Thanks, Petr!
I’ll get it installed and report back to you.
Cheers,
Harry
On Fri, Jan 4, 2019 at 8:02 AM Petr Špaček <petr.spacek(a)nic.cz> wrote:
 Hi Harry,
 we have found the incompatibility with GnuTLS 3.3 and prepared a fix which
 will be part of the upcoming 3.2.1 release.
 Test packages with this fix are temporarily available from
 https://build.opensuse.org/package/show/home:CZ-NIC:knot-resolver-testing/k…
 Please let us know if it works on your system.
 Thank you for your time!
 Petr Špaček  @  CZ.NIC
 On 03. 01. 19 12:29, Petr Špaček wrote:
 Hi Harry,
 thank you for the bug report, we are able to reproduce the problem on CentOS
 7. For an unknown reason it does not manifest on Fedora or Debian systems,
 we will have a look.
 You can track the status of this issue in
 https://gitlab.labs.nic.cz/knot/knot-resolver/issues/438
 Thank you once again for your time!
 Petr Špaček  @  CZ.NIC
 On 03. 01. 19 3:22, Harry Hoffman wrote:
> Hi Petr,
>
> Apologies, I’d only seen the CentOS CZ.NIC repo after I’d sent the
> email. I've removed the old version of knot-resolver and deleted the
> directories then installed the one from the CZ.NIC repo:
>
> [root@usher ~]# rpm -qi knot-resolver
>
> Name        : knot-resolver
>
> Version     : 3.2.0
>
> Release     : 1.1
>
> Architecture: x86_64
>
> Install Date: Sun 30 Dec 2018 10:32:50 PM EST
>
> Group       : Unspecified
>
> Size        : 808110
>
> License     : GPLv3
>
> Signature   : RSA/SHA256, Mon 17 Dec 2018 08:35:45 AM EST, Key ID
> 74062db36a1f4009
>
> Source RPM  : knot-resolver-3.2.0-1.1.src.rpm
>
> Build Date  : Mon 17 Dec 2018 08:35:41 AM EST
>
> Build Host  : lamb21
>
> Relocations : (not relocatable)
>
> Vendor      : obs://build.opensuse.org/home:CZ-NIC
>
>
> Even after upgrading it's still aborting (with the same message). Below
> are both my config and the messages from kresd:
>
> -------- Begin kresd.conf
>
> -- vim:syntax=lua:
> -- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration
>
> -- Load useful modules
> modules = {
>         'hints > iterate',  -- Load /etc/hosts and allow custom root hints
>         'stats',            -- Track internal statistics
>         'predict',          -- Prefetch expiring/frequent records
> }
> -- See kresd.systemd(7) about configuring network interfaces when using systemd
> -- Listen on localhost (default)
> -- net = { '127.0.0.1', '::1' }
> -- Enable DNSSEC validation
> trust_anchors.file = 'root.keys'
> -- Cache size
> cache.size = 100 * MB
> --
> --tls_bundle='/usr/local/etc/openssl/cert.pem'
> policy.add(policy.all(policy.TLS_FORWARD({
>   {'9.9.9.9', hostname='dns.quad9.net'},
>   {'1.1.1.1', hostname='cloudflare-dns.com'},
>   {'149.112.112.112', hostname='dns.quad9.net'},
>   {'1.0.0.1', hostname='cloudflare-dns.com'},
> })))
>
> -------- End kresd.conf
>
>
> [root@usher knot-resolver]# kresd -c /etc/knot-resolver/kresd.conf -v
>
> [ ta ] new state of trust anchors for a domain: .
> 3600DS19036 8 2
> 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
>
>
> [ ta ] new state of trust anchors for a domain: .
> 3600DS19036 8 2
> 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
>
> .                   3600DS20326 8 2
> E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
>
>
> [gnutls] (2) Initializing PKCS #11 modules
>
> [gnutls] (2) p11: Initializing module: p11-kit-trust
>
> [gnutls] (3) ASSERT: pkcs11.c:665
>
> [gnutls] (2) p11: No login requested.
>
> [gnutls] (2) p11: No login requested.
>
> [gnutls] (3) ASSERT: pkcs11.c:2664
>
> [gnutls] (3) ASSERT: pkcs11.c:2993
>
> [tls_client] imported 151 certs from system store
>
> [gnutls] (2) p11: No login requested.
