Hi Michael,
Am Montag, den 10.12.2018, 00:21 +0000 schrieb Michael Tremer:
I am not sure what you are looking for.
Mainly for testing people which take also a look over the changes in unbound initscript. Since the 'update_forwarders()' function from unbound init will currently not be used if custom forwarders are in usage. 'update_forwarders()' includes really a lot of other functions and it was/is not that easy to check for all possible side affects if this function will be bypassed and substituded by another one (cue: DNSSEC, EDNS, ...). All changes causing the unbound initscript can be found in here --> https://gitlab.com/ummeegge/dot-for-ipfire/commits/master/unbound .
Another point i am currently looking for is the question, if unbound is the best possibility for DoT ? If you take look into the current implementation status --> https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status unbound misses also some other DoT related features. Am building currently GetDNS and Stubby just to get there also a better inside of the differences.
Also, integrating DoT into webuserinterface is, as before mentioned in here, a point. Should DoT become it´s own one, or is it a complete new WUI menu point worth ?
In my humble opinion this DoT topic is still pretty much in a testing phase not only speaking for myself but also looking around and finding only two (may three) stable DoT providers speaks, i think, also a little for itself.
But I just wanted to say that I am following this conversation.
That´s great.
So far I think that there are indeed many people interested in DoT. However, I have not received any feedback on what I was mailing before.
I hope some feedback comes around also since i am currently testing it for a couple of weeks now and posted the results/code_changes in the forum and some also in here.
I think what is best now is to get this into small patches. What needs to be done to get this UI ready so that people can add those DNS servers? What will the default behaviour be? How will we make sure that the system does not fall back (to unauthenticated DNS)?
That´s the fundamental question, please see the above statements.
I think that we can leave OpenSSL 1.1.1 aside for this for now, because it works perfectly fine with TLS 1.2. We should not mix multiple things together when they have no strict dependency (although I am really looking forward to see TLS 1.3 in IPFire soon).
OpenSSL-1.1.1 and TLS 1.3 fits perfectly into this topic and i hope i can install today the new OpenSSL and to test it in my productive environment.
Best, -Michael
Best,
Erik