Unbound 1.7.3 - no TLS certificate validation for upstream (forward) DNS resolvers

Note for unbound users with DoT

The TLS certificate of any upstream (forward) DNS resolvers specified for DoT (DNS over TLS) will not be validated unless the TO repo provides

  1. ca-bundle
  2. OpenSSL 1.1.x

ca-bundle is available in the TO repo since 3.10.5; it requires manual installation and an unbound setting, however.
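As an added example (not code from the original post, from Unbound or from the TO project), here is a small audit that a practitioner can run over an unbound.conf to see whether a DoT forward would accept any certificate. It assumes the Unbound option names introduced in the 1.7.x series: `tls-cert-bundle` in the `server:` clause, `forward-tls-upstream: yes` in the `forward-zone:` clause (older alias `forward-ssl-upstream`), and an auth name appended to the address as `forward-addr: IP@853#hostname`. The CA path `/etc/ssl/certs/ca-certificates.crt` is an assumption for an OpenWrt-style ca-bundle package; the three embedded configs are constructed samples.

```shell
#!/bin/sh
# Added example for this thread, not code from Unbound or the TO project.
# Audits an unbound.conf for DNS-over-TLS forwards whose upstream certificate
# would be accepted unchecked. Assumed option names (Unbound 1.7.x):
#   server:       tls-cert-bundle: "<CA file>"      (needs the ca-bundle package)
#   forward-zone: forward-tls-upstream: yes          (older alias: forward-ssl-upstream)
#   forward-zone: forward-addr: IP@853#authname      (auth name after the '#')
# The CA path used below is an assumption for an OpenWrt-style ca-bundle.

# audit_dot_config FILE: print one line per finding; exit 0 when there are none.
audit_dot_config() {
  awk '
    # Per-zone state is buffered and judged in END, because tls-cert-bundle or
    # tls-upstream may legitimately appear after the forward-zone clause.
    function flush(   i) {
      for (i = 1; i <= n; i++) { m++; zone_of[m] = zone; addr_of[m] = addrs[i]; tls_of[m] = tls }
      n = 0; tls = 0; zone = ""
    }
    { sub(/^#.*$/, ""); sub(/[ \t]#.*$/, "") }   # strip comments; a "#" glued to a token is an auth name
    /^[ \t]*$/ { next }
    /^[ \t]*[a-z-]+:[ \t]*$/ { flush(); clause = $1; sub(/:$/, "", clause); next }   # clause header
    { key = $1; sub(/:$/, "", key); val = $2; gsub(/"/, "", val) }
    clause == "server" && key == "tls-cert-bundle" && val != "" { bundle = 1 }
    clause == "server" && (key == "tls-upstream" || key == "ssl-upstream") && val == "yes" { gtls = 1 }
    clause == "forward-zone" && key == "name" { zone = val }
    clause == "forward-zone" && (key == "forward-tls-upstream" || key == "forward-ssl-upstream") && val == "yes" { tls = 1 }
    clause == "forward-zone" && key == "forward-addr" { addrs[++n] = val }
    END {
      flush()
      for (i = 1; i <= m; i++) {
        a = addr_of[i]
        if (!(tls_of[i] || gtls)) {
          if (a ~ /@853/) { printf("%s: %s uses port 853 but TLS is not enabled for the zone\n", zone_of[i], a); bad++ }
          continue
        }
        ntls++
        if (a !~ /#[^ \t]+$/) { printf("%s: %s has no #authname, the upstream certificate is not checked\n", zone_of[i], a); bad++ }
      }
      if (ntls && !bundle) { print "server: tls-cert-bundle is not set, so no CA can vouch for any auth name"; bad++ }
      exit (bad ? 1 : 0)
    }
  ' "$1"
}

# audit_conf_string STRING: same check on a config held in a shell variable.
audit_conf_string() {
  f=$(mktemp) || return 2
  printf '%s\n' "$1" > "$f"
  rc=0
  audit_dot_config "$f" || rc=$?
  rm -f "$f"
  return $rc
}

# count_findings STRING: number of finding lines (0 when the config is clean).
count_findings() { audit_conf_string "$1" | wc -l | tr -d ' \t'; }

# Constructed sample 1: the setup the post warns about. TLS is on, but no auth
# name and no CA bundle, so any certificate is accepted.
UNVALIDATED_CONF='server:
    interface: 127.0.0.1
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853
    forward-addr: 1.0.0.1@853
'
# Constructed sample 2: auth names present, but ca-bundle not installed/configured.
NO_BUNDLE_CONF='server:
    interface: 127.0.0.1
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
'
# Constructed sample 3: corrected. The bundle path is an assumed ca-bundle location.
VALIDATED_CONF='server:
    interface: 127.0.0.1
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
'

for name in UNVALIDATED_CONF NO_BUNDLE_CONF VALIDATED_CONF; do
  eval "conf=\$$name"
  echo "== $name =="
  if audit_conf_string "$conf"; then echo "OK: every DoT forward is authenticated"; fi
done
```

Run `audit_dot_config /etc/unbound/unbound.conf` (or wherever your unbound.conf lives) after enabling DoT. `unbound-checkconf` only validates syntax and will happily accept a forward with no auth name, which is why a separate check is useful. The audit reads the configuration text only: it cannot tell you whether the file named in `tls-cert-bundle` actually exists or whether the installed OpenSSL is new enough, which the post lists as the other prerequisite.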

I wouldn’t consider this surprising, really, as the “feature” of validating the other end of TLS is rather new in Unbound (commit from April).