unbound 1.9.1 - No DNSKEY record for key wolfssl.com. while building chain of trust - why?
Ralph Dolmans
ralph at nlnetlabs.nl
Wed Jan 8 12:26:33 UTC 2020
Hi Christian,
Looks like your Unbound is compiled with support for TCP fast open. Your
kernel supports fast open, but it is not enabled in your kernel. Try to
enable it using something like "sysctl -w net.ipv4.tcp_fastopen=3", or
compile Unbound without fast open support (default, ie not using
--enable-tfo-client as ./configure option).
-- Ralph
On 03-01-2020 23:11, Christian 'wiwi' Wittenhorst wrote:
> Dear Ralph.
> Dear List.
>
> (Platform is CentOS 7, most current)
>
> I see: "Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error:
> tcp sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)"
>
> So it looks, as if unbound is unable to do tcp connections. But why?
>
> Firewall is deactivated.
>
> [root at rdns0 unbound]# iptables --list
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> dig from the same machine can use tcp to these hosts:
>
> [root at rdns0 unbound]# dig wolfssl.com dnskey +dnssec @97.74.111.55
> ;; Truncated, retrying in TCP mode.
>
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> wolfssl.com dnskey
> +dnssec @97.74.111.55
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63791
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 3, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1472
> ;; QUESTION SECTION:
> ;wolfssl.com. IN DNSKEY
>
> ;; ANSWER SECTION:
> wolfssl.com. 3600 IN DNSKEY 257 3 8
> AwEAAeuDjCM2yxIKeSzzEcWJIqHXCiZPZlAWxLbqP6EzB/tV4YEBpVNx
> gFg9zQPGGgMi1DzskNYMvxyFkTYIFMX1iNULKOSswyPBxPaeR6TJ6PB2
> fL4UGjnLGohlUPraFINVu8KNQOn/nVnTY3cdyZG7CM2pZDInilgT3S3b
> RsPzZKhxbEDUTciH3nNtZ+adOVrAHMUFCqCtdUhBc4UzX3YG0QlvYrpP
> tF7QbUKoX1FCl5xfnkJUUDMdytmSI+GiFZqpFj5SyRaEDORWuCUIRErp
> Jd0rB9ebz61yfV5OYTELSS8NBeIoIqSnJzUNljkSqxrXvYb3LM9+9Loq nHfiIl/OOvM=
> wolfssl.com. 3600 IN DNSKEY 257 3 8
> AwEAAbibT2uFcRnWZbypTRQari8EA8UtZFCi/itqREiRPra/7A6VjTL6
> vIbrQlAO0bpCKa+2vCKpYzGOt4Bjs5qVf9BiSU1IaAe+JvigAEWkORNQ
> w+1DFZ0ZJCc7TnMoqPp9etOZHtEx/UoTS8dCHDsHa4UMghsDwklZ8tj9
> gFYRdIVULyIpNNO7woj6J1tQqy0/DRd3DCqtaF9HcaD/7VqIvDoDrCs9
> r8tkaFWikxzcEg5G2gyUxmdoq9wzzkgr6FO7jqR+BnSQ+CqaTI4cjUmD
> TaS/AQpHcNSqBQCEep8liD+qo1kwAZ7xhbASeeXqW1LLyp98aKhSlPzd JPE2tm3QL70=
> wolfssl.com. 3600 IN DNSKEY 256 3 8
> AwEAAcoqW8bT4ywr3Ce+J2629UiJk4X9uIqY1m4kGrSdIPOnn4JnQHj1
> vQ1U/mu5bTEsRK00+vmHs33pPNVxvxh8yMmVjo7cPNaP1IYiOBdMnKJX
> L4fw9muhr4pziyJd7rhvTd74fDNu/cnGjSGEINXHMTmyAa6ZbZUtuY74
> Df+uioDKC93wXbJUfauCvN/6g6s9OKRoA24p4b/I20/ClK85KkTu6k7t
> PnN3cU0IKJxuU1AXihABuF3o2tYcMOJVEbiQLIK7SlfJnk0E5vfBbOkn
> 2EfEWpWZ0RGkkMulK0LMq39yNbX3tQPFrEJABNChxhkgxIGaajaUMOLk 3LgVdsPJ8lU=
> wolfssl.com. 3600 IN DNSKEY 256 3 8
> AwEAAcLSvxos9ERtEj94msxFNTRASIcBWYLWF5EIhCASDP+qjGptlBNl
> K+o1kmqQ0sSDncbZfAPqupXOjl0NR64fbDG6jVdpLTR3Dcr57eaq9kE0
> 1d6iLj7zoQEINZ9zIk8EmCFLQJmaatsXwYcwter0MkL4CBa33/BsS0F5
