knot-resolver-users Prosinec 2025

knot-resolver-users@lists.nic.cz

4 participants
4 discussions

by pawmal-knot＠freebsd.lublin.pl

Hello, it seems vanilla kresd (5.7.6-cznic.1~bookworm), when receives NODATA response (NOERROR, all RRs: 0) from remote authoritative server, stores record in cache with TTL=32768. Where is this value coming from/how can we alter it? (Seems hardcoded, not derived from SOA expiry or TTL.) Impact: may get negative ~9h cache for domains delegated to a server randomly returning NODATA Workaround: sacrifice cache hit ratio with cache.max_ttl(low_value) Reproduction: // wait 5-30 minutes while true; do echo 'cache.clear("mr-z01.tm-azurefd.net")' | socat - UNIX-CONNECT:/run/knot-resolver/control/1 >/dev/null; sleep 1; host -vvvvt a mr-z01.tm-azurefd.net 127.0.0.1; curl -s http://localhost:8451/trace/mr-z01.tm-azurefd.net; echo DONE; done 2>&1 | tee -a issue.log Watch log: // captured with cache.min_ttl(77), irrelevant here [cache ][65604.03] => satisfied by exact CNAME: rank 030, new TTL 16 [cache ][65604.05] => satisfied by exact RRset: rank 030, new TTL 16 [cache ][65605.01] => satisfied by exact packet: rank 030, new TTL 32768 <------ auth server return NODATA response (reason unknown) [cache ][65606.01] => satisfied by exact packet: rank 030, new TTL 32768 [cache ][65607.01] => satisfied by exact RRset: rank 030, new TTL 77 [cache ][65608.01] => satisfied by exact RRset: rank 030, new TTL 77 [cache ][65609.01] => satisfied by exact CNAME: rank 030, new TTL 77 [cache ][65609.03] => satisfied by exact CNAME: rank 030, new TTL 11 [cache ][65609.05] => satisfied by exact RRset: rank 030, new TTL 11 [cache ][65610.01] => satisfied by exact CNAME: rank 030, new TTL 77 [cache ][65610.03] => satisfied by exact CNAME: rank 030, new TTL 10 [cache ][65610.05] => satisfied by exact RRset: rank 030, new TTL 10 [cache ][65611.01] => satisfied by exact CNAME: rank 030, new TTL 77 [cache ][65611.03] => satisfied by exact CNAME: rank 030, new TTL 9 [cache ][65611.05] => satisfied by exact RRset: rank 030, new TTL 9 [cache ][65612.01] => satisfied by exact packet: rank 030, new TTL 32768 [cache ][65613.01] => satisfied by exact RRset: rank 030, new TTL 77 [cache ][65614.01] => satisfied by exact RRset: rank 030, new TTL 77 // host Trying "mr-z01.tm-azurefd.net" Using domain server: Name: 127.0.0.1 Address: 127.0.0.1#53 Aliases: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62752 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;mr-z01.tm-azurefd.net. IN A Received 39 bytes from 127.0.0.1#53 in 4 ms // kresd trace [iterat][65612.00] 'mr-z01.tm-azurefd.net.' type 'A' new uid was assigned .01, parent uid .00 [cache ][65612.01] => satisfied by exact packet: rank 030, new TTL 32768 [iterat][65612.01] <= answer received: ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 43459 ;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1 ;; EDNS PSEUDOSECTION: ;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused ;; QUESTION SECTION mr-z01.tm-azurefd.net. A ;; ADDITIONAL SECTION [iterat][65612.01] <= rcode: NOERROR [resolv][65612.01] AD: request NOT classified as SECURE [resolv][65612.01] finished in state: 4, queries: 1, mempool: 81952 B // cache miss trace [iterat][65637.03] <= rcode: NOERROR [cache ][65637.03] => stashed tm2.dns-tm.com. A, rank 030, 20 B total, incl. 0 RRSIGs [iterat][65637.01] 'mr-z01.tm-azurefd.net.' type 'A' new uid was assigned .04, parent uid .00 [select][65637.04] => id: '43668' choosing from addresses: 1 v4 + 0 v6; names to resolve: 2 v4 + 3 v6; force_resolve: 0; NO6: IPv6 is KO [select][65637.04] => id: '43668' choosing: 'tm2.dns-tm.com.'@'150.171.16.240#00053' with timeout 22 ms zone cut: 'tm-azurefd.net.' [resolv][65637.04] => id: '43668' querying: 'tm2.dns-tm.com.'@'150.171.16.240#00053' zone cut: 'tm-azurefd.net.' qname: 'mr-z01.tm-azurefd.net.' qtype: 'A' proto: 'udp' [select][65637.04] => id: '43668' updating: 'tm2.dns-tm.com.'@'150.171.16.240#00053' zone cut: 'tm-azurefd.net.' with rtt 4 to srtt: 2 and variance: 1 [iterat][65637.04] <= answer received: ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 43668 ;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1 ;; EDNS PSEUDOSECTION: ;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused ;; QUESTION SECTION mr-z01.tm-azurefd.net. A ;; ADDITIONAL SECTION [iterat][65637.04] <= rcode: NOERROR [cache ][65637.04] => stashed packet: rank 030, TTL 32768, A mr-z01.tm-azurefd.net. (62 B) [resolv][65637.04] AD: request NOT classified as SECURE [resolv][65637.04] finished in state: 4, queries: 2, mempool: 81952 B ;; selected from ANSWER sections: ; ranked rrset to_wire false, rank 030 (auth insecure), cached true, qry_uid 3, revalidations 0 tm2.dns-tm.com. 300 A 150.171.16.240

