From: obsd@mulh.net
Subject: Re: unbound.conf default; use control-use-cert: no
To: tech@openbsd.org
Date: Fri, 17 Oct 2025 17:55:01 -0400

On 2025-10-17 18:53:22, Stuart Henderson write:
>  remote-control:
>  	control-enable: yes
> +	control-use-cert: no
>  	control-interface: /var/run/unbound.sock

What's the rational for this?

The documentation is clear that this option is ignored and 
certificates are not used when a socket is used.  Access is 
controled by file permissions instead of TLS for sockets.
For IP interfaces the certificates restrict the access.
(docs also say it uses TLSv1 security for the connection!)