These are chat archives for CZ-NIC/knot-resolver

2nd Aug 2018
edoo
@ookangzheng
Aug 02 2018 03:46 UTC
How can I enable DNSSEC (knot-resolver) and do FORWARD to an upstream BIND DNS (OpenNIC TLD)?
Petr Špaček
@pspacek
Aug 02 2018 06:07 UTC
-- Forward all queries (to public resolvers https://www.nic.cz/odvr)
policy.add(policy.all(policy.FORWARD({'2001:678:1::206', '193.29.206.206'})))
edoo
@ookangzheng
Aug 02 2018 06:08 UTC
I followed the instructions. It works with
policy.add(policy.all(policy.FORWARD({'2001:678:1::206', '193.29.206.206'})))
But my scenario is
policy.add(policy.all(policy.FORWARD({'127.0.0.1@54'})))
Port 54 is served by a BIND DNS server (to resolve the OpenNIC root).
I can't dig nx.bit (OpenNIC domain) in this scenario.
Petr Špaček
@pspacek
Aug 02 2018 06:10 UTC
I see, just add port using @ sign, e.g. '192.0.2.1@53'
edoo
@ookangzheng
Aug 02 2018 06:11 UTC
I've had to change the policy to
policy.add(policy.all(policy.STUB('127.0.0.1@54')))
Then it works...
While using STUB, no DNSSEC.
Petr Špaček
@pspacek
Aug 02 2018 06:11 UTC
STUB does not do DNSSEC validation, FORWARD validates.
edoo
@ookangzheng
Aug 02 2018 06:12 UTC
yap
But on my client side, I use knot-resolver as TLS server
edoo
@ookangzheng
Aug 02 2018 06:12 UTC
I use unbound and do forward to my upstream server
Petr Špaček
@pspacek
Aug 02 2018 06:12 UTC
That's separate configuration unrelated to forwarding/stub mode.
edoo
@ookangzheng
Aug 02 2018 06:13 UTC
Hmm, how can I describe
Petr Špaček
@pspacek
Aug 02 2018 06:13 UTC
So what are you trying to do? Is it forwarding like this?
unbound -> TLS -> kresd -> UDP -> BIND@54?
edoo
@ookangzheng
Aug 02 2018 06:13 UTC
yap
Or can I add OpenNIC TLD in knot-resolver?
I tried with custom hints but not working
Petr Špaček
@pspacek
Aug 02 2018 06:15 UTC
You want kresd to forward everything to BIND, right?
edoo
@ookangzheng
Aug 02 2018 06:15 UTC
yap
Also with dnssec
When I use policy.FORWARD (Unbound cannot connect to my kresd), it fails to validate DNSSEC.
Petr Špaček
@pspacek
Aug 02 2018 06:16 UTC
First of all you need to find DNSSEC root key for OpenNIC - I do not know if they even support DNSSEC.
edoo
@ookangzheng
Aug 02 2018 06:17 UTC
So can I have multiple root key in knot-resolver?
At same time
Petr Špaček
@pspacek
Aug 02 2018 06:18 UTC
You can, but I do not see how it could help.
You still need to have one of the roots, either the official one or OpenNIC.
edoo
@ookangzheng
Aug 02 2018 06:18 UTC
I configured it like that:
-- Load useful modules
modules = {
    'hints > iterate',
    'policy > hints',
    'view < cache',
    'serve_stale < cache',
    'workarounds < iterate',
    'predict'
}
modules.list()

-- hints.config({file = '/etc/knot-resolver/opennic.hints'})

