equal to 300 are treated as seconds and converted to
milliseconds before applying the above limits.
+.. _interfaces:
+
Interfaces
^^^^^^^^^^
The interfaces and ports that the server answers queries from may be
-specified using the ``listen-on`` option. ``listen-on`` takes an
-optional port and an ``address_match_list`` of IPv4 addresses. (IPv6
-addresses are ignored, with a logged warning.) The server listens on
-all interfaces allowed by the address match list. If a port is not
-specified, port 53 is used.
+specified using the ``listen-on`` and ``listen-on-v6`` options.
+
+``listen-on`` takes an optional port, an optional TLS configuration
+identifier, and an ``address_match_list`` of IPv4 addresses. (IPv6
+addresses are ignored, with a logged warning.) The server listens on all
+interfaces allowed by the address match list. If a TLS configuration is
+specified, ``named`` will listen for DNS-over-TLS (DoT) connections, using
+the key and certificate specified in the referenced ``tls`` statement. If a
+port number is not specified, the default is 53 for standard DNS and 853
+for DNS-over-TLS.
Multiple ``listen-on`` statements are allowed. For example:
listen-on { 5.6.7.8; };
listen-on port 1234 { !1.2.3.4; 1.2/16; };
+ listen-on port 8853 tls example-tls { 4.3.2.1; };
-enables the name server on port 53 for the IP address 5.6.7.8, and
-on port 1234 of an address on the machine in net 1.2 that is not
-1.2.3.4.
+enables the name server to listen for standard DNS queries on port 53 of the
+IP address 5.6.7.8 and on port 1234 of an address on the machine in net 1.2
+that is not 1.2.3.4, and to listen for DNS-over-TLS connections on port
+8853 of the IP address 4.3.2.1.
-If no ``listen-on`` is specified, the server listens on port 53 on
-all IPv4 interfaces.
+If no ``listen-on`` is specified, the server listens for standard DNS
+on port 53 of all IPv4 interfaces.
-The ``listen-on-v6`` option is used to specify the interfaces and the
-ports on which the server listens for incoming queries sent using
-IPv6. If not specified, the server listens on port 53 on all IPv6
-interfaces.
+The ``listen-on-v6`` option is used to specify the interfaces and the ports
+on which the server listens for incoming queries sent using IPv6. If not
+specified, the server listens for standard DNS queries on port 53 of all
+IPv6 interfaces.
Multiple ``listen-on-v6`` options can be used. For example:
listen-on-v6 { any; };
listen-on-v6 port 1234 { !2001:db8::/32; any; };
+ listen-on port 8853 tls example-tls { 2001:db8::100; };
-enables the name server on port 53 for any IPv6 addresses (with a
-single wildcard socket), and on port 1234 of IPv6 addresses that are not
-in the prefix 2001:db8::/32 (with separate sockets for each matched
-address).
+enables the name server to listen for standard DNS queries on port 53 of
+any IPv6 addresses and on port 1234 of IPv6 addresses that are not in the
+prefix 2001:db8::/32, and for DNS-over-TLS connections on port 8853 of
+the address 2001:db8::100.
To instruct the server not to listen on any IPv6 address, use:
static cfg_type_t cfg_type_optional_keyref;
static cfg_type_t cfg_type_optional_port;
static cfg_type_t cfg_type_optional_uint32;
+static cfg_type_t cfg_type_optional_tls;
static cfg_type_t cfg_type_options;
static cfg_type_t cfg_type_portiplist;
static cfg_type_t cfg_type_printtime;
static cfg_type_t cfg_type_sockaddr4wild;
static cfg_type_t cfg_type_sockaddr6wild;
static cfg_type_t cfg_type_statschannels;
+static cfg_type_t cfg_type_tlsconf;
static cfg_type_t cfg_type_view;
static cfg_type_t cfg_type_viewopts;
static cfg_type_t cfg_type_zone;
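Review bot: The forward declaration `static cfg_type_t cfg_type_optional_tls;` is inserted after `cfg_type_optional_uint32`, which breaks the otherwise alphabetical order of this list; the sequence should read `optional_port`, `optional_tls`, `optional_uint32`, so move the new line one position up. The second insertion, `cfg_type_tlsconf` between `statschannels` and `view`, is already in the right place.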
static cfg_tuplefielddef_t listenon_fields[] = {
{ "port", &cfg_type_optional_port, 0 },
{ "dscp", &cfg_type_optional_dscp, 0 },
+ { "tls", &cfg_type_optional_tls, 0 },
{ "acl", &cfg_type_bracketed_aml, 0 },
{ NULL, NULL, 0 }
};
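Review bot: The new `tls` field in `listenon_fields` is typed as `cfg_type_optional_tls`, whose underlying value is an arbitrary `astring`, so the grammar accepts any identifier here and nothing in this hunk ties it to a `tls` statement that actually exists; that cross-reference check presumably lives in the configuration checker, which is not part of this change and is worth confirming, because a mistyped name would otherwise surface only when the listener is set up. The documentation hunk also states that the default port becomes 853 when `tls` is given, but the tuple keeps the unchanged `cfg_type_optional_port`, so that TLS-aware default must come from the code consuming the tuple rather than from the grammar. A short comment on the field would make both points visible to the next reader, e.g. `{ "tls", &cfg_type_optional_tls, 0 }, /* name of a "tls" statement (see tls_clauses) */`.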
{ "primaries", &cfg_type_primaries, CFG_CLAUSEFLAG_MULTI },
{ "statistics-channels", &cfg_type_statschannels,
CFG_CLAUSEFLAG_MULTI },
+ { "tls", &cfg_type_tlsconf, CFG_CLAUSEFLAG_MULTI },
{ "view", &cfg_type_view, CFG_CLAUSEFLAG_MULTI },
{ NULL, NULL, 0 }
};
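Review bot: The `tls` statement registered here as a `CFG_CLAUSEFLAG_MULTI` clause has no reference-manual entry in the visible documentation change, which only mentions "the referenced ``tls`` statement" from the `listen-on` section and never describes the statement's own syntax. Unless that section is added elsewhere in the commit, the ARM should gain a `tls` grammar entry covering `key-file` and `cert-file`, and it should state explicitly that `dh-param`, `protocols` and `ciphers` are accepted but not yet honoured (they carry `CFG_CLAUSEFLAG_NOTIMP` in `tls_clauses` further down), so that operators do not assume a protocol or cipher restriction is in effect when it is silently ignored. The enclosing clause array starts outside this hunk.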
{ "dnstap-output", &cfg_type_dnstapoutput, 0 },
{ "dnstap-identity", &cfg_type_serverid, 0 },
{ "dnstap-version", &cfg_type_qstringornone, 0 },
-#else /* ifdef HAVE_DNSTAP */
+#else /* ifdef HAVE_DNSTAP */
{ "dnstap-output", &cfg_type_dnstapoutput,
CFG_CLAUSEFLAG_NOTCONFIGURED },
{ "dnstap-identity", &cfg_type_serverid, CFG_CLAUSEFLAG_NOTCONFIGURED },
{ "fstrm-set-output-queue-model", &cfg_type_fstrm_model, 0 },
{ "fstrm-set-output-queue-size", &cfg_type_uint32, 0 },
{ "fstrm-set-reopen-interval", &cfg_type_duration, 0 },
-#else /* ifdef HAVE_DNSTAP */
+#else /* ifdef HAVE_DNSTAP */
{ "fstrm-set-buffer-hint", &cfg_type_uint32,
CFG_CLAUSEFLAG_NOTCONFIGURED },
{ "fstrm-set-flush-timeout", &cfg_type_uint32,
#endif /* HAVE_DNSTAP */
#if defined(HAVE_GEOIP2)
{ "geoip-directory", &cfg_type_qstringornone, 0 },
-#else /* if defined(HAVE_GEOIP2) */
+#else /* if defined(HAVE_GEOIP2) */
{ "geoip-directory", &cfg_type_qstringornone,
CFG_CLAUSEFLAG_NOTCONFIGURED },
#endif /* HAVE_GEOIP2 */
#ifdef USE_DNSRPS
{ "dnsrps-enable", &cfg_type_boolean, 0 },
{ "dnsrps-options", &cfg_type_bracketed_text, 0 },
-#else /* ifdef USE_DNSRPS */
+#else /* ifdef USE_DNSRPS */
{ "dnsrps-enable", &cfg_type_boolean, CFG_CLAUSEFLAG_NOTCONFIGURED },
{ "dnsrps-options", &cfg_type_bracketed_text,
CFG_CLAUSEFLAG_NOTCONFIGURED },
#ifdef USE_DNSRPS
{ "dnsrps-enable", &cfg_type_boolean, 0 },
{ "dnsrps-options", &cfg_type_bracketed_text, 0 },
-#else /* ifdef USE_DNSRPS */
+#else /* ifdef USE_DNSRPS */
{ "dnsrps-enable", &cfg_type_boolean, CFG_CLAUSEFLAG_NOTCONFIGURED },
{ "dnsrps-options", &cfg_type_bracketed_text,
CFG_CLAUSEFLAG_NOTCONFIGURED },
{ "dnssec-validation", &cfg_type_boolorauto, 0 },
#ifdef HAVE_DNSTAP
{ "dnstap", &cfg_type_dnstap, 0 },
-#else /* ifdef HAVE_DNSTAP */
+#else /* ifdef HAVE_DNSTAP */
{ "dnstap", &cfg_type_dnstap, CFG_CLAUSEFLAG_NOTCONFIGURED },
#endif /* HAVE_DNSTAP */
{ "dual-stack-servers", &cfg_type_nameportiplist, 0 },
{ "lame-ttl", &cfg_type_duration, 0 },
#ifdef HAVE_LMDB
{ "lmdb-mapsize", &cfg_type_sizeval, 0 },
-#else /* ifdef HAVE_LMDB */
+#else /* ifdef HAVE_LMDB */
{ "lmdb-mapsize", &cfg_type_sizeval, CFG_CLAUSEFLAG_NOOP },
#endif /* ifdef HAVE_LMDB */
{ "max-acache-size", &cfg_type_sizenodefault, CFG_CLAUSEFLAG_OBSOLETE },
pctx.indent--;
cfg_print_cstr(&pctx, "};\n");
}
+
+/*%
+ * "tls" and related statement syntax.
+ */
+static cfg_type_t cfg_type_sslprotos = {
+ "sslprotos", cfg_parse_spacelist, cfg_print_spacelist,
+ cfg_doc_terminal, &cfg_rep_list, &cfg_type_astring
+};
+
+static cfg_clausedef_t tls_clauses[] = {
+ { "key-file", &cfg_type_qstring, 0 },
+ { "cert-file", &cfg_type_qstring, 0 },
+ { "dh-param", &cfg_type_qstring, CFG_CLAUSEFLAG_NOTIMP },
+ { "protocols", &cfg_type_sslprotos, CFG_CLAUSEFLAG_NOTIMP },
+ { "ciphers", &cfg_type_astring, CFG_CLAUSEFLAG_NOTIMP },
+ { NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *tls_clausesets[] = { tls_clauses, NULL };
+static cfg_type_t cfg_type_tlsconf = { "tlsconf", cfg_parse_named_map,
+ cfg_print_map, cfg_doc_map,
+ &cfg_rep_map, tls_clausesets };
+
+static keyword_type_t tls_kw = { "tls", &cfg_type_astring };
+static cfg_type_t cfg_type_optional_tls = {
+ "tlsoptional", parse_optional_keyvalue, print_keyvalue,
+ doc_optional_keyvalue, &cfg_rep_string, &tls_kw
+};
+static cfg_type_t cfg_type_tls = { "tls", parse_keyvalue,
+ print_keyvalue, doc_keyvalue,
+ &cfg_rep_string, &tls_kw };