Package: systemd
Version: 243-8

On an amd64 system running sid, with the following settings reported by resolvectl:

DNSOverTLS setting: opportunistic
DNSSEC setting: allow-downgrade
DNSSEC supported: no
Current DNS Server: 199.58.81.218
DNS Servers: 199.58.81.218
             2001:470:1c:76d::53

The TLS connections don't work for some reason (the host above is
dns.cmrg.net, which only offers DNS-over-TLS).
/etc/resolv.conf is a symlink to /lib/systemd/resolv.conf
I attached ltrace to the systemd-resolved process, while trying to
elicit a domain name with "ping" and saw this interaction with GnuTLS:
3437 20:49:39 gnutls_init(0x7ffcfe82eae8, 266, 16, 608) = 0
3437 20:49:39 gnutls_priority_set_direct(0x55f47918c140, 0x55f4772712b8, 0, 0) = 0
3437 20:49:39 gnutls_credentials_set(0x55f47918c140, 1, 0x55f478eb0140, 0) = 0
3437 20:49:39 gnutls_handshake_set_timeout(0x55f47918c140, 0xffffffff, 0, 0x55f47918a930) = 0x9c40
3437 20:49:39 gnutls_transport_set_ptr2(0x55f47918c140, 19, 0x55f47918a680, 0x55f47918a930) = 0x9c40
3437 20:49:39 gnutls_transport_set_vec_push_function(0x55f47918c140, 0x55f47723cc80, 0x55f47918a680, 0x55f47918a930) = 0x9c40
3437 20:49:39 gnutls_handshake(0x55f47918c140, 0x55f47723cc80, 0x55f47918a680, 0x55f47918a930 <unfinished ...>
3437 20:49:39 sendmsg(19, 0x7ffcfe82e630, 0x20000000, 1) = -1
3437 20:49:39 __errno_location() = 0x7fc6d84bbac0
3437 20:49:39 __errno_location() = 0x7fc6d84bbac0
3437 20:49:39 <... gnutls_handshake resumed> ) = 0xffffffe4
3437 20:49:39 gnutls_error_is_fatal(0xffffffe4, 0, -128, 0) = 0
0xffffffe4 is -55, which is GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER,
according to:
https://gnutls.org/manual/gnutls.html#Error-codes
I'm attaching a pcap for all the traffic on port 853 from the above
attempt. I don't see any obviously illegal parameters there.
In further debugging, I tried using gnutls-cli to connect directly to
it, and that worked fine:
$ gnutls-cli --sni-hostname=dns.cmrg.net --verify-hostname=dns.cmrg.net 199.58.81.218:853
Processed 128 CA certificate(s).
Resolving '199.58.81.218:853'...
Connecting to '199.58.81.218:853'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=dns.cmrg.net', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x03a4d7448cc89c9444776bbf992fe74a4252, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-11-01 06:00:16 UTC', expires `2020-01-30 06:00:16 UTC', pin-sha256="3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo="
        Public Key ID:
                sha1:44be3735f2f6cf668b6143335d8189250a7c5cd3
                sha256:dc8387492e3c28e73fce590a1ad238e9af5363d3cf283546844dd6d994b8259a
        Public Key PIN:
                pin-sha256:3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
- Certificate[1] info:
 - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
- Status: The certificate is trusted.
- Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Options:
- Handshake was completed
- Simple Client Mode:
I'm attaching a pcap from the gnutls-cli connection as well.
Note from the pcaps that the gnutls-cli connection manages to negotiate
TLS 1.3, while the systemd-resolved connection only manages to elicit a
TLS 1.2 response from the server for some reason.
I'm seeing this error in systemd-resolved with libgnutls30 3.6.10-5, but
I also tried this while rolling back to older versions of libgnutls30 --
version 3.6.7-4 from buster, for example -- and it didn't fix the
problem.
So i think the issue is something to do with the way that libgnutls is
being initialized in this version of systemd.
I do not see this misbehavior on a comparable VM running Debian buster
(with systemd 241-7~deb10u2). On the buster VM, the nameservice
works fine with systemd-resolved.
Let me know if you want me to try some other debugging step.
--dkg
systemd-resolved.pcapng
Description: Binary data
gnutls-cli.pcapng
Description: Binary data
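As an added example (my code, not dkg's and not part of systemd or GnuTLS), a small Python client that does from a script what the report does with gnutls-cli and ltrace: open a verified TLS session to a DNS-over-TLS resolver on port 853, report the negotiated TLS version so the 1.2-versus-1.3 difference seen in the pcaps can be checked directly, send one RFC 7858 length-framed query, and convert the unsigned 32-bit return values ltrace prints into signed GnuTLS error codes. The resolver address and SNI name are the ones from the report; the query name and the query ID are arbitrary choices of mine.

```python
import socket
import ssl
import struct

def gnutls_rc(raw: int) -> int:
    """ltrace prints return values as unsigned 32-bit words; GnuTLS error codes
    are negative ints, so convert before looking the code up in the GnuTLS
    error table (0xffffffe4 decodes to -28)."""
    return raw - (1 << 32) if raw & 0x80000000 else raw

def build_query(name: str, qtype: int = 1, qid: int = 0x1234) -> bytes:
    """Minimal DNS query: 12-byte header with RD set, one IN-class question."""
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in name.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def frame(msg: bytes) -> bytes:
    """RFC 7858 prefixes every DNS message with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def answer_count(msg: bytes) -> int:
    """ANCOUNT from the DNS header; 0 means an empty, SERVFAIL or NXDOMAIN reply."""
    return struct.unpack("!H", msg[6:8])[0]

def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes; a DoT record may arrive split across TLS records."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the TLS session early")
        buf += chunk
    return buf

def probe(ip: str, sni: str, qname: str = "debian.org"):
    """Connect to ip:853, verify chain and hostname against sni, send one
    query and return (negotiated TLS version, ANCOUNT). Needs network access."""
    ctx = ssl.create_default_context()          # system CA store, hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((ip, 853), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(frame(build_query(qname)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return tls.version(), answer_count(recv_exact(tls, length))

if __name__ == "__main__":
    # The resolver from the report: dns.cmrg.net at 199.58.81.218.
    print(probe("199.58.81.218", "dns.cmrg.net"))
```

Running it against a resolver that only completes TLS 1.2 would print "TLSv1.2" where gnutls-cli reports TLS1.3, which narrows the question to the client side's handshake configuration.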