hints.root({
    ['ns2.opennic.glue.'] = '161.97.219.84',
    ['ns3.opennic.glue.'] = '104.168.144.17',
    ['ns4.opennic.glue.'] = '163.172.168.171',
    ['ns5.opennic.glue.'] = '94.103.153.176',
    ['ns6.opennic.glue.'] = '207.192.71.13',
    ['ns8.opennic.glue.'] = '178.63.116.152',
    ['ns9.opennic.glue.'] = '174.138.48.29',
    ['ns10.opennic.glue.'] = '188.226.146.136',
    ['ns11.opennic.glue.'] = '45.55.97.204',
    ['ns12.opennic.glue.'] = '79.124.7.81',
})
Or is there another way to write it: if the request from the client is not an ICANN TLD, then look it up on 127.0.0.154?
Petr Špaček
@pspacek
Aug 02 2018 06:21 UTC
Well, this adds OpenNIC servers to the set, so I assume it will cause great confusion. kresd will select one of servers from set randomly and bad things will happen when it switches between OpenNIC and ICANN root.
I assume that OpenNIC does not support DNSSEC, is that right?
edoo
@ookangzheng
Aug 02 2018 06:22 UTC
How can I check?
I actually switched on DNSSEC in BIND.
Petr Špaček
@pspacek
Aug 02 2018 06:23 UTC
Where did you get OpenNIC DNSSEC keys?
edoo
@ookangzheng
Aug 02 2018 06:23 UTC
I followed these steps.
Petr Špaček
@pspacek
Aug 02 2018 06:28 UTC
This effectively means that BIND is not doing DNSSEC validation, it just trusts whatever you received.
DNSSEC configuration is here https://wiki.opennic.org/opennic/dnssec
edoo
@ookangzheng
Aug 02 2018 06:30 UTC
If I finish these steps?
Petr Špaček
@pspacek
Aug 02 2018 06:31 UTC
Once you get DNSSEC validation working on BIND, it should be possible to use the very same DNSKEY with kresd and then forward everything to BIND.
edoo
@ookangzheng
Aug 02 2018 06:31 UTC
Hmm
I tried this:
dig NS . +short
a.root-servers.net.
b.root-servers.net.
c.root-servers.net.
d.root-servers.net.
e.root-servers.net.
f.root-servers.net.
g.root-servers.net.
h.root-servers.net.
i.root-servers.net.
j.root-servers.net.
k.root-servers.net.
l.root-servers.net.
m.root-servers.net.
I expect the result to be like this:
ns8.opennic.glue.
ns2.opennic.glue.
ns5.opennic.glue.
ns10.opennic.glue.
ns12.opennic.glue.
ns6.opennic.glue.
ns3.opennic.glue.
ns4.opennic.glue.
ns9.opennic.glue.
Petr Špaček
@pspacek
Aug 02 2018 06:33 UTC
That should be the case if you configured the forwarding correctly.
If you did not have forwarding configured from the very start, make sure you flush the cache using cache.clear().
edoo
@ookangzheng
Aug 02 2018 06:48 UTC
So my knot-resolver conf will somehow look like this:
cache.clear()
policy.add(policy.all(policy.FORWARD('127.0.0.1@54')))
policy.add(policy.all(policy.FORWARD('::1@54')))
Petr Špaček
@pspacek
Aug 02 2018 06:54 UTC
Yes, that + trust_anchors.file = 'root.keys'. File root.keys should contain OpenNIC DNSSEC key.
edoo
@ookangzheng
Aug 02 2018 07:09 UTC
My config looks like this:
modules = {
    'policy',
    'daf'
}
net.tls('/etc/letsencrypt/live/dns.xx.blahdns.com/fullchain.pem','/etc/letsencrypt/live/dns.xx.blahdns.com/privkey.pem')
net.listen('0.0.0.0', 53)
net.listen('::', 53)
net.listen('0.0.0.0', 853)
net.listen('::', 853)
cache.clear()
policy.add(policy.all(policy.FORWARD('127.0.0.1@55')))
policy.add(policy.all(policy.FORWARD('::1@55')))
-- Enable DNSSEC validation
trust_anchors.file = '/etc/knot-resolver/root.key'

-- Cache size
-- cache.size = 100 * MB
And root.key does contain the OpenNIC DNSSEC key.
edoo
@ookangzheng
Aug 02 2018 07:23 UTC
@pspacek not working though :d
Petr Špaček
@pspacek
Aug 02 2018 08:12 UTC
I would like to help you but you have to define "nothing" first. What did you try, what result did you expect, and what result did you get instead of the expected one?
edoo
@ookangzheng
Aug 02 2018 08:13 UTC
What do you mean, "nothing"?
I'd like to surf ICANN and OpenNIC TLDs both at the same time.
Petr Špaček
@pspacek
Aug 02 2018 08:14 UTC
You said that "nothing works", right? Does it mean that the resolver does not even start? If so, what's the error message?
edoo
@ookangzheng
Aug 02 2018 08:16 UTC
[screenshot attachment]
When I dig nx.bit on localhost -> kresd,
it returns nothing.
When I manually dig nx.bit @::1 -p 55,
it returns a valid result.
Petr Špaček
@pspacek
Aug 02 2018 08:17 UTC
What is on port 55? Your previous config has port 54.
edoo
@ookangzheng
Aug 02 2018 08:18 UTC
I just changed to port 55
Port 53 (kresd), Port 55 (BIND)
Petr Špaček
@pspacek
Aug 02 2018 08:21 UTC
Please enable verbose logging in kresd with verbose(true) and paste the verbose log here so we can see what is happening.
edoo
@ookangzheng
Aug 02 2018 08:21 UTC
OK.
Where can I see the verbose log?
Petr Špaček
@pspacek
Aug 02 2018 08:23 UTC
It should be in system journal as usual.
edoo
@ookangzheng
Aug 02 2018 08:23 UTC
Nothing in journalctl -xe.
edoo
@ookangzheng
Aug 02 2018 08:29 UTC
When I dig nx.bit:
[ ta ] key: 19036 state: Missing
[ ta ] key: 20326 state: Missing
[ ta ] key: 47089 state: Valid
[ ta ] new state of trust anchors for a domain: .                       172800  DS      19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5

[ ta ] new state of trust anchors for a domain: .                       172800  DS      19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
.                       172800  DS      20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

[ ta ] new state of trust anchors for a domain: .                       172800  DS      19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
.                       172800  DS      20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
.                       86400   DS      47089 8 2 6D81988A88BD546E429486CC0A97518F90F9FC6C6C6B7E5BC2788469858C7324

[ ta ] next refresh for . in 12 hours
[    0][plan] plan '_ta-a73d-b7f1-cc6f.' type 'NULL'
[32275][iter]   '_ta-a73d-b7f1-cc6f.' type 'NULL' id was assigned, parent id 0
[32275][cach]   => trying zone: . (first NSEC)
[32275][cach]   => NSEC sname: covered by: . -> aaa., new TTL 3135
[32275][cach]   => NSEC wildcard: covered by: . -> aaa., new TTL 3135
[32275][cach]   => writing RRsets: +++
[32275][iter]   <= rcode: NXDOMAIN
[32275][vldr]   <= answer valid, OK
[    0][resl]   AD: request classified as SECURE
[32275][resl]   finished: 0, queries: 1, mempool: 81952 B
[    0][plan] plan 'nx.bit.' type 'A'
[62591][iter]   'nx.bit.' type 'A' id was assigned, parent id 0
[62591][cach]   => skipping exact RR: rank 021 (min. 030), new TTL 8861
[62591][cach]   => skipping unfit NS RR: rank 021, new TTL -62891
[62591][cach]   => trying zone: . (first NSEC)
[62591][cach]   => NSEC sname: covered by: bio. -> biz., new TTL 15418
[62591][cach]   => NSEC wildcard: covered by: . -> aaa., new TTL 3127
[62591][cach]   => writing RRsets: +++
[62591][iter]   <= rcode: NXDOMAIN
[62591][vldr]   <= answer valid, OK
[    0][resl]   AD: request classified as SECURE
[62591][resl]   finished: 0, queries: 1, mempool: 16400 B
[    0][plan] plan 'nx.bit.' type 'A'
[29011][iter]   'nx.bit.' type 'A' id was assigned, parent id 0
[29011][cach]   => skipping exact RR: rank 021 (min. 030), new TTL 8846
[29011][cach]   => skipping unfit NS RR: rank 021, new TTL -62906
[29011][cach]   => trying zone: . (first NSEC)
[29011][cach]   => NSEC sname: covered by: bio. -> biz., new TTL 15403
Petr Špaček
@pspacek
Aug 02 2018 08:32 UTC
Interesting, let me see.
Please paste complete config here.
edoo
@ookangzheng
Aug 02 2018 08:34 UTC
This is my DNSKEY in /etc/knot-resolver/root.keys:
[image attachment]
kresd.conf:
-- Load useful modules
modules = {
    'daf',
    'policy',
    'hints',
    'serve_stale < cache',
    'workarounds < iterate',
    'stats',
    'predict'
}
cache.clear()
net.tls('/etc/letsencrypt/live/dns.jp.blahdns.com/fullchain.pem','/etc/letsencrypt/live/dns.jp.blahdns.com/privkey.pem')
--net.listen('0.0.0.0', 52)
net.listen('::', 52)
--net.listen('0.0.0.0', 853)
--net.listen('::', 853)
verbose(true)
policy.add(policy.all(policy.FORWARD('127.0.0.1@55')))
policy.add(policy.all(policy.FORWARD('::1@55')))
-- Enable DNSSEC validation
trust_anchors.file = '/etc/knot-resolver/root.keys'

