure (including root zone and DNSSEC) over private (10.0.0.0/8) addresses. Members of this community have their own DNS servers (i.e. Klfree, Pilsfree, etc.). On our primary DNS recursor, I'd like to be able to resolve (using recursion) normal Internet addresses, our private addresses (in domain .klfree.czf) and also private addresses of other CZFree members (about 50 NS bound together in the .czf zone, with NS records referencing the members' DNS servers). Recursion is also needed for the CZFree part, because there are many distributed authoritative servers all around the members.
Our primary recursive resolving DNS server uses bind in a "hybrid setup" (allowed recursion, slave for our private zone, slave for the "fake-root" .czf zone) and everything works fine. For CZFree zones it checks the slave-root .czf zone and continues using recursion.
Secondary/backup is running knot-resolver (answers user queries, currently debian 5.5.1-cznic.1) and knot (slave for our private zones - and also for the .czf zone). Here, I'm unable to find any way to get it working.
Original setup of the knot-resolver is/was to forward everything "local" to the knot (running on localhost - port 5301):
internalDomains = policy.todnames({'klfree.czf', 'klfree.net', '10.in-addr.arpa', 'czf' })
policy.add(policy.suffix(policy.FLAGS({'NO_CACHE'}), internalDomains))
policy.add(policy.suffix(policy.STUB('127.0.0.1@5301'),internalDomains))
This works for our internal zone klfree.czf (because here knot is authoritative). But the problem is that knot doesn't support recursion, nor does knot-resolver do it in STUB forward mode. When resolving an address like www.praha12.czf, knot answers only with NS records (because no recursion), and knot-resolver returns this to the client (again without the questioned address resolved). So this doesn't work well.
My next try was to use two instances of knot-resolver:
- main: copy of original setup
- czf: fake-root recursive resolver just for the .czf zone.
Here I tried to use hints.root() to force the second instance to be a .czf-only recursive resolver. But again without success. Even when I set up hints.root like this:
> hints.root()
{
['a.root-servers.net.'] = {
'10.27.0.68',
},
['b.root-servers.net.'] = {
'10.253.32.129',
},
['c.root-servers.net.'] = {
'10.27.0.68',
},
['d.root-servers.net.'] = {
'10.253.32.129',
},
['e.root-servers.net.'] = {
'10.27.0.68',
},
['f.root-servers.net.'] = {
'10.253.32.129',
},
['g.root-servers.net.'] = {
'10.27.0.68',
},
['h.root-servers.net.'] = {
'10.253.32.129',
},
['i.root-servers.net.'] = {
'10.27.0.68',
},
['j.root-servers.net.'] = {
'10.253.32.129',
},
['k.root-servers.net.'] = {
'10.253.32.129',
},
['l.root-servers.net.'] = {
'10.27.0.68',
},
['m.root-servers.net.'] = {
'10.253.32.129',
},
}
Knot-resolver uses hardcoded (?) root servers and ignores this setting completely.
root@dns-recursive2:/etc/knot-resolver# dig @localhost -p 6663 a.root-servers.net
; <<>> DiG 9.16.37-Debian <<>> @localhost -p 6663 a.root-servers.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20770
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;a.root-servers.net. IN A
;; ANSWER SECTION:
a.root-servers.net. 171361 IN A 198.41.0.4
;; Query time: 0 msec
;; SERVER: 127.0.0.1#6663(127.0.0.1)
;; WHEN: Fri Apr 21 23:10:47 CEST 2023
;; MSG SIZE rcvd: 63
My current test setup of kresd.conf (czf instance part):
elseif string.match(systemd_instance, '^czf') then
modules.unload('priming')
net.listen('127.0.0.1', 6663, { kind = 'dns' })
modules = {
'hints > iterate', -- Load /etc/hosts and allow custom root hints
}
cache.size = 50 * MB
hints.root_file("/etc/knot-resolver/czf.zone")
policy.add(policy.suffix(policy.PASS, {todname('10.in-addr.arpa')}))
policy.add(policy.suffix(policy.PASS, {todname('.czf')}))
log_level('debug')
else
panic("Unknown instance of kresd!")
end
Even with the priming module disabled, and hints.root() returning the addresses of our internal czf-root servers, the server asks the Internet root servers for answers.
Any "hints" on how to deal with "root_hints" or how to "forward with recursion" to solve this riddle?
Thanks in advance
Jan
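The failure described in the post (the STUB target answers www.praha12.czf with NS records only, and the forwarding resolver passes that back) is a referral being returned where a final answer was expected. The script below is an added example for this thread, not code from Knot Resolver, Knot DNS or the poster: it decodes a raw DNS response (for instance bytes taken from a packet capture of the kresd-to-knot exchange on port 5301) with a small wire-format parser and labels it ANSWER, REFERRAL, NODATA or ERROR, so each hop's reply can be checked for the RA/AA flags and for whether the data sits in ANSWER or only in AUTHORITY. The four sample messages are constructed by hand; ns.praha12.czf and the 10.0.0.x addresses are placeholders, not real CZFree data.

```python
"""Tell a DNS answer apart from a referral on the wire (added example, not kresd/knot code)."""
import struct

A, NS, SOA = 1, 2, 6


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (text, offset after the name)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2                      # the field ends after the first pointer
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (off if end is None else end)


def _read_rr(msg, off):
    """Decode one resource record into (owner, type, ttl, text)."""
    name, off = _read_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    rdata = msg[off:off + rdlen]
    if rtype == A and rdlen == 4:
        text = ".".join(str(b) for b in rdata)
    elif rtype in (NS, SOA):
        text = _read_name(msg, off)[0]             # NS target / SOA MNAME
    else:
        text = rdata.hex()
    return (name, rtype, ttl, text), off + rdlen


def parse(msg):
    """Decode header flags, question and the ANSWER/AUTHORITY/ADDITIONAL sections."""
    _ident, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off, question = 12, []
    for _ in range(qd):
        qname, off = _read_name(msg, off)
        question.append((qname, struct.unpack_from("!H", msg, off)[0]))
        off += 4                                   # QTYPE + QCLASS
    sections = []
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            rr, off = _read_rr(msg, off)
            rrs.append(rr)
        sections.append(rrs)
    return {"aa": bool(flags & 0x0400), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "question": question, "answer": sections[0],
            "authority": sections[1], "additional": sections[2]}


def classify(resp):
    """ANSWER: data in ANSWER; REFERRAL: non-authoritative, NS-only AUTHORITY
    (what a STUB target without recursion hands back); NODATA; or ERROR (RCODE != 0)."""
    if resp["rcode"] != 0:
        return "ERROR"
    if resp["answer"]:
        return "ANSWER"
    if not resp["aa"] and any(rr[1] == NS for rr in resp["authority"]):
        return "REFERRAL"
    return "NODATA"


# --- hand-built sample messages (constructed for this example, not captured traffic) ---

def _name(text):
    return b"".join(bytes([len(l)]) + l.encode() for l in text.rstrip(".").split(".") if l) + b"\x00"


def _rr(name, rtype, ttl, rdata):
    raw = name if isinstance(name, bytes) else _name(name)
    return raw + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def _msg(flags, qname, qtype, answer=(), authority=(), additional=()):
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answer), len(authority), len(additional))
    return hdr + _name(qname) + struct.pack("!HH", qtype, 1) + b"".join(list(answer) + list(authority) + list(additional))


QNAME = "www.praha12.czf"
ZONE_PTR = b"\xc0\x10"   # compression pointer to "praha12.czf" inside the question (offset 16)


def samples():
    """Responses to QNAME/A. Flags: 0x8100 = QR|RD, 0x8180 = +RA, 0x8580 = +AA, 0x8183 = NXDOMAIN."""
    return {
        "referral": _msg(0x8100, QNAME, A,          # delegation only: no recursion was done
                         authority=[_rr(ZONE_PTR, NS, 3600, _name("ns.praha12.czf"))],
                         additional=[_rr("ns.praha12.czf", A, 3600, bytes([10, 0, 0, 53]))]),
        "answer": _msg(0x8180, QNAME, A,            # a recursor followed the delegation
                       answer=[_rr(QNAME, A, 300, bytes([10, 0, 0, 80]))]),
        "nodata": _msg(0x8580, QNAME, A,            # authoritative: name exists, no A record
                       authority=[_rr("praha12.czf", SOA, 300, _name("ns.praha12.czf")
                                      + _name("hostmaster.praha12.czf")
                                      + struct.pack("!IIIII", 1, 3600, 900, 604800, 300))]),
        "nxdomain": _msg(0x8183, QNAME, A),
    }


if __name__ == "__main__":
    for label, wire in samples().items():
        r = parse(wire)
        print(f"{label:9s} -> {classify(r):8s} aa={r['aa']} ra={r['ra']} "
              f"answer={r['answer']} authority={[(n, t) for n, _, _, t in r['authority']]}")
```

The REFERRAL case is the one the post describes: AA is clear, RA is clear, ANSWER is empty and AUTHORITY carries the NS set for praha12.czf, which a resolver in STUB mode forwards unchanged instead of following. Feeding real bytes from a capture through `parse()` shows at which hop the answer stops being recursed.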