Maintained by: NLnet Labs

[Unbound-users] weak ciphers enabled to remote-control nsd+unbound

Paul Wouters
Wed Nov 13 22:24:48 CET 2013


On Wed, 13 Nov 2013, Andreas Schulze wrote:

> nsd and unbound can be controlled using nsd-control and unbound-control.
> SSL is used to ensure privacy and authentication. Although those connections 
> are
> commonly used at localhost only they are usable over public networks by 
> design.
>
> But the server allow weak ciphers. Users have no option to control these 
> setting.

> I suggest to enhance the code to use a fixed cipher and protocol by default
> and optional make these settings configurable.
>
> Also DH key exchange would be nice (PFS, 
> http://de.wikipedia.org/wiki/Perfect_Forward_Secrecy)

Actually, I suggest we adopt the patch that floated around last year to
allow people to use a pipe when running on localhost, which would be
much simpler then the entire TLS overhead. Keep the TLS for people
who wish to remote control their unbound instances, but I don't think
those are many. Whereas everyone with unbound-control/dnssec-trigger
setups now have to go through the overhead/complexity of TLS.

Paul