Enabling DoT service?
Havard Eidnes
he at uninett.no
Mon Jan 28 09:50:25 UTC 2019
Hi,
yes, I'm late to the party...
I've been trying to figure out from reading unbound.conf(5) how
to enable my existing unbound server to provide DoT service to
the client population. Then I find this oddity:
    tls-service-key: <file>
        If enabled, the server provider TLS service on its TCP sockets.
        The clients have to use tls-upstream: yes. The file is the private
        key for the TLS session. The public certificate is in the
        tls-service-pem file. Default is "", turned off. Requires a
        restart (a reload is not enough) if changed, because the private
        key is read while root permissions are held and before chroot
        (if any). Normal DNS TCP service is not provided and gives
        errors, this service is best run with a different port: config
        or @port suffixes in the interface config.
This baffled me at first. You mean that after having this configured,
unbound would insist on DNS-over-TLS on port 53/TCP?!? How else am I
supposed to read this if that's not the case?
Then, on second thought, it strikes me that perhaps the deployment
model is supposed to be that you run a *separate* unbound server to
provide the DNS-over-TLS service, with interface: ...@853 for all the
addresses it's supposed to listen on, so that the already existing
unbound server isn't unduly burdened by a growing population of
TCP-based clients, and can be left running as is?
Best regards,
- Håvard
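As an added illustration (not part of the original post or of the Unbound project's documentation), this is the shape of a configuration for the "separate instance" model the man page text hints at: a second unbound process that listens only on port 853 via the @port interface suffix and serves TLS there, while the existing port-53 resolver is left untouched. The addresses, file paths and access-control ranges are placeholders.

```conf
# Added example: a dedicated DNS-over-TLS unbound instance.
# All addresses and paths below are placeholders for illustration.
server:
    # Listen only on port 853 using the @port suffix described in
    # unbound.conf(5); plain port 53 stays with the existing instance.
    interface: 192.0.2.53@853
    interface: 2001:db8::53@853

    # Private key and certificate for the TLS service. The key is read
    # while root permissions are still held, so a change needs a restart,
    # not a reload (as the man page text states).
    tls-service-key: /etc/unbound/dot.key
    tls-service-pem: /etc/unbound/dot.pem

    # Limit the resolver to the intended client population.
    access-control: 192.0.2.0/24 allow
    access-control: 2001:db8::/32 allow

    # Keep runtime state separate from the port-53 instance.
    pidfile: /var/run/unbound-dot.pid
    logfile: /var/log/unbound-dot.log
```

Syntax can be checked with `unbound-checkconf` before starting the instance, and a TLS handshake on the new listener can be confirmed with `openssl s_client -connect 192.0.2.53:853`, which also shows the certificate chain the server presents so that clients using `tls-upstream: yes` can validate it.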