NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

libunbound error: no name verification functionality in ssl library #997

Closed cmonty14 closed 10 months ago

cmonty14 commented 10 months ago

Describe the bug
Setup of unbound forwarding using DNS over TLS (DoT) is not working. I'm using this configuration:

❯ cat /etc/unbound/unbound.conf.d/dot.conf 
server:
    tls-service-key: /etc/unbound/unbound_server.key
    tls-service-pem: /etc/unbound/unbound_server.pem

forward-zone:
    name: "."
    forward-ssl-upstream: yes
    # Digitalcourage
    forward-addr: 5.9.164.112@853#dns3.digitalcourage.de
    forward-addr: 2a01:4f8:251:554::2@853#dns3.digitalcourage.de
    # ffmuc.net
    forward-addr: 5.1.66.255@853#dot.ffmuc.net
    forward-addr: 2001:678:e68:f000::@853#dot.ffmuc.net
    forward-addr: 185.150.99.255@853#dot.ffmuc.net
    forward-addr: 2001:678:ed0:f000::@853#dot.ffmuc.net

This is the error message when running the command sudo unbound-host -C /etc/unbound/unbound.conf -v unbound.net:

❯ sudo unbound-host -C /etc/unbound/unbound.conf -v unbound.net
[1705752601] libunbound[851167:0] notice: init module 0: validator
[1705752601] libunbound[851167:0] notice: init module 1: iterator
[1705752601] libunbound[851167:0] error: no name verification functionality in ssl library, ignored name for 2001:678:ed0:f000::@853#dot.ffmuc.net
[1705752601] libunbound[851167:0] error: no name verification functionality in ssl library, ignored name for 185.150.99.255@853#dot.ffmuc.net
[1705752601] libunbound[851167:0] error: no name verification functionality in ssl library, ignored name for 2001:678:e68:f000::@853#dot.ffmuc.net
[1705752601] libunbound[851167:0] error: no name verification functionality in ssl library, ignored name for 5.1.66.255@853#dot.ffmuc.net
[1705752601] libunbound[851167:0] error: no name verification functionality in ssl library, ignored name for 2a01:4f8:251:554::2@853#dns3.digitalcourage.de
[1705752601] libunbound[851167:0] error: no name verification functionality in ssl library, ignored name for 5.9.164.112@853#dns3.digitalcourage.de
[1705752601] libunbound[851167:0] info: resolving unbound.net. A IN
[1705752601] libunbound[851167:0] error: read (in tcp s): Connection reset by peer for 2a01:4f8:251:554::2 port 853
[1705752601] libunbound[851167:0] error: read (in tcp s): Connection reset by peer for 2a01:4f8:251:554::2 port 853
[1705752601] libunbound[851167:0] error: read (in tcp s): Connection reset by peer for 5.9.164.112 port 853
[1705752601] libunbound[851167:0] error: read (in tcp s): Connection reset by peer for 5.9.164.112 port 853
[1705752601] libunbound[851167:0] error: read (in tcp s): Connection reset by peer for 5.9.164.112 port 853
[1705752601] libunbound[851167:0] error: read (in tcp s): Connection reset by peer for 2a01:4f8:251:554::2 port 853
[1705752601] libunbound[851167:0] error: read (in tcp s): Connection reset by peer for 5.9.164.112 port 853
[1705752601] libunbound[851167:0] error: read (in tcp s): Connection reset by peer for 2a01:4f8:251:554::2 port 853
[1705752602] libunbound[851167:0] error: read (in tcp s): Connection reset by peer for 5.9.164.112 port 853
[1705752602] libunbound[851167:0] error: read (in tcp s): Connection reset by peer for 2a01:4f8:251:554::2 port 853
Host unbound.net not found: 2(SERVFAIL). (error)

To reproduce
Steps to reproduce the behavior:

  1. Create configuration file /etc/unbound/unbound.conf.d/dot.conf
  2. Reload unbound: sudo unbound-control reload
  3. Verify DNS resolution: sudo unbound-host -C /etc/unbound/unbound.conf -v unbound.net

Expected behavior
DNS works w/o errors.

System:

Configure line: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --libexecdir=${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --disable-rpath --with-pidfile=/run/unbound.pid --with-rootkey-file=/var/lib/unbound/root.key --with-libevent --with-libnghttp2 --with-pythonmodule --enable-subnet --enable-dnstap --enable-systemd --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --libdir=/usr/lib
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.2 15 Mar 2022
Linked modules: dns64 python subnetcache respip validator iterator

BSD licensed, see LICENSE in source package for details. Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues

wcawijngaards commented 10 months ago

If I compile here with openssl 3.0, it does not complain that there is no name verification, that works fine. Is the output line with the compile version not the same as the unbound-host executable linked ssl library?

Then there is connection reset, and this also does not happen for me, is there a simple outgoing firewall rule that blocks all traffic?

It then fails for me with a certificate failure. The commit adds more details that it prints for the certificate failure, and in this case it prints:

error: ssl handshake failed crypto error:0A000086:SSL routines::certificate verify failed
error: ssl handshake cert error: unable to get local issuer certificate
notice: ssl handshake failed ip4 5.9.164.112 port 853 (len 16)

The new cert error line is added by the commit https://github.com/NLnetLabs/unbound/commit/1f46d5945bc41ceca7687a2f34cd5bfec6832bd9. Is there no cert root for the remote site? With like tls-cert-bundle: "/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt". If I add that configuration, the example works, and prints the DNS resolution.
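The thread above points at three separate failure classes behind one SERVFAIL: a linked SSL library that cannot verify host names (so the `#name` after each `forward-addr` is ignored), a missing trust store (`unable to get local issuer certificate`, fixed by `tls-cert-bundle`), and TCP 853 being reset on the wire. The script below is an added example for this issue, not Unbound's own code: it parses `forward-addr` entries in the `ip@port#name` form used in the report, flags a configuration that has no trust store or no authentication name, classifies the log lines quoted above, and, when run directly, does the same chain-plus-hostname verification Unbound does against an operator-supplied CA bundle. The CA bundle path and the abridged log lines are constructed placeholders; the live probe only runs from `__main__`.

```python
"""Triage helpers for Unbound DoT forwarding failures (added example, not Unbound code)."""
import re
import socket
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# forward-addr syntax from the issue: IP[@port][#auth-name]; IPv6 literals only contain ':'
FORWARD_ADDR_RE = re.compile(r"^(?P<ip>[^@#\s]+)(?:@(?P<port>\d+))?(?:#(?P<name>\S+))?$")


@dataclass
class Upstream:
    ip: str
    port: int                 # Unbound uses 53 when no @port is given
    auth_name: Optional[str]  # name after '#', checked against the server certificate


def parse_forward_addr(value: str) -> Upstream:
    """Split 'ip@port#name' into its parts; raises ValueError on anything else."""
    m = FORWARD_ADDR_RE.match(value.strip())
    if not m:
        raise ValueError(f"bad forward-addr: {value!r}")
    return Upstream(m["ip"], int(m["port"] or 53), m["name"])


def config_warnings(upstreams: List[Upstream], tls_cert_bundle: Optional[str]) -> List[str]:
    """Static checks: a TLS upstream needs a trust store and an authentication name."""
    warnings = []
    if tls_cert_bundle is None:
        warnings.append("tls-cert-bundle not set: upstream certificate chains cannot be verified")
    for up in upstreams:
        if up.auth_name is None:
            warnings.append(f"{up.ip}@{up.port}: no '#name', server identity will not be checked")
    return warnings


# Substrings of the Unbound log lines quoted in this issue, each mapped to a diagnosis.
LOG_PATTERNS: List[Tuple[str, str]] = [
    ("no name verification functionality",
     "build: linked SSL library cannot verify host names, '#name' is ignored"),
    ("unable to get local issuer certificate",
     "trust: no CA can validate the upstream chain, set tls-cert-bundle"),
    ("Connection reset by peer",
     "network: TCP 853 to the upstream was closed by the peer or a middlebox"),
]


def triage_log(lines: List[str]) -> Dict[str, int]:
    """Count how often each known failure class appears in a log excerpt."""
    counts: Dict[str, int] = {}
    for line in lines:
        for needle, diagnosis in LOG_PATTERNS:
            if needle in line:
                counts[diagnosis] = counts.get(diagnosis, 0) + 1
    return counts


def probe_upstream(up: Upstream, ca_bundle: Optional[str], timeout: float = 5.0) -> Tuple[str, str]:
    """Live check: TLS handshake with chain and host-name verification, like Unbound's.
    Returns (status, detail) and maps the failure classes above to statuses."""
    if up.auth_name is None:
        return ("config-error", "no auth name; refusing to connect without host-name verification")
    ctx = ssl.create_default_context(cafile=ca_bundle)  # cafile=None -> system default store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((up.ip, up.port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=up.auth_name) as tls:
                cert = tls.getpeercert()
                return ("ok", f"{tls.version()} cert valid until {cert.get('notAfter')}")
    except ssl.SSLCertVerificationError as e:
        return ("cert-error", e.verify_message)   # e.g. unable to get local issuer certificate
    except ssl.SSLError as e:
        return ("tls-error", str(e))
    except OSError as e:
        return ("net-error", str(e))              # e.g. Connection reset by peer


# Constructed sample: abridged from the log pasted in the issue.
SAMPLE_LOG = [
    "[1705752601] libunbound[851167:0] error: no name verification functionality in ssl library, "
    "ignored name for 5.9.164.112@853#dns3.digitalcourage.de",
    "[1705752601] libunbound[851167:0] error: read (in tcp s): Connection reset by peer for 5.9.164.112 port 853",
    "error: ssl handshake cert error: unable to get local issuer certificate",
]

if __name__ == "__main__":
    ups = [parse_forward_addr(a) for a in
           ("5.9.164.112@853#dns3.digitalcourage.de", "5.1.66.255@853#dot.ffmuc.net")]
    for w in config_warnings(ups, None):
        print("warn:", w)
    for diag, n in triage_log(SAMPLE_LOG).items():
        print(f"{n}x {diag}")
    CA_BUNDLE = "/path/to/ca-bundle.crt"  # placeholder: the operator's tls-cert-bundle file
    for up in ups:
        print(up.auth_name, probe_upstream(up, CA_BUNDLE))
```

Running the probe with the bundle you intend to put in `tls-cert-bundle` reproduces what Unbound will see at handshake time: a `cert-error` status with `unable to get local issuer certificate` means the bundle does not contain the upstream's root, and a `net-error` with a reset points at the path rather than at TLS.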