LOC records are special. The first octet of a LOC record is a version
number. According to RFC 1876:
VERSION Version number of the representation. This must be zero.
Implementations are required to check this field and make
no assumptions about the format of unrecognized versions.
This means that if a LOC record's VERSION field is not zero, the RR
cannot be presented in the canonical presentation format, but it is
still a valid wire-format RR.
Currently, kdig prints a warning message "can't print whole section" and
a LOC record with a blank RDATA when it attempts to dump a LOC record
with a non-zero VERSION field.
This commit modifies the version check in wire_loc_to_str() to fall back
to the generic presentation format if the VERSION field is not 0. This
particular case is even explicitly described as a use case for the
generic presentation format in RFC 3597:
Using the generic representation for the RDATA of an RR of known type
can also be useful in the case of an RR type where the text format
varies depending on a version, protocol, or similar field (or
several) embedded in the RDATA when such a field has a value for
which no text format is known, e.g., a LOC RR [RFC1876] with a
VERSION other than 0.
---
src/libknot/rrset-dump.c | 95 +++++++++++++++++++++++++-----------------------
1 file changed, 49 insertions(+), 46 deletions(-)
diff --git a/src/libknot/rrset-dump.c b/src/libknot/rrset-dump.c
index c71eae1..ffdd825 100644
--- a/src/libknot/rrset-dump.c
+++ b/src/libknot/rrset-dump.c
@@ -508,6 +508,47 @@ static void wire_len_data_encode_to_str(rrset_dump_params_t *p,
p->ret = 0;
}
+static void wire_unknown_to_str(rrset_dump_params_t *p)
+{
+ int ret;
+ size_t in_len = p->in_max;
+ size_t out_len = 0;
+
+ // Write unknown length header.
+ if (in_len > 0) {
+ ret = snprintf(p->out, p->out_max, "\\# %zu ", in_len);
+ } else {
+ ret = snprintf(p->out, p->out_max, "\\# 0");
+ }
+ if (ret <= 0 || (size_t)ret >= p->out_max) {
+ return;
+ }
+ out_len = ret;
+
+ // Fill in output.
+ p->out += out_len;
+ p->out_max -= out_len;
+ p->total += out_len;
+
+ // Write hex data if any.
+ if (in_len > 0) {
+ // If wrap mode wrap line.
+ if (p->style->wrap) {
+ dump_string(p, BLOCK_INDENT);
+ if (p->ret != 0) {
+ return;
+ }
+ }
+
+ wire_data_encode_to_str(p, &hex_encode, &hex_encode_alloc);
+ if (p->ret != 0) {
+ return;
+ }
+ }
+
+ p->ret = 0;
+}
+
static void wire_text_to_str(rrset_dump_params_t *p)
{
// First byte is string length.
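Review bot: wire_unknown_to_str is moved verbatim from its old position after wire_tsig_rcode_to_str (the pure deletion in the last hunk) so that its definition precedes the new call in wire_loc_to_str; a one-line forward declaration `static void wire_unknown_to_str(rrset_dump_params_t *p);` placed before wire_loc_to_str would achieve the same without the 90-line move and would keep the function's blame history intact. If the move is kept, the early `return` after a failed or truncated snprintf leaves p->ret untouched, so the outcome depends on the caller having preset p->ret to an error value — presumably the case, given the "can't print whole section" warning the commit message describes, but a comment such as `// On snprintf failure p->ret keeps the caller's preset error value.` would make that contract explicit at the moved code.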
@@ -938,6 +979,14 @@ static void wire_loc_to_str(rrset_dump_params_t *p)
// Read values.
wire_ctx_t wire = wire_ctx_init_const(p->in, p->in_max);
uint8_t version = wire_ctx_read_u8(&wire);
+
+ // Version check.
+ if (version != 0) {
+ wire_unknown_to_str(p);
+ return;
+ }
+
+ // Continue to read values.
uint8_t size_w = wire_ctx_read_u8(&wire);
uint8_t hpre_w = wire_ctx_read_u8(&wire);
uint8_t vpre_w = wire_ctx_read_u8(&wire);
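Review bot: The new `if (version != 0)` branch calls wire_unknown_to_str while p->in and p->in_max still cover the whole RDATA — the `p->in += wire_ctx_offset(&wire)` update happens only in the next hunk, after this branch — so the generic `\# len` output includes the VERSION octet, which is what RFC 3597 requires; that is correct but easy to "fix" wrongly later, because the removed check ran after p->in had been advanced. A comment at the branch would pin the intent: `// Unknown VERSION: dump the whole RDATA (VERSION octet included) in RFC 3597 generic format.`. The hunk shows no check of the wire context's error state between reading the version and the fallback; if wire_ctx_read_u8 reports a short buffer only through the context rather than the returned value, an empty RDATA presumably continues on the normal path to whatever check follows, which is worth confirming since that path lies outside the hunk. wire_loc_to_str begins and ends outside this hunk.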
@@ -953,11 +1002,6 @@ static void wire_loc_to_str(rrset_dump_params_t *p)
p->in += wire_ctx_offset(&wire);
p->in_max = wire_ctx_available(&wire);
- // Version check.
- if (version != 0) {
- return;
- }
-
// Latitude calculation.
char lat_mark;
uint32_t lat;
@@ -1210,47 +1254,6 @@ static void wire_tsig_rcode_to_str(rrset_dump_params_t *p)
p->ret = 0;
}
-static void wire_unknown_to_str(rrset_dump_params_t *p)
-{
- int ret;
- size_t in_len = p->in_max;
- size_t out_len = 0;
-
- // Write unknown length header.
- if (in_len > 0) {
- ret = snprintf(p->out, p->out_max, "\\# %zu ", in_len);
- } else {
- ret = snprintf(p->out, p->out_max, "\\# 0");
- }
- if (ret <= 0 || (size_t)ret >= p->out_max) {
- return;
- }
- out_len = ret;
-
- // Fill in output.
- p->out += out_len;
- p->out_max -= out_len;
- p->total += out_len;
-
- // Write hex data if any.
- if (in_len > 0) {
- // If wrap mode wrap line.
- if (p->style->wrap) {
- dump_string(p, BLOCK_INDENT);
- if (p->ret != 0) {
- return;
- }
- }
-
- wire_data_encode_to_str(p, &hex_encode, &hex_encode_alloc);
- if (p->ret != 0) {
- return;
- }
- }
-
- p->ret = 0;
-}
-
static size_t dnskey_len(const uint8_t *rdata,
const size_t rdata_len)
{
--
2.7.0
Hi ..
I'm trying out the dnstap support in Knot, and I seem to have an issue getting it to write to a socket instead of a file. If I give it a file to write to, things seem to work as expected. When I write to a socket, the socket file is not created, and there don't appear to be any errors.
Have I got something wrong?
My very basic config and startup log is included below.
---
server:
rundir: /home/matt/etc/knot
user: matt:staff
listen: 0.0.0.0@5353
log:
- target: /home/matt/etc/knot/logfile
server: info
zone: info
any: info
mod-dnstap:
- id: capture_all
sink: unix:/home/matt/etc/knot/capture.tap
template:
- id: default
storage: /home/matt/etc/knot/zones
kasp-db: /home/matt/etc/knot/kasp
module: mod-dnstap/capture_all
zone:
- domain: myzone.test
dnssec-signing: on
---
2016-02-23T18:09:47 info: Knot DNS 2.1.1 starting
2016-02-23T18:09:47 info: binding to interface '0.0.0.0@5353'
2016-02-23T18:09:47 info: changing GID to '60'
2016-02-23T18:09:47 info: changing UID to '1001'
2016-02-23T18:09:47 info: PID stored in '/home/matt/etc/knot/knot.pid'
2016-02-23T18:09:47 info: changed directory to /
2016-02-23T18:09:47 info: loading 1 zones
2016-02-23T18:09:47 info: [myzone.test] zone will be loaded, serial 0
2016-02-23T18:09:47 info: starting server
2016-02-23T18:09:47 info: [myzone.test] DNSSEC, loaded key, tag 26654, algorithm 8, KSK yes, ZSK no, public no, active no
2016-02-23T18:09:47 info: [myzone.test] DNSSEC, loaded key, tag 7468, algorithm 8, KSK no, ZSK yes, public yes, active yes
2016-02-23T18:09:47 info: [myzone.test] DNSSEC, loaded key, tag 20456, algorithm 8, KSK yes, ZSK no, public yes, active yes
2016-02-23T18:09:47 info: [myzone.test] DNSSEC, signing started
2016-02-23T18:09:47 info: [myzone.test] DNSSEC, zone is up-to-date
2016-02-23T18:09:47 info: [myzone.test] DNSSEC, next signing on 2016-02-29T23:43:54
2016-02-23T18:09:47 info: [myzone.test] loaded, serial 0 -> 2016022209
2016-02-23T18:09:47 info: server started as a daemon, PID 26600
2016-02-23T18:09:47 info: remote control, binding to '/home/matt/etc/knot/knot.sock'
2016-02-23T18:11:07 info: remote control, received command 'stop'
2016-02-23T18:11:07 info: stopping server
2016-02-23T18:11:07 info: updating zone timers database
2016-02-23T18:11:07 info: shutting down
Dear all,
knotc has a zone-check command. Is there a tool which can validate a
zone file directly?
I see that you have a DNS library which can load a zone file very fast
(https://github.com/vavrusa/luajit-kdns). However this is missing the
zone checker/validator.
The stand-alone zone-check command-line tool I was looking for would
also verify DNSSEC signatures. Something like dnssec-verify (BIND).
Daniel
Hello everyone.
Knot DNS 2.1.1 by CZ.NIC Labs has just been declared stable. It mostly
contains bug fixes. The update is highly recommended, as some of the
problems are quite critical.
- We have resolved the problem with source address selection for
UDP messages when the server is configured to listen on all
available addresses (i.e., 0.0.0.0 or ::0). Prior to this release
and depending on the networking configuration, the server could
choose a wrong source address.
- Duplicate private keys can now be imported into the KASP database.
This is practical if you have the same signing key in the legacy
format and share the key between multiple domains. Prior to this
release, sharing the key was possible only with some hacks.
- We have resolved a problem with a duplicate NSEC record that was
returned for Wildcard No Data answers. In the new version, the
record is inserted into the response only once.
- We have fixed a possible server crash, which could happen during
an incoming zone transfer when a server reload is requested.
- The fix for a crash with many configured interfaces and threads was
included in the previous release. However, the fix was incomplete. We
have found other related problems, which are addressed in the new
version.
Thank you for the feedback and bug reports. We are looking forward
to hearing back from you. :-)
The sources are available on our server as usual.
Full changelog:
https://gitlab.labs.nic.cz/labs/knot/raw/v2.1.1/NEWS
Sources:
https://secure.nic.cz/files/knot-dns/knot-2.1.1.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-dns/knot-2.1.1.tar.xz.asc
Best Regards,
Jan
--
Jan Včelák, Knot DNS
CZ.NIC Labs https://www.knot-dns.cz
--------------------------------------------
Milešovská 5, 130 00 Praha 3, Czech Republic
WWW: https://labs.nic.cz https://www.nic.cz
Hello folks.
CZ.NIC Labs just released Knot DNS 1.6.7. This patch release contains
only a few improvements. Upgrade is not necessary but advised.
- The server now logs the change in the zone serial after IXFR
transfers. Prior to this release, information about the serial was logged
only for AXFR transfers. This modification unifies the logging
behavior.
- We have added the 'timer-db' configuration option, which allows
relocation of the zone timer database. This is useful if you run multiple
daemon instances sharing the same zone storage directory.
- The RRL implementation now supports a zero value for the
'rate-limit-slip' option. With this setting, all responses for a flow
exceeding the configured limit will be dropped.
- The documentation for RRL was extended to include information about
expected operational impact of various settings.
As you can see, the changes are rather small. We will continue in this
trend with the LTS version of Knot DNS. If you run Knot DNS 1.6 and are
looking for new features and improvements, please consider an early upgrade to
Knot DNS 2.x.
The sources are available on our server as usual.
Full changelog:
https://gitlab.labs.nic.cz/labs/knot/raw/1.6/NEWS
Source archives:
https://secure.nic.cz/files/knot-dns/knot-1.6.7.tar.xz
https://secure.nic.cz/files/knot-dns/knot-1.6.7.tar.gz
GPG signatures:
https://secure.nic.cz/files/knot-dns/knot-1.6.7.tar.xz.asc
https://secure.nic.cz/files/knot-dns/knot-1.6.7.tar.gz.asc
Best Regards,
Jan
--
Jan Včelák, Knot DNS
CZ.NIC Labs https://www.knot-dns.cz
--------------------------------------------
Milešovská 5, 130 00 Praha 3, Czech Republic
WWW: https://labs.nic.cz https://www.nic.cz
Hello list,
this is just a quick note that we plan to do an ordinary bug-fix release
of Knot DNS 1.6.7 and Knot DNS 2.1.1 next week.
As for 2.1.1, we made some changes in the networking code and we want to
make sure that everything is working correctly. If you can help us with
testing, we would be very happy. The tarball with sources for testing is
available on our server:
https://secure.nic.cz/files/knot-dns/knot-2.1.1-test.tar.xz
Thank you.
Cheers,
Jan
Hi,
I’m trying to compile Knot 2.1, but it fails. Here is the error part:
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../../src -include
../../src/config.h -I./shared -I./lib -I./lib/dnssec -I../../src
-I/usr/include/p11-kit-1 -fvisibility=hidden -D_FORTIFY_SOURCE=2
-march=native -O2 -pipe -fstack-protector-strong -fstack-check -Wall
-Werror=format-security -Werror=implicit -fpredictive-commoning -MT
lib/event/action/libdnssec_la-initial_key.lo -MD -MP -MF
lib/event/action/.deps/libdnssec_la-initial_key.Tpo -c
lib/event/action/initial_key.c -fPIC -DPIC -o
lib/event/action/.libs/libdnssec_la-initial_key.o
lib/binary.c: In function 'base64_decode_raw':
lib/binary.c:47:2: warning: statement with no effect [-Wunused-value]
nettle_len dst_size = dst_max_size;
^
lib/binary.c:47:13: error: expected ';' before 'dst_size'
nettle_len dst_size = dst_max_size;
^
lib/binary.c:48:50: error: 'dst_size' undeclared (first use in this
function)
int result = nettle_base64_decode_update(&ctx, &dst_size, dst,
src_len, src);
^
lib/binary.c:48:50: note: each undeclared identifier is reported only
once for each function it appears in
lib/binary.c:54:1: warning: control reaches end of non-void function
[-Wreturn-type]
}
^
I suppose this has to do with the flags used on my system (Arch Linux)?
Thanks,
Bruno
Hi,
I’ve installed knot 2.0.2 on one of my servers.
It’s configured with three IPv6 addresses and I manage their reliability with some
source-specific routing:
alarig@bulbizarre ~ $ ip -6 route list | grep default
default from 2001:470:1f13:138:715d:2fa0:b591:532f via fe80::20d:b9ff:fe3a:1fa1 dev eth0 metric 1024
default from 2a00:5881:4008:400::1 dev tun0 metric 1024
default from 2a01:240:fe00:82af:764f:b47e:d131:85e4 via fe80::20d:b9ff:fe3a:1fa1 dev eth0 metric 1024
default via fe80::20d:b9ff:fe3a:1fa1 dev eth0 metric 4
It works fine, as I can ping those three IPs from the same machine at the
same moment.
But knot doesn’t take this into account and answers with the “nearest” IPv6
address (the way the source IP is chosen when you have several).
bulbizarre ~ # tcpdump -i any host mc.swordarmor.fr
23:13:07.276493 IP6 2001:41d0:a:27e4::1.52203 > florizarre.swordarmor.fr.domain: 59831+ SOA? swordarmor.fr. (31)
23:13:07.276647 IP6 bulbizarre.swordarmor.fr.domain > 2001:41d0:a:27e4::1.52203: 59831*- 1/0/0 SOA (86)
You can see that knot answers with 2001:470:1f13:138:715d:2fa0:b591:532f, which
is the one chosen if I’m the initiator of the connection.
Indeed, it works with my IRCd:
23:14:17.684155 IP6 2001:41d0:a:27e4::1.36490 > florizarre.swordarmor.fr.6697: Flags [P.], seq 53:106, ack 106, win 331, options [nop,nop,TS val 4047617704 ecr 1587664633], length 53
23:14:17.684301 IP6 florizarre.swordarmor.fr.6697 > 2001:41d0:a:27e4::1.36490: Flags [P.], seq 106:211, ack 106, win 240, options [nop,nop,TS val 1587724598 ecr 4047617704], length 105
23:14:22.555891 IP6 2001:41d0:a:27e4::1.34822 > bulbizarre.swordarmor.fr.6697: Flags [P.], seq 1:62, ack 61, win 331, options [nop,nop,TS val 4047618922 ecr 1587729432], length 61
23:14:22.555928 IP6 bulbizarre.swordarmor.fr.6697 > 2001:41d0:a:27e4::1.34822: Flags [.], ack 62, win 274, options [nop,nop,TS val 1587729469 ecr 4047618922], length 0
Is it a known bug?
--
alarig
Hi,
I did a "apt-get upgrade" on my Knot node.
The package update fails with "Failed to initialize default key store
(unknown error -13)."
Can anyone tell me what that means?
root@localhost:~# knotd --version
knotd (Knot DNS), version 2.1.0
root@localhost:~# ps aux | grep knot
knot 30048 0.0 0.6 1245236 6400 ? Ssl 16:08 0:00
/usr/sbin/knotd -d -c /etc/knot/knot.conf
root@localhost:~# /etc/init.d/knot restart
* Restarting Knot DNS server knotd
[ OK ]
root@localhost:~# ps aux | grep knot
knot 30115 0.0 0.6 1245224 6200 ? Ssl 16:09 0:00
/usr/sbin/knotd -d -c /etc/knot/knot.conf
root@localhost:~# apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n]
Setting up knot (2.1.0-2+trusty+2) ...
* Starting Knot DNS server knotd
[ OK ]
Failed to initialize default key store (unknown error -13).
dpkg: error processing package knot (--configure):
subprocess installed post-installation script returned error exit
status 1
Errors were encountered while processing:
knot
E: Sub-process /usr/bin/dpkg returned an error code (1)
root@localhost:~# ps aux | grep knot
knot 30115 0.0 0.6 1245236 6360 ? Ssl 16:09 0:00
/usr/sbin/knotd -d -c /etc/knot/knot.conf
Kind regards,
Volker