Enabling DoT service?

Wouter Wijngaards wouter at nlnetlabs.nl
Thu Jan 31 09:23:54 UTC 2019


Hi Havard,

On 1/31/19 9:46 AM, Havard Eidnes via Unbound-users wrote:
>> I've been trying to figure out from reading unbound.conf(5) how
>> to enable my existing unbound server to provide DoT service to
>> the client population.  Then I find this oddity:
>>
>>    tls-service-key: <file>
>>           If  enabled, the server provider TLS service on its TCP sockets.
>>           The clients have to use tls-upstream: yes.  The file is the pri-
>>           vate  key for the TLS session.  The public certificate is in the
>>           tls-service-pem file.  Default is "", turned  off.   Requires  a
>>           restart (a reload is not enough) if changed, because the private
>>           key is read while root permissions are held  and  before  chroot
>>           (if  any).   Normal  DNS  TCP  service is not provided and gives
>>           errors, this service is best run with a different  port:  config
>>           or @port suffixes in the interface config.
>>
>> This baffled me at first.  You mean that after having this configured,
>> unbound would insist on DNS-over-TLS on port 53/TCP?!?
> 
> I have since I wrote the above received private comments from another
> member on this list that this is in fact not the case, indicating that
> the particular sentence "Normal DNS TCP service is not provided and
> gives errors" is *NOT* true for port 53, and there is therefore no
> imperative to run a TLS-serving unbound as a separate process from the
> one serving normal DNS on port 53 for UDP and TCP.
> 
> This, then, appears to be a documentation bug.  Can someone "in the
> know" please confirm?  Why is that sentence there in the first place,
> and what is it attempting to express?  I am genuinely curious and
> would prefer to have this documentation bug fixed.
> 
> Suggested rewording, based at least partly on guesswork on my part:

Thanks for the better documentation.  The previous line I added to tell
people to use the '@port' syntax to provide the TLS service.  The new
wording you suggest is now in the documentation.

Best regards, Wouter

> 
> tls-service-key: <file>
>   If enabled, the server provides TLS service on the TCP ports marked
>   implicitly or explicitly for TLS service with tls-port.  The file
>   must contain the private key for the TLS session, the public
>   certificate is in the tls-service-pem file and it must also be
>   specified if tls-service-key is specified.  The default is "",
>   turned off.  Enabling or disabling this service requires a restart
>   (a reload is not enough), because the key is read while root
>   permissions are held and before chroot (if any).  The ports enabled
>   implicitly or explicitly via tls-port: do not provide normal DNS TCP
>   service.
> 
> Regards,
> 
> - Håvard
> 
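To make the corrected wording concrete, here is a minimal unbound.conf fragment (an added example, not from the thread or the Unbound project) that serves plain DNS on port 53 and DoT on port 853 from the same process; the 192.0.2.x addresses and the two file paths are constructed placeholders.

```conf
server:
    # Plain DNS (UDP and TCP) on port 53: unaffected by tls-service-key.
    interface: 192.0.2.53
    # Same address with an @port suffix: this listener carries TLS only,
    # because 853 is (implicitly, as the default) the tls-port.
    interface: 192.0.2.53@853
    # Stated explicitly for clarity; 853 is the default value.
    tls-port: 853

    # Both must be set together. The key is read with root privileges
    # before chroot, so changing it requires a restart, not a reload.
    # Placeholder paths, not real files from the list thread.
    tls-service-key: "/etc/unbound/dot-key.pem"
    tls-service-pem: "/etc/unbound/dot-cert.pem"

    # Ordinary recursive-resolver access policy; adjust to your clients.
    access-control: 192.0.2.0/24 allow
    do-tcp: yes
```

Run `unbound-checkconf` against the file before restarting; a plain-DNS TCP query sent to port 853 is expected to fail, since only the listeners matched by tls-port lose normal TCP service, while port 53 keeps it.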
