Package: knot-resolver
Version: 3.2.1-3
Severity: normal

Dear Maintainer,

This version of Knot Resolver, which is in both Buster and Sid, has a bug in session resumption support with TLSv1.3. This is upstream bug https://gitlab.labs.nic.cz/knot/knot-resolver/issues/489, which has been fixed in upstream 4.2.0.

This bug can easily be reproduced with TLS_FORWARD to 1.1.1.1 since two days ago, because Cloudflare enabled TLSv1.3 then. You need this in the configuration file:

  policy.add(policy.all(policy.TLS_FORWARD({
    { '1.1.1.1', hostname='cloudflare-dns.com', ca_file='/etc/ssl/certs/ca-certificates.crt' },
  })))

Then any DNS lookup not yet cached by Knot will fail and these messages are logged:

  kresd[8129]: [tls_client] TLS handshake with 1.1.1.1#00853 has completed
  kresd[8129]: [tls_client] TLS session has not resumed
  kresd[8129]: [gnutls] (5) REC[0x55868f25e580]: Preparing Packet Application Data(23) with length: 41 and min pad: 0
  kresd[8129]: [gnutls] (5) REC[0x55868f25e580]: Sent Packet[1] Application Data(23) in epoch 2 and length: 63
  kresd[8129]: [gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
  kresd[8129]: [gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1775
  kresd[8129]: [gnutls] (5) REC[0x55868f25e580]: SSL 3.3 Application Data packet received. Epoch 2, length: 445
  kresd[8129]: [gnutls] (5) REC[0x55868f25e580]: Expected Packet Application Data(23)
  kresd[8129]: [gnutls] (5) REC[0x55868f25e580]: Received Packet Application Data(23) with length: 445
  kresd[8129]: [gnutls] (5) REC[0x55868f25e580]: Decrypted Packet[0] Handshake(22) with length: 428
  kresd[8129]: [gnutls] (3) ASSERT: ../../lib/buffers.c[get_last_packet]:1168
  kresd[8129]: [gnutls] (4) HSK[0x55868f25e580]: NEW SESSION TICKET (4) was received. Length 210[424], frag offset 0, frag length: 210, sequence: 0
  kresd[8129]: [gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1429
  kresd[8129]: [gnutls] (4) HSK[0x55868f25e580]: parsing session ticket message
  kresd[8129]: [gnutls] (3) ASSERT: ../../lib/buffers.c[get_last_packet]:1168
  kresd[8129]: [gnutls] (4) HSK[0x55868f25e580]: NEW SESSION TICKET (4) was received. Length 210[210], frag offset 0, frag length: 210, sequence: 0
  kresd[8129]: [gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1429
  kresd[8129]: [gnutls] (4) HSK[0x55868f25e580]: parsing session ticket message
  kresd[8129]: [gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1577
  kresd[8129]: [gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1775
  kresd[8129]: [io] => connection to '1.1.1.1#00853': error processing TLS data, close

For Buster this patch could be cherry-picked: https://gitlab.labs.nic.cz/knot/knot-resolver/commit/9d42f93d591e1f581a4287a141f0af4276ebb1fb

See also https://community.cloudflare.com/t/dns-over-tls-broken-with-knot-resolver-since-today/142319

-- System Information:
Debian Release: 10.2
  APT prefers stable
  APT policy: (700, 'stable'), (650, 'proposed-updates'), (600, 'oldstable'), (550, 'oldstable-proposed-updates'), (500, 'oldoldstable'), (500, 'testing'), (200, 'unstable'), (160, 'experimental'), (110, 'disco')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/24 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages knot-resolver depends on:
ii  adduser          3.118
ii  dns-root-data    2019031302
ii  libc6            2.28-10
ii  libdnssec6       2.7.6-2
ii  libedit2         3.1-20181209-1
ii  libgcc1          1:8.3.0-6
ii  libgnutls30      3.6.7-4
ii  libknot8         2.7.6-2
ii  liblmdb0         0.9.22-1
ii  libluajit-5.1-2  2.1.0~beta3+dfsg-5.1
ii  libstdc++6       8.3.0-6
ii  libsystemd0      241-7~deb10u2
ii  libuv1           1.24.1-1
ii  libzscanner2     2.7.6-2
ii  lua-sec          0.7-1
ii  lua-socket       3.0~rc1+git+ac3201d-4

Versions of packages knot-resolver recommends:
pn  knot-resolver-module-http  <none>
pn  lua-basexx                 <none>

knot-resolver suggests no packages.

-- Configuration Files:
/etc/knot-resolver/kresd.conf changed [not included]

-- no debconf information