[nsd-users] NSD 4.10.1rc2 pre-release

A. Schulze sca at andreasschulze.de
Wed Jul 24 22:00:19 UTC 2024 


Am 23.07.24 um 17:28 schrieb Jeroen Koekkoek via nsd-users:
> NSD 4.10.1rc2 pre-release is available:

no compile time warnings while building on debian bookworm/x86_64

> @bilias implemented mutual TLS authentication for zone transfers.
> Please consult the nsd.conf manual for details on the newly introduced
> configuration options tls-auth-port and tls-auth-xfr-only.

this is an nice feature that seem to work but have some nits.

nsd serving as simple tls server is configured with

server:
	username: nsd
         ip-address: ::@853
         tls-service-key: /path/to/key.pem
         tls-service-pem: /path/to/cert+intermediate.pem
         tls-port: 853

         # since 4.10.1rc2
         ip-address: ::@1853
         tls-auth-port: 1853
         tls-auth-xfr-only: yes
         tls-cert-bundle: /path/to/ca-certificates.crt


in this mode, /path/to/*.pem may accessible for the root user only.

Now, when adding a tls-auth for the purpose of client authentication I add

tls-auth:
         name: primary.nsd.example
         auth-domain-name: primary.nsd.example
         client-cert: /path/to/cert+intermediate.pem
         client-key: /path/to/key.pem

Here, the files /path/to/*.pem are used by a child process with limited privileges of the username 'nsd'
It would be better, if nsd read all tls-auth client-[cert|key] data before dropping privileges.
Then the files could be still limited to be readable by the root user.

next question:
now, the axfr request from secondary to primary is a mTLS connection. But what about notify messages
from primary to secondary? the zone-statement 'notify' does not mention a tls-auth-name
Are these notifies still plain, unencrypted, unauthenticated UDP packets?

next note:
I used an IPv6 network for my zone transfer tests and have the impression,
the outgoing-interface statement at the secondary is not working if AXFR-over-tls is used.

next note:
while trying to get AXFR-over-tls working, I saw errors like "error: xfrd tls: TLS verify failed - (62) depth: 0 error: hostname mismatch"
It would be helpful to see there "... hostname mismatch: expected 'foo', got 'bar'"

funny side note:
after "error: xfrd tls: TLS verify failed - (62) depth: 0 error: hostname mismatch" I also saw
"error: xfrd: TLS handshake failed: Success"

Andreas

More information about the nsd-users mailing list