30 Říj
2025
30 Říj
'25
12:54
Dear Knot Resolver users,
Knot Resolver 6.0.16 (early-access) has been released!
Improvements:
- reduce validation strictness for domain names (#934, !1727)
- manager: force a configuration reload via management HTTP API
'api/reload/force' (#939, !1748)
- kresctl: reload: added '--force' flag
- /fallback: add this feature/module (!1733)
- systemd: do not force-fail knot-resolver.service on OOM (!1724)
In basically all cases the OOM killer will kill a kresd process
and supervisord will just restart it, and everything will keep working.
Bugfixes:
- /options/query-case-randomization: respect this even on TCP issues (!1732)
- prometheus metrics: make the latency histogram cumulative (!1731, GH#117)
- fix file permission checks when running as root (!1741)
- /network/address-renumbering: fix conversion to Lua configuration (!1739)
- manager: avoid uncommon bugs when starting/quitting policy-loader (!1742)
Full changelog:
https://gitlab.nic.cz/knot/knot-resolver/raw/v6.0.16/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.16.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.16.tar.xz.asc
Documentation:
https://www.knot-resolver.cz/documentation/v6.0.16/
--
Ales Mrazek
PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE
29 Lis
29 Lis
14:47
New subject: [Knot Resolver 6.0.16] is there a way to force DNS64 synthesis for specific domains that have native AAAA records?
Hi,
I'm running Knot Resolver 6.0.16 with DNS64 enabled for specific views (only when
queries come from certain IPv6 addresses, using the default 64:ff9b::/96 prefix). It works
perfectly for IPv4-only domains, but I need to force DNS64 synthesis for a specific domain
(security.ubuntu.com) that has native AAAA records.
My use case: security.ubuntu.com has AAAA records, but Ubuntu's apt caching system is
often broken and tries to fallback to IPv4. On IPv6-only systems, this fails. I need to
force DNS64 to synthesize AAAA from A records for this specific domain, bypassing the
existing AAAA records.
What we've tried:
- Using policy.DENY to block AAAA queries → returns NXDOMAIN instead of NODATA, DNS64
doesn't trigger
- Creating custom actions to return NODATA → DNS64 never sees it because policy responses
bypass the DNS64 layer
- Manually creating A sub-queries with DNS64_MARK flag → causes assertion failures or the
original AAAA query resolves normally in parallel
- Using kres.YIELD → crashes with "assertion failed in answer_finalize"
The core issue: DNS64 only activates when it observes a genuine NODATA response from
upstream servers, but we can't seem to intercept and redirect AAAA queries through
DNS64's synthesis mechanism for specific domains.
Is there a supported way to:
1. Force DNS64 synthesis for specific domains even when AAAA records exist? Ideally from
the yaml config.
2. Call DNS64's synthesis function directly from Lua?
3. Or any other approach to achieve this?
Thanks in advance!
15 Pro
15 Pro
10:28
New subject: is there a way to force DNS64 synthesis for specific domains that have native AAAA records?
Hello, I'm sorry for the delay.
On 29/11/2025 14.47, oui.mages_0w--- via knot-resolver-users wrote:
Is there a supported way to:
1. Force DNS64 synthesis for specific domains even when AAAA records exist? Ideally from
the yaml config.
2. Call DNS64's synthesis function directly from Lua?
3. Or any other approach to achieve this?
This feedback was quite intriguing, but the situation is not simple.
So far the local-data engine hasn't been able to express that a
particular name+type combination should be answered with NODATA, but
with this question I realized that there's no real reason not to have
that. The insides for that were merged as !1761 and included in release
6.0.17.
Unfortunately, so far I'm not perfectly sure how to expose this in
configuration. For start we will probably include something like
https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1771
which will _at least_ allow you to write
lua:
policy-script: |
assert(C.kr_rule_local_data_ins(
kres.rrset(kres.str2dname('security.ubuntu.com.'),
kres.type.AAAA, nil, C.KR_RULE_TTL_DEFAULT),
nil, 0, C.KR_RULE_OPTS_DEFAULT
) == 0)
After you get this, the DNS64 code will see the NODATA and it will
inject the synthetized AAAA in its place.
--Vladimir
8 Led
8 Led
18:07
New subject: is there a way to force DNS64 synthesis for specific domains that have native AAAA records?
On 15/12/2025 10.28, Vladimír Čunát via knot-resolver-users wrote:
lua:
policy-script: |
assert(C.kr_rule_local_data_ins(
kres.rrset(kres.str2dname('security.ubuntu.com.'),
kres.type.AAAA, nil, C.KR_RULE_TTL_DEFAULT),
nil, 0, C.KR_RULE_OPTS_DEFAULT
) == 0)
So in 6.1.0 you can do this.
12 Led
12 Led
0:11
New subject: is there a way to force DNS64 synthesis for specific domains that have native AAAA records?
Thank you, it does work.
However, I cannot use it in my production environment as this returns NODATA globally (all
views) for security.ubuntu.com.
I have several views not using dns64 for which the AAAA record should be the existing
original answer.
So for now, unless there is a way to attach the policy-script to a specific view declared
in my config.yaml, I still need to use this method based on the IPs rather than the fqdn:
dns64:
enable: true
exclude-subnets: [2620:2d:4002:1::102/128, 2620:2d:4000:1::103/128,
2620:2d:4000:1::101/128, 2620:2d:4002:1::101/128, 2620:2d:4002:1::103/128,
2a06:bc80:0:1000::16/128, 2a06:bc80:0:1000::18/128, 2a06:bc80:0:1000::17/128,
2620:2d:4000:1::102/128]
A setting like exclude-domains: [] would be ideal.
Regards,
Gabriel
Le 8 janv. 2026 à 18:07, Vladimír Čunát via
knot-resolver-users <knot-resolver-users(a)lists.nic.cz> a écrit :
On 15/12/2025 10.28, Vladimír Čunát via knot-resolver-users wrote:
lua:
policy-script: |
assert(C.kr_rule_local_data_ins(
kres.rrset(kres.str2dname('security.ubuntu.com.'), kres.type.AAAA, nil,
C.KR_RULE_TTL_DEFAULT),
nil, 0, C.KR_RULE_OPTS_DEFAULT
) == 0)
So in 6.1.0 you can do this.
--
16
days inactive
89
days old
knot-resolver-users@lists.nic.cz
4 comments
3 participants
participants (3)
-
Aleš Mrázek -
oui.mages_0w@icloud.com -
Vladimír Čunát