Unbound-users wrote:
> Hi,
>
> On 07/31/2018 09:07 AM, Guillaume-Jean Herbiet via Unbound-users wrote:
>> Hello,
>>
>> We are using Unbound 1.7.3 to test the DNS-over-TLS service and advance
>> options (see specifications and config file below).
>>
Hi,
On 07/31/2018 09:07 AM, Guillaume-Jean Herbiet via Unbound-users wrote:
> Hello,
>
> We are using Unbound 1.7.3 to test the DNS-over-TLS service and advance
> options (see specifications and config file below).
>
> The server is generally on very low use (avg. 2 queries/s
Hello,
We are using Unbound 1.7.3 to test the DNS-over-TLS service and advance
options (see specifications and config file below).
The server is generally on very low use (avg. 2 queries/s) but
configured following the optimization guide[1] in order to test options
and perform stress tests
>>>>>> debug:
>>>>>>>> bio_cb 6, before read
>>>>>>>> 24.05.2018 17:01:35 C:\Program Files\Unbound\unbound.exe[18264:1]
>>>>>>>> debug:
>>>>>>>> bio_cb 134, return read
>>> outnettcp got tcp error -1
>>>>>> 24.05.2018 17:01:35 C:\Program Files\Unbound\unbound.exe[18264:1] debug:
>>>>>> tcp error for address ip4 1.1.1.1 port 853 (len 16)
>>>>>>
>>>>>> and no resolve.
>>>>
>>>>>
>>>>> and no resolve.
>>>>>
>>>>>
>>>>>
>>>>> 24.05.2018 15:57, W.C.A. Wijngaards wrote:
>>>>>> Hi Yuri,
>>>>>>
>>>>>> On 09/05/18 16:51, Yuri wrote:
>>>>
>>>>>> Hi,
>>>>>>
>>>>>> No idea what is going on anymore, here is two new sets of binaries.
>>>>>>
>>>>>> These are made with openssl 1.0.2j. The code in unbound that does
>>>>>> tls-
going on anymore, here is two new sets of binaries.
>>>>>
>>>>> These are made with openssl 1.0.2j. The code in unbound that does
>>>>> tls-upstream:yes is basically almost the same as previous releases, and
>>>>> with the same version of
>>>> Note that the 1.0.2 openssl does not have the set verify name function
>>>> that is used to verify the tls authentication name, so it won't check that.
>>>>
>>>> open.nlnetlabs.nl/~wouter/unbound-1.7.1_20180509.zip
>>>> open.nln
>> that is used to verify the tls authentication name, so it won't check that.
>>
>> open.nlnetlabs.nl/~wouter/unbound-1.7.1_20180509.zip
>> open.nlnetlabs.nl/~wouter/unbound-1.7.2_20180509.zip
> Same shame, Wouter. :-(
>
> Both do not work with DoT.
I have a
09.05.2018 11:51, W.C.A. Wijngaards via Unbound-users wrote:
> Hi,
>
> No idea what is going on anymore, here is two new sets of binaries.
>
> These are made with openssl 1.0.2j. The code in unbound that does
> tls-upstream:yes is basically almost the same as previous releases, and
> with the sa
Hi,
No idea what is going on anymore, here is two new sets of binaries.
These are made with openssl 1.0.2j. The code in unbound that does
tls-upstream:yes is basically almost the same as previous releases, and
with the same version of openssl, shouldn't that work like it did in the
previous rele
Still not, Raymond.
Digging.
08.05.2018 21:45, Raymond Bannan via Unbound-users wrote:
> I downloaded the updated binary and tried on my system as well -
> unbound is still attempting to resolve without first negotiating TLS.
>
> It correctly reaches out to 1.1.1.1:853, but it doesn't negotiate a
I downloaded the updated binary and tried on my system as well - unbound
is still attempting to resolve without first negotiating TLS.
It correctly reaches out to 1.1.1.1:853, but it doesn't negotiate a TLS
connection. Is there anything I could do to help fix this?
-Ray
On 5/7/2018 8:25 AM,
Hardly. Same settings in same networks.
08.05.2018 19:58, A. Schulze via Unbound-users wrote:
>
> Yuri via Unbound-users:
>
>> I'm just wondering, why *NIX version works well, but windows not with
>> DoT.
>
> wild guess: an MTU issue?
>
--
"C++ seems like a language suitable for firing other pe
Yuri via Unbound-users:
I'm just wondering, why *NIX version works well, but windows not with DoT.
wild guess: an MTU issue?
I'm just wondering, why *NIX version works well, but windows not with DoT.
In same conditions, in same networks. With similar configurations. With
existing connectivity to sources.
08.05.2018 18:32, W.C.A. Wijngaards via Unbound-users wrote:
> Hi Yuri,
>
> Yes it is static linked, and you can se
Hi Yuri,
Yes it is static linked, and you can see what it is by running unbound
from the command prompt with the -h flag.
For this release I moved from 1.0.2j to 1.1.0h, and I now also wonder if
that has made an impact somehow.
Best regards, Wouter
On 08/05/18 14:28, Yuri via Unbound-users wrot
Is it possible that it is an OpenSSL-related issue? Is the OpenSSL library
in Windows unbound statically linked?
08.05.2018 18:12, W.C.A. Wijngaards via Unbound-users wrote:
> Hi Yuri,
>
> On 08/05/18 14:07, Yuri via Unbound-users wrote:
>> Nop,
>>
>> I've disabled all firewalls with same results.
>>
>
Hi Yuri,
On 08/05/18 14:07, Yuri via Unbound-users wrote:
> Nop,
>
> I've disabled all firewalls with same results.
>
> And when I've tried to open TCP socket on 1.1.1.1 port 853 with telnet -
> it's opens.
>
Yes, Unbound logs also show that the connection opens. But then
nothing but timeout
Nop,
I've disabled all firewalls with same results.
And when I've tried to open TCP socket on 1.1.1.1 port 853 with telnet -
it's opens.
--
"C++ seems like a language suitable for firing other people's legs."
*
* C++20 : Bug to the future *
*
Hi Yuri,
On 07/05/18 16:16, Yuri via Unbound-users wrote:
> Just checked. Unfortunately, patch does not fix issue.
>
> Same symptom. Timeout, then no resolve.
From your previous logs, what unbound does is connect, then write. Then
it gets nothing to read. Until the timeout happens. The conne
Just checked. Unfortunately, patch does not fix issue.
Same symptom. Timeout, then no resolve.
http://open.nlnetlabs.nl/~wouter/unbound-1.7.2_20180507.zip (16Mb)
http://open.nlnetlabs.nl/~wouter/unbound-1.7.2_20180507.zip.asc (pgp sig)
--
"C++ seems like a language suitable for firing other pe
NS, no DNSSEC etc.) - works.
>
I have made some fixes for DNS-over-TLS for unbound on windows, they are
in the patch below. I've also compiled a 64bit build for that snapshot.
Does this solve the problem?
http://open.nlnetlabs.nl/~wouter/unbound-1.7.2_20180507.zip (16Mb)
http://open.nlnetlab
Hi Raymond,
On 03/05/18 22:43, Raymond Bannan via Unbound-users wrote:
> I've spent several hours trying various permutations of the following
> config, but no matter what I do I can't get unbound to forward a DNS
> request over TLS:
This config looks correct. It should be connecting with TLS.
I've spent several hours trying various permutations of the following
config, but no matter what I do I can't get unbound to forward a DNS
request over TLS:
server:
    tls-cert-bundle: "C:\Program Files\Unbound\cabundle.crt"
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward
Is there any plan to add client certificate authentication to Unbound's DNS over
TLS? I.e., so that servers can verify that clients are allowed to talk to them?
If not, is there any other way that I can restrict which clients can talk to an
unbound server, other than by filtering based on client IP
Hi,
Do we have an existing package to support DNS over TLS mentioned in RFC
7858? Do we need any additional change in the unbound library to
deploy this additional security between client and recursive resolver?
Rgds
Simon
> in the SAN field?
When using unbound as DNS-over-TLS client (as forwarder), no certificate
validation is happening. So stealing (or requesting) a cert signed by a
"well-known" CA is not necessary, any cert will do.
Also see the discussion on Unbound bug #658 [0] for the current TLS
au
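The point made just above (a DNS-over-TLS forwarder that does not validate the upstream certificate is encrypted but not authenticated) and the note elsewhere in this thread that OpenSSL 1.0.2 builds cannot verify the tls authentication name come down to two client-side settings. The Python client below is an added example for this thread, not Unbound's code and not code posted by anyone here. It shows what a DoT client has to do per RFC 7858 (TCP to port 853, TLS handshake first, then each DNS message with the 2-byte length prefix of DNS over TCP) and puts an authenticated TLS context beside the opportunistic one. All function names, the 1.1.1.1 / cloudflare-dns.com pair in the commented-out live call, and the sample response bytes are assumptions constructed for the example. On the Unbound side the same distinction is `tls-cert-bundle` plus an authentication name on the forwarder (`forward-addr: <ip>@853#<name>`) versus `forward-ssl-upstream: yes` alone.

```python
"""DNS-over-TLS (RFC 7858) client building blocks.

Added example for this thread; it is not Unbound's code.  Resolver IP,
authentication name and all function names are assumptions.
"""
import os
import socket
import ssl
import struct
from typing import List, Optional, Tuple

QTYPE_A = 1


def build_query(qname: str, qtype: int = QTYPE_A, qid: Optional[int] = None) -> bytes:
    """Encode a minimal RFC 1035 query (one question, RD=1) in wire format."""
    if qid is None:
        qid = int.from_bytes(os.urandom(2), "big")  # unpredictable ID, not a counter
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        enc = label.encode("ascii")
        if not 0 < len(enc) < 64:
            raise ValueError("bad label %r" % label)
        question += bytes([len(enc)]) + enc
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def frame(msg: bytes) -> bytes:
    """RFC 7858 reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def unframe(buf: bytes) -> Tuple[bytes, bytes]:
    """Split one length-prefixed message off the front of buf -> (message, rest)."""
    if len(buf) < 2:
        raise ValueError("need 2-byte length prefix")
    (n,) = struct.unpack("!H", buf[:2])
    if len(buf) < 2 + n:
        raise ValueError("message truncated: want %d bytes, have %d" % (n, len(buf) - 2))
    return buf[2:2 + n], buf[2 + n:]


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4) ends the name
            return off + 2
        off += 1 + n


def parse_a_answers(resp: bytes, expected_id: int) -> List[str]:
    """Return the A records of a response after the checks a stub must make."""
    if len(resp) < 12:
        raise ValueError("short header")
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if qid != expected_id:
        raise ValueError("response id %#x does not match query %#x" % (qid, expected_id))
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    if flags & 0x000F:
        raise ValueError("RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(resp, off) + 4
    addrs: List[str] = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata, off = resp[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def authenticated_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Authenticated TLS: chain verified against a CA bundle AND the name checked."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def opportunistic_context() -> ssl.SSLContext:
    """Encryption only: any certificate is accepted, so an on-path host with a
    self-signed cert can answer as 'the resolver'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_summary(ctx: ssl.SSLContext) -> Tuple[bool, str]:
    return ctx.check_hostname, ctx.verify_mode.name


def query_over_tls(ip: str, auth_name: str, qname: str, ctx: ssl.SSLContext,
                   port: int = 853, timeout: float = 5.0) -> List[str]:
    """TCP connect, TLS handshake first, then the framed DNS query (needs network)."""
    qid = int.from_bytes(os.urandom(2), "big")
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:  # SNI + name check
            tls.sendall(frame(build_query(qname, qid=qid)))
            buf = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("resolver closed the connection mid-message")
                buf += chunk
                if len(buf) >= 2 and len(buf) >= 2 + struct.unpack("!H", buf[:2])[0]:
                    break
    resp, _ = unframe(buf)
    return parse_a_answers(resp, qid)


# Constructed offline sample (not captured traffic): query for example.com and a
# matching reply carrying one A record in TEST-NET-1.
SAMPLE_QID = 0x1234
SAMPLE_QUERY = build_query("example.com", qid=SAMPLE_QID)
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_QID, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, NOERROR
    + SAMPLE_QUERY[12:]                                       # echoed question
    + b"\xc0\x0c"                                             # pointer to QNAME at offset 12
    + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
)


def demo_offline() -> List[str]:
    """Exercise framing and parsing without a network."""
    resp, rest = unframe(frame(SAMPLE_RESPONSE))
    assert rest == b""
    return parse_a_answers(resp, SAMPLE_QID)


if __name__ == "__main__":
    print("offline:", demo_offline())
    # Live use (assumed resolver and auth name; needs network):
    # print(query_over_tls("1.1.1.1", "cloudflare-dns.com", "example.com", authenticated_context()))
```

Run as-is for the offline check; uncomment the live call to query a real resolver. Swap in `opportunistic_context()` and the same code completes a handshake with any certificate, which is why the certificate bundle and authentication name, not the encryption itself, are the security-relevant part of a DoT forwarder configuration.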
Folks,
Configuring DNS-over-TLS to be offered to clients was easy with Unbound;
I'm running with ECC TLS from my private CA, and
https://github.com/bortzmeyer/monitor-dns-over-tls lets me confirm that
service is working, with a monitoring plugin no less!
Skimming RFC 7858, it appears tha
s (SIDN) via Unbound-users wrote:
>> Hi,
>>
>> So I wanted to play a little with DNS over TLS and found this:
>>
>> forward-zone:
>>     name: "."
>>     forward-addr: 2620:ff:c000:0:1::64:25@853
>>
>> Works.
>>
>> But trying
Hi Marco,
Is ssl-upstream setting perhaps the one that is bothering you? I have
no other clues, unfortunately.
Best regards, Wouter
On 23/10/16 15:19, Marco Davids (SIDN) via Unbound-users wrote:
> Hi,
>
> So I wanted to play a little with DNS over TLS and found this:
>
Hi,
So I wanted to play a little with DNS over TLS and found this:
forward-zone:
    name: "."
    forward-addr: 2620:ff:c000:0:1::64:25@853
Works.
But trying to forward just a portion of my DNS-queries to this resolver
does not seem to work, like in:
forward-zone: