On Wed, 13 Nov 2013, Andreas Schulze wrote:
nsd and unbound can be controlled using nsd-control and unbound-control.
SSL is used to ensure privacy and authentication. Although those connections
are commonly used at localhost only, they are usable over public networks by
design.
But the server allows weak ciphers. Users have no option to control these
settings.
I suggest enhancing the code to use a fixed cipher and protocol by default
and optionally making these settings configurable.
Also DH key exchange would be nice (PFS,
http://de.wikipedia.org/wiki/Perfect_Forward_Secrecy)
Actually, I suggest we adopt the patch that floated around last year to
allow people to use a pipe when running on localhost, which would be
much simpler than the entire TLS overhead. Keep the TLS for people
who wish to remote control their unbound instances, but I don't think
those are many. Whereas everyone with unbound-control/dnssec-trigger
setups now has to go through the overhead/complexity of TLS.
Paul
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
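As an added illustration of the fixed-protocol, forward-secret control channel Andreas asks for (example code, not from unbound, nsd or this thread): a Go crypto/tls server policy that pins TLS 1.2 and a single ECDHE suite, exercised against clients over an in-memory pipe. The throwaway certificate and the `control` server name are constructed for the demo, and the daemons themselves use OpenSSL, so this shows the policy rather than their code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// SelfSignedCert builds a throwaway ECDSA certificate for this in-process demo only.
func SelfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{"control"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client trusts exactly this server certificate
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}
// HardenedServerConfig pins TLS 1.2 and one ECDHE suite; a peer offering only static-RSA key exchange (no PFS) shares no suite and is refused.
func HardenedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12, // 1.2 only, so the explicit suite list governs
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}}
}
// NegotiatedSuite handshakes server and client over an in-memory pipe and returns the agreed suite name or the handshake error.
func NegotiatedSuite(srv, cli *tls.Config) (string, error) {
	a, b := net.Pipe()
	defer b.Close() // closing the client end also unblocks the server goroutine
	go tls.Server(a, srv).Handshake() // server side; a failure surfaces as a client error
	c := tls.Client(b, cli)
	if err := c.Handshake(); err != nil {
		return "", err
	}
	return tls.CipherSuiteName(c.ConnectionState().CipherSuite), nil
}
```

A default client negotiates the pinned ECDHE suite, while a client restricted to a static-RSA suite cannot complete the handshake at all, which is the behaviour a fixed cipher setting buys over a permissive default.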