On Sun, 2018-12-02 at 20:10 +0100, ummeegge wrote:
Hi all, I have built knot, but also needed
    # Begin knot deps
    lfsmake2 libmaxminddb
    lfsmake2 libedit
    lfsmake2 userspace
    lfsmake2 knot
    # End knot
to build kdig properly. When using e.g.
kdig -d @145.100.185.18 +tls-host=dnsovertls3.sinodun.com ipfire.org
I get
    ;; DEBUG: Querying for owner(ipfire.org.), class(1), type(1), server(145.100.185.18), port(853), protocol(TCP)
    ;; WARNING: TLS, failed to import system certificates (GNUTLS_E_UNIMPLEMENTED_FEATURE)
    ;; WARNING: failed to query server 145.100.185.18@853(TCP)
So it seems that 'gnutls_x509_trust_list_add_trust_file{dir}()' is not able to find the system certificates. Maybe a
--with-default-trust-store-dir=/etc/ssl/certs
in the configure of GnuTLS might help there...
As an aside, some tests concerning DoT are happening here --> https://forum.ipfire.org/viewtopic.php?f=50&t=21954
whereby DoT currently runs without problems, but the focus there is on the initscript of unbound to make DoT usable on IPFire.
Meanwhile I have also compiled ldns, whereby drill is also a possibility for other views, and there is also a DoT patch for ldns -->
https://portal.sinodun.com/stash/projects/TDNS/repos/dns-over-tls_patches/br...
https://tools.ietf.org/html/draft-ietf-dprive-dns-over-tls-09#section-8.2
but the versions are outdated; even unbound also needs to be patched. Maybe NLnet Labs have already done something to support that, but I haven't found it yet.
Some info from here.
Best,
Erik
On Tuesday, 2018-05-01 at 16:40 +0200, Peter Müller wrote:
Hello,
The unbound init and the cgi scripts use dig 9.11.3, which has no native support for TLS. I'm trying to configure stunnel to act as MITM so that dig can succeed. I hope to restrict unbound to port 853 for listen and send, and use stunnel to listen on port 53 and forward to 853.
as far as I am aware, the knot-utils from CZ.NIC are capable of DNS over TLS. Maybe we should think about moving to them, or wait until bind-utils/dig are updated (not sure if we are running the latest version anyway).
Best regards, Peter Müller
Hello, Erik. My "admin-foo" has weakened over the years, and my "developer-foo" is even worse.
Thank you for pursuing DoT on IPFire, as I hope it will circumvent my ISP's mangling of DNS queries, and allow easier upgrade to current releases.
Best regards, Paul
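The kdig invocation quoted above does three things that are easy to get wrong when wiring up DoT by hand: it frames the DNS message for TCP/TLS (RFC 7858 section 3.3: two-octet length prefix), it loads a trust store (which is exactly what failed with GNUTLS_E_UNIMPLEMENTED_FEATURE), and it verifies the server certificate against the +tls-host name rather than the IP it connected to. The following is an added example written for this page, not code from the thread, from Knot DNS or from IPFire; it is a minimal DoT client in Python's standard library that makes those three steps explicit. The server address 145.100.185.18 and name dnsovertls3.sinodun.com are the ones from the thread; the trust-store directory /etc/ssl/certs is an assumption taken from Erik's suggested configure flag, and SAMPLE_RESPONSE is a constructed wire-format reply (answer 192.0.2.1 is a documentation address, not ipfire.org's real one).

```python
"""Minimal DNS-over-TLS (RFC 7858) client: build, frame, send, parse.

Added example for this thread; not kdig's or IPFire's code.
"""
import socket
import ssl
import struct
import sys

TYPE_A, TYPE_AAAA, CLASS_IN = 1, 28, 1


def build_query(qname, qtype=TYPE_A, qid=0x1234):
    """Wire-format DNS query: 12-byte header with RD set, then one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    question = b"".join(bytes([len(l)]) + l.encode("ascii")
                        for l in qname.rstrip(".").split("."))
    return header + question + b"\x00" + struct.pack("!HH", qtype, CLASS_IN)


def frame(msg):
    """RFC 7858 s3.3 / RFC 1035 s4.2.2: prefix the message with its 2-octet length."""
    return struct.pack("!H", len(msg)) + msg


def unframe(buf):
    """Strip the 2-octet length prefix; caller must have read exactly that many bytes."""
    (length,) = struct.unpack("!H", buf[:2])
    return buf[2:2 + length]


def parse_name(msg, offset, max_hops=16):
    """Decode a possibly compressed name; returns (name, offset after the name).

    The hop limit stops a malicious response from looping on compression pointers.
    """
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2  # the pointer is the last thing in this field
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)


def parse_response(msg):
    """Return (id, rcode, [(owner, type, ttl, rdata_text), ...]) for the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, offset = parse_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = parse_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            text = socket.inet_ntoa(rdata)
        elif rtype == TYPE_AAAA and rdlen == 16:
            text = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            text = rdata.hex()
        answers.append((name, rtype, ttl, text))
    return qid, flags & 0x000F, answers


def make_tls_context(ca_dir=None, ca_file=None):
    """Trust store + hostname verification: the two things kdig's warning was about.

    create_default_context() loads the platform trust store; ca_dir/ca_file add an
    explicit location (e.g. the assumed /etc/ssl/certs) when that is not available.
    """
    ctx = ssl.create_default_context()
    if ca_dir or ca_file:
        ctx.load_verify_locations(cafile=ca_file, capath=ca_dir)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed TLS stream mid-message")
        buf += chunk
    return buf


def dot_query(server_ip, tls_host, qname, qtype=TYPE_A, port=853, ca_dir=None):
    """Connect to server_ip:853, verify the cert for tls_host (not the IP), query."""
    ctx = make_tls_context(ca_dir=ca_dir)
    with socket.create_connection((server_ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_host) as tls:
            tls.sendall(frame(build_query(qname, qtype)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_response(recv_exact(tls, length))


# Constructed reply to build_query("ipfire.org"): flags QR|RD|RA, one A record
# (owner is a compression pointer to offset 12), TTL 3600, rdata 192.0.2.1.
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x06ipfire\x03org\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01")

if __name__ == "__main__":
    # Same target as the kdig line in the thread; ca_dir is an assumption.
    name = sys.argv[1] if len(sys.argv) > 1 else "ipfire.org"
    print(dot_query("145.100.185.18", "dnsovertls3.sinodun.com", name,
                    ca_dir="/etc/ssl/certs"))
```

Two design points worth noting against the thread: passing `server_hostname=tls_host` while connecting to the bare IP is the Python equivalent of kdig's `+tls-host=` (SNI plus certificate name check), and if the default context cannot find a trust store on a system like IPFire, `load_verify_locations(capath=...)` is the per-application fix, while `--with-default-trust-store-dir` at GnuTLS build time is the system-wide one.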