[bind10-dev] bindctl not checking server certificate chain by default

Jelte Jansen jelte at isc.org
Fri Oct 19 14:06:51 UTC 2012




So we have this nice SSL thing in cmdctl that runs a somewhat secure
http server to receive commands on. But on the bindctl we don't even
check its certificate; at least not by default (it does if you specify
-c <pemfile>).

(yes yes, additionally, the certificate we ship has also expired,
there's already a ticket for that)
((note that this is mostly unrelated to other issues in the
command/config framework, as I think we'd keep the general connection
method even if we wildly changed the internal representation and
handling))

I just almost created a new ticket to address that, but while writing
it up I realized there are several options, and we need to decide what
to do first (or we get a ticket that is too vague again):

- we *could* decide that no-security-by-default is fine (in which case
  we should very clearly document it, and point to the -c option)
- we could force it to use the same certificate we install for cmdctl
  (two choices: same location as cmdctl uses, or make a second copy
  and place it near the users file; and of course it needs to handle
  fromsource/frominstall)
- thirdly, we could default to not running at all until the
  administrator points to a valid certificate.

I think the last option kind of depends on how out-of-the-box we want
it runnable (as this is already a problem with the initial creation of
the users file). And the second also depends on how we handle
installing a certificate in the first place.

Thoughts?

ps. this might also be a nice place to showcase DANE support, for
remotely running bindctl
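An added illustration of the three choices from the message above, written for this page and not taken from the BIND 10 tree: a client-side TLS context that verifies the cmdctl chain when a PEM file is given (the -c behaviour), reproduces the unverified legacy behaviour only on an explicit opt-out, and otherwise refuses to connect. Function names and the policy strings are assumptions; the resulting context is what you would hand to http.client.HTTPSConnection(..., context=ctx).

```python
import ssl


def client_policy(cafile, allow_insecure=False):
    """Decide how the client treats the cmdctl server certificate.

    "verify"   - a PEM file was given: check chain and hostname
    "insecure" - no file, but the operator explicitly accepted no checking
    "refuse"   - no file and no explicit opt-out: do not connect at all
    """
    if cafile:
        return "verify"
    if allow_insecure:
        return "insecure"
    return "refuse"


def make_client_context(cafile=None, allow_insecure=False):
    """Build the client TLS context; fails closed unless told otherwise."""
    policy = client_policy(cafile, allow_insecure)
    if policy == "refuse":
        raise ValueError("no server certificate/CA file given; "
                         "pass -c <pemfile> or explicitly allow insecure mode")
    if policy == "insecure":
        # Legacy behaviour described in the mail: no chain or hostname check.
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # Verifying path: the chain must anchor in cafile and the leaf must match
    # the host we dial. A missing or unreadable file raises (FileNotFoundError
    # or ssl.SSLError) instead of silently downgrading to no verification.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def describe_context(ctx):
    """Summarise which checks a context enforces (used for inspection)."""
    if ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname:
        return "chain+hostname"
    if ctx.verify_mode == ssl.CERT_NONE:
        return "none"
    return "chain-only"
```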

