TLS protocol Statement Grammar may be incorrect
Summary
The documentation for the tls protocols statement indicates placing the protocol between curly braces; however, this results in the following error with both named-checkconf and rndc reconfig:
protocols { TLSv1.3; };
/etc/opt/isc/scls/isc-bind/named.conf: 10:expected string near '{'
When quotes are used instead of brackets, there is no error.
protocols "TLSv1.3";
BIND version used
BIND 9.17.18 (Development Release) <id:019a476>
running on Linux x86_64 4.18.0-305.19.1.el8_4.x86_64 #1 SMP Wed Sep 15 15:39:39 UTC 2021
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu'
'--program-prefix=' '--disable-dependency-tracking' '--prefix=/opt/isc/isc-bind/root/usr'
'--exec-prefix=/opt/isc/isc-bind/root/usr' '--bindir=/opt/isc/isc-bind/root/usr/bin'
'--sbindir=/opt/isc/isc-bind/root/usr/sbin' '--sysconfdir=/etc/opt/isc/scls/isc-bind'
'--datadir=/opt/isc/isc-bind/root/usr/share' '--includedir=/opt/isc/isc-bind/root/usr/include'
'--libdir=/opt/isc/isc-bind/root/usr/lib64' '--libexecdir=/opt/isc/isc-bind/root/usr/libexec'
'--localstatedir=/var/opt/isc/scls/isc-bind' '--sharedstatedir=/var/opt/isc/scls/isc-bind/lib'
'--mandir=/opt/isc/isc-bind/root/usr/share/man' '--infodir=/opt/isc/isc-bind/root/usr/share/info'
'--disable-static' '--enable-dnstap' '--with-pic' '--with-gssapi' '--with-json-c' '--with-libxml2'
'--without-lmdb' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu'
'CFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection'
'LDFLAGS=-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -L/opt/isc/isc-bind/root/usr/lib64'
'CPPFLAGS= -I/opt/isc/isc-bind/root/usr/include' 'LT_SYS_LIBRARY_PATH=/usr/lib64'
'PKG_CONFIG_PATH=:/opt/isc/isc-bind/root/usr/lib64/pkgconfig:/opt/isc/isc-bind/root/usr/share/pkgconfig'
'SPHINX_BUILD=/builddir/build/BUILD/bind-9.17.18/sphinx/bin/sphinx-build'
compiled by GCC 8.4.1 20200928 (Red Hat 8.4.1-1)
compiled with OpenSSL version: OpenSSL 1.1.1g FIPS 21 Apr 2020
linked to OpenSSL version: OpenSSL 1.1.1g FIPS 21 Apr 2020
compiled with libuv version: 1.41.0
linked to libuv version: 1.41.0
compiled with libnghttp2 version: 1.33.0
linked to libnghttp2 version: 1.33.0
compiled with libxml2 version: 2.9.7
linked to libxml2 version: 20907
compiled with json-c version: 0.13.1
linked to json-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
compiled with protobuf-c version: 1.3.3
linked to protobuf-c version: 1.3.3
threads support is enabled
default paths:
named configuration: /etc/opt/isc/scls/isc-bind/named.conf
rndc configuration: /etc/opt/isc/scls/isc-bind/rndc.conf
DNSSEC root key: /etc/opt/isc/scls/isc-bind/bind.keys
nsupdate session key: /var/opt/isc/scls/isc-bind/run/named/session.key
named PID file: /var/opt/isc/scls/isc-bind/run/named/named.pid
named lock file: /var/opt/isc/scls/isc-bind/run/named/named.lock
Steps to reproduce
Using the statement grammar for the protocols option found here:
https://bind9.readthedocs.io/en/latest/reference.html?highlight=DoH#tls-statement-grammar
for example, the following protocols line in the tls statement will fail:
protocols { TLSv1.3; };
When quotes are used, no error is encountered:
protocols "TLSv1.3";
What is the current bug behavior?
When rndc reconfig is run:
rndc: 'reconfig' failed: unexpected token
In bind logs the following entry is included:
config: error: /etc/opt/isc/scls/isc-bind/named.conf:10: expected string near '{'
Line 10 is where I have protocols configured.
What is the expected correct behavior?
No errors, and rndc reconfig succeeds.
Relevant configuration files
Full TLS statement below:
tls resolver01 {
cert-file "/etc/certificates/isc_bind/resolver01-cert.pem";
key-file "/etc/certificates/isc_bind/resolver01.pem";
hostname "resolver01.lab.home";
protocols "TLSv1.3"; // This works as expected
// protocols { TLSv1.3; }; // This fails.
};
Possible fixes
Quoting appears to work fine, so updating the documentation may be an option. However, it feels more idiomatic to support brackets.
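Until the parser and the documentation agree, a pre-flight check keeps a mis-typed tls statement from turning into a failed rndc reconfig. The following is an added shell example, not from this report or from BIND: it flags the bracketed protocols form inside tls statements and then runs named-checkconf when it is installed; the sample tls block it writes is constructed after the one above, with the certificate paths used as placeholders.

```shell
# Added example, not from the issue or from BIND: pre-flight check that flags the
# bracketed "protocols { ...; };" form inside a tls statement, the form the report
# shows named-checkconf rejecting, before "rndc reconfig" is attempted.
# Returns 0 when no tls block uses the bracketed protocols form, 1 otherwise.
# Lines starting with // are skipped, so a commented-out attempt is not flagged.
check_tls_protocols_form() {
    hits=$(awk '
        /^[[:space:]]*\/\//                        { next }
        /^[[:space:]]*tls[[:space:]]/              { in_tls = 1 }
        in_tls && /protocols[[:space:]]*[{]/       { printf "%s:%d: %s\n", FILENAME, FNR, $0 }
        in_tls && /^[[:space:]]*[}][[:space:]]*;/  { in_tls = 0 }
    ' "$1")
    if [ -n "$hits" ]; then
        printf 'bracketed protocols form found:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Runs named-checkconf when it is installed; otherwise says so and returns 0.
run_named_checkconf() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1"
    else
        echo "named-checkconf not installed; skipping full syntax check" >&2
    fi
}

# Full pre-flight: lint the tls statements, then let named-checkconf parse the file.
preflight() {
    check_tls_protocols_form "$1" && run_named_checkconf "$1"
}

# Constructed sample config modelled on the report's tls block (placeholder paths,
# not the reporter's real files). $1 = output path, $2 = "quoted" or "bracketed".
write_sample_conf() {
    if [ "$2" = bracketed ]; then
        line='    protocols { TLSv1.3; };'
    else
        line='    protocols "TLSv1.3";'
    fi
    cat > "$1" <<EOF
tls resolver01 {
    cert-file "/etc/certificates/isc_bind/resolver01-cert.pem";
    key-file "/etc/certificates/isc_bind/resolver01.pem";
    hostname "resolver01.lab.home";
    // protocols { TLSv1.3; };
$line
};
EOF
}
```

Run `preflight /etc/opt/isc/scls/isc-bind/named.conf` before each reconfig; the lint catches the bracketed form even on hosts where named-checkconf is not on the PATH.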