[Unbound-users] local control socket; www.unbound.net certificate
Taylor R Campbell
campbell+unbound at mumble.net
Wed Nov 24 00:43:07 UTC 2010
unbound-control uses public-key authentication and TLS to communicate
with the Unbound daemon. Why not just use a local-domain socket?
In both cases, for local use, the security is really enforced only by
the file system's permissions model, as far as I can tell. Using
public-key authentication and TLS seems needlessly complicated (and
(marginally) less secure, if the keys are not generated on boot and
can be read from a cold disk).
By the way, when I point a web browser at <https://www.unbound.net/>,
the server presents an X.509 certificate with many different
subjectAltNames, none of which is www.unbound.net. I presume that the
certificate (with SHA-1 hash 29309a3b12e588b108ef1132ce3d3daa3a625bcc)
is not bogus, though, since the names are all related to nlnetlabs.nl,
and OpenSSL happily verifies the signature from CAcert.
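The message above argues that, for local use, the real protection for unbound-control is the file system's permission model, since the TLS keys sit on disk. An added example (not from the original post or from the Unbound project): a small Python audit that checks whether a private-key file is actually protected by that model, i.e. not readable by group or others, owned by the expected user, not a symlink, and not sitting in a world-writable directory that would let anyone swap the key. The demo constructs its own temporary files; real key paths such as /etc/unbound/unbound_server.key are assumptions for illustration, not taken from the mail.

```python
import os
import stat
import tempfile

# Any group or other permission bit on a private key is a finding:
# read lets another local user copy the key, write lets them replace it.
_GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO


def check_secret_file(path, expected_uid=0):
    """Return a list of findings for a private-key file; empty means OK."""
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing"]

    if stat.S_ISLNK(st.st_mode):
        # A symlink can be repointed by whoever controls the link's directory.
        findings.append("is a symlink")
    elif not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")

    if st.st_mode & _GROUP_OR_OTHER:
        findings.append("mode %04o allows group/other access"
                        % stat.S_IMODE(st.st_mode))

    if st.st_uid != expected_uid:
        findings.append("owned by uid %d, expected uid %d"
                        % (st.st_uid, expected_uid))

    # The containing directory matters as much as the file: if others can
    # write there (and the sticky bit is unset) they can rename a key away
    # and drop their own in its place.
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if (pst.st_mode & stat.S_IWOTH) and not (pst.st_mode & stat.S_ISVTX):
        findings.append("parent directory %s is world-writable" % parent)

    return findings


def demo():
    """Constructed scenario: one key with 0600 and one left at 0644."""
    workdir = tempfile.mkdtemp()  # created mode 0700, so the parent is safe
    good = os.path.join(workdir, "unbound_server.key")   # assumed filename
    bad = os.path.join(workdir, "unbound_control.key")   # assumed filename
    for p in (good, bad):
        with open(p, "w") as fh:
            fh.write("-----BEGIN PRIVATE KEY-----\nconstructed\n")
    os.chmod(good, 0o600)
    os.chmod(bad, 0o644)  # the mistake: world-readable private key
    me = os.getuid()
    return {
        "good": check_secret_file(good, expected_uid=me),
        "bad": check_secret_file(bad, expected_uid=me),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["ok"])
```

To audit a real installation, call check_secret_file on each key the daemon and the control client read (the paths in the unbound.conf remote-control section), passing the uid the daemon's files are meant to belong to; the same check applies to the directory holding a local-domain control socket, since the socket's protection rests on exactly the same permission bits.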