Oto:
Third follow-up.
Just for completeness, I re-compiled with:
-Dmanaged_ta=disabled
-Dkeyfile_default=/var/lib/opennic/opennic.keys
-Droot_hints=/var/lib/opennic/db.root
With file content as per the DNSSEC and Local BIND wiki pages.
On restart after fresh install, I see:
kresd[653620]: [taupd ] active refresh failed, update your trust anchors in "/var/lib/opennic/opennic.keys"
in the systemd status.
Does this mean knot-resolver is trying to manage the ta even though I
explicitly turned that off??
And I still fail to resolve grep.geek with
responding
NXDOMAIN.
--
Ed V.
On Wed, 10 May 2023 07:46:16 +0200
Oto Šťáva <oto.stava(a)nic.cz> wrote:
Hi, Ed.
This looks to me like Knot Resolver is not pointed to the same
configuration file you are editing since your changes are not taking
effect at all. The 'hints.root()' function really should replace the
default root hints, which it does not seem to be doing in your case.
How exactly are you running Knot Resolver? Are you pointing it to the
correct 'kresd.conf' file?
Also, your first attempt with 'policy' would not work because
'policy.FORWARD' expects the provided addresses to be resolvers, but
the OpenNIC root servers are authoritative.
Using 'hints.root' is correct, BUT it is not enough to only set that.
You will run into SERVFAILs because you also need to set the correct
DNSSEC trust anchors [1], which Knot Resolver verifies. You will need
the correct keys from OpenNIC root servers [2].
[1] https://knot-resolver.readthedocs.io/en/stable/config-dnssec.html#trust_anc…
[2] https://wiki.opennic.org/opennic/dnssec
On 09. 05. 23 23:05, Ed V. wrote:
Hoping someone can help...
Built Knot Resolver v5.6.0 from source.
It works and resolves correctly for "regular" TLDs.
However, I would like to point it to OpenNIC for resolution/forwarding
so that I can resolve the expanded/alternative TLDs.
Default configuration with:
policy.add(policy.all(
  policy.FORWARD({
    '2001:19f0:b001:379:5400:3ff:fe68:1cc6',
    '138.197.140.189',
    '2600:3c04::f03c:93ff:febd:be27',
    '45.61.49.203'})))
and it fails to find "grep.geek" using the standard root zone/hints:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22871
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;grep.geek. IN A
;; AUTHORITY SECTION:
. 86077 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023050902 1800 900 604800 86400
So I checked the Documentation site and found "hints.root" which
theoretically will override any other root hints.
Using the OpenNIC root zone file (downloads as "db.root") I set:
hints.root({
  ['ns13.opennic.glue.'] = { '2a01:4f8:192:43a5::2', '144.76.103.143' },
})
in kresd.conf.
Still no joy - "grep.geek" is NXDOMAIN from a.root-servers.net again.
Any thoughts? Things I might have missed along the way?
--
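For readers following this thread, here is an added kresd.conf fragment (not from Oto, Ed, or the Knot Resolver project) that puts together the two points Oto makes: replace the root hints with hints.root() rather than policy.FORWARD, and swap the IANA root trust anchor for OpenNIC's so validation does not SERVFAIL. It assumes the OpenNIC root zone and key file live at the paths Ed used (/var/lib/opennic/db.root and /var/lib/opennic/opennic.keys) and that the ns13.opennic.glue addresses from the thread are current.

```lua
-- Added example, not the thread's or the project's own configuration.
-- Assumed paths: /var/lib/opennic/opennic.keys holds OpenNIC's root DNSSEC
-- keys and /var/lib/opennic/db.root the OpenNIC root hints, as in Ed's build.

-- 1. Replace the default (IANA) root hints with the OpenNIC root.
--    hints.root() takes a table of server name -> list of addresses;
--    the equivalent for a zone file is hints.root_file('/var/lib/opennic/db.root').
hints.root({
  ['ns13.opennic.glue.'] = { '2a01:4f8:192:43a5::2', '144.76.103.143' },
})

-- 2. The built-in trust anchor for '.' is the IANA root key, which cannot
--    validate OpenNIC's root zone and would leave every lookup at SERVFAIL.
--    Remove it, then load OpenNIC's keys. readonly = true tells kresd not to
--    attempt RFC 5011 updates of that file (no write access is needed).
--    If the build already sets keyfile_default to the OpenNIC keys, as in
--    Ed's -Dkeyfile_default option, the add_file line only restates that.
trust_anchors.remove('.')
trust_anchors.add_file('/var/lib/opennic/opennic.keys', true)

-- Deliberately NOT used: policy.FORWARD(...) with the OpenNIC root
-- addresses. FORWARD expects recursive resolvers; the OpenNIC roots are
-- authoritative servers, so that path returns NXDOMAIN just as Ed saw.
```

After restarting kresd, a quick sanity check is to query a name that only exists under the alternative root (such as grep.geek from the thread) and confirm the AUTHORITY section no longer names a.root-servers.net; a SERVFAIL at that point indicates the trust anchors still do not match the root being served.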