NLnetLabs / nsd

The NLnet Labs Name Server Daemon (NSD) is an authoritative, RFC compliant DNS nameserver.
https://nlnetlabs.nl/nsd
BSD 3-Clause "New" or "Revised" License

Bugs/notes related to Mutual TLS #364

Open k0ekk0ek opened 3 months ago

k0ekk0ek commented 3 months ago

Andreas Schulze provided some feedback on the Mutual TLS feature on the nsd-users mailing list.

bilias commented 2 months ago

> Andreas Schulze provided some feedback on the Mutual TLS feature on the nsd-users mailing list.
>
> * While trying to get AXFR-over-tls working, I saw errors like "error: xfrd tls: TLS verify failed - (62) depth: 0 error: hostname mismatch"
>   It would be helpful to see there "... hostname mismatch: expected 'foo', got 'bar'"

This is captured in DEBUG

https://github.com/NLnetLabs/nsd/blob/b88421be3b5654eed5e2c432d20172b72ea12052/options.c#L2257-L2259 and https://github.com/NLnetLabs/nsd/blob/b88421be3b5654eed5e2c432d20172b72ea12052/options.c#L2315-L2317

I run my devel SSL code with

undef NDEBUG /**/ in config.h (after configure)

With nsd options -V100 -F 0x0020U -L100 I get:

[2024-08-02 01:20:55.086] nsd[1029706]: info: CN s3.example.com does not match acl for s2.example.com
[2024-08-02 01:20:55.086] nsd[1029706]: warning: client cert does not match tls-master s2.example.com
[2024-08-02 01:20:55.086] nsd[1029706]: info: axfr for example.com. from 127.0.0.1 refused, no acl matches
[2024-08-02 01:20:55.086] nsd[1029706]: info: axfr refused, no acl matches

Maybe we put those two in VERBOSITY LOG instead of DEBUG?
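Added example (not NSD's code and not from any participant in this issue): a small Python parser over log lines in the format quoted above, correlating each refused AXFR with the client-cert CN mismatch logged at the same timestamp and rendering the "expected X, got Y" wording the mailing-list feedback asks for. The sample log is constructed from the lines shown in this thread plus one extra refusal without a CN mismatch.

```python
import re

# Constructed sample modelled on the NSD output quoted in the issue; not real traffic.
SAMPLE_LOG = """\
[2024-08-02 01:20:55.086] nsd[1029706]: info: CN s3.example.com does not match acl for s2.example.com
[2024-08-02 01:20:55.086] nsd[1029706]: warning: client cert does not match tls-master s2.example.com
[2024-08-02 01:20:55.086] nsd[1029706]: info: axfr for example.com. from 127.0.0.1 refused, no acl matches
[2024-08-02 01:20:55.086] nsd[1029706]: info: axfr refused, no acl matches
[2024-08-02 01:21:10.001] nsd[1029706]: info: axfr for example.com. from 192.0.2.7 refused, no acl matches
"""

# One NSD log line: [timestamp] nsd[pid]: level: message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] nsd\[\d+\]: (?P<level>\w+): (?P<msg>.*)$")
# CN mismatch against the tls-auth name configured in the ACL
CN_RE = re.compile(r"^CN (?P<got>\S+) does not match acl for (?P<expected>\S+)$")
# A refused transfer with zone and source address (the bare "axfr refused" line is ignored)
REFUSED_RE = re.compile(r"^axfr for (?P<zone>\S+) from (?P<src>\S+) refused, no acl matches$")


def parse_mtls_refusals(log_text):
    """Return one record per refused AXFR, attaching the CN mismatch (if any)
    that NSD logged with the same timestamp."""
    cn_by_ts = {}
    refusals = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        cn = CN_RE.match(msg)
        if cn:
            cn_by_ts[ts] = {"expected": cn.group("expected"), "got": cn.group("got")}
            continue
        ref = REFUSED_RE.match(msg)
        if ref:
            rec = {"ts": ts, "zone": ref.group("zone"), "src": ref.group("src")}
            rec.update(cn_by_ts.get(ts, {"expected": None, "got": None}))
            refusals.append(rec)
    return refusals


def describe(rec):
    """Render a refusal in the 'expected X, got Y' form requested in the feedback."""
    base = f"{rec['ts']} axfr {rec['zone']} from {rec['src']} refused"
    if rec["expected"] is None:
        return base + " (no client cert mismatch logged)"
    return base + f": client cert CN mismatch, expected '{rec['expected']}', got '{rec['got']}'"


if __name__ == "__main__":
    for r in parse_mtls_refusals(SAMPLE_LOG):
        print(describe(r))
```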


bilias commented 2 months ago
> * I used an IPv6 network for my zone transfer tests and have the impression
>   the outgoing-interface statement at the secondary is not working
>   if AXFR-over-tls is used.

per manual page:

       outgoing-interface: <ip-address>
              Access control list. The listed address is used to request AXFR|IXFR
              (in case of a secondary) or used to send notifies (in case of a primary).