DNS-over-TLS offered to clients; questions
ralph at nlnetlabs.nl
Fri Nov 17 11:36:22 CET 2017
On 31-10-17 22:00, Phil Pennock via Unbound-users wrote:
> Is 3 correct? No hostname or other identifier validation at all, so a
> stolen cert from elsewhere issued by a trusted CA can then impersonate
> DNS? Anyone know if there are any moves to, eg, look for an IP address
> in the SAN field?
When using unbound as DNS-over-TLS client (as forwarder), no certificate
validation is happening. So stealing (or requesting) a cert signed by a
"well-known" CA is not necessary, any cert will do.
Also see the discussion on Unbound bug #658 for the current TLS
authentication status in Unbound.
 - https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658#c5
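For contrast with the unauthenticated behaviour described in this thread, an added configuration example (not from the thread or from the Unbound project): the weak forwarder setting beside the form that later Unbound releases accept, where `tls-cert-bundle` plus a `#authname` suffix on `forward-addr` make Unbound verify the upstream certificate chain and name. It assumes an Unbound newer than the 2017 version discussed here, and uses Quad9 as an illustrative upstream.

```conf
# Added example, not part of the original thread. Assumes an Unbound release
# newer than the one discussed in 2017, i.e. one that supports tls-cert-bundle
# and the '#authname' suffix on forward-addr.
server:
    # Trust anchors for upstream TLS certificates. Without a bundle Unbound
    # has nothing to validate against (the situation described in the thread).
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"   # path varies by OS

# Weak: TLS is negotiated, but no name is given to validate against, so any
# certificate (self-signed, stolen, or issued for another host) is accepted.
# forward-zone:
#     name: "."
#     forward-tls-upstream: yes
#     forward-addr: 9.9.9.9@853

# Corrected: the '#dns.quad9.net' suffix names the identity the upstream
# certificate must carry; the chain is checked against the bundle above, so an
# upstream that cannot present a valid certificate for that name is rejected.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net   # Quad9 secondary, illustrative
```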