Hi Harry,
version 2.4.1 is ancient with known problems. Please upgrade to 3.2.0
from our upstream repo:
Upgrade should be fine if you do not use your own modules. Please let us
know if upgrade to 3.2.0 from upstream repo works for you and we will
consider bumping package version in EPEL as well.
Petr Špaček @ CZ.NIC
On 01. 01. 19 21:29, Harry Hoffman wrote:
Hi Folks,
Pretty new to knot-resolver and I've been searching around but haven't
found anyone with the same error.
I'm running CentOS 7 with knot-resolver 2.4.1 from the EPEL
repository. I believe that my config is only slightly modified from an
example config.
[root@usher knot-resolver]# cat kresd.conf
-- Config file example useable for personal resolver.
-- The goal is to have a validating resolver with tiny memory footprint,
-- while actively tracking and refreshing frequent records to lower user latency.
-- Refer to manual: https://knot-resolver.readthedocs.io/en/latest/daemon.html#configuration
-- Listen on localhost (default)
-- net = { '127.0.0.1', '::1' }
-- Drop root privileges
-- user('knot-resolver', 'knot-resolver')
-- Auto-maintain root TA
trust_anchors.file = 'root.keys'
-- Load Useful modules
modules = {
    'policy',   -- Block queries to local zones/bad sites
    'hints',    -- Load /etc/hosts and allow custom root hints
    'stats',    -- Track internal statistics
    'predict',  -- Prefetch expiring/frequent records
}
-- Smaller cache size
cache.size = 10 * MB
verbose(true)
policy.add(policy.all(policy.TLS_FORWARD({
    {'9.9.9.9', hostname='dns.quad9.net'},
    {'1.1.1.1', hostname='cloudflare-dns.com'},
    {'149.112.112.112', hostname='dns.quad9.net'},
    {'1.0.0.1', hostname='cloudflare-dns.com'},
})))
When running (either via systemd or at a command line) kresd aborts.
Below are the verbose logs:
[root@usher knot-resolver]# /usr/sbin/kresd --config=/etc/knot-resolver/kresd.conf --forks=1
[gnutls] (2) Initializing PKCS #11 modules
[gnutls] (2) p11: Initializing module: p11-kit-trust
[gnutls] (3) ASSERT: pkcs11.c:665
[gnutls] (2) p11: No login requested.
[gnutls] (2) p11: No login requested.
[gnutls] (3) ASSERT: pkcs11.c:2664
[gnutls] (3) ASSERT: pkcs11.c:2993
[tls_client] imported 151 certs from system store
[gnutls] (2) p11: No login requested.
[gnutls] (2) p11: No login requested.
[gnutls] (3) ASSERT: pkcs11.c:2664
[gnutls] (3) ASSERT: pkcs11.c:2993
[tls_client] imported 151 certs from system store
[gnutls] (2) p11: No login requested.
[gnutls] (2) p11: No login requested.
[gnutls] (3) ASSERT: pkcs11.c:2664
[gnutls] (3) ASSERT: pkcs11.c:2993
[tls_client] imported 151 certs from system store
[gnutls] (2) p11: No login requested.
[gnutls] (2) p11: No login requested.
[gnutls] (3) ASSERT: pkcs11.c:2664
[gnutls] (3) ASSERT: pkcs11.c:2993
[tls_client] imported 151 certs from system store
[gnutls] (2) p11: No login requested.
[gnutls] (2) p11: No login requested.
[gnutls] (3) ASSERT: pkcs11.c:2664
[gnutls] (3) ASSERT: pkcs11.c:2993
[tls_client] imported 151 certs from system store
[gnutls] (2) p11: No login requested.
[gnutls] (2) p11: No login requested.
[gnutls] (3) ASSERT: pkcs11.c:2664
[gnutls] (3) ASSERT: pkcs11.c:2993
[tls_client] imported 151 certs from system store
[gnutls] (2) p11: No login requested.
[gnutls] (2) p11: No login requested.
[gnutls] (3) ASSERT: pkcs11.c:2664
[gnutls] (3) ASSERT: pkcs11.c:2993
[tls_client] imported 151 certs from system store
[gnutls] (2) p11: No login requested.
[gnutls] (2) p11: No login requested.
[gnutls] (3) ASSERT: pkcs11.c:2664
[gnutls] (3) ASSERT: pkcs11.c:2993
[tls_client] imported 151 certs from system store
[tls_client] error: hostname 'dns.quad9.net' for address
'9.9.9.9#00853' already was set, ignoring
[tls_client] error: system ca for address '9.9.9.9#00853' already was
set, ignoring
[tls_client] error: hostname 'cloudflare-dns.com' for address
'1.0.0.1#00853' already was set, ignoring
[tls_client] error: system ca for address '1.0.0.1#00853' already was
set, ignoring
[tls_client] error: hostname 'dns.quad9.net' for address
'149.112.112.112#00853' already was set, ignoring
[tls_client] error: system ca for address '149.112.112.112#00853'
already was set, ignoring
[tls_client] error: hostname 'cloudflare-dns.com' for address
'1.1.1.1#00853' already was set, ignoring
[tls_client] error: system ca for address '1.1.1.1#00853' already was
set, ignoring
[ 0][plan] plan '.' type 'NS'
[50114][iter] '.' type 'NS' id was assigned, parent id 0
[50114][plan] plan '.' type 'DNSKEY'
[26197][iter] '.' type 'DNSKEY' id was assigned, parent id 50114
[ ][nsre] score 1 for 9.9.9.9; cached RTT: -1
[ ][nsre] score 1 for 1.1.1.1; cached RTT: -1
[ ][nsre] score 1 for 149.112.112.112; cached RTT: -1
[ ][nsre] score 1 for 1.0.0.1; cached RTT: -1
[gnutls] (5) REC[0x55801d4242b0]: Allocating epoch #0
[26197][wrkr] => connecting to: '9.9.9.9'
[ 0][plan] plan '.' type 'NS'
[38655][iter] '.' type 'NS' id was assigned, parent id 0
[ ][nsre] score 1 for 9.9.9.9; cached RTT: -1
[ ][nsre] score 1 for 1.1.1.1; cached RTT: -1
[ ][nsre] score 1 for 149.112.112.112; cached RTT: -1
[ ][nsre] score 1 for 1.0.0.1; cached RTT: -1
[26197][wrkr] => connected to '9.9.9.9'
[gnutls] (3) ASSERT: gnutls_constate.c:586
[gnutls] (5) REC[0x55801d4242b0]: Allocating epoch #1
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
RSA_AES_128_GCM_SHA256 (00.9C)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
RSA_AES_256_GCM_SHA384 (00.9D)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
RSA_CAMELLIA_128_GCM_SHA256 (C0.7A)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
RSA_CAMELLIA_256_GCM_SHA384 (C0.7B)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
RSA_AES_128_CBC_SHA1 (00.2F)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
RSA_AES_128_CBC_SHA256 (00.3C)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
RSA_AES_256_CBC_SHA1 (00.35)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
RSA_AES_256_CBC_SHA256 (00.3D)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
RSA_CAMELLIA_128_CBC_SHA1 (00.41)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
RSA_CAMELLIA_128_CBC_SHA256 (00.BA)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
RSA_CAMELLIA_256_CBC_SHA1 (00.84)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
RSA_CAMELLIA_256_CBC_SHA256 (00.C0)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
RSA_3DES_EDE_CBC_SHA1 (00.0A)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
DHE_RSA_AES_128_GCM_SHA256 (00.9E)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
DHE_RSA_AES_256_GCM_SHA384 (00.9F)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
DHE_RSA_AES_128_CBC_SHA1 (00.33)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
DHE_RSA_AES_128_CBC_SHA256 (00.67)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
DHE_RSA_AES_256_CBC_SHA1 (00.39)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
DHE_RSA_AES_256_CBC_SHA256 (00.6B)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
DHE_RSA_3DES_EDE_CBC_SHA1 (00.16)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
DHE_DSS_AES_128_GCM_SHA256 (00.A2)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
DHE_DSS_AES_256_GCM_SHA384 (00.A3)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
DHE_DSS_CAMELLIA_128_GCM_SHA256 (C0.80)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
DHE_DSS_CAMELLIA_256_GCM_SHA384 (C0.81)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
DHE_DSS_AES_128_CBC_SHA1 (00.32)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
DHE_DSS_AES_128_CBC_SHA256 (00.40)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
DHE_DSS_AES_256_CBC_SHA1 (00.38)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
DHE_DSS_AES_256_CBC_SHA256 (00.6A)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
DHE_DSS_CAMELLIA_128_CBC_SHA1 (00.44)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
DHE_DSS_CAMELLIA_128_CBC_SHA256 (00.BD)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
DHE_DSS_CAMELLIA_256_CBC_SHA1 (00.87)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
DHE_DSS_CAMELLIA_256_CBC_SHA256 (00.C3)
[gnutls] (4) HSK[0x55801d4242b0]: Keeping ciphersuite:
DHE_DSS_3DES_EDE_CBC_SHA1 (00.13)
[gnutls] (4) EXT[0x55801d4242b0]: Sending extension STATUS REQUEST (5 bytes)
[gnutls] (4) EXT[0x55801d4242b0]: Sending extension SAFE RENEGOTIATION (1 bytes)
[gnutls] (4) EXT[0x55801d4242b0]: Sending extension SESSION TICKET (0 bytes)
[gnutls] (4) EXT[0x55801d4242b0]: Sending extension SUPPORTED ECC (8 bytes)
[gnutls] (4) EXT[0x55801d4242b0]: Sending extension SUPPORTED ECC
POINT FORMATS (2 bytes)
[gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (4.1) RSA-SHA256
[gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (4.2) DSA-SHA256
[gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (4.3) ECDSA-SHA256
[gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (5.1) RSA-SHA384
[gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (5.3) ECDSA-SHA384
[gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (6.1) RSA-SHA512
[gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (6.3) ECDSA-SHA512
[gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (3.1) RSA-SHA224
[gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (3.2) DSA-SHA224
[gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (3.3) ECDSA-SHA224
[gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (2.1) RSA-SHA1
[gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (2.2) DSA-SHA1
[gnutls] (4) EXT[0x55801d4242b0]: sent signature algo (2.3) ECDSA-SHA1
[gnutls] (4) EXT[0x55801d4242b0]: Sending extension SIGNATURE
ALGORITHMS (28 bytes)
[gnutls] (4) HSK[0x55801d4242b0]: CLIENT HELLO was queued [227 bytes]
[gnutls] (5) REC[0x55801d4242b0]: Preparing Packet Handshake(22) with
length: 227 and min pad: 0
[gnutls] (5) REC[0x55801d4242b0]: Sent Packet[1] Handshake(22) in
epoch 0 and length: 232
[ 0][wrkr] [tls_client] push 232 <0x55801d3f4400>
[gnutls] (3) ASSERT: gnutls_buffers.c:1139
[gnutls] (2) The pull function has been replaced but not the pull
timeout.[gnutls] (3) ASSERT: gnutls_buffers.c:731
[gnutls] (3) ASSERT: gnutls_buffers.c:332
[gnutls] (3) ASSERT: gnutls_buffers.c:572
[gnutls] (3) ASSERT: gnutls_record.c:1063
[gnutls] (3) ASSERT: gnutls_record.c:1184
[gnutls] (3) ASSERT: gnutls_buffers.c:1393
[gnutls] (3) ASSERT: gnutls_handshake.c:1440
[gnutls] (3) ASSERT: gnutls_handshake.c:2739
[tls_client] handshake failed (Error in the pull function.)
[ 0][resl] AD: request NOT classified as SECURE
[26197][resl] finished: 0, queries: 0, mempool: 81952 B
[priming] cannot resolve '.' NS, next priming query in 10 seconds
[ 0][resl] AD: request NOT classified as SECURE
[38655][resl] finished: 0, queries: 0, mempool: 81952 B
[detect_time_skew] cannot resolve '.' NS
[gnutls] (5) REC[0x55801d4242b0]: Start of epoch cleanup
[gnutls] (5) REC[0x55801d4242b0]: End of epoch cleanup
[gnutls] (5) REC[0x55801d4242b0]: Epoch #0 freed
[gnutls] (5) REC[0x55801d4242b0]: Epoch #1 freed
[ 0][plan] plan '.' type 'DNSKEY'
[35791][iter] '.' type 'DNSKEY' id was assigned, parent id 0
[ ][nsre] score 1 for 9.9.9.9; cached RTT: -1
[ ][nsre] score 1 for 1.1.1.1; cached RTT: -1
[ ][nsre] score 1 for 149.112.112.112; cached RTT: -1
[ ][nsre] score 1 for 1.0.0.1; cached RTT: -1
kresd: daemon/worker.c:1691: qr_task_step: Assertion `session->outgoing' failed.
Aborted
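
A verbose log like the one above is easier to read once the mail-wrapped lines are rejoined and the few decisive records are pulled out. The following Python sketch is an added example, not part of the original thread or of knot-resolver; the names `unwrap` and `triage` are hypothetical, and the sample input is constructed from lines copied out of the log above.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the log above, mail wrapping included.
SAMPLE = """\
[tls_client] error: hostname 'dns.quad9.net' for address
'9.9.9.9#00853' already was set, ignoring
[tls_client] error: system ca for address '9.9.9.9#00853' already was
set, ignoring
[26197][wrkr] => connected to '9.9.9.9'
[gnutls] (3) ASSERT: gnutls_handshake.c:2739
[tls_client] handshake failed (Error in the pull function.)
[priming] cannot resolve '.' NS, next priming query in 10 seconds
kresd: daemon/worker.c:1691: qr_task_step: Assertion `session->outgoing' failed.
Aborted
"""

# A record starts with a [tag], the daemon's own "kresd: " prefix, or "Aborted".
RECORD_START = re.compile(r"^(\[[^\]]*\]|kresd: |Aborted$)")

def unwrap(text):
    """Rejoin records that the mail client wrapped onto a second line."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def triage(text):
    """Summarise TLS upstream state and the fatal abort for an operator."""
    report = {"connected": [], "handshake_failures": [],
              "duplicate_tls": Counter(), "fatal": None}
    for rec in unwrap(text):
        if m := re.search(r"\[wrkr\] => connected to '([^']+)'", rec):
            report["connected"].append(m.group(1))
        elif m := re.search(r"\[tls_client\] handshake failed \((.*)\)$", rec):
            report["handshake_failures"].append(m.group(1))
        elif m := re.search(r"for address '([^'#]+)#\d+' already was set", rec):
            report["duplicate_tls"][m.group(1)] += 1
        elif m := re.search(r"^kresd: (\S+):(\d+): (\w+): Assertion `(.+)' failed", rec):
            report["fatal"] = {"file": m.group(1), "line": int(m.group(2)),
                               "function": m.group(3), "expr": m.group(4)}
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run against the full log, the report shows a TCP connection to the upstream followed by a failed TLS handshake and then the assertion abort, which is the sequence worth quoting in a bug report.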