Hi, Ed.
This looks to me like Knot Resolver is not pointed to the same
configuration file you are editing since your changes are not taking
effect at all. The 'hints.root()' function really should replace the
default root hints, which it does not seem to be doing in your case. How
exactly are you running Knot Resolver? Are you pointing it to the
correct 'kresd.conf' file?
Also, your first attempt with 'policy' would not work because
'policy.FORWARD' expects the provided addresses to be resolvers, but the
OpenNIC root servers are authoritative.
Using 'hints.root' is correct, BUT it is not enough to only set that.
You will run into SERVFAILs because you also need to set the correct
DNSSEC trust anchors [1], which Knot Resolver verifies. You will need
the correct keys from OpenNIC root servers [2].
[1] https://knot-resolver.readthedocs.io/en/stable/config-dnssec.html#trust_anc…
[2] https://wiki.opennic.org/opennic/dnssec
On 09. 05. 23 23:05, Ed V. wrote:
Hoping someone can help...
Built Knot Resolver v5.6.0 from source.
It works and resolves correctly for "regular" TLDs.
However, I would like to point it to OpenNIC for resolution/forwarding
so that I can resolve the expanded/alternative TLDs.
Default configuration with:
policy.add(policy.all(
    policy.FORWARD({
        '2001:19f0:b001:379:5400:3ff:fe68:1cc6',
        '138.197.140.189',
        '2600:3c04::f03c:93ff:febd:be27',
        '45.61.49.203'})))
and it fails to find "grep.geek" using the standard root zone/hints:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22871
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;grep.geek. IN A
;; AUTHORITY SECTION:
. 86077 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023050902 1800 900 604800 86400
So I checked the Documentation site and found "hints.root" which
theoretically will override any other root hints.
Using the OpenNIC root zone file (downloads as "db.root") I set:
hints.root({
    ['ns13.opennic.glue.'] = { '2a01:4f8:192:43a5::2', '144.76.103.143' },
})
in kresd.conf.
Still no joy - "grep.geek" is NXDOMAIN from a.root-servers.net again.
Any thoughts? Things I might have missed along the way?
--
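Added example (not part of the thread, and not taken from the Knot Resolver or OpenNIC projects): a kresd.conf fragment that applies both points from the reply above, replacing the root hints with the OpenNIC server Ed quoted and swapping the root-zone DNSSEC trust anchor so validation does not SERVFAIL. The DS record is a placeholder; the real one must be taken from the OpenNIC DNSSEC wiki page linked as [2]. The calls used (hints.root, trust_anchors.remove, trust_anchors.add) are the documented Knot Resolver 5 configuration functions.

```lua
-- kresd.conf fragment (added example, not the poster's or the project's own file).

-- 1. Replace the built-in ICANN root hints with an OpenNIC root server.
--    Addresses are the ones quoted from OpenNIC's db.root in the thread.
hints.root({
    ['ns13.opennic.glue.'] = { '2a01:4f8:192:43a5::2', '144.76.103.143' },
})

-- 2. Replace the trust anchor for the root zone. kresd validates DNSSEC, and
--    the OpenNIC root is not signed by the ICANN root KSK, so keeping the
--    default anchor yields SERVFAIL for every name under the alternative root.
trust_anchors.remove('.')

-- PLACEHOLDER: substitute the DS record published on the OpenNIC DNSSEC page.
-- Records added this way are static (not RFC 5011 managed), so they must be
-- refreshed by hand when OpenNIC rolls its key.
trust_anchors.add('. 3600 IN DS <KEYTAG> <ALGORITHM> <DIGESTTYPE> <DIGEST>')
```

Start the daemon with an explicit path (`kresd -c /path/to/kresd.conf`) so there is no doubt which file is loaded; if a query for a name under an OpenNIC TLD still returns an SOA from a.root-servers.net in the AUTHORITY section, the hints were not applied and the running instance is reading a different configuration file.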