Unbound 1.19.3rc1 pre-release

RayG rgsub1 at btinternet.com
Fri Mar 8 14:48:39 UTC 2024 

Hi Wouter,

OK certificates re-created:

These were the old ones:
18/11/2017  17:25             1,298 unbound_control.key
18/11/2017  17:25               816 unbound_control.pem
18/11/2017  17:25             1,298 unbound_server.key
18/11/2017  17:25               804 unbound_server.pem

These are the new ones:
08/03/2024  13:49             2,524 unbound_control.key
08/03/2024  13:49             1,468 unbound_control.pem
08/03/2024  13:49             2,524 unbound_server.key
08/03/2024  13:49             1,410 unbound_server.pem

But now I get this message:
C:\Program Files\Unbound>unbound-control reload
error: could not SSL_read
D0540000:error:0A000418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:ssl/record/rec_layer_s3.c:865:SSL alert number 48

And in the log file I see:
08/03/2024 14:16:40 C:\Program Files\Unbound\unbound.exe[5548:0] notice: failed connection from 127.0.0.1 port 55344
08/03/2024 14:16:40 C:\Program Files\Unbound\unbound.exe[5548:0] error: remote control failed ssl crypto error:0A000086:SSL routines::certificate verify failed

I know that both the Administrator account and the SYSTEM account can see open and read the key & pem files.

Does this help:
https://stackoverflow.com/questions/53104296/unknown-ca-with-self-generated-ca-certificates-and-client-server

RayG

-----Original Message-----
From: Wouter Wijngaards <wouter at nlnetlabs.nl> 
Sent: Friday, March 8, 2024 8:22 AM
To: RayG <rgsub1 at btinternet.com>; unbound-users at lists.nlnetlabs.nl
Subject: Re: Unbound 1.19.3rc1 pre-release

Hi RayG,

That seems to be because the certificate is too small. The OpenSSL version for 1.19.3 is moved to 3.2.1, it was 1.1.x for 1.19.2, there are bugfixes in the 1.19.3 release to make that possible, to move to OpenSSL 3.x. This more recent OpenSSL version also then requires larger certificates.

It is possible to recreate the certificates, by moving them away and then running unbound-control-setup again. I updated that so the same larger length that is also used for eg. Linux is applied. That should work, a fixed version of that unbound-control-setup.cmd script is here. 
It can be downloaded and then used.
https://github.com/NLnetLabs/unbound/blob/master/winrc/unbound-control-setup.cmd

The fix commit is this one.
https://github.com/NLnetLabs/unbound/commit/939baebfe720e06f1c50e6e770024e138a84ff36

It may also be possible to use the option `control-use-cert: no`. Make sure that the control interface is the default, or 127.0.0.1 for safety, and then it does not use a certificate at all, and thus the certificate cannot be too small.

For the unbound-control-setup script "openssl.exe" is needed, it creates the certificates. For people that compile from source code, any openssl version can be used.

