[dnsdist] A SNI with a raw IPv6 address closes the DoT connection

Stephane Bortzmeyer bortzmeyer at nic.fr
Mon Mar 30 10:50:03 UTC 2020


On Mon, Mar 30, 2020 at 12:15:41PM +0200,
 Remi Gacogne via dnsdist <dnsdist at mailman.powerdns.com> wrote
 a message of 73 lines which said:

> What tool are you using to test? I can't reproduce that behaviour with
> openssl s_client,

I can:

% openssl s_client -connect dot.bortzmeyer.fr:853 -servername 2001:db8::1
CONNECTED(00000003)
closed
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 313 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

% openssl s_client -connect dot.bortzmeyer.fr:853 -servername dot.bortzmeyer.fr
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = dot.bortzmeyer.fr
verify return:1
---
Certificate chain
 0 s:CN = dot.bortzmeyer.fr
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
[Everything works]

Since dot.bortzmeyer.fr is a pristine dnsdist 1.4.0, could it be a
paranoid IPS somewhere on the path? (AFAIK, there is none but you
never know, these days. As long as we don't have encrypted SNI, we
will have these issues.)

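The probe above sends an IP literal in the SNI field, which RFC 6066 forbids and which Python's ssl module therefore refuses to do (it silently omits SNI for IP addresses). The script below is an added example, not code from the thread or from dnsdist: it hand-builds a minimal TLS 1.2 ClientHello so the SNI value is sent verbatim, and reports whether the listener answers with a ServerHello, a TLS alert, or an abrupt close, which is the distinction that matters when deciding between a server-side reject and on-path interference. `dot.example.net` and the addresses are placeholders for your own DoT endpoint.

```python
import os
import socket
import struct

def tls_ext(ext_type: int, body: bytes) -> bytes:
    """One TLS extension: type, length, body."""
    return struct.pack("!HH", ext_type, len(body)) + body

def build_client_hello(sni: str) -> bytes:
    """Minimal TLS 1.2 ClientHello whose server_name extension carries `sni` verbatim."""
    name = sni.encode()
    server_name = tls_ext(0, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
    groups = tls_ext(10, struct.pack("!H", 4) + bytes.fromhex("001d0017"))        # x25519, P-256
    sig_algs = tls_ext(13, struct.pack("!H", 6) + bytes.fromhex("080404010403"))  # PSS, PKCS1, ECDSA with SHA-256
    exts = server_name + groups + sig_algs
    ciphers = bytes.fromhex("c02fc02bc030c02c009c")   # ECDHE AES-GCM suites plus plain RSA AES-GCM
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"     # TLS 1.2, client random, empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00"                               # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLS record: handshake

def classify_response(data: bytes) -> str:
    """Verdict from the first bytes the server sends back (empty = it hung up)."""
    if not data:
        return "closed without TLS response"
    if data[0] == 0x15 and len(data) >= 7:             # alert record: level at [5], description at [6]
        return f"TLS alert, description {data[6]}"
    if data[0] == 0x16:
        return "ServerHello received"
    return "unexpected data"

def probe(host: str, sni: str, port: int = 853, timeout: float = 5.0) -> str:
    """Connect to a DoT listener, send the ClientHello, report what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(sni))
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "no response before timeout"
    return classify_response(data)

if __name__ == "__main__":
    # dot.example.net is a placeholder for your own DoT endpoint
    for sni in ("dot.example.net", "2001:db8::1", "192.0.2.1"):
        print(f"SNI {sni!r}: {probe('dot.example.net', sni)}")
```

Running the same probe from a host on the dnsdist box itself and from outside the network tells you whether the close happens before the packet reaches dnsdist; a TLS alert can only come from a TLS endpoint, while a bare TCP close or a timeout is consistent with a middlebox.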
