Your message dated Fri, 7 Nov 2025 08:33:34 +0300
with message-id <[email protected]>
and subject line Re: With https-port set to 853, DoT is served. In contrast to the manual page
has caused the Debian Bug report #1115875,
regarding With https-port set to 853, DoT, rather then DoH, is served. In contrast to the manual page
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
1115875: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1115875
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: unbound
Version: 1.22.0-2
Severity: normal

Forwarding dot (dns over tls) by port 853 and serving doh (dns over https) is working. Unless https-port is set to 853.

How to reproduce?

1. Have an appropriate certificate, and the following configuration file:

# cat /etc/unbound/unbound.conf.d/listening_doh_at_port_854_and_forwarding_dot_at_port_853.conf
server:
    chroot: ""
    directory: "/etc/unbound"
    do-daemonize: no
    interface: lo@53
    interface: lo@854
    https-port: 854
    tls-service-key: "doh.key"
    tls-service-pem: "doh.pem"
    tls-system-cert: yes
forward-zone:
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-tcp-upstream: yes
    forward-tls-upstream: yes
    name: "."

2. Restart unbound.

3. Test. For example with

$ dig @localhost -p 854 +https cnn.com a

it is working.

4. But when changing the configuration file to have

    interface: lo@853
    https-port: 853

and restarting unbound, unbound fails.

$ dig @localhost -p 853 +https cnn.com a
;; communications error to ::1#853: timed out
;; communications error to ::1#853: timed out
;; communications error to ::1#853: timed out
;; communications error to 127.0.0.1#853: timed out

; <<>> DiG 9.20.11-4-Debian <<>> @localhost -p 853 +https cnn.com a
; (2 servers found)
;; global options: +cmd
;; no servers could be reached

It is not a network issue because the results are consistent over time. Resolution succeeds with the 854 settings, and fails with the 853 settings.

In addition, with both the 853 and 854 setting, the above configuration file can do only dot forwarding. And that, for example

$ dig @localhost cnn.com a

is always working.
--- End Message ---
--- Begin Message ---
On Mon, 22 Sep 2025 12:57:28 +0000 [email protected] wrote:
> retitle 115875 With https-port set to 853, DoT, rather then DoH, is served. In contrast to the manual page
> thanks
>
> When the configuration file shown earlier reads
>
>     interface: lo@853
>     https-port: 853
>
> the command
>
>     $ dig @localhost +tls -p 853 debian.org
>
> succeeds, despite various places in the unbound.conf(5) manual page stating dns over https should be used. Or that is my understanding of the manual page. For example:
>
>     https-port: <number>
>         The port number on which to provide DNS-over-HTTPS service, default 443, only interfaces configured with that port number as @number get the HTTPS service.

In your configuration, it looks like you have a clash between https port and tls port. By default, tls-port is 853, and https-port is 443. This is stated in the manpage.

Now, you specify 853 port in "interface" line, so tls is activated on this port, according to the default "tls-port: 853". But you're setting https port to the same value. So it clashes with tls.

Admittedly, unbound could check for such clash. But it doesn't do this. Either way, it is a configuration error. Do not set both tls and https port to the same value.

I'm closing this bug report.

Thanks,

/mjt
--- End Message ---
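The clash the maintainer describes (the `interface: ...@853` line picking up the TLS service because the default `tls-port` is 853, while `https-port` is also set to 853) is easy to catch before restarting the daemon. The following is an added example, not code from the bug report, from unbound or from Debian: a small Python lint that reads the `server:` clause of a minimal unbound.conf and classifies each `interface:` port as plain DNS, DNS-over-TLS, DNS-over-HTTPS, or a TLS/HTTPS clash. It models the rule exactly as the thread states it (an interface port equal to `tls-port`, default 853, gets TLS; one equal to `https-port`, default 443, gets HTTPS) and does not consult unbound's real parser. The three embedded configurations are constructed for this example: the reporter's working 854 layout, the clashing 853 layout, and a variant that keeps DoH on 853 by moving `tls-port` to the constructed value 8853.

```python
"""Added example (not unbound's own code): lint an unbound.conf server:
clause for the tls-port / https-port clash discussed in Debian bug #1115875.
The service-selection rule is modelled as the thread states it; unbound's
actual configuration parser is not used."""

import re

DEFAULT_PORT = 53          # unbound "port:" default
DEFAULT_TLS_PORT = 853     # unbound "tls-port:" default (per the manpage)
DEFAULT_HTTPS_PORT = 443   # unbound "https-port:" default (per the manpage)

_KV = re.compile(r"^\s*([a-z-]+):\s*(.*?)\s*$")
_COMMENT = re.compile(r"(^|\s)#.*$")   # '#' inside ip@port#authname is not a comment


def parse_server_section(text):
    """Return (options, interfaces) from the server: clause only.
    Other clauses such as forward-zone: are skipped."""
    options, interfaces = {}, []
    in_server = False
    for raw in text.splitlines():
        line = _COMMENT.sub("", raw).rstrip()
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):
            # unindented line: a clause header such as "server:" / "forward-zone:"
            in_server = line.strip() == "server:"
            continue
        if not in_server:
            continue
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip('"')
        if key == "interface":
            interfaces.append(value)
        else:
            options[key] = value
    return options, interfaces


def interface_port(spec, default_port):
    """'lo@854' -> 854, '::1@853' -> 853, '127.0.0.1' -> default_port."""
    if "@" in spec:
        return int(spec.rsplit("@", 1)[1])
    return default_port


def lint(text):
    """Return a list of (interface, port, service-or-problem) findings."""
    options, interfaces = parse_server_section(text)
    base = int(options.get("port", DEFAULT_PORT))
    tls = int(options.get("tls-port", DEFAULT_TLS_PORT))
    https = int(options.get("https-port", DEFAULT_HTTPS_PORT))
    findings = []
    if tls == https:
        findings.append(("*", tls, "CLASH: tls-port and https-port are both %d" % tls))
    for spec in interfaces:
        port = interface_port(spec, base)
        if port == tls == https:
            service = "ambiguous (tls/https clash)"
        elif port == tls:
            service = "DNS-over-TLS"
        elif port == https:
            service = "DNS-over-HTTPS"
        else:
            service = "plain DNS"
        findings.append((spec, port, service))
    return findings


# Constructed sample configurations mirroring the bug report.
WORKING_CONF = """\
server:
    chroot: ""
    directory: "/etc/unbound"
    do-daemonize: no
    interface: lo@53
    interface: lo@854
    https-port: 854
    tls-service-key: "doh.key"
    tls-service-pem: "doh.pem"
    tls-system-cert: yes
forward-zone:
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-tls-upstream: yes
    name: "."
"""
# The reporter's failing variant: https-port equals the default tls-port.
CLASHING_CONF = (WORKING_CONF.replace("lo@854", "lo@853")
                             .replace("https-port: 854", "https-port: 853"))
# Constructed fix: keep DoH on 853 but move the TLS service port elsewhere (8853 is
# an arbitrary value chosen for this example).
FIXED_CONF = CLASHING_CONF.replace("https-port: 853",
                                   "https-port: 853\n    tls-port: 8853")

if __name__ == "__main__":
    for name, conf in (("working", WORKING_CONF), ("clashing", CLASHING_CONF),
                       ("fixed", FIXED_CONF)):
        print(name)
        for spec, port, service in lint(conf):
            print("  %-10s %5d  %s" % (spec, port, service))
```

Run as a script it prints the classification for each configuration; the clashing layout reports both the global clash and the `lo@853` interface as ambiguous, which is the condition the maintainer says unbound itself does not check for. The lint only understands the simple `key: value` form used in this thread, so configurations using `include:` or other clauses need to be flattened first.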

