[root@usher ~]# rpm -qi knot-resolver
Name : knot-resolver
Version : 3.2.0
Release : 1.1
Architecture: x86_64
Install Date: Sun 30 Dec 2018 10:32:50 PM EST
Group : Unspecified
Size : 808110
License : GPLv3
Signature : RSA/SHA256, Mon 17 Dec 2018 08:35:45 AM EST, Key ID 74062db36a1f4009
Source RPM : knot-resolver-3.2.0-1.1.src.rpm
Build Date : Mon 17 Dec 2018 08:35:41 AM EST
Build Host : lamb21
Relocations : (not relocatable)
Vendor : obs://build.opensuse.org/home:CZ-NIC
-- vim:syntax=lua:
-- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration
-- kresd configuration: loads three modules, sets DNSSEC trust anchors and a
-- cache size, and forwards every query to public resolvers over TLS.
-- Load useful modules
modules = {
'hints > iterate', -- Load /etc/hosts and allow custom root hints
'stats', -- Track internal statistics
'predict', -- Prefetch expiring/frequent records
}
-- See kresd.systemd(7) about configuring network interfaces when using systemd
-- Listen on localhost (default); the explicit setting below is left disabled
-- net = { '127.0.0.1', '::1' }
-- Enable DNSSEC validation: root trust anchors are read from this file.
-- NOTE(review): 'root.keys' is a relative path, so which file is loaded
-- presumably depends on the directory kresd is started from; confirm, or
-- use an absolute path so validation cannot silently pick up another file.
trust_anchors.file = 'root.keys'
-- Cache size
cache.size = 100 * MB
-- Commented-out CA bundle path. No upstream entry below passes a ca_file, so
-- this variable would be unused even if the line were enabled.
--tls_bundle='/usr/local/etc/openssl/cert.pem'
-- Forward all queries (policy.all) over TLS to the four upstream addresses.
-- Each entry gives only `hostname`, the name the upstream's certificate is
-- checked against; no ca_file or pin_sha256 is set, so the trust decision
-- rests on whichever CA store the TLS client falls back to.
-- NOTE(review): confirm that store is the intended one for this host.
policy.add(policy.all(policy.TLS_FORWARD({
{'9.9.9.9', hostname='dns.quad9.net'},
{'1.1.1.1', hostname='cloudflare-dns.com'},
{'149.112.112.112', hostname='dns.quad9.net'},
{'1.0.0.1', hostname='cloudflare-dns.com'},
})))
-------- End kresd.conf
[root@usher knot-resolver]# kresd -c /etc/knot-resolver/kresd.conf -v
[ ta ] new state of trust anchors for a domain: . 3600 DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
[ ta ] new state of trust anchors for a domain: . 3600 DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
. 3600 DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
[gnutls] (2) Initializing PKCS #11 modules
[gnutls] (2) p11: Initializing module: p11-kit-trust
[gnutls] (3) ASSERT: pkcs11.c:665
[gnutls] (2) p11: No login requested.
[gnutls] (2) p11: No login requested.
[gnutls] (3) ASSERT: pkcs11.c:2664
[gnutls] (3) ASSERT: pkcs11.c:2993
[tls_client] imported 151 certs from system store
[gnutls] (2) p11: No login requested.
[gnutls] (2) p11: No login requested.
[gnutls] (3) ASSERT: pkcs11.c:2664
[gnutls] (3) ASSERT: pkcs11.c:2993
[tls_client] imported 151 certs from system store
[gnutls] (2) p11: No login requested.
[gnutls] (2) p11: No login requested.
[gnutls] (3) ASSERT: pkcs11.c:2664
[gnutls] (3) ASSERT: pkcs11.c:2993
[tls_client] imported 151 certs from system store
[gnutls] (2) p11: No login requested.
[gnutls] (2) p11: No login requested.
[gnutls] (3) ASSERT: pkcs11.c:2664
[gnutls] (3) ASSERT: pkcs11.c:2993
[tls_client] imported 151 certs from system store
[system] interactive mode
> [00000.00][plan] plan '.' type 'NS' uid [65536.00]
[65536.00][iter] '.' type 'NS' new uid was assigned .01, parent uid .00
[65536.01][cach] => skipping exact RR: rank 020 (min. 030), new TTL 512841
[65536.01][cach] => no NSEC* cached for zone: .
[65536.01][cach] => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
[65536.01][cach] => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
[65536.01][plan] plan '.' type 'DNSKEY' uid [65536.02]
[65536.02][iter] '.' type 'DNSKEY' new uid was assigned .03, parent uid .01
[65536.03][cach] => no NSEC* cached for zone: .
