These are chat archives for CZ-NIC/knot-resolver

30th
Oct 2018
Robert Šefr
@robcza
Oct 30 2018 14:15

I have encountered quite a strange behavior with STUB policy action:

  • resolver is configured to STUB the queries to one of the Domain controllers (Active Directory) of domains example.local and example.com
  • Both controllers are on the local network, reachable and work without issues
  • The configuration below works for clients, they can reach all the domain names in both domains
  • After "some time" the STUB to example.local stops working and the resolver tries to do the recursion (verified by tracing the query), answering NXDOMAIN obtained from the root servers
  • However the domain example.com still works and the queries are STUBbed to the domain controllers
  • On process restart with the same configuration file the STUB for example.local works again
policy.add(policy.suffix(policy.STUB('10.10.20.1', '10.10.20.5'), {todname('example.local')}))
policy.add(policy.suffix(policy.STUB('10.10.20.1', '10.10.20.5'), {todname('example.com')}))

This sudden change in behavior is weird. The resolver configuration is not being changed during runtime. Any idea what to check when this happens again?

Petr Špaček
@pspacek
Oct 30 2018 15:26
Hmm, that's weird. First idea is a weird interaction with the aggressive cache, but I think it should not happen.
Hard to tell without verbose logs - if you happen to catch the problem please open issue and attach verbose log.
Robert Šefr
@robcza
Oct 30 2018 15:32
@pspacek the trace action from http module will do?
Petr Špaček
@pspacek
Oct 30 2018 15:33
That should be more or less the same as verbose log so yes, we can try that.
edoo
@ookangzheng
Oct 30 2018 16:31

I have a problem with this

policy.add(policy.suffix(policy.STUB('::1@52'), {todname('bit')}))

::1@52 is my OpenNIC TLD auth server, and some time after 1 day, I cannot dig .bit or some TLD. I have to restart knot-resolver, why?

Petr Špaček
@pspacek
Oct 30 2018 17:38
Hard to tell without further details - please send us verbose log.
(+ information about version etc.)
Vladimír Čunát
@vcunat
Oct 30 2018 18:36
Root servers provide a proof that the range of names round bit doesn't exist. If such a proof gets into cache, I think it can be used at least in some cases when resolving something from bit. There's currently no real "policy" of handling contradictory information.
For combination with .suffix it might be relatively clear how to define merging of the partially contradictory trees, but .STUB is much more general function.