>
> [gnutls] (2) p11: No login requested.
>
> [gnutls] (3) ASSERT: pkcs11.c:2664
>
> [gnutls] (3) ASSERT: pkcs11.c:2993
>
> [tls_client] imported 151 certs from system store
>
> [gnutls] (2) p11: No login requested.
>
> [gnutls] (2) p11: No login requested.
>
> [gnutls] (3) ASSERT: pkcs11.c:2664
>
> [gnutls] (3) ASSERT: pkcs11.c:2993
>
> [tls_client] imported 151 certs from system store
>
> [gnutls] (2) p11: No login requested.
>
> [gnutls] (2) p11: No login requested.
>
> [gnutls] (3) ASSERT: pkcs11.c:2664
>
> [gnutls] (3) ASSERT: pkcs11.c:2993
>
> [tls_client] imported 151 certs from system store
>
> [system] interactive mode
>
>> [00000.00][plan] plan '.' type 'NS' uid [65536.00]
>
> [65536.00][iter]   '.' type 'NS' new uid was assigned .01, parent uid .00
>
> [65536.01][cach]   => skipping exact RR: rank 020 (min. 030), new TTL 512841
>
> [65536.01][cach]   => no NSEC* cached for zone: .
>
> [65536.01][cach]   => skipping zone: ., NSEC, hash 0;new TTL -123456789,
> ret -2
>
> [65536.01][cach]   => skipping zone: ., NSEC, hash 0;new TTL -123456789,
> ret -2
>
> [65536.01][plan]   plan '.' type 'DNSKEY' uid [65536.02]
>
> [65536.02][iter]     '.' type 'DNSKEY' new uid was assigned .03, parent uid .01
>
> [65536.03][cach]     => no NSEC* cached for zone: .
>
> [65536.03][cach]     => skipping zone: ., NSEC, hash 0;new TTL
> -123456789, ret -2
>
> [65536.03][cach]     => skipping zone: ., NSEC, hash 0;new TTL
> -123456789, ret -2
>
> [     ][nsre] score 21 for 9.9.9.9#00853;cached RTT: -1
>
> [     ][nsre] score 21 for 1.1.1.1#00853;cached RTT: -1
>
> [     ][nsre] score 21 for 149.112.112.112#00853;cached RTT: -1
>
> [     ][nsre] score 21 for 1.0.0.1#00853;cached RTT: -1
>
> [65536.03][resl]     => id: '55621' querying: '9.9.9.9#00853' score: 21 zone cut: '.' qname: '.' qtype: 'DNSKEY' proto: 'tcp'
>
> [gnutls] (5) REC[0x55bac6605e30]: Allocating epoch #0
>
> [65536.03][wrkr]     => connecting to: '9.9.9.9#00853'
>
> [00000.00][plan] plan '.' type 'NS' uid [65537.00]
>
> [65537.00][iter]   '.' type 'NS' new uid was assigned .01, parent uid .00
>
> [65537.01][cach]   => satisfied by exact RRset: rank 020, new TTL 512841
>
> [65537.01][iter]   <= rcode: NOERROR
>
> [65537.01][resl]   AD: request NOT classified as SECURE
>
> [65537.01][resl]   finished: 0, queries: 1, mempool: 81952 B
>
> [detect_time_skew] No RRSIGs received! You really should configure
> DNSSEC trust anchor for the root.
