----
= Knot Resolver =

On Ubuntu 16.04, after installing Knot DNS (libknot), it mostly worked. [[/ubuntu]] [[DNS/KnotDNS]]

 * https://www.knot-dns.cz/download/
 * https://knot-resolver.readthedocs.io/en/stable/
 * https://knot-resolver.readthedocs.io/en/stable/config-overview.html
 * https://knot-resolver.readthedocs.io/en/stable/quickstart-config.html
 * Building from sources: https://knot-resolver.readthedocs.io/en/latest/build.html

== Mandatory domain blocking ==

Some jurisdictions mandate blocking access to certain domains. This can be achieved using the following policy rule:

{{{
policy.add(
    policy.suffix(policy.DENY, policy.todnames({'example.com.', 'blocked.example.net.'})))
}}}

== Versions ==

[[/3.2.0]] [[/5.1.2]] [[DNS/実装/KnotDNSresolver]]

https://twitter.com/KnotDNS/status/988385821052030976

Knot Resolver 2.3.0 has been released! It is a security release that fixes CVE-2018-1110. https://lists.nic.cz/pipermail/knot-re

----
From [[/NEWS]]: [[/lib/layer/interate.c]]

Knot Resolver experimental release (https://lists.nic.cz/pipermail/knot-dns-users/2017-October/001239.html): negative answers from validated NSEC (NXDOMAIN, NODATA). Caching doesn't yet work for various cases:
 * negative answers without NSEC (i.e. with NSEC3 or insecure)

 * https://www.knot-resolver.cz/
 * http://knot-resolver.readthedocs.io/en/latest/index.html
 * https://gitlab.labs.nic.cz/knot/resolver
 * users: https://lists.nic.cz/pipermail/knot-dns-users/
 * GitHub: https://github.com/CZ-NIC/knot-resolver
 * For copying: https://github.com/CZ-NIC/knot-resolver.git

 * daemon/worker: deduplicate outbound queries
 * web command center (Golang module), sample: http://resolver.vavrusa.com/

== make ==

http://knot-resolver.readthedocs.io/en/latest/build.html#platform-considerations Building project; Building from sources

{{{
The Knot DNS Resolver depends on the Knot DNS library, recent version of libuv, and LuaJIT.

$ make info # See what's missing

When you have all the dependencies ready, you can build and install.

$ make PREFIX="/usr/local"
$ make install PREFIX="/usr/local"
}}}

Run make info in knot-resolver-master/. Prerequisites:

{{{
Dependencies
------------
 [no] libknot (lib)
 [no] LuaJIT (daemon)
 [no] libuv (daemon)
}}}

http://knot-resolver.readthedocs.org/en/latest/build.html

https://gitlab.labs.nic.cz/labs/knot [[DNS/Knot-DNS]] includes libknot.

https://github.com/libuv/libuv [[/libuv]] [[/LuaJIT]]

Did make complete in a 64-bit environment? [[/install-log]] Also run ldconfig.

== conf ==

[[/config]]

{{{
/usr/local/bin/kresd: error while loading shared libraries: libluajit-5.1.so.2: cannot open shared object file: No such file or directory
}}}

Resolved with ldconfig. -- ToshinoriMaeno

== CNAME ==

[[/CNAMEpatch]] done. Thanks. [[/CNAMEpoison]]

== TCP query ==

[[/TCPquery]] patch for non-minimized query

[[/TCPonly]] patch -- ToshinoriMaeno

== NODATA processing ==

for minimized query answer [[/vavrusa]] [[/patch1]] [[/d.qmail.jp]] [[/nodata]] [[/min_ttl-patch]]

== Authority Section ==

Accepting the authority section data is risky (cache poisoning). How Knot Resolver works:

https://github.com/CZ-NIC/knot-resolver/commit/a2b9d06ddb930e9183ec30f6e8d33daec89a4516

{{{
lib/cache: more granular control for rank check on insertion

for pktcache same or better rank is required (because it's a direct answer)
for rrcache better rank is required (unless doing write-through)
for both cases, no cache rank check is needed when inserting secure data

security note: this mitigates possible non-auth NS hijacking
}}}

{{{
enum kr_cache_rank {
    KR_RANK_BAD      = 0,   /* BAD cache, do not use. */
    KR_RANK_INSECURE = 1,   /* Entry is DNSSEC insecure (e.g. RRSIG not exists). */
    KR_RANK_NONAUTH  = 8,   /* Entry from authority section (i.e. parent-side) */
    KR_RANK_AUTH     = 16,  /* Entry from answer (authoritative data) */
    KR_RANK_SECURE   = 256, /* Entry is DNSSEC valid (e.g. RRSIG exists). */
};
}}}

== rrcache.c ==

{{{
/* Cache authority only if chasing referral/cname chain */
if (!is_auth || qry != TAIL(req->rplan.pending)) {
    ret = stash_authority(qry, pkt, &stash, &req->pool);
}
}}}

The NS records (Authority Section) that the delegated (authoritative) server attaches are discarded. That is safer. -- ToshinoriMaeno

== To do ==

poison in delegation response [[/delegation]]

[[/d.qmail.jp]] poisoning [[/d.qmail.jp/2]] [[/d.qmail.jp/3]] -- ToshinoriMaeno
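As an added illustration (not Knot Resolver's own code) of the insertion rank rules quoted in the Authority Section above, this C model applies them to the scenario the commit's security note names: an NS set learned from an authoritative answer versus one taken from a later reply's authority section, which is also the delegation-poisoning case listed under To do. Only the rank values come from enum kr_cache_rank; reading "write-through" as same-or-better and using KR_RANK_BAD for an empty slot are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
/* Rank values copied from enum kr_cache_rank on this page. */
enum kr_cache_rank {
    KR_RANK_BAD      = 0,   /* BAD cache, do not use (also stands for "no entry" here) */
    KR_RANK_INSECURE = 1,   /* DNSSEC insecure */
    KR_RANK_NONAUTH  = 8,   /* taken from the authority section (parent-side) */
    KR_RANK_AUTH     = 16,  /* taken from the answer of an authoritative reply */
    KR_RANK_SECURE   = 256, /* DNSSEC validated */
};
enum cache_kind { PKTCACHE, RRCACHE };

/* Rank given to an incoming record; from_answer is false for authority-section data. */
int incoming_rank(bool validated, bool from_answer)
{
    if (validated)
        return KR_RANK_SECURE;
    return from_answer ? KR_RANK_AUTH : KR_RANK_NONAUTH;
}

/* Model of the three rules in the commit message. Assumption: "unless doing
 * write-through" is read as relaxing rrcache to same-or-better. */
bool rank_allows_insert(enum cache_kind kind, int old_rank, int new_rank,
                        bool write_through)
{
    if (new_rank >= KR_RANK_SECURE)        /* secure data: no rank check */
        return true;
    if (kind == PKTCACHE || write_through) /* direct answer: same or better */
        return new_rank >= old_rank;
    return new_rank > old_rank;            /* rrcache: strictly better */
}

/* Hijack scenario from the security note: rrcache holds an NS set from an
 * authoritative answer; a later reply's authority section carries another.
 * Returns true if the non-auth set would overwrite the cached one. */
bool nonauth_ns_overwrites_auth(void)
{
    int cached = incoming_rank(false, true);  /* KR_RANK_AUTH */
    int later  = incoming_rank(false, false); /* KR_RANK_NONAUTH */
    return rank_allows_insert(RRCACHE, cached, later, false);
}

int main(void)
{
    printf("non-auth NS overwrites cached auth NS: %s\n",
           nonauth_ns_overwrites_auth() ? "yes" : "no"); /* no */
    printf("non-auth NS fills an empty rrcache slot: %s\n",
           rank_allows_insert(RRCACHE, KR_RANK_BAD, KR_RANK_NONAUTH, false) ? "yes" : "no"); /* yes */
    return 0;
}
```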