From: ummeegge
To: development@lists.ipfire.org
Subject: Re: [Fwd: Re: request for info: unbound via https / tls]
Date: Mon, 10 Dec 2018 13:14:02 +0100

Hi Michael,

On Monday, 10.12.2018, 00:21 +0000, Michael Tremer wrote:
> I am not sure what you are looking for.

Mainly for testing people who also take a look over the changes in the unbound initscript. Since the 'update_forwarders()' function from the unbound init will currently not be used if custom forwarders are in use. 'update_forwarders()' includes really a lot of other functions and it was/is not that easy to check for all possible side effects if this function is bypassed and substituted by another one (cue: DNSSEC, EDNS, ...). All changes affecting the unbound initscript can be found here --> https://gitlab.com/ummeegge/dot-for-ipfire/commits/master/unbound .

Another point I am currently looking into is the question whether unbound is the best option for DoT. If you take a look at the current implementation status --> https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status unbound also misses some other DoT related features. I am currently building GetDNS and Stubby just to get a better insight into the differences.

Also, integrating DoT into the web user interface is, as mentioned here before, a point. Should DoT become its own one, or is it worth a completely new WUI menu point?

In my humble opinion this DoT topic is still pretty much in a testing phase, not only speaking for myself but also looking around and finding only two (maybe three) stable DoT providers speaks, I think, also a little for itself.

> But I just wanted to say that I am following this conversation.

That's great.

> So far I think that there are indeed many people interested in DoT.
> However, I have not received any feedback on what I was mailing
> before.

I hope some feedback comes around too, since I have been testing it for a couple of weeks now and posted the results/code changes in the forum and some also here.

> I think what is best now is to get this into small patches. What
> needs to be done to get this UI ready so that people can add those
> DNS servers? What will the default behaviour be? How will we make
> sure that the system does not fall back (to unauthenticated DNS)?

That's the fundamental question, please see the statements above.

> I think that we can leave OpenSSL 1.1.1 aside for this for now,
> because it works perfectly fine with TLS 1.2. We should not mix
> multiple things together when they have no strict dependency
> (although I am really looking forward to see TLS 1.3 in IPFire soon).

OpenSSL 1.1.1 and TLS 1.3 fit perfectly into this topic and I hope I can install the new OpenSSL today and test it in my productive environment.

> Best,
> -Michael
>
> > Best,
> >
> > Erik
> >
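The question raised in the thread of how to make sure the system does not fall back to unauthenticated DNS can be checked mechanically against the unbound configuration that an initscript or WUI change produces. The following is an added example written for this thread, not code from IPFire, unbound or the linked dot-for-ipfire repository: it parses the forward-zone: blocks of an unbound.conf fragment and reports every forwarder that would not be an authenticated DoT upstream (forward-tls-upstream not set to yes, a port other than 853, a forward-addr without the #authname needed to verify the server certificate, or forward-first: yes, which lets unbound fall back to plain iterative resolution when the forwarder fails). The configuration text, hostnames and addresses in the block are constructed placeholders.

```python
"""Audit unbound forward-zone blocks for cleartext / unauthenticated fallback.

Added example for the DoT discussion; not IPFire's or unbound's own code.
The sample configuration below is constructed (RFC 5737 placeholder
addresses, made-up authname hostnames).
"""
import re
from dataclasses import dataclass, field

# forward-addr syntax: IP, optional @port, optional #authname (TLS auth name)
FORWARD_ADDR = re.compile(r"^([0-9a-fA-F.:]+)(?:@(\d+))?(?:#(\S+))?$")


@dataclass
class ForwardZone:
    name: str = ""
    tls: bool = False            # forward-tls-upstream: yes
    forward_first: bool = False  # forward-first: yes -> iterative fallback allowed
    addrs: list = field(default_factory=list)


def parse_forward_zones(conf: str) -> list:
    """Collect forward-zone: blocks, keeping only the keys this audit needs."""
    zones, current = [], None
    for raw in conf.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or whole-line comment
        if stripped == "forward-zone:":
            current = ForwardZone()
            zones.append(current)
            continue
        if stripped.endswith(":") and " " not in stripped:
            current = None  # some other top-level section, e.g. server:
            continue
        if current is None or ":" not in stripped:
            continue
        key, value = (part.strip() for part in stripped.split(":", 1))
        value = value.strip('"')
        if key == "name":
            current.name = value
        elif key == "forward-tls-upstream":
            current.tls = value.lower() == "yes"
        elif key == "forward-first":
            current.forward_first = value.lower() == "yes"
        elif key == "forward-addr":
            current.addrs.append(value)
    return zones


def audit(zones: list) -> list:
    """Return findings; an empty list means every forwarder is authenticated DoT."""
    findings = []
    for zone in zones:
        label = zone.name or "<unnamed>"
        if not zone.tls:
            findings.append(f"{label}: forward-tls-upstream is not 'yes'; queries leave in cleartext")
        if zone.forward_first:
            findings.append(f"{label}: forward-first: yes allows fallback to iterative cleartext resolution")
        if not zone.addrs:
            findings.append(f"{label}: no forward-addr configured")
        for addr in zone.addrs:
            m = FORWARD_ADDR.match(addr)
            if not m:
                findings.append(f"{label}: unparsable forward-addr '{addr}'")
                continue
            ip, port, authname = m.group(1), m.group(2) or "53", m.group(3)
            if port != "853":
                findings.append(f"{label}: {ip} uses port {port}, not the DoT port 853")
            if zone.tls and not authname:
                findings.append(f"{label}: {ip} has no #authname, so the TLS certificate is not verified")
    return findings


# Constructed sample: first zone is nearly right, second one is the fallback risk.
SAMPLE_CONF = """\
# constructed unbound.conf fragment; addresses and names are placeholders
server:
    tls-cert-bundle: "/etc/ssl/certs/ca-bundle.crt"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 192.0.2.1@853#dot.example.net
    forward-addr: 192.0.2.2@853

forward-zone:
    name: "internal.example"
    forward-first: yes
    forward-addr: 192.0.2.3
"""

if __name__ == "__main__":
    for finding in audit(parse_forward_zones(SAMPLE_CONF)):
        print(finding)
```

Run against a real unbound.conf the same parser applies unchanged; the point is that "DoT configured" is only true when every forward-addr in every zone passes all four checks, which is the property an initscript rewrite of update_forwarders() has to preserve.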