-- Cache size
-- cache.size = 100 * MB

-- Block all queries with QNAME = oportunidadesim.com.br
daf.add 'qname = oportunidadesim.com.br deny'

-- daf.add 'src = 0.0.0.0/0 forward 127.0.0.1@55'
-- daf.add 'src = ::/0 forward ::1@55'

-- Disallow ANY queries
policy.add(function (req, query)
    if query.stype == kres.type.ANY then
        return policy.DROP
    end
end)

--policy.add(function (req, query)
--    if query.stype == kres.type.TXT then
--        return policy.DROP
--    end
--end)

-- Prefetch learning (20-minute blocks over 24 hours)
-- predict.config (20, 72)
I temporarily listen on port 52; too many connections come to port 53.
Petr Špaček
@pspacek
Aug 02 2018 08:38 UTC
I'm confused. Are you sure you killed the old kresd instances and restarted it with the new config? Please check ps -eF | grep kresd; there should be only one instance running.
edoo
@ookangzheng
Aug 02 2018 08:39 UTC
I installed it via apt-get on Ubuntu; I don't know how to start the service.
Petr Špaček
@pspacek
Aug 02 2018 08:40 UTC
The log you posted indicates that cache was not cleared and that does not make sense if your config contains cache.clear(). Having multiple kresd instances would explain that.
edoo
@ookangzheng
Aug 02 2018 08:40 UTC
So I manually start the kresd service with this command:
/usr/sbin/kresd -q -v -c /etc/knot-resolver/kresd.conf
Petr Špaček
@pspacek
Aug 02 2018 08:40 UTC
I see, that might explain it. Please post output from the ps command.
edoo
@ookangzheng
Aug 02 2018 08:41 UTC
  PID TTY          TIME CMD
31747 pts/3    00:00:00 bash
31789 pts/3    00:00:00 ps
~# ps -eF | grep kresd
root     31588 31587  0 47331 25640   0 16:38 pts/1    00:00:00 /usr/sbin/kresd -q -v -c /etc/knot-resolver/kresd.conf
root     31759 31747  0  3675  1032   0 16:39 pts/3    00:00:00 grep --color=auto kresd
Petr Špaček
@pspacek
Aug 02 2018 08:42 UTC
Okay, so stop this process, make sure it disappeared from output of ps and start it again.
I think it should work after that.
edoo
@ookangzheng
Aug 02 2018 08:43 UTC
I killed it and ran ps:
  PID TTY          TIME CMD
31747 pts/3    00:00:00 bash
31804 pts/3    00:00:00 ps
Do I still have one process running?
ps -eF | grep kresd
root     31808 31747  0  3675  1092   0 16:44 pts/3    00:00:00 grep --color=auto kresd
Petr Špaček
@pspacek
Aug 02 2018 08:45 UTC
This is fine, start it again.
edoo
@ookangzheng
Aug 02 2018 08:46 UTC
Process already started:
~# ps
  PID TTY          TIME CMD
31747 pts/3    00:00:00 bash
31826 pts/3    00:00:00 ps
Petr Špaček
@pspacek
Aug 02 2018 08:47 UTC
You need to run ps -eF to see all processes, plain ps will not tell you what you need.
This is getting complicated. Please familiarize yourself with ps and other utilities first, I would recommend article https://www.binarytides.com/linux-ps-command/
edoo
@ookangzheng
Aug 02 2018 08:49 UTC
OK.
~# ps -ef | grep kresd
root     31825 31824  0 16:46 pts/1    00:00:01 /usr/sbin/kresd -v -c /etc/knot-resolver/kresd.conf
root     31860 31747  0 16:50 pts/3    00:00:00 grep --color=auto kresd
So I see the process ID is different.
Does that mean it started as a fresh process?
Petr Špaček
@pspacek
Aug 02 2018 08:54 UTC
Yes, that's good.
So please retry, it should work now.
edoo
@ookangzheng
Aug 02 2018 08:55 UTC
Nope. Still the same.
Petr Špaček
@pspacek
