Hi Havard,

On 1/31/19 9:46 AM, Havard Eidnes via Unbound-users wrote:
>> I've been trying to figure out from reading unbound.conf(5) how
>> to enable my existing unbound server to provide DoT service to
>> the client population. Then I find this oddity:
>>
>>   tls-service-key: <file>
>>     If enabled, the server provider TLS service on its TCP sockets.
>>     The clients have to use tls-upstream: yes. The file is the
>>     private key for the TLS session. The public certificate is in the
>>     tls-service-pem file. Default is "", turned off. Requires a
>>     restart (a reload is not enough) if changed, because the private
>>     key is read while root permissions are held and before chroot
>>     (if any). Normal DNS TCP service is not provided and gives
>>     errors, this service is best run with a different port: config
>>     or @port suffixes in the interface config.
>>
>> This baffled me at first. You mean that after having this configured,
>> unbound would insist on DNS-over-TLS on port 53/TCP?!?
>
> I have since I wrote the above received private comments from another
> member on this list that this is in fact not the case, indicating that
> the particular sentence "Normal DNS TCP service is not provided and
> gives errors" is *NOT* true for port 53, and there is therefore no
> imperative to run a TLS-serving unbound as a separate process from the
> one serving normal DNS on port 53 for UDP and TCP.
>
> This, then, appears to be a documentation bug. Can someone "in the
> know" please confirm? Why is that sentence there in the first place,
> and what is it attempting to express? I am genuinely curious and
> would prefer to have this documentation bug fixed.
>
> Suggested rewording, based at least partly on guesswork on my part:

Thanks for the better documentation. I added the previous line to tell
people to use the '@port' syntax to provide the TLS service. The new
wording you suggest is now in the documentation.

Best regards, Wouter

>
>   tls-service-key: <file>
>     If enabled, the server provides TLS service on the TCP ports marked
>     implicitly or explicitly for TLS service with tls-port. The file
>     must contain the private key for the TLS session, the public
>     certificate is in the tls-service-pem file and it must also be
>     specified if tls-service-key is specified. The default is "",
>     turned off. Enabling or disabling this service requires a restart
>     (a reload is not enough), because the key is read while root
>     permissions are held and before chroot (if any). The ports enabled
>     implicitly or explicitly via tls-port: do not provide normal DNS TCP
>     service.
>
> Regards,
>
> - Håvard
>
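An added unbound.conf fragment (not from the thread or from the Unbound documentation) showing the layout the corrected wording describes: plain DNS on port 53 and DoT on a separate @853 interface, both served by one unbound process. The address 192.0.2.53 and the key/certificate paths are constructed placeholders.

```conf
server:
    # Plain DNS, UDP and TCP, on port 53. Unaffected by tls-service-key.
    interface: 192.0.2.53@53

    # DoT listener. 853 is the default tls-port, so this interface is
    # implicitly marked for TLS service. It answers TLS only: a plain
    # DNS TCP query sent to port 853 fails, while port 53 above keeps
    # serving normal DNS. Only interfaces whose @port matches tls-port
    # get the TLS service.
    interface: 192.0.2.53@853
    tls-port: 853

    # Both must be set together. The private key is read while root
    # permissions are held and before chroot, so enabling, disabling or
    # changing these requires a restart; a reload is not enough.
    tls-service-key: "/etc/unbound/tls/dot.key"            # placeholder path
    tls-service-pem: "/etc/unbound/tls/dot-fullchain.pem"  # placeholder path
```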