Enabling DoT service?

Hi,

yes, I'm late to the party...

I've been trying to figure out from reading unbound.conf(5) how
to enable my existing unbound server to provide DoT service to
the client population. Then I find this oddity:

   tls-service-key: <file>
          If enabled, the server provider TLS service on its TCP sockets.
          The clients have to use tls-upstream: yes. The file is the
          private key for the TLS session. The public certificate is in the
          tls-service-pem file. Default is "", turned off. Requires a
          restart (a reload is not enough) if changed, because the private
          key is read while root permissions are held and before chroot
          (if any). Normal DNS TCP service is not provided and gives
          errors, this service is best run with a different port: config
          or @port suffixes in the interface config.

This baffled me at first. You mean that after having this configured,
unbound would insist on DNS-over-TLS on port 53/TCP?!? How else am I
supposed to read this if that's not the case?

Then, on second thought, it strikes me that perhaps the deployment
model is supposed to be that you run a *separate* unbound server to
provide the DNS-over-TLS service, with interface: ...@853 for all the
addresses it's supposed to listen on, so that the already existing
unbound server isn't unduly burdened by a growing population of
TCP-based clients, and can be left running as is?

Best regards,

- Håvard

> I've been trying to figure out from reading unbound.conf(5) how
> to enable my existing unbound server to provide DoT service to
> the client population. Then I find this oddity:
>
>    tls-service-key: <file>
>           If enabled, the server provider TLS service on its TCP sockets.
>           The clients have to use tls-upstream: yes. The file is the
>           private key for the TLS session. The public certificate is in the
>           tls-service-pem file. Default is "", turned off. Requires a
>           restart (a reload is not enough) if changed, because the private
>           key is read while root permissions are held and before chroot
>           (if any). Normal DNS TCP service is not provided and gives
>           errors, this service is best run with a different port: config
>           or @port suffixes in the interface config.
>
> This baffled me at first. You mean that after having this configured,
> unbound would insist on DNS-over-TLS on port 53/TCP?!?

Since I wrote the above, I have received private comments from another
member of this list that this is in fact not the case, indicating that
the particular sentence "Normal DNS TCP service is not provided and
gives errors" is *NOT* true for port 53, and that there is therefore no
imperative to run a TLS-serving unbound as a separate process from the
one serving normal DNS on port 53 for UDP and TCP.

This, then, appears to be a documentation bug. Can someone "in the
know" please confirm? Why is that sentence there in the first place,
and what is it attempting to express? I am genuinely curious and
would prefer to have this documentation bug fixed.

Suggested rewording, based at least partly on guesswork on my part:

tls-service-key: <file>
  If enabled, the server provides TLS service on the TCP ports marked
  implicitly or explicitly for TLS service with tls-port. The file
  must contain the private key for the TLS session; the public
  certificate is in the tls-service-pem file, which must also be
  specified if tls-service-key is specified. The default is "",
  turned off. Enabling or disabling this service requires a restart
  (a reload is not enough), because the key is read while root
  permissions are held and before chroot (if any). The ports enabled
  implicitly or explicitly via tls-port: do not provide normal DNS TCP
  service.

Regards,

- Håvard

Hi Havard,

Thanks for the better documentation. I added the previous line to tell
people to use the '@port' syntax to provide the TLS service. The new
wording you suggest is now in the documentation.

Best regards, Wouter
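To illustrate the conclusion of the thread (one unbound instance serving plain DNS on port 53 and DoT on the tls-port, with no second process), here is a constructed unbound.conf fragment; it is an added example, not the project's own configuration, and the listen addresses, client prefix and key/certificate paths are assumptions.

```yaml
# Constructed unbound.conf fragment (added example, not from the thread
# or the Unbound project). Addresses use documentation ranges and the
# file paths are assumed.
server:
    # Plain DNS on 53/UDP and 53/TCP: an interface without an @port
    # suffix listens on the default port, and keeps working unchanged
    # once TLS service is enabled below.
    interface: 192.0.2.53
    interface: 2001:db8::53

    # DoT listeners: only interfaces whose @port suffix matches tls-port
    # get the TLS service; they do not answer plain DNS over TCP.
    interface: 192.0.2.53@853
    interface: 2001:db8::53@853
    tls-port: 853

    # Private key and certificate (chain) for the TLS service. The key
    # is read while root permissions are held and before chroot, so this
    # is the real filesystem path; changing it needs a restart, not a
    # reload. Keep the key file readable by root only.
    tls-service-key: "/etc/unbound/tls/resolver.key"
    tls-service-pem: "/etc/unbound/tls/resolver.pem"

    # Limit service to the intended client population; other sources are
    # refused rather than answered. (Constructed client prefixes.)
    access-control: 192.0.2.0/24 allow
    access-control: 2001:db8::/32 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # DoT clients are TCP clients: raise the per-thread count of incoming
    # TCP buffers above the default of 10 as that population grows.
    incoming-num-tcp: 100
```

Validate the result with unbound-checkconf before restarting, then query port 853 from a DoT-capable client (for example kdig +tls from knot-dnsutils) to confirm the TLS listener answers while port 53 still serves plain DNS.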