- knot-resolver-users - lists.nic.cz

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 5.1.3 has been released! Improvements ------------ - capabilities are no longer constrained when running as root (!1012) - cache: add percentage usage to cache.stats() (#580, !1025) - cache: add number of cache entries to cache.stats() (#510, !1028) - aarch64 support again, as some systems still didn't work (!1033) - support building against Knot DNS 3.0 (!1053) Bugfixes -------- - tls: fix compilation to support net.tls_sticket_secret() (!1021) - validator: ignore bogus RRSIGs present in insecure domains (!1022, #587) - build if libsystemd version isn't detected as integer (#592, !1029) - validator: more robust reaction on missing RRSIGs (#390, !1020) - ta_update module: fix broken RFC5011 rollover (!1035) - garbage collector: avoid keeping multiple copies of cache (!1042) Full changelog: https://gitlab.nic.cz/knot/knot-resolver/raw/v5.1.3/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.1.3.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.1.3.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v5.1.3/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

4 roky, 9 měsíců

1
0
0 0

policy.ANSWER AAAA

by None

I am newby in kresd and lua ipv4 format in documentation 127.0.0.1 as "\127\0\0\1" is new for me i meen "fe80::56e6::f188:75d6" as "\fe80\\56e6\f188\75d6" is no right way (no work for me) i will try kres.str2ip('........')

4 roky, 10 měsíců

1
0
0 0

Re: [knot-resolver-users] policy.ANSWER AAAA

by Petr Špaček

On 13. 08. 20 8:35, knot-resolver-users-bounces(a)lists.nic.cz wrote: > how is correct syntax for ipv6 address in policy.ANSWER ? Hello, and thank you for pointing out our insufficient documentation. I've attempted to clarify it in the following change: https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1037/diffs?view=p… Does the text on right side (green part) answer your question? If not, what is unclear? -- Petr Špaček @ CZ.NIC

4 roky, 10 měsíců

1
0
0 0

policy.ANSWER AAAA

by None

how is correct syntax for ipv6 address in policy.ANSWER ?

4 roky, 10 měsíců

1
0
0 0

cache size / full / kresd crash

by Petr Kyselák

Hello all, I have a question regarding cache size and it’s using. We are running knot-resolver on RaspberryPI 4 (as secondary cache). Previously we had 256MB cache as tmpfs and hit issue that process crashed due to “No space left on device (workdir '/var/lib/knot-resolver')” I doubled the site to 512MB, but same issue occurs. My question is why it crash even from the logs the usage of cache is about 80 percent (same in the case with 256MB). I taught that kres-cache-gc is taking care about its size and it does not allow to full the cache and prevent writing to it in the way that main process crash. Should we increase the cache size or we hit a some bug? Any other suggestion what could cause that cache is full and not “cleared”? Thank you for tip and have a nice day. Petr Kyselak Config: /etc/fstab tmpfs /var/cache/knot-resolver tmpfs rw,size=512m,uid=knot-resolver,gid=knot-resolver,nosuid,nodev,noexec,mode=0700 0 00 -- Cache size cache.size = cache.fssize() - 10*MB Logs: Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: Cache analyzed in 1.41 secs, 1038386 records, limit category is 100. Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: 0 records to be deleted using 0.00 MBytes of temporary memory, 0 records skipped due to memory limit. Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: Deleted 0 records (0 already gone) types Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: It took 0.00 secs, 0 transactions (OK) Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: Usage: 81.32% (428077056 / 526385152) Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: Cache analyzed in 1.41 secs, 1038420 records, limit category is 100. Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: 0 records to be deleted using 0.00 MBytes of temporary memory, 0 records skipped due to memory limit. Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: Deleted 0 records (0 already gone) types Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: It took 0.00 secs, 0 transactions (OK) Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: Usage: 81.32% (428077056 / 526385152) Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: Cache analyzed in 1.41 secs, 1038420 records, limit category is 100. Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: 0 records to be deleted using 0.00 MBytes of temporary memory, 0 records skipped due to memory limit. Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: Deleted 0 records (0 already gone) types Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: It took 0.00 secs, 0 transactions (OK) Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: Usage: 81.32% (428077056 / 526385152) Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: Cache analyzed in 1.41 secs, 1038421 records, limit category is 100. Jun 4 16:32:32 dns-cache-2 kresd[672]: [cache] MDB_BAD_TXN, probably overfull Jun 4 16:32:32 dns-cache-2 kresd[672]: [cache] clearing error, falling back Jun 4 16:32:32 dns-cache-2 kresd[672]: [cache] MDB_BAD_TXN, probably overfull Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] MDB_BAD_TXN, probably overfull Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing error, falling back Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] MDB_BAD_TXN, probably overfull Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing failed to get ./.cachelock; retry later Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing because overfull, ret = -17 Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] MDB_BAD_TXN, probably overfull Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing error, falling back Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] MDB_BAD_TXN, probably overfull Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing failed to get ./.cachelock; retry later Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing because overfull, ret = -17 Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] MDB_BAD_TXN, probably overfull Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing error, falling back Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] MDB_BAD_TXN, probably overfull Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing failed to get ./.cachelock; retry later Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing because overfull, ret = -17 … Jun 4 16:32:32 dns-cache-2 systemd[1]: kresd(a)1.service: Main process exited, code=killed, status=11/SEGV Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing failed to get ./.cachelock; retry later Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing because overfull, ret = -17 Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] MDB_BAD_TXN, probably overfull Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing error, falling back Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] MDB_BAD_TXN, probably overfull Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing failed to get ./.cachelock; retry later Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing because overfull, ret = -17 … Jun 4 16:32:32 dns-cache-2 systemd[1]: kresd(a)1.service: Failed with result 'signal'. … Jun 4 16:32:32 dns-cache-2 systemd[1]: kresd(a)2.service: Main process exited, code=killed, status=11/SEGV Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing failed to get ./.cachelock; retry later Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing because overfull, ret = -17 Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] MDB_BAD_TXN, probably overfull Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing error, falling back … Jun 4 16:32:32 dns-cache-2 systemd[1]: kresd(a)2.service: Failed with result 'signal'. Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing because overfull, ret = -17 Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] MDB_BAD_TXN, probably overfull Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing error, falling back … Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] MDB_BAD_TXN, probably overfull Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing because overfull, ret = -28 Jun 4 16:32:32 dns-cache-2 systemd[1]: kresd(a)1.service: Service RestartSec=100ms expired, scheduling restart. Jun 4 16:32:32 dns-cache-2 systemd[1]: kresd(a)1.service: Scheduled restart job, restart counter is at 1. Jun 4 16:32:32 dns-cache-2 systemd[1]: kresd(a)2.service: Service RestartSec=100ms expired, scheduling restart. Jun 4 16:32:32 dns-cache-2 systemd[1]: kresd(a)2.service: Scheduled restart job, restart counter is at 1. Jun 4 16:32:32 dns-cache-2 kresd[30052]: [system] error while loading config: /usr/lib/knot-resolver/sandbox.lua:400: can't open cache path '/var/cache/knot-resolver'; working directory '/var/lib/knot-resolver'; No space left on device (workdir '/var/lib/knot-resolver') Jun 4 16:32:32 dns-cache-2 systemd[1]: kresd(a)1.service: Main process exited, code=exited, status=1/FAILURE Jun 4 16:32:32 dns-cache-2 systemd[1]: kresd(a)1.service: Failed with result 'exit-code'. Jun 4 16:32:32 dns-cache-2 kresd[30051]: [system] error while loading config: /usr/lib/knot-resolver/sandbox.lua:400: can't open cache path '/var/cache/knot-resolver'; working directory '/var/lib/knot-resolver'; No space left on device (workdir '/var/lib/knot-resolver') Jun 4 16:32:32 dns-cache-2 systemd[1]: kresd(a)2.service: Main process exited, code=exited, status=1/FAILURE Jun 4 16:32:32 dns-cache-2 systemd[1]: kresd(a)2.service: Failed with result 'exit-code'.

4 roky, 12 měsíců

3
7
0 0

Knot Resolver 5.1.2

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 5.1.2 has been released! Bugfixes -------- - hints module: NODATA answers also for non-address queries (!1005) - tls: send alert to peer if handshake fails (!1007) - cache: fix interaction between LMDB locks and preallocation (!1013) - cache garbage collector: fix flushing of messages to logs (!1009) - cache garbage collector: fix insufficient GC on 32-bit systems (!1009) - graphite module: do not block resolver on TCP failures (!1014) - policy.rpz various fixes (!1016): $ORIGIN issues, precision of warnings, allow answering with multi-RR sets Full changelog: https://gitlab.nic.cz/knot/knot-resolver/raw/v5.1.2/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.1.2.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.1.2.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v5.1.2/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

4 roky, 12 měsíců

1
0
0 0

Configure knot-resolver to serve LAN?

