- knot-resolver-users - lists.nic.cz

Is it possible to disable "aggressive caching" (RFC 8198) ?

by Jiri Masek

Hi, is it somehow possible to disable RFC 8198 - aggressive caching in knot-resolver 6? I cannot find any information about that in docs. Unnamed chatbot is sure that it can be done with "cache.aggressive = false" in LUA script. But since it is undocumented, I would like to confirm that. Regards Jiri Masek

9 hodin, 8 minut

2
3
0 0

dnssec issue with .hsd1.tn.comcast.net

by matthias+cznic＠zu-con.org

Hello, I'm evaluating knot resolver and noticed that domains like c-50-149-161-131.hsd1.tn.comcast.net can't be resolved by knot resolver: $ dig @127.0.0.1 c-50-149-161-131.hsd1.tn.comcast.net a ; <<>> DiG 9.18.47-1~deb12u1-Debian <<>> @127.0.0.1 c-50-149-161-131.hsd1.tn.comcast.net a ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20156 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; EDE: 10 (RRSIGs Missing): (JZAJ) ;; QUESTION SECTION: ;c-50-149-161-131.hsd1.tn.comcast.net. IN A ;; Query time: 484 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Mon May 04 17:07:27 CEST 2026 ;; MSG SIZE rcvd: 75 other recursors are happy with it: $ dig @1.1.1.1 c-50-149-161-131.hsd1.tn.comcast.net a ; <<>> DiG 9.18.47-1~deb12u1-Debian <<>> @1.1.1.1 c-50-149-161-131.hsd1.tn.comcast.net a ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11935 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;c-50-149-161-131.hsd1.tn.comcast.net. IN A ;; ANSWER SECTION: c-50-149-161-131.hsd1.tn.comcast.net. 1302 IN A 50.149.161.131 ;; Query time: 8 msec ;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP) ;; WHEN: Mon May 04 17:14:30 CEST 2026 ;; MSG SIZE rcvd: 81 delv seems to be happy, too: delv @1.1.1.1 +vtrace c-50-149-161-131.hsd1.tn.comcast.net a [...] ;; validating hsd1.tn.comcast.net/DS: in validator_callback_nsec ;; validating hsd1.tn.comcast.net/DS: looking for relevant NSEC ;; validating hsd1.tn.comcast.net/DS: nsec proves name exists (owner) data=0 ;; validating hsd1.tn.comcast.net/DS: resuming validate_nx ;; validating hsd1.tn.comcast.net/DS: nonexistence proof(s) found ;; validating c-50-149-161-131.hsd1.tn.comcast.net/A: in fetch_callback_ds ;; validating c-50-149-161-131.hsd1.tn.comcast.net/A: marking as answer (fetch_callback_ds) ; unsigned answer c-50-149-161-131.hsd1.tn.comcast.net. 7200 IN A 50.149.161.131 here's the knot resolver debug output: Mai 04 17:22:14 [rules ][64917.00] => view selected action: policy.tags_assign_bitmap(0ULL) Mai 04 17:22:14 [iterat][64917.00] 'c-50-149-161-131.hsd1.tn.comcast.net.' type 'A' new uid was assigned .01, parent uid .00 Mai 04 17:22:14 [resolv][64917.01] => using root hints Mai 04 17:22:14 [iterat][64917.01] 'c-50-149-161-131.hsd1.tn.comcast.net.' type 'A' new uid was assigned .02, parent uid .00 Mai 04 17:22:14 [resolv][64917.02] >< TA: '.' Mai 04 17:22:14 [plan ][64917.02] plan '.' type 'DNSKEY' uid [64917.03] Mai 04 17:22:14 [iterat][64917.03] '.' type 'DNSKEY' new uid was assigned .04, parent uid .02 Mai 04 17:22:14 [select][64917.04] => id: '12737' choosing from addresses: 13 v4 + 13 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is KO Mai 04 17:22:14 [select][64917.04] => id: '12737' choosing: 'm.root-servers.net.'@'202.12.27.33#00053' with timeout 400 ms zone cut: '.' Mai 04 17:22:14 [resolv][64917.04] => id: '12737' querying: 'm.root-servers.net.'