Best regards, Wouter

On 07/03/2024 15:30, RayG wrote:
> Just trying out 1.19.3rc1 and got this error when I run my PowerShell configuration script.
> 
> =====
> unbound-checkconf: no errors in C:\Program Files\Unbound\service.conf
> error: Error setting up SSL_CTX client cert 
> 38570000:error:0A00018F:SSL routines:SSL_CTX_use_certificate:ee key too small:ssl/ssl_rsa.c:239:
> 
> Failed to reload the server please restart it manually:
> =====
> 
> 
> The script at the end of setting up all the various files to reload the server is:
> 
> =====
> @echo off
> cd "C:\Program Files\Unbound"
> C:
> "C:\Program Files\Unbound\unbound-checkconf.exe"
> if %errorlevel% neq 0 goto invalid
> "C:\Program Files\Unbound\unbound-control.exe" reload if %errorlevel% 
> neq 0 goto noreload echo.
> echo Server reloaded
> "ipconfig" /flushdns
> goto end
> :noreload
> echo.
> echo Failed to reload the server please restart it manually:
> goto end
> :invalid
> echo.
> echo Please check the configuration is valid:
> :end
> echo.
> pause
> =====
> 
> Restarting the Unbound service manually via Computer Management worked OK.
> 
> 07/03/2024 14:22:38 C:\Program Files\Unbound\unbound.exe[23324:0] info: service stopped (unbound 1.19.3rc1).
> 07/03/2024 14:22:38 C:\Program Files\Unbound\unbound.exe[23324:0] 
> info: server stats for thread 0: 435 queries, 49 answers from cache, 
> 386 recursions, 10 prefetch, 0 rejected by ip ratelimiting
> 07/03/2024 14:22:38 C:\Program Files\Unbound\unbound.exe[23324:0] 
> info: server stats for thread 0: requestlist max 10 avg 1.34848 
> exceeded 0 jostled 0
> 07/03/2024 14:22:38 C:\Program Files\Unbound\unbound.exe[23324:0] 
> info: average recursion processing time 0.129783 sec
> 07/03/2024 14:22:38 C:\Program Files\Unbound\unbound.exe[23324:0] 
> info: histogram of recursion processing times
> 07/03/2024 14:22:38 C:\Program Files\Unbound\unbound.exe[23324:0] 
> info: [25%]=0.0384748 median[50%]=0.0796232 [75%]=0.151052
> 07/03/2024 14:22:38 C:\Program Files\Unbound\unbound.exe[23324:0] info: lower(secs) upper(secs) recursions
> 07/03/2024 14:22:38 C:\Program Files\Unbound\unbound.exe[23324:0] info:    0.000000    0.000001 9
> 07/03/2024 14:22:38 C:\Program Files\Unbound\unbound.exe[23324:0] info:    0.004096    0.008192 1
> 07/03/2024 14:22:38 C:\Program Files\Unbound\unbound.exe[23324:0] info:    0.008192    0.016384 24
> 07/03/2024 14:22:38 C:\Program Files\Unbound\unbound.exe[23324:0] info:    0.016384    0.032768 47
> 07/03/2024 14:22:38 C:\Program Files\Unbound\unbound.exe[23324:0] info:    0.032768    0.065536 89
> 07/03/2024 14:22:38 C:\Program Files\Unbound\unbound.exe[23324:0] info:    0.065536    0.131072 107
> 07/03/2024 14:22:38 C:\Program Files\Unbound\unbound.exe[23324:0] info:    0.131072    0.262144 82
> 07/03/2024 14:22:38 C:\Program Files\Unbound\unbound.exe[23324:0] info:    0.262144    0.524288 15
> 07/03/2024 14:22:38 C:\Program Files\Unbound\unbound.exe[23324:0] info:    0.524288    1.000000 6
> 07/03/2024 14:22:38 C:\Program Files\Unbound\unbound.exe[23324:0] info:    1.000000    2.000000 2
> 07/03/2024 14:22:38 C:\Program Files\Unbound\unbound.exe[23324:0] info:    2.000000    4.000000 4
> 07/03/2024 14:22:40 C:\Program Files\Unbound\unbound.exe[7536:0] 
> notice: init module 0: respip
> 07/03/2024 14:22:40 C:\Program Files\Unbound\unbound.exe[7536:0] 
> notice: init module 1: validator
> 07/03/2024 14:22:40 C:\Program Files\Unbound\unbound.exe[7536:0] 
> notice: init module 2: iterator
> 07/03/2024 14:22:40 C:\Program Files\Unbound\unbound.exe[7536:0] info: start of service (unbound 1.19.3rc1).
> 
> -----Original Message-----
> From: Wouter Wijngaards <wouter at nlnetlabs.nl>
> Sent: Thursday, March 7, 2024 11:09 AM
> To: maintainers at lists.nlnetlabs.nl; unbound-users at lists.nlnetlabs.nl
> Subject: Unbound 1.19.3rc1 pre-release
> 
> Hi,
> 
> Unbound 1.19.3rc1 pre-release is available:
> https://nlnetlabs.nl/downloads/unbound/unbound-1.19.3rc1.tar.gz
> sha256 
> 9445dbb3a79c8155c6d25b72e6a0f85e1dc3b63f794e6b1f7a02d14588d905be
> pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.19.3rc1.tar.gz
> 
> This is the maintainer's pre-release of Unbound 1.19.3rc1.
> 
> This release has a number of bug fixes. The CNAME synthesized for a DNAME record uses the original TTL, of the DNAME record, and that means it can be cached for the TTL, instead of 0.
