Versions Compared

LDNS: ldns.1.6.17_dns-over-tls.patch (also referred to as ldns.1.6.17_t-dns.patch)

Note: since these patches use TLS v1.2, a recent version of OpenSSL is required.

Features

  • Adds -F option to read multiple message files from a directory.
  • Adds -R option to re-use TCP/TLS connections when possible.
  • Adds -l option to do TLS on a dedicated TLS port.
  • Adds -C option to do STARTTLS (no TO bit) (experimental).
  • Adds -L option to do STARTTLS (with TO bit) (experimental).
  • Adds -P option to prevent failed STARTTLS negotiation falling back to TCP.
  • Adds experimental support for TCP Fast Open (Linux only). Enable with the --enable-tcp-fastopen configure option.

...

Installation

  1. apply patch
  2. run 'autoreconf --force'
  3. additionally specify the '--with-ssl' and '--with-tls' flags when running 'configure'
  4. optionally specify the '--enable-tcp-fastopen' flag when running 'configure'
  5. make, make install

Unbound: unbound-1.5.1_t-dns.patch

Features

  • Add support for TDNS (DNS-over-TLS) (experimental) to Unbound as a server and a client
    • Adds new configuration file options:
      • 'do-starttls: yes/no'                  # enable STARTTLS for downstream queries
      • 'starttls-upstream: yes/no'            # enable STARTTLS for upstream queries
      • 'starttls-delay: <number of seconds>'  # time to cache the STARTTLS capability of an upstream server before retrying a STARTTLS negotiation
    • Adds option to use the TO bit for STARTTLS downstream. Enable with the --enable-TObit configure option.
    • Adds new statistics counters: SSL queries, EDNS_TO queries and STARTTLS queries
  • Initial attempt to change the behaviour of writes over SSL so that the DNS message is sent in a single packet when possible. (Previous behaviour was to send the length and the message content separately.)
  • Adds experimental client and server support for TCP Fast Open (Linux only). Enable with the --enable-tcp-fastopen configure option.

Installation

  1. apply patch
  2. run 'autoreconf --force'
  3. optionally specify the '--enable-tcp-fastopen' and/or '--enable-TObit' flags when running 'configure'
  4. make, make install

NSD: nsd-4.1.0_dns-over-tls.patch (also referred to as nsd-4.1.0_t-dns.patch)

Features

  • Implement a TLS service on a dedicated TLS port
    • Adds new options in configuration file:
      • 'tls-service-key: <path_to_key_file>'
      • 'tls-service-pem: <path_to_pem_file>'
      • 'tls-port: <port for TLS service>'
  • Add support for TDNS (DNS-over-TLS) (experimental).
    • Adds new configuration file option:
      • 'do-starttls: yes/no'   # enable STARTTLS (named 'allow-tls-upgrade: yes/no' in the other compared version of this page)
    • Adds option to use the TO bit for STARTTLS. Enable with the --enable-TObit configure option.
  • Initial attempt to change the behaviour of writes over SSL so that the DNS message is sent in a single packet when possible. (Previous behaviour was to send the length and the message content separately.)
  • Adds experimental server support for TCP Fast Open (Linux only). Enable with the --enable-tcp-fastopen configure option.
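Both the Unbound and NSD entries above describe the same wire-level change: the two-byte length prefix and the DNS message are written to the TLS layer as one buffer instead of two. The following Python example is added here and is not part of this page or of the LDNS/Unbound/NSD patches; it shows that framing (build a query, length-prefix it into a single buffer, unframe a stream while leaving an incomplete trailing message unparsed) and how a client would send one query to a dedicated DNS-over-TLS port with TLS 1.2 enforced. The host, port and CA file in query_over_tls are assumptions.

```python
import socket
import ssl
import struct

def build_query(qname, qtype=1, txid=0x1234):
    """Minimal DNS query: header with RD set, one question, no EDNS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)

def frame(msg):
    """Prefix a message with its 16-bit length (RFC 1035 TCP framing).
    This single buffer is what a patched server hands to the TLS layer in
    one write instead of writing length and message separately."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for the 16-bit length prefix")
    return struct.pack(">H", len(msg)) + msg

def unframe(stream):
    """Split a TCP/TLS byte stream into complete DNS messages. A trailing
    partial message (prefix promises more bytes than present) is left
    unparsed, so a reader can keep appending received data and retry."""
    msgs, i = [], 0
    while i + 2 <= len(stream):
        n = struct.unpack(">H", stream[i:i + 2])[0]
        if i + 2 + n > len(stream):
            break
        msgs.append(stream[i + 2:i + 2 + n])
        i += 2 + n
    return msgs

def query_over_tls(host, port, qname, cafile=None):
    """Send one query over TLS 1.2+ to a dedicated DNS-over-TLS port and
    return the raw reply. host/port/cafile are assumptions (e.g. a patched
    NSD's 'tls-port'); the patches require TLS 1.2, enforced here."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(frame(build_query(qname)))  # length + message, one write
            buf = b""
            while not unframe(buf):
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("peer closed before a full reply")
                buf += chunk
            return unframe(buf)[0]
```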