From: Paul Simmons
To: development@lists.ipfire.org
Subject: Re: [Fwd: Re: request for info: unbound via https / tls]
Date: Tue, 01 May 2018 12:16:29 -0500
Message-ID: <1525194989.28527.7.camel@gmail.com>
In-Reply-To: <45075a10-3447-480e-dcc5-4878242e6a82@link38.eu>

On Tue, 2018-05-01 at 16:40 +0200, Peter Müller wrote:
> Hello,
>
> > The unbound init and the cgi scripts use dig 9.11.3, which has no
> > native support for TLS. I'm trying to configure stunnel to act as MITM
> > so that dig can succeed. I hope to restrict unbound to port 853 for
> > listen and send, and use stunnel to listen on port 53 and forward to
> > 853.
>
> As far as I am aware, the knot-utils from CZ.NIC are capable of
> DNS over TLS. Maybe we should think about moving to them, or wait
> until bind-utils/dig are updated (not sure if we are running the latest
> version anyway).
>
> Best regards,
> Peter Müller

I don't mind continuing with unbound, as it seems to be in active
development and is well documented.

Based on my (failing) testing, I'm abandoning using stunnel, and will
wait for a version of dig with native TLS support. Until then, I'm using
https://gitlab.com/snippets/1706804 to get around my (only one available)
ISP munging DNS.

Best regards,
Paul
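The thread turns on dig 9.11.3 having no native TLS support, which is what drove the stunnel-in-the-middle idea. The script below is an added example, not code from this thread, from IPFire, unbound or the linked snippet: it does the one thing a DoT-capable dig would do for the health check, framing a DNS query for TCP (2-byte length prefix, RFC 1035), sending it over a certificate-verified TLS session to port 853 (RFC 7858) and decoding the A records. The resolver address `192.0.2.53` and the TLS name `dot.resolver.example` are placeholders (assumptions); the wire-format helpers are what make it testable offline.

```python
"""Minimal DNS-over-TLS (RFC 7858) A-record query, written as an added example.

Not part of the original thread and not IPFire/unbound/dig code. It does what
`dig @resolver +tls` would do once dig gains TLS: frame a DNS query for TCP,
send it over a verified TLS session to port 853 and decode the answer.
"""
import socket
import ssl
import struct
import sys

DOT_PORT = 853  # DNS over TLS port (RFC 7858)


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Return a standard recursive A query for `name` in wire format (no length prefix)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD set; one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def tcp_frame(msg: bytes) -> bytes:
    """TCP and TLS transports prefix every DNS message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, terminates the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_a_records(msg: bytes, expected_id: int) -> list:
    """Extract IPv4 addresses from the answer section; reject id mismatch or non-zero RCODE."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def _recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes or fail; TLS records do not align with DNS messages."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_over_tls(name: str, resolver_ip: str, tls_name: str) -> list:
    """Send one A query over a certificate-verified TLS session and return the addresses."""
    ctx = ssl.create_default_context()  # verifies the chain and the server name by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    qid = 0x1234
    with socket.create_connection((resolver_ip, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
            tls.sendall(tcp_frame(build_query(name, qid)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_a_records(_recv_exact(tls, length), qid)


if __name__ == "__main__":
    # Resolver address and TLS name are placeholders (assumption); substitute your own.
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(query_over_tls(host, "192.0.2.53", "dot.resolver.example"))
```

Because `ssl.create_default_context()` checks the certificate chain and the presented name, a resolver that answers with the wrong certificate fails the handshake instead of silently serving answers; that is the property a plain stunnel forwarder on port 53 would have hidden from the client.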