ssl_set1_host() is not available without openssl-1.1.0. Unbound can not do
host cert verification. DNS over TLS connects, but hosts are unverified. A
patch for log err is added with a noitce in README.md.
(see: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658)
Also, squash some minor robustness and TLS usability fixes.
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
With growing interest, DNS over TLS can be setup in Unbounds foward-zone:
clause. A broader UCI solution is added to support forward-, stub-, and
auth- zone clauses in a new 'zone' section. This implentation required
reworking scripts, because they did not scale. 'forward_domain' and
'prefetch_root' options are removed, and superceded by 'zone' section.
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
When UCI local zone is private and static, Unbound covered private
addresses with defaults. Optional delegated global IP6 prefix
protection lacked a static zone, but it was prevented from appearing
in global DNS responses. Domain names router-as-TLD, "lan." and
"local." were static, but they lacked default SOA or NS such as
Unbound had assinged to private addresses. Clean up these local
zones UCI evaluation and block global DNS inclusion.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
-dnsmasq really provides nice local DHCP-DNS records
-Unbound host records would be clumsy to update
-Unbound can be configured to forward to dnsmasq
-iptools provided to facilitate PTR records
-flexible ipv6 colon notation is a bit complex
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
Eric Luehrsen
Eric Luehrsen