These are chat archives for CZ-NIC/knot-resolver

4th Oct 2018
Jonathan Coetzee
@jcoetzee
Oct 04 2018 06:27

I'm running into an issue, I don't know if it's a bug or I'm doing something wrong. Trying to set up a Docker container for personal use that will forward queries over DoT to Cloudflare (and other providers). This was working, but something changed over the weekend and now forwarding to Cloudflare doesn't seem to work anymore. When I start knot-resolver I get the following output

[priming] cannot resolve address 'e.root-servers.net.', type: 28
[priming] cannot resolve address 'f.root-servers.net.', type: 1
[priming] cannot resolve address 'd.root-servers.net.', type: 1
[priming] cannot resolve address 'd.root-servers.net.', type: 28
[priming] cannot resolve address 'e.root-servers.net.', type: 1
[priming] cannot resolve address 'b.root-servers.net.', type: 28
[priming] cannot resolve address 'c.root-servers.net.', type: 1
[priming] cannot resolve address 'b.root-servers.net.', type: 1
[priming] cannot resolve address 'a.root-servers.net.', type: 28
[priming] cannot resolve address 'm.root-servers.net.', type: 28
[priming] cannot resolve address 'a.root-servers.net.', type: 1
[priming] cannot resolve address 'm.root-servers.net.', type: 1
[priming] cannot resolve address 'l.root-servers.net.', type: 28
[priming] cannot resolve address 'l.root-servers.net.', type: 1
[priming] cannot resolve address 'k.root-servers.net.', type: 28
[priming] cannot resolve address 'k.root-servers.net.', type: 1
[priming] cannot resolve address 'j.root-servers.net.', type: 1
[priming] cannot resolve address 'j.root-servers.net.', type: 28
[priming] cannot resolve address 'i.root-servers.net.', type: 28
[priming] cannot resolve address 'g.root-servers.net.', type: 1
[priming] cannot resolve address 'c.root-servers.net.', type: 28
[priming] cannot resolve address 'g.root-servers.net.', type: 28
[priming] cannot resolve address 'h.root-servers.net.', type: 28
[priming] cannot resolve address 'i.root-servers.net.', type: 1
[priming] cannot resolve address 'f.root-servers.net.', type: 28
[priming] cannot resolve address 'h.root-servers.net.', type: 1
[priming] cannot resolve any root server address, next priming query in 10 seconds

This repeats every 10 seconds.

Starting with -v, I can see the following

[priming] cannot resolve address 'e.root-servers.net.', type: 28
[56743][iter]     <= rcode: NOERROR
[56743][resl]     <= server: '1.1.1.1' rtt: >= 0 ms
[56743][resl]     => resuming yielded answer
[56743][vldr]     <= bad NODATA proof
[56743][cach]     => stashed packet: rank 025, TTL 5, DS root-servers.net. (948 B)
[56743][resl]     finished: 0, queries: 3, mempool: 163904 B

For comparison, this is what I get when I forward to Quad9 (which works)

[48946][iter]     <= rcode: NOERROR
[48946][vldr]     <= can't prove NODATA due to optout, going insecure
[48946][vldr]     <= DS doesn't exist, going insecure
[48946][vldr]     <= parent: updating DS
[48946][vldr]     <= answer valid, OK
[48946][cach]     => stashed net. SOA, rank 060, 234 B total, incl. 1 RRSIGs
[48946][cach]     => stashed packet: rank 060, TTL 693, DS root-servers.net. (778 B)
[48946][resl]     <= server: '149.112.112.112' rtt: 47 ms
[28196][iter]   'c.root-servers.net.' type 'A' id was assigned, parent id 0
I'm running knot-resolver 3.0.0 (tried the master branch as well) and libknot 2.7.2
Vladimír Čunát
@vcunat
Oct 04 2018 07:37
Cloudflare servers reply incorrectly to the DS root-servers.net query, returning DS net instead of a non-existence proof for the name below.
Jonathan Coetzee
@jcoetzee
Oct 04 2018 07:41
Is there anything I can do about this? Reach out to them?
Vladimír Čunát
@vcunat
Oct 04 2018 08:02
You could on https://community.cloudflare.com/c/reliability/1111 but I'll ask our contact directly. (They use knot-resolver with their own patches atop, but so far I can't reproduce the problem myself.)
Jonathan Coetzee
@jcoetzee
Oct 04 2018 08:12
Thanks. If it makes any difference, I'd be hitting the Johannesburg, South Africa CF DC.
This was working on Saturday; I noticed this behavior on Monday evening.
Vladimír Čunát
@vcunat
Oct 04 2018 08:18
It's probably global. I'm getting the error from the Prague instance.
$ kdig @1.1.1.1 CH id.server TXT +short
"PRG"
I can only see it affecting this special name, so I presume your forwarding will still work, except for the priming module probing every ten seconds (annoying, but you can modules.unload('priming')).
Jonathan Coetzee
@jcoetzee
Oct 04 2018 08:21
Yes, I noticed that forwarding was still working but wasn't exactly sure why.
Thanks.
What are the implications of disabling priming?
Vladimír Čunát
@vcunat
Oct 04 2018 08:23
None. It's an optimization, basically.
And a useless one in case you forward all traffic.
Jonathan Coetzee
@jcoetzee
Oct 04 2018 08:25
Cool, then I'll disable it.
Vladimír Čunát
@vcunat
Oct 04 2018 16:28
@jcoetzee: they fixed it now. Thanks!