> foOHScFW3q8IMIFckLkaGv5deE+oI29gcsBnU2cTkvRPWFBl3AWM8mkr
> HZcYPSQcC/Zpo1cAzHk/xShAtaGRnYlzC3KIZbAhNfp7bW7SuOJ1O7L0
> M0G8Tl1sEkl3M0QbM4EKHQol8vjkXf8gvI/jCVg5nB9MPO88RqjYA7bL IumTJNxH+lE=
> wolfssl.com. 3600 IN RRSIG DNSKEY 8 2 3600
> 20200114231625 20191230231625 54187 wolfssl.com.
> XtctZDTBA83dmP1bLWYqhY4DvX7C7K/FiUnEiNQ2ZiY1s5PR/HosHBAR
> 8rvI/V9HZnE4uEK8BqM0FTn/EljA5pkLmlt/QZkSUPzjnsUkebmTge48
> HQDlcUPRRa38aYQlxU9tWDfLA5pquvOzeRNOAX6pNEX0DcJ+j6ChBepe
> 2Zqi1dV/XZDIlsSLNxnQ5fgwXyQTYnWrcFa19s0PQfG38N8VQFkT2wj8
> asrpY5cq39IloHa6/kQ9L8GU8x7ZaIv/tNeaUeoOR24hTuj5/tK4XUuk
> 0TcyBNJTED+Dpr1yKqyfbev/qbyyfLwYlPoilXizaee3L8405HyzKUVP mgqh8Q==
>
> ;; AUTHORITY SECTION:
> wolfssl.com. 3600 IN NS pdns11.domaincontrol.com.
> wolfssl.com. 3600 IN NS pdns12.domaincontrol.com.
> wolfssl.com. 3600 IN RRSIG NS 8 2 3600
> 20200114231625 20191230231625 58008 wolfssl.com.
> CNK3+5fCh0yDowU9y26j0xAgxVuTvyYzsbqZBoaeGeLCxE4a5jahLukl
> sHQsnKyoLxaXIZgiK+MYEuFP+HdebEZQE4THmp0okCiqWJr1SPW9sllw
> wP+S2qn4TjJUbyyZ0FjZ8aR8QjF6Wep0Pjd48EI3lPOMZOz+ISwDeJVD
> zkK2/yaYnPhl8giEX20VPCA5oXA4wiJ5MFzFJlyTRficeyDq6ZYee+78
> uQdUA9y3BGliws5GD5q+q4MIjHaNev6225NjYV2hkUCrHpV4UQjxHfQV
> 3hsaRs0d9A65svpGhQ4zQ+2nS8MA6hxtVtbkXWRXxUx3pTKQmANkg4qB rkSbtw==
>
> ;; Query time: 6 msec
> ;; SERVER: 97.74.111.55#53(97.74.111.55)
> ;; WHEN: Fri Jan 03 23:05:28 CET 2020
> ;; MSG SIZE rcvd: 1798
>
>
> unbound.conf is:
>
> server:
> verbosity: 5
>
> num-threads: 8
>
> so-reuseport: yes # no change
>
> username: "unbound"
>
> pidfile: "/var/run/unbound.pid"
>
> outgoing-interface: 85.158.27.148 # no change
> do-ip6: no
>
> interface: 127.0.0.1
> #interface: 127.0.0.1 at 853
>
>
> interface: 0.0.0.0
> interface: ::0
>
> #interface: 0.0.0.0 at 853
> #interface: ::0 at 853
>
> access-control: 127.0.0.1 allow
> access-control: ::1 allow
>
> access-control: 46.234.32.0/19 allow
> access-control: 81.94.112.0/20 allow
> access-control: 85.158.24.0/21 allow
> access-control: 109.233.176.0/21 allow
> access-control: 82.136.38.0/27 allow
> access-control: 64.71.160.96/27 allow
> access-control: 91.232.37.0/24 allow
> access-control: 87.245.215.224/29 allow
> access-control: 217.11.218.80/28 allow
> access-control: 172.18.0.0/21 allow
> access-control: 2001:4b20:2000::/29 allow
>
> access-control: 0.0.0.0/0 deny
> access-control: ::0 deny
>
> root-hints: "/etc/opt/as34288/unbound/root.hints"
> auto-trust-anchor-file:
> "/etc/opt/as34288/unbound/trust-anchor/root.key"
>
> # cache timeouts
> cache-min-ttl: 60
> cache-max-ttl: 900
> cache-max-negative-ttl: 60
>
> # rotate rrsets
> rrset-roundrobin: yes
>
> val-log-level: 2
>
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: 0vRDCD
> mod1 wolfssl.com. DNSKEY IN
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: 1RDdc mod0
> rep wolfssl.com. A IN
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: iterator
> operate: query wolfssl.com. DNSKEY IN
