<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><br>
</p>
<div class="moz-cite-prefix">22.07.2019 20:21, <a class="moz-txt-link-abbreviated" href="mailto:rgsub1@btinternet.com">rgsub1@btinternet.com</a>
пишет:<br>
</div>
<blockquote type="cite"
cite="mid:!&!AAAAAAAAAAAuAAAAAAAAAKBDd+9FwARDm92XJEsqgNgBAMO2jhD3dRHOtM0AqgC7tuYAAAAAAA4AABAAAABtwcE8t3nES6AixLpmUhCoAQAAAAA=@btinternet.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Lucida Console";
panose-1:2 11 6 9 4 5 4 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
code
{mso-style-priority:99;
font-family:"Lucida Console";
color:#333333;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;
mso-fareast-language:EN-US;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="color:windowtext">Hi Yuri,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">OK I see
what was happening now. I can use either <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">tls-cert-bundle:
”<file>”<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">or<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">tls-win-cert:
yes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">or both</span></p>
</div>
</blockquote>
Either-or. I use first by historical reasons.<br>
<blockquote type="cite"
cite="mid:!&!AAAAAAAAAAAuAAAAAAAAAKBDd+9FwARDm92XJEsqgNgBAMO2jhD3dRHOtM0AqgC7tuYAAAAAAA4AABAAAABtwcE8t3nES6AixLpmUhCoAQAAAAA=@btinternet.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:windowtext"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">So now I can
see:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
debug: SSL connection to cloudflare-dns.com authenticated
ip4 1.0.0.1 port 853 (len 16)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">So it looks
like that bit is working OK but then when I go to:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><a
href="http://1.1.1.1/help" moz-do-not-send="true">http://1.1.1.1/help</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">to check
that DNS over TLS is working it says “NO”<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">Looking at
the log file further I see this where things appear to be
blacklisted (see below) I have attached the log file and it
is from the start of the unbound service to the end of the
query to <a href="http://1.1.1.1/help"
moz-do-not-send="true">http://1.1.1.1/help</a> I then
stopped the unbound server to flush the log.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">Any further
insights would be helpful, thanks<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info:
resolving
8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com.
DS IN<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
debug: request has dependency depth of 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info:
msg from cache lookup ;; ->>HEADER<<- opcode:
QUERY, rcode: NOERROR, id: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">;; flags: qr
rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0 <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">;; QUESTION
SECTION:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com.
IN DS<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">;; ANSWER
SECTION:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">;; AUTHORITY
SECTION:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">cloudflareresolve.com.
59 IN SOA cloudflareresolve.com.
dns.cloudflare.com. 2018100101 21600 3600 604800 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">cloudflareresolve.com.
59 IN RRSIG SOA 13 2 3600
20190730125237 20190722095237 64088 cloudflareresolve.com.
TQObnCdfCziZUkBWjUaAUFeU0iXbC7QK9tMC59qJqYZa8ntTdOHCmuWgUgRvVtaLK/l3GhNk65Jr+wHzs3Qnhg==
;{id = 64088}<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com.
60 IN NSEC
\000.8946ae4B-99eC-4925-A951-078129AE2Afe.IS-cF.CLouDFlArerEsoLvE.Com.
A HINFO TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP
OPENPGPKEY SPF<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com.
60 IN RRSIG NSEC 13 4 3600
20190730135835 20190722105835 64088 cloudflareresolve.com.
1EhhluR/cdwni2q9HCdPmAazhlq/rwiOPAWytdeR8pPcNLjlpwphAoULC0tZ2BSZw2UC3P6vlgTHruBL+jpTRQ==
;{id = 64088}<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">;;
ADDITIONAL SECTION:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">;; MSG SIZE
rcvd: 462<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
debug: msg ttl is 60, prefetch ttl 54<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
debug: returning answer from cache.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
debug: iter_handle processing q with state FINISHED RESPONSE
STATE<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info:
finishing processing for
8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com.
DS IN<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
debug: mesh_run: iterator module exit state is
module_finished<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
debug: validator[module 0] operate:
extstate:module_wait_module event:module_event_moddone<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info:
validator operate: query
8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com.
DS IN<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
debug: validator: nextmodule returned<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
debug: not validating response, is valrec(validation
recursion lookup)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
debug: mesh_run: validator module exit state is
module_finished<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info:
validator: inform_super, sub is
8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com.
DS IN<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info:
super is
8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com.
A IN<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info:
NSEC RRset for the referral proved not a delegation point<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
debug: validator[module 0] operate:
extstate:module_wait_subquery event:module_event_pass<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info:
validator operate: query
8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com.
