DNS-over-TLS offered to clients; questions

Ralph Dolmans ralph at nlnetlabs.nl
Fri Nov 17 10:36:22 UTC 2017

Hi Phil,

On 31-10-17 22:00, Phil Pennock via Unbound-users wrote:
> Is 3 correct?  No hostname or other identifier validation at all, so a
> stolen cert from elsewhere issued by a trusted CA can then impersonate
> DNS?  Anyone know if there are any moves to, eg, look for an IP address
> in the SAN field?

When using unbound as a DNS-over-TLS client (as forwarder), no certificate
validation is happening. So stealing (or requesting) a cert signed by a
"well known" CA is not necessary, any cert will do.

Also see the discussion on Unbound bug #658 [0] for the current TLS
authentication status in Unbound.

-- Ralph

[0] - https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658#c5
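As an added illustration (not part of Ralph's reply, and not something the Unbound version discussed here could do), the two forwarder configurations side by side: the form the thread describes, which encrypts the upstream connection but authenticates nothing, and the form later Unbound releases accept, which pins the upstream's name and a CA bundle. The upstream address, the authentication name and the CA bundle path are placeholders.

```conf
# Variant 1: forwarder as discussed in the thread. TLS to the upstream,
# but no check of the certificate the upstream presents; any cert is accepted.
server:
    ssl-upstream: yes                  # spelled tls-upstream in later releases
forward-zone:
    name: "."
    forward-addr: 192.0.2.53@853       # placeholder upstream, port 853

# Variant 2: authenticated forwarder, using options that later Unbound
# releases added (assumption: not available in the version this thread is about).
server:
    tls-upstream: yes
    # CA store used to validate the upstream's certificate chain (placeholder path)
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
forward-zone:
    name: "."
    # ip@port#authname: the name the upstream's certificate must be valid for;
    # a certificate for any other name, even one signed by a trusted CA, is rejected
    forward-addr: 192.0.2.53@853#dot.example.net
```

Only one of the two variants belongs in a given unbound.conf; they are shown together for comparison.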
