Maintained by: NLnet Labs

ssl upstream config?

W.C.A. Wijngaards
Mon Jan 25 11:05:08 CET 2016



Hi RunxiaWan,

The 'Resolver' that you configured does not send traffic to the
Forwarder, and this machine does not provide service on port 853 with
SSL to clients.  I am not sure if it should send traffic elsewhere in
your design, but it is acting as a full resolver to the authority
servers.

The 'Forwarder' that you configured, is sending traffic to another
address, and it sends it over port 853 with SSL upstream.  It also
does not provide service on port 853 with SSL to clients.

Since neither of them is providing service on port 853 (with an
interface: line that has @853 on it) and ssl-port set to 853, perhaps
your design does not have a server that provides SSL service to
clients.  Such a server should also configure ssl-service-key and
ssl-service-pem files with the certificate for the SSL service.

Best regards, Wouter

On 25/01/16 10:28, RunxiaWan via Unbound-users wrote:
> Hi all,
> 
> I am trying to use Unbound's SSL upstream. Because I am new to
> Unbound, I suspect I might have configured them wrong. Both sides use
> unbound 1.5.7.
> 
> The configuration of Resolver:
> 
> server:
>     directory: "/etc/unbound"
>     username: root
>     # make sure unbound can access entropy from inside the chroot.
>     # e.g. on linux use these commands (on BSD, devfs(8) is used):
>     #      mount --bind -n /dev/random /etc/unbound/dev/random
>     # and  mount --bind -n /dev/log /etc/unbound/dev/log
>     chroot: "/etc/unbound"
>     # logfile: "/etc/unbound/unbound.log"  #uncomment to use logfile.
>     pidfile: "/etc/unbound/unbound.pid"
>     # verbosity: 1      # uncomment and increase to get more logging.
>     # listen on all interfaces, answer queries from the local subnet.
>     interface: 0.0.0.0
>     interface: ::0
>     access-control: 10.0.0.0/8 allow
> 
> The configuration of Forwarder:
> 
> # unbound.conf(5) config file for unbound(8).
> server:
>     directory: "/etc/unbound"
>     username: root
>     # make sure unbound can access entropy from inside the chroot.
>     # e.g. on linux use these commands (on BSD, devfs(8) is used):
>     #      mount --bind -n /dev/random /etc/unbound/dev/random
>     # and  mount --bind -n /dev/log /etc/unbound/dev/log
>     chroot: "/etc/unbound"
>     # logfile: "/etc/unbound/unbound.log"  #uncomment to use logfile.
>     pidfile: "/etc/unbound/unbound.pid"
>     # verbosity: 1      # uncomment and increase to get more logging.
>     # listen on all interfaces, answer queries from the local subnet.
>     interface: 0.0.0.0
>     interface: ::0
>     access-control: 10.0.0.0/8 allow
>     tcp-upstream: yes
>     ssl-upstream: yes
>     ssl-port: 853
> 
> forward-zone:
>     name: "."
>     forward-addr: 10.4.1.2@853
> 
> server:
>     ssl-upstream: yes
>     tcp-upstream: yes
>     do-daemonize: no
>     logfile: ""
>     verbosity: 10
> 
> Any help is welcome. Thanks.
> 

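For reference, the configuration pair that Wouter's reply describes, written out as an added example (it is not part of the original thread and not NLnet Labs' own text). It assumes the Resolver is the machine at 10.4.1.2 from the Forwarder's forward-addr, and that its TLS key and certificate have been placed at the hypothetical paths /etc/unbound/tls/resolver.key and /etc/unbound/tls/resolver.pem inside the chroot; the ssl-service-key, ssl-service-pem, ssl-port, ssl-upstream and interface@port options are documented unbound.conf(5) settings for the 1.5.x series.

```conf
# --- Resolver (10.4.1.2): full recursive resolver that ALSO serves
#     DNS-over-TLS to clients.  Added example configuration, not the
#     poster's original file.
server:
    directory: "/etc/unbound"
    chroot: "/etc/unbound"
    pidfile: "/etc/unbound/unbound.pid"

    # Plain DNS on 53 (implicit port) plus TLS on 853.  The @853 suffix
    # is what makes the listener a TLS listener, together with ssl-port.
    interface: 0.0.0.0
    interface: ::0
    interface: 0.0.0.0@853
    interface: ::0@853
    ssl-port: 853

    # Key and certificate for the TLS service.  Paths are assumptions;
    # they are resolved inside the chroot.
    ssl-service-key: "/etc/unbound/tls/resolver.key"
    ssl-service-pem: "/etc/unbound/tls/resolver.pem"

    access-control: 10.0.0.0/8 allow

# --- Forwarder: answers local clients on plain 53 and sends everything
#     upstream to the Resolver over TLS on 853.
server:
    directory: "/etc/unbound"
    chroot: "/etc/unbound"
    pidfile: "/etc/unbound/unbound.pid"
    interface: 0.0.0.0
    interface: ::0
    access-control: 10.0.0.0/8 allow

    # Upstream side only: TLS needs TCP, and ssl-port must match the
    # port the Resolver listens on.  This does not open 853 locally;
    # for that this host would also need interface ...@853 and a
    # ssl-service-key/ssl-service-pem pair of its own.
    tcp-upstream: yes
    ssl-upstream: yes
    ssl-port: 853

forward-zone:
    name: "."
    forward-addr: 10.4.1.2@853
```

A check that does not need a client: on the Resolver, run unbound-checkconf, then look for a listener on 853 (for example with `ss -ltnp` or `netstat -ltn`) and confirm that `openssl s_client -connect 10.4.1.2:853` completes a handshake and shows the certificate from ssl-service-pem. One caveat for the Forwarder side: in 1.5.7 ssl-upstream encrypts the upstream path but, as far as I know, offers no option to verify or pin the upstream's certificate (that arrived in later releases), so an on-path attacker who can redirect 10.4.1.2:853 could still present their own certificate; treat this as transport privacy rather than authenticated transport until the release in use supports certificate validation.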