>
> [wrkr]=> connected to '9.9.9.9#00853'
>
> [gnutls] (3) ASSERT: gnutls_constate.c:586
>
> [gnutls] (5) REC[0x55bac6605e30]: Allocating epoch #1
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> RSA_AES_128_GCM_SHA256 (00.9C)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> RSA_AES_256_GCM_SHA384 (00.9D)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> RSA_CAMELLIA_128_GCM_SHA256 (C0.7A)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> RSA_CAMELLIA_256_GCM_SHA384 (C0.7B)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> RSA_AES_128_CBC_SHA1 (00.2F)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> RSA_AES_128_CBC_SHA256 (00.3C)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> RSA_AES_256_CBC_SHA1 (00.35)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> RSA_AES_256_CBC_SHA256 (00.3D)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> RSA_CAMELLIA_128_CBC_SHA1 (00.41)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> RSA_CAMELLIA_128_CBC_SHA256 (00.BA)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> RSA_CAMELLIA_256_CBC_SHA1 (00.84)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> RSA_CAMELLIA_256_CBC_SHA256 (00.C0)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> RSA_3DES_EDE_CBC_SHA1 (00.0A)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> DHE_RSA_AES_128_GCM_SHA256 (00.9E)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> DHE_RSA_AES_256_GCM_SHA384 (00.9F)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> DHE_RSA_AES_128_CBC_SHA1 (00.33)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> DHE_RSA_AES_128_CBC_SHA256 (00.67)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> DHE_RSA_AES_256_CBC_SHA1 (00.39)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> DHE_RSA_AES_256_CBC_SHA256 (00.6B)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> DHE_RSA_3DES_EDE_CBC_SHA1 (00.16)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> DHE_DSS_AES_128_GCM_SHA256 (00.A2)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> DHE_DSS_AES_256_GCM_SHA384 (00.A3)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> DHE_DSS_CAMELLIA_128_GCM_SHA256 (C0.80)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> DHE_DSS_CAMELLIA_256_GCM_SHA384 (C0.81)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> DHE_DSS_AES_128_CBC_SHA1 (00.32)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> DHE_DSS_AES_128_CBC_SHA256 (00.40)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> DHE_DSS_AES_256_CBC_SHA1 (00.38)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> DHE_DSS_AES_256_CBC_SHA256 (00.6A)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> DHE_DSS_CAMELLIA_128_CBC_SHA1 (00.44)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> DHE_DSS_CAMELLIA_128_CBC_SHA256 (00.BD)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> DHE_DSS_CAMELLIA_256_CBC_SHA1 (00.87)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> DHE_DSS_CAMELLIA_256_CBC_SHA256 (00.C3)
>
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite:
> DHE_DSS_3DES_EDE_CBC_SHA1 (00.13)
>
> [gnutls] (4) EXT[0x55bac6605e30]: Sending extension STATUS REQUEST (5 bytes)
>
> [gnutls] (4) EXT[0x55bac6605e30]: Sending extension SAFE RENEGOTIATION
> (1 bytes)
>
> [gnutls] (4) EXT[0x55bac6605e30]: Sending extension SESSION TICKET (0 bytes)
>
> [gnutls] (4) EXT[0x55bac6605e30]: Sending extension SUPPORTED ECC (8 bytes)
>
> [gnutls] (4) EXT[0x55bac6605e30]: Sending extension SUPPORTED ECC POINT
> FORMATS (2 bytes)
>
> [gnutls] (4) EXT[0x55bac6605e30]: sent signature algo (4.1) RSA-SHA256
>
> [gnutls] (4) EXT[0x55bac6605e30]: sent signature algo (4.2)
> DSA-SHA256[00000.00][plan] plan '.' type 'DNSKEY' uid [65538.00]
>
> [65538.00][iter]   '.' type 'DNSKEY' new uid was assigned .01, parent
> uid .00
>
> [     ][nsre] score 21 for 9.9.9.9#00853;cached RTT: -1
>
> [     ][nsre] score 21 for 1.1.1.1#00853;cached RTT: -1
>
> [     ][nsre] score 21 for 149.112.112.112#00853;cached RTT: -1
>
> [     ][nsre] score 21 for 1.0.0.1#00853;cached RTT: -1
>
> [65538.01][resl]   => id: '44507' querying: '9.9.9.9#00853' score: 21 zone cut: '.' qname: '.' qtype: 'DNSKEY' proto: 'tcp'
>
> kresd: daemon/worker.c:1179: tcp_task_waiting_connection: Assertion
> `session_flags(session)->outgoing' failed.
>
> Aborted
>
>
>
> Thanks for any help!
>
> Cheers,
> Harry
>
>
>
> On Wed, Jan 2, 2019 at 3:27 AM Petr Špaček <petr.spacek(a)nic.cz> wrote:
>
>     Hi Harry,
>
>     version 2.4.1 is ancient with known problems. Please upgrade to 3.2.0
>     from our upstream repo:
>
>     https://software.opensuse.org//download.html?project=home%3ACZ-NIC%3Aknot-r…
>
>     Upgrade should be fine if you do not use your own modules. Please let us
>     know if upgrade to 3.2.0 from upstream repo works for you and we will
>     consider bumping package version in EPEL as well.
>
>     Petr Špaček  @  CZ.NIC
 --
 
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-resolver-users