From mboxrd@z Thu Jan 1 00:00:00 1970 From: Paul Simmons To: development@lists.ipfire.org Subject: Re: [Fwd: Re: request for info: unbound via https / tls] Date: Sun, 02 Dec 2018 14:23:12 -0600 Message-ID: In-Reply-To: <2a8665dc77d64d42818cc8a1b3ec92a3090a9403.camel@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4197644457368258310==" List-Id: --===============4197644457368258310== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable On Sun, 2018-12-02 at 20:10 +0100, ummeegge wrote: > Hi all, > have build knot but needed also >=20 > # Begin knot deps > lfsmake2 libmaxminddb > lfsmake2 libedit > lfsmake2 userspace > lfsmake2 knot > # End knot >=20 > to build kdig properly. By the usage of e.g. >=20 > kdig -d @145.100.185.18 +tls-host=3Ddnsovertls3.sinodun.com ipfire.org >=20 > i get an >=20 > ;; DEBUG: Querying for owner(ipfire.org.), class(1), type(1), > server(145.100.185.18), port(853), protocol(TCP) > ;; WARNING: TLS, failed to import system certificates > (GNUTLS_E_UNIMPLEMENTED_FEATURE) > ;; WARNING: failed to query server 145.100.185.18(a)853(TCP) >=20 > . So it seems that 'gnutls_x509_trust_list_add_trust_file{dir}()' is > not able to find the system certificates. May a >=20 > --with-default-trust-store-dir=3D/etc/ssl/certs >=20 > in configure of GnuTLS might help there... >=20 > As a beside one, some tests causing DoT happens in here --> > https://forum.ipfire.org/viewtopic.php?f=3D50&t=3D21954 >=20 > whereby Dot runs currently without problems but the focus is in there > relies > on the initscript of unbound to make DoT usable over on IPFire. >=20 > Have compiled meanwhile also ldns whereby drill is also a > possibility=20 > for other views and there is also a DoT patch for ldns --> >=20 >=20 https://portal.sinodun.com/stash/projects/TDNS/repos/dns-over-tls_patches/bro= wse/ldns-1.6.17_dns-over-tls.patch >=20 >=20 https://tools.ietf.org/html/draft-ietf-dprive-dns-over-tls-09#section-8.2 >=20 > but the versions are outdated even unbound needs also to be patched. > May NLnet Labs did there already something to support that but i > haven=C2=B4t found it yet. >=20 > Some infos from here. >=20 > Best, >=20 > Erik > =20 >=20 > Am Dienstag, den 01.05.2018, 16:40 +0200 schrieb Peter M=C3=BCller: > > Hello, > >=20 > > >=20 > > > The unbound init and the cgi scripts use dig 9.11.3, which has no > > > native support for TLS. I'm trying to configure stunnel to act > > > as > > > MITM > > > so that dig can succeed. I hope to restrict unbound to port 853 > > > for > > > listen and send, and use stunnel to listen on port 53 and forward > > > to > > > 853. > >=20 > > as far as I am aware, the knot-utils from CZ.NIC are capable of > > DNS over TLS. Maybe we should think about moving to them, or wait > > until bind-utils/dig are updated (not sure if we are running the > > latest > > version anyway). > >=20 > > Best regards, > > Peter M=C3=BCller > >=20 >=20 >=20 Hello, Erik. My "admin-foo" has weakened over the years, and my "developer-foo" is even worse. Thank you for pursuing DoT on IPFire, as I hope it will circumvent my ISPs mangling of DNS queries, and allow easier upgrade to current releases. Best regards, Paul --=20 I would if I could, but I can't so I won't. --===============4197644457368258310==--