A IN<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
debug: val handle processing q with state VAL_FINDKEY_STATE<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info:
validator: FindKey
8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com.
A IN<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
debug: Cannot retrieve DS for signature<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
debug: val handle processing q with state VAL_FINISHED_STATE<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
debug: validation failed, blacklist and retry to fetch data<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
debug: blacklist ip4 1.1.1.1 port 853 (len 16)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
debug: blacklist ip4 1.0.0.1 port 853 (len 16)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
debug: blacklist cache<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
debug: blacklist ip6 2606:4700:4700::1001 port 853 (len 28)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
debug: blacklist add ip6 2606:4700:4700::1111 port 853 (len
28)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
debug: blacklist add ip6 2606:4700:4700::1111 port 853 (len
28)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
debug: pass back to next module<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
debug: mesh_run: validator module exit state is
module_restart_next<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">22/07/2019
14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
debug: iterator[module 1] operate: extstate:module_finished
event:module_event_pass<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="color:windowtext;mso-fareast-language:EN-GB"
lang="EN-US">From:</span></b><span
style="color:windowtext;mso-fareast-language:EN-GB"
lang="EN-US"> Yuri <a class="moz-txt-link-rfc2396E" href="mailto:yvoinov@gmail.com"><yvoinov@gmail.com></a> <br>
<b>Sent:</b> 22 July 2019 13:41<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:rgsub1@btinternet.com">rgsub1@btinternet.com</a>;
<a class="moz-txt-link-abbreviated" href="mailto:unbound-users@nlnetlabs.nl">unbound-users@nlnetlabs.nl</a><br>
<b>Subject:</b> Re: Using DNS over TLS on windows<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p><o:p> </o:p></p>
<div>
<p class="MsoNormal">22.07.2019 18:38, <a
href="mailto:rgsub1@btinternet.com" moz-do-not-send="true">rgsub1@btinternet.com</a>
пишет:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="color:windowtext">Hi Yuri,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">Thanks for
the config file very useful, but I still have the issue
of:</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext"> </span><o:p></o:p></p>
<p class="MsoNormal">tls-cert-bundle:
"C:\Squid\etc\squid\ca-bundle.crt"<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I do not have the file:
"C:\Squid\etc\squid\ca-bundle.crt" on my system.<o:p></o:p></p>
</blockquote>
<p>Sure. This is my system-specific. :)<o:p></o:p></p>
<p>In you case, you can download Mozilla's CA bundle from<o:p></o:p></p>
<p><a
href="https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt"
moz-do-not-send="true">https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt</a><o:p></o:p></p>
<p>and use it on similar manner (just specify correct
path-to-file) on your setup.<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">So my original question was were do I get
that or a suitable file from?<o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="color:windowtext;mso-fareast-language:EN-GB">Regards</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="color:windowtext;mso-fareast-language:EN-GB">Ray</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="color:windowtext;mso-fareast-language:EN-GB"
lang="EN-US">From:</span></b><span
style="color:windowtext;mso-fareast-language:EN-GB"
lang="EN-US"> Yuri <a href="mailto:yvoinov@gmail.com"
moz-do-not-send="true"><yvoinov@gmail.com></a>
<br>
<b>Sent:</b> 21 July 2019 19:51<br>
<b>To:</b> <a
href="mailto:unbound-users@nlnetlabs.nl"
moz-do-not-send="true">unbound-users@nlnetlabs.nl</a><br>
