Hello,
nsd and unbound can be controlled using nsd-control and unbound-control.
SSL is used to ensure privacy and authentication. Although those connections are
commonly used on localhost only, they are usable over public networks by design.
But the server allows weak ciphers. Users have no option to control these settings.
# sslscan --no-failed localhost:8952
Actually, I suggest we adopt the patch that floated around last year to
allow people to use a pipe when running on localhost, which would be
much simpler than the entire TLS overhead. Keep the TLS for people
who wish to remote control their unbound instances, but I don't think
those are many. Whereas everyone with unbound-control/dnssec-trigger
setups now has to go through the overhead/complexity of TLS.
Paul
> Keep the TLS for people
> who wish to remote control their unbound instances, but I don't think
> those are many.
We do exist 
In fact, I'm not even using the official nsd-control client: we need to programmatically control remote NSD4 servers, so I've implemented (a subset of) nsd-control in Python. So please keep nsd-control around, but by all means eliminate weak ciphers, as long as it's interoperable with other SSL implementations.
My 0.62 rubles 
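
For readers who drive the control port from their own client, as the last message describes: since the thread says the server side offers no cipher setting, a client can at least refuse weak suites on its own end. The following is an added example, not code from any poster or from the NSD/Unbound projects; the function names, the marker list and the certificate file parameters are assumptions made for illustration.

```python
import socket
import ssl

# Substrings that mark suites generally treated as weak (list constructed for this example).
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


def hardened_control_context(ca_file=None, cert_file=None, key_file=None):
    """Build a client context that only offers TLS 1.2+ with ECDHE and AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL")
    # Assumption: the server certificate is trusted by pinning it via ca_file,
    # not by matching a hostname.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:
        # Client certificate and key for mutual authentication (hypothetical paths).
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def weak_suites(ctx):
    """Return the names of suites in ctx that match a weak marker."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_MARKERS)]


def negotiated(host, port, ctx, timeout=5):
    """Connect and report (protocol version, cipher name) actually agreed on."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    context = hardened_control_context()
    print("weak suites offered by client:", weak_suites(context))
    # Against a live control port (8952 is the port scanned in the first message):
    # print(negotiated("localhost", 8952, hardened_control_context(
    #     ca_file="server.pem", cert_file="control.pem", key_file="control.key")))
```

If the handshake in `negotiated` fails with this context, the server and client share no strong suite, which is itself the finding to report.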