Hey,
well I would actually like to get rid of as much of that shell stuff in that initscript as we can. This is just a bit too much testing and no matter how much we tune that will never be where it should be.
I wrote a little blog post about this today:
https://www.lightningwirelabs.com/2018/05/03/dns-over-tls-now-available-on-o...
There is more to come...
Best, -Michael
On Tue, 2018-05-01 at 12:16 -0500, Paul Simmons wrote:
On Tue, 2018-05-01 at 16:40 +0200, Peter Müller wrote:
Hello,
The unbound init and the cgi scripts use dig 9.11.3, which has no native support for TLS. I'm trying to configure stunnel to act as MITM so that dig can succeed. I hope to restrict unbound to port 853 for listen and send, and use stunnel to listen on port 53 and forward to 853.
as far as I am aware, the knot-utils from CZ.NIC are capable of DNS over TLS. Maybe we should think about moving to them, or wait until bind-utils/dig are updated (not sure if we are running the latest version anyway).
Best regards, Peter Müller
I don't mind continuing with unbound, as it seems to be in active development and is well documented.
Based on my (failing) testing, I'm abandoning using stunnel, and will wait for a version of dig with native TLS support.
Until then, I'm using https://gitlab.com/snippets/1706804 to get around my (only one available) ISP munging DNS.
Best regards, Paul
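Since the dig build mentioned in this thread cannot speak TLS itself, here is an added example (not from the thread, IPFire or any of the tools named) of a minimal DNS-over-TLS lookup in plain Python: it encodes the query in DNS wire format, wraps it in the RFC 7858 length-prefixed framing on port 853, validates the resolver's certificate against the hostname you pass, and checks the transaction ID and RCODE before extracting A records. The resolver address and its certificate hostname are assumed inputs supplied by the caller.

```python
import socket
import ssl
import struct

def build_query(name: str, qid: int) -> bytes:
    """Standard recursive A/IN query for `name`, RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = [bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")]
    return header + b"".join(labels) + b"\x00" + struct.pack("!HH", 1, 1)

def skip_name(msg: bytes, off: int) -> int:
    """Offset just past a domain name; a compression pointer ends it in 2 bytes."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_a_records(msg: bytes, expect_qid: int) -> list:
    """IPv4 answers from a response; reject wrong IDs, non-responses and errors."""
    qid, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    if qid != expect_qid or not flags & 0x8000:
        raise ValueError("transaction ID mismatch or QR bit not set")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4            # skip QTYPE/QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if (rtype, rclass, rdlen) == (1, 1, 4):
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve_over_tls(name: str, server: str, hostname: str, qid: int = 0x1234) -> list:
    """Send one query to `server`:853 over TLS with certificate + hostname checks.
    `server` and `hostname` are assumed inputs: the resolver's IP and cert name."""
    ctx = ssl.create_default_context()          # system CA store, verifies hostname
    query = build_query(name, qid)
    with socket.create_connection((server, 853), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)   # RFC 7858 length prefix
            rd = tls.makefile("rb")
            (length,) = struct.unpack("!H", rd.read(2))
            return parse_a_records(rd.read(length), qid)
```

Pointing `resolve_over_tls` at your DoT resolver is a quick way to confirm that port 853 answers with a valid certificate before relying on it as unbound's upstream.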