ISC Open Source Projects / BIND / Merge requests / !5602

Merged
Created Nov 30, 2021 by Artem Boldariev (@artem, Owner)

XoT: add support for client-side TLS parameters for incoming XFRs, add 'tls' name configuration validation on secondaries


This merge request adds support for client-side TLS parameters to XoT.

Prior to this commit, all client-side TLS contexts were using default parameters only, ignoring the options from BIND's configuration file, even when a valid 'tls' configuration was specified, like in:

tls tls-v1.2-pfs {
	protocols { TLSv1.2; };
	ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
	prefer-server-ciphers no;
};

zone "example" {
	type secondary;
	primaries { 10.53.0.1 tls tls-v1.2-pfs; }; // only "ephemeral" were truly supported here before
	file "example.db";
	allow-transfer { any; };
};

Currently, the following tls parameters are supported:

  • protocols;
  • ciphers;
  • prefer-server-ciphers.

Also, this merge request ensures that the tls name specified in the 'primaries' clause of a zone statement is a valid one (defined).

Prior to that, an invalid configuration would be silently accepted, leading to failures earlier:

zone "example" {
	type secondary;
	primaries { 10.53.0.1 tls an-undefined-tls-configuration; };
	file "example.db";
	allow-transfer { any; };
};

In addition to that, it fixes a logical mistake in the code which would lead to an abort() on systems with ancient OpenSSL versions, like Red Hat Linux 7 (on startup or on zone transfer via XoT; the latter was possible only in this branch).

Partially addresses #2450

In a way, it is also a substitute for #2992, which has no chance of making it into 9.18.

Edited Dec 01, 2021 by Artem Boldariev
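The two checks this merge request describes (a 'tls' name used in 'primaries' must be defined, and only 'protocols', 'ciphers' and 'prefer-server-ciphers' are honoured by client-side XoT contexts) can be exercised offline with a small configuration checker. The script below is an added example, not BIND's own named-checkconf logic; it assumes the one-block-per-header layout used in the description, treats the built-in name 'ephemeral' as always defined, and uses a constructed sample configuration.

```python
import re
# Client-side tls parameters the merge request honours for outgoing XFR requests.
SUPPORTED_CLIENT_TLS_PARAMS = {"protocols", "ciphers", "prefer-server-ciphers"}
BUILTIN_TLS_NAMES = {"ephemeral"}  # assumption: the built-in name is always defined
HEADER = re.compile(r'^(tls|zone)\s+"?([\w.-]+)"?\s*\{')  # 'tls NAME {' / 'zone "NAME" {'
TLS_REF = re.compile(r'\btls\s+([\w.-]+)')  # 'tls NAME' inside a primaries clause

def parse_blocks(text):
    """Top-level (kind, name, body_lines) tuples; a block ends at a line starting with '};'."""
    blocks, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m and current is None:
            current = (m.group(1), m.group(2), [])
        elif line.startswith("};") and current is not None:
            blocks.append(current)
            current = None
        elif current is not None:
            current[2].append(line.strip())
    return blocks

def validate(text):
    """Undefined 'tls' names in 'primaries' plus tls options client-side contexts ignore."""
    blocks = parse_blocks(text)
    defined = {name: body for kind, name, body in blocks if kind == "tls"}
    problems = []
    for name, body in defined.items():
        for opt in (l.split()[0] for l in body if l and not l.startswith("//")):
            if opt not in SUPPORTED_CLIENT_TLS_PARAMS:
                problems.append(f"tls '{name}': option '{opt}' is not a supported client-side parameter")
    for kind, zone, body in (b for b in blocks if b[0] == "zone"):
        for line in (l for l in body if l.startswith("primaries")):
            for ref in TLS_REF.findall(line):
                if ref not in defined and ref not in BUILTIN_TLS_NAMES:
                    problems.append(f"zone '{zone}': 'tls {ref}' in primaries is not defined")
    return problems

# Constructed sample: the description's valid zone plus one referencing an undefined tls name.
SAMPLE_CONF = """\
tls tls-v1.2-pfs {
	protocols { TLSv1.2; };
	ciphers "HIGH:!kRSA:!aNULL:!eNULL";
	prefer-server-ciphers no;
};
zone "example" {
	primaries { 10.53.0.1 tls tls-v1.2-pfs; };
};
zone "broken" {
	primaries { 10.53.0.1 tls an-undefined-tls-configuration; };
};
"""
```

Running `validate(SAMPLE_CONF)` reports only the "broken" zone, which is exactly the case the merge request turns from a silently accepted configuration into a validation error.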
Source branch: artem-xot-tls-protocols-ciphers