cert-file quoted_string;
ciphers string;
dhparam-file quoted_string;
- hostname quoted_string;
key-file quoted_string;
prefer-server-ciphers boolean;
protocols { string; ... };
+ remote-hostname quoted_string;
session-tickets boolean;
};
dns_transport_set_prefer_server_ciphers)
parse_transport_option(doh, transport, "ca-file",
dns_transport_set_cafile);
- parse_transport_option(doh, transport, "hostname",
- dns_transport_set_hostname);
+ parse_transport_option(doh, transport, "remote-hostname",
+ dns_transport_set_remote_hostname);
}
return (ISC_R_SUCCESS);
dns_transport_set_prefer_server_ciphers)
parse_transport_option(tls, transport, "ca-file",
dns_transport_set_cafile);
- parse_transport_option(tls, transport, "hostname",
- dns_transport_set_hostname);
+ parse_transport_option(tls, transport, "remote-hostname",
+ dns_transport_set_remote_hostname);
}
return (ISC_R_SUCCESS);
# In some cases a "tls" statement may omit key-file and cert-file.
tls local-tls {
protocols {TLSv1.2;};
- hostname "fqdn.example.com";
+ remote-hostname "fqdn.example.com";
};
};
tls tls-example-primary {
- hostname "srv01.crt01.example.com"; // enable Strict TLS
+ remote-hostname "srv01.crt01.example.com"; // enable Strict TLS
ca-file "../CA/CA.pem";
};
# the server's certificate does not contain SubjectAltName, which is required for DoT
tls tls-example-primary-no-san {
- hostname "srv01.crt02-no-san.example.com"; // enable Strict TLS
+ remote-hostname "srv01.crt02-no-san.example.com"; // enable Strict TLS
ca-file "../CA/CA.pem";
};
allow-transfer { any; };
};
-# As you can see, the "hostname" is missing, but "ca-file" is
+# As you can see, the "remote-hostname" is missing, but "ca-file" is
# specified. As the result, the primaries server certificate will be
# verified using the IP address instead of hostname. That is fine,
# because the server certificate is issued with IP address in the
};
tls tls-example-primary-strict-tls-ipv4 {
- hostname "10.53.0.1"; # the IP is in the server's cert SAN
+ remote-hostname "10.53.0.1"; # the IP is in the server's cert SAN
ca-file "../CA/CA.pem"; # enable Strict TLS
};
};
tls tls-example-primary-strict-tls-ipv6 {
- hostname "fd92:7065:b8e:ffff::1"; # the IP is in the server's cert SAN
+ remote-hostname "fd92:7065:b8e:ffff::1"; # the IP is in the server's cert SAN
ca-file "../CA/CA.pem"; # enable Strict TLS
};
};
tls tls-example-primary-strict-tls-wrong-host {
- hostname "not-present.example.com"; # this is not present in the server's cert SAN
+ remote-hostname "not-present.example.com"; # this is not present in the server's cert SAN
ca-file "../CA/CA.pem"; # enable Strict TLS
};
};
tls tls-example-primary-strict-tls-expired {
- hostname "srv01.crt03-expired.example.com";
+ remote-hostname "srv01.crt03-expired.example.com";
ca-file "../CA/CA.pem";
};
};
tls tls-example-primary-mutual-tls {
- hostname "srv01.crt01.example.com";
+ remote-hostname "srv01.crt01.example.com";
ca-file "../CA/CA.pem";
cert-file "../CA/certs/srv01.client02-ns2.example.com.pem";
key-file "../CA/certs/srv01.client02-ns2.example.com.key";
};
tls tls-example-primary-mutual-tls-expired {
- hostname "srv01.crt01.example.com";
+ remote-hostname "srv01.crt01.example.com";
ca-file "../CA/CA.pem";
cert-file "../CA/certs/srv01.client03-ns2-expired.example.com.pem";
key-file "../CA/certs/srv01.client03-ns2-expired.example.com.key";
Declares communication channels to get access to :iscman:`named` statistics.
``tls``
- Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``ca-file``, ``dhparam-file``, ``hostname``, ``ciphers``, ``protocols``, ``prefer-server-ciphers``, and ``session-tickets``.
+ Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``ca-file``, ``dhparam-file``, ``remote-hostname``, ``ciphers``, ``protocols``, ``prefer-server-ciphers``, and ``session-tickets``.
``http``
Specifies configuration information for an HTTP connection, including ``endponts``, ``listener-clients`` and ``streams-per-connection``.
.. warning::
Please note that TLS connections to primaries are **not
- authenticated** unless ``hostname`` or ``ca-file`` are specified
+ authenticated** unless ``remote-hostname`` or ``ca-file`` are specified
within the :ref:`tls statement <tls>` in use (see information on
:ref:`Strict TLS <strict-tls>` and :ref:`Mutual TLS <mutual-tls>`
for more details). **Not authenticated mode** (:ref:`Opportunistic
this option enables remote peer certificates verification. For
incoming connections specifying this option will make BIND require
a valid TLS certificate from a client. In the case of outgoing
- connections, if ``hostname`` is not specified, then the remote
+ connections, if ``remote-hostname`` is not specified, then the remote
server IP address is used instead.
``dhparam-file``
specified is essential for enabling perfect forward secrecy capable
ciphers in TLSv1.2.
- ``hostname``
+ ``remote-hostname``
The expected hostname in the TLS certificate of the
remote server. This option enables a remote server certificate
verification. If ``ca-file`` is not specified, then the
Opportunistic TLS provides encryption for data but does not provide
any authentication for the channel. This mode is the default one and
-it is used whenever ``hostname`` and ``ca-file`` options are not set
+it is used whenever ``remote-hostname`` and ``ca-file`` options are not set
in ``tls`` statements in use. RFC 9103 allows optional fallback to
clear-text DNS in the cases when TLS is not available. Still, BIND
intentionally does not support that in order to protect from
Strict TLS provides server authentication via a pre-configured
hostname for outgoing connections. This mechanism offers both channel
confidentiality and channel authentication (of the server). In order
-to achieve Strict TLS, one needs to use ``hostname`` and, optionally,
+to achieve Strict TLS, one needs to use ``remote-hostname`` and, optionally,
``ca-file`` options in the ``tls`` statements used for establishing
outgoing connections (e.g. the ones used to download zone from
primaries via TLS). Providing any of the mentioned options will enable
-server authentication. If ``hostname`` is provided but ``ca-file`` is
+server authentication. If ``remote-hostname`` is provided but ``ca-file`` is
missed, then the platform-specific certificate authority certificates
are used for authentication. The set roughly corresponds to the one
used by WEB-browsers to authenticate HTTPS hosts. On the other hand,
-if ``ca-file`` is provided but ``hostname`` is missing, then the
+if ``ca-file`` is provided but ``remote-hostname`` is missing, then the
remote side's IP address is used instead.
.. _mutual-tls:
cert\-file quoted_string;
ciphers string;
dhparam\-file quoted_string;
- hostname quoted_string;
key\-file quoted_string;
prefer\-server\-ciphers boolean;
protocols { string; ... };
+ remote\-hostname quoted_string;
session\-tickets boolean;
};
.ft P
cert-file <quoted_string>;
ciphers <string>;
dhparam-file <quoted_string>;
- hostname <quoted_string>;
key-file <quoted_string>;
prefer-server-ciphers <boolean>;
protocols { <string>; ... };
+ remote-hostname <quoted_string>;
session-tickets <boolean>;
}; // may occur multiple times
cert-file <quoted_string>;
ciphers <string>;
dhparam-file <quoted_string>;
- hostname <quoted_string>;
key-file <quoted_string>;
prefer-server-ciphers <boolean>;
protocols { <string>; ... };
+ remote-hostname <quoted_string>;
session-tickets <boolean>;
}; // may occur multiple times
cert-file <quoted_string>;
ciphers <string>;
dhparam-file <quoted_string>;
- hostname <quoted_string>;
key-file <quoted_string>;
prefer-server-ciphers <boolean>;
protocols { <string>; ... };
+ remote-hostname <quoted_string>;
session-tickets <boolean>;
};
char *
dns_transport_get_cafile(dns_transport_t *transport);
char *
-dns_transport_get_hostname(dns_transport_t *transport);
+dns_transport_get_remote_hostname(dns_transport_t *transport);
char *
dns_transport_get_endpoint(dns_transport_t *transport);
dns_http_mode_t
void
dns_transport_set_cafile(dns_transport_t *transport, const char *cafile);
void
-dns_transport_set_hostname(dns_transport_t *transport, const char *hostname);
+dns_transport_set_remote_hostname(dns_transport_t *transport,
+ const char *hostname);
void
dns_transport_set_endpoint(dns_transport_t *transport, const char *endpoint);
void
char *certfile;
char *keyfile;
char *cafile;
- char *hostname;
+ char *remote_hostname;
char *ciphers;
uint32_t protocol_versions;
ternary_t prefer_server_ciphers;
}
char *
-dns_transport_get_hostname(dns_transport_t *transport) {
+dns_transport_get_remote_hostname(dns_transport_t *transport) {
REQUIRE(VALID_TRANSPORT(transport));
- return (transport->tls.hostname);
+ return (transport->tls.remote_hostname);
}
char *
}
void
-dns_transport_set_hostname(dns_transport_t *transport, const char *hostname) {
+dns_transport_set_remote_hostname(dns_transport_t *transport,
+ const char *hostname) {
REQUIRE(VALID_TRANSPORT(transport));
REQUIRE(transport->type == DNS_TRANSPORT_TLS ||
transport->type == DNS_TRANSPORT_HTTP);
- if (transport->tls.hostname != NULL) {
- isc_mem_free(transport->mctx, transport->tls.hostname);
+ if (transport->tls.remote_hostname != NULL) {
+ isc_mem_free(transport->mctx, transport->tls.remote_hostname);
}
if (hostname != NULL) {
- transport->tls.hostname = isc_mem_strdup(transport->mctx,
- hostname);
+ transport->tls.remote_hostname = isc_mem_strdup(transport->mctx,
+ hostname);
}
}
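Review bot: After the old value is released by `isc_mem_free(transport->mctx, transport->tls.remote_hostname);`, the field is reassigned only inside `if (hostname != NULL)`, so a call with `hostname == NULL` leaves `transport->tls.remote_hostname` pointing at freed memory, and the matching `isc_mem_free` on that field at the teardown site touched by this same commit would then release it a second time. This predates the rename, but the rewrite of these lines is the natural place to close it. Add `transport->tls.remote_hostname = NULL;` directly after the free, or make the assignment unconditional: `transport->tls.remote_hostname = (hostname != NULL) ? isc_mem_strdup(transport->mctx, hostname) : NULL;`. Whether any caller actually passes NULL is not visible here; the guard is cheap either way.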
if (transport->doh.endpoint != NULL) {
isc_mem_free(transport->mctx, transport->doh.endpoint);
}
- if (transport->tls.hostname != NULL) {
- isc_mem_free(transport->mctx, transport->tls.hostname);
+ if (transport->tls.remote_hostname != NULL) {
+ isc_mem_free(transport->mctx, transport->tls.remote_hostname);
}
if (transport->tls.cafile != NULL) {
isc_mem_free(transport->mctx, transport->tls.cafile);
&tlsctx, &found_store);
if (result != ISC_R_SUCCESS) {
const char *hostname =
- dns_transport_get_hostname(xfr->transport);
+ dns_transport_get_remote_hostname(
+ xfr->transport);
const char *ca_file =
dns_transport_get_cafile(xfr->transport);
const char *cert_file =
{ "key-file", &cfg_type_qstring, 0 },
{ "cert-file", &cfg_type_qstring, 0 },
{ "ca-file", &cfg_type_qstring, 0 },
- { "hostname", &cfg_type_qstring, 0 },
+ { "remote-hostname", &cfg_type_qstring, 0 },
{ "dhparam-file", &cfg_type_qstring, 0 },
{ "protocols", &cfg_type_tlsprotos, 0 },
{ "ciphers", &cfg_type_astring, 0 },
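Review bot: Removing the `"hostname"` entry from the clause table means an existing `tls` block that still uses the old keyword no longer parses, which from what is visible here looks like a hard configuration error rather than a silent fallback; that is the safer outcome, since `hostname` was the setting that turned on Strict TLS server authentication. If a compatibility alias is added later, it must be wired to `dns_transport_set_remote_hostname` exactly as `"remote-hostname"` is in `parse_transport_option`; keeping `"hostname"` accepted by the grammar but unread by the parser would let an upgraded server quietly drop certificate verification for its primaries. A release note and a parse-time message pointing operators at `remote-hostname` would make the upgrade path explicit; neither is visible in this change.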