Unbound 1.23.0rc1 pre-release
Wouter Wijngaards
wouter at nlnetlabs.nl
Thu Apr 10 07:41:21 UTC 2025
Hi Andreas,
For error reporting, the server has to include the Report-Channel EDNS
option, with the reporting agent that the error reports are sent to. The
server collects the information. NSD does not have the option to do that.
I fixed the issue, so that the server prints 'doh' and 'dot' for
connections. It printed dot instead of doh, and did not print dot for
dot connections. Thank you for testing and finding the issue!
Best regards, Wouter
On 4/9/25 22:58, A. Schulze via Unbound-users wrote:
>
>
> On 09.04.25 at 21:25, A. Schulze via Unbound-users wrote:
>>> Unbound 1.23.0rc1 pre-release is available:
>
> maybe not new...
>
> I've configured:
>
> <usual setup>
> interface: ::@443
> https-port: 443
> http-endpoint: "/doh-test"
> tls-service-pem: "/path/to/cert+intermediate.pem"
> tls-service-key: "/path/to/key.pem"
>
>
> Then I do a query:
> # kdig @unbound.example. hostname.bind. txt ch +https=/doh-test +short
> "unbound.example"
>
>
> But the log says "dot"!
> Apr 09 22:48:01 unbound[1:0] reply: 2001:db8::2 hostname.bind. TXT CH
> NOERROR 0.000000 1 75 on dot :: 443
>
> I would expect "doh/http/https" but not "dot"
>
> Oh, btw:
> compiled with openssl-3.5.0, both (dot and doh) support the new pq key
> exchange out of the box.
>
> # /usr/local/bin/openssl version
> OpenSSL 3.5.0 8 Apr 2025 (Library: OpenSSL 3.5.0 8 Apr 2025)
>
> # /usr/local/bin/openssl3 s_client -connect unbound.example:443 <
> /dev/null 2>&1 | grep group
> Negotiated TLS1.3 group: X25519MLKEM768
>
> # openssl3 s_client -connect unbound.dev.somaf.de:853 < /dev/null 2>&1 |
> grep group
> Negotiated TLS1.3 group: X25519MLKEM768
>
> nice :-)
>
>
> Andreas
>
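As an added example (not Unbound or NSD code) of the Report-Channel EDNS option Wouter mentions: RFC 9567 assigns it option code 18, and its data is the reporting agent's domain name in uncompressed DNS wire format. The agent name and the option bytes below are constructed for the example.

```python
import struct
REPORT_CHANNEL = 18  # EDNS option code assigned to Report-Channel by RFC 9567

def encode_name(name: str) -> bytes:
    # Uncompressed wire-format name; RFC 9567 forbids compression pointers here.
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    if any(not 0 < len(l) < 64 for l in labels):
        raise ValueError("label length must be 1..63")
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def decode_name(data: bytes) -> tuple:
    # Returns (dotted name, bytes consumed); rejects pointers and truncation.
    labels, off = [], 0
    while off < len(data) and data[off] != 0:
        n = data[off]
        if n > 63 or off + 1 + n > len(data):  # 0xC0.. would be a pointer
            raise ValueError("bad label: pointer, reserved type or truncated")
        labels.append(data[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    if off >= len(data):
        raise ValueError("missing root label")
    return ".".join(labels) + ".", off + 1

def report_channel_option(agent_domain: str) -> bytes:
    # OPTION-CODE (16 bit), OPTION-LENGTH (16 bit), then the agent domain.
    wire = encode_name(agent_domain)
    return struct.pack("!HH", REPORT_CHANNEL, len(wire)) + wire

def parse_edns_options(rdata: bytes) -> dict:
    # Split OPT RR RDATA into {code: data}; every length is bounds-checked.
    opts, off = {}, 0
    while off < len(rdata):
        if off + 4 > len(rdata):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", rdata[off:off + 4])
        off += 4
        if off + length > len(rdata):
            raise ValueError("option length exceeds RDATA")
        opts[code], off = rdata[off:off + length], off + length
    return opts

def reporting_agent(rdata: bytes):
    # Agent domain from an OPT RDATA, or None when no Report-Channel is present.
    data = parse_edns_options(rdata).get(REPORT_CHANNEL)
    if data is None:
        return None
    name, used = decode_name(data)
    if used != len(data):
        raise ValueError("trailing bytes after agent domain")
    return name
```

A resolver only sends error reports for an authoritative server whose responses carry this option, so checking the OPT RDATA of a server's replies with a parser like this tells you whether reporting is actually enabled.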