Hi Willem!

I am not sure either what would be the best approach. Knot’s PIN approach is 
great for private installations, but not for general TLS applications where you 
do not know the other party but want to know a trusted name (confirmed by some 
well known CA). So far I like Bind’s approach most, where the TLS configuration 
is similar to standard webservers where you can use either OS installed 
certificates or provide a list of trusted CA certs manually. Maybe we should 
wait for more XoT deployments and more feedback from admins.

Anyway, IMHO all 3 implementations (Knot, Bind, NSD) lack logging of TLS 
parameters and helpful error messages when TLS handshakes fail.

For example, NSD’s “axfr for … from …. refused tls-auth-xfr-only” as the only 
error log is not very helpful when I try to understand why the connection fails. 
For example, NSD could add some more info if the connection fails, like: Did NSD 
as primary request a client cert from the secondary name server? If yes, did the 
secondary provide a certificate? If yes, what is the host name that was 
searched for in the certificate name? Was it found or not? Why was the client 
certificate not accepted? Or was everything fine with the client certificate, 
but the configured policy forbids the zone transfer?

Thanks
Klaus


--
Klaus Darilion, Head of Operations
nic.at GmbH, Jakob-Haringer-Straße 8/V
5020 Salzburg, Austria

From: nsd-users <nsd-users-boun...@lists.nlnetlabs.nl> On Behalf Of Willem 
Toorop via nsd-users
Sent: Tuesday, March 18, 2025 4:39 PM
To: nsd-users@lists.nlnetlabs.nl
Subject: Re: [nsd-users] Can XoT use self-signed certificates?

On 18-03-2025 at 14:14, Klaus Darilion via nsd-users wrote:
Answering myself (untested yet): It seems that ‘tls-cert-bundle:’ may be the 
solution to manually specify trust anchors. Frankly, this is a ‘server:’ option 
but I would have expected it under the tls-auth: section to be configurable per 
tls-context.

We could modify that of course, but personally I also feel for the pin 
authentication that Knot-dns employs. Would that work for you?

Regards,

-- Willem

Regards
Klaus


From: nsd-users <nsd-users-boun...@lists.nlnetlabs.nl> On Behalf Of Klaus 
Darilion via nsd-users
Sent: Monday, March 17, 2025 2:32 PM
To: nsd-users@lists.nlnetlabs.nl
Subject: [nsd-users] Can XoT use self-signed certificates?

Hi!

I am testing XoT with NSD as secondary.

As far as I see, the OS-installed CA certificates are always used for 
certificate validation. (/etc/ca-certificates.conf in Ubuntu)

Is it possible to use self-signed certificates and manually configure a 
trust anchor (e.g. the ca-file option in many other TLS-capable programs)?

Is it possible to use opportunistic/ephemeral TLS as supported by Bind?

Thanks
Klaus



_______________________________________________
nsd-users mailing list
nsd-users@lists.nlnetlabs.nl
https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
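As an added illustration of the configuration the thread is discussing (this is not part of the mailing-list thread and not NLnet Labs' own documentation), below is a pair of nsd.conf fragments for XoT with a private CA: the secondary validates the primary's certificate against a manually configured trust anchor via the server-wide `tls-cert-bundle:` option, and the primary requires a client certificate from the secondary and refuses plain-TCP transfers with `tls-auth-xfr-only:`. The option names follow nsd.conf(5) as I know it; the client-certificate options in `tls-auth:` are an assumption that applies only to recent NSD releases, and all paths, host names and addresses are placeholders. Verify every option against the nsd.conf(5) shipped with your installed version.

```conf
# Added example, not from the thread. Two separate nsd.conf files are shown,
# one per server; option names are taken from nsd.conf(5) as I read it and
# the client-cert/client-key options are assumed to need a recent NSD release.
# All paths, names and addresses are placeholders.

# ===== nsd.conf on the PRIMARY (ns1.example.net, 192.0.2.1) =====
server:
    # Server certificate and key presented on the TLS listener.
    tls-service-key: "/etc/nsd/tls/ns1.key"
    tls-service-pem: "/etc/nsd/tls/ns1.pem"
    tls-port: 853
    # Trust anchor for validating the peer's certificate. This is a
    # server-wide setting, not per tls-auth context (as noted in the thread).
    # For a private CA, point it at the CA cert; for a self-signed peer
    # cert, point it at that cert itself.
    tls-cert-bundle: "/etc/nsd/tls/private-ca.pem"
    # Refuse AXFR/IXFR that did not authenticate over TLS. A refused
    # transfer is logged as "... refused tls-auth-xfr-only".
    tls-auth-xfr-only: yes

tls-auth:
    name: "secondary-xot"
    # Name expected in the client certificate the secondary presents.
    auth-domain-name: "ns2.example.net"

zone:
    name: "example.net"
    zonefile: "example.net.zone"
    # Only allow transfers to this peer when it authenticates via the
    # "secondary-xot" TLS context (mutual TLS); no TSIG key is used here.
    provide-xfr: 192.0.2.2 NOKEY secondary-xot
    notify: 192.0.2.2 NOKEY

# ===== nsd.conf on the SECONDARY (ns2.example.net, 192.0.2.2) =====
server:
    # Same trust anchor: the primary's certificate chains to this CA.
    tls-cert-bundle: "/etc/nsd/tls/private-ca.pem"

tls-auth:
    name: "primary-xot"
    # Must match a name in the primary's server certificate.
    auth-domain-name: "ns1.example.net"
    # Client certificate presented to the primary (assumed option names).
    client-cert: "/etc/nsd/tls/ns2.pem"
    client-key: "/etc/nsd/tls/ns2.key"

zone:
    name: "example.net"
    zonefile: "example.net.zone"
    allow-notify: 192.0.2.1 NOKEY
    # Pull the zone from the primary's TLS port using the "primary-xot"
    # context; the transfer is rejected if the certificate name does not
    # match auth-domain-name or does not validate against tls-cert-bundle.
    request-xfr: 192.0.2.1@853 NOKEY primary-xot
```

After editing either file, run `nsd-checkconf /etc/nsd/nsd.conf` before reloading; it catches unknown option names, which is the quickest way to find out whether your NSD version supports the client-certificate options used above. Note that because `tls-cert-bundle:` is set under `server:`, every `tls-auth:` context on that server shares the same trust anchors, which is exactly the limitation raised in the thread.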