obsolete

dnsdist-1.3.0-1.fc28

FEDORA-2018-908399dcfc created by ruben 6 years ago for Fedora 28

Upstream released new version. See https://blog.powerdns.com/2018/03/30/dnsdist-1-3-0-released/ for more details.

This update has been submitted for testing by ruben.

6 years ago

This update has been pushed to testing.

6 years ago

I tried to enable the new (as of 1.3.0) DNS-over-TLS functionality, and it seems to crash dnsdist as soon as it receives a query over TLS.

If started with -v (verbose) I get:

Got TCP connection from 192.0.2.1:54742 /usr/include/c++/8/bits/stl_vector.h:932: std::vector<_Tp, _Alloc>::reference std::vector<_Tp, _Alloc>::operator [with _Tp = char; _Alloc = std::allocator<char>; std::vector<_Tp, _Alloc>::reference = char&; std::vector<_Tp, _Alloc>::size_type = long unsigned int]: Assertion '__builtin_expect(__n < this->size(), true)' failed. Aborted (core dumped)

When running with the same config as I had for 1.2.1, or if not sending any queries to it over TLS, it appears to work alright.

Pardon the butchered log output I posted previously (accidental markdown interpretation of log contents), the crash I get when receiving a query over TLS is:

Got TCP connection from 192.0.2.1:54742
/usr/include/c++/8/bits/stl_vector.h:932: std::vector<_Tp, _Alloc>::reference std::vector<_Tp, _Alloc>::operator[](std::vector<_Tp, _Alloc>::size_type) [with _Tp = char; _Alloc = std::allocator<char>; std::vector<_Tp, _Alloc>::reference = char&; std::vector<_Tp, _Alloc>::size_type = long unsigned int]: Assertion '__builtin_expect(__n < this->size(), true)' failed.
Aborted (core dumped)

Thanks, that's good to know, I didn't test it myself yet. Do you have a config I can try?

Based on the error, I assume it's some GCC 8 issue similar to https://github.com/PowerDNS/pdns/issues/6669

Minimal setup:

$ openssl req -newkey rsa:2048 -nodes -keyout dnsdist.key -x509 -days 365 -out dnsdist.pem
$ openssl rsa -pubout -outform der -in dnsdist.key | openssl dgst -binary -sha256 | openssl base64  # for use in eg stubby

$ cat /etc/dnsdist/dnsdist.conf
addLocal("127.0.99.1")
addTLSLocal('127.0.99.1', '/etc/dnsdist/dnsdist.pem', '/etc/dnsdist/dnsdist.key')
newServer({address='8.8.8.8:53'})
$

$ cat /etc/stubby/stubby.yml
resolution_type: GETDNS_RESOLUTION_STUB

dns_transport_list:
  - GETDNS_TRANSPORT_TLS

tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

tls_query_padding_blocksize: 128

edns_client_subnet_private: 1

round_robin_upstreams: 1

idle_timeout: 10000

listen_addresses:
  - 127.0.0.1
  - 0::1

upstream_recursive_servers:
  - address_data: 127.0.99.1
    tls_auth_name: "CN-entered-when-generating-cert"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: base64-value-from-second-openssl-cmd

$

Crash (as per above) triggered by query to stubby:

$ dig @127.0.0.1 example.com

; <<>> DiG 9.11.3-RedHat-9.11.3-6.fc28 <<>> @127.0.0.1 example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31331
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;example.com.                   IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jun 05 21:16:43 CEST 2018
;; MSG SIZE  rcvd: 29

$

Actually, it appears any TCP query (DoT or not) triggers it, I just ran into it first with DoT. Which means that a much simpler config does the job.
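The comment above narrows the trigger to the TCP path, so the reproducer does not need stubby or TLS at all. Below is a small client, added here as an example and not part of the original thread or of dnsdist, that builds a DNS query on the wire, frames it with the 2-byte length prefix TCP transport requires (RFC 1035 section 4.2.2), sends it over plain TCP or, when a CA file is given, over TLS against the self-signed dnsdist.pem from the setup above, and returns the RCODE of the reply. It assumes the listener addresses from the posted dnsdist.conf (127.0.99.1, port 53 for addLocal and the TLS listener on 853, the latter being an assumption about addTLSLocal's default) and that the host running it can reach them. If dnsdist aborts on receipt, the client sees the socket reset and raises instead of returning an RCODE. The abort itself comes from libstdc++'s `_GLIBCXX_ASSERTIONS` bounds check on `vector::operator[]`, which Fedora 28's default build flags enable; without it the same out-of-range index would be a silent out-of-bounds read or write rather than a clean crash.

```python
"""Send one DNS query over TCP (optionally DNS-over-TLS) without going
through stubby.  Added example; not code from the dnsdist project."""
import socket
import ssl
import struct
import sys


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: header with RD set, one question, no EDNS."""
    # ID, FLAGS (RD=1), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def tcp_frame(msg: bytes) -> bytes:
    """Prefix a DNS message with its 2-byte big-endian length (TCP transport)."""
    return struct.pack("!H", len(msg)) + msg


def parse_rcode(msg: bytes) -> int:
    """Return the RCODE (low 4 bits of the FLAGS word) of a DNS message."""
    (flags,) = struct.unpack("!H", msg[2:4])
    return flags & 0x000F


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; a peer that died mid-reply shows up as an error."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def query_tcp(host: str, port: int, name: str, cafile: str = None,
              server_name: str = None, timeout: float = 5.0) -> int:
    """Send one query over TCP (or TLS if cafile is set) and return the RCODE.

    cafile/server_name are assumptions for the self-signed test cert: the PEM
    from the openssl command above and the CN entered when generating it.
    """
    msg = build_query(name)
    sock = socket.create_connection((host, port), timeout=timeout)
    if cafile is not None:
        ctx = ssl.create_default_context(cafile=cafile)
        sock = ctx.wrap_socket(sock, server_hostname=server_name)
    with sock:
        sock.sendall(tcp_frame(msg))
        (length,) = struct.unpack("!H", recv_exact(sock, 2))
        reply = recv_exact(sock, length)
    return parse_rcode(reply)


if __name__ == "__main__":
    # Plain TCP against the addLocal listener; add a cafile/CN for the TLS one.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.99.1"
    try:
        print("rcode", query_tcp(target, 53, "example.com"))
    except (ConnectionError, OSError) as e:
        print("no reply (server gone?):", e)
```

A plain-TCP run against the addLocal listener is enough to reproduce the report; the same `query_tcp` call with `cafile="/etc/dnsdist/dnsdist.pem"`, `port=853` and `server_name` set to the certificate's CN exercises the DoT listener with the self-signed cert trusted explicitly, without needing stubby's pinset.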

Great, reproduced and reported upstream at https://github.com/PowerDNS/pdns/issues/6712

This update has been obsoleted by dnsdist-1.3.0-2.fc28.

6 years ago


Metadata
Type: enhancement
Karma: 0
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: disabled
Dates
submitted: 6 years ago
in testing: 6 years ago
Bugs
BZ#1409154 dnsdist-1.3.0 is available