Enabling DoT service?
wouter at nlnetlabs.nl
Thu Jan 31 09:23:54 UTC 2019
On 1/31/19 9:46 AM, Havard Eidnes via Unbound-users wrote:
>> I've been trying to figure out from reading unbound.conf(5) how
>> to enable my existing unbound server to provide DoT service to
>> the client population. Then I find this oddity:
>> tls-service-key: <file>
>> If enabled, the server provider TLS service on its TCP sockets.
>> The clients have to use tls-upstream: yes. The file is the pri-
>> vate key for the TLS session. The public certificate is in the
>> tls-service-pem file. Default is "", turned off. Requires a
>> restart (a reload is not enough) if changed, because the private
>> key is read while root permissions are held and before chroot
>> (if any). Normal DNS TCP service is not provided and gives
>> errors, this service is best run with a different port: config
>> or @port suffixes in the interface config.
>> This baffled me at first. You mean that after having this configured,
>> unbound would insist on DNS-over-TLS on port 53/TCP?!?
> I have since I wrote the above received private comments from another
> member on this list that this is in fact not the case, indicating that
> the particular sentence "Normal DNS TCP service is not provided and
> gives errors" is *NOT* true for port 53, and there is therefore no
> imperative to run a TLS-serving unbound as a separate process from the
> one serving normal DNS on port 53 for UDP and TCP.
> This, then, appears to be a documentation bug. Can someone "in the
> know" please confirm? Why is that sentence there in the first place,
> and what is it attempting to express? I am genuinely curious and
> would prefer to have this documentation bug fixed.
> Suggested rewording, based at least partly on guesswork on my part:
Thanks for the better documentation. The previous line I added to tell
people to use the '@port' syntax to provide the TLS service. The new
wording you suggest is now in the documentation.
Best regards, Wouter
> tls-service-key: <file>
> If enabled, the server provides TLS service on the TCP ports marked
> implicitly or explicitly for TLS service with tls-port. The file
> must contain the private key for the TLS session, the public
> certificate is in the tls-service-pem file and it must also be
> specified if tls-service-key is specified. The default is "",
> turned off. Enabling or disabling this service requires a restart
> (a reload is not enough), because the key is read while root
> permissions are held and before chroot (if any). The ports enabled
> implicitly or explicitly via tls-port: do not provide normal DNS TCP
> - Håvard
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: OpenPGP digital signature
More information about the Unbound-users