Hi,
we are a non-profit running privacy enhancing services for the public,
among those services are also public DNS resolvers supporting DoH and DoT.
We started the process to migrate our DoH/DoT endpoints to kresd 4
replacing our temporary setup using doh-httpproxy/unbound.
Here are a few questions that came up; the first ones, about caching
and safe logging, are the most important.
- kresd writes the cache to disk by default. Is there an easy way to
disable that and to switch to in-memory cache only without workarounds
like a ramdisk? (we didn't find an answer to this in the documentation
[6]) We want to avoid writing any cache data to disk.
- We haven't found much documentation about logging. We would like to
ensure that no sensitive data (IP addresses, domain names) is written to
the logs. If verbose() is false, is that enough to avoid logging any IP
addresses and domains?
- Is the DoH URI configurable (change /doh to our currently used URI),
or does that require something like
https://knot-resolver.readthedocs.io/en/stable/modules.html#how-to-expose-c…
?
- Is it possible to enable multiple DoH endpoints (URIs)
via a single kresd instance where every endpoint
has a distinct upstream configuration?
- Does kresd 4 (in the client position) support OOOR? [7]
- Are there any known kresd munin plugins
that produce graphs similar to unbound's munin plugin? [1]
- Does kresd need a reload/restart after
the TLS certificate got renewed (by letsencrypt)?
- Is there a recommended way to configure the interaction between
certbot and kresd? (The defaults would not work, since kresd, starting
as the knot-resolver user, will not be able to read certificates owned by root.)
- What is the canonical way to report security issues? (if [4] does not
work)
- Do you run a security bug bounty program?
thanks!
Christoph
The documentation under [5] does not cover all fields
in the output of "worker.stats()"; it would be great if those
missing fields could be added to the documentation.
[2] links to https://rocks.moonscript.org but the certificate is for
https://luarocks.org
[3] gives this example:
```
print(cache.storage)
error occured here (config
filename:lineno is at the bottom, if config
is involved):
stack traceback:
[C]: in function 'get'
/usr/lib/knot-resolver/sandbox.lua:265: in function '__index'
[string "return table_print(print(cache.storage))"]:1: in main chunk
ERROR: Function not implemented
```
The document probably meant "print(cache.current_storage)"?
After solving about 20 reCAPTCHAs and getting errors like the following, we gave
up trying to submit issues via [4]:
"There was an error with the reCAPTCHA. Please solve the reCAPTCHA again."
[1] https://angristan.xyz/configure-unbound-plugin-munin/
[2] https://knot-resolver.readthedocs.io/en/stable/daemon.html
[3] https://knot-resolver.readthedocs.io/en/stable/daemon.html#envvar-cache.cur…
[4] https://gitlab.labs.nic.cz/knot/knot-resolver/issues
[5] https://knot-resolver.readthedocs.io/en/stable/daemon.html#c.worker.stats
[6] https://knot-resolver.readthedocs.io/en/stable/daemon.html#cache-configurat…
[7] https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status#DN…