unbound-control uses public-key authentication and TLS to communicate with the Unbound daemon. Why not just use a local-domain socket? In both cases, for local use, the security is really enforced only by the file system's permissions model, as far as I can tell. Using public-key authentication and TLS seems needlessly complicated (and (marginally) less secure, if the keys are not generated on boot and can be read from a cold disk). By the way, when I point a web browser at <https://www.unbound.net/>, the server presents an x.509 certificate with many different subjectAltNames, none of which is www.unbound.net. I presume that the certificate (with SHA-1 hash 29309a3b12e588b108ef1132ce3d3daa3a625bcc) is not bogus, though, since the names are all related to nlnetlabs.nl, and OpenSSL happily verifies the signature from CAcert.