[CALL FOR TESTING] Unbound DNS over TLS without explicit CA bundle

Started by franco, November 28, 2023, 08:13:36 AM

Hi everyone,

Since we started using certctl for CA trust (also because FreeBSD ports curl moved to it) there is a small patch to Unbound DoT that needs widespread testing:

https://github.com/opnsense/core/commit/455e9d6e86d

# opnsense-patch 455e9d6e86d && pluginctl -s unbound restart

Functionally the two variants should be the same, but the reality is that the Unbound manual is very "mystic" about this particular option, and all the tutorials on the Internet seem to prefer using the bundle file. All help testing this is welcome here.


Thanks,
Franco
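For readers who want to see what "the two variants" look like side by side, here is an added illustration of the two ways an Unbound forwarder can be told where its CA roots for DNS over TLS come from. It is not the patch from the linked commit and not a configuration quoted in this thread; the directive names are the ones documented in unbound.conf(5), the upstream resolvers are picked for illustration, and the statement that the system store on FreeBSD is the OpenSSL default verify path populated by certctl(8) is an assumption made here.

```conf
# Added example, not from the linked commit or from this thread.
# Directive names follow unbound.conf(5); the FreeBSD path details
# (OPENSSLDIR=/etc/ssl, /etc/ssl/certs/ filled by certctl) are assumed.
server:
    # Variant A: hand Unbound one concatenated PEM bundle of CA roots.
    tls-cert-bundle: "/etc/ssl/cert.pem"

    # Variant B: let the TLS library load the system trust store
    # (OpenSSL's default verify paths, i.e. the hashed /etc/ssl/certs/
    # directory that certctl maintains). Configure one variant or the
    # other; this example keeps B commented out.
    # tls-system-cert: yes

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # "@853" selects the DoT port; the name after "#" is what Unbound
    # checks the server certificate against. Without an auth name the
    # session is encrypted but the upstream is not authenticated, so
    # the CA source chosen above only matters when a name is present.
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
```

Whichever variant is active, a quick sanity check is the same: after `pluginctl -s unbound restart`, resolve a name through 127.0.0.1 and confirm in `pftop` or `sockstat` that the outbound connections go to port 853 of the configured upstreams; a trust-store problem shows up as SERVFAIL plus a certificate verification error in the Unbound log rather than as a silent fallback to port 53.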

Seems ready for 23.7.10? The attached kernel crash says you didn't break it.

Still not believing my eyes, I stopped AGH, sent all traffic through 127.0.0.1:53 and the 3 configured DoT servers lit up like a seasonal_tree:853 in pftop.

23.7.8_20/3.0.12
It seems to be working fine here, are there any specific things to test that you're particularly interested in?
In theory there is no difference between theory and practice. In practice there is.

I guess it might be a bit too early to say this, so I say it anyway and am ready to bite the dust later...

With this patch applied, Unbound works and behaves as expected. No more, for the moment I guess I need to add, maxed-out Unbound process that loads one core to 100%. It just behaves as expected. I have been waiting for this for some time now, so well, I guess I need to start that egg timer...

Yes, using /etc/ssl/cert.pem vs. /etc/ssl/certs/ is exactly the same outcome. The only question was whether to trust the documentation but that has been cleared up indeed. Thanks!

Still running as expected, no problem, and no 100% CPU Core process runaway stuff. This just works!

Well the egg timer just stopped so now I know that the problem with 100% CPU in one core is not related to this fix.