[dnsdist] dnscrypt

Remi Gacogne remi.gacogne at powerdns.com
Sun Apr 16 18:42:32 UTC 2017


On 04/16/2017 07:03 PM, Maciej Soltysiak wrote:
> dnsdist doesn't serve the dnscrypt cert for me.
> I set it up first with:
> generateDNSCryptProviderKey("/opt/dnscrypt/etc/providerPublic.key",
> "/opt/dnscrypt/etc/providerPrivate.key")
> generateDNSCryptCertificate("/opt/dnscrypt/etc/providerPrivate.key",
> "/opt/dnscrypt/etc/resolver.cert", "/run/dnscryptPrivate.key", 1,
> 1492355593, 1492398793)
> Then I added the bind with:
> addDNSCryptBind(" <>",
> "2.dnscrypt-cert.poz.dnscrypt.pl",
> "/opt/dnscrypt/etc/resolver.cert", "/run/dnscryptPrivate.key")
> I made sure the permissions are such that the _dnsdist user can read the files.
> When I connect using dnscrypt-proxy with 2.dnscrypt-cert.poz.dnscrypt.pl
> as provider name, it sends the packet to fetch the cert but dnsdist
> doesn't reply.
> I'd normally think this means provider name mismatch, but it's the same.

Even if the provider name did not match, I believe dnsdist should send a
certificate response. Could you look at the output of the "dumpStats()"
command to see if any counter increases? Oh, did you configure the ACL
properly, because by default queries from non-rfc1918 addresses are dropped?


Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
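
The ACL point raised in the reply, as an added dnsdist configuration example that is not part of the original thread. The listen address 192.0.2.1:8443 and the client network 203.0.113.0/24 are constructed placeholders (documentation ranges); the provider name and file paths are the ones quoted in the message above.

```lua
-- dnsdist.conf fragment (constructed example, not from the original thread).
--
-- Per the dnsdist documentation, the default ACL admits only:
--   127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16,
--   192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10
-- A query from any other source is dropped before it is processed, which
-- for DNSCrypt includes the certificate query sent by dnscrypt-proxy.

-- Before: no ACL statement, so the default list above applies and a client
-- on a public address gets no reply at all.

-- After, option A: admit only the networks that should use this resolver.
addACL("203.0.113.0/24")        -- placeholder client network

-- After, option B: replace the ACL entirely for a public resolver.
-- This makes the service reachable from anywhere, so pair it with
-- rate limiting before deploying.
-- setACL({"0.0.0.0/0", "::/0"})

-- DNSCrypt listener; address is a placeholder, the rest is from the thread.
addDNSCryptBind("192.0.2.1:8443",
                "2.dnscrypt-cert.poz.dnscrypt.pl",
                "/opt/dnscrypt/etc/resolver.cert",
                "/run/dnscryptPrivate.key")

-- Checks to run from the dnsdist console after a test query:
--   showACL()    -- prints the ACL actually in effect
--   dumpStats()  -- an increasing "acl-drops" counter means the ACL
--                -- rejected the query
```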
