Issue created Jun 25, 2021 by Artem Boldariev@artemDeveloper

Add more configuration options to control TLS context (enough to implement Perfect Forward Secrecy)

It would be nice for us to borrow more configuration options from NGINX, which is an industry standard. As far as I can tell, borrowing the following options will make it possible to implement Perfect Forward Secrecy in BIND:

  • An ability to specify supported ciphers: ssl_ciphers;
  • An ability to specify Diffie-Hellman parameters for DHE ciphers: ssl_dhparam;
  • An ability to inform the client that server ciphers should be preferred: ssl_prefer_server_ciphers;
  • An ability to enable/disable TLS session tickets: ssl_session_tickets.

Implementing this is hugely beneficial for both DoH and DoT.

The end result could look like this:

tls some-tls {
    ...
    ciphers "HIGH:!aNULL:!MD5";
    dhparam-file "/path/to/dh3072.pem"; // Theoretically, we could compile in a default value for it. This needs more research.
    prefer-server-ciphers yes;
    session-tickets no;
    ...
};

Loosely related to #2775 (closed)

Edited Sep 28, 2021 by Artem Boldariev