Hi Phil,

On 31-10-17 22:00, Phil Pennock via Unbound-users wrote:
> Is 3 correct? No hostname or other identifier validation at all, so a
> stolen cert from elsewhere issued by a trusted CA can then impersonate
> DNS? Anyone know if there are any moves to, eg, look for an IP address
> in the SAN field?
When using unbound as a DNS-over-TLS client (as forwarder), no certificate validation is happening. So stealing (or requesting) a cert signed by a "well-known" CA is not necessary; any cert will do. Also see the discussion on Unbound bug #658 [0] for the current TLS authentication status in Unbound.

-- 
Ralph

[0] - https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658#c5
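As an added illustration (not part of either message above, and not Unbound's own documentation), here is the forwarder setup the thread is talking about, with the unauthenticated form beside the form that later Unbound releases accept for pinning the upstream's name. The upstream address, the `#authname` suffix, the CA bundle path and the `tls-cert-bundle` option are assumptions for this example; the thread itself only states that no validation is performed.

```yaml
server:
    # Added example, not from the thread. The bundle path is a constructed
    # value; adjust for your system.
    #
    # Used only by the hardened variant below: the CA bundle the upstream's
    # certificate is verified against. Assumed to be available in the Unbound
    # release in use (newer than this thread). Without a bundle there is
    # nothing to verify against, so the forwarder cannot reject any cert.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    # TLS to the upstream, as in the thread (later releases spell this
    # forward-tls-upstream; the old name is still accepted).
    forward-ssl-upstream: yes

    # Weak form, the situation the thread describes: TLS is negotiated, but
    # the peer's certificate is not checked, so any certificate (self-signed,
    # stolen, or issued to an unrelated name) completes the handshake and an
    # on-path attacker can answer queries.
    forward-addr: 192.0.2.1@853

    # Hardened form (assumed later-release syntax, commented out here): the
    # name after '#' is the name the certificate must carry, and the chain
    # must validate against tls-cert-bundle. A certificate for any other
    # name, or from an untrusted CA, makes the forwarder refuse the upstream.
    # forward-addr: 192.0.2.1@853#dns.example.net
```

To check which of the two you are actually running, point the forwarder at an upstream that presents a self-signed certificate: if queries still resolve, the forwarder is in the weak configuration and is not authenticating its upstream at all.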
