Hi Andreas,
For error reporting, the server has to include the Report-Channel EDNS
option, with the reporting agent that the error reports are sent to. The
server collects the information. NSD does not have the option to do that.
I fixed the issue, so that the server prints 'doh' and 'dot' for
connections. It printed dot instead of doh, and did not print dot for
dot connections. Thank you for testing and finding the issue!
Best regards, Wouter
On 4/9/25 22:58, A. Schulze via Unbound-users wrote:
On 09.04.25 at 21:25, A. Schulze via Unbound-users wrote:
Unbound 1.23.0rc1 pre-release is available:
maybe not new...
I've configured:
<usual setup>
interface: ::@443
https-port: 443
http-endpoint: "/doh-test"
tls-service-pem: "/path/to/cert+intermediate.pem"
tls-service-key: "/path/to/key.pem"
Then I do a query:
# kdig @unbound.example. hostname.bind. txt ch +https=/doh-test +short
"unbound.example"
But the log says "dot"!
Apr 09 22:48:01 unbound[1:0] reply: 2001:db8::2 hostname.bind. TXT CH NOERROR 0.000000 1 75 on dot :: 443
I would expect "doh/http/https" but not "dot"
Oh, btw:
Compiled with openssl-3.5.0, both (dot and doh) support the new pq key
exchange out of the box.
# /usr/local/bin/openssl version
OpenSSL 3.5.0 8 Apr 2025 (Library: OpenSSL 3.5.0 8 Apr 2025)
# /usr/local/bin/openssl3 s_client -connect unbound.example:443 < /dev/null 2>&1 | grep group
Negotiated TLS1.3 group: X25519MLKEM768
# openssl3 s_client -connect unbound.dev.somaf.de:853 < /dev/null 2>&1 | grep group
Negotiated TLS1.3 group: X25519MLKEM768
nice :-)
Andreas
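A check for the mislabelling discussed in this thread, added here as an example that is not part of the thread or of Unbound itself: it parses "reply:" log lines of the shape Andreas quoted and flags any whose transport label does not fit the local port the answer was served on. The field layout of the log line and the port-to-transport mapping (443 for https-port, the default tls-port 853, plain DNS on 53) are assumptions taken from the quoted line and configuration.

```python
import re

# Field layout assumed from the "reply:" line quoted in the thread (an assumption,
# not taken from Unbound's source): client, qname, qtype, qclass, rcode, elapsed,
# from-cache flag, reply size, then "on <transport> <local-ip> <local-port>".
REPLY_RE = re.compile(
    r"reply: (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+) "
    r"(?P<rcode>\S+) (?P<elapsed>[\d.]+) (?P<cached>\d) (?P<size>\d+) "
    r"on (?P<transport>\S+) (?P<local_ip>\S+) (?P<local_port>\d+)\s*$"
)

# Hypothetical mapping from listening port to the transport label(s) the log
# should carry: https-port 443 from the thread's config, default tls-port 853,
# and plain DNS on 53 (udp or tcp are both valid there).
EXPECTED_TRANSPORT = {443: {"doh"}, 853: {"dot"}, 53: {"udp", "tcp"}}


def parse_reply(line):
    """Return the parsed fields of an Unbound reply log line, or None."""
    m = REPLY_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["local_port"] = int(fields["local_port"])
    return fields


def find_mismatches(lines, expected=EXPECTED_TRANSPORT):
    """Return (line_number, transport, port, allowed_labels) for each reply whose
    transport label is not one of the labels expected for its local port."""
    mismatches = []
    for n, line in enumerate(lines, start=1):
        r = parse_reply(line)
        if r is None or r["local_port"] not in expected:
            continue  # not a reply line, or a port we have no expectation for
        allowed = expected[r["local_port"]]
        if r["transport"] not in allowed:
            mismatches.append((n, r["transport"], r["local_port"], sorted(allowed)))
    return mismatches


# Constructed sample: the line Andreas quoted (unwrapped) plus two consistent ones.
SAMPLE_LOG = [
    "Apr 09 22:48:01 unbound[1:0] reply: 2001:db8::2 hostname.bind. TXT CH NOERROR 0.000000 1 75 on dot :: 443",
    "Apr 09 22:48:05 unbound[1:0] reply: 2001:db8::2 hostname.bind. TXT CH NOERROR 0.000000 1 75 on dot :: 853",
    "Apr 09 22:48:09 unbound[1:0] reply: 2001:db8::2 example.net. A IN NOERROR 0.012345 0 60 on udp :: 53",
]

if __name__ == "__main__":
    for n, transport, port, allowed in find_mismatches(SAMPLE_LOG):
        print(f"line {n}: logged '{transport}' on port {port}, expected one of {allowed}")
```

Only the first sample line is reported, which is exactly the DoH-answered-but-logged-as-dot case from the thread.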