[Pkg-dns-devel] Bug#879079: knot-dnsutils: kdig +tls fails to call connect()

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Oct 19 05:44:34 UTC 2017


Package: knot-dnsutils
Version: 2.6.0-1
Severity: normal
Control: notfound -1 2.5.4-2

I'm trying to use kdig to test DNS-over-TLS.

The command I'm testing is:

    kdig +short +tls -p 853 @199.58.81.218 -t a www.ietf.org

With knot-dnsutils (and libzscanner1, libknot6, libdnssec4) 2.5.4-2,
the command works (it returns the expected data), and I see these system
calls at the start of the connection:

socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
fcntl(3, F_SETFL, O_RDONLY|O_NONBLOCK)  = 0
connect(3, {sa_family=AF_INET, sin_port=htons(853), sin_addr=inet_addr("199.58.81.218")}, 16) = -1 EINPROGRESS (Operation now in progress)
poll([{fd=3, events=POLLOUT}], 1, 5000) = 1 ([{fd=3, revents=POLLOUT}])
getsockopt(3, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
sendmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\26\3\1\0\377\1\0\0\373\3\3Y\350:\262\345\344\253\261z\320\2\257k\33Yz\20\3550\355%"..., iov_len=260}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 260
recvfrom(3, 0x555d5781a0bb, 5, 0, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)


But with version 2.6.0-1, the command fails, and I see:

socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
fcntl(3, F_SETFL, O_RDONLY|O_NONBLOCK)  = 0
getsockopt(3, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
sendmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\26\3\1\0\377\1\0\0\373\3\3Y\350:\267x\n\"\326\200\210\3575n\335\ni&\255\274\272\32"..., iov_len=260}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = -1 EPIPE (Broken pipe)
--- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=13905, si_uid=1000} ---

I note that there appears to be no attempt to call connect() with the
newer version -- no wonder it's not working!

It seems to work for TCP and UDP, fwiw.  Just not for TLS.

(also, note that the "-p 853" shouldn't even be necessary in the above
command; I'd added it in there to see whether that would help the
testing, but I think it behaves the same way with or without it)

      --dkg


-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages knot-dnsutils depends on:
ii  libc6           2.24-17
ii  libdnssec4      2.6.0-1
ii  libfstrm0       0.3.0-1+b1
ii  libgnutls30     3.5.15-2
ii  libidn2-0       2.0.2-5
ii  libknot6        2.6.0-1
ii  libprotobuf-c1  1.2.1-2
ii  libzscanner1    2.6.0-1

knot-dnsutils recommends no packages.

knot-dnsutils suggests no packages.

-- no debconf information
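The two strace sequences in the report as runnable C, added here as an illustration and not code from kdig or the Knot project: the non-blocking connect handshake that 2.5.4 shows (connect, poll for POLLOUT, then SO_ERROR) beside the write-before-connect that 2.6.0 shows. The loopback listener and the 5-byte payload are constructed stand-ins for the resolver and the TLS ClientHello.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <sys/socket.h>
#include <unistd.h>

static const unsigned char hello[5] = { 0x16, 0x03, 0x01, 0x00, 0xff }; /* constructed: start of a TLS record */

/* The sequence in the working 2.5.4 strace: non-blocking connect(), poll() for
 * POLLOUT, then SO_ERROR (POLLOUT also fires when the connect has failed). */
static int nonblocking_connect(const struct sockaddr_in *sa, int timeout_ms)
{
    int fd = socket(AF_INET, SOCK_STREAM, IPPROTO_IP), n, err = 0;
    struct pollfd pfd = { .fd = fd, .events = POLLOUT }; socklen_t len = sizeof err;
    if (fd < 0 || fcntl(fd, F_SETFL, O_NONBLOCK) < 0 ||
        (connect(fd, (const struct sockaddr *)sa, sizeof *sa) < 0 &&
         errno != EINPROGRESS)) goto fail;        /* EINPROGRESS is the normal case */
    if ((n = poll(&pfd, 1, timeout_ms)) == 0) errno = ETIMEDOUT;
    if (n <= 0 || getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) < 0) goto fail;
    if (err) { errno = err; goto fail; }          /* deferred connect() failure */
    return fd;                                    /* connected; safe to write */
fail: err = errno; close(fd); errno = err; return -1;
}

/* The 2.6.0 strace: connect() never happens, so the first write of the ClientHello
 * hits an unconnected socket. MSG_NOSIGNAL replaces the SIGPIPE in the report. */
static int send_without_connect(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
    int e = send(fd, hello, sizeof hello, MSG_NOSIGNAL) < 0 ? errno : 0;
    close(fd);
    return e;                                     /* EPIPE on Linux */
}

/* Self-test against a loopback listener (constructed stand-in for the resolver
 * in the report; port 0 lets the kernel pick). Returns 0 on success. */
static int connect_sequence_selftest(void)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t len = sizeof sa;
    int ls = socket(AF_INET, SOCK_STREAM, IPPROTO_IP), fd, ok;
    if (ls < 0 || bind(ls, (struct sockaddr *)&sa, len) < 0 || listen(ls, 1) < 0 ||
        getsockname(ls, (struct sockaddr *)&sa, &len) < 0) { close(ls); return -1; }
    if ((fd = nonblocking_connect(&sa, 5000)) < 0) { close(ls); return -1; }
    ok = send(fd, hello, sizeof hello, MSG_NOSIGNAL) == (ssize_t)sizeof hello;
    close(fd); close(ls); return ok ? 0 : -1;
}
```

Running the first function under strace reproduces the 2.5.4 call pattern line for line; the second reproduces the EPIPE from the 2.6.0 trace without the signal.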