TLS not working on the client-side (dig/named)
As of version 9.17.19, I can't get DoT queries to work on both dig and named. It used to work on 9.17.18, but with the problems reported on issue #2884 (closed).
dig simply silently fails:
# ./bin/dig @<server_IP> -p 853 <myzone> soa +tls
#
named can't complete a TLS zone transfer:
28-Oct-2021 13:45:39.033 zone myzone/IN: Transfer started.
28-Oct-2021 13:45:39.033 zone myzone/IN: no database exists yet, requesting AXFR of initial version from <serverIP>#853
28-Oct-2021 13:45:39.033 zone myzone/IN: got TLS configuration for zone transfer: success
28-Oct-2021 13:45:39.035 transfer of 'myzone/IN' from <serverIP>#853: failed to connect: operation canceled
28-Oct-2021 13:45:39.035 zone myzone/IN: zone transfer finished: operation canceled
28-Oct-2021 13:45:39.035 zone_settimer: zone myzone/IN: enter
28-Oct-2021 13:45:39.035 queue_soa_query: zone myzone/IN: enter
28-Oct-2021 13:45:39.035 transfer of 'myzone/IN' from <serverIP>#853: Transfer status: operation canceled
28-Oct-2021 13:45:39.035 transfer of 'myzone/IN' from <serverIP>#853: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec) (serial 0)
I have tried using both an ephemeral TLS config and one with custom certificates.
Another issue that got me a bit confused is that in the tls section of the configuration file, the parameters key-file now seem to be required, which wasn't the case in the previous version.
BIND version used
BIND 9.17.19 (Development Release) <id:b63de6b>
running on FreeBSD amd64 12.2-RELEASE-p7 FreeBSD 12.2-RELEASE-p7 GENERIC
built by make with '--prefix=/home/cesar/named' 'CC=clang'
compiled by CLANG FreeBSD Clang 10.0.1 (firstname.lastname@example.org:llvm/llvm-project.git llvmorg-10.0.1-0-gef32c611aa2)
compiled with OpenSSL version: OpenSSL 1.1.1h-freebsd 24 Aug 2021
linked to OpenSSL version: OpenSSL 1.1.1h-freebsd 24 Aug 2021
compiled with libuv version: 1.40.0
linked to libuv version: 1.40.0
compiled with libnghttp2 version: 1.41.0
linked to libnghttp2 version: 1.41.0
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
Steps to reproduce
Try to make a TLS query using dig +tls, or configure named as a secondary server with TLS.
What is the current bug behavior?
dig returns no response when querying with TLS
named does not manage to complete a zone transfer with TLS
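For readers trying to reproduce the second step, this is an added example of the kind of secondary-server configuration the report describes (not the reporter's own named.conf); the tls statement name, certificate paths, zone name and primary address are placeholders, and the cert-file/key-file lines are the parameters the report says are now required when a custom certificate is used instead of the built-in ephemeral one:

```conf
/* Added example named.conf fragment; all names and paths are placeholders. */
tls xfer-tls {
    cert-file "/usr/local/etc/namedb/xfer-cert.pem";  /* server certificate, PEM */
    key-file "/usr/local/etc/namedb/xfer-key.pem";    /* matching private key, keep mode 0600 */
};

zone "myzone" {
    type secondary;
    file "myzone.db";
    /* AXFR/IXFR over DNS-over-TLS: port 853 with the tls statement named above
       (or "tls ephemeral" for the built-in self-signed configuration). */
    primaries { 192.0.2.1 port 853 tls xfer-tls; };
};
```

With this in place, the log lines in the report ("got TLS configuration for zone transfer: success" followed by "failed to connect") are what to look for when checking whether the transfer gets past the TLS handshake.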