Hello, can anyone please explain to me why I am getting these lines in the log:
kresd[6004]: [tls_client] failed to verify peer certificate: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded.
It happens almost every time the router is rebooted or upgraded. The only way to solve it is to run:
/etc/init.d/resolver restart
After that the logs are free of errors and the resolver works fine.
Main resolver config:
config resolver 'kresd'
    option rundir '/tmp/kresd'
    option log_stderr '1'
    option log_stdout '1'
    option forks '1'
    option keep_cache '1'
    option include_config '/etc/kresd/custom.conf'

config resolver 'common'
    option port '53'
    option keyfile '/etc/root.keys'
    option verbose '0'
    option msg_buffer_size '4096'
    option msg_cache_size '50M'
    option net_ipv6 '0'
    option net_ipv4 '1'
    option prefered_resolver 'kresd'
    option prefetch 'yes'
    option static_domains '1'
    option dynamic_domains '0'
    option ignore_root_key '0'
    option forward_upstream '0'
and the kresd custom config (/etc/kresd/custom.conf):
-- Network settings
net = {
    '127.0.0.1',
    -- LAN
    '192.168.1.1'
}

-- Cache setting
cache.size = 20 * MB

-- Local records
hints.config('/etc/hosts')
hints['turris'] = '192.168.1.1'

-- Because of DNS flag day 2020
net.bufsize(1232)

-- Forward queries to other DNS providers over TLS.
require 'math'
math.randomseed(os.time())
tls_bundle = '/etc/ssl/certs/ca-certificates.crt'
dns_providers = {
    { -- CZ.NIC
        {'193.17.47.1', hostname='odvr.nic.cz', ca_file=tls_bundle},
        {'185.43.135.1', hostname='odvr.nic.cz', ca_file=tls_bundle},
        {'2001:148f:ffff::1', hostname='odvr.nic.cz', ca_file=tls_bundle},
        {'2001:148f:fffe::1', hostname='odvr.nic.cz', ca_file=tls_bundle},
    },
    { -- UncensoredDNS
        {'89.233.43.71', hostname='unicast.censurfridns.dk', ca_file=tls_bundle},
        {'2a01:3a0:53:53::0', hostname='unicast.censurfridns.dk', ca_file=tls_bundle},
    }
}

-- The blacklist is regenerated automatically.
policy.add(policy.rpz(policy.DENY, '/etc/kresd/blacklist.rpz'))
-- One provider group is picked at random each time kresd starts.
policy.add(policy.all(policy.TLS_FORWARD(dns_providers[math.random(1, #dns_providers)])))
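To see whether the `[tls_client] failed to verify peer certificate` lines cluster right after boot and stop once a new kresd process replaces the old one, the following added example (not from the post or from the kresd project) parses syslog lines of that shape, counts failures per kresd pid and per reason, and picks out those inside a post-boot window. The sample log, the hostname `turris`, pid 6311, the boot time and the year are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Line shape as reported above: syslog prefix, kresd pid, then the [tls_client]
# peer-certificate failure and its free-text reason.
TLS_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kresd\[(?P<pid>\d+)\]: "
    r"\[tls_client\] failed to verify peer certificate: (?P<reason>.+)$"
)

# Constructed sample log (not taken from the post): failures right after a reboot
# under pid 6004, one more under pid 6311 after a restart, and an unrelated line
# that must be ignored. Hostname "turris", pid 6311 and the timestamps are assumptions.
SAMPLE_LOG = """\
Mar  3 08:00:01 turris kresd[6004]: [tls_client] failed to verify peer certificate: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded.
Mar  3 08:00:03 turris kresd[6004]: [tls_client] failed to verify peer certificate: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded.
Mar  3 08:00:07 turris kresd[6004]: [tls_client] failed to verify peer certificate: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded.
Mar  3 08:00:09 turris kresd[6004]: [tls_client] some other (constructed) tls_client message
Mar  3 08:12:40 turris kresd[6311]: [tls_client] failed to verify peer certificate: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded.
"""
# Boot time of the constructed scenario (assumed); take it from the system's boot record in practice.
BOOT_TIME = datetime(2020, 3, 3, 7, 59, 50)

def parse_tls_failures(log_text, year=2020):
    """Return (timestamp, pid, reason) per failure; syslog lines carry no year, so one is assumed."""
    failures = []
    for line in log_text.splitlines():
        m = TLS_FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, int(m["pid"]), m["reason"]))
    return failures

def count_failures(failures, field):
    """Count failures by 'pid' or 'reason'; a resolver restart shows up as a new pid."""
    idx = {"pid": 1, "reason": 2}[field]
    return dict(Counter(f[idx] for f in failures))

def failures_within(failures, start, window_s=600):
    """Failures in the window after `start`, e.g. the boot time, where the post sees them."""
    return [f for f in failures if 0 <= (f[0] - start).total_seconds() <= window_s]

if __name__ == "__main__":
    fails = parse_tls_failures(SAMPLE_LOG)
    print(count_failures(fails, "pid"), len(failures_within(fails, BOOT_TIME)))
```

Feeding it the real log after a reboot shows whether the failures belong only to the pid that started at boot, which is what the restart in the post would suggest.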