From yorgos at nlnetlabs.nl Fri Mar 7 14:05:25 2025
From: yorgos at nlnetlabs.nl (Yorgos Thessalonikefs)
Date: Fri, 7 Mar 2025 15:05:25 +0100
Subject: [nsd-users] Fwd: Re: Opening DoH 443/TCP without opening 443/UDP (NSD has similar issue on DoT)
In-Reply-To: <6f97edd0-3373-45bb-a75b-f3cb1f4dc5e9@andreasschulze.de>
References: <639c623f-152b-43be-89b0-6ec391cd3a30@andreasschulze.de> <6f97edd0-3373-45bb-a75b-f3cb1f4dc5e9@andreasschulze.de>
Message-ID:

Hi Andreas,

The change is now merged. tls-port implicitly turns off listening on UDP on that same port.

https://github.com/NLnetLabs/nsd/pull/428

Best regards,
-- Yorgos

On 06/02/2025 21:09, A. Schulze via nsd-users wrote:
> posted to the wrong (old) address of nsd-users, now to the correct list
> address ...
>
> _______________________________________________
> nsd-users mailing list
> nsd-users at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users


From klaus.darilion at nic.at Mon Mar 17 13:31:39 2025
From: klaus.darilion at nic.at (Klaus Darilion)
Date: Mon, 17 Mar 2025 13:31:39 +0000
Subject: [nsd-users] Can XoT use self-signed certificates?
Message-ID:

Hi!

I am testing XoT with NSD as secondary.

As far as I see, for certificate validation always the OS installed CA certificates are used. (/etc/ca-certificates.conf in Ubuntu)

Is it possible to use self signed certificates and manually configure a trust-anchor (e.g. ca-file option in many other TLS supported software)?

Is it possible to use opportunistic/ephemeral TLS as supported by Bind?

Thanks
Klaus


From klaus.darilion at nic.at Tue Mar 18 13:14:53 2025
From: klaus.darilion at nic.at (Klaus Darilion)
Date: Tue, 18 Mar 2025 13:14:53 +0000
Subject: [nsd-users] Can XoT use self-signed certificates?
In-Reply-To:
References:
Message-ID:

Answering myself (untested yet): It seems that 'tls-cert-bundle:' may be the solution to manually specify trust anchors.
Frankly, this is a 'server:' option but I would have expected it under the tls-auth: section to be configurable per tls-context.

Regards
Klaus

From: nsd-users On Behalf Of Klaus Darilion via nsd-users
Sent: Monday, March 17, 2025 2:32 PM
To: nsd-users at lists.nlnetlabs.nl
Subject: [nsd-users] Can XoT use self-signed certificates?

Hi!

I am testing XoT with NSD as secondary.

As far as I see, for certificate validation always the OS installed CA certificates are used. (/etc/ca-certificates.conf in Ubuntu)

Is it possible to use self signed certificates and manually configure a trust-anchor (e.g. ca-file option in many other TLS supported software)?

Is it possible to use opportunistic/ephemeral TLS as supported by Bind?

Thanks
Klaus


From willem at nlnetlabs.nl Tue Mar 18 15:39:28 2025
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Tue, 18 Mar 2025 16:39:28 +0100
Subject: [nsd-users] Can XoT use self-signed certificates?
In-Reply-To:
References:
Message-ID: <82db6651-0858-4083-888d-313160d455ef@nlnetlabs.nl>

On 18-03-2025 at 14:14, Klaus Darilion via nsd-users wrote:
>
> Answering myself (untested yet): It seems that 'tls-cert-bundle:' may
> be the solution to manually specify trust anchors. Frankly, this is a
> 'server:' option but I would have expected it under the tls-auth:
> section to be configurable per tls-context.
>

We could modify that of course, but personally I also feel for the pin authentication that Knot-dns employs. Would that work for you?

Regards,
-- Willem

> Regards
>
> Klaus
>
> From: nsd-users On Behalf Of Klaus Darilion via nsd-users
> Sent: Monday, March 17, 2025 2:32 PM
> To: nsd-users at lists.nlnetlabs.nl
> Subject: [nsd-users] Can XoT use self-signed certificates?
>
> Hi!
>
> I am testing XoT with NSD as secondary.
>
> As far as I see, for certificate validation always the OS installed CA
> certificates are used. (/etc/ca-certificates.conf in Ubuntu)
>
> Is it possible to use self signed certificates and manually configure
> a trust-anchor (e.g. ca-file option in many other TLS supported software)?
>
> Is it possible to use opportunistic/ephemeral TLS as supported by Bind?
>
> Thanks
>
> Klaus
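The following nsd.conf fragment is an added illustration of the two points raised in this thread, not configuration from the thread or from the NSD project: a tls-port DoT listener (which, after the merged change above, no longer also binds UDP on that port), and the tls-cert-bundle / tls-auth options Klaus identified for verifying an XoT primary that presents a self-signed certificate. The file paths, the tls-auth name, the domain names and the 192.0.2.10 address are constructed placeholders.

```yaml
# Added example nsd.conf fragment (constructed; paths, names and addresses are placeholders).
server:
    # DoT listener. NSD does not also listen on UDP on this port.
    tls-port: 853
    tls-service-key: "/etc/nsd/ns2.example.net.key"
    tls-service-pem: "/etc/nsd/ns2.example.net.pem"

    # Trust anchors for outgoing XoT connections (used instead of the OS
    # default CA locations). For a self-signed primary, this file holds
    # that primary's own certificate (or the private CA that signed it),
    # so the public CA store is not consulted for this verification.
    tls-cert-bundle: "/etc/nsd/xot-primary-trust.pem"

# Per-primary TLS authentication context (a server-wide trust bundle is
# still used for chain validation; this entry pins the expected name).
tls-auth:
    name: "xot-primary"
    # Must match a subjectAltName (or CN) in the certificate the primary presents.
    auth-domain-name: "ns1.example.net"

zone:
    name: "example.net"
    # Pull transfers over TLS from the primary, verified with the
    # tls-auth context above. NOKEY: no TSIG; the TLS channel provides
    # the authentication of the transfer here.
    request-xfr: 192.0.2.10 NOKEY xot-primary
    allow-notify: 192.0.2.10 NOKEY
```

Before relying on it, it is worth checking the trust relationship independently of NSD, for example with `openssl s_client -connect 192.0.2.10:853 -CAfile /etc/nsd/xot-primary-trust.pem -verify_hostname ns1.example.net`; a `Verify return code: 0 (ok)` there means the bundle and the name in tls-auth match what the primary actually serves, which is the usual failure point when swapping a public CA chain for a self-signed anchor.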