Skip to content

Recursion in STUB zone

Hello, I'm trying to find a working setup for following scenario:

CZFree is (still) using own DNS root infrastructure (including root zone, dnssec) over private (10.0.0.0/8) addresses. Members of this community has its own DNS servers (ie. Klfree, Pilsfree, etc). On our primary DNS recursor, I'd like to be able resolve (using recursion) normal Internet addresses, our private addresses (in domain .klfree.czf) and also private adresses of other czfree members (about 50 NS bound together in .czf zone with NS referencing members DNS servers). Recursion is also needed for the czfree part, because there are many distributed authoritative servers all around the members.

Our primary recursive resolving DNS server uses bind in "hybrid setup" (allowed recursion, slave for our private zone, slave for "fake-root" .czf zone) and everything works fine. For czfree zones it checks the slave-root .czf zone and continues using recursion.

Secondary/backup is running knot-resolver (answers user queries, currently debian 5.5.1-cznic.1 ) and knot (slave for our private zones - and also for .czf zone). Here, I'm unable to find any way, how to get it works.

Original setup of the knot-resolver is/was to forward everything "local" on the knot (running on localhost - port 5301)

internalDomains = policy.todnames({'klfree.czf', 'klfree.net', '10.in-addr.arpa', 'czf' })
policy.add(policy.suffix(policy.FLAGS({'NO_CACHE'}),   internalDomains))
policy.add(policy.suffix(policy.STUB('127.0.0.1@5301'),internalDomains))

This works for our internal zone klfree.czf (because here knot is authoritative). But problem is, that knot doesn't support recursion, nor knot-resolver does it in STUB forward mode. When resolving address like www.praha12.czf, knot answers only with NS records (because no recursion), and knot-resolver returns this to client (again without the questioned address resolved. So this doesn't work well.

My next try was to use two instances of knot-resolver:

  • main: copy of original setup
  • czf: fake-root recursive resolver for just for the .czf zone.

Here I tried to use hints.root() to force the second instance to be a .czf-only recursive resolver. But again without success. Even when I setup hints.root like this:

> hints.root()
{
    ['a.root-servers.net.'] = {
        '10.27.0.68',
    },
    ['b.root-servers.net.'] = {
        '10.253.32.129',
    },
    ['c.root-servers.net.'] = {
        '10.27.0.68',
    },
    ['d.root-servers.net.'] = {
        '10.253.32.129',
    },
    ['e.root-servers.net.'] = {
        '10.27.0.68',
    },
    ['f.root-servers.net.'] = {
        '10.253.32.129',
    },
    ['g.root-servers.net.'] = {
        '10.27.0.68',
    },
    ['h.root-servers.net.'] = {
        '10.253.32.129',
    },
    ['i.root-servers.net.'] = {
        '10.27.0.68',
    },
    ['j.root-servers.net.'] = {
        '10.253.32.129',
    },
    ['k.root-servers.net.'] = {
        '10.253.32.129',
    },
    ['l.root-servers.net.'] = {
        '10.27.0.68',
    },
    ['m.root-servers.net.'] = {
        '10.253.32.129',
    },
}

Knot-resolver uses hardcoded (?) root servers and ignores this setting at all.

root@dns-recursive2:/etc/knot-resolver# dig @localhost -p 6663  a.root-servers.net

; <<>> DiG 9.16.37-Debian <<>> @localhost -p 6663 a.root-servers.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20770
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;a.root-servers.net.		IN	A

;; ANSWER SECTION:
a.root-servers.net.	171361	IN	A	198.41.0.4

;; Query time: 0 msec
;; SERVER: 127.0.0.1#6663(127.0.0.1)
;; WHEN: Fri Apr 21 23:10:47 CEST 2023
;; MSG SIZE  rcvd: 63

My current test setup of kresd.conf (czf instance part):

elseif string.match(systemd_instance, '^czf') then
    modules.unload('priming')
    net.listen('127.0.0.1', 6663, { kind = 'dns' })
    modules = {
    	'hints > iterate',  -- Load /etc/hosts and allow custom root hints
    }	
    cache.size = 50 * MB

    hints.root_file("/etc/knot-resolver/czf.zone")
    policy.add(policy.suffix(policy.PASS, {todname('10.in-addr.arpa')}))
    policy.add(policy.suffix(policy.PASS, {todname('.czf')}))

    log_level('debug')
else
    panic("Unknown instance of kresd!")
end

Even with priming module disabled, and hints.root() returning addresses of our internal czf-root servers, server asks Internet root for answers. 😞 Am I missing some crutial point?

Any "hints" how to deal with "root_hints" or how to "forward with recursion" to solve this riddle ?

Thanks in advance

Jan

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information