Upstream released new version. See https://blog.powerdns.com/2018/03/30/dnsdist-1-3-0-released/ for more details.
This update has been submitted for testing by ruben.
This update has been pushed to testing.
I tried to enable the new (as of 1.3.0) DNS-over-TLS functionality, and it seems to crash dnsdist as soon as it receives a query over TLS.
If started with -v (verbose) I get:
```
Got TCP connection from 192.0.2.1:54742
/usr/include/c++/8/bits/stl_vector.h:932: std::vector<_Tp, _Alloc>::reference std::vector<_Tp, _Alloc>::operator [with _Tp = char; _Alloc = std::allocator<char>; std::vector<_Tp, _Alloc>::reference = char&; std::vector<_Tp, _Alloc>::size_type = long unsigned int]: Assertion '__builtin_expect(__n < this->size(), true)' failed.
Aborted (core dumped)
```
When running with the same config as I had for 1.2.1, or if not sending any queries to it over TLS, it appears to work alright.
Pardon the butchered log output I posted previously (accidental markdown interpretation of log contents), the crash I get when receiving a query over TLS is:
```
Got TCP connection from 192.0.2.1:54742
/usr/include/c++/8/bits/stl_vector.h:932: std::vector<_Tp, _Alloc>::reference std::vector<_Tp, _Alloc>::operator[](std::vector<_Tp, _Alloc>::size_type) [with _Tp = char; _Alloc = std::allocator<char>; std::vector<_Tp, _Alloc>::reference = char&; std::vector<_Tp, _Alloc>::size_type = long unsigned int]: Assertion '__builtin_expect(__n < this->size(), true)' failed.
Aborted (core dumped)
```
Thanks, that's good to know, I didn't test it myself yet. Do you have a config I can try?
Based on the error, I assume it's some GCC 8 issue similar to https://github.com/PowerDNS/pdns/issues/6669
Minimal setup:
```
$ openssl req -newkey rsa:2048 -nodes -keyout dnsdist.key -x509 -days 365 -out dnsdist.pem
$ openssl rsa -pubout -outform der -in dnsdist.key | openssl dgst -binary -sha256 | openssl base64  # for use in eg stubby
$ cat /etc/dnsdist/dnsdist.conf
addLocal("127.0.99.1")
addTLSLocal('127.0.99.1', '/etc/dnsdist/dnsdist.pem', '/etc/dnsdist/dnsdist.key')
newServer({address='8.8.8.8:53'})
$
$ cat /etc/stubby/stubby.yml
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
round_robin_upstreams: 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1
  - 0::1
upstream_recursive_servers:
  - address_data: 127.0.99.1
    tls_auth_name: "CN-entered-when-generating-cert"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: base64-value-from-second-openssl-cmd
$
```
Crash (as per above) triggered by query to stubby:
```
$ dig @127.0.0.1 example.com

; <<>> DiG 9.11.3-RedHat-9.11.3-6.fc28 <<>> @127.0.0.1 example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31331
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;example.com.                   IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jun 05 21:16:43 CEST 2018
;; MSG SIZE  rcvd: 29

$
```
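The setup above pins stubby to the SPKI hash of the dnsdist key, so a wrong pin value produces the same SERVFAIL from dig as a crashed dnsdist does. The script below is an added example, not part of this Bodhi thread or of the dnsdist/stubby projects: it generates a self-signed certificate the same way, derives the pin from the private key (as the thread does) and independently from the certificate that dnsdist would present, and checks that both agree before printing the `value:` line for `tls_pubkey_pinset`. It assumes `openssl` is on PATH, a writable temp directory, and uses the placeholder CN `dot.example`.

```shell
#!/bin/sh
# Added example (not from the Bodhi thread or the dnsdist/stubby projects):
# derive stubby's SPKI SHA-256 pin two ways and verify they match, so a pin
# mismatch is ruled out before debugging the resolver itself.
set -eu

WORK="${TMPDIR:-/tmp}/dot-pin-demo.$$"   # scratch dir, assumed writable
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Self-signed cert + key, same openssl invocation as the thread's setup but
# with a fixed subject so it runs non-interactively ("dot.example" is a placeholder CN).
gen_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/dnsdist.key" \
        -x509 -days 365 -subj "/CN=dot.example" -out "$WORK/dnsdist.pem" 2>/dev/null
}

# Pin derived from the private key, exactly as the thread computes it.
pin_from_key() {
    openssl rsa -in "$1" -pubout -outform der 2>/dev/null \
        | openssl dgst -binary -sha256 | openssl base64
}

# Pin derived from the certificate: the SubjectPublicKeyInfo a TLS client
# actually sees, which is what stubby compares against tls_pubkey_pinset.
pin_from_cert() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform der 2>/dev/null \
        | openssl dgst -binary -sha256 | openssl base64
}

# Returns 0 when both derivations agree, 1 otherwise.
pins_match() {
    [ "$(pin_from_key "$WORK/dnsdist.key")" = "$(pin_from_cert "$WORK/dnsdist.pem")" ]
}

# The line to paste under "- digest: \"sha256\"" in stubby.yml.
stubby_pin_line() {
    printf 'value: %s\n' "$(pin_from_cert "$WORK/dnsdist.pem")"
}

gen_cert
if pins_match; then
    echo "SPKI pin matches the certificate dnsdist will serve:"
    stubby_pin_line
else
    echo "pin mismatch: stubby would refuse this upstream" >&2
    exit 1
fi
```

Computing the pin from the certificate rather than the key is the check worth keeping: if the key on disk is ever rotated without regenerating the certificate (or vice versa), `pin_from_key` silently yields a pin that no served certificate matches, and every DoT query fails closed at stubby with nothing useful in the dnsdist log.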
Actually, it appears any TCP query (DoT or not) triggers it, I just ran into it first with DoT. Which means that a much simpler config does the job.
Great, reproduced and reported upstream at https://github.com/PowerDNS/pdns/issues/6712
This update has been obsoleted by dnsdist-1.3.0-2.fc28.