- knot-resolver-users - lists.nic.cz

Knot Resolver 6.20: persistent SERVFAIL after temporary authority unreachability

by m.maslowski12＠gmail.com

Hi, I reported an issue in Knot Resolver 6.20 that is causing some problems for me. After a short outage of authoritative servers, the resolver returns SERVFAIL + EDE 22 (No Reachable Authority) and keeps this state for a few minutes even after connectivity is restored. Also, after switching to TCP, it does not go back to UDP. You can find the full description and steps to reproduce here: → https://gitlab.nic.cz/knot/knot-resolver/-/issues/949 Has anyone else seen this issue ? Do you have any better workaround than clearing the cache ?

6 dní, 22 hodin

1
0
0 0

Checking for updated Root KSK

by Ulrich Wisser

Hi, I am trying to make a small tutorial for different resolvers on how to check that the Root KSK is updated. How can I check that for Knot resolver? Kind regards from sunny Stockholm Ulrich

1 týden, 1 den

2
3
0 0

log-bogus does not work in 6.2.0 ?

by Jiri Masek

Hi, I am testing new version of knot-resolver - 6.2.0 and it seem that log-bogus option is not working. When I set: logging: level: info dnssec: # Log DNSSEC failures log-bogus: true And issue query to www.dnssec-failed.org it does not log error. On old recursor where I have 6.0.15 it does log: Mar 16 14:37:02 resolver1 kresd[3453]: [dnssec] validation failure: dnssec-failed.org. DNSKEY Is there somethink I missed? Or it is a bug? If I get it, only thing changed should be this (in 6.0.17): /logging/dnssec-bogus -> /dnssec/log-bogus Regards, Jiri Masek

2 týdny, 1 den

1
0
0 0

Ingesting RPZs

by Giles Crawford

Hi All, Just wondering how you guys are ingesting RPZ feeds into Knot Resolver. While Knot doesn't natively support zone transfers at this time, it can import the zone files, and then kick the zone if the file changes, so that's what I'm doing. I'm doing the zone transfers (10 zones from ioc2rpz) using BIND for now, and then writing the zone files to storage that Knot Resolver can read. I know that dns4eu uses Knot Resolver for their protective recursor service, so I'd be curious to know how they're doing this. Could be that they're using a custom version of Knot that's zone transfer capable. For context, I run Knot Resolver behind dnsdist, and they're complimentary, offering huge flexibility. Would be great to see rpz-passthru support in the BIND format too (forgive me if that's already possible) so that a traditional white-list-first tiered approach can be followed. (Super impressed with Knot resolver, so hats off to all at CZ). Cheers, GC

