Add CA certificates bundle for DNS-over-TLS
kien-truong opened this issue · 4 comments
The new Docker images no longer contain ca-certificates-bundle, so DNS-over-TLS cannot be used without the user manually supplying one.
IMHO, this is a regression compared to the older Docker images and should be fixed.
Can you see if klutchell/unbound:pr-74 works for you?
Thanks, I tried that image and the certificates are included correctly.
However, you should probably also set the default configuration so that the user doesn't have to do it:

```
server:
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
```
Given that not everyone will use this, probably best to customize configuration in a separate conf file if needed, IMHO...
@churchofnoise I don't think providing this path in the default configuration enables any features on its own, it's just handy to have the path to the certificates already set if someone enables DNS-over-TLS since they wouldn't otherwise know where to find the certs.

From the unbound.conf man page:

```
tls-cert-bundle: <file>
    If null or "", no file is used. Set it to the certificate bundle
    file, for example "/etc/pki/tls/certs/ca-bundle.crt". These
    certificates are used for authenticating connections made to
    outside peers. For example auth-zone urls, and also DNS over
    TLS connections. It is read at start up before permission drop
    and chroot.
```
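A preflight check for the situation this issue describes, added here as an example and not part of the thread or the klutchell/unbound project: it reads the `tls-cert-bundle` path out of an unbound config file and fails if the bundle is unset, missing, empty, or contains no PEM certificates, so a container that silently lost its CA bundle is caught before unbound starts forwarding over TLS. The function name and the config path argument are assumptions.

```shell
#!/bin/sh
# check_tls_bundle CONFIG: verify that the tls-cert-bundle named in an
# unbound config file exists and holds at least one PEM certificate.
# Returns 0 when the bundle is usable, 1 when DNS-over-TLS would run
# without a trust store, 2 when the config itself cannot be read.
check_tls_bundle() {
    conf="$1"
    [ -r "$conf" ] || { echo "config not readable: $conf" >&2; return 2; }

    # Last uncommented tls-cert-bundle line wins; strip surrounding quotes.
    # Lines starting with '#' do not match the anchored pattern.
    bundle=$(sed -n 's/^[[:space:]]*tls-cert-bundle:[[:space:]]*//p' "$conf" \
             | tail -n 1 | tr -d '"')

    if [ -z "$bundle" ]; then
        echo "tls-cert-bundle not set: upstream TLS peers cannot be verified" >&2
        return 1
    fi
    if [ ! -s "$bundle" ]; then
        echo "tls-cert-bundle is missing or empty: $bundle" >&2
        return 1
    fi
    if ! grep -q 'BEGIN CERTIFICATE' "$bundle"; then
        echo "no PEM certificates found in: $bundle" >&2
        return 1
    fi
    echo "ok: $(grep -c 'BEGIN CERTIFICATE' "$bundle") certificate(s) in $bundle"
    return 0
}
```

Run it as an entrypoint step (`check_tls_bundle /etc/unbound/unbound.conf || exit 1`) so an image built without ca-certificates fails loudly instead of failing TLS validation at query time.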
@kien-truong thanks for the suggestion, I'll add this change to the PR and a new build of klutchell/unbound:pr-74 should be available for testing shortly.