From: Artem Boldariev Date: Tue, 3 May 2022 13:51:33 +0000 (+0300) Subject: Rename "hostname" to "remote-hostname" within "tls" X-Git-Tag: v9.18.3~8^2 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=4bb410de982f5d6f9cf21fd14ac7489ee140d3f5;p=thirdparty%2Fbind9.git Rename "hostname" to "remote-hostname" within "tls" This commit renames "hostname" to "remote-hostname" within "tls" options to avoid semantic conflicts with generic "options" configuration. --- diff --git a/bin/named/named.conf.rst b/bin/named/named.conf.rst index 36f473e45d5..8a4cc8cc5d6 100644 --- a/bin/named/named.conf.rst +++ b/bin/named/named.conf.rst @@ -566,10 +566,10 @@ TLS cert-file quoted_string; ciphers string; dhparam-file quoted_string; - hostname quoted_string; key-file quoted_string; prefer-server-ciphers boolean; protocols { string; ... }; + remote-hostname quoted_string; session-tickets boolean; }; diff --git a/bin/named/transportconf.c b/bin/named/transportconf.c index a0417f76aaa..8d3153c7724 100644 --- a/bin/named/transportconf.c +++ b/bin/named/transportconf.c @@ -124,8 +124,8 @@ add_doh_transports(const cfg_obj_t *transportlist, dns_transport_list_t *list) { dns_transport_set_prefer_server_ciphers) parse_transport_option(doh, transport, "ca-file", dns_transport_set_cafile); - parse_transport_option(doh, transport, "hostname", - dns_transport_set_hostname); + parse_transport_option(doh, transport, "remote-hostname", + dns_transport_set_remote_hostname); } return (ISC_R_SUCCESS); @@ -176,8 +176,8 @@ add_tls_transports(const cfg_obj_t *transportlist, dns_transport_list_t *list) { dns_transport_set_prefer_server_ciphers) parse_transport_option(tls, transport, "ca-file", dns_transport_set_cafile); - parse_transport_option(tls, transport, "hostname", - dns_transport_set_hostname); + parse_transport_option(tls, transport, "remote-hostname", + dns_transport_set_remote_hostname); } return (ISC_R_SUCCESS); 
diff --git a/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf b/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf index 340f620ac53..d541d1508ab 100644 --- a/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf +++ b/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf @@ -14,5 +14,5 @@ # In some cases a "tls" statement may omit key-file and cert-file. tls local-tls { protocols {TLSv1.2;}; - hostname "fqdn.example.com"; + remote-hostname "fqdn.example.com"; }; diff --git a/bin/tests/system/doth/ns2/named.conf.in b/bin/tests/system/doth/ns2/named.conf.in index 0c5ec7d73be..d871c57afc9 100644 --- a/bin/tests/system/doth/ns2/named.conf.in +++ b/bin/tests/system/doth/ns2/named.conf.in @@ -57,7 +57,7 @@ zone "." { }; tls tls-example-primary { - hostname "srv01.crt01.example.com"; // enable Strict TLS + remote-hostname "srv01.crt01.example.com"; // enable Strict TLS ca-file "../CA/CA.pem"; }; @@ -70,7 +70,7 @@ zone "example" { # the server's certificate does not contain SubjectAltName, which is required for DoT tls tls-example-primary-no-san { - hostname "srv01.crt02-no-san.example.com"; // enable Strict TLS + remote-hostname "srv01.crt02-no-san.example.com"; // enable Strict TLS ca-file "../CA/CA.pem"; }; @@ -81,7 +81,7 @@ zone "example3" { allow-transfer { any; }; }; -# As you can see, the "hostname" is missing, but "ca-file" is +# As you can see, the "remote-hostname" is missing, but "ca-file" is # specified. As the result, the primaries server certificate will be # verified using the IP address instead of hostname. That is fine, # because the server certificate is issued with IP address in the @@ -98,7 +98,7 @@ zone "example4" { }; tls tls-example-primary-strict-tls-ipv4 { - hostname "10.53.0.1"; # the IP is in the server's cert SAN + remote-hostname "10.53.0.1"; # the IP is in the server's cert SAN ca-file "../CA/CA.pem"; # enable Strict TLS }; 
@@ -110,7 +110,7 @@ zone "example5" { }; tls tls-example-primary-strict-tls-ipv6 { - hostname "fd92:7065:b8e:ffff::1"; # the IP is in the server's cert SAN + remote-hostname "fd92:7065:b8e:ffff::1"; # the IP is in the server's cert SAN ca-file "../CA/CA.pem"; # enable Strict TLS }; @@ -122,7 +122,7 @@ zone "example6" { }; tls tls-example-primary-strict-tls-wrong-host { - hostname "not-present.example.com"; # this is not present in the server's cert SAN + remote-hostname "not-present.example.com"; # this is not present in the server's cert SAN ca-file "../CA/CA.pem"; # enable Strict TLS }; @@ -134,7 +134,7 @@ zone "example7" { }; tls tls-example-primary-strict-tls-expired { - hostname "srv01.crt03-expired.example.com"; + remote-hostname "srv01.crt03-expired.example.com"; ca-file "../CA/CA.pem"; }; @@ -146,7 +146,7 @@ zone "example8" { }; tls tls-example-primary-mutual-tls { - hostname "srv01.crt01.example.com"; + remote-hostname "srv01.crt01.example.com"; ca-file "../CA/CA.pem"; cert-file "../CA/certs/srv01.client02-ns2.example.com.pem"; key-file "../CA/certs/srv01.client02-ns2.example.com.key"; @@ -167,7 +167,7 @@ zone "example10" { }; tls tls-example-primary-mutual-tls-expired { - hostname "srv01.crt01.example.com"; + remote-hostname "srv01.crt01.example.com"; ca-file "../CA/CA.pem"; cert-file "../CA/certs/srv01.client03-ns2-expired.example.com.pem"; key-file "../CA/certs/srv01.client03-ns2-expired.example.com.key"; diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index b63a3d54cb1..e3cd0f11495 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst 
@@ -294,7 +294,7 @@ The following statements are supported: Declares communication channels to get access to :iscman:`named` statistics. ``tls`` - Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``ca-file``, ``dhparam-file``, ``hostname``, ``ciphers``, ``protocols``, ``prefer-server-ciphers``, and ``session-tickets``. + Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``ca-file``, ``dhparam-file``, ``remote-hostname``, ``ciphers``, ``protocols``, ``prefer-server-ciphers``, and ``session-tickets``. ``http`` Specifies configuration information for an HTTP connection, including ``endponts``, ``listener-clients`` and ``streams-per-connection``. @@ -893,7 +893,7 @@ where ``tls-configuration-name`` refers to a previously defined .. warning:: Please note that TLS connections to primaries are **not - authenticated** unless ``hostname`` or ``ca-file`` are specified + authenticated** unless ``remote-hostname`` or ``ca-file`` are specified within the :ref:`tls statement ` in use (see information on :ref:`Strict TLS ` and :ref:`Mutual TLS ` for more details). **Not authenticated mode** (:ref:`Opportunistic @@ -4844,7 +4844,7 @@ The following options can be specified in a ``tls`` statement: this option enables remote peer certificates verification. For incoming connections specifying this option will make BIND require a valid TLS certificate from a client. In the case of outgoing - connections, if ``hostname`` is not specified, then the remote + connections, if ``remote-hostname`` is not specified, then the remote server IP address is used instead. ``dhparam-file`` 
@@ -4854,7 +4854,7 @@ The following options can be specified in a ``tls`` statement: specified is essential for enabling perfect forward secrecy capable ciphers in TLSv1.2. - ``hostname`` + ``remote-hostname`` The expected hostname in the TLS certificate of the remote server. This option enables a remote server certificate verification. If ``ca-file`` is not specified, then the @@ -4939,7 +4939,7 @@ TLS. Opportunistic TLS provides encryption for data but does not provide any authentication for the channel. This mode is the default one and -it is used whenever ``hostname`` and ``ca-file`` options are not set +it is used whenever ``remote-hostname`` and ``ca-file`` options are not set in ``tls`` statements in use. RFC 9103 allows optional fallback to clear-text DNS in the cases when TLS is not available. Still, BIND intentionally does not support that in order to protect from 
@@ -4953,15 +4953,15 @@ otherwise. Strict TLS provides server authentication via a pre-configured hostname for outgoing connections. This mechanism offers both channel confidentiality and channel authentication (of the server). In order -to achieve Strict TLS, one needs to use ``hostname`` and, optionally, +to achieve Strict TLS, one needs to use ``remote-hostname`` and, optionally, ``ca-file`` options in the ``tls`` statements used for establishing outgoing connections (e.g. the ones used to download zone from primaries via TLS). Providing any of the mentioned options will enable -server authentication. If ``hostname`` is provided but ``ca-file`` is +server authentication. If ``remote-hostname`` is provided but ``ca-file`` is missed, then the platform-specific certificate authority certificates are used for authentication. The set roughly corresponds to the one used by WEB-browsers to authenticate HTTPS hosts. On the other hand, -if ``ca-file`` is provided but ``hostname`` is missing, then the +if ``ca-file`` is provided but ``remote-hostname`` is missing, then the remote side's IP address is used instead. .. _mutual-tls: diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in index bbeeeb2acd6..10da5ca64ae 100644 --- a/doc/man/named.conf.5in +++ b/doc/man/named.conf.5in @@ -640,10 +640,10 @@ tls string { cert\-file quoted_string; ciphers string; dhparam\-file quoted_string; - hostname quoted_string; key\-file quoted_string; prefer\-server\-ciphers boolean; protocols { string; ... }; + remote\-hostname quoted_string; session\-tickets boolean; }; .ft P diff --git a/doc/misc/options b/doc/misc/options index cc544d309b1..9b3ae1d0976 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -454,10 +454,10 @@ tls { cert-file ; ciphers ; dhparam-file ; - hostname ; key-file ; prefer-server-ciphers ; protocols { ; ... }; + remote-hostname ; session-tickets ; }; // may occur multiple times 
diff --git a/doc/misc/options.active b/doc/misc/options.active index c6021bdd56d..cfc0aa7a26e 100644 --- a/doc/misc/options.active +++ b/doc/misc/options.active @@ -451,10 +451,10 @@ tls { cert-file ; ciphers ; dhparam-file ; - hostname ; key-file ; prefer-server-ciphers ; protocols { ; ... }; + remote-hostname ; session-tickets ; }; // may occur multiple times diff --git a/doc/misc/tls.grammar.rst b/doc/misc/tls.grammar.rst index fec9c738cca..37d1b97a4f0 100644 --- a/doc/misc/tls.grammar.rst +++ b/doc/misc/tls.grammar.rst @@ -16,9 +16,9 @@ cert-file ; ciphers ; dhparam-file ; - hostname ; key-file ; prefer-server-ciphers ; protocols { ; ... }; + remote-hostname ; session-tickets ; }; diff --git a/lib/dns/include/dns/transport.h b/lib/dns/include/dns/transport.h index 4018b776917..09bf9875e51 100644 --- a/lib/dns/include/dns/transport.h +++ b/lib/dns/include/dns/transport.h @@ -49,7 +49,7 @@ dns_transport_get_keyfile(dns_transport_t *transport); char * dns_transport_get_cafile(dns_transport_t *transport); char * -dns_transport_get_hostname(dns_transport_t *transport); +dns_transport_get_remote_hostname(dns_transport_t *transport); char * dns_transport_get_endpoint(dns_transport_t *transport); dns_http_mode_t @@ -79,7 +79,8 @@ dns_transport_set_keyfile(dns_transport_t *transport, const char *keyfile); void dns_transport_set_cafile(dns_transport_t *transport, const char *cafile); void -dns_transport_set_hostname(dns_transport_t *transport, const char *hostname); +dns_transport_set_remote_hostname(dns_transport_t *transport, + const char *hostname); void dns_transport_set_endpoint(dns_transport_t *transport, const char *endpoint); void diff --git a/lib/dns/transport.c b/lib/dns/transport.c index e7fbb70ac3c..ae1ab7415b1 100644 --- a/lib/dns/transport.c +++ b/lib/dns/transport.c 
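Review bot: In the second transport.h hunk (@@ -79,7 +79,8 @@) `dns_transport_set_remote_hostname` is declared without any comment on what the value controls, and its parameter keeps the old name `hostname` after the rename, so a reader of the header cannot tell that this string is the name the peer's certificate is checked against. Suggest a comment above the setter along the lines of `/*%< Set the hostname expected in the remote server's TLS certificate; a non-NULL value enables remote server certificate verification (Strict TLS). */` and renaming the parameter to `remote_hostname` to match the function. Per the setter body in lib/dns/transport.c, passing NULL releases the previously stored name; presumably that turns verification off again for the transport, which is worth stating in the comment if it is intended.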
@@ -50,7 +50,7 @@ struct dns_transport { char *certfile; char *keyfile; char *cafile; - char *hostname; + char *remote_hostname; char *ciphers; uint32_t protocol_versions; ternary_t prefer_server_ciphers; @@ -118,10 +118,10 @@ dns_transport_get_cafile(dns_transport_t *transport) { } char * -dns_transport_get_hostname(dns_transport_t *transport) { +dns_transport_get_remote_hostname(dns_transport_t *transport) { REQUIRE(VALID_TRANSPORT(transport)); - return (transport->tls.hostname); + return (transport->tls.remote_hostname); } char * @@ -201,18 +201,19 @@ dns_transport_set_cafile(dns_transport_t *transport, const char *cafile) { } void -dns_transport_set_hostname(dns_transport_t *transport, const char *hostname) { +dns_transport_set_remote_hostname(dns_transport_t *transport, + const char *hostname) { REQUIRE(VALID_TRANSPORT(transport)); REQUIRE(transport->type == DNS_TRANSPORT_TLS || transport->type == DNS_TRANSPORT_HTTP); - if (transport->tls.hostname != NULL) { - isc_mem_free(transport->mctx, transport->tls.hostname); + if (transport->tls.remote_hostname != NULL) { + isc_mem_free(transport->mctx, transport->tls.remote_hostname); } if (hostname != NULL) { - transport->tls.hostname = isc_mem_strdup(transport->mctx, - hostname); + transport->tls.remote_hostname = isc_mem_strdup(transport->mctx, + hostname); } } @@ -339,8 +340,8 @@ transport_destroy(dns_transport_t *transport) { if (transport->doh.endpoint != NULL) { isc_mem_free(transport->mctx, transport->doh.endpoint); } - if (transport->tls.hostname != NULL) { - isc_mem_free(transport->mctx, transport->tls.hostname); + if (transport->tls.remote_hostname != NULL) { + isc_mem_free(transport->mctx, transport->tls.remote_hostname); } if (transport->tls.cafile != NULL) { isc_mem_free(transport->mctx, transport->tls.cafile); diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c index d7ff12c4c8a..6c3f8cbd526 100644 --- a/lib/dns/xfrin.c +++ b/lib/dns/xfrin.c 
@@ -977,7 +977,8 @@ xfrin_start(dns_xfrin_ctx_t *xfr) { &tlsctx, &found_store); if (result != ISC_R_SUCCESS) { const char *hostname = - dns_transport_get_hostname(xfr->transport); + dns_transport_get_remote_hostname( + xfr->transport); const char *ca_file = dns_transport_get_cafile(xfr->transport); const char *cert_file = diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index ccc93ae4d14..1758b88d0e5 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -3937,7 +3937,7 @@ static cfg_clausedef_t tls_clauses[] = { { "key-file", &cfg_type_qstring, 0 }, { "cert-file", &cfg_type_qstring, 0 }, { "ca-file", &cfg_type_qstring, 0 }, - { "hostname", &cfg_type_qstring, 0 }, + { "remote-hostname", &cfg_type_qstring, 0 }, { "dhparam-file", &cfg_type_qstring, 0 }, { "protocols", &cfg_type_tlsprotos, 0 }, { "ciphers", &cfg_type_astring, 0 },
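Review bot: The `tls_clauses` hunk removes the `hostname` clause outright with no compatibility alias, so an existing named.conf that enabled Strict TLS via `hostname` will be rejected at load time after upgrading (the X-Git-Tag places this on the 9.18 stable branch), and nothing in this patch adds a CHANGES or release-note entry explaining the rename. A hard parse failure is the right direction here, since it cannot silently leave zone transfers on unauthenticated Opportunistic TLS; for the same reason, if a transitional alias is added it must map `hostname` onto the `remote-hostname` semantics rather than being an obsolete-and-ignored clause, because an ignored `hostname` would downgrade authentication with only a warning. The unknown-option diagnostic will name `hostname` but not its replacement, so a release note pointing operators to `remote-hostname` is the minimum. The `tls_clauses` array begins outside the hunk.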