DNS over TLS repeated error: GNUTLS_E_AGAIN (-28)
Hello,
I started using DNS over TLS and I am facing some issues. Queries seem to fail a lot of the time, especially on the first try, for example: Temporary failure resolving 'cdn-fastly.deb.debian.org'. There is an error that keeps being spammed in the log a lot:
[gnutls] (5) REC[0x556bfb5e98a0]: Preparing Packet Application Data(23) with length: 41 and min pad: 0
...
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_writev_emu]:464
[gnutls] (2) WRITE: -1 returned from 0x556bfb55e290, errno: 11
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_send_tlen_int]:555
[tls] gnutls_record_uncork: too many sequential non-fatal errors (101), last error is: GNUTLS_E_AGAIN (-28)
[tls] gnutls_record_uncork didn't send all data: GNUTLS_E_SUCCESS (0)
The three lines starting with ASSERT and WRITE get spammed, so here is the full log: https://psb1.org/paste/4a35b1ae/2632c9f1ef31f4fb
The resolver is available live at:
pin_sha256="UXGqCMdLvdkVB3sIxfb41G5gIn8lR8zjOMj13czd/V8="
node3.psb1.org. has IPv4 address 81.2.239.149
node3.psb1.org. has IPv6 address 2001:15e8:110:795::1
Both servers are Knot DNS Resolver, version 2.0.0, running on Debian buster/sid with Linux 4.14.13-1. My libknot is 2.6.4-1, my libgnutls is 3.6.1-1, and they are built from source.
My setup consists of two Knot Resolvers where one is doing the resolving and the second one is just forwarding to the first. First server's config (the resolver):
-- load modules
modules = {
    "policy",
    "view",
    "version",
    "stats",
    "daf",
    predict = {
        -- 15 minutes sampling window
        window = 15,
        -- track last 31 days
        period = 31 * 24 * (60 / 15)
    },
    hints = "/etc/knot-resolver/hosts/compiled.hosts",
    http = {
        host = "xxxx.xxxx.xxx",
        port = 8053,
        cert = false,
        -- key = "/mnt/xxxx/xxxxxxxx.key",
        -- cert = "/mnt/xxxx/xxxxxxxx.cer",
        geoip = "/etc/knot-resolver/GeoLite2-City_20180102/GeoLite2-City.mmdb"
    }
}

-- init tls
net.tls(
    "/mnt/xxxx/xxxxxxxx.cer",
    "/mnt/xxxx/xxxxxxxx.key"
)

-- setup cache
cache.storage = "lmdb:///var/cache/knot-resolver"
cache.size = 100 * MB

-- set mode
mode("normal")

-- setup trust anchors for DNSSEC
trust_anchors.file = "/var/cache/knot-resolver/root.key"
Second server's config (the forwarder):
-- load modules
modules = {
    "policy",
    "view",
    "version",
    "stats",
    "daf",
    predict = {
        -- 15 minutes sampling window
        window = 15,
        -- track last 31 days
        period = 31 * 24 * (60 / 15)
    }
}

-- setup policies
policy.add(policy.all(policy.TLS_FORWARD({{ "81.2.239.149", pin_sha256="UXGqCMdLvdkVB3sIxfb41G5gIn8lR8zjOMj13czd/V8=" }})))

-- init tls
net.tls(
    "/mnt/xxxx/xxxxxxxx.cer",
    "/mnt/xxxx/xxxxxxxx.key"
)

-- setup cache
cache.storage = "lmdb:///var/cache/knot-resolver"
cache.size = 100 * MB

-- set mode
mode("normal")

-- setup trust anchors for DNSSEC
trust_anchors.file = "/var/cache/knot-resolver/root.key"
Thank you in advance for looking into this.
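The forwarder config above pins the upstream with `pin_sha256`, which is the base64 of the SHA-256 over the DER-encoded SubjectPublicKeyInfo of the upstream certificate (the RFC 7469 pin format). The script below is an added example, not part of the original post or of Knot Resolver itself: it computes that pin from a certificate file with `openssl` and compares it with an expected value, so a mismatch between the pin in `policy.TLS_FORWARD` and the key actually served can be ruled out when debugging a failing forward. It assumes `openssl` is installed; the certificate it generates for the demonstration is a throwaway self-signed one, not the post's `node3.psb1.org` certificate.

```shell
#!/bin/sh
# Compute and check the pin_sha256 value used by Knot Resolver's
# policy.TLS_FORWARD: base64(SHA-256(DER SubjectPublicKeyInfo)).
# Added example; assumes the openssl CLI is available.
set -eu

# spki_pin CERT_PEM -> prints the SPKI pin of the certificate in CERT_PEM
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A
}

# pin_matches CERT_PEM EXPECTED -> exit status 0 only if the pins are equal
pin_matches() {
    [ "$(spki_pin "$1")" = "$2" ]
}

# Demonstration on a constructed self-signed certificate (no network needed).
demo() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=node3.example" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" -days 1 2>/dev/null
    pin=$(spki_pin "$tmp/cert.pem")
    # This is the exact string to paste into TLS_FORWARD for that certificate.
    echo "pin_sha256=\"$pin\""
    if pin_matches "$tmp/cert.pem" "$pin"; then
        echo "pin matches certificate"
    else
        echo "pin does NOT match certificate"
    fi
    rm -rf "$tmp"
}

demo
```

To check a live resolver rather than a file, the certificate it presents on port 853 can be saved first, for example with `openssl s_client -connect 81.2.239.149:853 -showcerts </dev/null`, and the saved PEM passed to `spki_pin`; the pin must be recomputed whenever the upstream rotates its key, since it is the key, not the certificate lifetime, that is pinned.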