From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 270912] dns/unbound: issues with ASLR
Date: Wed, 19 Apr 2023 22:39:53 +0000
X-Bugzilla-Product: Ports & Packages
X-Bugzilla-Component: Individual Port(s)
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: freebsd@kumba.dev
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: ports-bugs@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270912

--- Comment #2 from Joshua Kinard ---

It appears to be failing in the SSL/TLS handshake to the upstream forwarders after a period of time. Almost seems like a queue is getting backed up somewhere and things start overflowing. I've spent the last hour trying to debug it, thinking it was a problem w/ Quad9 itself.

The key error in log files from Unbound is this:

> unbound[19]: [19:2] error: SSL_handshake syscall: Connection reset by peer

I've turned up the verbosity, but the additional detail does not shed any additional light on why the connection was reset (no SSL errors/reasons, etc). It seems like everything just works with each connection until it doesn't.

I started noticing these issues when my Squid proxy would just start returning read errors after launching a browser on one of my desktops. Waiting about ~30s-1m after launching the browser seemed to let the dust settle and then things would seemingly work fine for hours before you'd see things start to hiccup again. Websites that do a *lot* of background chatter, like Twitter, Facebook, etc, seemed to trip the issue up the most because they pile the queries up and seem to overload Unbound, causing the SSL errors to appear.

A good way to reproduce is first, silence outbound network traffic on the network, or at least traffic that will hit a particular Unbound DNS server. Edit the config, set verbosity to '2' and restart the daemon. tail -f the log file and once it's loaded up, find a Windows box, and launch MS Edge. Edge makes a *ton* of queries at once when it loads and on my end, the first few got resolved fine against Quad9, then the SSL errors would start to appear, causing Unbound to try other forwarders and eventually giving up and returning SERVFAIL.

Can confirm, though, that turning ASLR off for the Unbound binary appears to make things smooth again.
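
A log-triage sketch for the symptom described in this comment, added here as an example and not part of the original report or of Unbound itself: it extracts the quoted `SSL_handshake syscall` error from syslog-style lines and groups the resets into bursts, so a before/after comparison (ASLR on versus off) can be made on counts rather than by eye. The timestamp and host prefix, the sample lines, and all function names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Error text and "unbound[pid]: [pid:thread]" layout come from the report;
# the leading syslog timestamp and hostname are an assumed prefix.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s\S+\s"
    r"unbound\[\d+\]:\s\[\d+:(?P<thread>\d+)\]\s"
    r"error: SSL_handshake syscall: (?P<reason>.+)$"
)

# Constructed sample input, not taken from the bug report.
SAMPLE_LOG = """\
Apr 19 21:58:02 ns1 unbound[19]: [19:0] info: resolving example.org. A IN
Apr 19 21:58:03 ns1 unbound[19]: [19:2] error: SSL_handshake syscall: Connection reset by peer
Apr 19 21:58:03 ns1 unbound[19]: [19:1] error: SSL_handshake syscall: Connection reset by peer
Apr 19 21:58:05 ns1 unbound[19]: [19:2] error: SSL_handshake syscall: Connection reset by peer
Apr 19 21:58:06 ns1 unbound[19]: [19:3] error: SSL_handshake syscall: Connection reset by peer
Apr 19 22:31:40 ns1 unbound[19]: [19:2] error: SSL_handshake syscall: Connection reset by peer
"""

def parse_resets(text, year=2023):
    """Return sorted (timestamp, thread, reason) tuples for handshake errors."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog omits the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, int(m["thread"]), m["reason"]))
    return sorted(events)

def find_bursts(events, window=timedelta(seconds=10), threshold=3):
    """Group errors spaced <= window apart; keep runs of >= threshold."""
    bursts, run = [], []
    for ev in events:
        if run and ev[0] - run[-1][0] > window:
            if len(run) >= threshold:
                bursts.append((run[0][0], run[-1][0], len(run)))
            run = []
        run.append(ev)
    if len(run) >= threshold:
        bursts.append((run[0][0], run[-1][0], len(run)))
    return bursts

def resets_per_thread(events):
    """Count handshake errors per Unbound worker thread."""
    return Counter(thread for _, thread, _ in events)

if __name__ == "__main__":
    evs = parse_resets(SAMPLE_LOG)
    print(find_bursts(evs), dict(resets_per_thread(evs)))
```
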