> I've been trying to figure out from reading unbound.conf(5) how
> to enable my existing unbound server to provide DoT service to
> the client population. Then I find this oddity:
>
> tls-service-key: <file>
> If enabled, the server provider TLS service on its TCP sockets.
> The clients have to use tls-upstream: yes. The file is the
> private key for the TLS session. The public certificate is in the
> tls-service-pem file. Default is "", turned off. Requires a
> restart (a reload is not enough) if changed, because the private
> key is read while root permissions are held and before chroot
> (if any). Normal DNS TCP service is not provided and gives
> errors, this service is best run with a different port: config
> or @port suffixes in the interface config.
>
> This baffled me at first. You mean that after having this configured,
> unbound would insist on DNS-over-TLS on port 53/TCP?!?
I have, since I wrote the above, received private comments from another member on this list that this is in fact not the case, indicating that the particular sentence "Normal DNS TCP service is not provided and gives errors" is *NOT* true for port 53, and that there is therefore no imperative to run a TLS-serving unbound as a separate process from the one serving normal DNS on port 53 for UDP and TCP.

This, then, appears to be a documentation bug. Can someone "in the know" please confirm? Why is that sentence there in the first place, and what is it attempting to express? I am genuinely curious and would prefer to have this documentation bug fixed.

Suggested rewording, based at least partly on guesswork on my part:

    tls-service-key: <file>
    If enabled, the server provides TLS service on the TCP ports
    marked implicitly or explicitly for TLS service with tls-port.
    The file must contain the private key for the TLS session; the
    public certificate is in the tls-service-pem file, and it must
    also be specified if tls-service-key is specified. The default
    is "", turned off. Enabling or disabling this service requires a
    restart (a reload is not enough), because the key is read while
    root permissions are held and before chroot (if any). The ports
    enabled implicitly or explicitly via tls-port: do not provide
    normal DNS TCP service.

Regards,

- Håvard
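
An added configuration example, not part of the message above or of unbound's own documentation, showing the layout the suggested rewording implies: a single unbound process answering plain DNS (UDP and TCP) on port 53 and DNS over TLS only on the port named by tls-port. The address 192.0.2.10, the 192.0.2.0/24 client range and the file paths are placeholders for illustration.

```conf
server:
    # Plain DNS over UDP and TCP on the default "port:" (53).
    interface: 192.0.2.10

    # The same address with an @port suffix equal to tls-port. This
    # socket is a TLS socket: it serves DoT only and refuses plain DNS,
    # while the socket above keeps answering plain DNS on 53.
    interface: 192.0.2.10@853
    tls-port: 853

    # Private key and certificate for the DoT listener; both must be
    # given together. The key is read while root privileges are held
    # and before chroot, so changing it needs a restart, not a reload.
    tls-service-key: "/etc/unbound/dot.key"
    tls-service-pem: "/etc/unbound/dot.pem"

    # Let the client population use both listeners.
    access-control: 192.0.2.0/24 allow
```

Validate with unbound-checkconf and restart (not reload) unbound. Because the key is opened with root privileges, keep it readable by root only; the running daemon does not need to read it again after startup. To confirm both services from a client host, query plain DNS with `dig @192.0.2.10 example.com` and TLS with `kdig @192.0.2.10 +tls example.com` (or inspect the handshake with `openssl s_client -connect 192.0.2.10:853`); a plain `dig +tcp -p 853` against the TLS socket is expected to fail, which is the behaviour the "does not provide normal DNS TCP service" sentence describes for tls-port sockets only.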