<b>Subject:</b> Re: Using DNS over TLS on windows</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p>Just an example from working Windows setup:<o:p></o:p></p>
<p># Unbound configuration file on windows.<br>
# See example.conf for more settings and syntax<br>
<br>
server:<br>
# verbosity level 0-4 of logging<br>
verbosity: 0<br>
<br>
# if you want to log to a file use<br>
# logfile: "C:\unbound.log"<br>
<br>
# on Windows, this setting makes reports go into the
Application log<br>
# found in ControlPanels - System tasks - Logs <br>
use-syslog: yes<br>
log-time-ascii: yes<br>
num-threads: 4<br>
cache-max-ttl: 14400<br>
cache-min-ttl: 900<br>
cache-max-negative-ttl: 60<br>
infra-host-ttl: 60<br>
# root-hints: "C:\Program Files\Unbound\named.root"<br>
hide-identity: yes<br>
hide-version: yes<br>
hide-trustanchor: yes<br>
<br>
do-ip6: no<br>
<br>
tls-cert-bundle: "C:\Squid\etc\squid\ca-bundle.crt"<br>
tls-win-cert: yes<br>
tcp-upstream: yes<br>
<br>
harden-short-bufsize: yes<br>
harden-large-queries: yes<br>
harden-below-nxdomain: yes<br>
harden-algo-downgrade: yes<br>
# 1.5.7 feature. Yes recommended.<br>
# From 1.7.2 yes is default<br>
#qname-minimisation: yes<br>
aggressive-nsec: yes<br>
<br>
# select from the fastest servers this many times out of
1000. 0 means<br>
# the fast server select is disabled. prefetches are not
sped up.<br>
# fast-server-permil: 0<br>
fast-server-permil: 100<br>
# the number of servers that will be used in the fast
server selection.<br>
# fast-server-num: 3<br>
fast-server-num: 4<br>
<br>
unwanted-reply-threshold: 10000000<br>
do-not-query-localhost: no<br>
prefetch: yes<br>
prefetch-key: yes<br>
rrset-roundrobin: yes<br>
minimal-responses: yes<br>
<br>
access-control: 0.0.0.0/0 refuse<br>
access-control: 127.0.0.0/8 allow_snoop<br>
access-control: ::0/0 refuse<br>
access-control: ::1 allow<br>
access-control: ::ffff:127.0.0.1 allow<br>
<br>
#include: "C:\Program Files\Unbound\unbound_local" <br>
include: "C:\Program Files\Unbound\unbound_ad_servers" <br>
<br>
# Remote control config section. <br>
remote-control:<br>
# Enable remote control with unbound-control(8) here.<br>
# set up the keys and certificates with
unbound-control-setup.<br>
control-enable: yes<br>
control-use-cert: no<br>
<br>
forward-zone:<br>
name: "."<br>
# forward-addr: <a href="mailto:208.67.222.222@53"
moz-do-not-send="true">208.67.222.222@53</a><br>
# forward-addr: <a href="mailto:208.67.220.220@53"
moz-do-not-send="true">208.67.220.220@53</a><br>
forward-addr: <a
href="mailto:1.1.1.1@853#cloudflare-dns.com"
moz-do-not-send="true">1.1.1.1@853#cloudflare-dns.com</a><br>
forward-addr: <a
href="mailto:1.0.0.1@853#cloudflare-dns.com"
moz-do-not-send="true">1.0.0.1@853#cloudflare-dns.com</a><br>
forward-addr: <a href="mailto:9.9.9.9@853#dns.quad9.net"
moz-do-not-send="true">9.9.9.9@853#dns.quad9.net</a><br>
forward-addr: <a
href="mailto:149.112.112.112@853#dns.quad9.net"
moz-do-not-send="true">149.112.112.112@853#dns.quad9.net</a><br>
forward-addr: <a
href="mailto:145.100.185.15@443#dnsovertls.sinodun.com"
moz-do-not-send="true">145.100.185.15@443#dnsovertls.sinodun.com</a><br>
forward-addr: <a
href="mailto:145.100.185.16@443#dnsovertls1.sinodun.com"
moz-do-not-send="true">145.100.185.16@443#dnsovertls1.sinodun.com</a><br>
forward-addr: <a
href="mailto:185.49.141.37@853#getdnsapi.net"
moz-do-not-send="true">185.49.141.37@853#getdnsapi.net</a><br>
forward-addr: <a
href="mailto:89.233.43.71@853#unicast.censurfridns.dk"
moz-do-not-send="true">89.233.43.71@853#unicast.censurfridns.dk</a><br>
forward-addr: <a
href="mailto:158.64.1.29@853#kaitain.restena.lu"
moz-do-not-send="true">158.64.1.29@853#kaitain.restena.lu</a><br>
forward-addr: <a
href="mailto:145.100.185.18@853#dnsovertls3.sinodun.com"
moz-do-not-send="true">145.100.185.18@853#dnsovertls3.sinodun.com</a><br>
forward-addr: <a
href="mailto:145.100.185.17@853#dnsovertls2.sinodun.com"
moz-do-not-send="true">145.100.185.17@853#dnsovertls2.sinodun.com</a><br>
forward-addr: <a
href="mailto:199.58.81.218@853#dns.cmrg.net"
moz-do-not-send="true">199.58.81.218@853#dns.cmrg.net</a><br>
forward-addr: <a
href="mailto:94.130.110.185@853#ns1.dnsprivacy.at"
moz-do-not-send="true">94.130.110.185@853#ns1.dnsprivacy.at</a><br>
