TLS errors in unbound

Hello, I am hoping someone more well-versed in SSL stuff can help me out real quick. I have valid ed25519 certificates I made a while back that I am trying to use with apache and unbound servers on Rocky 9. I made them with lego. I have spent a lot of time troubleshooting and finally came to the conclusion that the version of unbound in the repo may not support ed25519, though support was added to the later versions at some point.

So, do I have to just make a brand new certificate with certbot or something or can I get an RSA public key somehow? I am guessing there is no way to convert given that they are completely different systems of encryption.

Hi,

According to this, support was in Unbound as of at least version 1.7.1: NLnet Labs - News - Unbound 1.7.1 released

Since Rocky 9 has Unbound 1.13.1 it should work fine. Apache also should be OK.

Hmm, I am getting SSL handshake errors related to the cert though so I am stumped. Resolver works fine internally, but I can’t even get plain DNS service remotely. Still doesn’t work with SELinux Permissive and the services are in the public zone of firewalld. I did install Rocky with CIS Level 1 hardening but I did not find anything in the draft that I think would affect that, other than a policy that prevented unauthorized binding on 443 and 80, but I am not trying to use DoH and it was pretty straightforward to override that anyway.

Hi, not sure what your config looks like, I just did a test like this:

server:
	tls-upstream: yes
	tls-cert-bundle: /etc/ssl/cert.pem
	access-control: 127.0.0.0/8 allow
	access-control: ::1/128 allow

forward-zone:
	name: "."
	forward-addr: 1.1.1.1@853
	forward-addr: 1.0.0.1@853
	forward-tls-upstream: yes

It did not work until I added forward-tls-upstream and also the TLS port 853 (here Cloudflare as an example), but it works fine now. I left mine running on port 53 for DNS. Without forward-tls-upstream, the DNS wouldn't resolve anything.

The only thing is that I'm not using an ED25519 cert, but I can play around and generate one if need be. Maybe try the default certs in the directory like above and if that works, then retry the ED25519 again.

This link also explains about handshake problems because of the tls-bundle problem: Actually secure DNS over TLS in Unbound | Ctrl blog

I suppose it might just be my own ignorance that is the issue then, because I was trying to do TLS downstream and resolve with the root servers directly upstream on plain DNS. This is my first time trying unbound on my server, but when I have run it on my LAN I never needed any upstream forwarding. It was my understanding that tls-cert-bundle is for upstream authentication and the .pem and .key files are for serving clients through a domain, but I could be wrong. I think I will just generate an RSA key and see how that goes; if no luck then maybe I will try adding a BIND server locally to forward to. I will post my unbound.conf when I get a chance once I dig it out of all the comments.

Hi, this article will help with downstream: Configuring Unbound for Downstream DoT | www.bentasker.co.uk

    interface: 0.0.0.0@853
    interface: ::0@853
    tls-port: 853

    tls-service-key: [path to your SSL Key]
    tls-service-pem: [path to your SSL cert]
 
    access-control: 0.0.0.0/0 allow

for example. Perhaps that is what you’ll need to do it with the ED25519 cert.

OK, so I did this just now, here is my amended config:

server:
	# Listen on standard port 53
	# Use TLS on forward zone
	interface: 0.0.0.0
	tls-upstream: yes
	tls-cert-bundle: /etc/ssl/cert.pem

	# Listen on TLS port 853
	interface: 0.0.0.0@853
	tls-port: 853
	tls-service-key: /etc/pki/tls/private/localhost.key
	tls-service-pem: /etc/pki/tls/certs/localhost.crt

	# Allow queries from everywhere
	access-control: 0.0.0.0/0 allow

forward-zone:
	name: "."
	forward-addr: 1.1.1.1@853
	forward-addr: 1.0.0.1@853
	forward-tls-upstream: yes

so now on my machine I can do:

[ian@elise ~]$ dig +short @rocky9 -p 853 google.com
142.250.186.206

shows that TLS downstream now working. Obviously substitute my self-signed localhost.crt/localhost.key with the cert you want to use for downstream. The upstream requires the TLS bundle, which you can find under /etc/ssl/cert.pem or /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

On Linux computers you can use systemd-resolved and configure this to use DNS Over TLS.

@iwalker It ended up working with new RSA certificates. So either the repo version of unbound does not support ECC certs, or maybe that certificate was only for a wildcard domain.

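The thread ends without establishing whether the original ed25519 certificate was actually the problem. Two checks settle that kind of question quickly: read the public-key algorithm out of the certificate file you are pointing tls-service-pem at, and then fetch the certificate the running DoT listener really presents and check it the same way. The script below is an added example, not code from the thread or from the Unbound project; it assumes the openssl CLI is installed, and the hostname and port passed to dot_server_key_algorithm are placeholders for your own resolver. The self-signed certificates it generates are constructed test data for the demo only.

```shell
#!/bin/sh
# Added example: inspect which public-key algorithm a certificate carries,
# and which one a live DNS-over-TLS listener actually presents.
# Assumes the openssl CLI is available; hosts and paths are placeholders.
set -eu

# Print the public-key algorithm of a PEM certificate file.
# Typical values: "ED25519", "rsaEncryption", "id-ecPublicKey".
cert_key_algorithm() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Public Key Algorithm: *//p' \
        | head -n 1
}

# Complete a real TLS handshake with a DoT listener (default port 853),
# capture the leaf certificate it serves and report its key algorithm.
# This exercises TLS itself, unlike a plain "dig -p 853" without +tls.
# Usage: dot_server_key_algorithm rocky9 853
dot_server_key_algorithm() {
    host=$1
    port=${2:-853}
    leaf="${TMPDIR:-/tmp}/dot-leaf.$$.pem"
    openssl s_client -connect "$host:$port" -servername "$host" \
        </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$leaf"
    cert_key_algorithm "$leaf"
    rm -f "$leaf"
}

# Generate a throwaway self-signed certificate with the given key type
# (ed25519 or rsa) into DIR as DIR/<alg>.crt and DIR/<alg>.key.
# Constructed test data only; never serve these in production.
make_selfsigned() {
    alg=$1
    dir=$2
    case "$alg" in
        ed25519) newkey=ed25519 ;;
        rsa)     newkey=rsa:2048 ;;
        *) echo "unsupported key type: $alg" >&2; return 1 ;;
    esac
    openssl req -x509 -newkey "$newkey" -nodes \
        -keyout "$dir/$alg.key" -out "$dir/$alg.crt" \
        -subj "/CN=dot.example.test" -days 1 2>/dev/null
}

# Stand-alone demo: build one certificate of each type and classify both.
demo_dir=$(mktemp -d)
make_selfsigned ed25519 "$demo_dir"
make_selfsigned rsa "$demo_dir"
echo "ed25519.crt: $(cert_key_algorithm "$demo_dir/ed25519.crt")"   # ED25519
echo "rsa.crt:     $(cert_key_algorithm "$demo_dir/rsa.crt")"       # rsaEncryption
rm -rf "$demo_dir"
```

Run cert_key_algorithm against the file named in tls-service-pem first; if it reports something other than what you expect, the wrong file is configured. Then run dot_server_key_algorithm against the resolver: a dig to port 853 without +tls (supported only in dig from BIND 9.18 onward, or kdig +tls) never negotiates TLS, so it says nothing about the TLS listener, whereas this function fails loudly when the handshake does not complete. Before restarting the service, unbound-checkconf on the edited unbound.conf will catch a tls-service-key or tls-service-pem path that the daemon cannot read, which also surfaces as a handshake failure from the client side.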