+4734. [contrib] Added sample configuration for DNS-over-TLS in
+ contrib/dnspriv.
+
4733. [bug] Change #4706 introduced a bug causing TCP clients
not be reused correctly, leading to unconstrained
memory growth. [RT #46029]
mkdane.sh generates TLSA records for use with DNS-based
Authentication of Named Entities (DANE)
+ - dnspriv/
+
+ Sample configuration for setting up a DNS-over-TLS server
+ using BIND with Nginx as a TLS proxy
+
- dlz/modules
Dynamically linkable DLZ modules that can be configured into
--- /dev/null
+<!--
+ - Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+### DNS Privacy in BIND
+
+This directory contains sample configuration files to enable BIND,
+with Nginx as a TLS proxy, to provide DNS over TLS.
+
+`named.conf` configures a validating recursive name server to listen
+on the localhost address at port 8853.
+
+`nginx.conf` configures a TLS proxy to listen on port 853 and
+forward queries and responses to `named`.
+
+For more information, please see
+[https://dnsprivacy.org/wiki/](https://dnsprivacy.org/wiki/)
--- /dev/null
+/*
+ * Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+options {
+ listen-on port 8853 { 127.0.0.1; };
+ allow-query { localhost; };
+ recursion yes;
+ dnssec-validation auto;
+ tcp-clients 1024;
+};
--- /dev/null
+# Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# uncomment to choose an appropriate UID/GID; default is 'nobody'
+# user bind bind;
+
+worker_processes auto;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+ multi_accept on;
+}
+
+stream {
+ upstream dns_tcp_servers {
+ server 127.0.0.1:8853;
+ }
+
+ server {
+ listen 853 ssl;
+ proxy_pass dns_tcp_servers;
+
+ # update to a suitable SSL certificate (e.g. from LetsEncrypt),
+ # and uncomment the following lines:
+ # ssl_certificate /etc/nginx/lego/certificates/<cert>.crt;
+ # ssl_certificate_key /etc/nginx/lego/certificates/<cert>.key;
+
+ ssl_protocols TLSv1.2;
+ ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_session_tickets on;
+ ssl_session_timeout 4h;
+ ssl_handshake_timeout 30s;
+ }
+}
./conftools/perllib/dnsconf/Makefile.PL PERL 2000,2001,2004,2007,2012,2016
./conftools/perllib/dnsconf/named1.conf CONF-C 2000,2001,2004,2007,2016
./conftools/perllib/dnsconf/test.pl PERL 2000,2001,2004,2007,2012,2016
-./contrib/README X 2014,2015,2016
+./contrib/README X 2014,2015,2016,2017
./contrib/dane/mkdane.sh X 2012
./contrib/dane/tlsa6698.pem X 2012
./contrib/dlz/.gitignore X 2014
./contrib/dnsperf-2.1.0.0-1/util.h X 2016
./contrib/dnsperf-2.1.0.0-1/version.h X 2016
./contrib/dnsperf-patches/0001-Add-support-for-sending-EDNS-CLIENT-SUBNET-option-in.patch X 2016
+./contrib/dnspriv/README.md MKD 2017
+./contrib/dnspriv/named.conf CONF-C 2017
+./contrib/dnspriv/nginx.conf SH 2017
./contrib/idn/README.idnkit X 2005,2009
./contrib/idn/idnkit-1.0-src/.gitignore X 2014
./contrib/idn/idnkit-1.0-src/ChangeLog X 2003
projects / thirdparty / bind9.git / commitdiff
