Hi Folks,
Pretty new to knot-resolver and I've been searching around but haven't
found anyone with the same error.
I'm running CentOS 7 with knot-resolver 2.4.1 from the EPEL
repository. I believe that my config is only slightly modified from an
example config.
[root@usher knot-resolver]# cat kresd.conf
-- Config file example useable for personal resolver.
-- The goal is to have a validating resolver with tiny memory footprint,
-- while actively tracking and refreshing frequent records to lower user latency.
-- Refer to manual: https://knot-resolver.readthedocs.io/en/latest/daemon.html#configuration
-- Listen on localhost (default)
-- net = { '127.0.0.1', '::1' }
-- Drop root privileges
-- user('knot-resolver', 'knot-resolver')
-- Auto-maintain root TA
trust_anchors.file = 'root.keys'
-- Load Useful modules
modules = {
    'policy',  -- Block queries to local zones/bad sites
    'hints',   -- Load /etc/hosts and allow custom root hints
    'stats',   -- Track internal statistics
    'predict', -- Prefetch expiring/frequent records
}
-- Smaller cache size
cache.size = 10 * MB
verbose(true)
policy.add(policy.all(policy.TLS_FORWARD({
    {'9.9.9.9', hostname='dns.quad9.net'},
    {'1.1.1.1', hostname='cloudflare-dns.com'},
    {'149.112.112.112', hostname='dns.quad9.net'},
    {'1.0.0.1', hostname='cloudflare-dns.com'},
})))
When running (either via systemd or at a command line) kresd aborts.
Below are the verbose logs:
[root@usher knot-resolver]# /usr/sbin/kresd --config=/etc/knot-resolver/kresd.conf --forks=1
[gnutls] (2) Initializing PKCS #11 modules
[gnutls] (2) p11: Initializing module: p11-kit-trust
[gnutls] (3) ASSERT: pkcs11.c:665
[gnutls] (2) p11: No login requested.
[gnutls] (2) p11: No login requested.
[gnutls] (3) ASSERT: pkcs11.c:2664
[gnutls] (3) ASSERT: pkcs11.c:2993
[tls_client] imported 151 certs from system store
[gnutls] (2) p11: No login requested.
[gnutls] (2) p11: No login requested.
[gnutls] (3) ASSERT: pkcs11.c:2664
[gnutls] (3) ASSERT: pkcs11.c:2993
[tls_client] imported 151 certs from system store
[gnutls] (2) p11: No login requested.
[gnutls] (2) p11: No login requested.
[gnutls] (3) ASSERT: pkcs11.c:2664
[gnutls] (3) ASSERT: pkcs11.c:2993
[tls_client] imported 151 certs from system store
[gnutls] (2) p11: No login requested.
[gnutls] (2) p11: No login requested.
[gnutls] (3) ASSERT: pkcs11.c:2664
[gnutls] (3) ASSERT: pkcs11.c:2993
[tls_client] imported 151 certs from system store
[gnutls] (2) p11: No login requested.
[gnutls] (2) p11: No login requested.
[gnutls] (3) ASSERT: pkcs11.c:2664
[gnutls] (3) ASSERT: pkcs11.c:2993
[tls_client] imported 151 certs from system store
[gnutls] (2) p11: No login requested.
[gnutls] (2) p11: No login requested.
[gnutls] (3) ASSERT: pkcs11.c:2664
[gnutls] (3) ASSERT: pkcs11.c:2993
[tls_client] imported 151 certs from system store
[gnutls] (2) p11: No login requested.
[gnutls] (2) p11: No login requested.
[gnutls] (3) ASSERT: pkcs11.c:2664
[gnutls] (3) ASSERT: pkcs11.c:2993
[tls_client] imported 151 certs from system store
[gnutls] (2) p11: No login requested.
[gnutls] (2) p11: No login requested.
[gnutls] (3) ASSERT: pkcs11.c:2664
[gnutls] (3) ASSERT: pkcs11.c:2993
[tls_client] imported 151 certs from system store
[tls_client] error: hostname 'dns.quad9.net' for address '9.9.9.9#00853' already was set, ignoring
[tls_client] error: system ca for address '9.9.9.9#00853' already was set, ignoring
[tls_client] error: hostname 'cloudflare-dns.com' for address '1.0.0.1#00853' already was set, ignoring
[tls_client] error: system ca for address '1.0.0.1#00853' already was set, ignoring
[tls_client] error: hostname 'dns.quad9.net' for address '149.112.112.112#00853' already was set, ignoring
[tls_client] error: system ca for address '149.112.112.112#00853' already was set, ignoring
[tls_client] error: hostname 'cloudflare-dns.com' for address '1.1.1.1#00853' already was set, ignoring
[tls_client] error: system ca for address '1.1.1.1#00853' already was set, ignoring
[ 0][plan] plan '.' type 'NS'
[50114][iter] '.' type 'NS' id was assigned, parent id 0
[50114][plan] plan '.' type 'DNSKEY'
[26197][iter] '.' type 'DNSKEY' id was assigned, parent id 50114
[ ][nsre] score 1 for 9.9.9.9; cached RTT: -1
[ ][nsre] score 1 for 1.1.1.1; cached RTT: -1
[ ][nsre] score 1 for 149.112.112.112; cached RTT: -1
[ ][nsre] score 1 for 1.0.0.1; cached RTT: -1
[gnutls] (5) REC[0x55801d4242b0]: Allocating epoch #0
[26197][wrkr] => connecting to: '9.9.9.9'
[ 0][plan] plan '.' type 'NS'
[38655][iter] '.' type 'NS' id was assigned, parent id 0
[ ][nsre] score 1 for 9.9.9.9; cached RTT: -1
[ ][nsre] score 1 for 1.1.1.1; cached RTT: -1
[ ][nsre] score 1 for 149.112.112.112; cached RTT: -1
[ ][nsre] score 1 for 1.0.0.1; cached RTT: -1
[26197][wrkr] => connected to '9.9.9.9'
[gnutls] (3) ASSERT: gnutls_constate.c:586
[gnutls] (5) REC[0x55801d4242b0]: Allocating epoch #1
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_AES_128_GCM_SHA256 (00.9C)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_AES_256_GCM_SHA384 (00.9D)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_CAMELLIA_128_GCM_SHA256 (C0.7A)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_CAMELLIA_256_GCM_SHA384 (C0.7B)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1 (00.2F)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256 (00.3C)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1 (00.35)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256 (00.3D)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1 (00.41)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA256 (00.BA)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1 (00.84)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA256 (00.C0)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1 (00.0A)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_AES_128_GCM_SHA256 (00.9E)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_AES_256_GCM_SHA384 (00.9F)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1 (00.33)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256 (00.67)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1 (00.39)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256 (00.6B)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 (00.16)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_AES_128_GCM_SHA256 (00.A2)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_AES_256_GCM_SHA384 (00.A3)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_GCM_SHA256 (C0.80)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_GCM_SHA384 (C0.81)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1 (00.32)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256 (00.40)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1 (00.38)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256 (00.6A)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1 (00.44)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA256 (00.BD)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1 (00.87)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA256 (00.C3)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1 (00.13)
[gnutls] (4) EXT[0x55801d4242b0]: Sending extension STATUS REQUEST (5 bytes)
[gnutls] (4) EXT[0x55801d4242b0]: Sending extension SAFE RENEGOTIATION (1 bytes)
[gnutls] (4) EXT[0x55801d4242b0]: Sending extension SESSION TICKET (0 bytes)
[gnutls] (4) EXT[0x55801d4242b0]: Sending extension SUPPORTED ECC (8 bytes)
[gnutls] (4) EXT[0x55801d4242b0]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes)
[gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (4.1) RSA-SHA256
[gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (4.2) DSA-SHA256
[gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (4.3) ECDSA-SHA256
[gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (5.1) RSA-SHA384
[gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (5.3) ECDSA-SHA384
[gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (6.1) RSA-SHA512
[gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (6.3) ECDSA-SHA512
[gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (3.1) RSA-SHA224
[gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (3.2) DSA-SHA224
[gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (3.3) ECDSA-SHA224
[gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (2.1) RSA-SHA1
[gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (2.2) DSA-SHA1
[gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (2.3) ECDSA-SHA1
[gnutls] (4) EXT[0x55801d4242b0]: Sending extension SIGNATURE ALGORITHMS (28 bytes)
[gnutls] (4) HSK[0x55801d4242b0]: CLIENT HELLO was queued [227 bytes]
[gnutls] (5) REC[0x55801d4242b0]: Preparing Packet Handshake(22) with length: 227 and min pad: 0
[gnutls] (5) REC[0x55801d4242b0]: Sent Packet[1] Handshake(22) in epoch 0 and length: 232
[ 0][wrkr] [tls_client] push 232 <0x55801d3f4400>
[gnutls] (3) ASSERT: gnutls_buffers.c:1139
[gnutls] (2) The pull function has been replaced but not the pull timeout.
[gnutls] (3) ASSERT: gnutls_buffers.c:731
[gnutls] (3) ASSERT: gnutls_buffers.c:332
[gnutls] (3) ASSERT: gnutls_buffers.c:572
[gnutls] (3) ASSERT: gnutls_record.c:1063
[gnutls] (3) ASSERT: gnutls_record.c:1184
[gnutls] (3) ASSERT: gnutls_buffers.c:1393
[gnutls] (3) ASSERT: gnutls_handshake.c:1440
[gnutls] (3) ASSERT: gnutls_handshake.c:2739
[tls_client] handshake failed (Error in the pull function.)
[ 0][resl] AD: request NOT classified as SECURE
[26197][resl] finished: 0, queries: 0, mempool: 81952 B
[priming] cannot resolve '.' NS, next priming query in 10 seconds
[ 0][resl] AD: request NOT classified as SECURE
[38655][resl] finished: 0, queries: 0, mempool: 81952 B
[detect_time_skew] cannot resolve '.' NS
[gnutls] (5) REC[0x55801d4242b0]: Start of epoch cleanup
[gnutls] (5) REC[0x55801d4242b0]: End of epoch cleanup
[gnutls] (5) REC[0x55801d4242b0]: Epoch #0 freed
[gnutls] (5) REC[0x55801d4242b0]: Epoch #1 freed
[ 0][plan] plan '.' type 'DNSKEY'
[35791][iter] '.' type 'DNSKEY' id was assigned, parent id 0
[ ][nsre] score 1 for 9.9.9.9; cached RTT: -1
[ ][nsre] score 1 for 1.1.1.1; cached RTT: -1
[ ][nsre] score 1 for 149.112.112.112; cached RTT: -1
[ ][nsre] score 1 for 1.0.0.1; cached RTT: -1
kresd: daemon/worker.c:1691: qr_task_step: Assertion `session->outgoing' failed.
Aborted
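
Added example (not part of the original post, and not knot-resolver code): a small triage script for a kresd verbose log in the format shown above. It tolerates lines hard-wrapped by a mail client, separates the GnuTLS debug ASSERT noise from the failure chain (TLS handshake error, then the daemon's own assertion abort), and lists the legacy suites offered in the ClientHello. The function names and the legacy-suite heuristic are assumptions of this example.

```python
import re
# Constructed sample, abridged from the log format in the post. The ciphersuite
# entries are hard-wrapped as a mail client would, to exercise unwrap().
SAMPLE = """\
[26197][wrkr] => connecting to: '9.9.9.9'
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
RSA_3DES_EDE_CBC_SHA1 (00.0A)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
DHE_DSS_AES_128_CBC_SHA256 (00.40)
[gnutls] (3) ASSERT: gnutls_handshake.c:2739
[tls_client] handshake failed (Error in the pull function.)
kresd: daemon/worker.c:1691: qr_task_step: Assertion `session->outgoing' failed.
Aborted
"""

def unwrap(text):
    """Rejoin continuation lines produced by a mail client's hard wrap."""
    out = []
    for line in text.splitlines():
        starts_record = line.startswith(("[", "kresd:", "Aborted"))
        if out and line and not starts_record:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def triage(text):
    """Pull the failure chain out of a kresd verbose log."""
    r = {"peer": None, "suites": [], "legacy": [], "handshake_error": None,
         "gnutls_asserts": 0, "abort": None}
    for line in unwrap(text):
        if m := re.search(r"=> connecting to: '([^']+)'", line):
            r["peer"] = m.group(1)
        elif m := re.search(r"Keeping ciphersuite: (\S+)", line):
            r["suites"].append(m.group(1))
            # Heuristic chosen for this example: 3DES, SHA-1 MAC, DSS auth.
            if re.search(r"3DES|_SHA1$|_DSS_", m.group(1)):
                r["legacy"].append(m.group(1))
        elif "[gnutls] (3) ASSERT:" in line:
            r["gnutls_asserts"] += 1  # library debug noise, counted only
        elif m := re.search(r"\[tls_client\] handshake failed \((.+)\)", line):
            r["handshake_error"] = m.group(1)
        elif m := re.search(r"^kresd: (\S+?):(\d+): (\w+): Assertion `(.+)' failed", line):
            r["abort"] = m.groups()  # (file, line, function, expression)
    return r

if __name__ == "__main__":
    print(triage(SAMPLE))
```

To run it over a real capture, pass the saved log text to triage(); the "abort" tuple is the part to quote in a bug report, since the GnuTLS ASSERT lines are debug traces rather than the crash itself.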