> 
> There is a fix that when a message was stored in cache, but one of the RRsets was not updated due to cache policy, it now restricts the message TTL if the cache version of the RRset has a shorter TTL. It avoids a bug where the message is not expired, but its contents is expired.
> 
> For dnstap, it logs type DoH and DoT correctly, if that is used for the message.
> 
> The b.root-servers.net address is updated in the default root hints.
> 
> When performing retries for failed sends, a retry at a smaller UDP size is now not performed when that attempt is not actually smaller, and at defaults, since the flag day changes, it is the same size. This makes it skip the step, it is useless because there is no reduction in size.
> 
> Clients with a valid DNS Cookie will bypass the ratelimit, if one is set. The value from ip-ratelimit-cookie is used for these queries.
> 
> Furthermore there is a fix to make correct EDE Prohibited answers for access control denials, and a fix for EDNS client subnet scope zero answers.
> 
> Features:
> - Merge PR #973: Use the origin (DNAME) TTL for synthesized CNAMEs as
>     per RFC 6672.
> 
> Bug Fixes:
> - Fix unit test parse of origin syntax.
> - Use 127.0.0.1 explicitly in tests to avoid delays and errors on
>     newer systems.
> - Fix #964: config.h.in~ backup file in release tar balls.
> - Merge #968: Replace the obsolescent fgrep with grep -F in tests.
> - Merge #971: fix 'WARNING: Message has 41 extra bytes at end'.
> - Fix #969: [FR] distinguish Do53, DoT and DoH in the logs.
> - Fix dnstap that assertion failed on logging other than UDP and TCP
>     traffic. It lists it as TCP traffic.
> - Fix to sync the tests script file common.sh.
> - iana portlist update.
> - Updated IPv4 and IPv6 address for b.root-servers.net in root hints.
> - Update test script file common.sh.
> - Fix tests to use new common.sh functions, wait_logfile and
>     kill_from_pidfile.
> - Fix #974: doc: default number of outgoing ports without libevent.
> - Merge #975: Fixed some syntax errors in rpl files.
> - Fix root_zonemd unit test, it checks that the root ZONEMD verifies,
>     now that the root has a valid ZONEMD.
> - Update example.conf with cookie options.
> - Merge #980: DoH: reject non-h2 early. To fix #979: Improve errors
>     for non-HTTP/2 DoH clients.
> - Merge #985: Add DoH and DoT to dnstap message.
> - Fix #983: Sha1 runtime insecure change was incomplete.
> - Remove unneeded newlines and improve indentation in remote control
>     code.
> - Merge #987: skip edns frag retry if advertised udp payload size is
>     not smaller.
> - Fix unit test for #987 change in udp1xxx retry packet send.
> - Merge #988: Fix NLnetLabs#981: dump_cache truncates large records.
> - Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows.
> - Fix to link with libssp for libcrypto and getaddrinfo check for
>     only header. Also update crosscompile to remove ssp for 32bit.
> - Merge #993: Update b.root-servers.net also in example config file.
> - Update workflow for ports to use newer openssl on windows compile.
> - Fix warning for windres on resource files due to redefinition.
> - Fix for #997: Print details for SSL certificate failure.
> - Update error printout for duplicate trust anchors to include the
>     trust anchor name (relates to #920).
> - Update message TTL when using cached RRSETs. It could result in
>     non-expired messages with expired RRSETs (non-usable messages by
>     Unbound).
> - Merge #999: Search for protobuf-c with pkg-config.
> - Fix #1006: Can't find protobuf-c package since #999.
> - Fix documentation for access-control in the unbound.conf man page.
> - Merge #1010: Mention REFUSED has the TC bit set with unmatched
>     allow_cookie acl in the manpage. It also fixes the code to match the
>     documentation about clients with a valid cookie that bypass the
>     ratelimit regardless of the allow_cookie acl.
> - Document the suspend argument for process_ds_response().
> - Move github workflows to use checkoutv4.
> - Fix edns subnet replies for scope zero answers to not get stored
>     in the global cache, and in cachedb, when the upstream replies
>     without an EDNS record.
> - Fix for #1022: Fix ede prohibited in access control refused answers.
> 
> Best regards, Wouter
> 
>

More information about the Unbound-users mailing list