From: Petr Špaček Date: Mon, 17 Jan 2022 18:49:48 +0000 (+0100) Subject: Clarify XoT usage and warn about the unauthenticated mode X-Git-Tag: v9.19.0~147^2~14 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ccfe6825085a94467bef8823391876e407626def;p=thirdparty%2Fbind9.git Clarify XoT usage and warn about the unauthenticated mode --- diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 2a851361c07..9faafb90f42 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -886,6 +886,18 @@ used by multiple stub and secondary zones in their ``primaries`` or keyword ``masters``, which can still be used, but is no longer the preferred terminology.) +To force the zone transfer requests to be sent over TLS, use ``tls`` keyword, +e.g. ``primaries { 192.0.2.1 tls tls-configuration-name; };``, +where ``tls-configuration-name`` refers to a previously defined +:ref:`tls statement `. + +.. warning:: + + Please note that TLS connections to primaries are currently + **not authenticated**. This mode provides protection from passive observers + but does not protect from man-in-the-middle attacks on zone transfers. + + .. _options_grammar: ``options`` Statement Grammar @@ -2435,6 +2447,12 @@ for details on how to specify IP address lists. allows outgoing zone transfers to any host using the TLS transport over port 853. +.. warning:: + + Please note that incoming TLS connections are currently + **not authenticated at the TLS level**. + Please use :ref:`tsig` to authenticate requestors. + ``blackhole`` This specifies a list of addresses which the server does not accept queries from or use to resolve a query. Queries from these addresses are not