[Pdns-users] Recursor forwarder DoT configuration
Brian Candler
b.candler at pobox.com
Fri Sep 8 14:59:59 UTC 2023
On 08/09/2023 15:50, Christoph via Pdns-users wrote:
> - does it validate the server certificate? how do I configure the name
> when performing certificate verification?
Not answering your questions about PDNS recursor specifically, but I'll
just point out that 1.1.1.1:853 and 1.0.0.1:853 both have valid signed
certificates with IP SANs, so certificate validation can be performed
with IP address only.
$ openssl s_client -connect 1.1.1.1:853
...
Verify return code: 0 (ok)
Decoding the certificate with openssl x509 -noout -text:
X509v3 Subject Alternative Name:
    DNS:cloudflare-dns.com, DNS:*.cloudflare-dns.com, DNS:one.one.one.one,
    IP Address:1.0.0.1, IP Address:1.1.1.1, IP Address:162.159.36.1,
    IP Address:162.159.46.1, IP Address:2606:4700:4700:0:0:0:0:1001,
    IP Address:2606:4700:4700:0:0:0:0:1111, IP Address:2606:4700:4700:0:0:0:0:64,
    IP Address:2606:4700:4700:0:0:0:0:6400
...
For the same reason, using https://1.1.1.1/ in your browser also works.
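The point Brian makes, that a certificate carrying IP Address SANs can be verified against a bare IP, comes down to how a TLS client matches its "reference identity" against the SAN set. The following is an added illustration, not code from the post or from PowerDNS: it takes the SAN entries printed above as constructed input and applies a simplified version of the RFC 6125 / RFC 9525 matching rules that OpenSSL implements (IP reference identities are compared only with IP Address SANs, after canonicalisation; DNS names only with DNS SANs; a wildcard may stand in for the whole left-most label only). The function names and the `(kind, value)` tuple layout are this example's own assumptions. In a real client you would leave this to the TLS library (in Python, `ssl.create_default_context()` with `check_hostname=True` and `server_hostname` set to the IP string); the code below only makes the rule visible.

```python
"""Added example: which reference identities a SAN set satisfies.

The SAN list is constructed from the entries quoted in the mailing-list post
for the certificate served on 1.1.1.1:853. The matching logic is a simplified
RFC 6125 / RFC 9525 check, written for illustration; it is not the
verification code of OpenSSL or PowerDNS.
"""
import ipaddress

# Constructed from the 'X509v3 Subject Alternative Name' output in the post.
CLOUDFLARE_DOT_SANS = [
    ("DNS", "cloudflare-dns.com"),
    ("DNS", "*.cloudflare-dns.com"),
    ("DNS", "one.one.one.one"),
    ("IP", "1.0.0.1"),
    ("IP", "1.1.1.1"),
    ("IP", "162.159.36.1"),
    ("IP", "162.159.46.1"),
    ("IP", "2606:4700:4700:0:0:0:0:1001"),
    ("IP", "2606:4700:4700:0:0:0:0:1111"),
    ("IP", "2606:4700:4700:0:0:0:0:64"),
    ("IP", "2606:4700:4700:0:0:0:0:6400"),
]


def _dns_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID match.

    A '*' is accepted only as the entire left-most label, it must be
    followed by at least two further labels, and it matches exactly one
    non-empty label of the hostname (so '*.example.com' does not match
    'a.b.example.com' or 'example.com').
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels):
        return False
    return bool(h_labels[0]) and h_labels[1:] == p_labels[1:]


def reference_identity_matches(reference: str, sans) -> bool:
    """Return True if `reference` (an IP literal, optionally in [brackets],
    or a hostname) is satisfied by the SAN entries.

    An IP literal is compared only against 'IP' SANs, using the ipaddress
    module so that '2606:4700:4700::1111' and the uncompressed form printed
    by openssl compare equal. A hostname is compared only against 'DNS'
    SANs; it never matches an IP SAN, and an IP literal never matches a
    DNS SAN, which is exactly why a certificate without IP SANs cannot be
    validated when the client only knows the server's address.
    """
    try:
        ref_ip = ipaddress.ip_address(reference.strip("[]"))
    except ValueError:
        ref_ip = None

    if ref_ip is not None:
        return any(kind == "IP" and ipaddress.ip_address(value) == ref_ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_matches(value, reference)
               for kind, value in sans)


if __name__ == "__main__":
    for ref in ("1.1.1.1", "2606:4700:4700::1111", "8.8.8.8",
                "one.one.one.one", "foo.cloudflare-dns.com", "a.b.cloudflare-dns.com"):
        print(f"{ref:28} -> {reference_identity_matches(ref, CLOUDFLARE_DOT_SANS)}")
```

Running it shows that `1.1.1.1` and the compressed IPv6 form are accepted purely through the IP Address SANs, while an address not in the set, or a hostname two labels below the wildcard, is rejected. A forwarder configured with only a DNS name in its SAN would fail the first case, which is the situation the original question is asking about.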