klutchell / unbound-docker

unofficial unbound multiarch docker image

Add CA certificates bundle for DNS-over-TLS

kien-truong opened this issue · comments

The new Docker images no longer contain ca-certificates-bundle, so DNS-over-TLS cannot be used without the user manually supplying one.

IMHO, this is a regression, compared to the older Docker images and should be fixed.

Can you see if klutchell/unbound:pr-74 works for you?

Thanks, I tried that image and the certificates are included correctly.
However, you should probably also set the default configuration so that the user doesn't have to do it.

server:
  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

Given that not everyone will use this, probably best to customize configuration in a separate conf file if needed, IMHO...

@churchofnoise I don't think providing this path in the default configuration enables any features on its own; it's just handy to have the path to the certificates already set if someone enables DNS-over-TLS, since they wouldn't otherwise know where to find the certs.

tls-cert-bundle: <file>
    If null or "", no file is used. Set it to the certificate bundle file, for example "/etc/pki/tls/certs/ca-bundle.crt". These certificates are used for authenticating connections made to outside peers. For example auth-zone urls, and also DNS over TLS connections. It is read at start up before permission drop and chroot.
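To show why the bundle path matters once DNS-over-TLS is turned on, here is an added example checker, written for this thread rather than taken from the unbound-docker repository or from unbound itself. It parses the clause/key layout of unbound.conf and flags a forward-zone that sets forward-tls-upstream without any CA source in server: (tls-cert-bundle or tls-system-cert), plus any forward-addr without a #authname suffix. The two embedded configs are constructed samples; the first reproduces the image state this issue describes, the second applies the path from the thread and names every upstream.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: TLS forwarding with no CA bundle in server:, which is
# the situation this issue describes for the rebuilt image.
MISSING_BUNDLE_CONF = """\
server:
  interface: 0.0.0.0
  # no tls-cert-bundle here

forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 9.9.9.9@853
"""

# Constructed sample: same zone with the bundle path from this thread and an
# authentication name on every upstream.
FIXED_CONF = """\
server:
  interface: 0.0.0.0
  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 9.9.9.9@853#dns.quad9.net
"""

# A '#' opens a comment only at line start or after whitespace, so the
# '#authname' suffix of a forward-addr value is kept intact.
_COMMENT = re.compile(r"(^|\s)#.*$")


def parse_unbound_conf(text: str) -> Dict[str, List[Dict[str, List[str]]]]:
    """Parse the 'clause:' / '  key: value' layout of unbound.conf.

    Returns {clause: [ {key: [values, ...]}, ... ]}: one dict per clause
    occurrence (forward-zone may appear several times) and a list per key
    (forward-addr repeats inside one zone).
    """
    clauses: Dict[str, List[Dict[str, List[str]]]] = {}
    current: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = _COMMENT.sub("", raw).rstrip()
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = {}
            clauses.setdefault(line[:-1].strip(), []).append(current)
            continue
        key, _, value = line.strip().partition(":")
        current.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return clauses


def check_dot_config(text: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings for DoT forwarding that cannot
    authenticate its upstream resolver."""
    conf = parse_unbound_conf(text)
    # Merge every server: clause; the last value of a key wins, as in unbound.
    server: Dict[str, List[str]] = {}
    for clause in conf.get("server", []):
        for key, values in clause.items():
            server.setdefault(key, []).extend(values)
    bundle = server.get("tls-cert-bundle", [""])[-1]
    system_cert = server.get("tls-system-cert", ["no"])[-1].lower() == "yes"

    tls_zones = [z for z in conf.get("forward-zone", [])
                 if z.get("forward-tls-upstream", ["no"])[-1].lower() == "yes"]
    findings: List[Tuple[str, str]] = []
    if tls_zones and not bundle and not system_cert:
        findings.append(("NO_CA_BUNDLE",
                         "forward-tls-upstream is enabled but neither tls-cert-bundle "
                         "nor tls-system-cert is set; upstream certificates cannot be "
                         "verified against any CA"))
    for zone in tls_zones:
        zone_name = zone.get("name", ["?"])[-1]
        for addr in zone.get("forward-addr", []):
            if "#" not in addr:
                findings.append(("NO_AUTH_NAME",
                                 f"forward-addr {addr} in zone {zone_name} has no "
                                 "#authname, so the upstream certificate is not "
                                 "checked against a server name"))
    return findings


if __name__ == "__main__":
    for label, conf in (("missing bundle", MISSING_BUNDLE_CONF), ("fixed", FIXED_CONF)):
        print(label, "->", check_dot_config(conf) or "OK")
```

Setting tls-cert-bundle alone changes nothing for a resolver that never opens TLS connections, which is why the checker only reports when a forward-zone actually enables forward-tls-upstream; the bundle becomes the trust anchor only at that point, and the #authname is what ties the verified certificate to the resolver you meant to reach.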

@kien-truong thanks for the suggestion, I'll add this change to the PR and a new build of klutchell/unbound:pr-74 should be available for testing shortly.