Great that you looked over it. I have tested it again and the kdig report differs; it now looks like this:

;; DEBUG: Querying for owner(google.com.), class(1), type(1), server(81.3.27.54), port(853), protocol(TCP)
;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=rec1.dns.lightningwirelabs.com
;; DEBUG:      SHA-256 PIN: ZayzRhKLRWLL7v9QC0uEJEMomE572oNUuF4ocAxDQ7E=
;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
;; DEBUG:      SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is NOT trusted. The certificate requires the server to include an OCSP status in its response, but the OCSP status is missing.
;; WARNING: TLS, handshake failed (Error in the certificate.)
;; WARNING: failed to query server 81.3.27.54@853(TCP)

Exit status: 0

Maybe this is helpful for you.

Best,

Erik

On Monday, 10.12.2018, 13:26 +0000, Michael Tremer wrote:
> Hey,
>
> Thanks for reporting.
>
> > On 10 Dec 2018, at 12:32, ummeegge wrote:
> >
> > A question,
> > what happens with DoT on Lightningwirelabs -->
> > https://www.lightningwirelabs.com/2018/05/03/dns-over-tls-now-available-on-our-resolvers
> > ?
> > I get there an
> >
> > $ kdig -d @81.3.27.54 +tls-ca=/etc/ssl/certs/ca-bundle.crt +tls-host="ns1.lightningwirelabs.com" google.com;
> > ;; DEBUG: Querying for owner(google.com.), class(1), type(1), server(81.3.27.54), port(853), protocol(TCP)
> > ;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca-bundle.crt'
> > ;; WARNING: can't connect to 81.3.27.54@853(TCP)
> > ;; WARNING: failed to query server 81.3.27.54@853(TCP)
>
> I recently made a change which caused unbound not to listen on the TLS port any more.
>
> I fixed that now.
>
> The correct host name for that server is rec1.dns.lightningwirelabs.com.
>
> -Michael
>
> > Best,
> >
> > Erik
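The thread above exercises two independent checks a DNS-over-TLS client makes before it trusts a resolver: the certificate must chain to a trusted CA and match the host name given as SNI (which is why `ns1.lightningwirelabs.com` is the wrong name and `rec1.dns.lightningwirelabs.com` is needed), and, with kdig's GnuTLS backend, a certificate carrying the OCSP must-staple extension is rejected when the server does not staple a status. The following is an added example and not code from the thread, from kdig or from Lightning Wire Labs: a minimal RFC 7858 DoT client in Python that builds a wire-format query, frames it with the 2-byte TCP length prefix, verifies the chain and host name through the standard `ssl` module, and parses the answer section including name compression. The resolver IP and host name are taken from the thread; the sample response bytes are constructed for offline parsing. Note the caveat in the docstring: Python's `ssl` module does not enforce OCSP must-staple, so this client would not reproduce the exact "OCSP status is missing" failure that kdig reports.

```python
import socket
import ssl
import struct

# Values taken from the thread: the resolver address and the host name
# Michael Tremer says is the correct one for that server.
RESOLVER_IP = "81.3.27.54"
RESOLVER_NAME = "rec1.dns.lightningwirelabs.com"
DOT_PORT = 853


def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query (class IN, RD set) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(msg, off, max_hops=16):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:           # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2               # name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Parse the header, skip the question section and return the answer RRs."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:         # render A records as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0x0F, "answers": answers}


def _recv_exact(sock, n):
    """Read exactly n bytes or raise; TLS records do not preserve DNS message boundaries."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection")
        buf += chunk
    return buf


def dot_query(name, server=RESOLVER_IP, sni=RESOLVER_NAME, cafile=None,
              port=DOT_PORT, timeout=5.0):
    """Send one query over DNS-over-TLS (RFC 7858): TLS plus 2-byte length framing.

    The chain and host name are verified against `sni` (check_hostname is on
    in the default context), so a name that is not in the certificate fails
    the handshake. Python's ssl module does NOT enforce OCSP must-staple, so
    kdig's "OCSP status is missing" rejection is not reproduced here.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    query = build_query(name)
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            reply = parse_response(_recv_exact(tls, length))
    if reply["id"] != 0x1234:
        raise ValueError("transaction id mismatch")
    return reply


# Constructed sample response (not captured from the resolver): google.com A 10.0.0.1, TTL 300.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # id, QR/RD/RA flags, 1 question, 1 answer
    b"\x06google\x03com\x00\x00\x01\x00\x01"              # question: google.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x0a\x00\x00\x01"  # ptr to offset 12, A IN TTL 300
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))
    # Live query (network required); uncomment to try against the resolver above:
    # print(dot_query("google.com", cafile="/etc/ssl/certs/ca-bundle.crt"))
```

Running `dot_query("google.com", sni="ns1.lightningwirelabs.com")` raises an `ssl.SSLCertVerificationError` from the host-name check, which is the same class of mismatch the thread resolves by switching to `rec1.dns.lightningwirelabs.com`; the must-staple condition kdig reports has to be checked with a TLS stack that implements it, such as GnuTLS.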