Skip to content


Michał Kępień requested to merge 2723-add-SSLKEYLOGFILE-support into main

This MR implements TLS pre-master secret logging using the libisc logging framework. Doing it this way enables us to get size limiting and file rotation "for free" at the cost of additional locking done by libisc logging contexts. (Credit to @pspacek for originally coming up with this idea!)

As setting the SSLKEYLOGFILE environment variable is the de facto standard way of exporting TLS pre-master secrets from a piece of software (this method is supported by Firefox, Chrome, Apache, GnuTLS, curl, and Python, to name a few), this MR proposes to use that variable in the same manner.

Since the proposed defaults may not be appropriate in certain cases, this MR also allows custom logging configuration to be provided for TLS pre-master secrets.

Indirectly, this MR also enables TLS pre-master secret logging to be enabled/disabled at runtime (by changing the logging stanza and running rndc reconfig).

While this approach is arguably far from perfect, it appears to be checking off a lot of boxes:

  • it is simple to employ for one-off experiments while still allowing more complex configurations when necessary,

  • it makes BIND 9 behave similarly to other software out there,

  • it should be simple to review.

We really need some way of doing this in BIND 9.18. More user-friendly additions which are deemed useful in the long run (e.g. rndc commands) can always be implemented after further discussions, which should take place when we are not under time pressure.

Closes #2723 (closed)

Edited by Michał Kępień

Merge request reports