These are chat archives for CZ-NIC/knot-resolver

24th Oct 2017
Mike Emigh
@nakame_maiku_twitter
Oct 24 2017 12:42
is it possible to disable 0x20 globally or as part of a forward policy?
Vladimír Čunát
@vcunat
Oct 24 2017 12:42
yes
It's a query flag that you can set via policies (based on usual policy conditions).
Petr Špaček
@pspacek
Oct 24 2017 12:45
It is important to say that if 0x20 breaks anything, it is preferable to fix the broken thing because it apparently does not follow DNS standards.
Mike Emigh
@nakame_maiku_twitter
Oct 24 2017 12:46
I don't disagree, just thought that if policy.FORWARD was used, then the query would be sent on as-is
Vladimír Čunát
@vcunat
Oct 24 2017 12:46
You need action policy.FLAGS('NO_0x20')
Note that you need to have the rule with this action before FORWARD, as forwarding is a "terminal" action.
Petr Špaček
@pspacek
Oct 24 2017 12:47
The reason for this behavior is that 0x20 is protection against fake answers, so it is equally applicable to forwarding.
If you really have to disable it, mainly because the brokenness is beyond your control and the responsible party does not respond to your messages, you might want to take some inspiration from https://gitlab.labs.nic.cz/knot/knot-resolver/blob/master/modules/workarounds/workarounds.lua#L6
Vladimír Čunát
@vcunat
Oct 24 2017 12:48
Oh, it's all-caps, so NO_0X20 instead.
Yes, it's a part of protection against the famous Kaminsky-style attacks.