These are chat archives for CZ-NIC/knot-resolver

29th Mar 2018
Petr Špaček
@pspacek
Mar 29 2018 07:07
I'm testing with kresd 2.2.0 and the example you sent is not valid in this version:
policy.TLS_FORWARD({'9.9.9.9', hostname='dns.quad9.net.', ca_file='/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem'})
/usr/local/lib/kdns_modules/policy.lua:188: TLS_FORWARD target must be a non-empty table (found string at position 1)
What version do you use? Or, what is your exact configuration?
Petr Špaček
@pspacek
Mar 29 2018 07:14
It expects PEM certs, which is correct in your case. The problem is the hostname, which contains a trailing dot that is not present in the cert used by Quad9. Unfortunately the DNS convention and the PKI convention differ... It works for me when I use this command:
policy.add(policy.all(policy.TLS_FORWARD({{'9.9.9.9', hostname='dns.quad9.net', ca_file='/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem'}})))
Vladimír Čunát
@vcunat
Mar 29 2018 08:17
Oh, if that is the convention in the cert-world, we could auto-remove the final dots. (I don't know if that's the case.)
Vladimír Čunát
@vcunat
Mar 29 2018 09:14
And gnutls docs don't seem to state any requirements/recommendations around the passed hostname string.
Petr Špaček
@pspacek
Mar 29 2018 09:15
It is an almost arbitrary string, so I would avoid magic conversions on our side. I'm updating the docs now.
Vladimír Čunát
@vcunat
Mar 29 2018 09:16
I wonder if we could report more precise errors.
Petr Špaček
@pspacek
Mar 29 2018 09:17
Exactly. I'm reading GnuTLS docs now.