TLS forwarder lookup fails in resolver.c when TLS CA certificate not available
Summary
When configuring a forwarder with a TLS configuration that specifies a CA file to verify the remote certificate, BIND dies at the RUNTIME_CHECK in resolver.c when it cannot read the CA file.
BIND version affected
BIND 9.19.19-1+020231220.107+debian121.gbpfc5ec0-Debian (Development Release) id:
Steps to reproduce
- Use the provided configuration snippet in any working configuration.
- Do not have a /certificates directory.
- Look up something from test.example.com.
What is the current bug behavior?
BIND crashes in the resolver library due to the TLS context not being set up correctly.
What is the expected correct behavior?
BIND complains on startup about not being able to read the CA certificate.
Relevant configuration files
- named.conf (excerpt):
tls auth1 {
ca-file "/certificates/ca.crt";
remote-hostname "auth1";
};
tls auth2 {
ca-file "/certificates/ca.crt";
remote-hostname "auth2";
};
zone test.example.com {
type forward;
forwarders port 853 { 172.23.23.11 tls auth1; 172.23.23.12 tls auth2; };
forward only;
};
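Until named itself rejects an unreadable ca-file at startup, the missing file can be caught before named is started. The following pre-flight script is an added example, not part of BIND or of this report: it pulls every quoted path given to ca-file, cert-file or key-file out of a named.conf and verifies that each one is a readable regular file. It assumes the single-file configuration layout shown above (include statements are not followed) and that the directives appear one per line, as in the excerpt.

```shell
#!/bin/sh
# Pre-flight check for TLS file references in named.conf (added example,
# not BIND's own code). Run it before starting named so that a missing
# /certificates directory is reported here instead of in fctx_query().
#
# Assumptions: one directive per line, paths in double quotes, no include
# statements to follow.

tls_file_paths() {
    # Print each distinct path referenced by ca-file, cert-file or key-file
    # in the configuration file given as $1.
    grep -E '^[[:space:]]*(ca-file|cert-file|key-file)[[:space:]]*"[^"]*"' "$1" \
        | sed 's/^[^"]*"\([^"]*\)".*/\1/' \
        | sort -u
}

missing_tls_files() {
    # Print the subset of those paths that are not readable regular files.
    tls_file_paths "$1" | while IFS= read -r f; do
        if [ ! -f "$f" ] || [ ! -r "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
}

check_tls_files() {
    # Return 0 when every referenced file is readable, 1 otherwise
    # (listing the offending paths on stderr).
    bad=$(missing_tls_files "$1")
    if [ -n "$bad" ]; then
        printf 'named.conf references unreadable TLS files:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# When run directly with a configuration path, perform the check and
# exit with its status; with no argument the functions are only defined.
if [ "$#" -gt 0 ]; then
    check_tls_files "$1"
fi
```

With the configuration from this report and no /certificates directory, the script exits 1 and prints /certificates/ca.crt, which is the point at which named would otherwise have hit the RUNTIME_CHECK on the first forwarded query.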
Relevant logs
recursive-2 | 12-Feb-2024 08:57:44.370 client @0x713184c1c000 172.23.23.23#45455 (foo.test.example.com): query: foo.test.example.com IN A +E(0)K (172.23.23.14)
recursive-2 | fetch: foo.test.example.com/A
recursive-2 | QNAME minimization - minimized, qmintype 2 qminname corp
recursive-2 | resolver.c:2175:fctx_query(): fatal error:
recursive-2 | RUNTIME_CHECK(result == ISC_R_SUCCESS) failed
recursive-2 | exiting (due to fatal error in library)
recursive-2 exited with code 139