Vladimír Čunát
@vcunat
Travis Boss
@travisboss
-bash: syntax error near unexpected token'answer.cached''`
I am on version 3.2.1
Vladimír Čunát
@vcunat
3.2.1 is very old and does not have GC.
@travisboss ^^
Petr Špaček
@pspacek
@micah_gitlab Sorry, paste.debian.net says "Entry not found".
Micah
@micah_gitlab
@pspacek oops, it expired, I'll dig it up again
Micah
@micah_gitlab
@pspacek http://paste.debian.net/1137389/ <--- several snippets from different times
Petr Špaček
@pspacek
Well, authoritative server says that "schleuder.squat.net." does not exist.
Mar 27 00:44:31 woodpecker kresd[27805]: [00000.00][plan] plan 'schleuder.squat.net.' type 'A' uid [58878.00]
Mar 27 00:44:31 woodpecker kresd[27805]: [58878.00][iter]   'schleuder.squat.net.' type 'A' new uid was assigned .01, parent uid .00
Mar 27 00:44:31 woodpecker kresd[27805]: [58878.01][cach]   => skipping exact RR: rank 060 (min. 030), new TTL -2400
Mar 27 00:44:31 woodpecker kresd[27805]: [58878.01][cach]   => trying zone: squat.net., NSEC, hash 0
Mar 27 00:44:31 woodpecker kresd[27805]: [58878.01][cach]   => NSEC sname: covered by: squat.net. -> squat.net., new TTL 81165
Mar 27 00:44:31 woodpecker kresd[27805]: [58878.01][cach]   => NSEC wildcard: covered by: squat.net. -> squat.net., new TTL 81165
Mar 27 00:44:31 woodpecker kresd[27805]: [58878.01][cach]   => writing RRsets: +++
Mar 27 00:44:31 woodpecker kresd[27805]: [58878.01][iter]   <= answer received:
Mar 27 00:44:31 woodpecker kresd[27805]: ;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 5842
Mar 27 00:44:31 woodpecker kresd[27805]: ;; Flags: qr aa  QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
Mar 27 00:44:31 woodpecker kresd[27805]: ;; QUESTION SECTION
Mar 27 00:44:31 woodpecker kresd[27805]: schleuder.squat.net.
Micah
@micah_gitlab
@pspacek it's strange, because people who are not using knot-resolver are not having problems with this
I agree the authoritative server is saying this... maybe knot is checking it more aggressively and the others (like bind) are not as accurate
you are getting that from the NSEC set, right?
Vladimír Čunát
@vcunat
Yes, aggressive caching still isn't very common.
Petr Špaček
@pspacek
As far as I can tell it was fixed on auth side already.
Vladimír Čunát
@vcunat
Or it might happen "only sometimes" :-)
Petr Špaček
@pspacek
yeah, that's unfortunately correct.
Micah
@micah_gitlab
it seems it only happens sometimes, I had to run a while loop doing queries every 5 minutes to catch it
I'd like to prove to them that this isn't only my nameserver having this issue, because they don't believe it is their problem. So I am going to re-do that while loop, using Cloudflare DNS servers... can I just look up the NSEC record to get that, or should I just look for NXDOMAIN in a regular dig output?
Vladimír Čunát
@vcunat
Packet capture is the surest way to catch these, I suppose.
But these dig-like <= answer received: parts should be enough proof, I think.
Micah
@micah_gitlab
you mean something like tcpdump -i eth0 -s0 -n -v src 1.1.1.1 or dst 1.1.1.1
Vladimír Čunát
@vcunat
Yes, we typically use tcpdump to capture packets.
Micah
@micah_gitlab
is there an option with dns that can get me more details, the results are a little thin
Vladimír Čunát
@vcunat
After an unreleased merge request you can verbose-log just specific requests, even log them whole based on something that happens later in the request.
Micah
@micah_gitlab
This message was deleted
Vladimír Čunát
@vcunat
You can capture to file, which contains everything. (speaking of tcpdump)
Micah
@micah_gitlab

After an unreleased merge request you can verbose-log just specific requests, even log them whole based on something that happens later in the request.

Nice!!

Micah
@micah_gitlab
What configuration do I need to create the tty so I can use kresc ?
Vladimír Čunát
@vcunat
It should be created by default (as packaged) on /run/knot-resolver/control/1.
Micah
@micah_gitlab
yeah, I'm not using the default packaged one, that is why I was wondering
Vladimír Čunát
@vcunat
Generally there's docs ;-)
Micah
@micah_gitlab
yes! I was looking in the docs, aha! it's the control socket
thanks, I somehow was looking in the complete wrong place
Vladimír Čunát
@vcunat
In non-interactive mode it was created by default until recently. Now you need a config command (which is added in distro config, so most people haven't noticed).
Micah
@micah_gitlab
unfortunately, here I'm stuck with older knot-resolver (3.2.1 from debian buster), and net.listen('/tmp/kres.control', nil, { kind = 'control' }) doesn't work there
non-interactive mode is -q it seems with this version, but I don't see the socket created
Vladimír Čunát
@vcunat
non-interactive mode is -f 1
in which case it gets created in $(pwd)/tty/$PID
Micah
@micah_gitlab
ah! ok, it was the -f 1 I was missing
Vladimír Čunát
@vcunat
Still, the usual way was to set it up as a systemd socket.
Petr Špaček
@pspacek
@micah_gitlab I guess you know that, but it never hurts to repeat: Version 3.2.1 is not secure as it contains security vulnerabilities, and it is only getting worse over time.
Vladimír Čunát
@vcunat
:+1:
Petr Špaček
@pspacek
New packages for Debian can be found at https://www.knot-resolver.cz/download/
Micah
@micah_gitlab
@pspacek yep! I'm using those typically, but here I have to use this old one, until I can change some people's minds :D
Petr Špaček
@pspacek
Okay, let us wait a couple of weeks for new CVEs and we will see ...
Micah
@micah_gitlab
:D
Vladimír Čunát
@vcunat
Official Debian unstable has the latest kresd version, but I don't expect that helps you.
Vladimír Čunát
@vcunat
It took me a bit long, I'm afraid.
@hazaki520: I found issues with caching CNAMEs in some less common cases: (1) when using policy.STUB or (2) when DNSSEC validation is completely disabled. From what you've posted I'm not completely sure if you're one of the two cases; I might've missed some other case.