Change the hints root of kresd

I’m trying to change the hints root of the DNS resolver kresd to use another root. I know how to do it with a regular kresd but not with the way the Turris Omnia configures its software. This makes it really difficult to have a custom setup: https://discourse.labs.nic.cz/t/knot-resolver-configuration-improvement-in-omnia/934

I tried the trick in https://discourse.labs.nic.cz/t/adding-custom-records-to-the-dns/1176. It works fine to configure many things in kresd but not the hints root. The console command hints.root() shows my alternative root servers but a dig NS . still shows the traditional ones. cache.clear() changes nothing.

Any bright idea?

I might be way too late, but at least for reference:

  • I suppose you figured out how to add custom kresd config; if not, 1) - 2) of Knot resolver and RPZ shows one way that should work reliably.
  • See documentation on a config command that shows or changes the root hints. (The root is treated in a special way.)

Thanks, it now works. I modified /etc/config/resolver:

config resolver 'common'
        ...
        option keyfile '/etc/kresd/yeti-root.keys'

config resolver 'kresd'
        ...
        option include_config '/etc/kresd/custom.conf'

And then custom.conf contains:

hints.root({
        ['bii.dns-lab.net.'] = '240c:f:1:22::6',
        ['yeti-ns.tisf.net.'] = '2001:4f8:3:1006::1:4',
        ['yeti-ns.wide.ad.jp.'] = '2001:200:1d9::35',
        ['yeti-ns.as59715.net.'] = '2a02:cdc5:9715:0:185:5:203:53',
        ['dahu1.yeti.eu.org.'] = '2001:4b98:dc2:45:216:3eff:fe4b:8c5b',
        ['ns-yeti.bondis.org.'] = '2a02:2810:0:405::250',
        ['yeti-ns.ix.ru.'] = '2001:6d0:6d06::53',
        ['yeti.bofh.priv.at.'] = '2a01:4f8:161:6106:1::10',
        ['yeti.ipv6.ernet.in.'] = '2001:e30:1c1e:1::333',
        ['yeti-dns01.dnsworkshop.org.'] = '2001:1608:10:167:32e::53',
        ['yeti-ns.conit.co.'] = '2604:6600:2000:11::4854:a010',
        ['dahu2.yeti.eu.org.'] = '2001:67c:217c:6::2',
        ['yeti.aquaray.com.'] = '2a02:ec0:200::1',
        ['yeti-ns.switch.ch.'] = '2001:620:0:ff::29',
        ['yeti-ns.lab.nic.cl.'] = '2001:1398:1:21::8001',
        ['yeti-ns1.dns-lab.net.'] = '2001:da8:a3:a027::6',
        ['yeti-ns2.dns-lab.net.'] = '2001:da8:268:4200::6',
        ['yeti-ns3.dns-lab.net.'] = '2400:a980:30ff::6',
        ['ca978112ca1bbdcafac231b39a23dc.yeti-dns.net.'] = '2c0f:f530::6',
        ['yeti-ns.datev.net.'] = '2a00:e50:f15c:1000::1:53',
        ['3f79bb7b435b05321651daefd374cd.yeti-dns.net.'] = '2401:c900:1401:3b:c::6',
        ['xn--r2bi1c.xn--h2bv6c0a.xn--h2brj9c.'] = '2001:e30:1c1e:10::333',
        ['yeti1.ipv6.ernet.in.'] = '2001:e30:187d::333',
        ['yeti-dns02.dnsworkshop.org.'] = '2001:19f0:0:1133::53',
        ['yeti.mind-dns.nl.'] = '2a02:990:100:b01::53:0'
})

With that, everything works fine, I now use the Yeti root:

root@turris:~# dig NS .

; <<>> DiG 9.9.8-P4 <<>> NS .
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53922
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 25, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.				IN	NS

;; ANSWER SECTION:
.			80756	IN	NS	bii.dns-lab.net.
.			80756	IN	NS	yeti.bofh.priv.at.
.			80756	IN	NS	yeti.ipv6.ernet.in.
.			80756	IN	NS	yeti.aquaray.com.
.			80756	IN	NS	yeti.mind-dns.nl.
.			80756	IN	NS	dahu1.yeti.eu.org.
.			80756	IN	NS	dahu2.yeti.eu.org.
.			80756	IN	NS	yeti1.ipv6.ernet.in.
.			80756	IN	NS	ns-yeti.bondis.org.
.			80756	IN	NS	yeti-ns.ix.ru.
.			80756	IN	NS	yeti-ns.lab.nic.cl.
.			80756	IN	NS	yeti-ns.tisf.net.
.			80756	IN	NS	yeti-ns.wide.ad.jp.
.			80756	IN	NS	yeti-ns.conit.co.
.			80756	IN	NS	yeti-ns.datev.net.
.			80756	IN	NS	yeti-ns.switch.ch.
.			80756	IN	NS	yeti-ns.as59715.net.
.			80756	IN	NS	yeti-ns1.dns-lab.net.
.			80756	IN	NS	yeti-ns2.dns-lab.net.
.			80756	IN	NS	yeti-ns3.dns-lab.net.
.			80756	IN	NS	xn--r2bi1c.xn--h2bv6c0a.xn--h2brj9c.
.			80756	IN	NS	yeti-dns01.dnsworkshop.org.
.			80756	IN	NS	yeti-dns02.dnsworkshop.org.
.			80756	IN	NS	3f79bb7b435b05321651daefd374cd.yeti-dns.net.
.			80756	IN	NS	ca978112ca1bbdcafac231b39a23dc.yeti-dns.net.

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Mar 12 19:39:16 UTC 2017
;; MSG SIZE  rcvd: 810