by pioruns2019＠gmx.com

Hello all, I am trying to configure my local PC (always on server), to serve DNS resolving all other computers in my LAN. I installed and enabled the service. I've attempted configuration. Knot-resolver correctly resolves DNS querier on localhost machine, but fails to reply to queries from other LAN machines. Can someone please share configuration which I should use to have LAN resolving? I've tried various net.listen(), net() in config file, to no avail. I've studied this page https://knot-resolver.readthedocs.io/en/stable/daemon-bindings-net_server.h… but I have no idea which option I should put in config to enable my server PC (192.168.1.44) to allow all PCs in LAN (192.168.1.xxx) to use knot-resolver. I'd appreciate if someone with knowledge would help a newbie like me. Thank you! pioruns

5 let

3
5
0 0

Dynamic configuration reload

by Pierrick CHOVELON

Hi all, Is there a way to reload dynamically the knot-resolver configuration without stopping knot-resolver ? e.g I have to add this in the config file extraTrees = policy.todnames({'foo.example.net'}) policy.add(policy.suffix(policy.FLAGS({'NO_CACHE'}), extraTrees)) policy.add(policy.suffix(policy.FORWARD({'192.168.0.15'}), extraTrees)) Is there a sort of CLI command to take it in account ? Regards ______________________________ *Pierrick CHOVELON I *Ingénieur système *Advanced Software I IT* +33 4 77 43 27 05 pierrick.chovelon(a)savoye.com *SAVOYE - 8, rue de la Richelandière - 42100 - Saint-Etienne - France* *Savoye recrute ! <https://careers.savoye.com/#!/fr/index> - *www.savoye.com

5 let, 1 měsíc

2
2
0 0

Knot Resolver 5.1.1

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 5.1.1 has been released! This is a security release and all users are are advised to upgrade immediately to get mitigation for CVE-2020-12667. Release notes: Security -------- - fix CVE-2020-12667: mitigation for NXNSAttack DNS protocol vulnerability Bugfixes -------- - control sockets: recognize newline as command boundary More information about the vulnerability: https://en.blog.nic.cz/2020/05/19/nxnsattack-upgrade-resolvers-to-stop-new-… Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v5.1.1/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.1.1.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.1.1.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v5.1.1/ Early notification: The upcoming major version will contain reworked hints/policy/prefill/rebinding/view modules and related functionalities. Please participate in the following survey to ensure we do not forget about your particular use-case: https://www.knot-resolver.cz/survey/ It will help us to improve Knot Resolver. Thank you! -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

5 let, 1 měsíc

1
0
0 0

Knot Resolver 5.1.0

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 5.1.0 has been released! We also have two important announcements: 1) Ubuntu and Debian repositories Ubuntu and Debian users have to manually set up the upstream repository once again by following the instructions at: https://www.knot-resolver.cz/download/ We apologize for the inconvenience, tests are now in place to prevent this from happening again. 2) The upcoming major version will contain reworked hints/policy/prefill/rebinding/view modules and related functionalities. Please participate in the following survey to ensure we do not forget about your particular use-case: https://www.knot-resolver.cz/survey/ It will help us to improve Knot Resolver. Thank you! Our upstream repositories now also provide packages for CentOS 8, Ubuntu 20.04 and Fedora 32. And finally, the release notes for version 5.1.0: Improvements ------------ - cache garbage collector: reduce filesystem operations when idle (!946) - policy.DEBUG_ALWAYS and policy.DEBUG_IF for limited verbose logging (!957) - daemon: improve TCP query latency under heavy TCP load (!968) - add policy.ANSWER action (!964, #192) - policy.rpz support fake A/AAAA (!964, #194) Bugfixes -------- - cache: missing filesystem support for pre-allocation is no longer fatal (#549) - lua: policy.rpz() no longer watches the file when watch is set to false (!954) - fix a strict aliasing problem that might've lead to "miscompilation" (!962) - fix handling of DNAMEs, especially signed ones (#234, !965) - lua resolve(): correctly include EDNS0 in the virtual packet (!963) Custom modules might have been confused by that. - do not leak bogus data into SERVFAIL answers (#396) - improve random Lua number generator initialization (!979) - cache: fix CNAME caching when validation is disabled (#472, !974) - cache: fix CNAME caching in policy.STUB mode (!974) - prefill: fix crash caused by race condition with resolver startup (!983) - webmgmt: use javascript scheme detection for websockets' protocol (#546) - daf module: fix del(), deny(), drop(), tc(), pass() functions (#553, !966) - policy and daf modules: expose initial query when evaluating postrules (#556) - cache: fix some cases of caching answers over 4 KiB (!976) - docs: support sphinx 3.0.0+ (!978) Incompatible changes -------------------- - minor changes in module API; see upgrading guide: https://knot-resolver.readthedocs.io/en/stable/upgrading.html Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v5.1.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.1.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.1.0.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v5.1.0/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

5 let, 2 měsíce

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

knot-resolver-users