Enabling DoT service?

Havard Eidnes he at uninett.no
Thu Jan 31 08:46:33 UTC 2019


> I've been trying to figure out from reading unbound.conf(5) how
> to enable my existing unbound server to provide DoT service to
> the client population.  Then I find this oddity:
>
>    tls-service-key: <file>
>           If  enabled, the server provider TLS service on its TCP sockets.
>           The clients have to use tls-upstream: yes.  The file is the pri-
>           vate  key for the TLS session.  The public certificate is in the
>           tls-service-pem file.  Default is "", turned  off.   Requires  a
>           restart (a reload is not enough) if changed, because the private
>           key is read while root permissions are held  and  before  chroot
>           (if  any).   Normal  DNS  TCP  service is not provided and gives
>           errors, this service is best run with a different  port:  config
>           or @port suffixes in the interface config.
>
> This baffled me at first.  You mean that after having this configured,
> unbound would insist on DNS-over-TLS on port 53/TCP?!?

I have since I wrote the above received private comments from another
member on this list that this is in fact not the case, indicating that
the particular sentence "Normal DNS TCP service is not provided and
gives errors" is *NOT* true for port 53, and there is therefore no
imperative to run a TLS-serving unbound as a separate process from the
one serving normal DNS on port 53 for UDP and TCP.

This, then, appears to be a documentation bug.  Can someone "in the
know" please confirm?  Why is that sentence there in the first place,
and what is it attempting to express?  I am genuinely curious and
would prefer to have this documentation bug fixed.

Suggested rewording, based at least partly on guesswork on my part:

tls-service-key: <file>
  If enabled, the server provides TLS service on the TCP ports marked
  implicitly or explicitly for TLS service with tls-port.  The file
  must contain the private key for the TLS session, the public
  certificate is in the tls-service-pem file and it must also be
  specified if tls-service-key is specified.  The default is "",
  turned off.  Enabling or disabling this service requires a restart
  (a reload is not enough), because the key is read while root
  permissions are held and before chroot (if any).  The ports enabled
  implicitly or explicitly via tls-port: do not provide normal DNS TCP
  service.

Regards,

- Håvard
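Added example, not from the original post or from the Unbound project: an unbound.conf fragment for the single-process setup the private comments above describe, plain DNS on port 53 and DoT on port 853 from the same daemon, using only directives documented in unbound.conf(5) (interface, tls-port, tls-service-pem, tls-service-key, access-control). The file paths and the client address ranges are placeholders.

```conf
# Added example configuration (not from the original post or the Unbound
# project). One unbound process answers plain DNS on 53 and DNS-over-TLS
# on 853. Paths and client ranges are placeholders.
server:
    # Plain DNS over UDP and TCP on the standard port.
    interface: 0.0.0.0@53
    interface: ::0@53

    # DoT listeners. A socket whose port equals tls-port speaks TLS only,
    # which is why the key/pem settings do not affect the @53 sockets.
    interface: 0.0.0.0@853
    interface: ::0@853
    tls-port: 853

    # Server certificate chain (tls-service-pem) and private key
    # (tls-service-key). The key is read while root permissions are held
    # and before chroot, so it must be readable by root at startup and
    # changing these two settings needs a restart, not a reload.
    tls-service-pem: "/etc/unbound/tls/fullchain.pem"
    tls-service-key: "/etc/unbound/tls/privkey.pem"

    # Limit both listeners to the intended client population (placeholder
    # ranges); this goes beyond the post but keeps the DoT endpoint from
    # becoming an open resolver.
    access-control: 192.0.2.0/24 allow
    access-control: 2001:db8::/32 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
```

Run unbound-checkconf against the file before restarting; it reports a missing or unreadable key or pem file without stopping the running resolver.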
