partial problem resolving kernel-error.de

W.C.A. Wijngaards wouter at nlnetlabs.nl
Tue May 30 07:43:38 UTC 2017


Hi Andreas,

The failure you see is in the code for TCP FASTOPEN.  It was enabled
when you gave the configure option --enable-tfo-client.

We cannot do r = sendmsg(fd, &msg, MSG_FASTOPEN); to perform a TCP
FASTOPEN on the tcp connection.  It returns the errno that you see printed.

That cheap VM has TCP FASTOPEN issues.  Do you think MSG_FASTOPEN is
broken in that Linux kernel, or that the hoster broke it (i.e. blocked
it in a firewall)?

Best regards, Wouter

On 30/05/17 09:21, A. Schulze via Unbound-users wrote:
> Hello,
> 
> The domain uses huge keys: https://zonemaster.net/test/f8b42c485139ea99
> Also, DNSViz http://dnsviz.net/d/kernel-error.de/dnssec/ shows warnings.
> 
> But most of my unbound-host resolve without problems, except instances on
> "cheap hosted virtual machines".
> As far as I can tell, all unbound servers are configured identically:
> 
> server:
>  chroot: /etc/unbound
>  minimal-responses: yes
>  harden-below-nxdomain: yes
>  harden-referral-path: yes
>  harden-glue: yes
>  outgoing-tcp-mss: 1220
>  qname-minimisation: yes
>  tcp-mss: 1220
>  use-caps-for-id: yes
>  val-log-level: 2
>  auto-trust-anchor-file: trust/root-rfc5011.anchor
>  # do-ip4: yes
>  # do-ip6: yes
> 
> With "verbosity: 2" the log is flooded with errors when I run
> "dig @$resolver kernel-error.de. dnskey +dnssec":
> 2017-05-30 00:03:24.413773500 [1496095404] unbound[4398:0] error: tcp
> sendmsg: Broken pipe for 5.9.24.235
> 2017-05-30 00:03:24.419315500 [1496095404] unbound[4398:0] error: tcp
> sendmsg: Broken pipe for 5.9.24.235
> 2017-05-30 00:03:24.419584500 [1496095404] unbound[4398:0] error: tcp
> sendmsg: Broken pipe for 2001:310:6000:f::1fc7:1
> 2017-05-30 00:03:24.424685500 [1496095404] unbound[4398:0] error: tcp
> sendmsg: Broken pipe for 2a01:4f8:150:1095::53
> 2017-05-30 00:03:24.430201500 [1496095404] unbound[4398:0] error: tcp
> sendmsg: Broken pipe for 5.9.24.235
> 2017-05-30 00:03:24.432426500 [1496095404] unbound[4398:0] error: tcp
> sendmsg: Broken pipe for 2001:310:6000:f::1fc7:1
> 2017-05-30 00:03:24.435559500 [1496095404] unbound[4398:0] error: tcp
> sendmsg: Broken pipe for 2a01:4f8:161:3ec::53
> 2017-05-30 00:03:24.441102500 [1496095404] unbound[4398:0] error: tcp
> sendmsg: Broken pipe for 5.9.24.235
> 2017-05-30 00:03:24.446647500 [1496095404] unbound[4398:0] error: tcp
> sendmsg: Broken pipe for 2a01:4f8:161:3ec::53
> 2017-05-30 00:03:24.452158500 [1496095404] unbound[4398:0] error: tcp
> sendmsg: Broken pipe for 2a01:4f8:161:3ec::53
> 2017-05-30 00:03:24.457540500 [1496095404] unbound[4398:0] error: tcp
> sendmsg: Broken pipe for 2a01:4f8:161:3ec::53
> 2017-05-30 00:03:24.691478500 [1496095404] unbound[4398:0] error: tcp
> sendmsg: Broken pipe for 203.137.119.119
> 2017-05-30 00:03:24.698210500 [1496095404] unbound[4398:0] error: tcp
> sendmsg: Broken pipe for 2001:310:6000:f::1fc7:1
> 2017-05-30 00:03:24.731290500 [1496095404] unbound[4398:0] error: tcp
> sendmsg: Broken pipe for 2001:310:6000:f::1fc7:1
> 2017-05-30 00:03:24.950555500 [1496095404] unbound[4398:0] error: tcp
> sendmsg: Broken pipe for 203.137.119.119
> 2017-05-30 00:03:24.953444500 [1496095404] unbound[4398:0] error: tcp
> sendmsg: Broken pipe for 203.137.119.119
> 2017-05-30 00:03:24.992109500 [1496095404] unbound[4398:0] error: tcp
> sendmsg: Broken pipe for 2001:310:6000:f::1fc7:1
> 2017-05-30 00:03:25.202152500 [1496095405] unbound[4398:0] error: tcp
> sendmsg: Broken pipe for 2001:310:6000:f::1fc7:1
> 2017-05-30 00:03:25.229939500 [1496095405] unbound[4398:0] error: tcp
> sendmsg: Broken pipe for 203.137.119.119
> 2017-05-30 00:03:25.253539500 [1496095405] unbound[4398:0] error: tcp
> sendmsg: Broken pipe for 203.137.119.119
> 2017-05-30 00:03:25.462916500 [1496095405] unbound[4398:0] error: tcp
> sendmsg: Broken pipe for 203.137.119.119
> 
> Bonus: only my own unbound-1.6.2 @cheap hosted virtual machines can't
> resolve;
> the Debian Jessie distribution's unbound + bind work "@cheap hosted
> virtual machines" :-/
> 
> Ideas?
> 
> The owner of kernel-error.de will change its domain in the near future.
> I ask him to freeze the configuration for some days until I understand why
> my resolver fails.
> 
> Thanks,
> Andreas
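
An added example, not part of the original thread and not Unbound's code: a minimal Linux client that attempts the `sendmsg(fd, &msg, MSG_FASTOPEN)` call discussed above and, if it fails as in the logged `Broken pipe` errors, retries with an ordinary `connect()` and `send()`. The helper names, the fallback strategy and the loopback payload are assumptions made for illustration.

```c
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper (added example, not Unbound code): send buf to sa, trying
 * TFO first. Returns a connected fd or -1; *used_tfo = 1 if the TFO call worked. */
int tfo_send_first(const struct sockaddr *sa, socklen_t salen,
                   const void *buf, size_t len, int *used_tfo)
{
    struct iovec iov = { (void *)buf, len };
    struct msghdr msg = { .msg_name = (void *)sa, .msg_namelen = salen,
                          .msg_iov = &iov, .msg_iovlen = 1 };
    ssize_t r;
    int fd = socket(sa->sa_family, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    /* MSG_NOSIGNAL: a broken pipe comes back as EPIPE, not as SIGPIPE */
    do r = sendmsg(fd, &msg, MSG_FASTOPEN | MSG_NOSIGNAL);
    while (r < 0 && errno == EINTR);
    if ((*used_tfo = (r == (ssize_t)len))) return fd;
    close(fd); /* fresh socket: state after a failed TFO send is not assumed */
    if ((fd = socket(sa->sa_family, SOCK_STREAM, 0)) < 0) return -1;
    if (connect(fd, sa, salen) == 0 &&
        send(fd, buf, len, MSG_NOSIGNAL) == (ssize_t)len) return fd;
    close(fd);
    return -1;
}

/* Constructed loopback check: 0 if a local listener received the payload. */
int demo_loopback(int *used_tfo)
{
    static const char q[] = "constructed-query";
    char got[sizeof q];
    struct sockaddr_in a = { .sin_family = AF_INET };
    socklen_t alen = sizeof a;
    int c = -1, s = -1, ok, l = socket(AF_INET, SOCK_STREAM, 0);
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* port 0: kernel picks one */
    ok = l >= 0 && bind(l, (struct sockaddr *)&a, sizeof a) == 0 && listen(l, 1) == 0
        && getsockname(l, (struct sockaddr *)&a, &alen) == 0
        && (c = tfo_send_first((struct sockaddr *)&a, alen, q, sizeof q, used_tfo)) >= 0
        && (s = accept(l, NULL, NULL)) >= 0
        && recv(s, got, sizeof got, MSG_WAITALL) == (ssize_t)sizeof q
        && memcmp(got, q, sizeof q) == 0;
    close(c); close(s); close(l);
    return ok ? 0 : -1;
}

int main(void) { int tfo = 0; return demo_loopback(&tfo) != 0; } /* exit 0 = delivered */
```

`used_tfo` only reports that the `MSG_FASTOPEN` call itself succeeded; without a cached cookie the kernel still performs a normal handshake before sending the data.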

