From: ummeegge
To: development@lists.ipfire.org
Subject: Re: [Fwd: Re: request for info: unbound via https / tls]
Date: Mon, 10 Dec 2018 15:37:40 +0100
Message-ID: <9b77b351ee0c81390c9814acd845d231dfb2ab94.camel@ipfire.org>
In-Reply-To: <3715CBEA-98D0-4F9B-93CE-958F51F1E62C@ipfire.org>

Great that you looked over it. I have tested it again and the kdig report differs; it now looks like this:

;; DEBUG: Querying for owner(google.com.), class(1), type(1), server(81.3.27.54), port(853), protocol(TCP)
;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=rec1.dns.lightningwirelabs.com
;; DEBUG:      SHA-256 PIN: ZayzRhKLRWLL7v9QC0uEJEMomE572oNUuF4ocAxDQ7E=
;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
;; DEBUG:      SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is NOT trusted. The certificate requires the server to include an OCSP status in its response, but the OCSP status is missing.
;; WARNING: TLS, handshake failed (Error in the certificate.)
;; WARNING: failed to query server 81.3.27.54@853(TCP)

Exit status: 0

Maybe this is helpful for you.

Best,

Erik

On Monday, 10.12.2018, 13:26 +0000, Michael Tremer wrote:
> Hey,
>
> Thanks for reporting.
>
> > On 10 Dec 2018, at 12:32, ummeegge wrote:
> >
> > A question,
> > what happens with DoT on Lightningwirelabs -->
> > https://www.lightningwirelabs.com/2018/05/03/dns-over-tls-now-available-on-our-resolvers
> > ?
> > I get there an
> >
> > $ kdig -d @81.3.27.54 +tls-ca=/etc/ssl/certs/ca-bundle.crt +tls-host="ns1.lightningwirelabs.com" google.com;
> > ;; DEBUG: Querying for owner(google.com.), class(1), type(1), server(81.3.27.54), port(853), protocol(TCP)
> > ;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca-bundle.crt'
> > ;; WARNING: can't connect to 81.3.27.54@853(TCP)
> > ;; WARNING: failed to query server 81.3.27.54@853(TCP)
>
> I recently made a change which caused that unbound didn't listen on
> the TLS port any more.
>
> I fixed that now.
>
> The correct host name for that server is
> rec1.dns.lightningwirelabs.com.
>
> -Michael
>
> > .
> >
> > Best,
> >
> > Erik
> >
>
>
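The kdig invocation in this thread does three things a DNS-over-TLS (RFC 7858) client must do: open TLS to port 853, verify the server certificate against a CA bundle (+tls-ca) and against the expected host name (+tls-host), then exchange DNS messages with the two-byte length prefix borrowed from DNS over TCP. The script below is an added example written for this thread; it is not kdig, unbound or IPFire code. The server address, the SNI name rec1.dns.lightningwirelabs.com and the CA bundle path are taken from the messages above; the wire-format builder and parser, the transaction id and the sample response in the test are constructed. Python's ssl module does not expose the stapled OCSP status, so, unlike kdig, this client cannot report the must-staple condition from Erik's second run; it would simply fail the handshake if the CA or host name check fails.

```python
"""Minimal DNS-over-TLS (RFC 7858) client mirroring the kdig flags above.

Added example for this thread, not kdig/unbound/IPFire code.  dot_query()
needs network access; the builders and parsers run offline.
"""
import socket
import ssl
import struct

DOT_PORT = 853
TXID = 0x1234  # constructed, fixed so the parser can check it

def build_query(name: str, qtype: int = 1, txid: int = TXID) -> bytes:
    """Build a DNS query (class IN, RD set) for `name`; qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame(msg: bytes) -> bytes:
    """DoT reuses TCP framing: 2-byte big-endian length, then the message."""
    return struct.pack("!H", len(msg)) + msg

def unframe(buf: bytes) -> bytes:
    """Strip the length prefix; raise if the buffer is shorter than announced."""
    length = struct.unpack("!H", buf[:2])[0]
    if len(buf) < 2 + length:
        raise ValueError("short read")
    return buf[2:2 + length]

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a possibly compressed name."""
    while True:
        l = msg[off]
        if l == 0:
            return off + 1
        if l & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + l

def parse_a_records(msg: bytes, expect_txid: int = TXID):
    """Return (rcode, [IPv4 addresses]) from a response carrying A records."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expect_txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                         # skip question section
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):                         # walk answer section
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return rcode, addrs

def dot_query(server: str, sni: str, name: str,
              cafile: str = "/etc/ssl/certs/ca-bundle.crt"):
    """Verify the server cert against `cafile` and `sni` (kdig +tls-ca/+tls-host),
    then send one A query and parse the reply."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((server, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(frame(build_query(name)))
            length = struct.unpack("!H", tls.recv(2))[0]
            body = b""
            while len(body) < length:
                chunk = tls.recv(length - len(body))
                if not chunk:
                    raise ConnectionError("connection closed mid-message")
                body += chunk
    return parse_a_records(body)

if __name__ == "__main__":
    # Values from the thread; the SNI name is the one Michael gave as correct.
    print(dot_query("81.3.27.54", "rec1.dns.lightningwirelabs.com", "google.com"))
```

Running it with the wrong +tls-host equivalent ("ns1.lightningwirelabs.com") makes wrap_socket() raise an SSLCertVerificationError, which is the same class of failure kdig reports as "handshake failed (Error in the certificate.)".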