Resolve #2776: Extend 'allow-transfer' with 'port' and 'transport' parameters
This MR extends the ACL syntax with `port` and `transport` options:

```
zone "example" {
    ...
    allow-transfer port 853 transport tls { any; };
};
```
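A complete configuration for the use case this syntax targets, restricting zone transfers to DNS-over-TLS, as an added example rather than the MR's own test configuration. Only the `allow-transfer` line uses the syntax introduced here; the `tls` block and `listen-on ... tls` statements are BIND 9.18 features assumed to be available, and the addresses and file paths are placeholders.

```conf
# Added example (not from the MR): a primary that answers ordinary queries on
# port 53 but only hands out zone transfers to secondaries that connect over
# DNS-over-TLS on port 853.
# The `tls` statement and `listen-on ... tls` syntax are assumed BIND 9.18
# features; key/cert paths and addresses are constructed placeholders.
tls xfr-tls {
    key-file "/etc/bind/tls/xfr.key";      # placeholder path
    cert-file "/etc/bind/tls/xfr.crt";     # placeholder path
};

acl secondaries { 192.0.2.53; 2001:db8::53; };   # constructed example addresses

options {
    listen-on port 53 { any; };
    listen-on port 853 tls xfr-tls { any; };
    listen-on-v6 port 853 tls xfr-tls { any; };
    # In this MR the transport options are accepted only in allow-transfer,
    # so allow-query stays a plain address ACL.
    allow-query { any; };
};

zone "example" {
    type primary;
    file "example.db";
    # Matches AXFR/IXFR requests only when they arrive over TLS on port 853
    # from a listed secondary. The same request from the same address over
    # plain TCP port 53 does not match the ACL and the transfer is refused.
    allow-transfer port 853 transport tls { secondaries; };
};
```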
The runtime representation and ACL loading code are extended so that the syntax can be used beyond the `allow-transfer` option (e.g. in `acl` definitions and other `allow-*` options), and can ultimately be used to extend the ACL support with transport-only ACLs. For example, it could look as follows:

```
transport-acl do53 transport udp-tcp;
transport-acl allow-tls port 853 transport tls;
transport-acl allow-http port 443 transport http;
acl https-tls { !do53; allow-tls; allow-http; any; };
options {
    allow-query { https-tls; };
};
```
But, due to the fundamental nature of such a change, it has not been completed as part of the 9.17.X release series, since that series is close to reaching 9.18 stable release status and there is not enough time to fully test it. So, for now, the transport options are allowed only in `allow-transfer` options, as required by #2776.

The complete integration is planned as part of the 9.19.X release series, in a separate issue.
The code was manually verified to work as expected by temporarily enabling the extended syntax for `acl` statements and `allow-query` options (this can be trivially enabled), including ACL merging and negated ACLs:

```
acl tls port 853 transport tls {};
acl https-tls port 443 transport http { tls; };
zone "example" {
    type primary;
    file "example.db";
    allow-query { https-tls; any; };
};
```
Closes #2776