OPNsense Forum » Archive » 23.7 Legacy Series » [CALL FOR TESTING] Unbound DNS over TLS without explicit CA bundle
Topic: [CALL FOR TESTING] Unbound DNS over TLS without explicit CA bundle (Read 2833 times)
franco (Administrator, Hero Member; Posts: 17656; Karma: 1610)
[CALL FOR TESTING] Unbound DNS over TLS without explicit CA bundle « on: November 28, 2023, 08:13:36 am »
Hi everyone,
Since we started using certctl for CA trust (also because FreeBSD ports curl moved to it), there is a small patch to Unbound DoT that needs widespread testing:
https://github.com/opnsense/core/commit/455e9d6e86d
# opnsense-patch 455e9d6e86d && pluginctl -s unbound restart
Functionally, the two variants should be the same, but the reality is that the Unbound manual is very "mystic" about this particular option, and all the tutorials on the Internet seem to prefer using the bundle file. All help testing this is welcome here.
Thanks,
Franco
newsense (Hero Member; Posts: 1035; Karma: 77)
Re: [CALL FOR TESTING] Unbound DNS over TLS without explicit CA bundle « Reply #1 on: November 28, 2023, 09:47:42 am »
Seems ready for 23.7.10? The attached kernel crash says you didn't break it.
Still not believing my eyes, I stopped AGH, sent all traffic through 127.0.0.1:53 and the 3 configured DoT servers lit up like a seasonal_tree:853 in pftop.
23.7.8_20/3.0.12
dinguz (Sr. Member; Posts: 275; Karma: 13)
Re: [CALL FOR TESTING] Unbound DNS over TLS without explicit CA bundle « Reply #2 on: November 28, 2023, 08:18:56 pm »
It seems to be working fine here; are there any specific things to test that you're particularly interested in?
In theory there is no difference between theory and practice. In practice there is.
lar.hed (Sr. Member; Posts: 323; Karma: 10)
Re: [CALL FOR TESTING] Unbound DNS over TLS without explicit CA bundle « Reply #3 on: November 29, 2023, 12:25:59 pm »
I guess it might be a bit too early to say this, so I'll say it anyway and am ready to bite the dust later...
With this patch applied, Unbound works and behaves as expected. No more, for the moment I guess I need to add, max-running Unbound process that loads one core to 100%. It just behaves as expected. I have been waiting for this for some time now, so well, I guess I need to start that egg timer...
franco (Administrator, Hero Member; Posts: 17656; Karma: 1610)
Re: [CALL FOR TESTING] Unbound DNS over TLS without explicit CA bundle « Reply #4 on: November 29, 2023, 02:51:24 pm »
Yes, using /etc/ssl/cert.pem vs. /etc/ssl/certs/ is exactly the same outcome. The only question was whether to trust the documentation but that has been cleared up indeed. Thanks!
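As an added example (not code from this thread, the linked commit or OPNsense), the script below exercises the check behind the first post and Reply #4: a CA bundle file (the /etc/ssl/cert.pem style) and a directory of subject-hash symlinks (the /etc/ssl/certs/ layout certctl maintains) are two lookups into the same OpenSSL trust machinery that Unbound is assumed to use, so they validate the same chain. It builds a constructed throw-away CA, so it needs no network and touches nothing on the system.

```shell
#!/bin/sh
# Added example, not code from the thread or from OPNsense: builds a constructed
# throw-away CA and shows that a bundle FILE (like /etc/ssl/cert.pem) and a
# hashed DIRECTORY (like /etc/ssl/certs/ kept by certctl) validate the same chain.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: one CA and one leaf; EC keys so generation is fast.
make_test_pki() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 1 \
    -subj "/CN=Constructed Test CA" >/dev/null 2>&1
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj "/CN=dot.example.invalid" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Variant A: one bundle file. Variant B: a directory of <subject-hash>.0
# symlinks, the layout OpenSSL's -CApath (and certctl rehash) expects.
make_trust_sources() {
  cp "$WORK/ca.pem" "$WORK/bundle.pem"
  mkdir -p "$WORK/certs" "$WORK/empty"
  subj_hash=$(openssl x509 -hash -noout -in "$WORK/ca.pem")
  ln -sf ../ca.pem "$WORK/certs/$subj_hash.0"
}

# Each returns 0 when the leaf chains to a trusted CA in that source.
verify_with_bundle() { openssl verify -CAfile "$WORK/bundle.pem" "$WORK/leaf.pem" >/dev/null 2>&1; }
verify_with_dir()    { openssl verify -CApath "$WORK/certs" "$WORK/leaf.pem" >/dev/null 2>&1; }
# Negative control: a directory without the CA must not validate the leaf.
verify_with_empty()  { openssl verify -CApath "$WORK/empty" "$WORK/leaf.pem" >/dev/null 2>&1; }

make_test_pki
make_trust_sources
if verify_with_bundle && verify_with_dir && ! verify_with_empty; then
  echo "bundle file and hashed directory give the same verification result"
else
  echo "trust sources disagree" >&2
  exit 1
fi
```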
lar.hed (Sr. Member; Posts: 323; Karma: 10)
Re: [CALL FOR TESTING] Unbound DNS over TLS without explicit CA bundle « Reply #5 on: November 30, 2023, 09:58:18 am »
Still running as expected, no problem, and no 100% CPU core process runaway stuff. This just works!
Maurice (Hero Member; Posts: 1213; Karma: 158)
Re: [CALL FOR TESTING] Unbound DNS over TLS without explicit CA bundle « Reply #6 on: November 30, 2023, 10:54:17 pm »
Works for me.™
Cheers
Maurice
doktornotor (Hero Member; Posts: 709; Karma: 70)
Re: [CALL FOR TESTING] Unbound DNS over TLS without explicit CA bundle « Reply #7 on: December 02, 2023, 12:10:38 pm »
Works here as well.
phantomsfbw (Jr. Member; Posts: 66; Karma: 3)
Re: [CALL FOR TESTING] Unbound DNS over TLS without explicit CA bundle « Reply #8 on: December 02, 2023, 02:36:16 pm »
Working here
Tschabadu (Newbie; Posts: 10; Karma: 0)
Re: [CALL FOR TESTING] Unbound DNS over TLS without explicit CA bundle « Reply #9 on: December 03, 2023, 06:56:48 am »
Patch applied and working. Many thanks.
lar.hed (Sr. Member; Posts: 323; Karma: 10)
Re: [CALL FOR TESTING] Unbound DNS over TLS without explicit CA bundle « Reply #10 on: December 03, 2023, 08:12:09 pm »
Well, the egg timer just stopped, so now I know that the problem with 100% CPU in one core is not related to this fix.
franco (Administrator, Hero Member; Posts: 17656; Karma: 1610)
Re: [CALL FOR TESTING] Unbound DNS over TLS without explicit CA bundle « Reply #11 on: December 13, 2023, 02:07:37 pm »
Thanks for the help. Shipped this in 23.7.10.
Cheers,
Franco