More information about the system, if this helps to narrow the problem down:
Basic DNS resolver with an RFC 7706 local root cache config. No DoT or DoH.
Hi Tuomo,
Could you check if it still happens without the auth-zone?
Could you also share that part of the configuration file?
Best regards,
-- George
Hi,
Unbound 1.13.0rc2 pre-release is available:
https://nlnetlabs.nl/downloads/unbound/unbound-1.13.0rc2.tar.gz
sha256 63a626a301fe11d4aaf5990f0d46c645d7c99262ead76a9066e3515179f71417
pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.13.0rc2.tar.gz.asc
This RC2 fixes bugs that were reported on the RC1 candidate.
Bug Fixes
- Fix crash when TLS connection is closed prematurely, when
reuse tree comparison is not properly identical to insertion.
- Fix padding of struct regional for 32bit systems.
- with udp-connect ignore connection refused with UDP timeouts.
- Fix udp-connect on FreeBSD, do send calls on connected UDP socket.
- Better fix for reuse tree comparison for is-tls sockets. Where
the tree key identity is preserved after cleanup of the TLS state.
- Fix memory leak for edns client tag opcode config element.
- Attempt fix for libevent state in tcp reuse cases after a packet
is written.
- Fix readagain and writeagain callback functions for comm point
cleanup.
Best regards, Wouter
Well.... at least, it's running.
No cores yet.
25.11.2020 19:31, Wouter Wijngaards via Unbound-users writes:
On first look running faster with less CPU utilization during warming up.
25.11.2020 21:19, Yuri writes:
Still no crashes. Seems fixed.
25.11.2020 19:31, Wouter Wijngaards via Unbound-users writes:
Hi Tuomo,
Could you check if it still happens without the auth-zone?
Could you also share that part of the configuration file?
I'm testing one system without these auth-zones and
two systems with the root cache config. Both servers with auth-zone have
crashed.
But the crash wasn't immediate; it happened after some runtime.
I found this new error, logged by 1.13.0rc1, but 1.12.0 never
gave this error. Really bad error message, btw; it doesn't tell the IP or
port it was trying to connect to.
unbound[6384]: [6384:1] error: recvfrom 44 failed: Connection refused
# Authority zones
# The data for these zones is kept locally, from a file or downloaded.
# The data can be served to downstream clients, or used instead of the
# upstream (which saves a lookup to the upstream). zonefile: reads from
# file (and writes to it if you also download it), primary: fetches with
# AXFR and IXFR, or url to zonefile.
# This is rfc7706 config
# https://www.dns.icann.org/services/axfr/
auth-zone:
name: "."
for-downstream: no
for-upstream: yes
fallback-enabled: yes
zonefile: /var/lib/unbound/root.zone
primary: 2620:0:2d0:202::132 # lax.xfr.dns.icann.org.
primary: 192.0.32.132 # lax.xfr.dns.icann.org.
primary: 2620:0:2830:202::132 # iad.xfr.dns.icann.org.
primary: 192.0.47.132 # iad.xfr.dns.icann.org.
primary: 2001:7fd::1 # k.root-servers.net.
primary: 193.0.14.129 # k.root-servers.net.
primary: 2001:500:12::d0d # g.root-servers.net.
primary: 192.112.36.4 # g.root-servers.net.
primary: 2001:500:2f::f # f.root-servers.net.
primary: 192.5.5.241 # f.root-servers.net.
primary: 2001:500:2d::d # d.root-servers.net.
primary: 199.7.91.13 # d.root-servers.net.
primary: 2001:500:2::c # c.root-servers.net.
primary: 192.33.4.12 # c.root-servers.net.
primary: 2001:500:200::b # b.root-servers.net.
primary: 199.9.14.201 # b.root-servers.net.
auth-zone:
name: "root-servers.net."
for-downstream: no
for-upstream: yes
fallback-enabled: yes
zonefile: /var/lib/unbound/root-servers.net.zone
primary: 2620:0:2d0:202::132 # lax.xfr.dns.icann.org.
primary: 192.0.32.132 # lax.xfr.dns.icann.org.
primary: 2620:0:2830:202::132 # iad.xfr.dns.icann.org.
primary: 192.0.47.132 # iad.xfr.dns.icann.org.
primary: 2001:7fd::1 # k.root-servers.net.
primary: 193.0.14.129 # k.root-servers.net.
primary: 2001:500:12::d0d # g.root-servers.net.
primary: 192.112.36.4 # g.root-servers.net.
primary: 2001:500:2f::f # f.root-servers.net.
primary: 192.5.5.241 # f.root-servers.net.
primary: 2001:500:2d::d # d.root-servers.net.
primary: 199.7.91.13 # d.root-servers.net.
primary: 2001:500:2::c # c.root-servers.net.
primary: 192.33.4.12 # c.root-servers.net.
primary: 2001:500:200::b # b.root-servers.net.
primary: 199.9.14.201 # b.root-servers.net.
auth-zone:
name: "arpa."
for-downstream: no
for-upstream: yes
fallback-enabled: yes
zonefile: /var/lib/unbound/arpa.zone
primary: lax.xfr.dns.icann.org.
primary: iad.xfr.dns.icann.org.
primary: k.root-servers.net.
primary: g.root-servers.net.
primary: f.root-servers.net.
primary: d.root-servers.net.
primary: c.root-servers.net.
primary: b.root-servers.net.
auth-zone:
name: "in-addr.arpa."
for-downstream: no
for-upstream: yes
fallback-enabled: yes
zonefile: /var/lib/unbound/in-addr.arpa.zone
primary: lax.xfr.dns.icann.org.
primary: iad.xfr.dns.icann.org.
auth-zone:
name: "ipv4only.arpa."
for-downstream: no
for-upstream: yes
fallback-enabled: yes
zonefile: /var/lib/unbound/ipv4only.arpa.zone
primary: lax.xfr.dns.icann.org.
primary: iad.xfr.dns.icann.org.
auth-zone:
name: "ip6.arpa."
for-downstream: no
for-upstream: yes
fallback-enabled: yes
zonefile: /var/lib/unbound/ip6.arpa.zone
primary: lax.xfr.dns.icann.org.
primary: iad.xfr.dns.icann.org.
auth-zone:
name: "ip6-servers.arpa."
for-downstream: no
for-upstream: yes
fallback-enabled: yes
zonefile: /var/lib/unbound/ip6-servers.arpa.zone
primary: lax.xfr.dns.icann.org.
primary: iad.xfr.dns.icann.org.
Does this help?
#0 SSL_do_handshake (s=0x9c50d9f3b8ee943f) at ssl_lib.c:2776
#1 0x000056377f5db574 in ssl_handshake (c=0x563780eaa640)
at util/netevent.c:1156
#2 0x000056377f5db965 in ssl_handle_read (c=0x563780eaa640)
at util/netevent.c:1275
#3 0x000056377f5dc937 in tcp_more_read_again (c=<optimized out>,
fd=<optimized out>) at util/netevent.c:1936
#4 comm_point_tcp_handle_callback (fd=42, event=<optimized out>,
arg=0x563780eaa640) at util/netevent.c:2024
#5 0x00007fe32d5d39c4 in event_base_loop () from /lib64/libevent-2.0.so.5
#6 0x000056377f5d91ec in comm_base_dispatch (b=<optimized out>)
at util/netevent.c:246
#7 0x000056377f539819 in worker_work (worker=<optimized out>)
at daemon/worker.c:1941
#8 0x000056377f52e316 in daemon_fork
(daemon=daemon@entry=0x5637802ff060) at daemon/daemon.c:700
#9 0x000056377f529b70 in run_daemon (need_pidfile=1, debug_mode=1,
cmdline_verbose=0, cfgfile=0x56377f5f8ba0
"/etc/unbound/unbound.conf") at daemon/unbound.c:707
#10 main (argc=<optimized out>, argv=<optimized out>) at
daemon/unbound.c:808
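The "recvfrom 44 failed: Connection refused" line above is a side effect of the new udp-connect behaviour: once a UDP socket has been connect()ed to its peer, the kernel reports the ICMP port-unreachable that comes back for a dead upstream as an asynchronous ECONNREFUSED on the next receive, whereas an unconnected socket never sees that error and simply times out. The script below is an added illustration, not Unbound code; it sends one datagram to a loopback UDP port with no listener (a constructed target, nothing leaves the host) both ways, and prints the peer address together with the error, which is exactly what the logged message lacked.

```python
import errno
import select
import socket


def free_loopback_udp_port():
    """Ask the kernel for an unused UDP port on 127.0.0.1 and release it.
    Constructed target: nothing listens there, so the kernel answers our
    datagram with an ICMP port-unreachable."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def udp_probe(port, connected, timeout=1.0):
    """Send one datagram to 127.0.0.1:port and report what the next receive sees.

    Returns "ECONNREFUSED" for the connected-socket case (what udp-connect
    now has to tolerate as a plain timeout), "timeout" for the unconnected
    case (the ICMP error is dropped silently), or "data" if something answered.
    """
    dst = ("127.0.0.1", port)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        # 12 zero bytes: a DNS-header-sized probe; the content is irrelevant here.
        if connected:
            s.connect(dst)          # ties the socket to one peer; ICMP errors become visible
            s.send(b"\x00" * 12)
        else:
            s.sendto(b"\x00" * 12, dst)
        readable, _, errored = select.select([s], [], [s], timeout)
        if not readable and not errored:
            return "timeout"
        try:
            s.recvfrom(512)
        except OSError as e:
            # Include the peer in the log line; the message in the thread did not.
            peer = s.getpeername() if connected else dst
            print("recvfrom from %s:%d failed: %s" % (peer[0], peer[1], e.strerror))
            return errno.errorcode.get(e.errno, str(e.errno))
        return "data"


if __name__ == "__main__":
    port = free_loopback_udp_port()
    print("connected:  ", udp_probe(port, connected=True))    # ECONNREFUSED
    print("unconnected:", udp_probe(port, connected=False))   # timeout
```

The unconnected variant is what Unbound used before udp-connect; the connected one is faster to fail but obliges the resolver to treat ECONNREFUSED like any other upstream timeout rather than as a fatal socket error, which is the fix listed for rc2.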
Hi Tuomo,
Thanks for the stack trace, does this commit help in fixing the issue:
https://github.com/NLnetLabs/unbound/commit/67a0614db700aa6ed596a3563aff6767c69170fe
It stops the readagain from activating after failed ssl handshake
deletes the data.
The error you spotted in the logs is also ignored now and that is
already committed in the code repo.
Best regards, Wouter
Now I upgraded to 1.13.0rc2 and haven't seen warnings or crashes after
that.
I'll test post-rc2 commits after running rc2 for some time.
1.13.0rc2 seems to be stable. But I still built it with post-1.13.0rc2
changes and am now running that.
Hi Wouter,
rc2 build and works on some lab systems.
Preparing my build system, I need the extra package 'curl' to test DoH.
Is there a DoH client available as part of unbound source?
Andreas
Andreas, I've used Firefox as a DoH client on my infrastructure.
Seems it works. (But I'd prefer a DoT client instead, of course.)
27.11.2020 4:10, A. Schulze via Unbound-users writes:
I've used Firefox as a DoH client on my infrastructure
I'm focused on automated testing...
just found ~unbound-source/testcode/dohclient.c
looks like I found what I was looking for
# make dohclient
# ./dohclient -s 9.9.9.9 -p 443 -P -e /dns-query nlnetlabs.nl. A IN
cool!
and finally: a compile time warning:
services/listen_dnsport.c: In function 'http2_submit_dns_response':
services/listen_dnsport.c:2211:41: warning: format '%u' expects argument of type 'unsigned int', but argument 4 has type 'size_t' {aka 'long unsigned int'} [-Wformat=]
 2211 |         snprintf(rlen_str, sizeof(rlen_str), "%u", rlen);
      |                                               ~^   ~~~~
      |                                                |   |
      |                                                |   size_t {aka long unsigned int}
      |                                                unsigned int
      |                                               %lu
Andreas
Hi Andreas,
I've used Firefox as a DoH client on my infrastructure
I'm focused on automated testing...
just found ~unbound-source/testcode/dohclient.c
looks like I found what I was looking for
# make dohclient
# ./dohclient -s 9.9.9.9 -p 443 -P -e /dns-query nlnetlabs.nl. A IN
Yes that is a test client, a bit like streamtcp.
cool!
and finally: a compile time warning:
Fixed! Thanks for the report, that warning does not show up for me, but
it does for you. Good to fix.
Best regards, Wouter
Hi,
Unbound 1.13.0rc3 pre-release is available:
https://nlnetlabs.nl/downloads/unbound/unbound-1.13.0rc3.tar.gz
sha256 7702fc832337a71a1cbd8026e2f2784daff3313c098021e80f479c67affb546f
pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.13.0rc3.tar.gz.asc
This RC3 fixes a bug that was reported on the RC2 candidate, the fix to
initialize the rbtree structure for stream reuse. Also compile warnings
are fixed and in depth fixes at cleanup time.
Bug Fixes
- Fix to omit UDP receive errors from log, if verbosity low.
These happen because of udp-connect.
- For #352: contrib/metrics.awk for Prometheus style metrics output.
- Fix that after failed read, the readagain cannot activate.
- Clear readagain upon decommission of pending tcp structure.
- Fix compile warning for type cast in http2_submit_dns_response.
- Fix when use free buffer to initialize rbtree for stream reuse.
- Fix compile warnings for windows.
- Fix compile warnings in rpz initialization.
- Fix contrib/metrics.awk for FreeBSD awk compatibility.
Best regards, Wouter
Runs ok.
27.11.2020 21:03, Wouter Wijngaards via Unbound-users writes:
Hi,
Unbound 1.13.0rc4 pre-release is available:
https://nlnetlabs.nl/downloads/unbound/unbound-1.13.0rc4.tar.gz
sha256 b7cfb0fe0f138970271d9e037913350a0ca03a66ead6e6f77cc0ca02f7245aa3
pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.13.0rc4.tar.gz.asc
This RC4 fixes a bug that was reported on the RC3 candidate, an
assertion failure for upstream TLS and a double callback.
Bug Fixes
- Fix assertion failure on double callback when iterator loses
interest in query at head of line that then has the tcp stream
not kept for reuse.
Best regards, Wouter
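Each of the release-candidate announcements in this thread (rc2, rc3 and rc4) lists a sha256 and a PGP signature next to the tarball URL. The following is an added example of checking both before building, not NLnet Labs tooling: the digest is streamed and compared in constant time, and the signature check shells out to gpg (assumed to be installed; the keyring path is an assumption) and looks for GOODSIG and VALIDSIG in its status output. A sha256 published in the same e-mail as the download link only catches a corrupted transfer; only the signature, checked against a key obtained through a second channel, ties the tarball to the release maintainers. The demo() function hashes a constructed in-memory sample rather than a real tarball, so the block runs offline.

```python
import hashlib
import hmac
import os
import shutil
import subprocess
import tempfile


def sha256_of_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so a large tarball need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_digest(actual_hex, expected_hex):
    """Case-insensitive, constant-time comparison of two hex digests."""
    return hmac.compare_digest(actual_hex.strip().lower().encode(),
                               expected_hex.strip().lower().encode())


def verify_sha256(path, expected_hex):
    """True if the file's SHA-256 matches the announced digest."""
    return check_digest(sha256_of_file(path), expected_hex)


def verify_pgp(tarball, asc_path, keyring=None):
    """Verify the detached .asc signature with the gpg CLI (assumed gpg 2.x).

    Returns True on GOODSIG + VALIDSIG, False on a bad or unknown signature,
    None if gpg is not installed. The check only means something when the
    keyring was populated out of band, not from the same download site.
    """
    if shutil.which("gpg") is None:
        return None
    cmd = ["gpg", "--batch", "--status-fd", "1"]
    if keyring:  # hypothetical path supplied by the caller
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd += ["--verify", asc_path, tarball]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    status = proc.stdout
    return (proc.returncode == 0
            and "[GNUPG:] GOODSIG" in status
            and "[GNUPG:] VALIDSIG" in status)


# Constructed sample: the bytes b"abc" and their well-known SHA-256.
SAMPLE_BYTES = b"abc"
SAMPLE_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def demo():
    """Write the constructed sample to a temp file and verify it; returns (good, bad)."""
    d = tempfile.mkdtemp()
    try:
        p = os.path.join(d, "unbound-sample.tar.gz")
        with open(p, "wb") as f:
            f.write(SAMPLE_BYTES)
        good = verify_sha256(p, SAMPLE_SHA256.upper())  # case differences are tolerated
        bad = verify_sha256(p, "00" * 32)                # any mismatch is rejected
        return good, bad
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

For a real release, call verify_sha256() with the downloaded tarball and the digest from the announcement, then verify_pgp() with the matching .asc file; treat None from verify_pgp() as a failed check in an automated build, since it means the signature was never examined.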
Runs ok.
30.11.2020 18:32, Wouter Wijngaards via Unbound-users writes:
Hi Wouter,
"This RC4 fixes a bug that was reported on the RC3 candidate, an assertion failure for upstream TLS and a double callback."
I can confirm I cannot recreate the above in RC4 and so far all is OK.
RayG