Hey,

well, I would actually like to get rid of as much of that shell stuff in that initscript as we can. This is just a bit too much testing and, no matter how much we tune, that will never be where it should be.

I wrote a little blog post about this today:

  https://www.lightningwirelabs.com/2018/05/03/dns-over-tls-now-available-on-our-resolvers

There is more to come...

Best,
-Michael

On Tue, 2018-05-01 at 12:16 -0500, Paul Simmons wrote:
> On Tue, 2018-05-01 at 16:40 +0200, Peter Müller wrote:
> > Hello,
> > 
> > > The unbound init and the cgi scripts use dig 9.11.3, which has no
> > > native support for TLS. I'm trying to configure stunnel to act as
> > > MITM so that dig can succeed. I hope to restrict unbound to port 853
> > > for listen and send, and use stunnel to listen on port 53 and
> > > forward to 853.
> > 
> > as far as I am aware, the knot-utils from CZ.NIC are capable of
> > DNS over TLS. Maybe we should think about moving to them, or wait
> > until bind-utils/dig are updated (not sure if we are running the
> > latest version anyway).
> > 
> > Best regards,
> > Peter Müller
> 
> I don't mind continuing with unbound, as it seems to be in active
> development and is well documented.
> 
> Based on my (failing) testing, I'm abandoning using stunnel, and will
> wait for a version of dig with native TLS support.
> 
> Until then, I'm using https://gitlab.com/snippets/1706804 to get around
> my (only one available) ISP munging DNS.
> 
> Best regards,
> Paul
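The thread's sticking point is that dig 9.11.3 cannot speak DNS over TLS, so the initscript has no direct way to probe a resolver on port 853. As an added illustration (not code from IPFire, from the posters, or from the snippet Paul links), the following is a minimal RFC 7858 client in Python: it builds a wire-format query, sends it with the two-byte TCP length prefix over a verified TLS session, and parses the answer. The resolver address, the TLS name to verify and the query name are caller-supplied assumptions; the sample response at the bottom is constructed by hand so the wire-format code can be checked offline. Note that this verifies the resolver's certificate against the system CA store, which an stunnel forwarder only does when it is configured to verify the upstream chain.

```python
"""Minimal DNS-over-TLS (RFC 7858) probe, written as an added example for
this thread. Assumptions (not from the thread): resolver address, port and
the TLS name to verify are passed in by the caller."""
import os
import socket
import ssl
import struct

TYPE_A = 1
CLASS_IN = 1


def build_query(name, txid, qtype=TYPE_A):
    """Build a wire-format DNS query (one question, RD bit set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, CLASS_IN)


def frame(message):
    """DoT reuses DNS-over-TCP framing: a two-byte big-endian length prefix."""
    return struct.pack("!H", len(message)) + message


def read_name(buf, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    end = None                      # offset just past the first pointer, if any
    seen = set()
    while True:
        if off in seen:
            raise ValueError("compression pointer loop")
        seen.add(off)
        length = buf[off]
        if length & 0xC0 == 0xC0:   # pointer to an earlier copy of the name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(buf, expected_txid):
    """Check the header, skip the question section, return rcode and answers."""
    if len(buf) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    off = 12
    for _ in range(qdcount):
        _, off = read_name(buf, off)
        off += 4                    # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = read_name(buf, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"rcode": flags & 0x000F, "answers": answers}


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        data += chunk
    return data


def dot_query(server, tls_name, name, port=853, timeout=5.0):
    """Resolve `name` over TLS on server:port, verifying the certificate
    chain against the system CA store and the hostname against tls_name."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname check
    txid = int.from_bytes(os.urandom(2), "big")  # random ID, as a real client uses
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
            tls.sendall(frame(build_query(name, txid)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length), txid)


# Constructed sample (not captured from any resolver): reply to an A query for
# example.com, txid 0x1234, flags QR|RD|RA, NOERROR, one A record 192.0.2.1
# with TTL 300 whose owner name is a compression pointer to the question.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01"
)


def parse_sample():
    """Offline check of the wire-format code against the constructed sample."""
    return parse_response(SAMPLE_RESPONSE, 0x1234)


if __name__ == "__main__":
    import sys
    # usage: dot_probe.py <resolver-ip> <tls-name> <qname>
    print(dot_query(sys.argv[1], sys.argv[2], sys.argv[3]))
```

An initscript can call this with the resolver's IP, the name on its certificate and a query name, and treat a non-zero exit (certificate failure, ID mismatch, connection reset) as "resolver not usable over TLS", which is the check dig 9.11.3 cannot perform.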