NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

Unbound error spam after openssl 3 update #812

Closed brand1970 closed 1 year ago

brand1970 commented 1 year ago

Describe the bug

Unbound error spam after openssl 3 update (could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading.)

To reproduce

Steps to reproduce the behavior:

  1. I use DNS over TLS

Expected behavior

So since openssl 3.0.7 came out, "unbound" has been spamming the journal with errors: ...could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading. My Archlinux system is fully up to date.

System:

Additional information

journalctl -b -u unbound.service

Dec 23 10:56:00 arch-pc systemd[1]: Starting Validating, recursive, and caching DNS resolver...
Dec 23 10:56:01 arch-pc unbound[1108]: [1108:0] notice: init module 0: subnetcache
Dec 23 10:56:01 arch-pc unbound[1108]: [1108:0] notice: init module 1: validator
Dec 23 10:56:01 arch-pc unbound[1108]: [1108:0] notice: init module 2: iterator
Dec 23 10:56:01 arch-pc unbound[1108]: [1108:0] info: start of service (unbound 1.17.0).
Dec 23 10:56:01 arch-pc systemd[1]: Started Validating, recursive, and caching DNS resolver.
Dec 23 10:56:03 arch-pc systemd[1]: Reloading Validating, recursive, and caching DNS resolver...
Dec 23 10:56:03 arch-pc unbound[1108]: [1108:0] info: service stopped (unbound 1.17.0).
Dec 23 10:56:03 arch-pc unbound[1108]: [1108:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Dec 23 10:56:03 arch-pc unbound[1108]: [1108:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
Dec 23 10:56:03 arch-pc unbound[1108]: [1108:0] notice: Restart of unbound 1.17.0.
Dec 23 10:56:03 arch-pc unbound[1108]: [1108:0] notice: init module 0: subnetcache
Dec 23 10:56:03 arch-pc unbound[1108]: [1108:0] notice: init module 1: validator
Dec 23 10:56:03 arch-pc unbound[1108]: [1108:0] notice: init module 2: iterator
Dec 23 10:56:03 arch-pc unbound[1108]: [1108:0] info: start of service (unbound 1.17.0).
Dec 23 10:56:03 arch-pc systemd[1]: Reloaded Validating, recursive, and caching DNS resolver.
Dec 23 10:56:06 arch-pc unbound[1108]: [1108:0] info: generate keytag query _ta-4f66. NULL IN
Dec 23 10:57:28 arch-pc unbound[1108]: [1108:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Dec 23 10:59:59 arch-pc unbound[1108]: [1108:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Dec 23 11:05:22 arch-pc unbound[1108]: [1108:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Dec 23 11:09:57 arch-pc unbound[1108]: [1108:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Dec 23 11:18:50 arch-pc unbound[1108]: [1108:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Dec 23 11:18:50 arch-pc unbound[1108]: [1108:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Dec 23 11:21:01 arch-pc unbound[1108]: [1108:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
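
An added triage helper for journal output like the above (example code, not part of this issue or of Unbound): it parses the `could not SSL_read` lines, decodes OpenSSL 3's packed error code (library number in the top bits above bit 23, reason in the low bits, so 0A000126 is library 20 "SSL routines", reason 294 "unexpected eof while reading") and counts occurrences per hour, so an operator can tell a steady background rate from a spike. The sample lines are a constructed subset of the journal in this report.

```python
import re
from collections import Counter

# Constructed subset of the journalctl output posted in the issue.
SAMPLE_JOURNAL = """\
Dec 23 10:56:01 arch-pc unbound[1108]: [1108:0] info: start of service (unbound 1.17.0).
Dec 23 10:57:28 arch-pc unbound[1108]: [1108:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Dec 23 10:59:59 arch-pc unbound[1108]: [1108:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Dec 23 11:05:22 arch-pc unbound[1108]: [1108:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Dec 23 11:18:50 arch-pc unbound[1108]: [1108:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
"""

# OpenSSL 3 packs an error code as (library << 23) | reason.
ERR_LIB_OFFSET = 23
ERR_LIB_SSL = 20                          # "SSL routines"
SSL_R_UNEXPECTED_EOF_WHILE_READING = 294  # "unexpected eof while reading"

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d):\d\d \S+ unbound\[\d+\]: \[\d+:\d+\] "
    r"error: could not SSL_read crypto error:(?P<code>[0-9A-Fa-f]{8}):(?P<text>.*)$"
)

def decode_err(code_hex):
    """Split a packed OpenSSL 3 error code into (library, reason)."""
    code = int(code_hex, 16)
    return code >> ERR_LIB_OFFSET, code & ((1 << ERR_LIB_OFFSET) - 1)

def is_unexpected_eof(lib, reason):
    """True for the exact error this issue is about."""
    return lib == ERR_LIB_SSL and reason == SSL_R_UNEXPECTED_EOF_WHILE_READING

def summarize(journal_text):
    """Count SSL_read errors per hour ("Dec 23 10") and per (lib, reason)."""
    per_hour = Counter()
    per_reason = Counter()
    for line in journal_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not an SSL_read error line
        lib, reason = decode_err(m.group("code"))
        per_hour[m.group("ts")[:-3]] += 1   # strip ":MM" to bucket by hour
        per_reason[(lib, reason)] += 1
    return per_hour, per_reason

if __name__ == "__main__":
    hours, reasons = summarize(SAMPLE_JOURNAL)
    for hour, n in sorted(hours.items()):
        print(f"{hour}: {n} SSL_read error(s)")
    for (lib, reason), n in reasons.items():
        print(f"lib={lib} reason={reason} eof={is_unexpected_eof(lib, reason)} x{n}")
```

Feed it `journalctl -b -u unbound.service --no-pager` instead of the constructed sample to triage a live host.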

APCBoston commented 1 year ago

I'm also seeing this on Ubuntu 22.01, even after upgrading from Unbound-1.13 (packaged with the distro) to Unbound-1.17.0

glitsj16 commented 1 year ago

Same as OP, still an issue on unbound 1.17.1 on Arch Linux.

$ unbound -V
Version 1.17.1

Configure line: --prefix=/usr --sysconfdir=/etc --localstatedir=/var --sbindir=/usr/bin --disable-rpath --enable-dnscrypt --enable-dnstap --enable-pie --enable-relro-now --enable-subnet --enable-systemd --enable-tfo-client --enable-tfo-server --enable-cachedb --with-libhiredis --with-conf-file=/etc/unbound/unbound.conf --with-pidfile=/run/unbound.pid --with-rootkey-file=/etc/trusted-key.key --with-libevent --with-libnghttp2 --with-pyunbound
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.7 1 Nov 2022
Linked modules: dns64 cachedb subnetcache respip validator iterator
DNSCrypt feature available
TCP Fastopen feature available

quantum77 commented 1 year ago

Same here. Up-to-date CentOS Stream 9.1, Unbound 1.16.2, OpenSSL 3.0.7. Using DNS-over-TLS.

Oddly it doesn't happen on the unbound server, but does on the clients.

What can we do? This is still Unassigned. Are any devs left?

JayBrown commented 1 year ago

Same here (on the server, DoT):

unbound[806]: [806:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading

Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-67-generic x86_64)
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
unbound: Version 1.13.1

Configure line: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --libexecdir=${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --disable-rpath --with-pidfile=/run/unbound.pid --with-rootkey-file=/var/lib/unbound/root.key --with-libevent --with-libnghttp2 --with-pythonmodule --enable-subnet --enable-dnstap --enable-systemd --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --libdir=/usr/lib
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.2 15 Mar 2022
Linked modules: dns64 python subnetcache respip validator iterator