Re: [Fwd: Re: request for info: unbound via https / tls]

[Paul Simmons <mbatranch@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 2814 bytes --]

On Sun, 2018-12-02 at 20:10 +0100, ummeegge wrote:
> Hi all,
> have build knot but needed also
> 
>   # Begin knot deps
>   lfsmake2 libmaxminddb
>   lfsmake2 libedit
>   lfsmake2 userspace
>   lfsmake2 knot
>   # End knot
> 
> to build kdig properly. By the usage of e.g.
> 
> kdig -d @145.100.185.18 +tls-host=dnsovertls3.sinodun.com ipfire.org
> 
> i get an
> 
> ;; DEBUG: Querying for owner(ipfire.org.), class(1), type(1),
> server(145.100.185.18), port(853), protocol(TCP)
> ;; WARNING: TLS, failed to import system certificates
> (GNUTLS_E_UNIMPLEMENTED_FEATURE)
> ;; WARNING: failed to query server 145.100.185.18(a)853(TCP)
> 
> . So it seems that 'gnutls_x509_trust_list_add_trust_file{dir}()' is
> not able to find the system certificates. May a
> 
> --with-default-trust-store-dir=/etc/ssl/certs
> 
> in configure of GnuTLS might help there...
> 
> As a beside one, some tests causing DoT happens in here -->
> https://forum.ipfire.org/viewtopic.php?f=50&t=21954
> 
> whereby Dot runs currently without problems but the focus is in there
> relies
> on the initscript of unbound to make DoT usable over on IPFire.
> 
> Have compiled meanwhile also ldns whereby drill is also a
> possibility 
> for other views and there is also a DoT patch for ldns -->
> 
> 
https://portal.sinodun.com/stash/projects/TDNS/repos/dns-over-tls_patches/browse/ldns-1.6.17_dns-over-tls.patch
> 
> 
https://tools.ietf.org/html/draft-ietf-dprive-dns-over-tls-09#section-8.2
> 
> but the versions are outdated even unbound needs also to be patched.
> May NLnet Labs did there already something to support that but i
> haven´t found it yet.
> 
> Some infos from here.
> 
> Best,
> 
> Erik
>  
> 
> Am Dienstag, den 01.05.2018, 16:40 +0200 schrieb Peter Müller:
> > Hello,
> > 
> > > 
> > > The unbound init and the cgi scripts use dig 9.11.3, which has no
> > > native support for TLS.  I'm trying to configure stunnel to act
> > > as
> > > MITM
> > > so that dig can succeed.  I hope to restrict unbound to port 853
> > > for
> > > listen and send, and use stunnel to listen on port 53 and forward
> > > to
> > > 853.
> > 
> > as far as I am aware, the knot-utils from CZ.NIC are capable of
> > DNS over TLS. Maybe we should think about moving to them, or wait
> > until bind-utils/dig are updated (not sure if we are running the
> > latest
> > version anyway).
> > 
> > Best regards,
> > Peter Müller
> > 
> 
> 

Hello, Erik.  My "admin-foo" has weakened over the years, and my
"developer-foo" is even worse.

Thank you for pursuing DoT on IPFire, as I hope it will circumvent my
ISPs mangling of DNS queries, and allow easier upgrade to current
releases.

Best regards,
Paul
-- 
I would if I could, but I can't so I won't.