These are chat archives for CZ-NIC/knot-resolver

3rd Aug 2017
Mike Emigh
@nakame_maiku_twitter
Aug 03 2017 09:41
NS records should be cached, right?
Vladimír Čunát
@vcunat
Aug 03 2017 09:42
Yes.
(at least generally)
Mike Emigh
@nakame_maiku_twitter
Aug 03 2017 09:44
I have predict running (latest from git)
window of 15, and period of 0
and NS google.com is being retrieved about once a minute
Vladimír Čunát
@vcunat
Aug 03 2017 09:44
Yes, I know about this mis-feature.
Mike Emigh
@nakame_maiku_twitter
Aug 03 2017 09:45
should predict be turned off for now?
Vladimír Čunát
@vcunat
Aug 03 2017 09:46
Predict in your config wants to refresh expiring records, so it runs the queries with a flag to disable records reading from cache.
The downside is that this is applied to all records needed for the query and not just those that are about to expire...
Mike Emigh
@nakame_maiku_twitter
Aug 03 2017 09:52
Is there another way to configure it for that not to happen?
Vladimír Čunát
@vcunat
Aug 03 2017 09:52
No, predict is always like this, so far.
Mike Emigh
@nakame_maiku_twitter
Aug 03 2017 11:55
I've tried running this against multiple knotdns servers that I have: https://www.grc.com/dns/dns.htm
It says this about transaction IDs:
Even though there might be a high maximum potential entropy as measured by the lowest and highest value range above, a large number of duplicate sample values has the effect of wasting that potential entropy and making spoofed reply guessing more successful. Therefore, “Lost Entropy” measures the number of effective bits of entropy lost due to observed duplicate values.
Vladimír Čunát
@vcunat
Aug 03 2017 11:59
@nakame_maiku_twitter: you believe that knot-resolver uses many duplicate IDs? (or that service indicated it?)
Mike Emigh
@nakame_maiku_twitter
Aug 03 2017 11:59
I got nearly the same result from unbound though. Is it simply pulling random values from /dev/random?
Yeah, the scanner indicated it. Just hit the button at the bottom of the page
Vladimír Čunát
@vcunat
Aug 03 2017 12:03
A pseudorandom generator is used.
Even with full randomness, choosing 256 16-bit values will likely contain some repeated value.
Mike Emigh
@nakame_maiku_twitter
Aug 03 2017 12:06
Worth increasing that 256? Is that possible?
Guessing that size is just SEED_SIZE from utils.c?
Vladimír Čunát
@vcunat
Aug 03 2017 12:07
We don't have any such limit. It was just an example for the birthday paradox.
(meaning 256)
@nakame_maiku_twitter: how much lost entropy did the service report to you?
To my local kresd it measured just 0.09 lost bits.
Mike Emigh
@nakame_maiku_twitter
Aug 03 2017 12:09
0.42
and 0.43 on a different server
and 0.42 on a different unbound server
all using freebsd 11
Vladimír Čunát
@vcunat
Aug 03 2017 12:20
That's strange. Kresd uses a built-in generator.
Only the seed is taken from the system.
(/dev/urandom typically)
Mike Emigh
@nakame_maiku_twitter
Aug 03 2017 12:32
I've done the test quite a few times, it's usually around 0.4, and I've seen it as low as 0.1
for some reason it says DNSSEC is absent though... ?
Vladimír Čunát
@vcunat
Aug 03 2017 12:34
I saw that, but I can't see why.
Vladimír Čunát
@vcunat
Aug 03 2017 13:21
I tried several times in the meantime, but the lost entropy was always 0.06--0.09. Still, I wouldn't consider it significant even to lose half a bit (your case).
Mike Emigh
@nakame_maiku_twitter
Aug 03 2017 21:06
would any config options affect this? for example, number of IPs being listened on
or turning ipv6 off