From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [Fwd: Re: request for info: unbound via https / tls] Date: Mon, 10 Dec 2018 13:37:20 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============9100510791931153161==" List-Id: --===============9100510791931153161== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hey, > On 10 Dec 2018, at 12:14, ummeegge wrote: >=20 > Hi Michael, >=20 > Am Montag, den 10.12.2018, 00:21 +0000 schrieb Michael Tremer: >=20 >> I am not sure what you are looking for.=20 > Mainly for testing people which take also a look over the changes in=20 > unbound initscript. Since the 'update_forwarders()' function from > unbound init will currently not be used if custom forwarders are in > usage. > 'update_forwarders()' includes really a lot of other functions and it > was/is not that easy to check for all possible side affects if this > function will be bypassed and substituded by another one (cue: DNSSEC, > EDNS, ...). All changes causing the unbound initscript can be found in > here --> > https://gitlab.com/ummeegge/dot-for-ipfire/commits/master/unbound > . >=20 > Another point i am currently looking for is the question, if unbound is > the best possibility for DoT ? If you take look into the current > implementation status --> > https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status > unbound misses also some other DoT related features. > Am building currently GetDNS and Stubby just to get there also a better=20 > inside of the differences. Those are just stub resolvers and no proxies. Out of the proxies unbound migh= t not have the most ticks looking at the TLS features, but I do not see that = as a problem. None of them are a must and unbound is under development. I am = sure those will come. > Also, integrating DoT into webuserinterface is, as before mentioned in > here, a point. Should DoT become it=C2=B4s own one, or is it a complete new > WUI menu point worth ? This is essential. I do not think that it should add another CGI, because we already have a DNS = CGI script that we can use and extend. > In my humble opinion this DoT topic is still pretty much in a testing > phase not only speaking for myself but also looking around and finding > only two (may three) stable DoT providers speaks, i think, also a > little for itself. Yes, I agree. It is a new =E2=80=9Cfeature=E2=80=9D that was used to market C= loudflare=E2=80=99s DNS. Showing that they =E2=80=9Ccare" about privacy. However, I think that this is not beta software any more, we can run this on = larger scale and it solves a problem that existed before and is a nice soluti= on to it, too. If IPFire wants to be bleeding-edge that we have to have this feature at some= point. >> But I just wanted to say that I am following this conversation. >=20 > That=C2=B4s great. >=20 >>=20 >> So far I think that there are indeed many people interested in DoT. >> However, I have not received any feedback on what I was mailing >> before. >>=20 > I hope some feedback comes around also since i am currently testing it=20 > for a couple of weeks now and posted the results/code_changes in the > forum and some also in here. Yeah, I am not sure what I should be testing now. There is a bunch of softwar= e packages and there is a bunch of changes to scripts. This isn=E2=80=99t rea= lly ready for testing yet is it? I guess we should think about a strategy about which features we want to have= in a first alpha stage and then have those agreed, implemented and then sent= out in one package for testing. That makes it a lot easier. So I am thinking about this: * Make unbound ready for DNS-over-TLS (I believe that that is almost the case) * Change the scripts that write forwarders.conf. I do not think that we shoul= d perform DNSSEC checks on the DNS-over-TLS resolvers. * Extend the CGI that we can enter the IP addresses and host names What else do we need? >=20 >> I think what is best now is to get this into small patches. What >> needs to be done to get this UI ready so that people can add those >> DNS servers? What will the default behaviour be? How will we make >> sure that the system does not fall back (to unauthenticated DNS)? >>=20 > That=C2=B4s the fundamental question, please see the above statements. >=20 >=20 >> I think that we can leave OpenSSL 1.1.1 aside for this for now, >> because it works perfectly fine with TLS 1.2. We should not mix >> multiple things together when they have no strict dependency >> (although I am really looking forward to see TLS 1.3 in IPFire soon). >>=20 > OpenSSL-1.1.1 and TLS 1.3 fits perfectly into this topic and i hope i > can install today the new OpenSSL and to test it in my productive > environment. So far we don=E2=80=99t have OpenSSL 1.1.1. I think focussing on one at a tim= e allows to develop this quicker. I am not even sure if any of the resolvers support TLS 1.3 today. Best, -Michael >=20 >=20 >> Best, >> -Michael >>=20 >>> Best, >>>=20 >>> Erik >>>=20 >>=20 >>=20 >=20 --===============9100510791931153161==--