@'202.12.27.33#00053' zone cut: '.' qname: '.' qtype: 'DNSKEY' proto: 'udp' Mai 04 17:22:14 [select][64917.04] => id: '12737' updating: 'm.root-servers.net.'@'202.12.27.33#00053' zone cut: '.' with rtt 16 to srtt: 16 and variance: 8 Mai 04 17:22:14 [iterat][64917.04] <= rcode: NOERROR Mai 04 17:22:14 [valdtr][64917.04] <= parent: updating DNSKEY Mai 04 17:22:14 [valdtr][64917.04] <= answer valid, OK Mai 04 17:22:14 [cache ][64917.04] => stashed . DNSKEY, rank 060, 1090 B total, incl. 1 RRSIGs Mai 04 17:22:14 [iterat][64917.02] 'c-50-149-161-131.hsd1.tn.comcast.net.' type 'A' new uid was assigned .05, parent uid .00 Mai 04 17:22:14 [select][64917.05] => id: '58885' choosing from addresses: 13 v4 + 13 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is KO Mai 04 17:22:14 [select][64917.05] => id: '58885' choosing: 'c.root-servers.net.'@'192.33.4.12#00053' with timeout 400 ms zone cut: '.' Mai 04 17:22:14 [resolv][64917.05] => id: '58885' querying: 'c.root-servers.net.'@'192.33.4.12#00053' zone cut: '.' qname: 'net.' qtype: 'NS' proto: 'udp' Mai 04 17:22:14 [iterat][65570.00] '_ta-4f66-9728.' type 'NULL' new uid was assigned .01, parent uid .00 Mai 04 17:22:14 [resolv][65570.01] => using root hints Mai 04 17:22:14 [iterat][65570.01] '_ta-4f66-9728.' type 'NULL' new uid was assigned .02, parent uid .00 Mai 04 17:22:14 [resolv][65570.02] >< TA: '.' Mai 04 17:22:14 [plan ][65570.02] plan '.' type 'DNSKEY' uid [65570.03] Mai 04 17:22:14 [iterat][65570.03] '.' type 'DNSKEY' new uid was assigned .04, parent uid .02 Mai 04 17:22:14 [cache ][65570.04] => satisfied by exact RRset: rank 060, new TTL 86400 Mai 04 17:22:14 [iterat][65570.04] <= rcode: NOERROR Mai 04 17:22:14 [valdtr][65570.04] <= parent: updating DNSKEY Mai 04 17:22:14 [valdtr][65570.04] <= answer valid, OK Mai 04 17:22:14 [iterat][65570.02] '_ta-4f66-9728.' type 'NULL' new uid was assigned .05, parent uid .00 Mai 04 17:22:14 [select][65570.05] => id: '08979' choosing from addresses: 13 v4 + 13 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is KO Mai 04 17:22:14 [select][65570.05] => id: '08979' choosing: 'j.root-servers.net.'@'192.58.128.30#00053' with timeout 400 ms zone cut: '.' Mai 04 17:22:14 [resolv][65570.05] => id: '08979' querying: 'j.root-servers.net.'@'192.58.128.30#00053' zone cut: '.' qname: '_ta-4f66-9728.' qtype: 'NULL' proto: 'udp' Mai 04 17:22:14 [select][64917.05] => id: '58885' updating: 'c.root-servers.net.'@'192.33.4.12#00053' zone cut: '.' with rtt 7 to srtt: 7 and variance: 3 Mai 04 17:22:14 [iterat][64917.05] <= authority: many glue NSs, skipping the rest Mai 04 17:22:14 [iterat][64917.05] <= loaded 26 glue addresses Mai 04 17:22:14 [iterat][64917.05] <= referral response, follow Mai 04 17:22:14 [valdtr][64917.05] <= DS: OK Mai 04 17:22:14 [valdtr][64917.05] <= answer valid, OK Mai 04 17:22:14 [cache ][64917.05] => stashed net. DS, rank 060, 330 B total, incl. 1 RRSIGs Mai 04 17:22:14 [cache ][64917.05] => stashed net. NS, rank 002, 300 B total, incl. 0 RRSIGs Mai 04 17:22:14 [cache ][64917.05] => stashed also 26 nonauth RRsets Mai 04 17:22:14 [iterat][64917.05] 'c-50-149-161-131.hsd1.tn.comcast.net.' type 'A' new uid was assigned .06, parent uid .00 Mai 04 17:22:14 [plan ][64917.06] plan 'net.' type 'DNSKEY' uid [64917.07] Mai 04 17:22:14 [iterat][64917.07] 'net.' type 'DNSKEY' new uid was assigned .08, parent uid .06 Mai 04 17:22:14 [cache ][64917.08] => no NSEC* cached for zone: net. Mai 04 17:22:14 [cache ][64917.08] => skipping zone: net., NSEC, hash 0;new TTL -123456789, ret -2 Mai 04 17:22:14 [cache ][64917.08] => skipping zone: net., NSEC, hash 0;new TTL -123456789, ret -2 Mai 04 17:22:14 [select][64917.08] => id: '33392' choosing from addresses: 13 v4 + 13 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is KO Mai 04 17:22:14 [select][64917.08] => id: '33392' choosing: 'k.gtld-servers.net.'@'192.52.178.30#00053' with timeout 400 ms zone cut: 'net.' Mai 04 17:22:14 [resolv][64917.08] => id: '33392' querying: 'k.gtld-servers.net.'@'192.52.178.30#00053' zone cut: 'net.' qname: 'net.' qtype: 'DNSKEY' proto: 'udp' Mai 04 17:22:14 [select][65570.05] => id: '08979' updating: 'j.root-servers.net.'@'192.58.128.30#00053' zone cut: '.' with rtt 7 to srtt: 7 and variance: 3 Mai 04 17:22:14 [iterat][65570.05] <= rcode: NXDOMAIN Mai 04 17:22:14 [valdtr][65570.05] <= answer valid, OK Mai 04 17:22:14 [cache ][65570.05] => stashed . NSEC, rank 060, 310 B total, incl. 1 RRSIGs Mai 04 17:22:14 [cache ][65570.05] => stashed . SOA, rank 060, 358 B total, incl. 1 RRSIGs Mai 04 17:22:14 [cache ][65570.05] => nsec_p stashed for . (new, hash: 0) Mai 04 17:22:14 [resolv][65570.05] AD: request classified as SECURE Mai 04 17:22:14 [resolv][65570.05] finished in state: 4, queries: 2, mempool: 98352 B Mai 04 17:22:14 [select][64917.08] => id: '33392' updating: 'k.gtld-servers.net.'@'192.52.178.30#00053' zone cut: 'net.' with rtt 25 to srtt: 25 and variance: 12 Mai 04 17:22:14 [iterat][64917.08] <= rcode: NOERROR Mai 04 17:22:14 [valdtr][64917.08] <= parent: updating DNSKEY Mai 04 17:22:14 [valdtr][64917.08] <= answer valid, OK Mai 04 17:22:14 [cache ][64917.08] => stashed net. DNSKEY, rank 060, 244 B total, incl. 1 RRSIGs Mai 04 17:22:14 [iterat][64917.06] 'c-50-149-161-131.hsd1.tn.comcast.net.' type 'A' new uid was assigned .09, parent uid .00 Mai 04 17:22:14 [select][64917.09] => id: '14990' choosing from addresses: 13 v4 + 13 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is KO Mai 04 17:22:14 [select][64917.09] => id: '14990' choosing: 'f.gtld-servers.net.'@'192.35.51.30#00053' with timeout 400 ms zone cut: 'net.' Mai 04 17:22:14 [resolv][64917.09] => id: '14990' querying: 'f.gtld-servers.net.'@'192.35.51.30#00053' zone cut: 'net.' qname: 'comcast.net.' qtype: 'NS' proto: 'udp' Mai 04 17:22:14 [select][64917.09] => id: '14990' updating: 'f.gtld-servers.net.'@'192.35.51.30#00053' zone cut: 'net.' with rtt 8 to srtt: 8 and variance: 4 Mai 04 17:22:14 [iterat][64917.09] <= loaded 10 glue addresses Mai 04 17:22:14 [iterat][64917.09] <= referral response, follow Mai 04 17:22:14 [valdtr][64917.09] <= DS: OK Mai 04 17:22:14 [valdtr][64917.09] <= answer valid, OK Mai 04 17:22:14 [cache ][64917.09] => stashed comcast.net. DS, rank 060, 168 B total, incl. 1 RRSIGs Mai 04 17:22:14 [cache ][64917.09] => stashed comcast.net. NS, rank 002, 124 B total, incl. 0 RRSIGs Mai 04 17:22:14 [cache ][64917.09] => stashed also 10 nonauth RRsets Mai 04 17:22:14 [iterat][64917.09] 'c-50-149-161-131.hsd1.tn.comcast.net.' type 'A' new uid was assigned .10, parent uid .00 Mai 04 17:22:14 [plan ][64917.10] plan 'comcast.net.' type 'DNSKEY' uid [64917.11] Mai 04 17:22:14 [iterat][64917.11] 'comcast.net.' type 'DNSKEY' new uid was assigned .12, parent uid .10 Mai 04 17:22:14 [cache ][64917.12] => no NSEC* cached for zone: comcast.net. Mai 04 17:22:14 [cache ][64917.12] => skipping zone: comcast.net., NSEC, hash 0;new TTL -123456789, ret -2 Mai 04 17:22:14 [cache ][64917.12] => skipping zone: comcast.net., NSEC, hash 0;new TTL -123456789, ret -2 Mai 04 17:22:14 [select][64917.12] => id: '06051' choosing from addresses: 5 v4 + 5 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is KO Mai 04 17:22:14 [select][64917.12] => id: '06051' choosing: 'dns101.comcast.net.'@'69.252.250.103#00053' with timeout 400 ms zone cut: 'comcast.net.' Mai 04 17:22:14 [resolv][64917.12] => id: '06051' querying: 'dns101.comcast.net.'@'69.252.250.103#00053' zone cut: 'comcast.net.' qname: 'comcast.net.' qtype: 'DNSKEY' proto: 'udp' Mai 04 17:22:14 [select][64917.12] => id: '06051' updating: 'dns101.comcast.net.'@'69.252.250.103#00053' zone cut: 'comcast.net.' with rtt 115 to srtt: 115 and variance: 57 Mai 04 17:22:14 [iterat][64917.12] <= rcode: NOERROR Mai 04 17:22:14 [valdtr][64917.12] <= parent: updating DNSKEY Mai 04 17:22:14 [valdtr][64917.12] <= answer valid, OK Mai 04 17:22:14 [cache ][64917.12] => stashed comcast.net. DNSKEY, rank 060, 870 B total, incl. 2 RRSIGs Mai 04 17:22:14 [iterat][64917.10] 'c-50-149-161-131.hsd1.tn.comcast.net.' type 'A' new uid was assigned .13, parent uid .00 Mai 04 17:22:14 [select][64917.13] => id: '54966' choosing from addresses: 5 v4 + 5 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is KO Mai 04 17:22:14 [select][64917.13] => id: '54966' choosing: 'dns105.comcast.net.'@'68.87.72.244#00053' with timeout 400 ms zone cut: 'comcast.net.' Mai 04 17:22:14 [resolv][64917.13] => id: '54966' querying: 'dns105.comcast.net.'@'68.87.72.244#00053' zone cut: 'comcast.net.' qname: 'tn.comcast.net.' qtype: 'NS' proto: 'udp' Mai 04 17:22:14 [select][64917.13] => id: '54966' updating: 'dns105.comcast.net.'@'68.87.72.244#00053' zone cut: 'comcast.net.' with rtt 142 to srtt: 142 and variance: 71 Mai 04 17:22:14 [iterat][64917.13] <= rcode: NOERROR Mai 04 17:22:14 [iterat][64917.13] <= retrying with non-minimized name Mai 04 17:22:14 [iterat][64917.13] 'c-50-149-161-131.hsd1.tn.comcast.net.' type 'A' new uid was assigned .14, parent uid .00 Mai 04 17:22:14 [select][64917.14] => id: '27279' choosing from addresses: 5 v4 + 5 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is KO Mai 04 17:22:14 [select][64917.14] => id: '27279' choosing: 'dns103.comcast.net.'@'68.87.76.228#00053' with timeout 400 ms zone cut: 'comcast.net.' Mai 04 17:22:14 [resolv][64917.14] => id: '27279' querying: 'dns103.comcast.net.'@'68.87.76.228#00053' zone cut: 'comcast.net.' qname: 'c-50-149-161-131.hsd1.tn.comcast.net.' qtype: 'A' proto: 'udp' Mai 04 17:22:15 [select][64917.14] => id: '27279' updating: 'dns103.comcast.net.'@'68.87.76.228#00053' zone cut: 'comcast.net.' with rtt 180 to srtt: 180 and variance: 90 Mai 04 17:22:15 [iterat][64917.14] <= rcode: NOERROR Mai 04 17:22:15 [valdtr][64917.14] >< cut changed, needs revalidation Mai 04 17:22:15 [resolv][64917.14] => resuming yielded answer Mai 04 17:22:15 [valdtr][64917.14] >< no valid RRSIGs found: c-50-149-161-131.hsd1.tn.comcast.net. A (0 matching RRSIGs, 0 expired, 0 not yet valid, 0 invalid signer, 0 invalid label count, 0 invalid key, 0 invalid crypto, 0 invalid NSEC) Mai 04 17:22:15 [plan ][64917.14] plan 