Open k0ekk0ek opened 3 months ago
Andreas Schulze provided some feedback on the Mutual TLS feature on the nsd-users mailing list.
* While trying to get AXFR-over-tls working, I saw errors like "error: xfrd tls: TLS verify failed - (62) depth: 0 error: hostname mismatch" It would be helpful to see there "... hostname mismatch: expected 'foo', got 'bar'"
This is captured in DEBUG
https://github.com/NLnetLabs/nsd/blob/b88421be3b5654eed5e2c432d20172b72ea12052/options.c#L2257-L2259 and https://github.com/NLnetLabs/nsd/blob/b88421be3b5654eed5e2c432d20172b72ea12052/options.c#L2315-L2317
I run my devel SSL code with
With nsd options -V100 -F 0x0020U -L100 I get:
[2024-08-02 01:20:55.086] nsd[1029706]: info: CN s3.example.com does not match acl for s2.example.com
[2024-08-02 01:20:55.086] nsd[1029706]: warning: client cert does not match tls-master s2.example.com
[2024-08-02 01:20:55.086] nsd[1029706]: info: axfr for example.com. from 127.0.0.1 refused, no acl matches
[2024-08-02 01:20:55.086] nsd[1029706]: info: axfr refused, no acl matches
Maybe we put those two in VERBOSITY LOG instead of DEBUG?
* I used an IPv6 network for my zone transfer tests and have the impression, the outgoing-interface statement at the secondary is not working if AXFR-over-tls is used.
per manual page:
outgoing-interface: <ip-address>
Access control list. The listed address is used to request AXFR|IXFR
(in case of a secondary) or used to send notifies (in case of a primary).
secondary (client side): There was only a minor modification on the client side, a87e820577ed1975be42f0a2cae378c86a97a06a, so this is probably not related to the TLS-AUTH code (server side).
notifies (server side): Didn't touch notifies. It was in my TODO plans, but after reading that nsd only supports UDP it makes things a little harder for this. If TCP is enabled, then this is quite easy to implement #365
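The "expected 'foo', got 'bar'" diagnostic Andreas asked for, as an added example that is not NSD's code and not part of this thread. It reimplements the hostname check a TLS client performs on the peer certificate's dNSName entries (case-insensitive exact match, or one leftmost "*" label standing for exactly one host label and refused directly under the top-level label, the usual RFC 6125 rules) so it builds without libssl; a real implementation would take the name list from the TLS library's parsed certificate. The function names, the "hostname ok" wording and the SAN list in example_mismatch() are constructed for the example, chosen to mirror the s2.example.com / s3.example.com mismatch in the log excerpt above.

```c
/*
 * Added example, not code from NSD. Reimplements a certificate hostname
 * check whose failure message names both the expected host and every name
 * the certificate actually carried. Matching rules are the usual RFC 6125
 * ones, written here without libssl so the example builds stand-alone.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Case-insensitive equality of two DNS names (no trailing-dot handling). */
static int name_eq(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* 1 if one certificate dNSName (literal or "*.domain") covers host, else 0. */
int cert_name_matches(const char *cert_name, const char *host)
{
    const char *host_rest, *cert_rest;

    if (strncmp(cert_name, "*.", 2) != 0)
        return name_eq(cert_name, host);

    cert_rest = cert_name + 1;            /* "*.example.com" -> ".example.com" */
    if (strchr(cert_rest + 1, '.') == NULL)
        return 0;                         /* refuse "*.com"-style wildcards */
    host_rest = strchr(host, '.');
    if (host_rest == NULL || host_rest == host)
        return 0;                         /* host needs a non-empty first label */
    /* The wildcard stands for exactly one label, so the rest must be equal. */
    return name_eq(cert_rest, host_rest);
}

/*
 * Check the expected name against every dNSName the certificate carried.
 * Returns 1 on match. On failure returns 0 and writes a diagnostic that
 * names both sides into msg (always NUL-terminated, truncated if needed).
 */
int verify_hostname(const char *expected, const char *const *cert_names,
                    size_t ncert, char *msg, size_t msglen)
{
    size_t i, used;

    for (i = 0; i < ncert; i++) {
        if (cert_name_matches(cert_names[i], expected)) {
            snprintf(msg, msglen, "hostname ok: '%s' matched '%s'",
                     expected, cert_names[i]);
            return 1;
        }
    }
    used = (size_t)snprintf(msg, msglen,
                            "hostname mismatch: expected '%s', got ", expected);
    if (ncert == 0 && used < msglen)
        snprintf(msg + used, msglen - used, "no dNSName entries");
    for (i = 0; i < ncert && used < msglen; i++)
        used += (size_t)snprintf(msg + used, msglen - used, "%s'%s'",
                                 i > 0 ? ", " : "", cert_names[i]);
    return 0;
}

/*
 * Constructed scenario mirroring the log excerpt above: the peer presented a
 * certificate for s3.example.com while the configuration expects
 * s2.example.com. Returns the diagnostic the check produced.
 */
const char *example_mismatch(void)
{
    static char msg[256];
    const char *presented[] = { "s3.example.com" };  /* constructed SAN list */

    verify_hostname("s2.example.com", presented, 1, msg, sizeof msg);
    return msg;
}

int main(void)
{
    puts(example_mismatch());
    /* prints: hostname mismatch: expected 's2.example.com', got 's3.example.com' */
    return 0;
}
```

Listing every dNSName on the mismatch path is deliberate: when the peer's certificate is a multi-SAN or wildcard certificate, seeing all the names it offers is what tells the operator whether the fix belongs in tls-auth on the secondary or in the certificate on the primary.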
After "error: xfrd tls: TLS verify failed - (62) depth: 0 error: hostname mismatch" I also saw "error: xfrd: TLS handshake failed: Success"