[Pdns-users] What is required for the dnsdist testCrypto() function to work?

sthaug at nethelp.no sthaug at nethelp.no
Thu Jul 4 10:47:26 UTC 2019

I have a newly installed FreeBSD-12.0 system, with dnsdist installed
from the FreeBSD package system, and all the dependencies:

New packages to be INSTALLED:
        dnsdist: 1.3.3_6
        libsodium: 1.0.16
        gnutls: 3.6.7
        trousers: 0.3.14_2
        tpm-emulator: 0.7.4_2
        gmp: 6.1.2_1
        indexinfo: 0.3.1
        p11-kit: 0.23.15
        libtasn1: 4.13_1
        ca_root_nss: 3.44.1
        libffi: 3.2.1_3
        nettle: 3.4.1_1
        libidn2: 2.1.1
        libunistring: 0.9.10_1
        lua52: 5.2.4
        libedit: 3.1.20181209_2,1
        re2: 20190301
        protobuf: 3.7.1,1
        boost-libs: 1.69.0_2
        icu: 64.2,1

The dnsdist version claims it supports crypto:

# dnsdist -V
dnsdist 1.3.3 (Lua 5.2.4)
Enabled features: dns-over-tls(gnutls openssl) dnscrypt libsodium protobuf re2 recvmmsg/sendmmsg

If I start this dnsdist with a config file containing one line:


should I expect the testCrypto() function to work? Because it doesn't:

# dnsdist -C /usr/local/etc/dnsdist.conf
Added downstream server
Listening on
dnsdist 1.3.3 comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2
ACL allowing queries from:,,,,,, ::1/128, fc00::/7, fe80::/10
Console ACL allowing connections from: ::1/128,
Marking downstream as 'up'
> Polled security status of version 1.3.3 at startup, no known issues reported: OK

> testCrypto()
Crypto failed..

Oh yeah, I can verify using tcpdump that it is indeed polling the
DNS server at and getting replies.

The reason for asking about the testCrypto() function is that I'm
trying to get DoT working, so far without success.

Steinar Haug, AS2116