1 měsíc, 3 týdny

2
5
0 0

SERVFAIL with Internal Resolver

by Darren Rambaud

Hi knot-resolver-users -- I am looking to install a DNS resolver for my local network and `knot-resolver` seemed to fit the bill. Network is setup like this: VLAN 1 Gateway IP 10.0.0.5 Search Domain Name internal.example.com <http://internal.example.com/> VLAN 2 Gateway IP 10.0.1.1 Search Domain Name research.internal.example.com <http://research.example.com/> ... At the moment, `knot-resolver` deployed to a single server (10.0.1.6) with this configuration: ``` forward: - options: authoritative: true dnssec: false servers: - 10.0.0.5 subtree: - internal.example.com - options: authoritative: true dnssec: false servers: - 10.0.1.1 subtree: - research.internal.example.com logging: level: info network: listen: - freebind: false interface: - 127.0.0.1 - 10.0.1.6 kind: dns port: 53 workers: 1 ``` On another machine (10.0.0.100), public queries resolve correctly: ``` # dig @10.0.1.6 knot-resolver.cz ; <<>> DiG 9.20.17 <<>> @10.0.2.6 knot-resolver.cz ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34301 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;knot-resolver.cz. IN A ;; ANSWER SECTION: knot-resolver.cz. 1800 IN A 217.31.204.96 ;; Query time: 1281 msec ;; SERVER: 10.0.1.6#53(10.0.1.6) (UDP) ;; WHEN: Fri Jan 30 16:19:23 CST 2026 ;; MSG SIZE rcvd: 61 # nslookup knot-resolver.cz 10.0.1.6 Server: 10.0.1.6 Address: 10.0.1.6#53 Non-authoritative answer: Name: knot-resolver.cz Address: 217.31.204.96 Name: knot-resolver.cz Address: 2001:1488:800:400::2:96 ``` Queries within internal network return the correct assigned IP address however report `SERVFAIL`: ``` # nslookup m1.research.internal.example.com 10.0.2.6 Server: 10.0.1.6 Address: 10.0.1.6#53 Non-authoritative answer: Name: m1.research.internal.example.com Address: 10.0.2.6 ;; Got SERVFAIL reply from 10.0.1.6 ** server can't find m1.research.internal.example.com: SERVFAIL ``` Replacing `10.0.2.6` with `10.0.0.5` (gateway IP that normally acts as resolver) does not return `SERVFAIL`: ``` # nslookup obnoxious.research.in.rambaud.dev 10.0.0.5 Server: 10.0.0.5 Address: 10.0.0.5#53 Name: m1.research.internal.example.com Address: 10.0.2.6 ``` Is the SERVFAIL something I should worry about here? Or is there a misconfiguration on my end with `knot-resolver`? Darren

1 měsíc, 3 týdny

3
2
0 0

Knot Resolver 6.2.0

by Aleš Mrázek

Dear Knot Resolver users, Knot Resolver 6.2.0 has been released! Improvements: - DNS-over-QUIC (DoQ) is available for serving (beta, !1747) Bugfixes: - fix UDP answers without sendmmsg, e.g. on non-Linux (!1795) - fix /logging/groups in python 3.8 (!1799) Full changelog: https://gitlab.nic.cz/knot/knot-resolver/raw/v6.2.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-6.2.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-6.2.0.tar.xz.asc Documentation: https://www.knot-resolver.cz/documentation/v6.2.0/ -- Ales Mrazek PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE

1 měsíc, 3 týdny

1
0
0 0

Re: is there a way to force DNS64 synthesis for specific domains that have native AAAA records?

by Vladimír Čunát

On 12/01/2026 00.11, * wrote: > However, I cannot use it in my production environment as this returns > NODATA globally (all views) for security.ubuntu.com. > I have several views not using dns64 for which the AAAA record should > be the existing original answer. While on Lua level it's not ergonomic, tags are supported in these APIs, so you can do a tiny change, e.g.: lua: policy-script: | assert(C.kr_rule_local_data_ins( kres.rrset(kres.str2dname('security.ubuntu.com.'), kres.type.AAAA, nil, C.KR_RULE_TTL_DEFAULT), nil, policy.get_tagset({'myTag'}), C.KR_RULE_OPTS_DEFAULT ) == 0) and then you just need to add myTag to the views where you want to apply this rule (in YAML). You can read more about tags and views in the docs, around page https://www.knot-resolver.cz/documentation/latest/config-policy-new.html

2 měsíce, 2 týdny

3
2
0 0

Knot Resolver 6.0.16

by Aleš Mrázek

Dear Knot Resolver users, Knot Resolver 6.0.16 (early-access) has been released! Improvements: - reduce validation strictness for domain names (#934, !1727) - manager: force a configuration reload via management HTTP API 'api/reload/force' (#939, !1748) - kresctl: reload: added '--force' flag - /fallback: add this feature/module (!1733) - systemd: do not force-fail knot-resolver.service on OOM (!1724) In basically all cases the OOM killer will kill a kresd process and supervisord will just restart it, and everything will keep working. Bugfixes: - /options/query-case-randomization: respect this even on TCP issues (!1732) - prometheus metrics: make the latency histogram cumulative (!1731, GH#117) - fix file permission checks when running as root (!1741) - /network/address-renumbering: fix conversion to Lua configuration (!1739) - manager: avoid uncommon bugs when starting/quitting policy-loader (!1742) Full changelog: https://gitlab.nic.cz/knot/knot-resolver/raw/v6.0.16/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.16.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.16.tar.xz.asc Documentation: https://www.knot-resolver.cz/documentation/v6.0.16/ -- Ales Mrazek PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE

2 měsíce, 2 týdny

3
4
0 0

Knot Resolver 6.0.17

by Aleš Mrázek

Dear Knot Resolver users, Knot Resolver 6.0.17 (early-access) has been released! Improvements: - kresctl migrate: new command for migrating the configuration to a newer version (!1672) - manager: basic support for non-Linux systems (macOS, FreeBSD) (!1758) - cache: collect garbage based on usage statistics (!1726) This results in using the cache space better, and in practice it reduces latency especially in case of answers that are *not* fully cached. Incompatible changes: See upgrading guide for incompatible configuration changes: https://www.knot-resolver.cz/documentation/v6.0.17/upgrading.html - Removed options from declarative configuration model (YAML). (!1672, !1754) These are mostly experimental and debugging/testing options that are not useful for general users (remain in Lua): - /dnssec/refresh-time - /dnssec/hold-down-time - /dnssec/time-skew-detection - /dnssec/keep-removed - /local-data/root-fallback-addresses* - /logging/debugging - /max-workers - /network/tls/auto-discovery - /webmgmt - Renamed/moved options in the declarative configuration model (YAML). (!1672) - /cache/garbage-collector -> /cache/garbage-collector/enable - /cache/prefetch/prediction -> /cache/prefetch/prediction/enable - /defer/enabled -> /defer/enable - /dns64: true|false -> /dns64/enable: true|false - /dns64/rev-ttl -> /dns64/reverse-ttl - /dnssec: true|false -> /dnssec/enable: true|false - /dnssec/trust-anchor-sentinel -> /dnssec/sentinel - /dnssec/trust-anchor-signal-query -> /dnssec/signal-query - /logging/dnstap -> /logging/dnstap/enable - /logging/dnssec-bogus -> /dnssec/log-bogus - /monitoring/enabled -> /monitoring/metrics - /monitoring/graphite -> /monitoring/graphite/enable - /network/proxy_protocol -> /network/proxy_protocol/enable - /network/tls/files-watchdog -> /network/tls/watchdog - /rate-limiting -> /rate-limiting/enable - Changed default values in declarative configuration model (YAML). (!1672) - /logging/dnstap/log-queries: true -> false - /logging/dnstap/log-responses: true -> false - /logging/dnstap/log-tcp-rtt: true -> false Full changelog: https://gitlab.nic.cz/knot/knot-resolver/raw/v6.0.17/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.17.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.17.tar.xz.asc Documentation: https://www.knot-resolver.cz/documentation/v6.0.17/ -- Ales Mrazek PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE

2 měsíce, 3 týdny

5
8
0 0

Knot Resolver 6.1.0 (stable)

by Aleš Mrázek

Dear Knot Resolver users, Knot Resolver 6.1.0, the first officially stable version 6, has been released! As of this release, version 6 is preferred over version 5. Improvements: - logging: improved logging groups (!1768) - support libdnssec merged into libknot, as planned for knot >= 3.6 (!1769) - support cmocka 2.0.0 (!1772) - avoid AD=1 in reply if ANSWER+AUTHORITY are empty (#914, !1780) - defer: enabled by default in declarative configuration (!1785) - /defer/enable: false -> true - datamodel: lua: added Lua scripts for policy-loader (!1771) Bugfixes: - reload did not apply changes to /fallback (!1763) - fix config.cache.clear test on apple silicon (!1766) - cache: fix wrong TTL in some cases, typically 32768 (!1774) Full changelog: https://gitlab.nic.cz/knot/knot-resolver/raw/v6.1.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-6.1.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-6.1.0.tar.xz.asc Documentation: https://www.knot-resolver.cz/documentation/v6.1.0/ -- Ales Mrazek PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE

2 měsíce, 3 týdny

1
0
0 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

knot-resolver-users