Note for unbound users with DoT
The TLS certificate of any upstream (forward) DNS resolvers specified for DoT (DNS over TLS) will not be validated unless the TO repo provides
- ca-bundle
and
- OpenSSL 1.1.x
ca-bundle is available in the TO repo since 3.10.5, requires manual installation and unbound setting however
I wouldn’t consider this surprising, really, as the “feature” of validating the other end of TLS is rather new in Unbound (commit from April).