TLS not working on the client-side (dig/named)
Summary
As of version 9.17.19, I can't get DoT queries to work on both `dig` and `named`. It used to work on 9.17.18, but with the problems reported on issue #2884 (closed).

Now, `dig` simply silently fails:
```
[1170]# ./bin/dig @<server_IP> -p 853 <myzone> soa +tls
[1171]#
```
whereas `named` can't complete a TLS zone transfer:
```
28-Oct-2021 13:45:39.033 zone myzone/IN: Transfer started.
28-Oct-2021 13:45:39.033 zone myzone/IN: no database exists yet, requesting AXFR of initial version from <serverIP>#853
28-Oct-2021 13:45:39.033 zone myzone/IN: got TLS configuration for zone transfer: success
28-Oct-2021 13:45:39.035 transfer of 'myzone/IN' from <serverIP>#853: failed to connect: operation canceled
28-Oct-2021 13:45:39.035 zone myzone/IN: zone transfer finished: operation canceled
28-Oct-2021 13:45:39.035 zone_settimer: zone myzone/IN: enter
28-Oct-2021 13:45:39.035 queue_soa_query: zone myzone/IN: enter
28-Oct-2021 13:45:39.035 transfer of 'myzone/IN' from <serverIP>#853: Transfer status: operation canceled
28-Oct-2021 13:45:39.035 transfer of 'myzone/IN' from <serverIP>#853: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec) (serial 0)
```
I have tried using both an ephemeral TLS config and one with custom certificates.
Another issue that got me a bit confused is that in the `tls` section of the configuration file, the parameters `cert-file` and `key-file` now seem to be required, which wasn't the case in the previous version.
BIND version used
```
BIND 9.17.19 (Development Release) <id:b63de6b>
running on FreeBSD amd64 12.2-RELEASE-p7 FreeBSD 12.2-RELEASE-p7 GENERIC
built by make with '--prefix=/home/cesar/named' 'CC=clang'
compiled by CLANG FreeBSD Clang 10.0.1 (git@github.com:llvm/llvm-project.git llvmorg-10.0.1-0-gef32c611aa2)
compiled with OpenSSL version: OpenSSL 1.1.1h-freebsd 24 Aug 2021
linked to OpenSSL version: OpenSSL 1.1.1h-freebsd 24 Aug 2021
compiled with libuv version: 1.40.0
linked to libuv version: 1.40.0
compiled with libnghttp2 version: 1.41.0
linked to libnghttp2 version: 1.41.0
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
```
Steps to reproduce
Try to make a TLS query using `dig +tls`, or configure `named` as a secondary server with TLS.
What is the current bug behavior?
- `dig` returns no response when querying with TLS
- `named` does not manage to complete a zone transfer with TLS
Edited by Cesar Kuroiwa
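For readers trying to reproduce the secondary-over-TLS case described above, this is an added `named.conf` fragment, not configuration from the issue or from ISC. The primary address 192.0.2.1, the `tls` block name `xfer-tls` and the certificate and key paths are placeholders; `cert-file` and `key-file` are included because the reporter observed that 9.17.19 treats them as required.

```conf
// Added example, not part of the issue: minimal secondary configuration
// that requests "myzone" from the primary over TLS (port 853), matching
// the transfer the log lines above show failing with "operation canceled".

// Client-side TLS context for outgoing transfers. Placeholder paths;
// the reporter notes that 9.17.19 appears to require both entries.
tls xfer-tls {
    cert-file "/PATH/TO/secondary.crt";   // placeholder
    key-file  "/PATH/TO/secondary.key";   // placeholder
};

zone "myzone" {
    type secondary;
    file "myzone.db";
    // Pull the zone from the primary over TLS using the context above.
    // The reporter also tried the built-in "ephemeral" context, i.e.
    //   primaries { 192.0.2.1 port 853 tls ephemeral; };
    primaries { 192.0.2.1 port 853 tls xfer-tls; };   // 192.0.2.1 is constructed
};
```

A transfer over this configuration should log "Transfer completed" with a non-zero record count and serial; "failed to connect: operation canceled" after "got TLS configuration for zone transfer: success", as in the report, points at the TLS client side rather than at the zone configuration.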