... | ... | @@ -44,12 +44,12 @@ DoT and DoH will have to extend BIND9 configuration syntax. Since it's virtually |
|
|
### TLS
|
|
|
Since TLS will be used by various services, it'd be convenient to introduce a single configuration option describing TLS parameters - most notably, key and certificate file. The proposed syntax for the option is:
|
|
|
```
|
|
|
tls-config <string> {
|
|
|
tls <string> {
|
|
|
key-file <quoted-string>;
|
|
|
cert-file <quoted-string>;
|
|
|
};
|
|
|
```
|
|
|
To make deployment simpler, a generic `default` tls-config with autogenerated certificate might be provided.
|
|
|
To make deployment simpler, a generic `default` tls with autogenerated certificate might be provided.
|
|
|
|
|
|
DISCUSSION:
|
|
|
- the autogenerated certificate will be emphemeral or saved in a secure place in workdir? (@ondrej)
|
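Review bot: the rename to `tls` does not resolve the open DISCUSSION item, and the `default` block with an autogenerated certificate deserves one clarifying sentence in this hunk: a self-signed, autogenerated certificate cannot be validated by clients against any trust anchor, so `default` only ever provides opportunistic encryption, not server authentication. Suggest stating that explicitly next to "To make deployment simpler, a generic `default` tls with autogenerated certificate might be provided.", and, if the answer to @ondrej's question is "saved in workdir", also stating the expected file ownership and permissions for that key, since `key-file <quoted-string>;` gives operators no other hint that the private key must not be world-readable. Minor: "a generic `default` tls" reads awkwardly after the rename; "a generic `default` tls block" would match the new keyword.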
... | ... | @@ -64,7 +64,7 @@ DISCUSSION: |
|
|
### DoT
|
|
|
Configuring listening for TLS connections extends the current listen-on and listen-on-v6 syntax:
|
|
|
```
|
|
|
listen-on [ port <integer> ] [ tls-config <string> ] { <address_match_element>; ... };
|
|
|
listen-on [ port <integer> ] [ tls <string> ] { <address_match_element>; ... };
|
|
|
```
|
|
|
|
|
|
### DoH
|
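Review bot: the prose says the extension applies to both `listen-on` and `listen-on-v6`, but the syntax block only shows `listen-on [ port <integer> ] [ tls <string> ] { <address_match_element>; ... };`; please add the matching `listen-on-v6` line so the v6 form is documented too. Also, `port` is optional here while `tls` is optional independently, so the text should say what happens when `tls <string>` is given without `port`: either the DoT port (853, as the Example section later uses) becomes the default, or `port` becomes mandatory whenever `tls` is present. Without that rule a `listen-on tls my_config { any; };` line would silently serve TLS on whatever the plain-DNS default port is, which is the kind of ambiguity that leads to misconfigured listeners.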
... | ... | @@ -72,7 +72,7 @@ Configuring DoH is more complex, as e.g. multiple views can use the same address |
|
|
|
|
|
A HTTP/2 server is configured by the following options:
|
|
|
```
|
|
|
http-server <string> [ port <integer> ] [ tls-config <string> ] { <address_match_element>; ... };
|
|
|
http-server <string> [ port <integer> ] [ tls <string> ] { <address_match_element>; ... };
|
|
|
```
|
|
|
A DoH endpoint for a server is configure with:
|
|
|
```
|
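Review bot: in `http-server <string> [ port <integer> ] [ tls <string> ] { <address_match_element>; ... };` the `tls` clause is optional, which means an `http-server` without it accepts DoH over cleartext HTTP/2. If that is intended (for example, TLS terminated by a reverse proxy in front of named), the text should say so and note that such a server must not be exposed directly; otherwise `tls` should be required and the brackets dropped. Either way the decision should be written down here rather than left implicit. Minor: "A DoH endpoint for a server is configure with:" should read "is configured with:".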
... | ... | @@ -85,12 +85,12 @@ DISCUSS: |
|
|
|
|
|
### Example
|
|
|
```
|
|
|
tls-config my_config {
|
|
|
tls my_config {
|
|
|
key-file "key.pem";
|
|
|
cert-file "cert.pem";
|
|
|
}
|
|
|
listen-on port 853 tls-config my_config { any; };
|
|
|
http-server my_server port 443 tls-config my_config { any; };
|
|
|
listen-on port 853 tls my_config { any; };
|
|
|
http-server my_server port 443 tls my_config { any; };
|
|
|
doh-endpoint "/dns-query" server my_server;
|
|
|
```
|
|
|
|
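Review bot: the example's `tls my_config { ... }` block ends with a bare `}` while the syntax definition in the TLS section ends the block with `};`; one of the two should change so the example is a valid instance of the documented grammar (the other statements in the example, e.g. `listen-on port 853 tls my_config { any; };`, do use the trailing semicolon). The example also relies on relative paths `"key.pem"` and `"cert.pem"`; a one-line remark that these resolve against the working directory would help readers who copy it.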
... | ... | |