Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
Jörg Thalheim
@Mic92
On the long run I want to have my own server, shared with some other folks. But it would be good to have a working example, people can use, in the nixos example section
I tried pinning 9.9.9.9 to the letsencrypt root ca, but apparently I am missing something.
just using https://letsencrypt.org/certs/isrgrootx1.pem.txt is not enough
Jörg Thalheim
@Mic92
But at least knowing that pin_sha256 follows a standard, is helpful
Vladimír Čunát
@vcunat
Well, I had tested the above config with the bundle.
They use root x3
Ah, not root x3.
Well, I'm no expert on TLS. This is what I get
$ openssl s_client -connect dns.quad9.net:853
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = dns.quad9.net
verify return:1
Vladimír Čunát
@vcunat
It's possible knot-resolver has some issue when there are multiple trust paths "to choose from". By default, dns.quad9.net chooses to send this one, because this root is commonly trusted by browsers, and using it works in kresd https://www.identrust.com/certificates/trustid/root-download-x3.html (with added -- BEG/END CERT -- lines).
to track this.
jrun
@257
Feb 21 11:39:50 asusp7p55lx kresd[27678]: /usr/lib/kdns_modules/hints.so: undefined symbol: engine_hint_root_file
i see that there was a discussion about this on the gitter when building and running on fedora but not sure if it's related here.
dunno if it's related but there is something unusual about building knot-resolver; PREFIX passed in compile phase is not honnered in install phase.
Vladimír Čunát
@vcunat
You need to pass the same PREFIX to both phases.
It's just makefiles, it doesn't save settings somewhere :-)
jrun
@257
as a work around i'm passing PREFIX twice although that doesn't solve the prblem with LIBDIR which unlike ETCDIR and MODULEDIR is not put to gether in the initial Makefile.
Vladimír Čunát
@vcunat
Assuming you have exactly same kresd and libkres version, what version gives this problem?
(the missing symbol)
jrun
@257
2.1.0
vcunat: not sure about the libkres actually. is that from knot?
let me check
Vladimír Čunát
@vcunat
No, from knot-resolver itself.
jrun
@257
2.6.4
2.6.4 is the knot version, nvm.
Vladimír Čunát
@vcunat
But this is actually about hints.so and kresd. These problems should be gone on 2.1.0, if both are from this version.
jrun
@257
vcunat: they are from the same version. would building off the git help? i guess i have to anyway for any possible fix, i'm assuming it's a bug...
Vladimír Čunát
@vcunat
We had this exact bug in 1.5.2 and 2.0.0, but resolved it in 1.5.3 and 2.1.0 (couldn't reproduce it anymore).
What's your system? Do you pass any CFLAGS, LDFLAGS, etc?
jrun
@257
gentoo, wait for the ebuild post which should be easy to read (shell like) and i will be here to explain if there is any need for it.
i'm just rewritten to build off the tags on github.
Vladimír Čunát
@vcunat
OK, I think I can still read ebuilds.
You can test the presence of the symbol even without running, via
$ nm -D path/to/kresd | grep engine_hint_root_file
000000000000a980 T engine_hint_root_file
nm finds not hint_root actually
or wait...
sorry wait.
yeah, that symbol is not there
this is the correct ebuild, it builds off v2.1.0 or whatever the actuall ebuild is called:
jrun
@257
here is the list of files installed:
and libkres.pc:
Vladimír Čunát
@vcunat
I would certainly feel safer if the same set of variables was passed to both build an installation. It's enough to have them as environment variables, as make picks them automatically.
jrun
@257
vcunat: i'm trying without ${EPREFIX} at the build phase, is that what you mean?
vcunat: and still the same problem.
hmm, wait. i forgot about LDFLAGS at install phase.