Re: [knot-resolver-users] knot-resolver 2.4.1 centos 7 aborts

Hi Petr, Apologies, I’d only seen the CentOS CZ.NIC repo after I’d sent the email. I've removed the old version of knot-resolver and deleted the directories then installed the one from the CZ.NIC repo: [root@usher ~]# rpm -qi knot-resolver Name        : knot-resolver Version     : 3.2.0 Release     : 1.1 Architecture: x86_64 Install Date: Sun 30 Dec 2018 10:32:50 PM EST Group       : Unspecified Size        : 808110 License     : GPLv3 Signature   : RSA/SHA256, Mon 17 Dec 2018 08:35:45 AM EST, Key ID 74062db36a1f4009 Source RPM  : knot-resolver-3.2.0-1.1.src.rpm Build Date  : Mon 17 Dec 2018 08:35:41 AM EST Build Host  : lamb21 Relocations : (not relocatable) Vendor      : obs://build.opensuse.org/home:CZ-NIC <http://build.opensuse.org/home:CZ-NIC> Even after upgrading it's still aborting (with the same message). Below are both my config and the messages from kresd: -------- Begin kresd.conf -- vim:syntax=lua: -- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration -- Load useful modules modules = {         'hints > iterate',  -- Load /etc/hosts and allow custom root hints         'stats',            -- Track internal statistics         'predict',          -- Prefetch expiring/frequent records } -- See kresd.systemd(7) about configuring network interfaces when using systemd -- Listen on localhost (default) -- net = { '127.0.0.1', '::1' } -- Enable DNSSEC validation trust_anchors.file = 'root.keys' -- Cache size cache.size = 100 * MB -- --tls_bundle='/usr/local/etc/openssl/cert.pem' policy.add(policy.all(policy.TLS_FORWARD({   {'9.9.9.9', hostname='dns.quad9.net <http://dns.quad9.net>'},   {'1.1.1.1', hostname='cloudflare-dns.com <http://cloudflare-dns.com>'},   {'149.112.112.112', hostname='dns.quad9.net <http://dns.quad9.net>'},   {'1.0.0.1', hostname='cloudflare-dns.com <http://cloudflare-dns.com>'}, }))) -------- End kresd.conf [root@usher knot-resolver]# kresd -c /etc/knot-resolver/kresd.conf -v  [ ta ] new state of trust anchors for a domain: .                   3600DS19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 [ ta ] new state of trust anchors for a domain: .                   3600DS19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 .                   3600DS20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D [gnutls] (2) Initializing PKCS #11 modules [gnutls] (2) p11: Initializing module: p11-kit-trust [gnutls] (3) ASSERT: pkcs11.c:665 [gnutls] (2) p11: No login requested. [gnutls] (2) p11: No login requested. [gnutls] (3) ASSERT: pkcs11.c:2664 [gnutls] (3) ASSERT: pkcs11.c:2993 [tls_client] imported 151 certs from system store [gnutls] (2) p11: No login requested. [gnutls] (2) p11: No login requested. [gnutls] (3) ASSERT: pkcs11.c:2664 [gnutls] (3) ASSERT: pkcs11.c:2993 [tls_client] imported 151 certs from system store [gnutls] (2) p11: No login requested. [gnutls] (2) p11: No login requested. [gnutls] (3) ASSERT: pkcs11.c:2664 [gnutls] (3) ASSERT: pkcs11.c:2993 [tls_client] imported 151 certs from system store [gnutls] (2) p11: No login requested. [gnutls] (2) p11: No login requested. [gnutls] (3) ASSERT: pkcs11.c:2664 [gnutls] (3) ASSERT: pkcs11.c:2993 [tls_client] imported 151 certs from system store [system] interactive mode [65536.00][iter]   '.' type 'NS' new uid was assigned .01, parent uid .00 [65536.01][cach]   => skipping exact RR: rank 020 (min. 030), new TTL 512841 [65536.01][cach]   => no NSEC* cached for zone: . [65536.01][cach]   => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2 [65536.01][cach]   => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2 [65536.01][plan]   plan '.' type 'DNSKEY' uid [65536.02] [65536.02][iter]     '.' type 'DNSKEY' new uid was assigned .03, parent uid .01 [65536.03][cach]     => no NSEC* cached for zone: . [65536.03][cach]     => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2 [65536.03][cach]     => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2 [     ][nsre] score 21 for 9.9.9.9#00853;cached RTT: -1 [     ][nsre] score 21 for 1.1.1.1#00853;cached RTT: -1 [     ][nsre] score 21 for 149.112.112.112#00853;cached RTT: -1 [     ][nsre] score 21 for 1.0.0.1#00853;cached RTT: -1 [65536.03][resl]     => id: '55621' querying: '9.9.9.9#00853' score: 21 zone cut: '.' qname: '.' qtype: 'DNSKEY' proto: 'tcp' [gnutls] (5) REC[0x55bac6605e30]: Allocating epoch #0 [65536.03][wrkr]     => connecting to: '9.9.9.9#00853' [00000.00][plan] plan '.' type 'NS' uid [65537.00] [65537.00][iter]   '.' type 'NS' new uid was assigned .01, parent uid .00 [65537.01][cach]   => satisfied by exact RRset: rank 020, new TTL 512841 [65537.01][iter]   <= rcode: NOERROR [65537.01][resl]   AD: request NOT classified as SECURE [65537.01][resl]   finished: 0, queries: 1, mempool: 81952 B [detect_time_skew] No RRSIGs received! You really should configure DNSSEC trust anchor for the root. [wrkr]=> connected to '9.9.9.9#00853' [gnutls] (3) ASSERT: gnutls_constate.c:586 [gnutls] (5) REC[0x55bac6605e30]: Allocating epoch #1 [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_AES_256_GCM_SHA384 (C0.30) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA1 (C0.13) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA256 (C0.27) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_AES_256_CBC_SHA1 (C0.14) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_AES_128_GCM_SHA256 (00.9C) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_AES_256_GCM_SHA384 (00.9D) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_CAMELLIA_128_GCM_SHA256 (C0.7A) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_CAMELLIA_256_GCM_SHA384 (C0.7B) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1 (00.2F) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256 (00.3C) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1 (00.35) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256 (00.3D) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1 (00.41) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA256 (00.BA <http://00.BA>) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1 (00.84) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA256 (00.C0) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1 (00.0A) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_AES_128_GCM_SHA256 (00.9E) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_AES_256_GCM_SHA384 (00.9F) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1 (00.33) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256 (00.67) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1 (00.39) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256 (00.6B) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE <http://00.BE>) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 (00.16) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_AES_128_GCM_SHA256 (00.A2) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_AES_256_GCM_SHA384 (00.A3) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_GCM_SHA256 (C0.80) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_GCM_SHA384 (C0.81) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1 (00.32) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256 (00.40) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1 (00.38) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256 (00.6A) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1 (00.44) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA256 (00.BD <http://00.BD>) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1 (00.87) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA256 (00.C3) [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1 (00.13) [gnutls] (4) EXT[0x55bac6605e30]: Sending extension STATUS REQUEST (5 bytes) [gnutls] (4) EXT[0x55bac6605e30]: Sending extension SAFE RENEGOTIATION (1 bytes) [gnutls] (4) EXT[0x55bac6605e30]: Sending extension SESSION TICKET (0 bytes) [gnutls] (4) EXT[0x55bac6605e30]: Sending extension SUPPORTED ECC (8 bytes) [gnutls] (4) EXT[0x55bac6605e30]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes) [gnutls] (4) EXT[0x55bac6605e30]: sent signature algo (4.1) RSA-SHA256 [gnutls] (4) EXT[0x55bac6605e30]: sent signature algo (4.2) DSA-SHA256[00000.00][plan] plan '.' type 'DNSKEY' uid [65538.00] [65538.00][iter]   '.' type 'DNSKEY' new uid was assigned .01, parent uid .00 [     ][nsre] score 21 for 9.9.9.9#00853;cached RTT: -1 [     ][nsre] score 21 for 1.1.1.1#00853;cached RTT: -1 [     ][nsre] score 21 for 149.112.112.112#00853;cached RTT: -1 [     ][nsre] score 21 for 1.0.0.1#00853;cached RTT: -1 [65538.01][resl]   => id: '44507' querying: '9.9.9.9#00853' score: 21 zone cut: '.' qname: '.' qtype: 'DNSKEY' proto: 'tcp' kresd: daemon/worker.c:1179: tcp_task_waiting_connection: Assertion `session_flags(session)->outgoing' failed. Aborted Thanks for any help! Cheers, Harry On Wed, Jan 2, 2019 at 3:27 AM Petr Špaček &lt;petr.spacek(a)nic.cz <mailto:petr.spacek@nic.cz>> wrote: Hi Herry, version 2.4.1 is ancient with known problems. Please upgrade to 3.2.0 from out upstream repo: https://software.opensuse.org//download.html?project=home%3ACZ-NIC%3Aknot-r… Upgrade should be fine if you do not use your own modules. Please let us know if upgrade to 3.2.0 from upstream repo works for you and we will consider bumping package version in EPEL as well. Petr Špaček  @  CZ.NIC