These are chat archives for CZ-NIC/knot-resolver

24th
Jan 2018
dvdfabian
@dvdfabian
Jan 24 2018 11:48

Hello, rebuilt from the tar.xz archive and deployed. The daemon starts and is resolving external domains. Thanks for a quick fix. However, I have a problem with hints.add_hosts(). There are a couple of domains in the referenced host file and the first one (just for monitoring purposes) returns

;; AUTHORITY SECTION:
blocked. 900 IN SOA blocked. nobody.invalid. 0 3600 900 604800 900
It was working before the update.

The other domains in the host file work; just this one cannot be resolved. This is the content of static_records.txt:
85.162.162.162           dns.test
2A07:1F40:1F40:1F40::0   dns.test
...other records...
Petr Špaček
@pspacek
Jan 24 2018 11:53
I can see it. This is because your domain test. is special, as mandated by https://tools.ietf.org/html/rfc6761#section-6.2 . To override this, you can add policy.PASS to override this behavior.
policy.add(policy.suffix(policy.PASS, {todname('test.')}))
Older versions did not follow RFC 6761, but newer versions now do what the standard asks for.
(In BIND jargon it is "automatic empty domain".)
Petr Špaček
@pspacek
Jan 24 2018 11:59
Maybe we can add a TXT record into the ADDITIONAL section explaining why the query was blocked. What do you think?
Vladimír Čunát
@vcunat
Jan 24 2018 11:59
Hmm, yes.
I understand that users would often expect that the hints module will take priority over policy, but it's not so currently.
Petr Špaček
@pspacek
Jan 24 2018 12:01
Yeah, but RFC 6761 is more generic. An explanatory message will cover cases where hints are not in the picture at all and so on.
But certainly we need to think about hints/policy interactions in more depth.
(Even though I would prefer to avoid this use of hints altogether. After all, it is functionality from an authoritative server!)
Vladimír Čunát
@vcunat
Jan 24 2018 12:04
Yes, I meant that as two orthogonal things. Currently RFC 6761 domains and some others are handled by generic policy.DENY.
That could be generalized similarly to policy.DENY('explanation')
Petr Špaček
@pspacek
Jan 24 2018 12:06
Yes, that's what I'm thinking about right now :-)
dvdfabian
@dvdfabian
Jan 24 2018 12:08
Perfect, with the policy added, everything works as expected.