[dnsdist] A SNI with a raw IPv6 address closes the DoT connection
remi.gacogne at powerdns.com
Mon Mar 30 10:15:41 UTC 2020
On 3/27/20 12:20 PM, Stephane Bortzmeyer via dnsdist wrote:
> I observe that sending a SNI which is a host name or an IPv4 address
> works fine but when the SNI is a raw IPv6 address, the TLS connection
> is immediately closed by the server.
> Is it my fault or the one of dnsdist?
What tool are you using to test? I can't reproduce that behaviour with
openssl s_client, but I'm not sure I'm sending a "raw IPv6 address" in
the same way you are:
openssl s_client -connect 127.0.0.1:853 -servername 2001:db8::1
With this command the DoT connection is accepted by dnsdist (with the
OpenSSL DoT provider) and `dq:getServerNameIndication()` returns
PowerDNS.COM BV - https://www.powerdns.com/
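An added example, not part of the original message and not dnsdist or OpenSSL code: when clients behave differently, it helps to look at what each one actually puts in the server_name extension. The sketch below encodes and parses the RFC 6066 ServerNameList and reports whether the name is a hostname or an address literal; the function names and the sample names other than 2001:db8::1 are assumptions made for the illustration.

```python
import ipaddress
import struct

HOST_NAME = 0  # NameType host_name (RFC 6066, section 3)

def build_sni_extension_data(name: str) -> bytes:
    """Encode one host_name entry as a ServerNameList (extension_data only)."""
    raw = name.encode("ascii")
    entry = struct.pack("!BH", HOST_NAME, len(raw)) + raw
    return struct.pack("!H", len(entry)) + entry

def parse_sni_extension_data(data: bytes) -> list:
    """Return the host_name strings in a ServerNameList, validating lengths."""
    if len(data) < 2:
        raise ValueError("truncated ServerNameList")
    (list_len,) = struct.unpack_from("!H", data, 0)
    if list_len != len(data) - 2:
        raise ValueError("ServerNameList length mismatch")
    names, off = [], 2
    while off < len(data):
        if off + 3 > len(data):
            raise ValueError("truncated ServerName entry")
        name_type, name_len = struct.unpack_from("!BH", data, off)
        off += 3
        if off + name_len > len(data):
            raise ValueError("ServerName overruns the list")
        if name_type == HOST_NAME:
            names.append(data[off:off + name_len].decode("ascii"))
        off += name_len
    return names

def classify_sni(name: str) -> str:
    """Tell a DNS hostname from an address literal placed in the SNI.

    RFC 6066 section 3 does not permit IPv4/IPv6 literals in HostName, so
    clients and servers may treat such a value differently. Brackets are
    stripped because a client might send the bracketed form.
    """
    try:
        addr = ipaddress.ip_address(name.strip("[]"))
    except ValueError:
        return "hostname"
    return "ipv6-literal" if addr.version == 6 else "ipv4-literal"

if __name__ == "__main__":
    # Constructed samples; only 2001:db8::1 comes from the command above.
    for sample in ("dot.example.net", "192.0.2.1", "2001:db8::1"):
        wire = build_sni_extension_data(sample)
        print(parse_sni_extension_data(wire), classify_sni(sample), wire.hex())
```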