Re: [Fwd: Re: request for info: unbound via https / tls]

[ummeegge <ummeegge@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 2702 bytes --]

Hi Michael,

Am Montag, den 10.12.2018, 00:21 +0000 schrieb Michael Tremer:

> I am not sure what you are looking for. 
Mainly for testing people which take also a look over the changes in 
unbound initscript. Since the 'update_forwarders()' function from
unbound init will currently not be used if custom forwarders are in
usage.
'update_forwarders()' includes really a lot of other functions and it
was/is not that easy to check for all possible side affects if this
function will be bypassed and substituded by another one (cue: DNSSEC,
EDNS, ...). All changes causing the unbound initscript can be found in
here -->
https://gitlab.com/ummeegge/dot-for-ipfire/commits/master/unbound
.

Another point i am currently looking for is the question, if unbound is
the best possibility for DoT ? If you take look into the current
implementation status -->
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status
unbound misses also some other DoT related features.
Am building currently GetDNS and Stubby just to get there also a better 
inside of the differences.

Also, integrating DoT into webuserinterface is, as before mentioned in
here, a point. Should DoT become it´s own one, or is it a complete new
WUI menu point worth ?

In my humble opinion this DoT topic is still pretty much in a testing
phase not only speaking for myself but also looking around and finding
only two (may three) stable DoT providers speaks, i think, also a
little for itself.

> But I just wanted to say that I am following this conversation.

That´s great.

> 
> So far I think that there are indeed many people interested in DoT.
> However, I have not received any feedback on what I was mailing
> before.
> 
I hope some feedback comes around also since i am currently testing it 
for a couple of weeks now and posted the results/code_changes in the
forum and some also in here.

> I think what is best now is to get this into small patches. What
> needs to be done to get this UI ready so that people can add those
> DNS servers? What will the default behaviour be? How will we make
> sure that the system does not fall back (to unauthenticated DNS)?
> 
That´s the fundamental question, please see the above statements.


> I think that we can leave OpenSSL 1.1.1 aside for this for now,
> because it works perfectly fine with TLS 1.2. We should not mix
> multiple things together when they have no strict dependency
> (although I am really looking forward to see TLS 1.3 in IPFire soon).
> 
OpenSSL-1.1.1 and TLS 1.3 fits perfectly into this topic and i hope i
can install today the new OpenSSL and to test it in my productive
environment.


> Best,
> -Michael
> 
> > Best,
> > 
> > Erik
> > 
> 
>