Note for unbound users with DoT
The TLS certificate of any upstream (forward) DNS resolvers specified for DoT (DNS over TLS) will not be validated unless the TO repo provides
- ca-bundle
and
- OpenSSL 1.1.x
ca-bundle is available in the TO repo since 3.10.5; it requires manual installation and an unbound setting, however.
I wouldn’t consider this surprising, really, as the “feature” of validating the other end of TLS is rather new in Unbound (commit from April).
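Added example, not part of the thread: a small check that reads an unbound.conf and reports DoT forwarders whose certificate would not be validated, using Unbound's `tls-cert-bundle`, `forward-tls-upstream` and `forward-addr ...#auth-name` options. The resolver address, auth name and bundle path in the samples are constructed placeholders, and the OpenSSL 1.1.x requirement mentioned above is not checked.

```python
import re

# Constructed sample configs; address, auth name and bundle path are placeholders.
WEAK = """\
server:
    verbosity: 1
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 192.0.2.53@853
"""
OK = """\
server:
    tls-cert-bundle: "/path/to/ca-bundle.crt"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 192.0.2.53@853#resolver.example
"""

def audit_dot(conf_text):
    """Return findings for DoT forward-zones that lack a CA bundle or an auth name."""
    has_bundle, zones, zone = False, [], None
    for raw in conf_text.splitlines():
        # '#' starts a comment only at line start or after whitespace;
        # inside forward-addr it introduces the TLS auth name.
        line = re.sub(r"(^|\s)#.*", "", raw).strip()
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if not value:  # clause header such as "server:" or "forward-zone:"
            zone = {"name": "?", "tls": False, "addrs": []} if key == "forward-zone" else None
            if zone is not None:
                zones.append(zone)
            continue
        value = value.strip('"')
        if key == "tls-cert-bundle":
            has_bundle = bool(value)
        elif zone is not None and key == "name":
            zone["name"] = value
        elif zone is not None and key == "forward-tls-upstream":
            zone["tls"] = value == "yes"
        elif zone is not None and key == "forward-addr":
            zone["addrs"].append(value)
    findings = []
    for z in (z for z in zones if z["tls"]):
        if not has_bundle:
            findings.append(f'{z["name"]}: no tls-cert-bundle set')
        findings += [f'{z["name"]}: {a} has no #auth-name' for a in z["addrs"] if "#" not in a]
    return findings
```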