Aug 02 2018 08:55 UTC
Please post the fresh verbose log.
edoo
@ookangzheng
Aug 02 2018 08:55 UTC
I started the process inside another screen (screen -S knot).
Petr Špaček
@pspacek
Aug 02 2018 09:00 UTC
This is weird, the cache is still not flushed...
edoo
@ookangzheng
Aug 02 2018 09:00 UTC
Should I restart my server?
Petr Špaček
@pspacek
Aug 02 2018 09:00 UTC
Try to stop it and remove data.mdb file and start it again.
I need to go out for a while, will be back in 3 hours. See you later!
edoo
@ookangzheng
Aug 02 2018 09:01 UTC
OK, thanks.
Robert Šefr
@robcza
Aug 02 2018 11:03 UTC
@pspacek regarding the empty root.keys https://gitlab.labs.nic.cz/knot/knot-resolver/issues/389 I understand your explanation and it makes sense.
However, the reason to open the issue in the first place is that we randomly encounter a situation where the root.keys file ends up empty while running multiple kresd processes. We are not sure about the reason, but it has already happened several times on different instances. We think it is a result of multiple processes working with the same file in parallel.
If it happens, all the processes fail to start (if restarted manually or after a crash with a supervisor) and it leads to a service outage.
Vladimír Čunát
@vcunat
Aug 02 2018 11:31 UTC
Oh, that's important information!
@robcza: as a workaround for now, you can use the file in read-only mode (e.g. -K instead of -k). Root KSKs are still very slow to change. The first roll is half-happening after several years.
Petr Špaček
@pspacek
Aug 02 2018 11:35 UTC
@robcza Oh yes, that's very different issue! Please open new one for this and we will have a look.
Robert Šefr
@robcza
Aug 02 2018 11:40 UTC
@pspacek will do
@vcunat will consider it; at this moment we get rid of root.keys and cache files if we detect a problem with resolver startup. We have already encountered both and this approach works, though it is quite aggressive.
Vladimír Čunát
@vcunat
Aug 02 2018 11:41 UTC
In the meantime, I reopened the old issue and changed the title :-)
edoo
@ookangzheng
Aug 02 2018 11:55 UTC
@pspacek still not working.
Petr Špaček
@pspacek
Aug 02 2018 12:09 UTC
Do you have the verbose log after deleting the data.mdb file & restarting?
edoo
@ookangzheng
Aug 02 2018 12:11 UTC
Yap, rebooted my server, deleted data.mdb, reinstalled knot-resolver again.
Petr Špaček
@pspacek
Aug 02 2018 12:20 UTC
Just deleting data.mdb and restarting would certainly be enough. Do you have the verbose log?
edoo
@ookangzheng
Aug 02 2018 13:10 UTC
Suddenly it works!
I don't know what happened.
@pspacek I very much appreciate your help.
Petr Špaček
@pspacek
Aug 02 2018 14:16 UTC
You are welcome.
edoo
@ookangzheng
Aug 02 2018 14:29 UTC
@pspacek How can I start the kresd service with the command service kresd start?
Which keyword or document can I find on the site?
Petr Špaček
@pspacek
Aug 02 2018 14:30 UTC
@ookangzheng It very much depends on your distribution and version. Recent packages have documentation in man kresd.systemd; try to run this command and see if you have the man page installed.
edoo
@ookangzheng
Aug 02 2018 14:31 UTC
Hmm, okay... I'm a newbie at Linux.
edoo
@ookangzheng
Aug 02 2018 15:18 UTC
@pspacek is there any way to write something like this?
if (dnsrequest.dnssec validate failed) then
    policy.STUB('127.0.0.1@55')
end