Greetings. My kresd config file is:

net.listen('192.241.207.161', 5364)
trust_anchors.file = 'root.keys'
modules.load('ta_sentinel')

I wanted to test this with a zone I set up at this-is-signed.com. However, I'm getting a positive result back for both the is-ta and the not-ta records (it is properly giving me the SERVFAIL for the bogus record).

Have I configured Knot Resolver incorrectly? For Knot 2.2.1, do I need a different form for the names in order to get the kskroll-sentinel effect to kick in? From the DNSOP WG mailing list traffic, I thought I needed the 4f66 tag, but could have misinterpreted that.

--Paul Hoffman
# dig @192.241.207.161 -p 5364 kskroll-sentinel-is-ta-4f66.this-is-signed.com a

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.241.207.161 -p 5364 kskroll-sentinel-is-ta-4f66.this-is-signed.com a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36153
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;kskroll-sentinel-is-ta-4f66.this-is-signed.com.    IN A

;; ANSWER SECTION:
kskroll-sentinel-is-ta-4f66.this-is-signed.com.    60 IN CNAME this-is-signed.com.
this-is-signed.com.    60    IN    A    192.241.207.161

;; Query time: 283 msec
;; SERVER: 192.241.207.161#5364(192.241.207.161)
;; WHEN: Sun Feb 25 00:09:54 UTC 2018
;; MSG SIZE  rcvd: 105

# dig @192.241.207.161 -p 5364 kskroll-sentinel-not-ta-4f66.this-is-signed.com a

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.241.207.161 -p 5364 kskroll-sentinel-not-ta-4f66.this-is-signed.com a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14466
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;kskroll-sentinel-not-ta-4f66.this-is-signed.com. IN A

;; ANSWER SECTION:
kskroll-sentinel-not-ta-4f66.this-is-signed.com. 60 IN CNAME this-is-signed.com.
this-is-signed.com.    54    IN    A    192.241.207.161

;; Query time: 5 msec
;; SERVER: 192.241.207.161#5364(192.241.207.161)
;; WHEN: Sun Feb 25 00:10:00 UTC 2018
;; MSG SIZE  rcvd: 106

# dig @192.241.207.161 -p 5364 bogus.this-is-signed.com a

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.241.207.161 -p 5364 bogus.this-is-signed.com a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20810
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bogus.this-is-signed.com.    IN    A

;; Query time: 9 msec
;; SERVER: 192.241.207.161#5364(192.241.207.161)
;; WHEN: Sun Feb 25 00:10:08 UTC 2018
;; MSG SIZE  rcvd: 42
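An added illustration (my own code, not Paul's setup and not Knot Resolver's ta_sentinel implementation) of what a sentinel-aware validating resolver is expected to do with these names, and of how the three dig results above are read; it uses the draft's hex key-tag label form seen in the queries, and the trust-anchor tag set and dig excerpts are constructed.

```python
import re

# Leftmost label as used in the queries above: kskroll-sentinel-{is,not}-ta-<4 hex digits>.
# Assumption: matched case-insensitively on the first label only.
SENTINEL_RE = re.compile(r'^kskroll-sentinel-(is|not)-ta-([0-9a-f]{4})$', re.I)

def sentinel_verdict(qname, trust_anchor_tags):
    """Resolver side: what a sentinel-aware validating resolver returns for a
    validated, otherwise-fine answer to qname: 'answer' or 'servfail'.
    trust_anchor_tags: key tags (ints) of the resolver's configured root TAs."""
    first = qname.rstrip('.').split('.')[0]
    m = SENTINEL_RE.match(first)
    if not m:
        return 'answer'            # not a sentinel name: ordinary processing
    kind, tag = m.group(1).lower(), int(m.group(2), 16)   # '4f66' -> 20326
    has_ta = tag in trust_anchor_tags
    # is-ta answers only when the tag is a configured TA; not-ta is the reverse.
    if (kind == 'is' and has_ta) or (kind == 'not' and not has_ta):
        return 'answer'
    return 'servfail'

def rcode(dig_output):
    """Pull the status (NOERROR, SERVFAIL, ...) out of a dig header line."""
    m = re.search(r'status: ([A-Z]+)', dig_output)
    return m.group(1) if m else None

def classify_resolver(is_ta, not_ta, bogus):
    """Client side: interpret the three rcodes the way the sentinel test does."""
    if bogus != 'SERVFAIL':
        return 'non-validating'
    if is_ta == 'NOERROR' and not_ta == 'SERVFAIL':
        return 'validating, sentinel-aware, has the trust anchor'
    if is_ta == 'SERVFAIL' and not_ta == 'NOERROR':
        return 'validating, sentinel-aware, lacks the trust anchor'
    if is_ta == 'NOERROR' and not_ta == 'NOERROR':
        return 'validating, but the sentinel is not in effect'
    return 'indeterminate'

# Constructed excerpts mirroring the three header lines seen in the post.
DIG_IS_TA = ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36153'
DIG_NOT_TA = ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14466'
DIG_BOGUS = ';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20810'

def classify_post():
    return classify_resolver(rcode(DIG_IS_TA), rcode(DIG_NOT_TA), rcode(DIG_BOGUS))

if __name__ == '__main__':
    print(classify_post())
```

With a trust anchor whose tag is 20326 (0x4f66) configured, the not-ta name is the one a working sentinel would turn into SERVFAIL; two NOERROR answers plus a SERVFAIL for the bogus name is the "validating, sentinel not in effect" case.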