discussed Heartbleed. I think it's worth disabling not only SSLv2 but
SSLv3 too.
-> attached a simple patch for nsd-4.1.0...
Thank you. Similar code was already in nsd's code repository.
Unbound has a similar design. SSLv3 should also be disabled there
with a patch as trivial as this one. @Wouter: could you keep this
in mind for the next releases?
Maybe it's worth extending the control interface of NSD _and_
UNBOUND to
- enforce only the highest available protocol version
- enforce only one secure cipher suite
- be configurable for weaker settings
Not sure why configuration would be helpful, but I see value in
constraining the settings to stronger security.
I'm thinking of setups where different nsd/unbound versions are managed using
nsd-control/unbound-control over public networks. I don't run such a setup and
also don't know if others do so. But it's technically possible, hence the
configuration aspect...
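As an added example (not code from this thread, nor from NSD or Unbound), the following sketches the policy proposed above, "highest available protocol version, one suite, optionally relaxed, never SSLv3", as a TLS context check. It uses Python's ssl module, which wraps the same OpenSSL SSL_CTX that the C control tools use; the OP_NO_SSLv3 bit it tests is OpenSSL's SSL_OP_NO_SSLv3, the option a C program sets with SSL_CTX_set_options(). The suite names, the strict/relaxed split, and the function names are assumptions; the certificates that nsd-control-setup / unbound-control-setup generate are not loaded, so the context is built and inspected but no connection is made.

```python
"""Control-channel TLS policy, as an added illustration of the proposal above.
Not from the thread, NSD or Unbound; suite choices and names are assumptions."""
import ssl

# Assumed single TLS 1.2 suite for strict mode, and an AEAD-only list for the
# "configurable for weaker settings" mode (weaker, but still no SSLv3).
STRICT_SUITE = "ECDHE-RSA-AES256-GCM-SHA384"
RELAXED_SUITES = ("ECDHE-ECDSA-AES256-GCM-SHA384:"
                  "ECDHE-RSA-AES256-GCM-SHA384:"
                  "ECDHE-RSA-CHACHA20-POLY1305")


def highest_supported_version():
    """Highest TLS version this ssl/OpenSSL build can negotiate."""
    return ssl.TLSVersion.TLSv1_3 if ssl.HAS_TLSv1_3 else ssl.TLSVersion.TLSv1_2


def control_context(strict=True):
    """Server-side context for the control socket.

    strict=True  : only the highest available protocol version, one TLS 1.2 suite.
    strict=False : TLS 1.2 up to the highest version, AEAD suites only.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # A PROTOCOL_TLS_* context already carries OP_NO_SSLv2|OP_NO_SSLv3 on the
    # underlying SSL_CTX; the explicit version bounds below make the floor
    # visible in the configuration and tighten it beyond "no SSLv3".
    top = highest_supported_version()
    if strict:
        ctx.minimum_version = top
        ctx.maximum_version = top
        ctx.set_ciphers(STRICT_SUITE)
    else:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        ctx.maximum_version = top
        ctx.set_ciphers(RELAXED_SUITES)
    # The control channel is mutually authenticated. A real deployment would
    # load the *-control-setup certificates here with ctx.load_cert_chain()
    # and ctx.load_verify_locations(); omitted so the example runs offline.
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def describe(ctx):
    """Snapshot of what the context will actually negotiate."""
    return {
        "min": ctx.minimum_version.name,
        "max": ctx.maximum_version.name,
        # OpenSSL >= 1.1.0 removed SSLv2 entirely, so OP_NO_SSLv2 is 0 there.
        "sslv2_refused": ssl.OP_NO_SSLv2 == 0 or bool(ctx.options & ssl.OP_NO_SSLv2),
        "sslv3_refused": bool(ctx.options & ssl.OP_NO_SSLv3),
        # get_ciphers() honours the version bounds: TLS 1.3 suites are listed
        # only when TLS 1.3 is allowed, TLS 1.2 suites only when TLS 1.2 is.
        "suites": sorted((c["protocol"], c["name"], c["aead"])
                         for c in ctx.get_ciphers()),
    }


def policy_violations(ctx, strict=True):
    """Return the policy problems found; an empty list means the context passes."""
    info = describe(ctx)
    problems = []
    if not info["sslv3_refused"]:
        problems.append("SSLv3 still enabled")
    if not info["sslv2_refused"]:
        problems.append("SSLv2 still enabled")
    if info["min"] in ("MINIMUM_SUPPORTED", "SSLv3", "TLSv1", "TLSv1_1"):
        problems.append("protocol floor below TLS 1.2: " + info["min"])
    if strict and info["min"] != info["max"]:
        problems.append("strict mode must pin a single protocol version")
    tls12 = [name for proto, name, _ in info["suites"] if proto == "TLSv1.2"]
    if strict and tls12 and tls12 != [STRICT_SUITE]:
        problems.append("strict mode allows more than one TLS 1.2 suite")
    for proto, name, aead in info["suites"]:
        if not aead:
            problems.append("non-AEAD suite enabled: " + name)
    return problems


if __name__ == "__main__":
    for mode in (True, False):
        ctx = control_context(strict=mode)
        print("strict" if mode else "relaxed", describe(ctx),
              policy_violations(ctx, strict=mode))
```

One caveat a practitioner will hit: the ssl module exposes no binding for OpenSSL's SSL_CTX_set_ciphersuites(), so the TLS 1.3 suite list cannot be narrowed from Python and "exactly one suite" is enforceable here only on the TLS 1.2 path. A C implementation inside nsd-control/unbound-control would call SSL_CTX_set_ciphersuites() for TLS 1.3 alongside SSL_CTX_set_cipher_list() for TLS 1.2.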