NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

multi domain same ssl - unbound as a DoT server (issue #601)

Closed DaddyMadu closed 1 year ago

DaddyMadu commented 2 years ago

Dear team, good day. I have 3 domains on the same server, all included in one multi-domain Positive Comodo SSL certificate, and the server has one static IP. The domain-insecure feature is not excluding connections to the main domain, and TLS connects to both domains.

To reproduce:
1. Set up a domain and a subdomain, e.g. www.example.com and dns.example.com.
2. Install a multi-domain SSL certificate covering www.example.com and dns.example.com.
3. Set up an Unbound DoT server with the TLS certificate on port 853.
4. Add the domain-insecure parameter and define www.example.com as insecure.

Expected behavior

When I query DNS over TLS on www.example.com, Unbound still accepts the connection for this domain, as it's already included in the certificate chain. I should only be able to connect to dns.example.com. Or maybe I got it wrong and shouldn't have labeled this as a bug! Please feel free to correct me, thank you!

System:
- Unbound version: 1.13.1
- OS: Ubuntu 21.10
- unbound -V output:

Version 1.13.1

Configure line: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --libexecdir=${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --disable-rpath --with-pidfile=/run/unbound.pid --with-rootkey-file=/var/lib/unbound/root.key --with-libevent --with-libnghttp2 --with-pythonmodule --enable-subnet --enable-dnstap --enable-systemd --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --libdir=/usr/lib
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 1.1.1l  24 Aug 2021
Linked modules: dns64 python subnetcache respip validator iterator

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues

gthess commented 1 year ago

I believe there is some confusion about the insecure-domain configuration option. The "insecure" part refers to DNSSEC, not to the trust of TLS certificates. That means that Unbound treats the www.example.com zone as DNSSEC-insecure. As for the issue you report, I am not exactly certain what you are trying to achieve :).
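To make the distinction concrete, the following is an added Unbound server configuration for the setup the reporter describes. It is example config written for this page, not from the issue or from the Unbound project. The 192.0.2.10 listen address, the key and certificate paths and the zone names are assumptions. domain-insecure only switches off DNSSEC validation for www.example.com; which hostnames a DoT client can connect with is decided purely by the Subject Alternative Names in the certificate handed to tls-service-pem, so a multi-domain certificate that lists www.example.com will keep working for that name.

```conf
server:
    # Plain DNS and DNS-over-TLS listeners. 192.0.2.10 is an assumed
    # documentation address (RFC 5737); substitute the server's static IP.
    interface: 192.0.2.10@53
    interface: 192.0.2.10@853
    tls-port: 853

    # Certificate chain and key used for the 853 listener (assumed paths).
    # Unbound serves this one certificate to every DoT client; it does not
    # select a certificate per SNI name and does not reject names that the
    # certificate covers. To accept only dns.example.com, issue a certificate
    # whose SAN list contains only dns.example.com.
    tls-service-pem: "/etc/unbound/dns.example.com.fullchain.pem"
    tls-service-key: "/etc/unbound/dns.example.com.key"

    # A public DoT resolver has to answer anyone; narrow these ranges if the
    # resolver is meant for a known client population only.
    access-control: 0.0.0.0/0 allow
    access-control: ::/0 allow

    # DNSSEC: validate against the root trust anchor ...
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # ... but treat www.example.com as DNSSEC-insecure. This affects only
    # validation of answers for that zone and has no effect on TLS.
    domain-insecure: "www.example.com"
```

Run `unbound-checkconf` on the file before restarting, then look at what the listener actually presents with `openssl s_client -connect 192.0.2.10:853 -servername www.example.com </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName`. If www.example.com is in the SAN list printed there, DoT clients will connect using that name no matter what domain-insecure says; only the certificate (or a separate listening IP with its own certificate) controls that.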

gthess commented 1 year ago

Closing this as inactive non-issue.