6 dní, 21 hodin

udp/tcp transport fallback strategy

by pawmal-knot＠freebsd.lublin.pl

Hi, it seems kresd 5.7.6 falls back from UDP to TCP transport but never retries over UDP. Impact: udp/53-only services (incorrect but happens in the wild[1]) may become ~permanently (long TTL) unreachable when udp/53 is not 100% reliable. When temporal udp/53 communication error occurs, kresd will fall back to tcp/53, fail to connect, store negative information and return SERVFAIL. Since retries only consider tcp/53 transport, there is no easy way to recover for udp/53-only domains. I believe it would be nice to retry with UDP as well as TCP (other implementations do this) to handle such cases more gently. [iterat][55073123.04] <= rcode: NOERROR [valdtr][55073123.04] <= cached insecure response, going insecure [iterat][55073123.02] 'www.somefooservice.com.' type 'A' new uid was assigned .05, parent uid .00 [select][55073123.05] => id: '37763' choosing from addresses: 0 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK [select][55073123.05] => id: '37763' no suitable transport, zone cut: 'www.somefooservice.com.' [iterat][55073123.05] 'www.somefooservice.com.' type 'A' new uid was assigned .06, parent uid .00 [select][55073123.06] => id: '27070' choosing from addresses: 0 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK [select][55073123.06] => id: '27070' no suitable transport, zone cut: 'www.somefooservice.com.' [resolv][55073123.06] AD: request NOT classified as SECURE [resolv][55073123.06] finished in state: 8, queries: 2, mempool: 81952 B Workaround: cache.max_ttl() - haven't tried cache.clear('FQDN record affected') does NOT work cache.clear('entire TLD affected') does NOT work cache.clear('.') DOES work cache.clear() DOES work [1] It took us some time to reach major mobile device producer and convince them to expose tcp/53 ;) /PM

1 týden, 2 dny

Knot Resolver 6.0.16

by Aleš Mrázek

Dear Knot Resolver users, Knot Resolver 6.0.16 (early-access) has been released! Improvements: - reduce validation strictness for domain names (#934, !1727) - manager: force a configuration reload via management HTTP API 'api/reload/force' (#939, !1748) - kresctl: reload: added '--force' flag - /fallback: add this feature/module (!1733) - systemd: do not force-fail knot-resolver.service on OOM (!1724) In basically all cases the OOM killer will kill a kresd process and supervisord will just restart it, and everything will keep working. Bugfixes: - /options/query-case-randomization: respect this even on TCP issues (!1732) - prometheus metrics: make the latency histogram cumulative (!1731, GH#117) - fix file permission checks when running as root (!1741) - /network/address-renumbering: fix conversion to Lua configuration (!1739) - manager: avoid uncommon bugs when starting/quitting policy-loader (!1742) Full changelog: https://gitlab.nic.cz/knot/knot-resolver/raw/v6.0.16/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.16.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.16.tar.xz.asc Documentation: https://www.knot-resolver.cz/documentation/v6.0.16/ -- Ales Mrazek PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE

1 týden, 6 dní

Knot Resolver 6.0.17

by Aleš Mrázek

Dear Knot Resolver users, Knot Resolver 6.0.17 (early-access) has been released! Improvements: - kresctl migrate: new command for migrating the configuration to a newer version (!1672) - manager: basic support for non-Linux systems (macOS, FreeBSD) (!1758) - cache: collect garbage based on usage statistics (!1726) This results in using the cache space better, and in practice it reduces latency especially in case of answers that are *not* fully cached. Incompatible changes: See upgrading guide for incompatible configuration changes: https://www.knot-resolver.cz/documentation/v6.0.17/upgrading.html - Removed options from declarative configuration model (YAML). (!1672, !1754) These are mostly experimental and debugging/testing options that are not useful for general users (remain in Lua): - /dnssec/refresh-time - /dnssec/hold-down-time - /dnssec/time-skew-detection - /dnssec/keep-removed - /local-data/root-fallback-addresses* - /logging/debugging - /max-workers - /network/tls/auto-discovery - /webmgmt - Renamed/moved options in the declarative configuration model (YAML). (!1672) - /cache/garbage-collector -> /cache/garbage-collector/enable - /cache/prefetch/prediction -> /cache/prefetch/prediction/enable - /defer/enabled -> /defer/enable - /dns64: true|false -> /dns64/enable: true|false - /dns64/rev-ttl -> /dns64/reverse-ttl - /dnssec: true|false -> /dnssec/enable: true|false - /dnssec/trust-anchor-sentinel -> /dnssec/sentinel - /dnssec/trust-anchor-signal-query -> /dnssec/signal-query - /logging/dnstap -> /logging/dnstap/enable - /logging/dnssec-bogus -> /dnssec/log-bogus - /monitoring/enabled -> /monitoring/metrics - /monitoring/graphite -> /monitoring/graphite/enable - /network/proxy_protocol -> /network/proxy_protocol/enable - /network/tls/files-watchdog -> /network/tls/watchdog - /rate-limiting -> /rate-limiting/enable - Changed default values in declarative configuration model (YAML). (!1672) - /logging/dnstap/log-queries: true -> false - /logging/dnstap/log-responses: true -> false - /logging/dnstap/log-tcp-rtt: true -> false Full changelog: https://gitlab.nic.cz/knot/knot-resolver/raw/v6.0.17/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.17.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.17.tar.xz.asc Documentation: https://www.knot-resolver.cz/documentation/v6.0.17/ -- Ales Mrazek PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE

3 týdny, 5 dní

2025

2024

2023

2022

2021

2020

2019

2018

knot-resolver-users Prosinec 2025