Maintained by: NLnet Labs

DNS-over-TLS offered to clients; questions

Ralph Dolmans
Fri Nov 17 11:36:22 CET 2017


Hi Phil,

On 31-10-17 22:00, Phil Pennock via Unbound-users wrote:
> Is 3 correct?  No hostname or other identifier validation at all, so a
> stolen cert from elsewhere issued by a trusted CA can then impersonate
> DNS?  Anyone know if there are any moves to, eg, look for an IP address
> in the SAN field?

When using unbound as a DNS-over-TLS client (as forwarder), no certificate
validation is happening. So stealing (or requesting) a cert signed by a
"well known" CA is not necessary; any cert will do.

Also see the discussion on Unbound bug #658 [0] for the current TLS
authentication status in Unbound.

-- Ralph

[0] - https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658#c5
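The certificate check the thread says Unbound's forwarder skipped, as an added example that is not part of the original post or of Unbound: a minimal DNS-over-TLS client using RFC 7858 framing (2-byte length prefix over TLS on port 853) with a TLS context that requires a trusted chain and matches the resolver's name or IP address against the certificate's SAN. The resolver address and name in `dot_query` are assumptions; `unauthenticated_context` shows the accept-anything setting for contrast.

```python
import socket
import ssl
import struct


def build_query(name, qtype=1, txid=0x1234):
    """Build a recursive DNS query for `name`/`qtype` and add the 2-byte
    length prefix RFC 7858 borrows from DNS over TCP."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg


def verifying_context(cafile=None):
    """Authenticates the resolver: chain verified against the CA bundle and the
    name (or IP, via iPAddress SAN) passed as server_hostname must match."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def unauthenticated_context():
    """The weak setting the thread describes: encryption only, any cert accepted,
    so an on-path party can terminate the TLS session with a self-signed cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def dot_query(name, resolver_ip="192.0.2.53", server_name="dot.example.net",
              ctx=None, port=853, timeout=5.0):
    """Send one query over DNS-over-TLS and return the raw DNS response.
    resolver_ip/server_name are placeholders; pass server_name=resolver_ip
    to match against an iPAddress SAN instead of a dNSName."""
    ctx = ctx or verifying_context()
    with socket.create_connection((resolver_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(build_query(name))
            length = struct.unpack("!H", tls.recv(2))[0]
            resp = b""
            while len(resp) < length:
                chunk = tls.recv(length - len(resp))
                if not chunk:
                    raise ConnectionError("resolver closed mid-response")
                resp += chunk
            return resp
```

If the resolver presents a certificate that does not chain to the bundle or does not name the address you connected to, `wrap_socket` raises `ssl.SSLCertVerificationError` instead of silently returning answers.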