RPZ: is this config correct?

George Thessalonikefs george at nlnetlabs.nl
Fri Apr 30 08:56:18 UTC 2021


Hi Andreas,

Thanks for the extra information!
The Windows issue does not establish the HTTPS handshake IIRC, so no 
further data flows there.

A couple more questions:
- Does this also happen without HTTPS? You mentioned an nginx serving 
non-HTTPS content. Could you retry with auth_zone_transfer?
- Do you see that behavior also without docker?

Best regards,
-- George

On 28/04/2021 20:33, A. Schulze via Unbound-users wrote:
> 
> 
> Am 28.04.21 um 14:13 schrieb George Thessalonikefs via Unbound-users:
>> I can't reproduce what you are experiencing. That configuration with URL zone transferring is working fine on my machine (linux). And it works with or without TLS in place.
>> Although, I didn't use docker so I can't comment if something doesn't work there specifically.
>>
>> What was described previously on the list is an issue with fetching the zone file via URL on windows specifically. I tracked this down to HTTPS specifically but didn't have time to look further on that yet.
> 
> Hello George,
> 
> The problem here looks similar: fetching via HTTPS fails.
> 
> I log in to a running container. "unbound-control verbosity 5" and "unbound-control auth_zone_transfer rpz.urlhaus.abuse.ch." start the relevant things...
> 
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: auth zone rpz.urlhaus.abuse.ch. transfer next HTTP fetch from 151.101.14.49 started
> unbound_1  | Apr 28 20:14:10 unbound[1:0] info: mesh_run: end 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: cache memory msg=105467 rrset=106995 infra=39527 val=72984 subnet=0
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: svcd callbacks end
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: serviced_delete
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: close of port 28986
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: comm_point_close of 20: event_del
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: close fd 20
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: comm point listen_for_rw 21 0
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: peer certificate:
> unbound_1  |         Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2020
> unbound_1  |         Validity
> unbound_1  |             Not Before: Mar 23 15:34:33 2021 GMT
> unbound_1  |             Not After : Apr 24 15:34:32 2022 GMT
> unbound_1  |         Subject: CN=*.abuse.ch
> unbound_1  |         X509v3 extensions:
> unbound_1  |             X509v3 Subject Alternative Name:
> unbound_1  |                 DNS:*.abuse.ch
> unbound_1  |             X509v3 Key Usage: critical
> unbound_1  |                 Digital Signature, Key Encipherment
> unbound_1  |             X509v3 Extended Key Usage:
> unbound_1  |                 TLS Web Server Authentication, TLS Web Client Authentication
> unbound_1  |             X509v3 Subject Key Identifier:
> unbound_1  |                 E3:9E:17:C0:43:1E:FB:CF:43:B6:CB:B5:FF:C9:DE:AF:08:81:3A:49
> unbound_1  |             X509v3 Certificate Policies:
> unbound_1  |                 Policy: 1.3.6.1.4.1.4146.1.10
> unbound_1  |                   CPS: https://www.globalsign.com/repository/
> unbound_1  |                 Policy: 2.23.140.1.2.1
> unbound_1  |
> unbound_1  |             X509v3 Basic Constraints:
> unbound_1  |                 CA:FALSE
> unbound_1  |             Authority Information Access:
> unbound_1  |                 OCSP - URI:http://ocsp.globalsign.com/ca/gsatlasr3dvtlsca2020
> unbound_1  |                 CA Issuers - URI:http://secure.globalsign.com/cacert/gsatlasr3dvtlsca2020.crt
> unbound_1  |
> unbound_1  |             X509v3 Authority Key Identifier:
> unbound_1  |                 keyid:42:6D:57:2D:4F:1F:26:77:74:A6:27:64:F6:80:FA:8F:48:68:FE:7C
> unbound_1  |
> unbound_1  |             X509v3 CRL Distribution Points:
> unbound_1  |
> unbound_1  |                 Full Name:
> unbound_1  |                   URI:http://crl.globalsign.com/ca/gsatlasr3dvtlsca2020.crl
> unbound_1  |
> unbound_1  |             CT Precertificate SCTs:
> unbound_1  |                 Signed Certificate Timestamp:
> unbound_1  |                     Version   : v1 (0x0)
> unbound_1  |                     Log ID    : 46:A5:55:EB:75:FA:91:20:30:B5:A2:89:69:F4:F3:7D:
> unbound_1  |                                 11:2C:41:74:BE:FD:49:B8:85:AB:F2:FC:70:FE:6D:47
> unbound_1  |                     Timestamp : Mar 23 15:34:33.859 2021 GMT
> unbound_1  |                     Extensions: none
> unbound_1  |                     Signature : ecdsa-with-SHA256
> unbound_1  |                                 30:45:02:21:00:99:20:2E:E7:63:02:8B:EE:BB:C7:07:
> unbound_1  |                                 84:FE:70:AF:BA:CC:77:E8:AD:CA:B2:9A:82:60:85:E6:
> unbound_1  |                                 C6:7D:45:68:13:02:20:2E:3B:FA:16:3D:1C:8A:87:51:
> unbound_1  |                                 9B:BA:45:58:36:0D:38:D1:8E:F4:D2:22:80:8A:24:F6:
> unbound_1  |                                 3B:18:B5:64:E9:85:87
> unbound_1  |                 Signed Certificate Timestamp:
> unbound_1  |                     Version   : v1 (0x0)
> unbound_1  |                     Log ID    : 6F:53:76:AC:31:F0:31:19:D8:99:00:A4:51:15:FF:77:
> unbound_1  |                                 15:1C:11:D9:02:C1:00:29:06:8D:B2:08:9A:37:D9:13
> unbound_1  |                     Timestamp : Mar 23 15:34:34.022 2021 GMT
> unbound_1  |                     Extensions: none
> unbound_1  |                     Signature : ecdsa-with-SHA256
> unbound_1  |                                 30:46:02:21:00:97:1F:A1:2A:0E:08:0C:2D:6F:14:3A:
> unbound_1  |                                 30:50:C6:C4:37:7E:55:8A:B1:83:9B:E3:7F:8E:EA:41:
> unbound_1  |                                 53:CF:88:E4:19:02:21:00:E6:9D:17:2E:CE:A0:93:C8:
> unbound_1  |                                 54:04:61:2C:AC:56:B7:6E:CE:DA:FB:73:34:F4:EE:5D:
> unbound_1  |                                 76:EE:9B:A1:E6:25:D0:CF
> unbound_1  |                 Signed Certificate Timestamp:
> unbound_1  |                     Version   : v1 (0x0)
> unbound_1  |                     Log ID    : 55:81:D4:C2:16:90:36:01:4A:EA:0B:9B:57:3C:53:F0:
> unbound_1  |                                 C0:E4:38:78:70:25:08:17:2F:A3:AA:1D:07:13:D3:0C
> unbound_1  |                     Timestamp : Mar 23 15:34:34.059 2021 GMT
> unbound_1  |                     Extensions: none
> unbound_1  |                     Signature : ecdsa-with-SHA256
> unbound_1  |                                 30:45:02:21:00:D5:AC:D7:20:A0:D4:7A:A3:9D:3A:7A:
> unbound_1  |                                 A7:67:06:D6:19:A8:DE:B4:E8:BC:E7:00:C0:4F:76:B9:
> unbound_1  |                                 C8:42:C0:16:81:02:20:62:91:72:CA:FB:B5:51:15:4E:
> unbound_1  |                                 94:8E:1D:3A:98:2A:2C:30:AF:60:FA:0A:D4:BC:0B:E0:
> unbound_1  |                                 72:3A:F1:00:D6:20:28
> unbound_1  |
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: SSL connection to *.abuse.ch authenticated ip4 151.101.14.49 port 443 (len 16)
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: comm point listen_for_rw 21 1
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: comm point stop listening 21
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: comm point start listening 21 (-1 msec)
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: startlistening 21 mode r
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: HTTP/1.1 200 OK
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: Connection: keep-alive
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: Content-Length: 138924
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: Server: Apache
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: Strict-Transport-Security: max-age=15768000 ; includeSubDomains
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: Expect-CT: enforce, max-age=86400
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), usb=(), vr=()
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: Referrer-Policy: strict-origin-when-cross-origin
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: Content-Security-Policy: default-src 'self' https://fonts.gstatic.com:443 data:; style-src 'self' 'unsafe-inline' https://www.gstatic.com:443 https://fonts.googleapis.com:443; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com:443 https://www.google.com/recaptcha/; frame-src https://www.google.com/recaptcha/; img-src 'self' data: https://syndication.twitter.com:443; object-src 'none'
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: Cross-Origin-Opener-Policy: same-origin; report-to="default"
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: Cross-Origin-Resource-Policy: same-site
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: Last-Modified: Wed, 28 Apr 2021 18:10:05 GMT
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: ETag: "21eac-5c10c49cbaab3"
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: Cache-Control: max-age=300
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: Expires: Wed, 28 Apr 2021 18:16:51 GMT
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: X-Content-Type-Options: nosniff
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: X-Frame-Options: sameorigin
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: X-XSS-Protection: 1; mode=block
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: Content-Type: text/plain
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: Via: 1.1 varnish, 1.1 varnish
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: Accept-Ranges: bytes
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: Date: Wed, 28 Apr 2021 18:14:10 GMT
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: Age: 138
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: X-Served-By: cache-lhr7352-LHR, cache-fra19165-FRA
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: X-Cache: HIT, HIT
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: X-Cache-Hits: 1, 1
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: X-Timer: S1619633650.192137,VS0,VE1
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: Vary: Accept-Encoding
> unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header:
> unbound_1  | Apr 28 20:14:20 unbound[1:0] debug: xfr stopped, connection timeout to urlhaus.abuse.ch
> unbound_1  | Apr 28 20:14:20 unbound[1:0] debug: comm_point_close of 21: event_del
> unbound_1  | Apr 28 20:14:20 unbound[1:0] debug: close fd 21
> unbound_1  | Apr 28 20:14:20 unbound[1:0] debug: auth zone rpz.urlhaus.abuse.ch. transfer failed, wait
> 
> So after just 10s the transfer times out. Attached is a trace. It shows some data arriving, but then the connection somehow gets out of state/sync and errors happen.
> This doesn't happen when I run "wget" as a separate process in parallel to unbound but in the same container.
> 
> Andreas
> 
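Added example, not part of the thread and not Unbound's own code: a small Python parser for the verbosity-5 lines Andreas posted. It picks out the fetch start, the "SSL connection ... authenticated" line, the HTTP status and Content-Length, the empty header line that ends the response headers, and the "xfr stopped" line, then reports which phase the transfer reached and how long after the headers the connection was dropped. The message patterns are copied from the log above; the regular expressions, the dataclass and the phase names are assumptions of the example. A log with no "authenticated" line is classified as a handshake-stage failure, which is the distinction George draws with the Windows report.

```python
"""Summarise one Unbound auth-zone HTTP(S) fetch from verbosity-5 log lines."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Input for the example: lines excerpted from the log in the post above, with
# the docker-compose "unbound_1  | " prefix kept because a parser has to skip it.
SAMPLE_LOG = """\
unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: auth zone rpz.urlhaus.abuse.ch. transfer next HTTP fetch from 151.101.14.49 started
unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: SSL connection to *.abuse.ch authenticated ip4 151.101.14.49 port 443 (len 16)
unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: HTTP/1.1 200 OK
unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: Content-Length: 138924
unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header: Content-Type: text/plain
unbound_1  | Apr 28 20:14:10 unbound[1:0] debug: http header:
unbound_1  | Apr 28 20:14:20 unbound[1:0] debug: xfr stopped, connection timeout to urlhaus.abuse.ch
unbound_1  | Apr 28 20:14:20 unbound[1:0] debug: auth zone rpz.urlhaus.abuse.ch. transfer failed, wait
"""

# Optional "service | " compose prefix, syslog-style timestamp (no year, so only
# deltas are meaningful), the unbound[pid:thread] tag, log level, message.
LINE_RE = re.compile(
    r"^(?:\S+\s+\|\s+)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"unbound\[[^\]]+\] (?P<level>\w+): (?P<msg>.*)$"
)


@dataclass
class TransferAttempt:
    zone: Optional[str] = None
    peer: Optional[str] = None
    started: Optional[datetime] = None
    tls_authenticated: bool = False
    http_status: Optional[int] = None
    content_length: Optional[int] = None
    headers_complete: Optional[datetime] = None
    stopped: Optional[datetime] = None
    stop_reason: Optional[str] = None
    failed: bool = False

    def phase_reached(self) -> str:
        """Phase in which the fetch was when it stopped (names are my own)."""
        if self.stopped is None and not self.failed:
            return "none"
        if not self.tls_authenticated:
            return "tls_handshake"
        if self.headers_complete is None:
            return "http_headers"
        return "http_body"

    def seconds_to_stop(self) -> Optional[float]:
        """Seconds from end of headers (or from fetch start) to 'xfr stopped'."""
        ref = self.headers_complete or self.started
        if self.stopped is None or ref is None:
            return None
        return (self.stopped - ref).total_seconds()

    def summary(self) -> str:
        phase = self.phase_reached()
        if phase == "none":
            return f"{self.zone}: no failure recorded"
        detail = f" ({self.stop_reason})" if self.stop_reason else ""
        if phase == "http_body":
            size = self.content_length if self.content_length is not None else "unknown"
            return (f"{self.zone}: TLS and HTTP {self.http_status} headers OK, "
                    f"body of {size} bytes never completed, stopped "
                    f"{self.seconds_to_stop():.0f}s after headers{detail}")
        return f"{self.zone}: stopped during {phase}{detail}"


def parse_ts(text: str) -> datetime:
    # Year-less syslog stamp; strptime defaults the year to 1900, fine for deltas.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def parse_transfer_log(text: str) -> TransferAttempt:
    a = TransferAttempt()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"].rstrip()
        if (mm := re.match(r"auth zone (\S+) transfer next HTTP fetch from (\S+) started", msg)):
            a.zone, a.peer, a.started = mm[1], mm[2], ts
        elif msg.startswith("SSL connection to ") and " authenticated " in msg:
            a.tls_authenticated = True
        elif (mm := re.match(r"http header: HTTP/1\.[01] (\d{3})", msg)):
            a.http_status = int(mm[1])
        elif (mm := re.match(r"http header: Content-Length: (\d+)", msg, re.I)):
            a.content_length = int(mm[1])
        elif msg == "http header:":          # empty header line ends the headers
            a.headers_complete = ts
        elif (mm := re.match(r"xfr stopped, (.*)", msg)):
            a.stopped, a.stop_reason = ts, mm[1]
        elif re.match(r"auth zone \S+ transfer failed", msg):
            a.failed = True
    return a


if __name__ == "__main__":
    print(parse_transfer_log(SAMPLE_LOG).summary())
```

Pipe `docker-compose logs unbound` or the journal into `parse_transfer_log` when reproducing; a "http_body" result with a Content-Length but no completion points at the body read rather than at TLS or the certificate, which is the split this thread is trying to make.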
