Enabling DoT service?

Havard Eidnes he at uninett.no
Mon Jan 28 09:50:25 UTC 2019


yes, I'm late to the party...

I've been trying to figure out from reading unbound.conf(5) how
to enable my existing unbound server to provide DoT service to
the client population.  Then I find this oddity:

   tls-service-key: <file>
          If  enabled, the server provider TLS service on its TCP sockets.
          The clients have to use tls-upstream: yes.  The file is the pri-
          vate  key for the TLS session.  The public certificate is in the
          tls-service-pem file.  Default is "", turned  off.   Requires  a
          restart (a reload is not enough) if changed, because the private
          key is read while root permissions are held  and  before  chroot
          (if  any).   Normal  DNS  TCP  service is not provided and gives
          errors, this service is best run with a different  port:  config
          or @port suffixes in the interface config.

This baffled me at first.  You mean that after having this configured,
unbound would insist on DNS-over-TLS on port 53/TCP?!?  How else am I
supposed to read this if that's not the case?

Then, on second thought, it strikes me that perhaps the deployment
model is supposed to be that you run a *separate* unbound server to
provide the DNS-over-TLS service, with interface: ...@853 for all the
addresses it's supposed to listen on, so that the already existing
unbound server isn't unduly burdened by a growing population of TCP-
based clients, and can be left running as is?

Best regards,

- Håvard
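For reference, an added unbound.conf fragment (not from the original post) showing the @port-suffix layout the man page text points at: plain DNS stays on 53 and only the @853 listener gets TLS. The address, file paths and the presence of the tls-port option (default 853 in current unbound, assumed available here) are assumptions.

```conf
# Constructed example: one unbound instance serving plain DNS and DoT
server:
    # plain DNS (UDP and TCP) on port 53; 192.0.2.53 is an example address
    interface: 192.0.2.53

    # DNS-over-TLS listener selected purely by the @port suffix
    interface: 192.0.2.53@853

    # only interfaces whose @port matches tls-port get TLS service
    # (assumed option; default is already 853)
    tls-port: 853

    # private key and certificate chain; placeholder paths
    # key is read as root before chroot, so changing it needs a restart
    tls-service-key: "/etc/unbound/dot.key"
    tls-service-pem: "/etc/unbound/dot.pem"

    access-control: 192.0.2.0/24 allow
```

After a restart (not a reload), `openssl s_client -connect 192.0.2.53:853` should complete a TLS handshake while port 53 keeps answering plain queries.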
