Hi Harry,
we have found the incompatibility with GnuTLS 3.3 and prepared a fix which
will be part of the upcoming 3.2.1 release.
Test packages with this fix are temporarily available from
Please let us know if it works on your system.
Thank you for your time!
Petr Špaček @ CZ.NIC
On 03. 01. 19 12:29, Petr Špaček wrote:
Hi Harry,
thank you for the bug report, we are able to reproduce the problem on CentOS
7. For an unknown reason it does not manifest on Fedora or Debian systems;
we will have a look.
You can track the status of this issue in
https://gitlab.labs.nic.cz/knot/knot-resolver/issues/438
Thank you once again for your time!
Petr Špaček @ CZ.NIC
On 03. 01. 19 3:22, Harry Hoffman wrote:
> Hi Petr,
>
> Apologies, I’d only seen the CentOS CZ.NIC repo after I’d sent the
> email. I've removed the old version of knot-resolver and deleted the
> directories then installed the one from the CZ.NIC repo:
>
> [root@usher ~]# rpm -qi knot-resolver
> Name : knot-resolver
> Version : 3.2.0
> Release : 1.1
> Architecture: x86_64
> Install Date: Sun 30 Dec 2018 10:32:50 PM EST
> Group : Unspecified
> Size : 808110
> License : GPLv3
> Signature : RSA/SHA256, Mon 17 Dec 2018 08:35:45 AM EST, Key ID 74062db36a1f4009
> Source RPM : knot-resolver-3.2.0-1.1.src.rpm
> Build Date : Mon 17 Dec 2018 08:35:41 AM EST
> Build Host : lamb21
> Relocations : (not relocatable)
> Vendor : obs://build.opensuse.org/home:CZ-NIC
>
> Even after upgrading it's still aborting (with the same message). Below
> are both my config and the messages from kresd:
>
> -------- Begin kresd.conf
> -- vim:syntax=lua:
> -- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration
>
> -- Load useful modules
> modules = {
>         'hints > iterate', -- Load /etc/hosts and allow custom root hints
>         'stats',           -- Track internal statistics
>         'predict',         -- Prefetch expiring/frequent records
> }
>
> -- See kresd.systemd(7) about configuring network interfaces when using systemd
> -- Listen on localhost (default)
> -- net = { '127.0.0.1', '::1' }
>
> -- Enable DNSSEC validation
> trust_anchors.file = 'root.keys'
>
> -- Cache size
> cache.size = 100 * MB
>
> --
> --tls_bundle='/usr/local/etc/openssl/cert.pem'
>
> policy.add(policy.all(policy.TLS_FORWARD({
>         {'9.9.9.9', hostname='dns.quad9.net'},
>         {'1.1.1.1', hostname='cloudflare-dns.com'},
>         {'149.112.112.112', hostname='dns.quad9.net'},
>         {'1.0.0.1', hostname='cloudflare-dns.com'},
> })))
> -------- End kresd.conf
>
> [root@usher knot-resolver]# kresd -c /etc/knot-resolver/kresd.conf -v
> [ ta ] new state of trust anchors for a domain: .
> 3600DS19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
>
> [ ta ] new state of trust anchors for a domain: .
> 3600DS19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
> . 3600DS20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
>
> [gnutls] (2) Initializing PKCS #11 modules
> [gnutls] (2) p11: Initializing module: p11-kit-trust
> [gnutls] (3) ASSERT: pkcs11.c:665
> [gnutls] (2) p11: No login requested.
> [gnutls] (2) p11: No login requested.
> [gnutls] (3) ASSERT: pkcs11.c:2664
> [gnutls] (3) ASSERT: pkcs11.c:2993
> [tls_client] imported 151 certs from system store
> [gnutls] (2) p11: No login requested.
> [gnutls] (2) p11: No login requested.
> [gnutls] (3) ASSERT: pkcs11.c:2664
> [gnutls] (3) ASSERT: pkcs11.c:2993
> [tls_client] imported 151 certs from system store
> [gnutls] (2) p11: No login requested.
> [gnutls] (2) p11: No login requested.
> [gnutls] (3) ASSERT: pkcs11.c:2664
> [gnutls] (3) ASSERT: pkcs11.c:2993
> [tls_client] imported 151 certs from system store
> [gnutls] (2) p11: No login requested.
> [gnutls] (2) p11: No login requested.
> [gnutls] (3) ASSERT: pkcs11.c:2664
> [gnutls] (3) ASSERT: pkcs11.c:2993
> [tls_client] imported 151 certs from system store
> [system] interactive mode
>
>> [00000.00][plan] plan '.' type 'NS' uid [65536.00]
> [65536.00][iter] '.' type 'NS' new uid was assigned .01, parent uid .00
> [65536.01][cach] => skipping exact RR: rank 020 (min. 030), new TTL 512841
> [65536.01][cach] => no NSEC* cached for zone: .
> [65536.01][cach] => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
> [65536.01][cach] => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
> [65536.01][plan] plan '.' type 'DNSKEY' uid [65536.02]
> [65536.02][iter] '.' type 'DNSKEY' new uid was assigned .03, parent uid .01
> [65536.03][cach] => no NSEC* cached for zone: .
> [65536.03][cach] => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
> [65536.03][cach] => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
> [ ][nsre] score 21 for 9.9.9.9#00853;cached RTT: -1
> [ ][nsre] score 21 for 1.1.1.1#00853;cached RTT: -1
> [ ][nsre] score 21 for 149.112.112.112#00853;cached RTT: -1
> [ ][nsre] score 21 for 1.0.0.1#00853;cached RTT: -1
> [65536.03][resl] => id: '55621' querying: '9.9.9.9#00853' score: 21 zone cut: '.' qname: '.' qtype: 'DNSKEY' proto: 'tcp'
> [gnutls] (5) REC[0x55bac6605e30]: Allocating epoch #0
> [65536.03][wrkr] => connecting to: '9.9.9.9#00853'
> [00000.00][plan] plan '.' type 'NS' uid [65537.00]
> [65537.00][iter] '.' type 'NS' new uid was assigned .01, parent uid .00
> [65537.01][cach] => satisfied by exact RRset: rank 020, new TTL 512841
> [65537.01][iter] <= rcode: NOERROR
> [65537.01][resl] AD: request NOT classified as SECURE
> [65537.01][resl] finished: 0, queries: 1, mempool: 81952 B
> [detect_time_skew] No RRSIGs received! You really should configure DNSSEC trust anchor for the root.
> [wrkr]=> connected to '9.9.9.9#00853'
> [gnutls] (3) ASSERT: gnutls_constate.c:586
> [gnutls] (5) REC[0x55bac6605e30]: Allocating epoch #1
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_AES_128_GCM_SHA256 (00.9C)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_AES_256_GCM_SHA384 (00.9D)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_CAMELLIA_128_GCM_SHA256 (C0.7A)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_CAMELLIA_256_GCM_SHA384 (C0.7B)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1 (00.2F)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256 (00.3C)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1 (00.35)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256 (00.3D)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1 (00.41)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA256 (00.BA)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1 (00.84)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA256 (00.C0)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1 (00.0A)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_AES_128_GCM_SHA256 (00.9E)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_AES_256_GCM_SHA384 (00.9F)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1 (00.33)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256 (00.67)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1 (00.39)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256 (00.6B)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 (00.16)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_AES_128_GCM_SHA256 (00.A2)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_AES_256_GCM_SHA384 (00.A3)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_GCM_SHA256 (C0.80)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_GCM_SHA384 (C0.81)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1 (00.32)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256 (00.40)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1 (00.38)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256 (00.6A)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1 (00.44)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA256 (00.BD)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1 (00.87)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA256 (00.C3)
> [gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1 (00.13)
> [gnutls] (4) EXT[0x55bac6605e30]: Sending extension STATUS REQUEST (5 bytes)
> [gnutls] (4) EXT[0x55bac6605e30]: Sending extension SAFE RENEGOTIATION (1 bytes)
> [gnutls] (4) EXT[0x55bac6605e30]: Sending extension SESSION TICKET (0 bytes)
> [gnutls] (4) EXT[0x55bac6605e30]: Sending extension SUPPORTED ECC (8 bytes)
> [gnutls] (4) EXT[0x55bac6605e30]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes)
> [gnutls] (4) EXT[0x55bac6605e30]: sent signature algo (4.1) RSA-SHA256
> [gnutls] (4) EXT[0x55bac6605e30]: sent signature algo (4.2) DSA-SHA256
> [00000.00][plan] plan '.' type 'DNSKEY' uid [65538.00]
> [65538.00][iter] '.' type 'DNSKEY' new uid was assigned .01, parent uid .00
> [ ][nsre] score 21 for 9.9.9.9#00853;cached RTT: -1
> [ ][nsre] score 21 for 1.1.1.1#00853;cached RTT: -1
> [ ][nsre] score 21 for 149.112.112.112#00853;cached RTT: -1
> [ ][nsre] score 21 for 1.0.0.1#00853;cached RTT: -1
> [65538.01][resl] => id: '44507' querying: '9.9.9.9#00853' score: 21 zone cut: '.' qname: '.' qtype: 'DNSKEY' proto: 'tcp'
>
> kresd: daemon/worker.c:1179: tcp_task_waiting_connection: Assertion `session_flags(session)->outgoing' failed.
>
> Aborted
>
> Thanks for any help!
>
> Cheers,
> Harry
>
> On Wed, Jan 2, 2019 at 3:27 AM Petr Špaček <petr.spacek(a)nic.cz> wrote:
>
> Hi Harry,
>
> version 2.4.1 is ancient with known problems. Please upgrade to 3.2.0
> from our upstream repo:
>
> https://software.opensuse.org//download.html?project=home%3ACZ-NIC%3Aknot-r…
>
> The upgrade should be fine if you do not use your own modules. Please let us
> know if the upgrade to 3.2.0 from the upstream repo works for you, and we will
> consider bumping the package version in EPEL as well.
>
> Petr Špaček @ CZ.NIC
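A crash report like Harry's is easier to triage once the kresd verbose output is reduced to a few facts: which upstream the resolver was talking to when it died, whether the TCP session it asserted on had actually completed its connect, which requests never reached `finished`, and whether anything was DNSSEC-validated before the abort. The script below is an added example written for this page; it is not part of the thread and not Knot Resolver code. Its regular expressions are derived from the line formats visible in the quoted `kresd -v` output, and `SAMPLE_LOG` is a constructed condensation of that output (gnutls handshake chatter and cache lines dropped, wrapped lines rejoined).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a condensed version of the `kresd -v` output quoted above,
# one log record per line.
SAMPLE_LOG = """\
[tls_client] imported 151 certs from system store
[system] interactive mode
[00000.00][plan] plan '.' type 'NS' uid [65536.00]
[65536.00][iter] '.' type 'NS' new uid was assigned .01, parent uid .00
[65536.01][plan] plan '.' type 'DNSKEY' uid [65536.02]
[65536.02][iter] '.' type 'DNSKEY' new uid was assigned .03, parent uid .01
[ ][nsre] score 21 for 9.9.9.9#00853;cached RTT: -1
[65536.03][resl] => id: '55621' querying: '9.9.9.9#00853' score: 21 zone cut: '.' qname: '.' qtype: 'DNSKEY' proto: 'tcp'
[65536.03][wrkr] => connecting to: '9.9.9.9#00853'
[00000.00][plan] plan '.' type 'NS' uid [65537.00]
[65537.01][resl] AD: request NOT classified as SECURE
[65537.01][resl] finished: 0, queries: 1, mempool: 81952 B
[detect_time_skew] No RRSIGs received! You really should configure DNSSEC trust anchor for the root.
[wrkr]=> connected to '9.9.9.9#00853'
[00000.00][plan] plan '.' type 'DNSKEY' uid [65538.00]
[65538.01][resl] => id: '44507' querying: '9.9.9.9#00853' score: 21 zone cut: '.' qname: '.' qtype: 'DNSKEY' proto: 'tcp'
kresd: daemon/worker.c:1179: tcp_task_waiting_connection: Assertion `session_flags(session)->outgoing' failed.
Aborted
"""

# Line shapes assumed from the quoted output; kresd's request id is the number
# before the dot in the leading [NNNNN.NN] tag.
RE_PLAN = re.compile(r"^\[\d+\.\d+\]\[plan\] plan '[^']*' type '\w+' uid \[(\d+)\.\d+\]")
RE_FINISHED = re.compile(r"^\[(\d+)\.\d+\]\[resl\] finished: (-?\d+), queries: (\d+)")
RE_QUERY = re.compile(
    r"^\[(\d+)\.\d+\]\[resl\] => id: '(\d+)' querying: '([^']+)' score: \d+ "
    r"zone cut: '[^']*' qname: '([^']*)' qtype: '(\w+)' proto: '(\w+)'")
RE_CONNECTING = re.compile(r"\[wrkr\] => connecting to: '([^']+)'")
RE_CONNECTED = re.compile(r"\[wrkr\]=> connected to '([^']+)'")
RE_ASSERT = re.compile(r"^kresd: ([^:]+):(\d+): (\w+): Assertion `(.*)' failed\.$")


@dataclass
class Query:
    request: int   # kresd request id
    msg_id: int    # DNS message id used on the wire
    upstream: str  # address#port; port 853 is DNS-over-TLS
    qname: str
    qtype: str
    proto: str


@dataclass
class Triage:
    queries: List[Query] = field(default_factory=list)
    connecting: List[str] = field(default_factory=list)
    connected: List[str] = field(default_factory=list)
    planned: List[int] = field(default_factory=list)
    finished: List[int] = field(default_factory=list)
    assertion: Optional[Tuple[str, int, str, str]] = None  # (file, line, function, expression)
    aborted: bool = False
    dnssec_warning: bool = False

    @property
    def unfinished(self) -> List[int]:
        """Requests that were planned but never logged 'finished'."""
        return [r for r in self.planned if r not in self.finished]

    @property
    def half_open(self) -> List[str]:
        """Upstreams with a 'connecting' but no matching 'connected' record."""
        return [u for u in self.connecting if u not in self.connected]


def triage(log_text: str) -> Triage:
    """Walk the log once and collect the facts needed to read the crash."""
    t = Triage()
    for line in log_text.splitlines():
        line = line.strip()
        if m := RE_PLAN.match(line):
            rid = int(m.group(1))
            if rid not in t.planned:
                t.planned.append(rid)
        elif m := RE_FINISHED.match(line):
            t.finished.append(int(m.group(1)))
        elif m := RE_QUERY.match(line):
            t.queries.append(Query(int(m.group(1)), int(m.group(2)), m.group(3),
                                   m.group(4), m.group(5), m.group(6)))
        elif m := RE_CONNECTING.search(line):
            t.connecting.append(m.group(1))
        elif m := RE_CONNECTED.search(line):
            t.connected.append(m.group(1))
        elif m := RE_ASSERT.match(line):
            t.assertion = (m.group(1), int(m.group(2)), m.group(3), m.group(4))
        elif line == "Aborted":
            t.aborted = True
        elif "NOT classified as SECURE" in line or line.startswith("[detect_time_skew]"):
            t.dnssec_warning = True
    return t


def report(t: Triage) -> str:
    """Human-readable summary suitable for pasting into a bug report."""
    out = []
    if t.assertion:
        src, lineno, func, expr = t.assertion
        out.append(f"crash: {func} ({src}:{lineno}) asserted `{expr}'")
    out.append(f"aborted: {t.aborted}")
    out.append(f"upstreams queried: {sorted(set(q.upstream for q in t.queries))}")
    out.append(f"tcp sessions connected: {t.connected}, still half-open: {t.half_open}")
    out.append(f"requests without 'finished': {t.unfinished}")
    if t.dnssec_warning:
        out.append("note: answers were not DNSSEC-validated before the crash")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

On the sample the summary shows the property that makes this report useful to the maintainers: the only upstream ever contacted is 9.9.9.9#00853 over TCP, its connect had already completed (`connected`, nothing half-open), and the assertion fires in `tcp_task_waiting_connection` while two DNSKEY requests are still unfinished, so the failure sits in the reuse of an established DNS-over-TLS session rather than in the connect itself.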