<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">Op 18-03-2025 om 14:14 schreef Klaus
Darilion via nsd-users:<br>
</div>
<blockquote type="cite"
cite="mid:AS2PR03MB8866E6D9D0E1EEFA533E45F9F1DE2@AS2PR03MB8866.eurprd03.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator"
content="Microsoft Word 15 (filtered medium)">
<style>@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}@font-face
{font-family:Aptos;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}span.E-MailFormatvorlage19
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}div.WordSection1
{page:WordSection1;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">Answering
myself (untested yet): It seems that ‘<a class="moz-txt-link-freetext" href="tls-cert-bundle:’">tls-cert-bundle:’</a> may
be the solution to manually specify trust anchors. Frankly,
this is a ‘<a class="moz-txt-link-freetext" href="server:’">server:’</a> option but I would have expected it
under the tls-auth: section to be configurable per
tls-context.</span></p>
</div>
</blockquote>
<p>We could modify that of course, but personally I also feel for
the pin authentication that Knot-dns employs. Would that work for
you?<br>
</p>
<p>Regards,</p>
<p>-- Willem<br>
</p>
<blockquote type="cite"
cite="mid:AS2PR03MB8866E6D9D0E1EEFA533E45F9F1DE2@AS2PR03MB8866.eurprd03.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Regards<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Klaus<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="DE" style="font-size:11.0pt"><o:p> </o:p></span></p>
<div
style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">
nsd-users <a class="moz-txt-link-rfc2396E" href="mailto:nsd-users-bounces@lists.nlnetlabs.nl"><nsd-users-bounces@lists.nlnetlabs.nl></a>
<b>On Behalf Of </b>Klaus Darilion via nsd-users<br>
<b>Sent:</b> Monday, March 17, 2025 2:32 PM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:nsd-users@lists.nlnetlabs.nl">nsd-users@lists.nlnetlabs.nl</a><br>
<b>Subject:</b> [nsd-users] Can XoT use self-signed
certificates?<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span style="color:black">Hi!<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">I am testing
XoT with NSD as secondary.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">As far as I
see, for certificate validation always the OS installed
CA certificates are used. (/etc/ca-certificates.conf in
Ubuntu)<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">Is it
possible to use self signed certificates and manually
configure a trust-anchor (e.g. ca-file option in many
other TLS supported software)?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">Is it
possbile to use opportunistic/ephemeral TLS as supported
by Bind?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">Thanks<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">Klaus<o:p></o:p></span></p>
</div>
</div>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre wrap="" class="moz-quote-pre">_______________________________________________
nsd-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:nsd-users@lists.nlnetlabs.nl">nsd-users@lists.nlnetlabs.nl</a>
<a class="moz-txt-link-freetext" href="https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users">https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users</a>
</pre>
</blockquote>
</body>
</html>