Hi Petr,

Apologies, I’d only seen the CentOS CZ.NIC repo after I’d sent the email. I've removed the old version of knot-resolver and deleted the directories then installed the one from the CZ.NIC repo:

[root@usher ~]# rpm -qi knot-resolver

Name        : knot-resolver

Version     : 3.2.0

Release     : 1.1

Architecture: x86_64

Install Date: Sun 30 Dec 2018 10:32:50 PM EST

Group       : Unspecified

Size        : 808110

License     : GPLv3

Signature   : RSA/SHA256, Mon 17 Dec 2018 08:35:45 AM EST, Key ID 74062db36a1f4009

Source RPM  : knot-resolver-3.2.0-1.1.src.rpm

Build Date  : Mon 17 Dec 2018 08:35:41 AM EST

Build Host  : lamb21

Relocations : (not relocatable)

Vendor      : obs://build.opensuse.org/home:CZ-NIC


Even after upgrading it's still aborting (with the same message). Below are both my config and the messages from kresd:

-------- Begin kresd.conf

-- vim:syntax=lua:

-- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration


-- Load useful modules

modules = {

        'hints > iterate',  -- Load /etc/hosts and allow custom root hints

        'stats',            -- Track internal statistics

        'predict',          -- Prefetch expiring/frequent records

}


-- See kresd.systemd(7) about configuring network interfaces when using systemd

-- Listen on localhost (default)

-- net = { '127.0.0.1', '::1' }


-- Enable DNSSEC validation

trust_anchors.file = 'root.keys'


-- Cache size

cache.size = 100 * MB



--


--tls_bundle='/usr/local/etc/openssl/cert.pem'


policy.add(policy.all(policy.TLS_FORWARD({

  {'9.9.9.9', hostname='dns.quad9.net'},

  {'1.1.1.1', hostname='cloudflare-dns.com'},

  {'149.112.112.112', hostname='dns.quad9.net'},

  {'1.0.0.1', hostname='cloudflare-dns.com'},

})))


-------- End kresd.conf


[root@usher knot-resolver]# kresd -c /etc/knot-resolver/kresd.conf -v 

[ ta ] new state of trust anchors for a domain: .                   3600 DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5


[ ta ] new state of trust anchors for a domain: .                   3600 DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5

.                   3600 DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D


[gnutls] (2) Initializing PKCS #11 modules

[gnutls] (2) p11: Initializing module: p11-kit-trust

[gnutls] (3) ASSERT: pkcs11.c:665

[gnutls] (2) p11: No login requested.

[gnutls] (2) p11: No login requested.

[gnutls] (3) ASSERT: pkcs11.c:2664

[gnutls] (3) ASSERT: pkcs11.c:2993

[tls_client] imported 151 certs from system store

[gnutls] (2) p11: No login requested.

[gnutls] (2) p11: No login requested.

[gnutls] (3) ASSERT: pkcs11.c:2664

[gnutls] (3) ASSERT: pkcs11.c:2993

[tls_client] imported 151 certs from system store

[gnutls] (2) p11: No login requested.

[gnutls] (2) p11: No login requested.

[gnutls] (3) ASSERT: pkcs11.c:2664

[gnutls] (3) ASSERT: pkcs11.c:2993

[tls_client] imported 151 certs from system store

[gnutls] (2) p11: No login requested.

[gnutls] (2) p11: No login requested.

[gnutls] (3) ASSERT: pkcs11.c:2664

[gnutls] (3) ASSERT: pkcs11.c:2993

[tls_client] imported 151 certs from system store

[system] interactive mode

> [00000.00][plan] plan '.' type 'NS' uid [65536.00]

[65536.00][iter]   '.' type 'NS' new uid was assigned .01, parent uid .00

[65536.01][cach]   => skipping exact RR: rank 020 (min. 030), new TTL 512841

[65536.01][cach]   => no NSEC* cached for zone: .

[65536.01][cach]   => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2

[65536.01][cach]   => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2

[65536.01][plan]   plan '.' type 'DNSKEY' uid [65536.02]

[65536.02][iter]     '.' type 'DNSKEY' new uid was assigned .03, parent uid .01

[65536.03][cach]     => no NSEC* cached for zone: .