[65536.03][cach] => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
[65536.03][cach] => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
[ ][nsre] score 21 for 9.9.9.9#00853; cached RTT: -1
[ ][nsre] score 21 for 1.1.1.1#00853; cached RTT: -1
[ ][nsre] score 21 for 149.112.112.112#00853; cached RTT: -1
[ ][nsre] score 21 for 1.0.0.1#00853; cached RTT: -1
[65536.03][resl] => id: '55621' querying: '9.9.9.9#00853' score: 21 zone cut: '.' qname: '.' qtype: 'DNSKEY' proto: 'tcp'
[gnutls] (5) REC[0x55bac6605e30]: Allocating epoch #0
[65536.03][wrkr] => connecting to: '9.9.9.9#00853'
[00000.00][plan] plan '.' type 'NS' uid [65537.00]
[65537.00][iter] '.' type 'NS' new uid was assigned .01, parent uid .00
[65537.01][cach] => satisfied by exact RRset: rank 020, new TTL 512841
[65537.01][iter] <= rcode: NOERROR
[65537.01][resl] AD: request NOT classified as SECURE
[65537.01][resl] finished: 0, queries: 1, mempool: 81952 B
[detect_time_skew] No RRSIGs received! You really should configure DNSSEC trust anchor for the root.
[wrkr]=> connected to '9.9.9.9#00853'
[gnutls] (3) ASSERT: gnutls_constate.c:586
[gnutls] (5) REC[0x55bac6605e30]: Allocating epoch #1
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_AES_128_GCM_SHA256 (00.9C)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_AES_256_GCM_SHA384 (00.9D)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_CAMELLIA_128_GCM_SHA256 (C0.7A)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_CAMELLIA_256_GCM_SHA384 (C0.7B)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1 (00.2F)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256 (00.3C)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1 (00.35)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256 (00.3D)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1 (00.41)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA256 (00.BA)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1 (00.84)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA256 (00.C0)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1 (00.0A)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_AES_128_GCM_SHA256 (00.9E)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_AES_256_GCM_SHA384 (00.9F)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1 (00.33)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256 (00.67)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1 (00.39)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256 (00.6B)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 (00.16)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_AES_128_GCM_SHA256 (00.A2)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_AES_256_GCM_SHA384 (00.A3)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_GCM_SHA256 (C0.80)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_GCM_SHA384 (C0.81)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1 (00.32)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256 (00.40)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1 (00.38)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256 (00.6A)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1 (00.44)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA256 (00.BD)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1 (00.87)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA256 (00.C3)
[gnutls] (4) HSK[0x55bac6605e30]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1 (00.13)
[gnutls] (4) EXT[0x55bac6605e30]: Sending extension STATUS REQUEST (5 bytes)
[gnutls] (4) EXT[0x55bac6605e30]: Sending extension SAFE RENEGOTIATION (1 bytes)
[gnutls] (4) EXT[0x55bac6605e30]: Sending extension SESSION TICKET (0 bytes)
[gnutls] (4) EXT[0x55bac6605e30]: Sending extension SUPPORTED ECC (8 bytes)
[gnutls] (4) EXT[0x55bac6605e30]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes)
[gnutls] (4) EXT[0x55bac6605e30]: sent signature algo (4.1) RSA-SHA256
[gnutls] (4) EXT[0x55bac6605e30]: sent signature algo (4.2) DSA-SHA256[00000.00][plan] plan '.' type 'DNSKEY' uid [65538.00]
[65538.00][iter] '.' type 'DNSKEY' new uid was assigned .01, parent uid .00
[ ][nsre] score 21 for 9.9.9.9#00853; cached RTT: -1
[ ][nsre] score 21 for 1.1.1.1#00853; cached RTT: -1
[ ][nsre] score 21 for 149.112.112.112#00853; cached RTT: -1
[ ][nsre] score 21 for 1.0.0.1#00853; cached RTT: -1
[65538.01][resl] => id: '44507' querying: '9.9.9.9#00853' score: 21 zone cut: '.' qname: '.' qtype: 'DNSKEY' proto: 'tcp'
kresd: daemon/worker.c:1179: tcp_task_waiting_connection: Assertion `session_flags(session)->outgoing' failed.
Aborted
Hi Herry,
Version 2.4.1 is ancient and has known problems. Please upgrade to 3.2.0
from our upstream repo:
https://software.opensuse.org//download.html?project=home%3ACZ-NIC%3Aknot-resolver-latest&package=knot-resolver#manualCentOS
Upgrade should be fine if you do not use your own modules. Please let us
know if upgrade to 3.2.0 from upstream repo works for you and we will
consider bumping package version in EPEL as well.
Petr Špaček @ CZ.NIC