[Pkg-dns-devel] Bug#857578: knot-resolver: The package should not override blindly the config of trust anchors
Stephane Bortzmeyer
stephane at bortzmeyer.org
Sun Mar 12 20:45:40 UTC 2017
Package: knot-resolver
Version: 1.2.4-1
Severity: normal
Dear Maintainer,
I tried an alternative root and therefore set up trust_anchors.config
to use the key of this alternative root.
But, by default, the daemon is launched with
--keyfile=/usr/share/dns/root.key and therefore uses the IANA key ->
SERVFAIL
I edited /etc/default/kresd, and fixed the problem, but I do not see
why there are two configuration files, /etc/knot-resolver/kresd.conf
and /etc/default/kresd. IMHO, the choices made by the sysadmin in
/etc/knot-resolver/kresd.conf should be respected.
-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.8.3-x86_64-linode76 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages knot-resolver depends on:
ii adduser 3.115
ii dns-root-data 2015052300+h+1
ii libc6 2.24-9
ii libdnssec2 2.4.0-3
ii libgnutls30 3.5.8-3
ii libhiredis0.13 0.13.3-2
ii libknot5 2.4.0-3
ii liblmdb0 0.9.18-5
ii libluajit-5.1-2 2.0.4+dfsg-1+b1
ii libmemcached11 1.0.18-4.1
ii libmemcachedutil2 1.0.18-4.1
ii libnettle6 3.3-1+b1
ii libsystemd0 232-18
ii libuv1 1.9.1-3
ii libzscanner1 2.4.0-3
ii lua-sec 0.6-3
ii lua-socket 3.0~rc1+git+ac3201d-3
Versions of packages knot-resolver recommends:
ii knot-resolver-module-http 1.2.0-1
knot-resolver suggests no packages.
-- Configuration Files:
/etc/default/kresd changed:
KRESD_ARGS="--config=/etc/knot-resolver/kresd.conf --verbose --forks=1 /run/knot-resolver/cache"
DAEMON_ARGS="--addr=127.0.0.1#53 --addr=::1#53 $KRESD_ARGS"
/etc/knot-resolver/kresd.conf changed:
-- -*- mode: lua -*-
modules = {
    'hints' -- Add other modules, if necessary
}
net = { '127.0.0.1' }
-- Knot uses a specific format for the hints so we cannot use the official Yeti hints file.
hints.root({
    ['bii.dns-lab.net.'] = '240c:f:1:22::6',
    ['yeti-ns.tisf.net.'] = '2001:559:8000::6',
    ['yeti-ns.wide.ad.jp.'] = '2001:200:1d9::35',
    ['yeti-ns.as59715.net.'] = '2a02:cdc5:9715:0:185:5:203:53',
    ['dahu1.yeti.eu.org.'] = '2001:4b98:dc2:45:216:3eff:fe4b:8c5b',
    ['ns-yeti.bondis.org.'] = '2a02:2810:0:405::250',
    ['yeti-ns.ix.ru.'] = '2001:6d0:6d06::53',
    ['yeti.bofh.priv.at.'] = '2a01:4f8:161:6106:1::10',
    ['yeti.ipv6.ernet.in.'] = '2001:e30:1c1e:1::333',
    ['yeti-dns01.dnsworkshop.org.'] = '2001:1608:10:167:32e::53',
    ['yeti-ns.conit.co.'] = '2607:ff28:2:10::47:a010',
    ['yeti.aquaray.com.'] = '2a02:ec0:200::1',
    ['dahu2.yeti.eu.org.'] = '2001:67c:217c:6::2',
    ['yeti-ns.switch.ch.'] = '2001:620:0:ff::29'
})
trust_anchors.config('/etc/knot-resolver/yeti-root.key')
-- no debconf information
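
A check for the conflict reported above, added here as an example and not part of the original report or of the Debian package: it compares the `--keyfile` passed through `/etc/default/kresd` with the file named by `trust_anchors.config()` in `kresd.conf`. The function names and the sample defaults (the reporter's lines with the `--keyfile` option put back) are constructed for illustration.

```python
import re
import shlex

ASSIGN = re.compile(r'^\s*(\w+)=(.*)$')
ANCHOR = re.compile(r'''trust_anchors\.config\(\s*(['"])(.+?)\1''')

# Constructed sample: the /etc/default/kresd lines from the report with the
# --keyfile option it describes put back (the packaged file is not on the page).
PACKAGED_DEFAULTS = '''\
KRESD_ARGS="--keyfile=/usr/share/dns/root.key --config=/etc/knot-resolver/kresd.conf --verbose --forks=1 /run/knot-resolver/cache"
DAEMON_ARGS="--addr=127.0.0.1#53 --addr=::1#53 $KRESD_ARGS"
'''
# Abridged copy of the reporter's kresd.conf.
KRESD_CONF = '''\
-- -*- mode: lua -*-
modules = { 'hints' }
trust_anchors.config('/etc/knot-resolver/yeti-root.key')
'''

def cli_keyfile(defaults_text):
    """Path given with --keyfile in any variable of /etc/default/kresd, or None."""
    env = {}
    for line in defaults_text.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue  # comments and blank lines
        value = ' '.join(shlex.split(m.group(2)))  # strip the shell quoting
        # Expand $VAR / ${VAR} from earlier assignments (quoting rules simplified).
        env[m.group(1)] = re.sub(r'\$\{?(\w+)\}?', lambda v: env.get(v.group(1), ''), value)
    for value in env.values():
        args = shlex.split(value)
        for i, arg in enumerate(args):
            if arg.startswith('--keyfile='):
                return arg.split('=', 1)[1]
            if arg == '--keyfile' and i + 1 < len(args):
                return args[i + 1]
    return None

def config_anchor(conf_text):
    """Path passed to trust_anchors.config() in kresd.conf, or None."""
    for line in conf_text.splitlines():
        m = ANCHOR.search(line.split('--', 1)[0])  # ignore Lua line comments
        if m:
            return m.group(2)
    return None

def find_conflict(defaults_text, conf_text):
    """(cli_path, conf_path) when both are set and differ, else None."""
    cli, conf = cli_keyfile(defaults_text), config_anchor(conf_text)
    return (cli, conf) if cli and conf and cli != conf else None

if __name__ == '__main__':
    print(find_conflict(PACKAGED_DEFAULTS, KRESD_CONF))
```

On a live system, pass the contents of `/etc/default/kresd` and `/etc/knot-resolver/kresd.conf` to `find_conflict()`; a result other than `None` means the command line names a different trust anchor file than the configuration does.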