'tn.comcast.net.' type 'DS' uid [64917.15] Mai 04 17:22:15 [iterat][64917.15] 'tn.comcast.net.' type 'DS' new uid was assigned .16, parent uid .14 Mai 04 17:22:15 [cache ][64917.16] => no NSEC* cached for zone: comcast.net. Mai 04 17:22:15 [cache ][64917.16] => skipping zone: comcast.net., NSEC, hash 0;new TTL -123456789, ret -2 Mai 04 17:22:15 [cache ][64917.16] => skipping zone: comcast.net., NSEC, hash 0;new TTL -123456789, ret -2 Mai 04 17:22:15 [select][64917.16] => id: '58255' choosing from addresses: 5 v4 + 5 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is KO Mai 04 17:22:15 [select][64917.16] => id: '58255' choosing: 'dns104.comcast.net.'@'68.87.68.244#00053' with timeout 400 ms zone cut: 'comcast.net.' Mai 04 17:22:15 [resolv][64917.16] => id: '58255' querying: 'dns104.comcast.net.'@'68.87.68.244#00053' zone cut: 'comcast.net.' qname: 'tn.comcast.net.' qtype: 'DS' proto: 'udp' Mai 04 17:22:15 [select][64917.16] => id: '58255' updating: 'dns104.comcast.net.'@'68.87.68.244#00053' zone cut: 'comcast.net.' with rtt 149 to srtt: 149 and variance: 74 Mai 04 17:22:15 [iterat][64917.16] <= rcode: NOERROR Mai 04 17:22:15 [valdtr][64917.16] <= parent: updating DS Mai 04 17:22:15 [valdtr][64917.16] <= answer valid, OK Mai 04 17:22:15 [cache ][64917.16] => stashed tmwtwabv02w-cisco-cbmr.comcast.net. NSEC, rank 060, 212 B total, incl. 1 RRSIGs Mai 04 17:22:15 [cache ][64917.16] => stashed comcast.net. SOA, rank 060, 248 B total, incl. 1 RRSIGs Mai 04 17:22:15 [cache ][64917.16] => nsec_p stashed for comcast.net. (new, hash: 0) Mai 04 17:22:15 [resolv][64917.14] => resuming yielded answer Mai 04 17:22:15 [valdtr][64917.14] >< no valid RRSIGs found: c-50-149-161-131.hsd1.tn.comcast.net. A (0 matching RRSIGs, 0 expired, 0 not yet valid, 0 invalid signer, 0 invalid label count, 0 invalid key, 0 invalid crypto, 0 invalid NSEC) Mai 04 17:22:15 [plan ][64917.14] plan 'tn.comcast.net.' type 'DS' uid [64917.17] Mai 04 17:22:15 [iterat][64917.17] 'tn.comcast.net.' type 'DS' new uid was assigned .18, parent uid .14 Mai 04 17:22:15 [cache ][64917.18] => trying zone: comcast.net., NSEC, hash 0 Mai 04 17:22:15 [cache ][64917.18] => NSEC sname: covered by: tmwtwabv02w-cisco-cbmr.comcast.net. -> andrsn01.tn.comcast.net., new TTL 900 Mai 04 17:22:15 [cache ][64917.18] => NSEC sname: empty non-terminal by the same RR Mai 04 17:22:15 [iterat][64917.18] <= rcode: NOERROR Mai 04 17:22:15 [valdtr][64917.18] <= parent: updating DS Mai 04 17:22:15 [valdtr][64917.18] <= answer valid, OK Mai 04 17:22:15 [resolv][64917.14] => resuming yielded answer Mai 04 17:22:15 [valdtr][64917.14] >< no valid RRSIGs found: c-50-149-161-131.hsd1.tn.comcast.net. A (0 matching RRSIGs, 0 expired, 0 not yet valid, 0 invalid signer, 0 invalid label count, 0 invalid key, 0 invalid crypto, 0 invalid NSEC) Mai 04 17:22:15 [valdtr][64917.14] <= continuous revalidation, fails Mai 04 17:22:15 [cache ][64917.14] => stashed c-50-149-161-131.hsd1.tn.comcast.net. A, rank 027, 20 B total, incl. 0 RRSIGs Mai 04 17:22:15 [cache ][64917.14] => not overwriting A c-50-149-161-131.hsd1.tn.comcast.net. Mai 04 17:22:15 [resolv][64917.00] request failed, answering with empty SERVFAIL Mai 04 17:22:15 [resolv][64917.14] finished in state: 8, queries: 5, mempool: 98400 B I'm wondering what's wrong here and if it's possible to mitigate that. Best regards, Matthias

