From: ummeegge <ummeegge@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [Fwd: Re: request for info: unbound via https / tls]
Date: Sun, 02 Dec 2018 20:10:31 +0100 [thread overview]
Message-ID: <2a8665dc77d64d42818cc8a1b3ec92a3090a9403.camel@ipfire.org> (raw)
In-Reply-To: <45075a10-3447-480e-dcc5-4878242e6a82@link38.eu>
Hi all,
I have built knot but also needed
# Begin knot deps
lfsmake2 libmaxminddb
lfsmake2 libedit
lfsmake2 userspace
lfsmake2 knot
# End knot
to build kdig properly. By the usage of e.g.
kdig -d @145.100.185.18 +tls-host=dnsovertls3.sinodun.com ipfire.org
I get an
;; DEBUG: Querying for owner(ipfire.org.), class(1), type(1),
server(145.100.185.18), port(853), protocol(TCP)
;; WARNING: TLS, failed to import system certificates
(GNUTLS_E_UNIMPLEMENTED_FEATURE)
;; WARNING: failed to query server 145.100.185.18(a)853(TCP)
So it seems that 'gnutls_x509_trust_list_add_trust_file{dir}()' is
not able to find the system certificates. Maybe a
--with-default-trust-store-dir=/etc/ssl/certs
in configure of GnuTLS might help there...
As a beside one, some tests causing DoT happens in here -->
https://forum.ipfire.org/viewtopic.php?f=50&t=21954
whereby DoT currently runs without problems, but the focus in there relies
on the initscript of unbound to make DoT usable on IPFire.
I have meanwhile also compiled ldns, whereby drill is also a possibility
for other views, and there is also a DoT patch for ldns -->
https://portal.sinodun.com/stash/projects/TDNS/repos/dns-over-tls_patches/browse/ldns-1.6.17_dns-over-tls.patch
https://tools.ietf.org/html/draft-ietf-dprive-dns-over-tls-09#section-8.2
but the versions are outdated and unbound also needs to be patched.
Maybe NLnet Labs already did something there to support that, but I haven't found it yet.
Some infos from here.
Best,
Erik
On Tuesday, 01.05.2018 at 16:40 +0200, Peter Müller wrote:
> Hello,
>
> > The unbound init and the cgi scripts use dig 9.11.3, which has no
> > native support for TLS. I'm trying to configure stunnel to act as MITM
> > so that dig can succeed. I hope to restrict unbound to port 853 for
> > listen and send, and use stunnel to listen on port 53 and forward to
> > 853.
>
> as far as I am aware, the knot-utils from CZ.NIC are capable of
> DNS over TLS. Maybe we should think about moving to them, or wait
> until bind-utils/dig are updated (not sure if we are running the
> latest version anyway).
>
> Best regards,
> Peter Müller
>
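To make concrete what the failing kdig run above is doing on the wire, here is a minimal DNS-over-TLS client in Python (an added example, not code from Erik's mail, from knot or from IPFire): it frames a DNS query with the 2-byte length prefix that DoT inherits from DNS-over-TCP, sends it over a TLS session verified against the system trust store (the step GnuTLS could not perform in the kdig output), and parses the A records out of the reply. The resolver address and TLS name are the ones from the kdig call; the query ID, helper names and the 192.0.2.1 test address are constructed for illustration.

```python
import socket, ssl, struct

def build_query(name, qid=0x1234):
    # Minimal DNS A/IN query in wire format, recursion desired.
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def frame(msg):
    # DoT (RFC 7858) reuses DNS-over-TCP framing: a 2-byte length prefix.
    return struct.pack("!H", len(msg)) + msg

def _skip_name(data, off):
    # Offset just past a domain name; a compression pointer takes 2 bytes.
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + data[off]
    return off + 1

def parse_a_records(resp, qid=0x1234):
    # Extract IPv4 answers; reject replies whose ID does not match ours.
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid or not flags & 0x8000:
        raise ValueError("ID mismatch or not a response")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(resp, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return addrs

def dot_query(server, tls_host, name, port=853, timeout=5.0):
    # Default context: system trust store plus chain/hostname check (what kdig's GnuTLS lacked above).
    ctx = ssl.create_default_context()
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_host) as tls:
            tls.sendall(frame(build_query(name)))
            rd = tls.makefile("rb")  # read(n) blocks until n bytes or EOF
            (length,) = struct.unpack("!H", rd.read(2))
            return parse_a_records(rd.read(length))

if __name__ == "__main__":  # same resolver and TLS name as the kdig call above
    print(dot_query("145.100.185.18", "dnsovertls3.sinodun.com", "ipfire.org"))
```

If the trust store is missing or the certificate does not match the TLS name, wrap_socket raises an SSLError before any DNS data is sent, which is the behaviour the kdig warning above corresponds to.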