DNS over TLS fails when using IPv6
Hello,
I have just set up DNS over TLS and I have noticed that queries over IPv6 do not work.
The DNS resolver is currently publicly accessible on 81.2.239.149:853 and [2001:15e8:110:795::1]:853, with the following pins:
[tls] RFC 7858 OOB key-pin (0): pin-sha256="UXGqCMdLvdkVB3sIxfb41G5gIn8lR8zjOMj13czd/V8="
[tls] RFC 7858 OOB key-pin (1): pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
Tests: (done from multiple locations except the last one)
$ kdig +tls google.com @81.2.239.149
;; TLS session (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 57521
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 4096 B; ext-rcode: NOERROR
;; PADDING: 409 B
;; QUESTION SECTION:
;; google.com. IN A
;; ANSWER SECTION:
google.com. 268 IN A 172.217.23.206
;; Received 468 B
;; Time 2017-10-24 18:37:39 CEST
;; From 81.2.239.149@853(TCP) in 0.0 ms
$ kdig +tls google.com @[2001:15e8:110:795::1]
;; WARNING: TLS, handshake failed (The TLS connection was non-properly terminated.)
;; WARNING: failed to query server 2001:15e8:110:795::1@853(TCP)
$ kdig +tls google.com @[::1]
;; WARNING: TLS, handshake failed (The TLS connection was non-properly terminated.)
;; WARNING: failed to query server ::1@853(TCP)
My configuration follows:
-- load modules
modules = {
    "policy",
    "view",
    "version",
    "stats",
    "daf",
    predict = {
        -- 15 minutes sampling window
        window = 15,
        -- track last 31 days
        period = 31 * 24 * (60 / 15)
    },
    hints = "/etc/knot-resolver/static.hosts",
    http = {
        host = "node3.psb1.org",
        port = 8053,
        cert = false,
        -- key = "/mnt/export.node1/acme.sh/node3.psb1.org/node3.psb1.org.key",
        -- cert = "/mnt/export.node1/acme.sh/node3.psb1.org/node3.psb1.org.cer",
        geoip = "/etc/knot-resolver/GeoLite2-City.mmdb"
    }
}

-- init tls
net.tls("/mnt/export.node1/acme.sh/node3.psb1.org/fullchain.cer", "/mnt/export.node1/acme.sh/node3.psb1.org/node3.psb1.org.key")

-- setup cache
cache.storage = "lmdb:///run/knot-resolver/cache"
cache.size = 100 * MB

-- set mode
mode("normal")

-- setup trust anchors for DNSSEC
trust_anchors.file = "/usr/share/dns/root.key"
Thank you in advance.
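The kdig runs above exercise the resolver over IPv4 and IPv6 but take the server's identity on trust. The probe below is an added example, not code from the post or from Knot Resolver: it builds the DNS query in wire format, sends it with the 2-byte length prefix that RFC 7858 inherits from DNS over TCP, and, instead of PKIX validation, checks the server's SubjectPublicKeyInfo against the out-of-band pin-sha256 values the post publishes (RFC 7858 section 4.2). `socket.getaddrinfo` is used so the same code path runs for an IPv4 literal, an IPv6 literal or a hostname, which makes an address-family-specific failure like the one reported easy to isolate. `SAMPLE_RESPONSE` and `SAMPLE_CERT_DER` are constructed test vectors (the certificate is a skeleton with the right field order, not a real certificate); `PINS` are the two values from the post.

```python
"""DNS-over-TLS probe with RFC 7858 out-of-band SPKI pinning (stdlib only)."""
import base64
import hashlib
import socket
import ssl
import struct
import sys

# Pins published in the post above (RFC 7469 pin-sha256 format).
PINS = ("UXGqCMdLvdkVB3sIxfb41G5gIn8lR8zjOMj13czd/V8=",
        "YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=")


def build_query(qname, qtype=1, txid=0x1234):
    """Return a DNS query (no TCP length prefix): RD set, one IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_response(msg):
    """Return id, rcode and the A-record addresses of a DNS response."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])

    def skip_name(pos):  # walks labels; a compression pointer ends the name
        while True:
            ln = msg[pos]
            if ln == 0:
                return pos + 1
            if ln & 0xC0 == 0xC0:
                return pos + 2
            pos += 1 + ln

    off = 12
    for _ in range(qd):
        off = skip_name(off) + 4          # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"id": txid, "rcode": flags & 0x0F, "answers": addrs}


def _tlv(buf, pos):
    """Read one DER TLV header; return (tag, value_start, value_end)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                          # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.
    tbsCertificate order: [version] serial signature issuer validity subject spki."""
    _, pos, _ = _tlv(cert_der, 0)          # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)        # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                        # EXPLICIT [0] version is optional
        pos = end
    for _ in range(5):                     # serial .. subject
        _, _, pos = _tlv(cert_der, pos)
    _, _, end = _tlv(cert_der, pos)
    return cert_der[pos:end]


def spki_pin(der_spki):
    """pin-sha256 = base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(der_spki).digest()).decode()


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TLS stream closed before full DNS message")
        buf += chunk
    return buf


def query_dot(server, qname, port=853, expected_pins=PINS, timeout=5.0):
    """Resolve qname over DoT; trust is by SPKI pin, not the PKIX chain."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False             # pin replaces name/chain checks
    ctx.verify_mode = ssl.CERT_NONE
    family, _, _, _, sockaddr = socket.getaddrinfo(
        server, port, type=socket.SOCK_STREAM)[0]   # v4 or v6 alike
    with socket.socket(family, socket.SOCK_STREAM) as raw:
        raw.settimeout(timeout)
        with ctx.wrap_socket(raw) as tls:
            tls.connect(sockaddr)
            pin = spki_pin(extract_spki(tls.getpeercert(binary_form=True)))
            if pin not in expected_pins:
                raise ssl.SSLError("SPKI pin mismatch: " + pin)
            msg = build_query(qname)
            tls.sendall(struct.pack("!H", len(msg)) + msg)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length)), pin


# Constructed test vectors (not captured from the resolver in the post).
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + b"\x06google\x03com\x00\x00\x01\x00\x01"
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 268, 4)
                   + bytes([172, 217, 23, 206]))
SAMPLE_CERT_DER = (b"\x30\x1c\x30\x15\xa0\x03\x02\x01\x02\x02\x01\x01"
                   b"\x30\x00\x30\x00\x30\x00\x30\x00\x30\x03\x02\x01\x07"
                   b"\x30\x00\x03\x01\x00")

if __name__ == "__main__":
    if len(sys.argv) > 1:                  # e.g. 81.2.239.149 or 2001:15e8:110:795::1
        print(query_dot(sys.argv[1], "google.com"))
    else:
        print(parse_response(SAMPLE_RESPONSE), spki_pin(extract_spki(SAMPLE_CERT_DER)))
```

Run it once against the IPv4 address and once against the IPv6 address: a handshake that dies only on the IPv6 path (the `non-properly terminated` warning kdig printed) points at the listener or its address family, while a pin mismatch on either path would mean the TLS endpoint answering is not the one the published pins describe.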