Unbound 1.15.0rc1 pre-release
Wouter Wijngaards
wouter at nlnetlabs.nl
Mon Feb 7 08:33:41 UTC 2022
Hi Andreas,
On 05/02/22 20:22, A. Schulze via Unbound-users wrote:
>
>
> Am 03.02.22 um 10:21 schrieb Wouter Wijngaards via Unbound-users:
>> Unbound 1.15.0rc1 pre-release is available:
>
> Hello,
>
> there is a strange plaintext vs TLS confusion...
There is a fix in
https://github.com/NLnetLabs/unbound/commit/5f724da8c57c5a6bf1d589b6651daec2dc39a9d1
The TCP interface got TLS because that was configured; that should be
fixed in the commit.
Best regards, Wouter
>
> I start with this config:
>
> server:
> chroot: ""
> logfile: ""
> ip-address: 127.0.0.1@1025
>
> # unbound -c config
>
> # kdig -p 1025 @127.0.0.1 version.bind. txt ch +short +notcp
> "unbound 1.15.0rc1"
> # kdig -p 1025 @127.0.0.1 version.bind. txt ch +short +tcp
> "unbound 1.15.0rc1"
>
> -> unbound answers Do53 on UDP and TCP
>
> Now I add DoT on port 1026:
>
> # pkill unbound
> # openssl ecparam -rand /dev/urandom -genkey -name secp384r1 -out /tmp/key
> # openssl req -batch -rand /dev/urandom -x509 -key /tmp/key -out /tmp/cert -days 1 -subj '/CN=localhost' -addext subjectAltName=DNS:localhost
> # cat <<EOF >> config
> interface: 127.0.0.1@1026
> tls-port: 1026
> tls-service-pem: /tmp/cert
> tls-service-key: /tmp/key
> EOF
>
> # unbound -c config
>
> # kdig -p 1026 @127.0.0.1 version.bind. txt ch +short +tls
> "unbound 1.15.0rc1"
>
> -> DoT on port 1026/tcp works
>
> # kdig -p 1025 @127.0.0.1 version.bind. txt ch +short +notcp
> "unbound 1.15.0rc1"
>
> -> Do53 on port 1025/tcp works
>
> # kdig -p 1025 @127.0.0.1 version.bind. txt ch +short +tcp
> ;; WARNING: can't receive reply from 127.0.0.1@1025(TCP)
> ;; ERROR: failed to query server 127.0.0.1@1025(TCP)
>
> -> Do53 on port 1025/tcp fail!
>
> # kdig -p 1025 @127.0.0.1 version.bind. txt ch +short +tls
> "unbound 1.15.0rc1"
>
> -> unexpected: TLS is active on Port 1025!
>
> Andreas
>
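After a change like the one Andreas made (adding a DoT listener next to an existing Do53 one), a quick way to confirm that every Unbound listener still speaks the protocol its config implies is to derive the expected mode per port from the config and then send the same version.bind CH TXT question kdig sends over plain TCP. The script below is an added example, not code from the thread or from the Unbound project; it handles only the interface, ip-address, port and tls-port directives, and the config fragment inside it is constructed to mirror the report.

```python
import re, socket, struct

# Constructed config fragment mirroring the report above, not a real deployment file.
SAMPLE_CONF = """
server:
  ip-address: 127.0.0.1@1025
  interface: 127.0.0.1@1026
  tls-port: 1026
"""

def expected_modes(conf, default_port=53, tls_port=853):
    """Listener (ip, port) -> 'dot' if its port equals tls-port (default 853), else 'do53'."""
    listeners = []
    for line in conf.splitlines():
        m = re.match(r'(interface|ip-address|tls-port|port):\s*(\S+)',
                     line.split('#', 1)[0].strip())
        if not m: continue
        key, val = m.groups()
        if key == 'tls-port':
            tls_port = int(val)
        elif key == 'port':
            default_port = int(val)
        else:  # interface / ip-address, with an optional @port suffix
            ip, _, port = val.partition('@')
            listeners.append((ip, int(port) if port else None))
    return {(ip, p or default_port): 'dot' if (p or default_port) == tls_port
            else 'do53' for ip, p in listeners}

def build_query(qid=0x1234):
    """Minimal version.bind CH TXT query, the question kdig sends above."""
    header = struct.pack('!HHHHHH', qid, 0x0100, 1, 0, 0, 0)
    return header + b'\x07version\x04bind\x00' + struct.pack('!HH', 16, 3)  # TXT, CH

def speaks_plain_dns(ip, port, timeout=2.0):
    """True if the port answers a plain DNS/TCP query; a TLS listener drops it instead."""
    q = build_query()
    try:
        with socket.create_connection((ip, port), timeout) as s:
            s.sendall(struct.pack('!H', len(q)) + q)  # RFC 1035 two-byte length prefix
            n = struct.unpack('!H', s.recv(2))[0]
            reply = s.recv(n)
            # same id as our question and the QR bit set: a real DNS response
            return len(reply) >= 12 and reply[:2] == q[:2] and reply[2] & 0x80 != 0
    except (OSError, struct.error):
        return False

def audit(conf):
    """(ip, port, expected_mode, ok): a 'do53' port must answer plain DNS, a 'dot' one must not."""
    return [(ip, port, mode, speaks_plain_dns(ip, port) == (mode == 'do53'))
            for (ip, port), mode in expected_modes(conf).items()]
```

Run `audit(open('config').read())` against a live Unbound; in the situation reported above, the 1025 entry would come back with ok=False because the plain-TCP query gets no DNS reply.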