[dnsdist] A SNI with a raw IPv6 address closes the DoT connection

Remi Gacogne remi.gacogne at powerdns.com
Mon Mar 30 10:15:41 UTC 2020

Hello Stephane,

On 3/27/20 12:20 PM, Stephane Bortzmeyer via dnsdist wrote:
> I observe that sending a SNI which is a host name or an IPv4 address
> works fine but when the SNI is a raw IPv6 address, the TLS connection
> is immediately closed by the server.
> Is it my fault or the one of dnsdist?

What tool are you using to test? I can't reproduce that behaviour with
openssl s_client, but I'm not sure I'm sending a "raw IPv6 address" in
the same way you are:

openssl s_client -connect -servername 2001:db8::1

With this command the DoT connection is accepted by dnsdist (with the
OpenSSL DoT provider) and `dq:getServerNameIndication()` returns

Best regards,
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20200330/958069c7/attachment.sig>

More information about the dnsdist mailing list