[Pdns-users] What is required for the dnsdist testCrypto() function to work?

Thu Jul 4 12:37:10 UTC 2019

>> should I expect the testCrypto() function to work? Because it doesn't:
> [...]
>>> testCrypto()
>> Crypto failed..
> This error message is indeed not helpful at all.. I'm pretty sure it
> just means that you have not configured a session key with setKey(), since
> this function mostly tests that the encryption between a console client
> and dnsdist works, and is not related at all to TLS. It made sense
> between the addition of DoT and DoH, but I agree it's quite misleading
> nowadays.
>> The reason for asking about the testCrypto() function is that I'm
>> trying to get DoT working, so far without success.
> It's completely unrelated to testCrypto(), could you paste your
> configuration and explain what doesn't work?

Thanks! Ignoring the testCrypto() error message and staring some more
at my tcpdump logs resulted in solving the problem. Turns out dnsdist
wants to ask the recursive servers using TCP (is this documented?),
which I had not permitted. As soon as I fixed this, everything worked.

> Please be aware that dnsdist has its own mailing-list, by the way :-)

Thanks, now signed up.

Steinar Haug, AS2116