2 dny, 3 hodiny

3
2
0 0

Re: is there a way to force DNS64 synthesis for specific domains that have native AAAA records?

by Vladimír Čunát

On 12/01/2026 00.11, * wrote: > However, I cannot use it in my production environment as this returns > NODATA globally (all views) for security.ubuntu.com. > I have several views not using dns64 for which the AAAA record should > be the existing original answer. While on Lua level it's not ergonomic, tags are supported in these APIs, so you can do a tiny change, e.g.: lua: policy-script: | assert(C.kr_rule_local_data_ins( kres.rrset(kres.str2dname('security.ubuntu.com.'), kres.type.AAAA, nil, C.KR_RULE_TTL_DEFAULT), nil, policy.get_tagset({'myTag'}), C.KR_RULE_OPTS_DEFAULT ) == 0) and then you just need to add myTag to the views where you want to apply this rule (in YAML). You can read more about tags and views in the docs, around page https://www.knot-resolver.cz/documentation/latest/config-policy-new.html

1 měsíc

3
3
0 0

Knot Resolver 6.3.0

by Aleš Mrázek

Dear Knot Resolver users, Knot Resolver 6.3.0 has been released! Improvements: - /local-data/rpz: support *.some.name. CNAME block.page. (!1808) - /local-data/rpz: print line number in the RPZ on error (!1823) - /local-data/nodata: also apply to `rpz:` and `records:` (!1812) - reply BADVERS on unsupported EDNS versions (#404, !1599) - make DoH cache-control header respect our cache's TTL limits (!1819) Bugfixes: - don't loop on reload in case policy-loader can't succeed (#950, !1824) - reduce excessive caching of some uncommon failed answers (!1819) - /local-data: fix `redirect` rules and *.localhost since v6.0.13 (!1817) Full changelog: https://gitlab.nic.cz/knot/knot-resolver/raw/v6.3.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-6.3.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-6.3.0.tar.xz.asc Documentation: https://www.knot-resolver.cz/documentation/v6.3.0/ -- Ales Mrazek PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE

