[Pkg-dns-devel] Bug#857578: knot-resolver: The package should not override blindly the config of trust anchors

Stephane Bortzmeyer stephane at bortzmeyer.org
Sun Mar 12 20:45:40 UTC 2017


Package: knot-resolver
Version: 1.2.4-1
Severity: normal

Dear Maintainer,

I tried an alternative root and therefore set up trust_anchors.config
to use the key of this alternative root.

But, by default, the daemon is launched with
--keyfile=/usr/share/dns/root.key and therefore uses the IANA key ->
SERVFAIL

I edited /etc/default/kresd, and fixed the problem, but I do not see
why there are two configuration files, /etc/knot-resolver/kresd.conf
and /etc/default/kresd. IMHO, the choices made by the sysadmin in
/etc/knot-resolver/kresd.conf should be respected.

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.8.3-x86_64-linode76 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages knot-resolver depends on:
ii  adduser            3.115
ii  dns-root-data      2015052300+h+1
ii  libc6              2.24-9
ii  libdnssec2         2.4.0-3
ii  libgnutls30        3.5.8-3
ii  libhiredis0.13     0.13.3-2
ii  libknot5           2.4.0-3
ii  liblmdb0           0.9.18-5
ii  libluajit-5.1-2    2.0.4+dfsg-1+b1
ii  libmemcached11     1.0.18-4.1
ii  libmemcachedutil2  1.0.18-4.1
ii  libnettle6         3.3-1+b1
ii  libsystemd0        232-18
ii  libuv1             1.9.1-3
ii  libzscanner1       2.4.0-3
ii  lua-sec            0.6-3
ii  lua-socket         3.0~rc1+git+ac3201d-3

Versions of packages knot-resolver recommends:
ii  knot-resolver-module-http  1.2.0-1

knot-resolver suggests no packages.

-- Configuration Files:
/etc/default/kresd changed:
KRESD_ARGS="--config=/etc/knot-resolver/kresd.conf --verbose --forks=1 /run/knot-resolver/cache"
DAEMON_ARGS="--addr=127.0.0.1#53 --addr=::1#53 $KRESD_ARGS"

/etc/knot-resolver/kresd.conf changed:
-- -*- mode: lua -*-
modules = {
    'hints' -- Add other modules, if necessary
}
net = { '127.0.0.1' }
-- Knot uses a specific format for the hints so we cannot use the official Yeti hints file.
hints.root({
    ['bii.dns-lab.net.'] = '240c:f:1:22::6',
    ['yeti-ns.tisf.net.'] = '2001:559:8000::6',
    ['yeti-ns.wide.ad.jp.'] = '2001:200:1d9::35',
    ['yeti-ns.as59715.net.'] = '2a02:cdc5:9715:0:185:5:203:53',
    ['dahu1.yeti.eu.org.'] = '2001:4b98:dc2:45:216:3eff:fe4b:8c5b',
    ['ns-yeti.bondis.org.'] = '2a02:2810:0:405::250',
    ['yeti-ns.ix.ru.'] = '2001:6d0:6d06::53',
    ['yeti.bofh.priv.at.'] = '2a01:4f8:161:6106:1::10',
    ['yeti.ipv6.ernet.in.'] = '2001:e30:1c1e:1::333',
    ['yeti-dns01.dnsworkshop.org.'] = '2001:1608:10:167:32e::53',
    ['yeti-ns.conit.co.'] = '2607:ff28:2:10::47:a010',
    ['yeti.aquaray.com.'] = '2a02:ec0:200::1',
    ['dahu2.yeti.eu.org.'] = '2001:67c:217c:6::2',
    ['yeti-ns.switch.ch.'] = '2001:620:0:ff::29'
})
trust_anchors.config('/etc/knot-resolver/yeti-root.key')


-- no debconf information
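An added consistency check, not part of the bug report or of the Debian package, that detects the override described above: it compares the --keyfile argument passed via /etc/default/kresd with the path given to trust_anchors.config() in kresd.conf and reports when the command-line key silently wins. The file contents in ta_demo are constructed samples, not copies of the reporter's files.

```shell
#!/bin/sh
# kresd_ta_check DEFAULTS_FILE KRESD_CONF
# Prints "conflict" when /etc/default/kresd passes --keyfile=... and
# kresd.conf configures a different anchor file via trust_anchors.config()
# (the command-line key wins, so the config anchor is ignored);
# "ok" when they agree or no --keyfile is passed; "no-anchor-config"
# when kresd.conf does not call trust_anchors.config() at all.
kresd_ta_check() {
    defaults="$1"
    conf="$2"
    # first --keyfile=... found in KRESD_ARGS/DAEMON_ARGS
    keyfile=$(sed -n 's/.*--keyfile=\([^" ]*\).*/\1/p' "$defaults" | head -n 1)
    # path inside trust_anchors.config('...') in the Lua config
    tafile=$(sed -n "s/.*trust_anchors\.config('\([^']*\)').*/\1/p" "$conf" | head -n 1)

    if [ -z "$tafile" ]; then
        echo "no-anchor-config"
    elif [ -n "$keyfile" ] && [ "$keyfile" != "$tafile" ]; then
        echo "conflict"
    else
        echo "ok"
    fi
}

# Demo on constructed inputs: the stock defaults file still passing the
# IANA key, and a kresd.conf pointing at an alternative root key.
ta_demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/default-kresd" <<'EOF'
KRESD_ARGS="--config=/etc/knot-resolver/kresd.conf --keyfile=/usr/share/dns/root.key --forks=1 /run/knot-resolver/cache"
DAEMON_ARGS="--addr=127.0.0.1#53 --addr=::1#53 $KRESD_ARGS"
EOF
    cat > "$tmp/kresd.conf" <<'EOF'
modules = { 'hints' }
trust_anchors.config('/etc/knot-resolver/yeti-root.key')
EOF
    kresd_ta_check "$tmp/default-kresd" "$tmp/kresd.conf"
    rm -rf "$tmp"
}

ta_demo
```

Run it against the real /etc/default/kresd and /etc/knot-resolver/kresd.conf to see whether the deployed resolver is validating with the anchor the sysadmin intended.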
