On Mon, 2018-12-10 at 13:14 +0100, ummeegge wrote:
> Hi Michael,
>
> On Monday, 10.12.2018, 00:21 +0000, Michael Tremer wrote:
> > I am not sure what you are looking for.
>
> Mainly for testers who also take a look over the changes in the
> unbound initscript, since the 'update_forwarders()' function from the
> unbound init will currently not be used if custom forwarders are in
> use. 'update_forwarders()' includes really a lot of other functions and
> it was/is not that easy to check for all possible side effects if this
> function is bypassed and substituted by another one (cue: DNSSEC,
> EDNS, ...). All changes concerning the unbound initscript can be found
> here --> https://gitlab.com/ummeegge/dot-for-ipfire/commits/master/unbound .
>
> Another point I am currently looking at is the question whether unbound
> is the best option for DoT. If you take a look at the current
> implementation status -->
> https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status
> unbound also misses some other DoT related features. I am currently
> building GetDNS and Stubby just to get a better insight into the
> differences.
>
> Also, integrating DoT into the web user interface is, as mentioned
> before in here, a point. Should DoT become its own one, or is it worth
> a completely new WUI menu point?
>
> In my humble opinion this DoT topic is still pretty much in a testing
> phase, not only speaking for myself but also looking around and finding
> only two (maybe three) stable DoT providers speaks, I think, also a
> little for itself.
>
> > But I just wanted to say that I am following this conversation.
>
> That´s great.
>
> > So far I think that there are indeed many people interested in DoT.
> > However, I have not received any feedback on what I was mailing
> > before.
>
> I hope some feedback comes around, since I have been testing it for a
> couple of weeks now and posted the results/code changes in the forum
> and some also in here.
>
> > I think what is best now is to get this into small patches. What
> > needs to be done to get this UI ready so that people can add those
> > DNS servers? What will the default behaviour be? How will we make
> > sure that the system does not fall back (to unauthenticated DNS)?
>
> That´s the fundamental question, please see the above statements.
>
> > I think that we can leave OpenSSL 1.1.1 aside for this for now,
> > because it works perfectly fine with TLS 1.2. We should not mix
> > multiple things together when they have no strict dependency
> > (although I am really looking forward to see TLS 1.3 in IPFire
> > soon).
>
> OpenSSL-1.1.1 and TLS 1.3 fit perfectly into this topic, and I hope I
> can install the new OpenSSL today and test it in my productive
> environment.
>
> > Best,
> > -Michael
> >
> > > Best,
> > >
> > > Erik

Greetings, Erik.

I am VERY pleased that you are pursuing DoT. I have a test environment
prepared, and hope to test your changes on top of Core125 in the next
few days.

I started this thread because my (one and only available) ISP mangles
DNS on port 53, preventing DNSSEC with IPFire. I want to use my IPFire
machine without applying https://gitlab.com/snippets/1706804 on each
update.

Please continue with your pursuits and development. I will schedule
down time to test.

Thanks, and best regards,

Paul

--
A: Because it messes up the order in which people normally read text.
Q: Why is it such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?
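An added example, not code from this thread, from Erik's branch, or from IPFire's own unbound initscript: an unbound forward configuration that sends every query to a TLS-authenticated upstream on port 853 and has no path back to plain port 53, which is the "does not fall back to unauthenticated DNS" behaviour Michael asks about above. The upstream address, the authentication name, the CA bundle path and the trust-anchor path are placeholders to be replaced with the chosen provider's published values and the system's real paths.

```conf
# Added example, not IPFire's shipped unbound.conf.
# Upstream address, auth name, CA bundle and anchor paths are placeholders.
server:
    # CA bundle the upstream certificate is verified against. Without a
    # bundle the TLS session is encrypted but the peer is not authenticated.
    tls-cert-bundle: "/etc/ssl/certs/ca-bundle.crt"
    # DNSSEC validation is unaffected by the transport: keep the anchor
    # so answers from the forwarder are still validated locally.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

forward-zone:
    name: "."
    # Every forward-addr in this zone is contacted over TLS only.
    forward-tls-upstream: yes
    # "@853" pins the port; "#name" is the hostname checked against the
    # certificate. Omit "#name" and the certificate is not matched to a
    # name, so the upstream is not actually authenticated.
    forward-addr: 192.0.2.53@853#dot.example.net
    # Weak setting: "forward-first: yes" lets unbound recurse on its own
    # (plain UDP/TCP on port 53) whenever the forwarder fails, which is
    # exactly the fallback to unauthenticated DNS this setup must avoid.
    # "no" is also unbound's default; it is spelled out here on purpose.
    forward-first: no
```

`unbound-checkconf` validates the file before a restart. With `forward-first: no`, a broken or blocked upstream yields SERVFAIL rather than a silent downgrade, so on an ISP link that mangles port 53 (Paul's case above) a DoT outage is visible instead of being masked by unauthenticated answers. On IPFire the forward-zone is what the initscript's forwarder handling writes out, which is why the bypassed 'update_forwarders()' function Erik mentions is the place where settings like these would have to be emitted.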