(void)cfg_map_get(options, "listen-on", &clistenon);
}
if (clistenon != NULL) {
- /* check return code? */
- (void)listenlist_fromconfig(
+ CHECK(listenlist_fromconfig(
clistenon, config, named_g_aclconfctx,
- named_g_mctx, AF_INET, &listenon);
+ named_g_mctx, AF_INET, &listenon));
} else {
/*
* Not specified, use default.
(void)cfg_map_get(options, "listen-on-v6", &clistenon);
}
if (clistenon != NULL) {
- /* check return code? */
- (void)listenlist_fromconfig(
+ CHECK(listenlist_fromconfig(
clistenon, config, named_g_aclconfctx,
- named_g_mctx, AF_INET6, &listenon);
+ named_g_mctx, AF_INET6, &listenon));
} else {
/*
* Not specified, use default.
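Review bot: Wrapping listenlist_fromconfig() in CHECK() here and in the IPv4 hunk above turns a previously ignored failure into a jump to a cleanup label that lies outside both hunks; whether that path releases whatever listenlist_fromconfig() leaves in `listenon` on failure, and anything already attached to the server by the time these calls run, cannot be seen here and should be confirmed. If the label's cleanup covers only state set up before these calls, a malformed `listen-on`/`listen-on-v6` clause would now leak where it used to be silently skipped. A one-line comment on the CHECK, such as `/* on failure cleanup frees any partial listenon list */`, would document that expectation once verified. The enclosing function starts and ends outside both hunks.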
in_port_t port = 0;
isc_dscp_t dscp = -1;
const char *key = NULL, *cert = NULL;
- bool do_tls = false, http = false;
+ bool do_tls = false, no_tls = false, http = false;
ns_listenelt_t *delt = NULL;
REQUIRE(target != NULL && *target == NULL);
- /* XXXWPK TODO be more verbose on failures. */
tlsobj = cfg_tuple_get(listener, "tls");
if (tlsobj != NULL && cfg_obj_isstring(tlsobj)) {
const char *tlsname = cfg_obj_asstring(tlsobj);
- if (strcmp(tlsname, "ephemeral") != 0) {
+ if (strcasecmp(tlsname, "none") == 0) {
+ no_tls = true;
+ } else if (strcasecmp(tlsname, "ephemeral") == 0) {
+ do_tls = true;
+ } else {
const cfg_obj_t *keyobj = NULL, *certobj = NULL;
const cfg_obj_t *tlsmap = NULL;
+ do_tls = true;
+
tlsmap = find_maplist(config, "tls", tlsname);
if (tlsmap == NULL) {
return (ISC_R_FAILURE);
CHECK(cfg_map_get(tlsmap, "cert-file", &certobj));
cert = cfg_obj_asstring(certobj);
}
-
- do_tls = true;
}
httpobj = cfg_tuple_get(listener, "http");
if (httpobj != NULL && cfg_obj_isstring(httpobj)) {
const char *httpname = cfg_obj_asstring(httpobj);
+ if (!do_tls && !no_tls) {
+ cfg_obj_log(httpobj, named_g_lctx, ISC_LOG_ERROR,
+ "http must specify a 'tls' "
+ "statement, 'tls ephemeral', or "
+ "'tls none'");
+ return (ISC_R_FAILURE);
+ }
+
http_server = find_maplist(config, "http", httpname);
if (http_server == NULL) {
cfg_obj_log(httpobj, named_g_lctx, ISC_LOG_ERROR,
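Review bot: `no_tls` is set in the new `tls none` branch but, within this hunk, is read only by the http guard, so a listener written as `tls none` without an `http` clause falls through to the plain-DNS path with `do_tls` false and no diagnostic; if that pairing is not meant to be accepted, reject it in the else side of the `if (httpobj != NULL && cfg_obj_isstring(httpobj))` block: `} else if (no_tls) { cfg_obj_log(tlsobj, named_g_lctx, ISC_LOG_ERROR, "'tls none' is only valid together with 'http'"); return (ISC_R_FAILURE); }`. Switching the built-in names from strcmp() to strcasecmp() also means `NONE`/`Ephemeral` now match the built-ins while user-defined `tls` names presumably keep whatever matching find_maplist() applies, so a user-defined `tls None { ... }` is silently shadowed; either use strcmp() consistently or note the case-insensitivity in the comment above the branch. strcasecmp() is POSIX (`<strings.h>`) rather than ISO C, so confirm the include is already present in this file. The enclosing function's signature and the rest of its body lie outside the hunk.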
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+ key-file "key.pem";
+ cert-file "cert.pem";
+};
+
+http local-http-server {
+ endpoints { "/dns-query"; };
+};
+
+options {
+ listen-on { 10.53.0.1; };
+ http-port 80;
+ https-port 443;
+ listen-on port 443 tls local-tls http local-http-server { 10.53.0.1; };
+ listen-on port 8080 tls none http local-http-server { 10.53.0.1; };
+};
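Review bot: This configuration exercises only the accepted forms, `tls local-tls http local-http-server` on port 443 and `tls none http local-http-server` on port 8080; the new rejection of an `http` listener that carries no `tls` clause has no counterpart in this file as far as it shows, so a negative named-checkconf case containing a line such as `listen-on port 8080 http local-http-server { 10.53.0.1; };` and expecting the new "http must specify a 'tls' statement" error would pin that behaviour. A short comment above the port 8080 line, `# unencrypted DoH listener; tls none is required for http without TLS`, would also make the intent of the fixture clear to whoever reads it next. Whether the referenced `key.pem`/`cert.pem` exist alongside this file in the test directory cannot be seen here.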
If an HTTP configuration is specified, ``named`` will listen for
DNS-over-HTTPS (DoH) connections using the HTTP endpoint specified in the
-referenced ``http`` statement. Normally, ``http`` and ``tls``
-configurations will be used together, but ``tls`` may be omitted if
-encryption is being handled by external software.
+referenced ``http`` statement. ``http`` and ``tls`` configurations must be
+used together. If an unencrypted connection is desired (for example, when
+load-sharing servers behind a reverse proxy), ``tls none`` may be
+used.
If a port number is not specified, the default is 53 for standard DNS, 853
for DNS-over-TLS, and 443 for DNS-over-HTTPS.
listen-on-v6 port 1234 { !2001:db8::/32; any; };
listen-on port 8853 tls example-tls { 2001:db8::100; };
listen-on port 8453 tls example-tls http myserver { 2001:db8::100; };
- listen-on port 8000 http myserver { 2001:db8::100; };
+ listen-on port 8000 tls none http myserver { 2001:db8::100; };
The first two lines instruct the name server to listen for standard DNS
queries on port 53 of any IPv6 addresses, and on port 1234 of IPv6
in the a ``tls`` statement with the name ``example-tls``. The fourth
instructs the server to listen for DNS-over-HTTPS connections, again using
``example-tls``, on the HTTP endpoint specified in ``http myserver``. The
-fifth line, in which the ``tls`` parameter is omitted, instructs the server
-to listen for *unencrypted* DNS queries over HTTP.
+fifth line, in which the ``tls`` parameter is set to ``none``, instructs
+the server to listen for *unencrypted* DNS queries over HTTP.
To instruct the server not to listen on any IPv6 addresses, use:
``hostname``
The hostname associated with the certificate.
-The built-in ``ephemeral`` TLS connection object represents a temporary
-key and certificate created for the current ``named`` session only.
+There are two built-in TLS connection configurations: ``ephemeral``,
+uses a temporary key and certificate created for the current ``named``
+session only, and ``none``, which can be used when setting up an HTTP
+listener with no encryption.
.. _http: