Another thing: it seems that mutual TLS with NSD as primary requires
tls-cert-bundle to be set explicitly. I.e. my secondary has a public certificate
from lets encrypt, and I would expect that the default tls-cert-bundle should
work. But it does not. I get the misleading error (debug log level):
nsd[2588241]: client cert does not match my-tls xot-test-secondary.ops.nic.at
nsd[2588241]: axfr for test.klaus. from 193.46.106.61 refused, no acl matches
But after explicitly setting the tls-cert-bundle to the LE root CA it suddenly
worked:
tls-cert-bundle: /etc/ssl/certs/ISRG_Root_X1.pem
nsd[2600852]: my-tls xot-test-secondary.ops.nic.at verified
nsd[2600852]: axfr for test.klaus. from 193.46.106.61 tls-auth
xot-test-secondary.ops.nic.at
So, the above error was wrong and should be something like "failed to verify
certificate issuer".
Further, why is it necessary to explicitly set the tls-cert-bundle? I guess
there is a reason, as Bind9 also requires manually setting the ca-file for mutual
TLS and client verification. I just don't understand why. Further, it complicates
life. If my Secondary-DNS provider has a certificate from a well known CA, and
the hostname verification succeeds, I want to accept the client cert, regardless
of whether the certificate was issued by Lets Encrypt, Sectigo or Comodo.
Thanks
Klaus
--
Klaus Darilion, Head of Operations
nic.at GmbH, Jakob-Haringer-Straße 8/V
5020 Salzburg, Austria
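The check a XoT primary has to perform on the secondary's client certificate, as an added Go example (not NSD's or Bind9's code): the certificate must chain to a root in the configured bundle (NSD's tls-cert-bundle) and carry the expected auth-domain-name in its SANs. VerifyClientCert and DemoCerts are names chosen here; DemoCerts builds a constructed throw-away CA and client certificate so the example runs offline, standing in for a public CA and the secondary's real certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// VerifyClientCert does what a XoT primary has to do with a secondary's client
// certificate: chain it to a root in the configured bundle (NSD's tls-cert-bundle)
// and require the expected auth-domain-name among its SANs. A non-nil but empty
// bundle fails with an unknown-authority error, because no issuer can be found.
func VerifyClientCert(leaf *x509.Certificate, bundle *x509.CertPool, authDomainName string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     bundle,
		DNSName:   authDomainName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// DemoCerts builds a constructed, throw-away root CA plus a client certificate
// for name signed by it (standing in for a public CA and the secondary's cert).
func DemoCerts(name string) (root, leaf *x509.Certificate) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	root, _ = x509.ParseCertificate(caDER)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: name},
		DNSNames:     []string{name}, // the hostname check matches SANs, not the CN
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	return root, leaf
}
```

With an empty pool the call fails the same way the primary does when the bundle lacks the issuer; adding the root makes it pass, and a wrong auth-domain-name still fails even with a trusted issuer.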
From: nsd-users <nsd-users-bounces at lists.nlnetlabs.nl> On Behalf Of
Willem Toorop via nsd-users
Sent: Tuesday, March 18, 2025 4:39 PM
To: nsd-users at lists.nlnetlabs.nl
Subject: Re: [nsd-users] Can XoT use self-signed certificates?
On 18-03-2025 at 14:14, Klaus Darilion via nsd-users wrote:
Answering myself (untested yet): It seems that "tls-cert-bundle:" may be the
solution to manually specify trust anchors. Frankly, this is a "server:" option
but I would have expected it under the tls-auth: section to be configurable per
tls-context.
We could modify that of course, but personally I also feel for the pin
authentication that Knot-dns employs. Would that work for you?
Regards,
-- Willem
Regards
Klaus
From: nsd-users <nsd-users-bounces at lists.nlnetlabs.nl> On Behalf Of
Klaus Darilion via nsd-users
Sent: Monday, March 17, 2025 2:32 PM
To: nsd-users at lists.nlnetlabs.nl
Subject: [nsd-users] Can XoT use self-signed certificates?
Hi!
I am testing XoT with NSD as secondary.
As far as I see, the OS-installed CA certificates are always used for
certificate validation. (/etc/ca-certificates.conf in Ubuntu)
Is it possible to use self-signed certificates and manually configure a
trust anchor (e.g. the ca-file option in much other TLS-supporting software)?
Is it possible to use opportunistic/ephemeral TLS as supported by Bind?
Thanks
Klaus
_______________________________________________
nsd-users mailing list
nsd-users at lists.nlnetlabs.nl
https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users