aiortc / aioquic

QUIC and HTTP/3 implementation in Python


Specifying cafile loads the CA file in addition to certifi and not instead of certifi

rthalley opened this issue · comments

In dnspython issue 1061 we were surprised that passing a cafile for the TLS configuration loads the CA in addition to the certifi set instead of replacing it. My impression is that other TLS software I've used replaces.

Do you think this is a bug?

I honestly don't know, I'd be inclined to align with whatever other packages are doing. Could you cite some examples to get a feel for how various packages behave?

I tested TLS behavior with httpx and Python's native TLS via dnspython's dns.query.https() and dns.query.tls() methods, and they both raise certificate validation failures if I specify a cafile that has just a local CA root. So, at least for OpenSSL, which these will both be using, the behavior is replace, not augment.

I would absolutely also say +1 for replacing, not augmenting, when a custom CA path is specified. It would match every implementation I've come across. This could also be fixed with a new option to disable loading the system CAs.

But usually it is left up to the system administrator to maintain a combined CA store (system CAs + custom CA) if one is needed.
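The two trust-store policies discussed above, as an added illustration using Python's standard `ssl` module (this is not aioquic's code and makes no claim about how the fix was implemented): `build_verify_context` applies the replace-not-augment rule the commenters describe, `build_augmenting_context` reproduces the reported behavior, and `trusted_ca_count` is a check a deployer can run to confirm which anchors a context actually trusts. The empty temporary directory used as a private CA path is a constructed stand-in; real deployments would point `cafile`/`capath` at their own root.

```python
import ssl
import tempfile


def build_verify_context(cafile=None, capath=None):
    """Replace-not-augment semantics, as OpenSSL-based clients behave.

    A caller-supplied CA file or directory becomes the only trust anchor set;
    the system roots are loaded only when the caller names nothing.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile or capath:
        # The store starts empty, so only the caller's CA(s) are trusted.
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def build_augmenting_context(cafile=None, capath=None):
    """The behavior the issue reports: custom CA added on top of default roots."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    ctx.load_verify_locations(cafile=cafile, capath=capath)
    return ctx


def trusted_ca_count(ctx):
    """Number of CA certificates currently loaded into the context's store."""
    return ctx.cert_store_stats()["x509_ca"]


def compare_trust_stores(capath=None):
    """Loaded-CA counts under both policies for the same private CA path.

    An empty temporary directory stands in for a private capath (constructed
    input): it contributes no certificates, so any CA counted for the
    replace policy would have come from the system roots.
    """
    if capath is None:
        capath = tempfile.mkdtemp()
    return {
        "default": trusted_ca_count(build_verify_context()),
        "replace": trusted_ca_count(build_verify_context(capath=capath)),
        "augment": trusted_ca_count(build_augmenting_context(capath=capath)),
    }


if __name__ == "__main__":
    print(compare_trust_stores())
```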

Fixed, thanks!