Hey,

Could you try that again? I removed the OCSP must-staple flag from the certificate.

-Michael

> On 10 Dec 2018, at 14:37, ummeegge wrote:
>
> Great that you looked over it. I have tested it again and the kdig report
> differs; it now looks like this:
>
> ;; DEBUG: Querying for owner(google.com.), class(1), type(1), server(81.3.27.54), port(853), protocol(TCP)
> ;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca-bundle.crt'
> ;; DEBUG: TLS, received certificate hierarchy:
> ;; DEBUG: #1, CN=rec1.dns.lightningwirelabs.com
> ;; DEBUG: SHA-256 PIN: ZayzRhKLRWLL7v9QC0uEJEMomE572oNUuF4ocAxDQ7E=
> ;; DEBUG: #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
> ;; DEBUG: SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
> ;; DEBUG: TLS, skipping certificate PIN check
> ;; DEBUG: TLS, The certificate is NOT trusted. The certificate requires the server to include an OCSP status in its response, but the OCSP status is missing.
> ;; WARNING: TLS, handshake failed (Error in the certificate.)
> ;; WARNING: failed to query server 81.3.27.54@853(TCP)
>
> Exit status: 0
>
> Maybe this is helpful for you.
>
> Best,
>
> Erik
>
> On Monday, 10.12.2018, 13:26 +0000, Michael Tremer wrote:
>> Hey,
>>
>> Thanks for reporting.
>>
>>> On 10 Dec 2018, at 12:32, ummeegge wrote:
>>>
>>> A question,
>>> what happens with DoT on Lightningwirelabs -->
>>> https://www.lightningwirelabs.com/2018/05/03/dns-over-tls-now-available-on-our-resolvers
>>> ?
>>> There I get:
>>>
>>> $ kdig -d @81.3.27.54 +tls-ca=/etc/ssl/certs/ca-bundle.crt +tls-host="ns1.lightningwirelabs.com" google.com;
>>> ;; DEBUG: Querying for owner(google.com.), class(1), type(1), server(81.3.27.54), port(853), protocol(TCP)
>>> ;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca-bundle.crt'
>>> ;; WARNING: can't connect to 81.3.27.54@853(TCP)
>>> ;; WARNING: failed to query server 81.3.27.54@853(TCP)
>>
>> I recently made a change which caused unbound to stop listening on
>> the TLS port.
>>
>> I fixed that now.
>>
>> The correct host name for that server is
>> rec1.dns.lightningwirelabs.com.
>>
>> -Michael
>>
>>> .
>>>
>>> Best,
>>>
>>> Erik
>>>
>>
>>
>
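An added example, not part of this thread and not code from Lightning Wire Labs, kdig or unbound: the "OCSP status is missing" failure above is what a client reports when the certificate carries the RFC 7633 TLS Feature extension (OID 1.3.6.1.5.5.7.1.24 with the value status_request = 5, commonly called "OCSP must-staple") but the server sends no stapled OCSP response in the handshake. The script below finds that extension in a DER certificate with a small hand-written DER walker, so it needs no third-party library. The two sample blobs are constructed Extensions sequences, not real certificates; `fetch_cert` is an assumed helper that pulls the leaf certificate from a DoT server and needs network access. Python's `ssl` module cannot request OCSP stapling itself, so the script tells you whether the requirement is present, not whether the server satisfies it.

```python
"""Find the RFC 7633 TLS Feature ("OCSP must-staple") extension in DER.
Added example; sample blobs are constructed, not real certificates."""
import socket
import ssl

TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"   # id-pe-tlsfeature (RFC 7633)
STATUS_REQUEST = 5                        # TLS ExtensionType status_request


def _tlv(tag, body):
    """DER-encode one TLV; used only to build the constructed samples."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _oid(dotted):
    """DER-encode a dotted OID; used only to build the constructed samples."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(chunk)
    return _tlv(0x06, bytes(out))


def _read_length(data, i):
    first = data[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n


def _tlv_list(data):
    """Split a DER blob into (tag, body) pairs at one nesting level."""
    out, i = [], 0
    while i < len(data):
        tag = data[i]
        length, j = _read_length(data, i + 1)
        if j + length > len(data):
            raise ValueError("truncated DER")
        out.append((tag, data[j:j + length]))
        i = j + length
    return out


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def tls_features(der):
    """Return the feature numbers listed in the TLS Feature extension, or
    None if the extension is absent. Every constructed node is visited, so
    a whole certificate or just its Extensions block can be passed in."""
    stack = [der]
    while stack:
        try:
            items = _tlv_list(stack.pop())
            # Extension ::= SEQUENCE { OID, BOOLEAN critical OPTIONAL, OCTET STRING }
            if (len(items) >= 2 and items[0][0] == 0x06
                    and _decode_oid(items[0][1]) == TLS_FEATURE_OID
                    and items[-1][0] == 0x04):
                inner = _tlv_list(items[-1][1])        # Features ::= SEQUENCE OF INTEGER
                if len(inner) == 1 and inner[0][0] == 0x30:
                    return [int.from_bytes(b, "big")
                            for t, b in _tlv_list(inner[0][1]) if t == 0x02]
        except (IndexError, ValueError):
            continue                                   # not well-formed DER; skip node
        stack.extend(body for tag, body in items if tag & 0x20)  # descend constructed
    return None


def must_staple(der):
    feats = tls_features(der)
    return feats is not None and STATUS_REQUEST in feats


# Constructed samples: a [3] EXPLICIT Extensions block as found in a TBSCertificate.
SAMPLE_MUST_STAPLE = _tlv(0xA3, _tlv(0x30,
    _tlv(0x30, _oid("2.5.29.19") + _tlv(0x04, _tlv(0x30, b"")))      # basicConstraints
    + _tlv(0x30, _oid(TLS_FEATURE_OID)
           + _tlv(0x04, _tlv(0x30, _tlv(0x02, bytes([STATUS_REQUEST])))))))
SAMPLE_NO_FEATURE = _tlv(0xA3, _tlv(0x30,
    _tlv(0x30, _oid("2.5.29.19") + _tlv(0x01, b"\xff") + _tlv(0x04, _tlv(0x30, b"")))))


def fetch_cert(host, port=853, sni=None):
    """Assumed helper: fetch the leaf certificate a DoT server presents (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    import sys
    der = fetch_cert(sys.argv[1], sni=sys.argv[2] if len(sys.argv) > 2 else None)
    print("TLS features:", tls_features(der), "must-staple:", must_staple(der))
```

To check the other half, whether the server actually staples, use `openssl s_client -connect 81.3.27.54:853 -servername rec1.dns.lightningwirelabs.com -status </dev/null`: it prints an `OCSP Response Status` block when a staple is present and `OCSP response: no response sent` when it is not. A must-staple certificate with no staple is the combination kdig rejected above; the host name passed with `+tls-host` must also match the certificate (rec1.dns.lightningwirelabs.com here), otherwise verification fails for a different reason.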