Andreas Rammhold
@andir
and if I do I turn kresd off before, withdraw anycast announcements etc..
Peter
@petzah
so for configuration (e.g. adding new options to kresd.conf) you just do systemctl stop kresd.service
Andreas Rammhold
@andir
yes
so (at least I think) no request will be lost but the service restarted
Peter
@petzah
ok, well this will confuse a lot of people
thanks for help :)
Andreas Rammhold
@andir
yw, I saw your ansible repo.. I'll probably give it a try on my private infrastructure :-)
Peter
@petzah
sure, it's not complete and approach is somehow different, also templates have a lot of duplicate code .. but it works for me right now :) fork and enjoy :)
Michal Cichra
@mikz
Hi! I'm working on API Gateway project in OpenResty and recently started focusing on our DNS resolving. Knot Resolver looks great so I was investigating how to use it from OpenResty via FFI.
Has someone else experimented with using it via FFI from OpenResty? OpenResty is quite sensitive to blocking the event loop.
Michal Cichra
@mikz
But checking the API documentation (http://knot-resolver.readthedocs.io/en/latest/lib.html#apis-in-lua) I feel like that might not be the right approach for OpenResty as that API is really low level and I'm not sure if it would fit the OpenResty pseudo synchronous blocking on io model.
And a different but related question. Would kresd perform query de-duplication when entry is not in the cache? If there are two queries that arrive at the same time, how many queries to the upstream nameservers is it going to perform?
Vladimír Čunát
@vcunat
The kresd process needs to be in control of its (own) event loop. (Though I don't get what exactly you had in mind.)
Petr Špaček
@pspacek
I guess that these APIs are too low-level for you. The good news is that nothing is set in stone and if you can formulate the requirements someone might advise you where to pull strings inside kresd to get the intended result :-)
Michal Cichra
@mikz
I thought that I could use the library to perform the DNS resolution over FFI instead of using DNS protocol :) So I'd not have to have the daemon running. But that would be just bonus points :)
Vladimír Čunát
@vcunat
Deduplication is done, but only within each process.
Michal Cichra
@mikz
Awesome. And checked documentation, but can't see it mentioned there so it is probably not supported. Can kresd listen on unix domain socket?
Vladimír Čunát
@vcunat
So if you run multiple processes and send an uncached query to them at once, it won't be OK.
The TTY for control is open either interactively or a named unix socket is created.
But I guess you meant listening for standard DNS queries :-)
Michal Cichra
@mikz
Yeah, that is acceptable. This would be running alongside the API Gateway in a Docker container, so just one process should be enough.
Yep. Listening for queries.
Vladimír Čunát
@vcunat
I think there's no explicit support for that.
Michal Cichra
@mikz
OpenResty cosockets support UDP over unix domain sockets so I was hoping it would be a bit more efficient when running in the same container.
Petr Špaček
@pspacek
... I would start optimizing later, when it actually works :-)
Vladimír Čunát
@vcunat
I would personally expect bottlenecks to be elsewhere.
Some reported performance degradation when running kresd within docker.
CZ-NIC/knot-resolver#28
Michal Cichra
@mikz
Thanks for the info. Will post some report when I do benchmarks comparing to dnsmasq. I expect the de-duplication could help a lot for my use case.
Vladimír Čunát
@vcunat
Looking forward to that :-)
Michal Cichra
@mikz
Morning. Any recommendation how to use knot-resolver on CentOS/RHEL? I can see just Fedora packages. Checked EPEL, but it is not there either.
Vladimír Čunát
@vcunat
There might be even some basic dependencies missing or not in high enough version, e.g. we require libknot >= 2.3.1 and libuv >= 1.0.
I don't know if there's a better way than to build from source, unless you already use e.g. https://nixos.org/nix
Michal Cichra
@mikz
vcunat: yeah, some are not there at all like lua-sec-compat. I guess there is no plan to build also for CentOS right?
Vladimír Čunát
@vcunat
No lua libraries are required for basic function, except for luajit itself.
There are no such plans at this moment.
(And I know little about CentOS/RHEL myself.)
Johnathon Mohr
@johnathonm_twitter
Hello
Is there a possible port to Windows?
Vladimír Čunát
@vcunat
At one point kresd did work on Windows, reportedly, but I don't know what's the current status. We've seen no demand yet, I think (up to now).
igregr
@igregr
Hello, is there a way, how to dump the entire cache?
Vladimír Čunát
@vcunat
@igregr: not really.
Certainly not the whole contents.
Ondřej Surý
@oerdnj
igregr: but it's a standard lmdb database, so you can write a utility; or use redis/memcached backend and you can work with cache contents directly
you would just need to decode the data
@johnathonm_twitter: with virtualization being so common (even on Windows) there's a little motivation to do a direct Windows port
Vladimír Čunát
@vcunat
The current state what you can get looks like this:
> cache.get('cz')
[c.ns.nic.cz] => {
    [A] => true
    [AAAA] => true
}
[cz] => {
    [NS] => true
    [DNSKEY] => true
    [DS] => true
}
[seznam.cz] => {
    [NS] => true
}
[ans.seznam.cz] => {
    [A] => true
    [AAAA] => true
}
[www.seznam.cz] => {
    [A] => true
}
[hc3bc4rs8r2ai3kioqv5c3ktorkc39h4.cz] => {
    [NSEC3] => true
}
[ams.seznam.cz] => {
    [A] => true
    [AAAA] => true
}
[b.ns.nic.cz] => {
    [A] => true
    [AAAA] => true
}
[a.ns.nic.cz] => {
    [A] => true
    [AAAA] => true
}
[d.ns.nic.cz] => {
    [A] => true
    [AAAA] => true
}
Petr Špaček
@pspacek
I think that igregr would be okay with a Lua snippet which returns the data, AFAIK he does not need to extract the data without kresd.
In other words, he could use kresd's decoding functions in Lua if we can give him hint how to use them.
lanconnected
@lanconnected
Hello, how can I fill in a bug report? We would like to set up knot resolver in a way that only a certain amount of fixed IPs are allowed to ask queries and the rest of the internet will get dropped. The ACL filter seems straightforward: