unbound 1.9.1 - No DNSKEY record for key wolfssl.com. while building chain of trust - why?

Ralph Dolmans ralph at nlnetlabs.nl
Wed Jan 8 12:26:33 UTC 2020


Hi Christian,

Looks like your Unbound is compiled with support for TCP fast open. Your
kernel supports fast open, but it is not enabled in your kernel. Try to
enable it using something like "sysctl -w net.ipv4.tcp_fastopen=3", or
compile Unbound without fast open support (the default, i.e. not using
--enable-tfo-client as a ./configure option).

-- Ralph

On 03-01-2020 23:11, Christian 'wiwi' Wittenhorst wrote:
> Dear Ralph.
> Dear List.
> 
> (Platform is CentOS 7, most current)
> 
> I see: "Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error:
> tcp sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)"
> 
> So it looks as if Unbound is unable to do TCP connections. But why?
> 
> Firewall is deactivated.
> 
> [root@rdns0 unbound]# iptables --list
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> dig from the same machine can use tcp to these hosts:
> 
> [root@rdns0 unbound]# dig wolfssl.com dnskey +dnssec @97.74.111.55
> ;; Truncated, retrying in TCP mode.
> 
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> wolfssl.com dnskey
> +dnssec @97.74.111.55
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63791
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 3, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1472
> ;; QUESTION SECTION:
> ;wolfssl.com.                   IN      DNSKEY
> 
> ;; ANSWER SECTION:
> wolfssl.com.            3600    IN      DNSKEY  257 3 8
> AwEAAeuDjCM2yxIKeSzzEcWJIqHXCiZPZlAWxLbqP6EzB/tV4YEBpVNx
> gFg9zQPGGgMi1DzskNYMvxyFkTYIFMX1iNULKOSswyPBxPaeR6TJ6PB2
> fL4UGjnLGohlUPraFINVu8KNQOn/nVnTY3cdyZG7CM2pZDInilgT3S3b
> RsPzZKhxbEDUTciH3nNtZ+adOVrAHMUFCqCtdUhBc4UzX3YG0QlvYrpP
> tF7QbUKoX1FCl5xfnkJUUDMdytmSI+GiFZqpFj5SyRaEDORWuCUIRErp
> Jd0rB9ebz61yfV5OYTELSS8NBeIoIqSnJzUNljkSqxrXvYb3LM9+9Loq nHfiIl/OOvM=
> wolfssl.com.            3600    IN      DNSKEY  257 3 8
> AwEAAbibT2uFcRnWZbypTRQari8EA8UtZFCi/itqREiRPra/7A6VjTL6
> vIbrQlAO0bpCKa+2vCKpYzGOt4Bjs5qVf9BiSU1IaAe+JvigAEWkORNQ
> w+1DFZ0ZJCc7TnMoqPp9etOZHtEx/UoTS8dCHDsHa4UMghsDwklZ8tj9
> gFYRdIVULyIpNNO7woj6J1tQqy0/DRd3DCqtaF9HcaD/7VqIvDoDrCs9
> r8tkaFWikxzcEg5G2gyUxmdoq9wzzkgr6FO7jqR+BnSQ+CqaTI4cjUmD
> TaS/AQpHcNSqBQCEep8liD+qo1kwAZ7xhbASeeXqW1LLyp98aKhSlPzd JPE2tm3QL70=
> wolfssl.com.            3600    IN      DNSKEY  256 3 8
> AwEAAcoqW8bT4ywr3Ce+J2629UiJk4X9uIqY1m4kGrSdIPOnn4JnQHj1
> vQ1U/mu5bTEsRK00+vmHs33pPNVxvxh8yMmVjo7cPNaP1IYiOBdMnKJX
> L4fw9muhr4pziyJd7rhvTd74fDNu/cnGjSGEINXHMTmyAa6ZbZUtuY74
> Df+uioDKC93wXbJUfauCvN/6g6s9OKRoA24p4b/I20/ClK85KkTu6k7t
> PnN3cU0IKJxuU1AXihABuF3o2tYcMOJVEbiQLIK7SlfJnk0E5vfBbOkn
> 2EfEWpWZ0RGkkMulK0LMq39yNbX3tQPFrEJABNChxhkgxIGaajaUMOLk 3LgVdsPJ8lU=
> wolfssl.com.            3600    IN      DNSKEY  256 3 8
> AwEAAcLSvxos9ERtEj94msxFNTRASIcBWYLWF5EIhCASDP+qjGptlBNl
> K+o1kmqQ0sSDncbZfAPqupXOjl0NR64fbDG6jVdpLTR3Dcr57eaq9kE0
> 1d6iLj7zoQEINZ9zIk8EmCFLQJmaatsXwYcwter0MkL4CBa33/BsS0F5
> foOHScFW3q8IMIFckLkaGv5deE+oI29gcsBnU2cTkvRPWFBl3AWM8mkr
> HZcYPSQcC/Zpo1cAzHk/xShAtaGRnYlzC3KIZbAhNfp7bW7SuOJ1O7L0
> M0G8Tl1sEkl3M0QbM4EKHQol8vjkXf8gvI/jCVg5nB9MPO88RqjYA7bL IumTJNxH+lE=
> wolfssl.com.            3600    IN      RRSIG   DNSKEY 8 2 3600
> 20200114231625 20191230231625 54187 wolfssl.com.
> XtctZDTBA83dmP1bLWYqhY4DvX7C7K/FiUnEiNQ2ZiY1s5PR/HosHBAR
> 8rvI/V9HZnE4uEK8BqM0FTn/EljA5pkLmlt/QZkSUPzjnsUkebmTge48
> HQDlcUPRRa38aYQlxU9tWDfLA5pquvOzeRNOAX6pNEX0DcJ+j6ChBepe
> 2Zqi1dV/XZDIlsSLNxnQ5fgwXyQTYnWrcFa19s0PQfG38N8VQFkT2wj8
> asrpY5cq39IloHa6/kQ9L8GU8x7ZaIv/tNeaUeoOR24hTuj5/tK4XUuk
> 0TcyBNJTED+Dpr1yKqyfbev/qbyyfLwYlPoilXizaee3L8405HyzKUVP mgqh8Q==
> 
> ;; AUTHORITY SECTION:
> wolfssl.com.            3600    IN      NS      pdns11.domaincontrol.com.
> wolfssl.com.            3600    IN      NS      pdns12.domaincontrol.com.
> wolfssl.com.            3600    IN      RRSIG   NS 8 2 3600
> 20200114231625 20191230231625 58008 wolfssl.com.
> CNK3+5fCh0yDowU9y26j0xAgxVuTvyYzsbqZBoaeGeLCxE4a5jahLukl
> sHQsnKyoLxaXIZgiK+MYEuFP+HdebEZQE4THmp0okCiqWJr1SPW9sllw
> wP+S2qn4TjJUbyyZ0FjZ8aR8QjF6Wep0Pjd48EI3lPOMZOz+ISwDeJVD
> zkK2/yaYnPhl8giEX20VPCA5oXA4wiJ5MFzFJlyTRficeyDq6ZYee+78
> uQdUA9y3BGliws5GD5q+q4MIjHaNev6225NjYV2hkUCrHpV4UQjxHfQV
> 3hsaRs0d9A65svpGhQ4zQ+2nS8MA6hxtVtbkXWRXxUx3pTKQmANkg4qB rkSbtw==
> 
> ;; Query time: 6 msec
> ;; SERVER: 97.74.111.55#53(97.74.111.55)
> ;; WHEN: Fri Jan 03 23:05:28 CET 2020
> ;; MSG SIZE  rcvd: 1798
> 
> 
> unbound.conf is:
> 
> server:
>         verbosity: 5
> 
>         num-threads: 8
> 
>         so-reuseport: yes  # no change
> 
>         username: "unbound"
> 
>         pidfile: "/var/run/unbound.pid"
> 
>         outgoing-interface: 85.158.27.148 # no change
>         do-ip6: no
> 
>         interface: 127.0.0.1
>         #interface: 127.0.0.1@853
> 
> 
>         interface: 0.0.0.0
>         interface: ::0
> 
>         #interface: 0.0.0.0@853
>         #interface: ::0@853
> 
>         access-control: 127.0.0.1 allow
>         access-control: ::1 allow
> 
>         access-control: 46.234.32.0/19 allow
>         access-control: 81.94.112.0/20 allow
>         access-control: 85.158.24.0/21 allow
>         access-control: 109.233.176.0/21 allow
>         access-control: 82.136.38.0/27 allow
>         access-control: 64.71.160.96/27 allow
>         access-control: 91.232.37.0/24 allow
>         access-control: 87.245.215.224/29 allow
>         access-control: 217.11.218.80/28 allow
>         access-control: 172.18.0.0/21 allow
>         access-control: 2001:4b20:2000::/29 allow
> 
>         access-control: 0.0.0.0/0 deny
>         access-control: ::0 deny
> 
>         root-hints: "/etc/opt/as34288/unbound/root.hints"
>         auto-trust-anchor-file:
> "/etc/opt/as34288/unbound/trust-anchor/root.key"
> 
>         # cache timeouts
>         cache-min-ttl: 60
>         cache-max-ttl: 900
>         cache-max-negative-ttl: 60
> 
>         # rotate rrsets
>         rrset-roundrobin: yes
> 
>         val-log-level: 2
> 
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: 0vRDCD
> mod1  wolfssl.com. DNSKEY IN
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: 1RDdc mod0
> rep wolfssl.com. A IN
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: iterator
> operate: query wolfssl.com. DNSKEY IN
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info:
> processQueryTargets: wolfssl.com. DNSKEY IN
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info:
> DelegationPoint<wolfssl.com.>: 2 names (0 missing), 4 addrs (4 result, 0
> avail) cacheNS
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info:
> pdns12.domaincontrol.com. * A AAAA
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info:
> pdns11.domaincontrol.com. * A AAAA
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: sending
> query: wolfssl.com. DNSKEY IN
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: mesh_run:
> end 2 recursion states (1 with reply, 0 detached), 2 waiting replies, 0
> recursion replies sent, 0 replies
> dropped, 0 states jostled out
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: 0vRDCD
> mod1  wolfssl.com. DNSKEY IN
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: 1RDdc mod0
> rep wolfssl.com. A IN
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: iterator
> operate: query wolfssl.com. DNSKEY IN
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info:
> processQueryTargets: wolfssl.com. DNSKEY IN
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info:
> DelegationPoint<wolfssl.com.>: 2 names (0 missing), 4 addrs (4 result, 0
> avail) cacheNS
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info:
> pdns12.domaincontrol.com. * A AAAA
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info:
> pdns11.domaincontrol.com. * A AAAA
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: sending
> query: wolfssl.com. DNSKEY IN
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: mesh_run:
> end 2 recursion states (1 with reply, 0 detached), 2 waiting replies, 0
> recursion replies sent, 0 replies
> dropped, 0 states jostled out
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: 0vRDCD
> mod1  wolfssl.com. DNSKEY IN
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: 1RDdc mod0
> rep wolfssl.com. A IN
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: iterator
> operate: query wolfssl.com. DNSKEY IN
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info:
> processQueryTargets: wolfssl.com. DNSKEY IN
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info:
> DelegationPoint<wolfssl.com.>: 2 names (0 missing), 4 addrs (4 result, 0
> avail) cacheNS
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info:
> pdns12.domaincontrol.com. * A AAAA
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:45 rdns0.edu-zg.io systemd[1]: Stopping AS34288 unbound
> rDNS Server...
> Jan 03 22:53:45 rdns0.edu-zg.io systemd[1]: as34288.unbound.service:
> control process exited, code=exited status=1
> 
> 
> Best regards
> 
>     Christian
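
Ralph's diagnosis (Unbound built with --enable-tfo-client, running on a kernel whose net.ipv4.tcp_fastopen leaves client-side fast open off) can be checked mechanically before touching the build or the sysctl. The script below is an added example written for this page; it is not code from the thread or from the Unbound project. It assumes only the documented meaning of the tcp_fastopen bits (bit 0 client, bit 1 server) and the "Configure line:" that unbound -V prints; the configure lines in the comments and the check_host helper name are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the Unbound project): detect the
# TFO mismatch Ralph describes, i.e. an Unbound binary built with
# --enable-tfo-client on a kernel whose net.ipv4.tcp_fastopen has the
# client-side bit cleared.

# Bits of net.ipv4.tcp_fastopen that matter here (Linux ip-sysctl docs):
#   bit 0 (value 1): client-side TFO allowed
#   bit 1 (value 2): server-side TFO allowed
# Ralph's "sysctl -w net.ipv4.tcp_fastopen=3" sets both. Higher bits tune
# cookie handling and are ignored below.

# tfo_decode VALUE  -> prints "client=yes|no server=yes|no"
tfo_decode() {
    client=no
    server=no
    [ $(($1 & 1)) -ne 0 ] && client=yes
    [ $(($1 & 2)) -ne 0 ] && server=yes
    printf 'client=%s server=%s\n' "$client" "$server"
}

# tfo_client_enabled VALUE  -> exit status 0 when bit 0 is set
tfo_client_enabled() {
    [ $(($1 & 1)) -ne 0 ]
}

# unbound_built_with_tfo_client CONFIGURE_LINE  -> exit status 0 when the
# "Configure line:" printed by `unbound -V` contains --enable-tfo-client
unbound_built_with_tfo_client() {
    case "$1" in
        *--enable-tfo-client*) return 0 ;;
    esac
    return 1
}

# tfo_check SYSCTL_VALUE CONFIGURE_LINE
# Prints "consistent" (exit 0) or "mismatch" (exit 1). The mismatch case is
# the one behind "tcp sendmsg: Operation not supported" in the log above:
# Unbound asks the kernel for a fast-open connect that the kernel refuses.
tfo_check() {
    if unbound_built_with_tfo_client "$2" && ! tfo_client_enabled "$1"; then
        printf 'mismatch\n'
        return 1
    fi
    printf 'consistent\n'
    return 0
}

# check_host (hypothetical helper): run the check on the local machine.
# Degrades gracefully when /proc/sys/net/ipv4/tcp_fastopen is unreadable
# or unbound is not installed, so it can be run on any host.
check_host() {
    if sysctl_val=$(cat /proc/sys/net/ipv4/tcp_fastopen 2>/dev/null); then
        printf 'kernel: net.ipv4.tcp_fastopen=%s (%s)\n' \
            "$sysctl_val" "$(tfo_decode "$sysctl_val")"
    else
        printf 'kernel: net.ipv4.tcp_fastopen not readable here\n'
        return 0
    fi
    if command -v unbound >/dev/null 2>&1; then
        configure_line=$(unbound -V 2>/dev/null | grep '^Configure line:')
    else
        printf 'unbound: binary not found, skipping build check\n'
        return 0
    fi
    printf 'unbound: %s\n' "${configure_line:-Configure line not reported}"
    if ! tfo_check "$sysctl_val" "$configure_line" >/dev/null; then
        printf 'fix: sysctl -w net.ipv4.tcp_fastopen=3 '
        printf '(or rebuild Unbound without --enable-tfo-client)\n'
        return 1
    fi
    printf 'no TFO mismatch\n'
}

# Worked example with constructed inputs (the configure lines are made up):
#   tfo_check 0 "Configure line: --prefix=/usr --enable-tfo-client"  -> mismatch
#   tfo_check 3 "Configure line: --prefix=/usr --enable-tfo-client"  -> consistent
#   tfo_check 0 "Configure line: --prefix=/usr"                      -> consistent
check_host
```

The two inputs to tfo_check are exactly the two facts Ralph's reply hinges on, so the script separates "is the kernel willing" from "does the binary ask", and only the combination of a TFO-built Unbound with bit 0 clear is reported as the problem; a kernel with fast open disabled is harmless when Unbound was configured without --enable-tfo-client.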