forward-addr: <a
href="mailto:94.130.110.178@853#ns2.dnsprivacy.at"
moz-do-not-send="true">94.130.110.178@853#ns2.dnsprivacy.at</a><br>
forward-addr: <a
href="mailto:99.192.182.200@853#iana.tenta.io"
moz-do-not-send="true">99.192.182.200@853#iana.tenta.io</a><br>
forward-addr: <a
href="mailto:99.192.182.201@853#iana.tenta.io"
moz-do-not-send="true">99.192.182.201@853#iana.tenta.io</a><br>
forward-addr: <a
href="mailto:99.192.182.100@853#opennic.tenta.io"
moz-do-not-send="true">99.192.182.100@853#opennic.tenta.io</a><br>
forward-addr: <a
href="mailto:99.192.182.101@853#opennic.tenta.io"
moz-do-not-send="true">99.192.182.101@853#opennic.tenta.io</a>
<br>
forward-tls-upstream: yes<br>
<br>
# OpenDNS is NOT DNSSEC enabled<br>
server: auto-trust-anchor-file: "C:\Program
Files\Unbound\root.key"<br>
###<o:p></o:p></p>
<div>
<p class="MsoNormal">21.07.2019 21:37, RayG via
Unbound-users пишет:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hi,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><code><span style="font-size:10.0pt"
lang="EN">I have configured things so far but I get
these errors and I think the reason is the
“tls-cert-bundle” setting.</span></code><o:p></o:p></p>
<p class="MsoNormal"><code><span style="font-size:10.0pt"
lang="EN"> </span></code><o:p></o:p></p>
<p class="MsoNormal"><code><span style="font-size:10.0pt"
lang="EN">16:10:16 C:\Program
Files\Unbound\unbound.exe[1740:0] error: ssl handshake
failed crypto error:1416F086:SSL
routines:tls_process_server_certificate:certificate
verify failed</span></code><o:p></o:p></p>
<p class="MsoNormal"><code><span style="font-size:10.0pt"
lang="EN">21/07/2019</span></code><o:p></o:p></p>
<p class="MsoNormal"><code><span style="font-size:10.0pt"
lang="EN"> </span></code><o:p></o:p></p>
<p class="MsoNormal"><code><span style="font-size:10.0pt"
lang="EN">So to get this working I have to enable this
setting:</span></code><o:p></o:p></p>
<p class="MsoNormal"><code><span style="font-size:10.0pt"
lang="EN"> </span></code><o:p></o:p></p>
<p class="MsoNormal"><code><span style="font-size:10.0pt"
lang="EN">tls-cert-bundle:
/etc/ssl/certs/ca-certificates.crt</span></code><o:p></o:p></p>
<p class="MsoNormal"><code><span style="font-size:10.0pt"
lang="EN"> </span></code><o:p></o:p></p>
<p class="MsoNormal"><code><span style="font-size:10.0pt"
lang="EN">That example would seem OK for a UNIX
install but where/how do I configure this for windows?</span></code><o:p></o:p></p>
<p class="MsoNormal"><code><span style="font-size:10.0pt"
lang="EN"> </span></code><o:p></o:p></p>
<p class="MsoNormal"><code><span style="font-size:10.0pt"
lang="EN">Can I use the windows certificate store? If
so what would the entry read.</span></code><o:p></o:p></p>
<p class="MsoNormal"><code><span style="font-size:10.0pt"
lang="EN"> </span></code><o:p></o:p></p>
<p class="MsoNormal"><code><span style="font-size:10.0pt"
lang="EN">Thanks</span></code><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-GB">Regards</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-GB">Ray</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><code><span style="font-size:10.0pt"
lang="EN"> </span></code><o:p></o:p></p>
<p class="MsoNormal"><code><span style="font-size:10.0pt"
lang="EN"> </span></code><o:p></o:p></p>
</blockquote>
<pre>-- <o:p></o:p></pre>
<pre>"C++ seems like a language suitable for firing other people's legs."<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>*****************************<o:p></o:p></pre>
<pre>* C++20 : Bug to the future *<o:p></o:p></pre>
<pre>*****************************<o:p></o:p></pre>
</blockquote>
<pre>-- <o:p></o:p></pre>
<pre>"C++ seems like a language suitable for firing other people's legs."<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>*****************************<o:p></o:p></pre>
<pre>* C++20 : Bug to the future *<o:p></o:p></pre>
<pre>*****************************<o:p></o:p></pre>
</div>
</blockquote>
<pre class="moz-signature" cols="72">--
"C++ seems like a language suitable for firing other people's legs."
*****************************
* C++20 : Bug to the future *
*****************************</pre>
</body>
</html>