Knot DNS is not resolving properly

Hi devs,

For me, Knot DNS is causing trouble for some domains. I’m not sure why; if you can point me to some logs/configs I would be glad.

The first domain I’m facing the issue with is “www.vutbr.cz” (just “vutbr.cz” resolves fine):

$ dig www.vutbr.cz
; <<>> DiG 9.10.4-P4-RedHat-9.10.4-2.P4.fc24 <<>> www.vutbr.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 240
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.vutbr.cz.                  IN      A

;; Query time: 16 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Thu Nov 24 01:46:12 CET 2016
;; MSG SIZE  rcvd: 41

Vs. using Google’s NS:

$ dig @8.8.8.8 www.vutbr.cz

; <<>> DiG 9.10.4-P4-RedHat-9.10.4-2.P4.fc24 <<>> @8.8.8.8 www.vutbr.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23029
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.vutbr.cz.                  IN      A

;; ANSWER SECTION:
www.vutbr.cz.           98      IN      CNAME   piranha.ro.vutbr.cz.
piranha.ro.vutbr.cz.    3398    IN      A       147.229.2.90

;; Query time: 32 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Nov 24 01:48:39 CET 2016
;; MSG SIZE  rcvd: 82

I have not done any adjustments to Knot whatsoever.

Try turning off DNS forwarding in the Foris interface. What you observe is a common symptom of an upstream DNS resolver not supporting DNSSEC properly.

Thanks for the update!

Actually, it was switched off already. I tried turning it on, and it started to cooperate and behaves properly now. So the issue is that without forwarding it’s not working, and when it’s enabled it does. Is this expected behavior?

Cheers

No, it should be the other way around. When DNS forwarding is disabled, it should work properly, unless your ISP does some strange redirection of UDP/53 packets.

When forwarding is enabled, the upstream DNS server has to serve all DNSSEC data properly. Known working upstream DNS servers are Google Public DNS and CZ.NIC ODVRs.
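Both replies above (the SERVFAIL as a symptom of an upstream not supporting DNSSEC, and the requirement that a forwarding target serve all DNSSEC data) come down to one check: ask the upstream for a name in a signed zone with the EDNS DO bit set and see whether RRSIG records come back. The script below is an added example, not code from this thread or from Knot Resolver / Turris: it builds such a query, parses the wire-format response with the standard library only, counts RRSIGs, and classifies the resolver. The three sample responses, the `example.com` / `192.0.2.1` values in them, and the `check_upstream` helper name are all my own constructions.

```python
"""Classify a DNS resolver by what it returns for a DO (DNSSEC OK) query.
Added example, not part of the forum thread or of Knot Resolver; the sample
messages and classification rules are constructed for illustration."""
import socket
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=TYPE_A, qid=0x1234, dnssec_ok=True):
    """Wire-format query with RD set and an EDNS0 OPT record.  With the DO
    bit set, a DNSSEC-capable upstream must return RRSIGs with its answer."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    do_flags = 0x8000 if dnssec_ok else 0           # DO lives in the OPT "TTL" field
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, do_flags, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt


def _read_name(msg, off):
    """Decode a possibly compressed name (RFC 1035 4.1.4).
    Returns (dotted name, offset just past the name in the original stream)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # two-byte compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels) + ".", end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg):
    """Summarise header flags, DO echo and RRSIG count of a wire-format reply."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                      # QTYPE + QCLASS
    rrsigs, do_bit = 0, False
    for _ in range(an + ns + ar):
        _, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_RRSIG:
            rrsigs += 1
        elif rtype == TYPE_OPT:
            do_bit = bool(ttl & 0x8000)
    return {"rcode": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)),
            "ad": bool(flags & 0x0020),               # Authenticated Data flag
            "do": do_bit, "rrsigs": rrsigs}


def classify(summary):
    """Is this resolver usable as a forwarding target for a validating resolver?
    Assumes the query was for a name in a zone known to be signed."""
    if summary["rcode"] != "NOERROR":
        return "error: %s (validation failed or upstream unusable)" % summary["rcode"]
    if summary["rrsigs"] == 0:
        return "strips DNSSEC data: no RRSIG returned; a validating forwarder will SERVFAIL"
    return "serves DNSSEC data (RRSIG present%s)" % (", AD set" if summary["ad"] else "")


def check_upstream(server, name, timeout=3.0):
    """Send one UDP query to `server` and classify its answer (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return classify(parse_response(data))


def _rr(owner, rtype, rdata, ttl=3600, rclass=1):
    return owner + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


# Constructed sample responses to "example.com. IN A" (id 0x1234); 0xc00c is a
# compression pointer back to the question name at offset 12.
_QNAME = b"\x07example\x03com\x00"
_QUESTION = _QNAME + struct.pack("!HH", TYPE_A, 1)
_A_RDATA = bytes([192, 0, 2, 1])                      # RFC 5737 documentation address
_RRSIG_RDATA = struct.pack("!HBBIIIH", TYPE_A, 13, 2, 3600, 0, 0, 0) + _QNAME + b"\x00" * 8

# Upstream that honours DO: NOERROR, AD set, A + RRSIG, OPT with DO echoed back.
SAMPLE_GOOD = (struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 1) + _QUESTION
               + _rr(b"\xc0\x0c", TYPE_A, _A_RDATA)
               + _rr(b"\xc0\x0c", TYPE_RRSIG, _RRSIG_RDATA)
               + _rr(b"\x00", TYPE_OPT, b"", ttl=0x8000, rclass=4096))
# Upstream that strips DNSSEC data: NOERROR, but no RRSIG and no OPT record.
SAMPLE_STRIPPED = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
                   + _rr(b"\xc0\x0c", TYPE_A, _A_RDATA))
# An empty SERVFAIL, the shape of the first dig output in this thread.
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    for label, msg in (("good", SAMPLE_GOOD), ("stripped", SAMPLE_STRIPPED),
                       ("servfail", SAMPLE_SERVFAIL)):
        print(label, "->", classify(parse_response(msg)))
```

Run it as-is to see the three classifications on the constructed messages; with network access, `check_upstream("8.8.8.8", "example.com.")` queries a live upstream the same way, using a name in a zone you know to be signed. An upstream that answers NOERROR with no RRSIG is the case the reply above warns about: the forwarding resolver cannot validate what it gets, so clients see SERVFAIL.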

As I said, it works for me when forwarding is enabled, but when I disable it I’m not getting any response. Just for some domain names, though; for others it works fine.

Forwarding enabled -> works fine.
Disabled forwarding -> facing issues. The dig outputs shown in the original post were produced when the forwarding was disabled.

I don’t get it.

I’m sorry, this was a bug in knot-resolver. It’s fixed now (but not even in master yet).