[65536.03][cach]     => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2

[65536.03][cach]     => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2

[     ][nsre] score 21 for 9.9.9.9#00853; cached RTT: -1

[     ][nsre] score 21 for 1.1.1.1#00853; cached RTT: -1

[     ][nsre] score 21 for 149.112.112.112#00853; cached RTT: -1

[     ][nsre] score 21 for 1.0.0.1#00853; cached RTT: -1

[65536.03][resl]     => id: '55621' querying: '9.9.9.9#00853' score: 21 zone cut: '.' qname: '.' qtype: 'DNSKEY' proto: 'tcp'

[gnutls] (5) REC[0x55bac6605e30]: Allocating epoch #0

[65536.03][wrkr]     => connecting to: '9.9.9.9#00853'

[00000.00][plan] plan '.' type 'NS' uid [65537.00]

[65537.00][iter]   '.' type 'NS' new uid was assigned .01, parent uid .00

[65537.01][cach]   => satisfied by exact RRset: rank 020, new TTL 512841

[65537.01][iter]   <= rcode: NOERROR

[65537.01][resl]   AD: request NOT classified as SECURE

[65537.01][resl]   finished: 0, queries: 1, mempool: 81952 B

[detect_time_skew] No RRSIGs received! You really should configure DNSSEC trust anchor for the root.

[wrkr]=> connected to '9.9.9.9#00853'

[gnutls] (3) ASSERT: gnutls_constate.c:586

[gnutls] (5) REC[0x55bac6605e30]: Allocating epoch #1

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_AES_128_GCM_SHA256 (00.9C)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_AES_256_GCM_SHA384 (00.9D)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_CAMELLIA_128_GCM_SHA256 (C0.7A)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_CAMELLIA_256_GCM_SHA384 (C0.7B)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1 (00.2F)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256 (00.3C)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1 (00.35)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256 (00.3D)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1 (00.41)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA256 (00.BA)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1 (00.84)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA256 (00.C0)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1 (00.0A)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_AES_128_GCM_SHA256 (00.9E)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_AES_256_GCM_SHA384 (00.9F)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1 (00.33)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256 (00.67)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1 (00.39)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256 (00.6B)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 (00.16)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_AES_128_GCM_SHA256 (00.A2)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_AES_256_GCM_SHA384 (00.A3)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_GCM_SHA256 (C0.80)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_GCM_SHA384 (C0.81)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1 (00.32)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256 (00.40)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1 (00.38)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256 (00.6A)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1 (00.44)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA256 (00.BD)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1 (00.87)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA256 (00.C3)

[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1 (00.13)

[gnutls] (4) EXT[0x55bac6605e30]: Sending extension STATUS REQUEST (5 bytes)

[gnutls] (4) EXT[0x55bac6605e30]: Sending extension SAFE RENEGOTIATION (1 bytes)

[gnutls] (4) EXT[0x55bac6605e30]: Sending extension SESSION TICKET (0 bytes)

[gnutls] (4) EXT[0x55bac6605e30]: Sending extension SUPPORTED ECC (8 bytes)

[gnutls] (4) EXT[0x55bac6605e30]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes)

[gnutls] (4) EXT[0x55bac6605e30]: sent signature algo (4.1) RSA-SHA256

[gnutls] (4) EXT[0x55bac6605e30]: sent signature algo (4.2) DSA-SHA256[00000.00][plan] plan '.' type 'DNSKEY' uid [65538.00]

[65538.00][iter]   '.' type 'DNSKEY' new uid was assigned .01, parent uid .00

[     ][nsre] score 21 for 9.9.9.9#00853; cached RTT: -1

[     ][nsre] score 21 for 1.1.1.1#00853; cached RTT: -1

[     ][nsre] score 21 for 149.112.112.112#00853; cached RTT: -1

[     ][nsre] score 21 for 1.0.0.1#00853; cached RTT: -1

[65538.01][resl]   => id: '44507' querying: '9.9.9.9#00853' score: 21 zone cut: '.' qname: '.' qtype: 'DNSKEY' proto: 'tcp'

kresd: daemon/worker.c:1179: tcp_task_waiting_connection: Assertion `session_flags(session)->outgoing' failed.

Aborted



Thanks for any help!

Cheers,
Harry



On Wed, Jan 2, 2019 at 3:27 AM Petr Špaček <petr.spacek@nic.cz> wrote:
Hi Herry,

version 2.4.1 is ancient with known problems. Please upgrade to 3.2.0
from out upstream repo:

https://software.opensuse.org//download.html?project=home%3ACZ-NIC%3Aknot-resolver-latest&package=knot-resolver#manualCentOS

Upgrade should be fine if you do not use your own modules. Please let us
know if upgrade to 3.2.0 from upstream repo works for you and we will
consider bumping package version in EPEL as well.

Petr Špaček  @  CZ.NIC