[nsd-users] Can XoT use self-signed certificates?
Klaus Darilion
klaus.darilion at nic.at
Tue Mar 18 19:45:39 UTC 2025
Hi Willem!
I am not sure either what would be the best approach. Knot’s PIN approach is great for private installations, but not for general TLS applications where you do not know the other party but want to know a trusted name (confirmed by some well known CA). So far I like Bind’s approach most, where the TLS configuration is similar to standard webservers where you can use either OS installed certificates or provide a list of trusted CA certs manually. Maybe we should wait for more XoT deployments and more feedback from admins.
Anyway, IMHO all 3 implementations (Knot, Bind, NSD) lack logging of TLS parameters and helpful error messages when TLS handshakes fail.
For example, NSD’s “axfr for … from … refused tls-auth-xfr-only” as the only error log is not very helpful when I try to understand why the connection fails. NSD could add some more info when the connection fails, like: Did NSD as primary request a client cert from the secondary name server? If yes, did the secondary provide a certificate? If yes, what host name was searched for in the certificate name? Was it found or not? Why was the client certificate not accepted? Or was everything fine with the client certificate, but the configured policy forbids the zone transfer?
Thanks
Klaus
--
Klaus Darilion, Head of Operations
nic.at GmbH, Jakob-Haringer-Straße 8/V
5020 Salzburg, Austria
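The kind of diagnostic Klaus asks for, as an added example that is not NSD's code: a Python function over the dict that ssl.SSLSocket.getpeercert() returns, which reports whether the peer presented a certificate, whether it is still valid, which name was searched for, and whether it was found among the SAN entries (RFC 6125 wildcard rules, IP literals only against IP SANs, subject CN only as a legacy fallback). The sample certificate dict and the clock value are constructed.

```python
import ipaddress
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "ns2.example.net"),),),
    "subjectAltName": (("DNS", "ns2.example.net"), ("DNS", "*.xfr.example.net"),
                       ("IP Address", "192.0.2.53")),
    "notAfter": "Mar 18 00:00:00 2026 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Sep 10 12:00:00 2025 GMT")  # constructed clock

def _name_matches(pattern, name):
    """RFC 6125 style: case-insensitive, a single '*' only as the leftmost label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p, n = pattern.split("."), name.split(".")
    if p[0] != "*" or "*" in "".join(p[1:]) or len(p) < 3 or len(p) != len(n):
        return False
    return p[1:] == n[1:]

def explain_peer_cert(peercert, expected_name, now=None):
    """Say why expected_name does or does not match peercert, not just 'refused'."""
    now = time.time() if now is None else now
    if not peercert:
        return {"ok": False, "reason": "peer presented no certificate"}
    if now > ssl.cert_time_to_seconds(peercert["notAfter"]):
        return {"ok": False, "reason": "certificate expired (notAfter %s)" % peercert["notAfter"]}
    sans = peercert.get("subjectAltName", ())
    ip_sans = [v for kind, v in sans if kind == "IP Address"]
    try:
        wanted_ip = ipaddress.ip_address(expected_name)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:  # an IP literal is only compared against IP SANs
        if any(ipaddress.ip_address(v) == wanted_ip for v in ip_sans):
            return {"ok": True, "reason": "%s matched SAN IP Address" % wanted_ip}
        return {"ok": False, "reason": "%s not among SAN IP addresses %s" % (wanted_ip, ip_sans)}
    # DNS SANs win; the subject CN is consulted only when the cert has no DNS SAN.
    candidates = [v for kind, v in sans if kind == "DNS"] or [
        v for rdn in peercert.get("subject", ()) for k, v in rdn if k == "commonName"]
    for cand in candidates:
        if _name_matches(cand, expected_name):
            return {"ok": True, "reason": "%s matched certificate name %s" % (expected_name, cand)}
    return {"ok": False, "reason": "%s not among certificate names %s" % (expected_name, candidates)}
```

Fed the real getpeercert() result and the configured authentication name, the returned reason string is the line a server could log instead of a bare refusal.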
From: nsd-users <nsd-users-bounces at lists.nlnetlabs.nl> On Behalf Of Willem Toorop via nsd-users
Sent: Tuesday, March 18, 2025 4:39 PM
To: nsd-users at lists.nlnetlabs.nl
Subject: Re: [nsd-users] Can XoT use self-signed certificates?
On 18-03-2025 at 14:14, Klaus Darilion via nsd-users wrote:
Answering myself (untested yet): It seems that ‘tls-cert-bundle:’ may be the solution to manually specify trust anchors. Frankly, this is a ‘server:’ option but I would have expected it under the tls-auth: section to be configurable per tls-context.
We could modify that of course, but personally I also feel for the pin authentication that Knot-dns employs. Would that work for you?
Regards,
-- Willem
Regards
Klaus
From: nsd-users <nsd-users-bounces at lists.nlnetlabs.nl><mailto:nsd-users-bounces at lists.nlnetlabs.nl> On Behalf Of Klaus Darilion via nsd-users
Sent: Monday, March 17, 2025 2:32 PM
To: nsd-users at lists.nlnetlabs.nl<mailto:nsd-users at lists.nlnetlabs.nl>
Subject: [nsd-users] Can XoT use self-signed certificates?
Hi!
I am testing XoT with NSD as secondary.
As far as I see, for certificate validation the OS-installed CA certificates are always used (/etc/ca-certificates.conf in Ubuntu).
Is it possible to use self-signed certificates and manually configure a trust anchor (e.g. the ca-file option in many other TLS-supporting software)?
Is it possible to use opportunistic/ephemeral TLS as supported by Bind?
Thanks
Klaus
_______________________________________________
nsd-users mailing list
nsd-users at lists.nlnetlabs.nl<mailto:nsd-users at lists.nlnetlabs.nl>
https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users