Re: [Fwd: Re: request for info: unbound via https / tls]

[Paul Simmons <mbatranch@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 3633 bytes --]

On Mon, 2018-12-10 at 13:14 +0100, ummeegge wrote:
> Hi Michael,
> 
> Am Montag, den 10.12.2018, 00:21 +0000 schrieb Michael Tremer:
> 
> > I am not sure what you are looking for. 
> 
> Mainly for testing people which take also a look over the changes in 
> unbound initscript. Since the 'update_forwarders()' function from
> unbound init will currently not be used if custom forwarders are in
> usage.
> 'update_forwarders()' includes really a lot of other functions and it
> was/is not that easy to check for all possible side affects if this
> function will be bypassed and substituded by another one (cue:
> DNSSEC,
> EDNS, ...). All changes causing the unbound initscript can be found
> in
> here -->
> https://gitlab.com/ummeegge/dot-for-ipfire/commits/master/unbound
> .
> 
> Another point i am currently looking for is the question, if unbound
> is
> the best possibility for DoT ? If you take look into the current
> implementation status -->
> 
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status
> unbound misses also some other DoT related features.
> Am building currently GetDNS and Stubby just to get there also a
> better 
> inside of the differences.
> 
> Also, integrating DoT into webuserinterface is, as before mentioned
> in
> here, a point. Should DoT become it´s own one, or is it a complete
> new
> WUI menu point worth ?
> 
> In my humble opinion this DoT topic is still pretty much in a testing
> phase not only speaking for myself but also looking around and
> finding
> only two (may three) stable DoT providers speaks, i think, also a
> little for itself.
> 
> > But I just wanted to say that I am following this conversation.
> 
> That´s great.
> 
> > 
> > So far I think that there are indeed many people interested in DoT.
> > However, I have not received any feedback on what I was mailing
> > before.
> > 
> 
> I hope some feedback comes around also since i am currently testing
> it 
> for a couple of weeks now and posted the results/code_changes in the
> forum and some also in here.
> 
> > I think what is best now is to get this into small patches. What
> > needs to be done to get this UI ready so that people can add those
> > DNS servers? What will the default behaviour be? How will we make
> > sure that the system does not fall back (to unauthenticated DNS)?
> > 
> 
> That´s the fundamental question, please see the above statements.
> 
> 
> > I think that we can leave OpenSSL 1.1.1 aside for this for now,
> > because it works perfectly fine with TLS 1.2. We should not mix
> > multiple things together when they have no strict dependency
> > (although I am really looking forward to see TLS 1.3 in IPFire
> > soon).
> > 
> 
> OpenSSL-1.1.1 and TLS 1.3 fits perfectly into this topic and i hope i
> can install today the new OpenSSL and to test it in my productive
> environment.
> 
> 
> > Best,
> > -Michael
> > 
> > > Best,
> > > 
> > > Erik
> > > 
> > 
> > 
> 
> 

Greetings, Erik.

I am VERY pleased that you are pursuing DoT.

I have a test environment prepared, and hope to test your changes on
top of Core125 in the next few days.

I started this thread because my (one and only available) ISP mangles
DNS on port 53, preventing DNSSEC with IPFire.  I want to use my IPFire
machine without applying https://gitlab.com/snippets/1706804 on each
update.

Please continue with your pursuits and development. I will schedule
down time to test.

Thanks, and best regards,
Paul

-- 
A: Because it messes up the order in which people normally read text.
Q: Why is it such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?