# pid-file \"" NAMED_LOCALSTATEDIR "/run/named/named.pid\"; \n\
port 53;\n\
tls-port 853;\n\
+ https-port 443;\n\
prefetch 2 9;\n\
recursing-file \"named.recursing\";\n\
recursive-clients 1000;\n\
EXTERN const char *named_g_builder INIT(PACKAGE_BUILDER);
EXTERN in_port_t named_g_port INIT(0);
EXTERN in_port_t named_g_tlsport INIT(0);
+EXTERN in_port_t named_g_http_secure_port INIT(0);
EXTERN isc_dscp_t named_g_dscp INIT(-1);
EXTERN named_server_t *named_g_server INIT(NULL);
static void
parse_port(char *arg) {
- enum { DNSPORT, TLSPORT } ptype = DNSPORT;
+ enum { DNSPORT, TLSPORT, HTTP_SECURE_PORT } ptype = DNSPORT;
char *value = arg;
int port;
} else if (strncmp(arg, "tls=", 4) == 0) {
value = arg + 4;
ptype = TLSPORT;
+ } else if (strncmp(arg, "https=", 6) == 0) {
+ value = arg + 6;
+ ptype = HTTP_SECURE_PORT;
}
port = parse_int(value, "port");
case TLSPORT:
named_g_tlsport = port;
break;
+ case HTTP_SECURE_PORT:
+ named_g_http_secure_port = port;
+ break;
default:
INSIST(0);
ISC_UNREACHABLE();
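Review bot: The new enumerator `HTTP_SECURE_PORT` and the global it writes, `named_g_http_secure_port`, break the naming pattern of the sibling `TLSPORT`/`named_g_tlsport` pair and of the user-facing spelling used everywhere else in this commit (`https=`, `https-port`, `HTTPSPORT` in the test harness); `HTTPSPORT` and `named_g_httpsport`, here and at the globals declaration, would keep the three surfaces on one token. The new case stores the `int` from `parse_int()` into an `in_port_t`; the range check that presumably sits between `parse_int` and the `switch` is not in the hunk, so confirm it runs before the new assignment rather than relying on truncation. A one-line header comment would also help readers, e.g. `/* Parse the -p argument: "<port>", "tls=<port>" or "https=<port>". */`. parse_port's body continues outside the hunk.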
glue-cache boolean;// deprecated
heartbeat-interval integer;
hostname ( quoted_string | none );
+ https-endpoint quoted_string https-server string;
+ https-port integer;
+ https-server string [ port integer ] tls string { (
+ quoted_string [ port integer ] [ dscp integer ] |
+ ipv4_address [ port integer ] [ dscp integer ] |
+ ipv6_address [ port integer ] [ dscp integer ] ); ... };
inline-signing boolean;
interface-interval duration;
ipv4only-contact string;
forwarders [ port integer ] [ dscp integer ] { ( ipv4_address
| ipv6_address ) [ port integer ] [ dscp integer ]; ... };
glue-cache boolean;// deprecated
+ https-endpoint quoted_string https-server string;
inline-signing boolean;
ipv4only-contact string;
ipv4only-enable boolean;
``portnum``; if not not specified, the default is port 53. If
``value`` is of the form ``tls=<portnum>``, the server will
listen for TLS queries on ``portnum``; the default is 853.
-
+ If ``value`` is of the form ``https=<portnum>``, the server will
+ listen for HTTPS queries on ``portnum``; the default is 443.
+
``-s``
This option writes memory usage statistics to ``stdout`` on exit.
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+ key-file "key.pem";
+ cert-file "cert.pem";
+};
+
+options {
+ listen-on { 10.53.0.1; };
+ https-server local-server port 443 tls local-tls { 10.53.0.1; };
+ https-endpoint "/dns-query" https-server local-server;
+};
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+ key-file "key.pem";
+ cert-file "cert.pem";
+};
+
+options {
+ listen-on { 10.53.0.1; };
+ https-server local-server port 443 tls local-tls { 10.53.0.1; };
+};
+
+view one {
+ https-endpoint "/dns-query" https-server local-server;
+};
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+ key-file "key.pem";
+ cert-file "cert.pem";
+};
+
+options {
+ listen-on port 853 tls local-tls { 10.53.0.1; };
+};
atsign="@"
sed -e "s/${atsign}PORT${atsign}/${PORT}/g" \
-e "s/${atsign}TLSPORT${atsign}/${TLSPORT}/g" \
+ -e "s/${atsign}HTTPSPORT${atsign}/${HTTPSPORT}/g" \
-e "s/${atsign}EXTRAPORT1${atsign}/${EXTRAPORT1}/g" \
-e "s/${atsign}EXTRAPORT2${atsign}/${EXTRAPORT2}/g" \
-e "s/${atsign}EXTRAPORT3${atsign}/${EXTRAPORT3}/g" \
echo "export PORT=$(get_port "$baseport")"
echo "export TLSPORT=$(get_port)"
+echo "export HTTPSPORT=$(get_port)"
echo "export EXTRAPORT1=$(get_port)"
echo "export EXTRAPORT2=$(get_port)"
echo "export EXTRAPORT3=$(get_port)"
echostart "S:$systest:$(date_with_args)"
echoinfo "T:$systest:1:A"
echoinfo "A:$systest:System test $systest"
-echoinfo "I:$systest:PORTS:${PORT},${TLSPORT},${EXTRAPORT1},${EXTRAPORT2},${EXTRAPORT3},${EXTRAPORT4},${EXTRAPORT5},${EXTRAPORT6},${EXTRAPORT7},${EXTRAPORT8},${CONTROLPORT}"
+echoinfo "I:$systest:PORTS:${PORT},${TLSPORT},${HTTPSPORT},${EXTRAPORT1},${EXTRAPORT2},${EXTRAPORT3},${EXTRAPORT4},${EXTRAPORT5},${EXTRAPORT6},${EXTRAPORT7},${EXTRAPORT8},${CONTROLPORT}"
$PERL ${srcdir}/testsock.pl -p "$PORT" || {
echowarn "I:$systest:Network interface aliases not set up. Skipping test."
the default is the ``named`` working directory. See :ref:`acl`
for details about ``geoip`` ACLs.
+.. _https_endpoint:
+
+``https-endpoint``
+ This configures an DNS-over-HTTPS service endpoint. It takes a string
+ which specifies the endpoint URL path, and an ``https-server``
+ parameter specifying the server name of an HTTPS listener. (See
+ :ref:`Link title <https_server>`.)
+
``key-directory``
This is the directory where the public and private DNSSEC key files should be
found when performing a dynamic update of secure zones, if different
The interfaces and ports that the server answers queries from may be
specified using the ``listen-on`` and ``listen-on-v6`` options.
+specified using the ``listen-on`` and ``listen-on-v6`` options, as
+well as the ``https-server`` option for HTTPS queries.
``listen-on`` takes an optional port, an optional TLS configuration
identifier, and an ``address_match_list`` of IPv4 addresses. (IPv6
listen-on-v6 { none; };
+.. _https_server:
+
+``https-server`` takes a server name, an optional port, a TLS
+configuration identifier, and an ``address_match_list`` of both IPv4 and
+IPv6 addresses. This sets up an HTTPS responder using the key and
+certificate specified in the referenced ``tls`` statement. The endpoint
+for incoming HTTPS queries must be specified using the ``https-endpoint``
+option (see :ref:`Link title <https_endpoint>`).
+
.. _query_address:
Query Address
\fBportnum\fP; if not not specified, the default is port 53. If
\fBvalue\fP is of the form \fBtls=<portnum>\fP, the server will
listen for TLS queries on \fBportnum\fP; the default is 853.
+If \fBvalue\fP is of the form \fBhttps=<portnum>\fP, the server will
+listen for HTTPS queries on \fBportnum\fP; the default is 443.
.TP
.B \fB\-s\fP
This option writes memory usage statistics to \fBstdout\fP on exit.
glue\-cache boolean;// deprecated
heartbeat\-interval integer;
hostname ( quoted_string | none );
+ https\-endpoint quoted_string https\-server string;
+ https\-port integer;
+ https\-server string [ port integer ] tls string { (
+ quoted_string [ port integer ] [ dscp integer ] |
+ ipv4_address [ port integer ] [ dscp integer ] |
+ ipv6_address [ port integer ] [ dscp integer ] ); ... };
inline\-signing boolean;
interface\-interval duration;
ipv4only\-contact string;
forwarders [ port integer ] [ dscp integer ] { ( ipv4_address
| ipv6_address ) [ port integer ] [ dscp integer ]; ... };
glue\-cache boolean;// deprecated
+ https\-endpoint quoted_string https\-server string;
inline\-signing boolean;
ipv4only\-contact string;
ipv4only\-enable boolean;
glue-cache <boolean>; // deprecated
heartbeat-interval <integer>;
hostname ( <quoted_string> | none );
+ https-endpoint <quoted_string> https-server <string>;
+ https-port <integer>;
+ https-server <string> [ port <integer> ] tls <string> { (
+ <quoted_string> [ port <integer> ] [ dscp <integer> ] |
+ <ipv4_address> [ port <integer> ] [ dscp <integer> ] |
+ <ipv6_address> [ port <integer> ] [ dscp <integer> ] ); ... };
inline-signing <boolean>;
interface-interval <duration>;
ipv4only-contact <string>;
forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
| <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
glue-cache <boolean>; // deprecated
+ https-endpoint <quoted_string> https-server <string>;
inline-signing <boolean>;
ipv4only-contact <string>;
ipv4only-enable <boolean>;
glue-cache <boolean>; // deprecated
heartbeat-interval <integer>;
hostname ( <quoted_string> | none );
+ https-endpoint <quoted_string> https-server <string>;
+ https-port <integer>;
+ https-server <string> [ port <integer> ] tls <string> { (
+ <quoted_string> [ port <integer> ] [ dscp <integer> ] |
+ <ipv4_address> [ port <integer> ] [ dscp <integer> ] |
+ <ipv6_address> [ port <integer> ] [ dscp <integer> ] ); ... };
inline-signing <boolean>;
interface-interval <duration>;
ipv4only-contact <string>;
forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
| <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
glue-cache <boolean>; // deprecated
+ https-endpoint <quoted_string> https-server <string>;
inline-signing <boolean>;
ipv4only-contact <string>;
ipv4only-enable <boolean>;
glue-cache <boolean>; // deprecated
heartbeat-interval <integer>;
hostname ( <quoted_string> | none );
+ https-endpoint <quoted_string> https-server <string>;
+ https-port <integer>;
+ https-server <string> [ port <integer> ] tls <string> { (
+ <quoted_string> [ port <integer> ] [ dscp <integer> ] |
+ <ipv4_address> [ port <integer> ] [ dscp <integer> ] |
+ <ipv6_address> [ port <integer> ] [ dscp <integer> ] ); ... };
inline-signing <boolean>;
interface-interval <duration>;
ipv4only-contact <string>;
static cfg_type_t cfg_type_dnstapoutput;
static cfg_type_t cfg_type_dyndb;
static cfg_type_t cfg_type_plugin;
+static cfg_type_t cfg_type_http_secure_endpoint;
+static cfg_type_t cfg_type_http_secure_server;
static cfg_type_t cfg_type_ixfrdifftype;
static cfg_type_t cfg_type_ixfrratio;
static cfg_type_t cfg_type_key;
{ "host-statistics", NULL, CFG_CLAUSEFLAG_ANCIENT },
{ "host-statistics-max", NULL, CFG_CLAUSEFLAG_ANCIENT },
{ "hostname", &cfg_type_qstringornone, 0 },
+ { "https-server", &cfg_type_http_secure_server, 0 },
{ "interface-interval", &cfg_type_duration, 0 },
{ "keep-response-order", &cfg_type_bracketed_aml, 0 },
{ "listen-on", &cfg_type_listenon, CFG_CLAUSEFLAG_MULTI },
{ "pid-file", &cfg_type_qstringornone, 0 },
{ "port", &cfg_type_uint32, 0 },
{ "tls-port", &cfg_type_uint32, 0 },
+ { "https-port", &cfg_type_uint32, 0 },
{ "querylog", &cfg_type_boolean, 0 },
{ "random-device", &cfg_type_qstringornone, 0 },
{ "recursing-file", &cfg_type_qstring, 0 },
{ "filter-aaaa-on-v4", &cfg_type_boolean, CFG_CLAUSEFLAG_ANCIENT },
{ "filter-aaaa-on-v6", &cfg_type_boolean, CFG_CLAUSEFLAG_ANCIENT },
{ "glue-cache", &cfg_type_boolean, CFG_CLAUSEFLAG_DEPRECATED },
+ { "https-endpoint", &cfg_type_http_secure_endpoint, 0 },
{ "ipv4only-enable", &cfg_type_boolean, 0 },
{ "ipv4only-contact", &cfg_type_astring, 0 },
{ "ipv4only-server", &cfg_type_astring, 0 },
"tlsoptional", parse_optional_keyvalue, print_keyvalue,
doc_optional_keyvalue, &cfg_rep_string, &tls_kw
};
+static cfg_type_t cfg_type_tls = { "tls", parse_keyvalue,
+ print_keyvalue, doc_keyvalue,
+ &cfg_rep_string, &tls_kw };
+
+static keyword_type_t servername_kw = { "https-server", &cfg_type_astring };
+static cfg_type_t cfg_type_servername = { "servername", parse_keyvalue,
+ print_keyvalue, doc_keyvalue,
+ &cfg_rep_string, &servername_kw };
+
+/* http-endpoint */
+static cfg_tuplefielddef_t endpoint_fields[] = {
+ { "path", &cfg_type_qstring, 0 },
+ { "servername", &cfg_type_servername, 0 },
+ { NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_http_secure_endpoint = {
+ "endpoint", cfg_parse_tuple, cfg_print_tuple,
+ cfg_doc_tuple, &cfg_rep_tuple, endpoint_fields
+};
+
+/* http-server */
+static cfg_tuplefielddef_t server_fields[] = {
+ { "name", &cfg_type_astring, 0 },
+ { "port", &cfg_type_optional_port, 0 },
+ { "tls", &cfg_type_tls, 0 },
+ { "addresses", &cfg_type_bracketed_sockaddrnameportlist, 0 },
+ { NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_http_secure_server = {
+ "server", cfg_parse_tuple, cfg_print_tuple,
+ cfg_doc_tuple, &cfg_rep_tuple, server_fields
+};
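Review bot: The `addresses` field of `server_fields` is a `cfg_type_bracketed_sockaddrnameportlist`, so each element may be a quoted host name carrying its own `port` and `dscp` (exactly what the grammar text in this commit prints), yet the reference documentation added for `https-server` describes the last argument as an `address_match_list` of IPv4 and IPv6 addresses; one of the two should change, and if host names are genuinely accepted for a listener the resolution behaviour should be stated. The comments `/* http-endpoint */` and `/* http-server */` do not match the clause names `https-endpoint`/`https-server` registered in the option and view tables; `/* https-endpoint: URL path + https-server reference */` and `/* https-server: listener name, optional port, tls, addresses */` would be clearer. Whether the endpoint `path` string is validated anywhere (for instance, required to begin with `/`) is not visible in this hunk; if that check lives in the config checker, a pointer to it here would help.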