1 měsíc, 1 týden

1
0
0 0

policy-loader endless loop when using more than one rpz

by Frederik Himpe

Hello, I'm using this config.yaml with Knot Resolver 6 (on Debian 13): workers: auto network: listen: - interface: 127.0.0.1@53 logging: level: info options: violators-workarounds: true cache: size-max: 100M prefetch: expiring: true dnssec: log-bogus: true local-data: rpz: - file: /var/lib/rpz/urlhaus.abuse.ch.rpz - file: /var/lib/rpz/threatfox.abuse.ch.rpz lua: script: | policy.add(policy.suffix(policy.DENY, {todname('use-application-dns.net.')})) policy.add(policy.suffix(policy.PASS, policy.todnames({ 'uribl.com', 'zen.spamhaus.org', 'dbl.spamhaus.org', 'list.dnswl.org', 'sa-trusted.bondedsender.org', 'sa-accredit.habeas.com', 'bl.score.senderscore.com', 'dnsbl-1.uceprotect.net', 'dnsbl-2.uceprotect.net', 'dnsbl-3.uceprotect.net' }))) policy.add(policy.all(policy.TLS_FORWARD({ {'9.9.9.9', hostname='dns.quad9.net', ca_file='/etc/ssl/certs/ca-certificates.crt' }, {'149.112.112.112', hostname='dns.quad9.net', ca_file='/etc/ssl/certs/ca-certificates.crt' }, }))) This results in this endless loop in the logs: Apr 10 11:56:49 supervisord[56300]: captured stdio output from policy-loader[56777] (stderr): [system] config 'policy-loader.conf' (workdir '/run/knot-resolver'): No such file or directory Apr 10 11:56:49 supervisord[56300]: success: policy-loader entered RUNNING state, process has stayed up for > than 0 seconds (startsecs) Apr 10 11:56:49 supervisord[56300]: exited: policy-loader (exit status 1; not expected) Apr 10 11:56:49 supervisord[56300]: spawned: 'policy-loader' with pid 56778 Apr 10 11:56:49 supervisord[56300]: captured stdio output from policy-loader[56778] (stderr): [system] config 'policy-loader.conf' (workdir '/run/knot-resolver'): No such file or directory Apr 10 11:56:49 supervisord[56300]: success: policy-loader entered RUNNING state, process has stayed up for > than 0 seconds (startsecs) Apr 10 11:56:50 supervisord[56300]: exited: policy-loader (exit status 1; not expected) When using only one rpz file, thus removing the whole line - file: /var/lib/rpz/threatfox.abuse.ch.rpz it works fine. What am I doing wrong here? -- Frederik Himpe <frederik(a)frehi.be>

1 měsíc, 3 týdny

2
3
0 0

Knot Resolver 6.20: persistent SERVFAIL after temporary authority unreachability

by m.maslowski12＠gmail.com

Hi, I reported an issue in Knot Resolver 6.20 that is causing some problems for me. After a short outage of authoritative servers, the resolver returns SERVFAIL + EDE 22 (No Reachable Authority) and keeps this state for a few minutes even after connectivity is restored. Also, after switching to TCP, it does not go back to UDP. You can find the full description and steps to reproduce here: → https://gitlab.nic.cz/knot/knot-resolver/-/issues/949 Has anyone else seen this issue ? Do you have any better workaround than clearing the cache ?

2 měsíce, 1 týden

1
0
0 0

Checking for updated Root KSK

by Ulrich Wisser

Hi, I am trying to make a small tutorial for different resolvers on how to check that the Root KSK is updated. How can I check that for Knot resolver? Kind regards from sunny Stockholm Ulrich

2 měsíce, 2 týdny

2
3
0 0

log-bogus does not work in 6.2.0 ?

