DNS over TLS: error: SSL_handshake syscall: No route to host #673
Comments
Fixed the issue in the commit. Thanks for the report! I think that the code does wait for the socket to become ready. It becomes ready with an error, and this error comes up when the system calls in the TLS handshake interact with the socket. The errors from that are not filtered like the connect failures from TCP. Hence the log messages. The patch fixes that by squelching the error from the logs; it is visible at high verbosity values. This also fixes it for a number of other error outputs, like host down and permission denied.
I acknowledge it fixed the error. Thanks! But I think it might write some kind of error if I try using just IPv6 addresses and they are not usable. When I comment out the IPv4 addresses, it never says the error was "no route to host". I think that would still be useful if no other IP worked. Could it perhaps save the last error and print at least a single error when no address was reachable? Maybe also with a summary of the number of addresses tried.
It might be quite useful when analysing unbound logs after it had temporary resolution problems because the default route was not available for some time. Now it would never report such a condition, which is better for unbound-host, but I think not for unbound.
* nlnet/master:
  - Fix some lint type warnings.
  - Fix ede test to not use default pidfile, and use local interface.
  - Fix to silence test for ede error output to the console from the test setup script.
  - Fix typos in config_set_option for the 'num-threads' and 'ede-serve-expired' options.
  - Fix NLnetLabs#678: [FR] modify behaviour of unbound-control rpz_enable zone, by updating unbound-control's documentation.
  - For NLnetLabs#677: Added tls-system-cert to config parser and documentation.
  - Changelog note for NLnetLabs#677. Allow using system certificates not only on Windows
  - Fix NLnetLabs#417: prefetch and ECS causing cache corruption when used together.
  - Fix NLnetLabs#673: DNS over TLS: error: SSL_handshake syscall: No route to host.
  - Fix Python build in non-source directory; based on patch by Michael Tokarev.
  - Changelog entry for NLnetLabs#604: Add the basic EDE (RFC8914) cases
  - Add the basic EDE (RFC8914) cases (NLnetLabs#604)
  - Fix NLnetLabs#670: SERVFAIL problems with unbound 1.15.0 running on OpenBSD 7.1.
Describe the bug
The TLS channel does not wait for the socket to become ready. Even if it never reaches the connected state, TLS channel setup is attempted on it.
To reproduce
Steps to reproduce the behavior:
unbound-host -C cloudflare.conf nlnetlabs.nl
Expected behavior
It should not even attempt any action on IPv6 sockets until the socket is ready to write. That should ensure the connection was successful. TLS and TCP are stateful protocols and such state should be checked first. That would ensure TLS setup errors would not appear even in a network without real IPv6 connectivity but with local IPv6 addresses.
System:
unbound -V
output:
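The two requests on this page, that nothing be attempted on a socket until a non-blocking connect has actually completed (the issue body) and that one summary line be logged when no address was reachable (the follow-up comment), come down to the same pattern: wait for writability, then read SO_ERROR, because a failed connect also makes the socket "ready", and record each failure so the caller can report once. The following C is an added example written for this page, not Unbound's code; every function and struct name in it is invented, and the loopback addresses in main() are constructed input that fail fast on a normal host.

```c
/* Added example, not Unbound's code: non-blocking connect that waits for
 * writability and reads SO_ERROR before the socket may be handed to TLS,
 * plus a per-attempt summary so one line can be logged when no address
 * worked. All function and struct names here are invented for the example. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct attempt_summary {
    int tried;                        /* addresses attempted so far */
    int last_err;                     /* errno of the latest failure, 0 if none */
    char last_addr[INET6_ADDRSTRLEN]; /* address that produced last_err */
};

/* Connect-time errors that only mean "not reachable right now": the kind to
 * hide per address at normal verbosity, and to report once in a summary. */
int is_quiet_connect_error(int err)
{
    switch (err) {
    case ECONNREFUSED: case EHOSTUNREACH: case ENETUNREACH: case EHOSTDOWN:
    case ENETDOWN: case ETIMEDOUT: case EPERM: case EACCES:
        return 1;
    default:
        return 0;
    }
}

/* Non-blocking connect to numeric ip:port. Returns 0 with a connected fd in
 * *fd_out, or a positive errno. A failed connect also makes the socket
 * "writable", so SO_ERROR is what turns readiness into success or failure;
 * "No route to host" is reported here, never from inside the TLS handshake. */
int try_connect_addr(const char *ip, unsigned short port, int timeout_ms, int *fd_out)
{
    struct addrinfo hints, *ai; struct sockaddr_storage ss; socklen_t slen;
    struct pollfd p; char ps[6]; int fd, n, err; socklen_t elen = sizeof err;
    memset(&hints, 0, sizeof hints);
    hints.ai_socktype = SOCK_STREAM; hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;
    snprintf(ps, sizeof ps, "%u", (unsigned)port);
    if (getaddrinfo(ip, ps, &hints, &ai) != 0) return EINVAL;
    memcpy(&ss, ai->ai_addr, ai->ai_addrlen); slen = ai->ai_addrlen; freeaddrinfo(ai);
    if ((fd = socket(ss.ss_family, SOCK_STREAM, 0)) < 0) return errno;
    if (fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK) < 0) goto fail;
    if (connect(fd, (struct sockaddr *)&ss, slen) == 0) { *fd_out = fd; return 0; }
    if (errno != EINPROGRESS) goto fail;        /* e.g. ENETUNREACH at once */
    p.fd = fd; p.events = POLLOUT;
    if ((n = poll(&p, 1, timeout_ms)) < 0) goto fail;
    if (n == 0) { errno = ETIMEDOUT; goto fail; }
    if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &elen) < 0) goto fail;
    if (err != 0) { errno = err; goto fail; }   /* deferred connect error */
    *fd_out = fd;                               /* only now start TLS */
    return 0;
fail:
    err = errno; close(fd); return err;
}

/* Try addresses in order; return a connected fd, or -1 with the summary filled. */
int connect_any(const char **ips, int n_ips, unsigned short port,
                int timeout_ms, struct attempt_summary *s)
{
    int i, fd = -1;
    memset(s, 0, sizeof *s);
    for (i = 0; i < n_ips; i++) {
        int err = try_connect_addr(ips[i], port, timeout_ms, &fd);
        if (err == 0) return fd;
        s->tried++; s->last_err = err;          /* keep the last failure */
        snprintf(s->last_addr, sizeof s->last_addr, "%s", ips[i]);
    }
    return -1;
}

/* One line for the log when every address failed, instead of one per address. */
int format_summary(const struct attempt_summary *s, char *buf, size_t len)
{
    return snprintf(buf, len, "no DoT upstream reachable: tried %d address(es), "
                    "last %s: %s", s->tried, s->last_addr, strerror(s->last_err));
}

int main(void)
{
    /* Constructed input: port 1 on loopback is normally closed, so each try
     * fails fast (ECONNREFUSED, or an address-family error without IPv6). */
    const char *ips[] = { "::1", "127.0.0.1" }; char line[160];
    struct attempt_summary s; int fd = connect_any(ips, 2, 1, 2000, &s);
    if (fd >= 0) { close(fd); return 0; }
    format_summary(&s, line, sizeof line); puts(line);
    return 1;
}
```

The point of the SO_ERROR read is the one the maintainer's comment makes: with a non-blocking connect the socket becomes writable whether the connect succeeded or failed, so a poll loop that starts the handshake on "writable" alone pushes a routing failure into SSL_handshake. Reading the deferred errno first keeps the TLS layer from ever seeing an unconnected socket, and keeping the last errno and a count per attempt gives the one summary line the reporter asked for without restoring a log line per address.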