Folks,

Configuring DNS-over-TLS to be offered to clients was easy with Unbound; I'm running with ECC TLS from my private CA, and https://github.com/bortzmeyer/monitor-dns-over-tls lets me confirm that the service is working, with a monitoring plugin no less!

Skimming RFC 7858, it appears that:

(1) port 853 is mandated for an opportunistic discovery mode, where clients just try it and see if it works, without any signalling;

(2) pinning is supposed to be available, but there's no wire-protocol way of signalling pins, whether via DHCP or anything else;

(3) certificate verification is _entirely_ chain verification, no identity verification.

Is (3) correct? No hostname or other identifier validation at all, so a stolen cert from elsewhere issued by a trusted CA can then impersonate DNS? Anyone know if there are any moves to, e.g., look for an IP address in the SAN field? Any signalling of pins by some means?

Thanks,
-Phil
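The following is an added example, not part of the original post and not code from Unbound or the monitoring plugin linked above. It shows the client-side pieces a strict-authentication DNS-over-TLS check needs: the RFC 7858 section 3.3 two-octet length framing (with tolerance for short reads and pipelined responses), a minimal query builder, and a connection helper that requires the resolver's IP address to appear in the certificate's subjectAltName by handing the IP to Python's ssl module as server_hostname (Python 3.7 or later is assumed). The resolver IP, CA file path and pin value are placeholders; the optional pin is a simplification that hashes the whole DER certificate rather than the SubjectPublicKeyInfo, so it is not an RFC 7469-style SPKI pin.

```python
"""Added example: strict-authentication DNS-over-TLS client pieces.
Only dot_query() touches the network; everything else runs offline."""
import hashlib
import io
import socket
import ssl
import struct
from typing import List, Optional


def frame(message: bytes) -> bytes:
    """RFC 7858 s3.3: prefix each DNS message with its length as a 16-bit
    big-endian integer, exactly as DNS over TCP does (RFC 1035 s4.2.2)."""
    if len(message) > 0xFFFF:
        raise ValueError("DNS message too large for a 16-bit length prefix")
    return struct.pack("!H", len(message)) + message


def _read_exactly(stream, n: int) -> bytes:
    """Read exactly n bytes; TLS records rarely align with message boundaries."""
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            raise ConnectionError("stream closed mid-message")
        buf += chunk
    return buf


def read_framed(stream) -> bytes:
    """Read one length-prefixed DNS message from a file-like byte stream."""
    (length,) = struct.unpack("!H", _read_exactly(stream, 2))
    return _read_exactly(stream, length)


def split_messages(data: bytes) -> List[bytes]:
    """Split a byte buffer of pipelined, framed responses into messages.
    Raises ConnectionError if the buffer ends in the middle of a message."""
    stream = io.BytesIO(data)
    messages = []
    while stream.tell() < len(data):
        messages.append(read_framed(stream))
    return messages


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def build_strict_context(cafile: str) -> ssl.SSLContext:
    """Chain verification against the given CA plus mandatory identity check."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True  # refuse a valid chain whose SAN does not match
    return ctx


def dot_query(resolver_ip: str, qname: str, cafile: str,
              cert_sha256: Optional[str] = None,
              port: int = 853, timeout: float = 5.0) -> bytes:
    """Send one query over TLS on port 853 and return the raw DNS response.
    resolver_ip, cafile and cert_sha256 are caller-supplied placeholders."""
    ctx = build_strict_context(cafile)
    with socket.create_connection((resolver_ip, port), timeout=timeout) as raw:
        # Passing the IP as server_hostname makes OpenSSL require a matching
        # iPAddress entry in subjectAltName (no SNI is sent for an IP literal).
        with ctx.wrap_socket(raw, server_hostname=resolver_ip) as tls:
            if cert_sha256 is not None:
                # Simplified pin: SHA-256 over the whole DER certificate.
                der = tls.getpeercert(binary_form=True)
                if hashlib.sha256(der).hexdigest() != cert_sha256.lower():
                    raise ssl.SSLError("certificate pin mismatch")
            tls.sendall(frame(build_query(qname)))
            return read_framed(tls.makefile("rb"))


if __name__ == "__main__":
    # Offline demonstration of the framing; replace the placeholders and call
    # dot_query("192.0.2.53", "example.com", "/path/to/ca.pem") to go live.
    q = build_query("example.com")
    print(len(q), "byte query ->", len(frame(q)), "bytes on the wire")
```

A resolver whose certificate chains to the trusted CA but carries no iPAddress SAN for the address being contacted fails the handshake under this context, which is the distinction between chain-only verification and the identity check the post asks about.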