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info:
> processQueryTargets: wolfssl.com. DNSKEY IN
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info:
> DelegationPoint<wolfssl.com.>: 2 names (0 missing), 4 addrs (4 result, 0
> avail) cacheNS
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info:
> pdns12.domaincontrol.com. * A AAAA
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info:
> pdns11.domaincontrol.com. * A AAAA
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: sending
> query: wolfssl.com. DNSKEY IN
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: mesh_run:
> end 2 recursion states (1 with reply, 0 detached), 2 waiting replies, 0
> recursion replies sent, 0 replies
> dropped, 0 states jostled out
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: 0vRDCD
> mod1 wolfssl.com. DNSKEY IN
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: 1RDdc mod0
> rep wolfssl.com. A IN
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: iterator
> operate: query wolfssl.com. DNSKEY IN
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info:
> processQueryTargets: wolfssl.com. DNSKEY IN
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info:
> DelegationPoint<wolfssl.com.>: 2 names (0 missing), 4 addrs (4 result, 0
> avail) cacheNS
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info:
> pdns12.domaincontrol.com. * A AAAA
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info:
> pdns11.domaincontrol.com. * A AAAA
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: sending
> query: wolfssl.com. DNSKEY IN
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: mesh_run:
> end 2 recursion states (1 with reply, 0 detached), 2 waiting replies, 0
> recursion replies sent, 0 replies
> dropped, 0 states jostled out
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: 0vRDCD
> mod1 wolfssl.com. DNSKEY IN
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: 1RDdc mod0
> rep wolfssl.com. A IN
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: iterator
> operate: query wolfssl.com. DNSKEY IN
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info:
> processQueryTargets: wolfssl.com. DNSKEY IN
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info:
> DelegationPoint<wolfssl.com.>: 2 names (0 missing), 4 addrs (4 result, 0
> avail) cacheNS
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info:
> pdns12.domaincontrol.com. * A AAAA
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
> Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp
> sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
> Jan 03 22:53:45 rdns0.edu-zg.io systemd[1]: Stopping AS34288 unbound
> rDNS Server...
> Jan 03 22:53:45 rdns0.edu-zg.io systemd[1]: as34288.unbound.service:
> control process exited, code=exited status=1
>
>
> Best regards
>
> Christian
More information about the Unbound-users
mailing list