Hello Christoph

Thanks for the detailed feedback.  Let me react to some parts now and leave the rest for a bit later.

On 4/28/19 3:53 PM, Christoph wrote:
- kresd writes the cache to disk by default. Is there an easy way to
disable that and to switch to in-memory cache only without workarounds
like a ramdisk? (we didn't find an answer to this in the documentation
[6]) We want to avoid writing any cache data to disk.

Cache resides in a (configurable) directory.  It's up to your OS configuration where that directory is physically located.  I believe it's quite popular to place kresd cache into a Linux tmpfs, as the main benefits of cache in a filesystem tend to be sharing across kresd instances and service restarts (which are a comfortable way of reconfiguration, too).  Perhaps that "option" isn't as obvious as I thought (you're not the first to ask about it).


We haven't found much documentation about logging. We would like to
ensure that no sensitive data (IP addresses, domain names) is written to
the logs. If verbose() is false, is that enough to avoid logging any IP
addresses and domains?

I'm not aware of any docs about this.  By default almost nothing gets logged.  It's intended to be human-readable even if you have lots of traffic to domains broken in various ways; sensitive data in non-verbose log would certainly be considered a bug.  I believe client IPs aren't logged even in verbose mode, though I'm not sure whether that was intentional or just "luck".


- Is the DoH URI configurable? (change /doh to our currently used URI)
or does that require something like
https://knot-resolver.readthedocs.io/en/stable/modules.html#how-to-expose-custom-services-over-http
?
- Is it possible to enable multiple DoH endpoints (URIs)
via a single kresd instance where every endpoint
has a distinct upstream configuration?

I don't think you can configure these easily, at least in 4.0.0.  For real production we expect you to want to use a battle-tested HTTP implementation as a proxy in front, and that setup makes the URL irrelevant, I think.

What do you mean by "upstream configuration"?  In any case we'd be interested in what you're trying to achieve (and why, if you can share that).


- Does kresd 4 (in the client position) support OOOR? [7]

Yes, all of UDP, TCP and TLS have out-of-order queries, and they get pipelined over a single connection whenever going to the same IP (except for UDP :)


- Are there any known kresd munin plugins
that produce graphs similar to unbound's munin plugin? [1]

I'm not aware of any, so probably there aren't any.  What I've seen:


- What is the canonical way to report security issues? (if [4] does not
work)

These reCAPTCHA errors were when you tried the "register" tab, right?  I expect you own https://github.com/appliedprivacy so why not prefer the "sign in with GitHub" button?  The captcha seems to work for me, but perhaps you have some unusually aggressive privacy-related setting that makes it (near) unusable.


- Do you run a security bug bounty program?

No.  I personally find that very unlikely in future.  cz.nic is relatively small and not-for-profit (though that might be disputed by some).


--Vladimir
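
Added example, not part of the original message and not Knot Resolver code: a POSIX shell check that the directory holding the kresd cache really sits on tmpfs, as the reply above suggests, by finding the longest matching mount point in a /proc/mounts-format table. The function names and the path /var/cache/knot-resolver are assumptions; pass the absolute, symlink-free directory your own configuration uses.

```shell
#!/bin/sh
# Added example: verify that a kresd cache directory is memory-backed.
# Reads a mount table in /proc/mounts format (device mountpoint fstype ...).

# Print the filesystem type of the mount that contains $1.
# $2 is an optional mount table file (default: the live /proc/mounts).
fs_type_for_path() {
    path=$1
    mounts=${2:-/proc/mounts}
    best_len=-1
    best_type=
    while read -r _dev mnt type _rest; do
        # A mount contains the path if it is "/" or a whole-component prefix.
        case $mnt in
            /) match=1 ;;
            *) case $path/ in "$mnt"/*) match=1 ;; *) match=0 ;; esac ;;
        esac
        # Longest mount point wins; on a tie the later (overmounting) entry wins.
        if [ "$match" -eq 1 ] && [ "${#mnt}" -ge "$best_len" ]; then
            best_len=${#mnt}
            best_type=$type
        fi
    done < "$mounts"
    printf '%s\n' "$best_type"
}

# Succeed only if the directory is on tmpfs or ramfs.
cache_is_memory_backed() {
    case $(fs_type_for_path "$1" "${2:-/proc/mounts}") in
        tmpfs|ramfs) return 0 ;;
        *) return 1 ;;
    esac
}

# Typical use before starting the resolver (path is an assumption):
#   cache_is_memory_backed /var/cache/knot-resolver \
#       || echo "kresd cache directory is on persistent storage" >&2
```

tmpfs pages can still be written out to swap, so a host that must never put cache data on disk also needs swap disabled or encrypted.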