by Jiri Masek

Hi, I am testing new version of knot-resolver - 6.2.0 and it seem that log-bogus option is not working. When I set: logging: level: info dnssec: # Log DNSSEC failures log-bogus: true And issue query to www.dnssec-failed.org it does not log error. On old recursor where I have 6.0.15 it does log: Mar 16 14:37:02 resolver1 kresd[3453]: [dnssec] validation failure: dnssec-failed.org. DNSKEY Is there somethink I missed? Or it is a bug? If I get it, only thing changed should be this (in 6.0.17): /logging/dnssec-bogus -> /dnssec/log-bogus Regards, Jiri Masek

2 měsíce, 3 týdny

1
0
0 0

Ingesting RPZs

by Giles Crawford

Hi All, Just wondering how you guys are ingesting RPZ feeds into Knot Resolver. While Knot doesn't natively support zone transfers at this time, it can import the zone files, and then kick the zone if the file changes, so that's what I'm doing. I'm doing the zone transfers (10 zones from ioc2rpz) using BIND for now, and then writing the zone files to storage that Knot Resolver can read. I know that dns4eu uses Knot Resolver for their protective recursor service, so I'd be curious to know how they're doing this. Could be that they're using a custom version of Knot that's zone transfer capable. For context, I run Knot Resolver behind dnsdist, and they're complimentary, offering huge flexibility. Would be great to see rpz-passthru support in the BIND format too (forgive me if that's already possible) so that a traditional white-list-first tiered approach can be followed. (Super impressed with Knot resolver, so hats off to all at CZ). Cheers, GC

4 měsíce

2
5
0 0

SERVFAIL with Internal Resolver

by Darren Rambaud

Hi knot-resolver-users -- I am looking to install a DNS resolver for my local network and `knot-resolver` seemed to fit the bill. Network is setup like this: VLAN 1 Gateway IP 10.0.0.5 Search Domain Name internal.example.com <http://internal.example.com/> VLAN 2 Gateway IP 10.0.1.1 Search Domain Name research.internal.example.com <http://research.example.com/> ... At the moment, `knot-resolver` deployed to a single server (10.0.1.6) with this configuration: ``` forward: - options: authoritative: true dnssec: false servers: - 10.0.0.5 subtree: - internal.example.com - options: authoritative: true dnssec: false servers: - 10.0.1.1 subtree: - research.internal.example.com logging: level: info network: listen: - freebind: false interface: - 127.0.0.1 - 10.0.1.6 kind: dns port: 53 workers: 1 ``` On another machine (10.0.0.100), public queries resolve correctly: ``` # dig @10.0.1.6 knot-resolver.cz ; <<>> DiG 9.20.17 <<>> @10.0.2.6 knot-resolver.cz ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34301 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;knot-resolver.cz. IN A ;; ANSWER SECTION: knot-resolver.cz. 1800 IN A 217.31.204.96 ;; Query time: 1281 msec ;; SERVER: 10.0.1.6#53(10.0.1.6) (UDP) ;; WHEN: Fri Jan 30 16:19:23 CST 2026 ;; MSG SIZE rcvd: 61 # nslookup knot-resolver.cz 10.0.1.6 Server: 10.0.1.6 Address: 10.0.1.6#53 Non-authoritative answer: Name: knot-resolver.cz Address: 217.31.204.96 Name: knot-resolver.cz Address: 2001:1488:800:400::2:96 ``` Queries within internal network return the correct assigned IP address however report `SERVFAIL`: ``` # nslookup m1.research.internal.example.com 10.0.2.6 Server: 10.0.1.6 Address: 10.0.1.6#53 Non-authoritative answer: Name: m1.research.internal.example.com Address: 10.0.2.6 ;; Got SERVFAIL reply from 10.0.1.6 ** server can't find m1.research.internal.example.com: SERVFAIL ``` Replacing `10.0.2.6` with `10.0.0.5` (gateway IP that normally acts as resolver) does not return `SERVFAIL`: ``` # nslookup obnoxious.research.in.rambaud.dev 10.0.0.5 Server: 10.0.0.5 Address: 10.0.0.5#53 Name: m1.research.internal.example.com Address: 10.0.2.6 ``` Is the SERVFAIL something I should worry about here? Or is there a misconfiguration on my end with `knot-resolver`? Darren

4 měsíce

3
2
0 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

knot-resolver-users