Maintained by: NLnet Labs

[Unbound-users] local control socket; www.unbound.net certificate

Taylor R Campbell
Wed Nov 24 01:43:07 CET 2010


unbound-control uses public-key authentication and TLS to communicate
with the Unbound daemon.  Why not just use a local-domain socket?

In both cases, for local use, the security is really enforced only by
the file system's permissions model, as far as I can tell.  Using
public-key authentication and TLS seems needlessly complicated (and
(marginally) less secure, if the keys are not generated on boot and
can be read from a cold disk).

By the way, when I point a web browser at <https://www.unbound.net/>,
the server presents an X.509 certificate with many different
subjectAltNames, none of which is www.unbound.net.  I presume that the
certificate (with SHA-1 hash 29309a3b12e588b108ef1132ce3d3daa3a625bcc)
is not bogus, though, since the names are all related to nlnetlabs.nl,
and OpenSSL happily verifies the signature from CAcert.
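
The local-domain socket alternative raised in the message above, as an added example (not from the original post and not Unbound's code). It assumes Linux for `SO_PEERCRED`; the socket name `control.sock`, the `status` command, and the function names are hypothetical.

```python
import os
import socket
import stat
import struct
import tempfile

def make_control_socket(path):
    """Bind a Unix-domain socket whose file mode is 0600 from the moment it exists."""
    old = os.umask(0o177)  # applied by bind(), so there is no window with wider modes
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
    finally:
        os.umask(old)
    srv.listen(1)
    return srv

def peer_uid(conn):
    """Ask the kernel which uid connected (Linux SO_PEERCRED returns pid, uid, gid)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)
    return uid

def demo():
    # mkdtemp() creates the directory 0700. Some systems have ignored the mode on
    # the socket file itself, so the private directory is the portable control.
    d = tempfile.mkdtemp()
    path = os.path.join(d, "control.sock")  # hypothetical socket name
    srv = make_control_socket(path)
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        sock_mode = stat.S_IMODE(os.stat(path).st_mode)
        dir_mode = stat.S_IMODE(os.stat(d).st_mode)
        cli.connect(path)
        conn, _ = srv.accept()
        with conn:
            allowed = peer_uid(conn) == os.geteuid()  # no keys or certificates involved
            cli.sendall(b"status\n")                  # hypothetical control command
            cmd = conn.recv(64) if allowed else b""
    finally:
        cli.close()
        srv.close()
        os.unlink(path)
        os.rmdir(d)
    return {"socket_mode": oct(sock_mode), "dir_mode": oct(dir_mode),
            "peer_is_owner": allowed, "command": cmd}

if __name__ == "__main__":
    print(demo())
```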