Answering myself (untested yet): It seems that 'tls-cert-bundle:' may be
the solution to manually specify trust anchors. Frankly, this is a
'server:' option but I would have expected it under the tls-auth:
section to be configurable per tls-context.
Regards
Klaus
From: nsd-users <nsd-users-bounces at lists.nlnetlabs.nl> On Behalf Of
Klaus Darilion via nsd-users
Sent: Monday, March 17, 2025 2:32 PM
To: nsd-users at lists.nlnetlabs.nl
Subject: [nsd-users] Can XoT use self-signed certificates?
Hi!
I am testing XoT with NSD as secondary.
As far as I see, for certificate validation always the OS installed CA
certificates are used. (/etc/ca-certificates.conf in Ubuntu)
Is it possible to use self-signed certificates and manually configure a
trust-anchor (e.g. ca-file option in many other TLS supported software)?
Is it possible to use opportunistic/ephemeral TLS as supported by Bind?
Thanks
Klaus
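
An nsd.conf sketch of the setup the reply above proposes, added here as an illustration and not part of the original thread or NSD's own documentation. The file path, tls-auth name, host name, zone name and address are placeholders, and like the reply itself this layout is untested.

```conf
# Secondary side: trust a manually chosen anchor for XoT.
# All names, paths and addresses below are placeholders.

server:
    # PEM file with the certificate(s) to trust when NSD connects out.
    # For a self-signed primary this would hold that certificate itself.
    # This is a server: option, so it applies to every tls-auth context.
    tls-cert-bundle: "/etc/nsd/xot-trust-anchor.pem"

tls-auth:
    # Label referenced from request-xfr below.
    name: "xot-primary"
    # Name the primary's certificate is expected to present.
    auth-domain-name: "primary.example.net"

zone:
    name: "example.com"
    # Transfer over TLS (port 853) without TSIG, using the tls-auth above.
    request-xfr: 192.0.2.1@853 NOKEY xot-primary
```

With the bundle set, the system CA store is no longer what validation relies on, so every primary reached over XoT needs its issuer (or its self-signed certificate) in that one file.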