On 2024 Jan 31 (Wed) at 17:14:22 +0000 (+0000), Bruno Blanes via Unbound-users wrote:
:Has anyone been able to use DoT upstream with a LetsEncrypt certificate? I know they don't issue certificates on bare IP addresses and therefore the upstream server may not be able to verify Unbound's signature based only on the domain name.
:
:Do I need a certificate for Unbound's IP address for DoT to work? If so, is there a free CA that emits those?
I am doing DoT with a hostname, but sadly no bare IPs in the certificate. I just got a regular certificate using ACME, saved it to a spot unbound can read and just send a reload when it changes.

RIPE NCC did try to deploy Discovery of Designated Resolvers (RFC9462), which depends on bare IPs in the cert, at the RIPE 87 meeting in December 2023, but found that LE does not support bare IPs.

For more details: https://ripe87.ripe.net/archives/video/1267/
Starting at Page 15 of the slides
Starting at 9:00 of the video

-- 
What I've done, of course, is total garbage.
-- R. Willard, Pure Math 430a
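The "save it where unbound can read it and reload" step from the reply above, written out as an added example (not code from the thread or from the Unbound project): a certbot deploy hook that installs the renewed chain and key with tight permissions and reloads Unbound. The paths, the `unbound` user name and the matching unbound.conf lines in the comments are assumptions to adjust for your system.

```shell
#!/bin/sh
# Added example: certbot deploy hook for an Unbound DoT listener.
# Assumed matching lines in the server: section of unbound.conf:
#   interface: 0.0.0.0@853
#   tls-port: 853
#   tls-service-key: "/etc/unbound/tls/privkey.pem"
#   tls-service-pem: "/etc/unbound/tls/fullchain.pem"
# A hostname-only certificate is enough for this; only DDR (RFC 9462)
# verification against the resolver IP would need an IP SAN.
set -eu

UNBOUND_TLS_DIR="${UNBOUND_TLS_DIR:-/etc/unbound/tls}"   # assumed path
UNBOUND_USER="${UNBOUND_USER:-unbound}"                   # assumed user

# install_cert <lineage-dir> <dest-dir>
# Copies fullchain.pem and privkey.pem into dest-dir, writing to temp
# names and renaming so Unbound never reloads a half-written key.
# Returns 1 if the lineage is missing either file.
install_cert() {
    lineage="$1"; dest="$2"
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || return 1
    mkdir -p "$dest"
    chmod 750 "$dest"
    cp "$lineage/fullchain.pem" "$dest/fullchain.pem.tmp"
    cp "$lineage/privkey.pem" "$dest/privkey.pem.tmp"
    chmod 644 "$dest/fullchain.pem.tmp"   # chain is public
    chmod 640 "$dest/privkey.pem.tmp"     # key readable by group only
    mv "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
    mv "$dest/privkey.pem.tmp" "$dest/privkey.pem"
    return 0
}

# reload_unbound: validate the config first so a bad reload cannot take
# the resolver down, then ask the running daemon to re-read cert and key.
reload_unbound() {
    unbound-checkconf >/dev/null && unbound-control reload
}

# certbot exports RENEWED_LINEAGE when it runs a deploy hook; when the
# script is sourced or run by hand without it, nothing happens.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_cert "$RENEWED_LINEAGE" "$UNBOUND_TLS_DIR"
    chown -R root:"$UNBOUND_USER" "$UNBOUND_TLS_DIR"
    reload_unbound
fi
```

Install it with `certbot ... --deploy-hook /path/to/this-script` (or drop it into certbot's renewal-hooks/deploy directory) so every renewal lands in the Unbound directory and triggers a reload.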