From yorgos at nlnetlabs.nl Fri Mar 7 14:05:25 2025
From: yorgos at nlnetlabs.nl (Yorgos Thessalonikefs)
Date: Fri, 7 Mar 2025 15:05:25 +0100
Subject: [nsd-users] Fwd: Re: Opening DoH 443/TCP without opening 443/UDP (NSD has similar issue on DoT)
In-Reply-To: <6f97edd0-3373-45bb-a75b-f3cb1f4dc5e9@andreasschulze.de>
References: <639c623f-152b-43be-89b0-6ec391cd3a30@andreasschulze.de> <6f97edd0-3373-45bb-a75b-f3cb1f4dc5e9@andreasschulze.de>
Message-ID:

Hi Andreas,

The change is now merged. tls-port implicitly turns off listening on UDP on that same port.

https://github.com/NLnetLabs/nsd/pull/428

Best regards,
-- Yorgos

On 06/02/2025 21:09, A. Schulze via nsd-users wrote:
> posted to the wrong (old) address of nsd-users, now to the correct list
> address ...
>
> _______________________________________________
> nsd-users mailing list
> nsd-users at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users

From klaus.darilion at nic.at Mon Mar 17 13:31:39 2025
From: klaus.darilion at nic.at (Klaus Darilion)
Date: Mon, 17 Mar 2025 13:31:39 +0000
Subject: [nsd-users] Can XoT use self-signed certificates?
Message-ID:

Hi!

I am testing XoT with NSD as secondary.

As far as I see, for certificate validation always the OS installed CA certificates are used. (/etc/ca-certificates.conf in Ubuntu)

Is it possible to use self-signed certificates and manually configure a trust anchor (e.g. the ca-file option in many other TLS supported software)?

Is it possible to use opportunistic/ephemeral TLS as supported by Bind?

Thanks
Klaus

From klaus.darilion at nic.at Tue Mar 18 13:14:53 2025
From: klaus.darilion at nic.at (Klaus Darilion)
Date: Tue, 18 Mar 2025 13:14:53 +0000
Subject: [nsd-users] Can XoT use self-signed certificates?
In-Reply-To:
References:
Message-ID:

Answering myself (untested yet): It seems that 'tls-cert-bundle:' may be the solution to manually specify trust anchors. Frankly, this is a 'server:' option, but I would have expected it under the tls-auth: section to be configurable per tls-context.

Regards
Klaus

From willem at nlnetlabs.nl Tue Mar 18 15:39:28 2025
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Tue, 18 Mar 2025 16:39:28 +0100
Subject: [nsd-users] Can XoT use self-signed certificates?
In-Reply-To:
References:
Message-ID: <82db6651-0858-4083-888d-313160d455ef@nlnetlabs.nl>

On 18-03-2025 at 14:14, Klaus Darilion via nsd-users wrote:
>
> Answering myself (untested yet): It seems that 'tls-cert-bundle:' may
> be the solution to manually specify trust anchors. Frankly, this is a
> 'server:' option but I would have expected it under the tls-auth:
> section to be configurable per tls-context.
>

We could modify that of course, but personally I also feel for the pin authentication that Knot-dns employs. Would that work for you?

Regards,
-- Willem

From klaus.darilion at nic.at Tue Mar 18 19:45:39 2025
From: klaus.darilion at nic.at (Klaus Darilion)
Date: Tue, 18 Mar 2025 19:45:39 +0000
Subject: [nsd-users] Can XoT use self-signed certificates?
In-Reply-To: <82db6651-0858-4083-888d-313160d455ef@nlnetlabs.nl>
References: <82db6651-0858-4083-888d-313160d455ef@nlnetlabs.nl>
Message-ID:

Hi Willem!

I am not sure either what would be the best approach. Knot's PIN approach is great for private installations, but not for general TLS applications where you do not know the other party but want to know a trusted name (confirmed by some well known CA). So far I like Bind's approach most, where the TLS configuration is similar to standard webservers, where you can use either OS installed certificates or provide a list of trusted CA certs manually.

Maybe we should wait for more XoT deployments and more feedback from admins.

Anyway, IMHO all 3 implementations (Knot, Bind, NSD) lack logging of TLS parameters and helpful error messages when TLS handshakes fail. For example, NSD's "axfr for ... from ... refused tls-auth-xfr-only" as the only error log is not very helpful when I try to understand why the connection fails. For example NSD could add some more info if the connection fails, like:

Did NSD as primary request a client cert from the secondary name server? If yes, did the secondary provide a certificate? If yes, what is the host name that was searched for in the certificate name? Was it found or not? Why was the client certificate not accepted? Or was everything fine with the client certificate, but the configured policy forbids zone transfer?

Thanks
Klaus

--
Klaus Darilion, Head of Operations
nic.at GmbH, Jakob-Haringer-Straße 8/V
5020 Salzburg, Austria

From klaus.darilion at nic.at Tue Mar 18 21:32:49 2025
From: klaus.darilion at nic.at (Klaus Darilion)
Date: Tue, 18 Mar 2025 21:32:49 +0000
Subject: [nsd-users] Can XoT use self-signed certificates?
In-Reply-To: <82db6651-0858-4083-888d-313160d455ef@nlnetlabs.nl>
References: <82db6651-0858-4083-888d-313160d455ef@nlnetlabs.nl>
Message-ID:

Another thing: it seems that mutual TLS with NSD as primary requires tls-cert-bundle to be set explicitly. I.e. my secondary has a public certificate from Let's Encrypt, and I would expect that the default tls-cert-bundle should work. But it does not. I get the misleading error (debug log level):

nsd[2588241]: client cert does not match my-tls xot-test-secondary.ops.nic.at
nsd[2588241]: axfr for test.klaus. from 193.46.106.61 refused, no acl matches

But after explicitly setting the tls-cert-bundle to the LE root CA it suddenly worked:

tls-cert-bundle: /etc/ssl/certs/ISRG_Root_X1.pem

nsd[2600852]: my-tls xot-test-secondary.ops.nic.at verified
nsd[2600852]: axfr for test.klaus. from 193.46.106.61 tls-auth xot-test-secondary.ops.nic.at

So, the above error was wrong and should be something like "failed to verify certificate issuer".

Further, why is it necessary to explicitly set the tls-cert-bundle? I guess there is a reason, as Bind9 also requires to manually set the ca-file for mutual TLS and client verification. I just don't understand why. Further, it complicates life. If my Secondary-DNS provider has a certificate from a well known CA, and the hostname verification succeeds, I want to accept the client cert, regardless of whether the certificate was issued by Let's Encrypt, Sectigo or Comodo.

Thanks
Klaus

--
Klaus Darilion, Head of Operations
nic.at GmbH, Jakob-Haringer-Straße 8/V
5020 Salzburg, Austria

From sca at andreasschulze.de Wed Mar 19 07:39:54 2025
From: sca at andreasschulze.de (A. Schulze)
Date: Wed, 19 Mar 2025 08:39:54 +0100
Subject: [nsd-users] Can XoT use self-signed certificates?
In-Reply-To:
References: <82db6651-0858-4083-888d-313160d455ef@nlnetlabs.nl>
Message-ID: <20250319083954.Horde.05OrGEIoTc5EawtEXmKbSyz@andreasschulze.de>

Hello Klaus,

Klaus Darilion via nsd-users:
> Further, why is it necessary to explicitly set the tls-cert-bundle?
> I guess there is a reason as Bind9 also requires to manually set the
> ca-file for mutual TLS and client verification. I just don't
> understand why.

Different OS flavors have different places for a "default set of certs trusted by the OS vendor" (CA/B truststore). I think, for that reason, it's necessary to be explicit in nsd.conf.

I assume similar reasons in unbound...

Andreas

From klaus.darilion at nic.at Wed Mar 19 09:08:18 2025
From: klaus.darilion at nic.at (Klaus Darilion)
Date: Wed, 19 Mar 2025 09:08:18 +0000
Subject: [nsd-users] Can XoT use self-signed certificates?
In-Reply-To: <20250319083954.Horde.05OrGEIoTc5EawtEXmKbSyz@andreasschulze.de>
References: <82db6651-0858-4083-888d-313160d455ef@nlnetlabs.nl> <20250319083954.Horde.05OrGEIoTc5EawtEXmKbSyz@andreasschulze.de>
Message-ID:

>> Further, why is it necessary to explicitly set the tls-cert-bundle?
>> I guess there is a reason as Bind9 also requires to manually set the
>> ca-file for mutual TLS and client verification. I just don't
>> understand why.
> Different OS flavors have different places for a "default set of certs
> trusted by the OS vendor" (CA/B truststore)
> I think, for that reason, it's necessary to be explicit in nsd.conf

The confusing thing is that for "strict TLS" there is no need to configure 'tls-cert-bundle' and the OS installed CAs are used for validation. Only for mutual TLS is it mandatory to configure 'tls-cert-bundle', for which I do not see any reason.

Regards
Klaus
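The thread asks for clearer diagnostics than NSD's "client cert does not match" line: was a client certificate presented at all, does its issuer chain to a configured trust anchor (what tls-cert-bundle supplies), and does the expected name appear in the certificate? The script below is an added example, not NSD code and not from anyone in the thread. It replays those three checks with openssl on a throwaway CA and client certificate it builds itself; the CA file stands in for tls-cert-bundle, and the host names, file paths and return codes are all constructed for the demo.

```shell
#!/bin/sh
# Added demo, not NSD code: replay with openssl the checks a primary makes on a
# secondary's client certificate for mutual-TLS XoT, with a distinct message for
# each way it can fail. The CA, the certificate and the host names are constructed
# here; the CA file plays the part of NSD's tls-cert-bundle.

WORK="${WORK:-$(mktemp -d)}"
trap 'rm -rf "$WORK"' EXIT
SECONDARY_NAME="xot-test-secondary.example"   # constructed; the name the primary expects

setup_demo() {
  # Throwaway root CA. A private config keeps the result independent of the
  # system openssl.cnf and marks the certificate as a CA.
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Demo XoT CA (constructed)
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

  # Client certificate for the secondary: the SAN carries the name the primary looks up.
  openssl req -new -config "$WORK/ca.cnf" -subj "/CN=$SECONDARY_NAME" -newkey rsa:2048 -nodes \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
  cat > "$WORK/client.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = DNS:$SECONDARY_NAME
EOF
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/client.ext" -out "$WORK/client.pem" >/dev/null 2>&1
}

# diagnose <client cert file or ""> <trust anchor bundle or ""> <expected name>
# Returns 0 ok, 1 no certificate, 2 chain not trusted, 3 name not in certificate.
diagnose() {
  cert="$1"; bundle="$2"; expect="$3"
  if [ ! -s "$cert" ]; then
    echo "secondary presented no client certificate"; return 1
  fi
  if [ -z "$bundle" ]; then
    ca_opts="-no-CAfile -no-CApath"   # empty trust store: no bundle configured
  else
    ca_opts="-CAfile $bundle"
  fi
  if ! openssl verify $ca_opts -purpose sslclient "$cert" >/dev/null 2>&1; then
    echo "certificate presented, but its issuer does not chain to a configured trust anchor"
    return 2
  fi
  if ! openssl verify $ca_opts -purpose sslclient -verify_hostname "$expect" "$cert" >/dev/null 2>&1; then
    echo "issuer trusted, but expected name '$expect' not found in the certificate"; return 3
  fi
  echo "client certificate verified for $expect"; return 0
}

run_demo() {
  setup_demo
  echo "--- valid certificate, bundle configured"
  diagnose "$WORK/client.pem" "$WORK/ca.pem" "$SECONDARY_NAME" || true
  echo "--- no client certificate"
  diagnose "" "$WORK/ca.pem" "$SECONDARY_NAME" || true
  echo "--- bundle not configured"
  diagnose "$WORK/client.pem" "" "$SECONDARY_NAME" || true
  echo "--- name mismatch"
  diagnose "$WORK/client.pem" "$WORK/ca.pem" "other-secondary.example" || true
}

run_demo
```

The third case is the one Klaus hit: the certificate is fine and the name matches, but without a bundle containing the issuer, verification stops at the chain and never gets as far as the name, which is why a single "does not match" message is misleading. Requires openssl 1.1.1 or later for the -verify_hostname and -no-CAfile options.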
From nsd at pydo.org Wed Mar 19 14:01:16 2025
From: nsd at pydo.org (Artur)
Date: Wed, 19 Mar 2025 15:01:16 +0100
Subject: [nsd-users] Write zone file on update
Message-ID: <1e932e8e-b0aa-43c0-8ae9-3fa3e2580dd6@pydo.org>

Hello,

On a secondary DNS server, the configured zone files are created, then written every 3600 seconds (by default).
These files are not written on a zone update received from the master.
Maybe I'm missing something, but I imagine nsd can load these zone files and serve records (as long as records are not obsolete) even if the master server is unreachable.
So, to avoid serving obsolete zone data it may be a good idea to update zone files as soon as an update comes in.
Is there any option to do that in nsd?

--
Best regards,
Artur

From otto at relax.theregoesmy.email Wed Mar 19 14:56:00 2025
From: otto at relax.theregoesmy.email (Otto Retter)
Date: Wed, 19 Mar 2025 14:56:00 +0000
Subject: [nsd-users] Write zone file on update
In-Reply-To: <1e932e8e-b0aa-43c0-8ae9-3fa3e2580dd6@pydo.org>
References: <1e932e8e-b0aa-43c0-8ae9-3fa3e2580dd6@pydo.org>
Message-ID: <14bbfa61-0a24-405e-9a57-75781e915a83@relax.theregoesmy.email>

Artur via nsd-users wrote:
> On a secondary DNS server, the configured zone files are created, then
> written every 3600 seconds (by default).
> These files are not written on a zone update received from the master.
> Maybe I'm missing something, but I imagine nsd can load these zone files
> and serve records (as long as records are not obsolete) even if the
> master server is unreachable.
> So, to avoid serving obsolete zone data it may be a good idea to update
> zone files as soon as an update comes in.
> Is there any option to do that in nsd?

Hi Artur,

Not sure if it's exactly what you're looking for, but you could write some hook on XFR that calls `nsd-control write`. Probably others have some cleaner or more elegant solutions.

- Otto

From anandb at ripe.net Wed Mar 19 22:53:47 2025
From: anandb at ripe.net (Anand Buddhdev)
Date: Wed, 19 Mar 2025 23:53:47 +0100
Subject: [nsd-users] Write zone file on update
In-Reply-To: <1e932e8e-b0aa-43c0-8ae9-3fa3e2580dd6@pydo.org>
References: <1e932e8e-b0aa-43c0-8ae9-3fa3e2580dd6@pydo.org>
Message-ID:

Hi Artur,

You can set the "zonefiles-write" option in the "server" section to a low value like "1", which will make NSD write the zone file to disk almost immediately after an update.

Regards,
Anand

From nsd at pydo.org Wed Mar 19 23:18:28 2025
From: nsd at pydo.org (Artur)
Date: Thu, 20 Mar 2025 00:18:28 +0100
Subject: [nsd-users] Write zone file on update
In-Reply-To:
References: <1e932e8e-b0aa-43c0-8ae9-3fa3e2580dd6@pydo.org>
Message-ID:

Hello Anand,

On 19/03/2025 at 23:53, Anand Buddhdev wrote:
> You can set the "zonefiles-write" option in the "server" section to a low
> value like "1", which will make NSD write the zone file to disk almost
> immediately after an update.

Yes, it works as expected. Thank you.

However, the NSD documentation is confusing. It states: "Write updated secondary zones to their zonefile *every N seconds*."
I would rather say: "Write secondary zones to their zonefiles N seconds after the zones update."
Or: "Write secondary zone to its zonefile N seconds after the zone update."

I don't know if any nsd dev is reading this, but maybe there is an improvement to the documentation here.

Thank you Otto for your suggestion too.

--
Best regards,
Artur

From anandb at ripe.net Thu Mar 20 09:31:32 2025
From: anandb at ripe.net (Anand Buddhdev)
Date: Thu, 20 Mar 2025 10:31:32 +0100
Subject: [nsd-users] Write zone file on update
In-Reply-To:
References: <1e932e8e-b0aa-43c0-8ae9-3fa3e2580dd6@pydo.org>
Message-ID:

Hi Artur,

I agree that the documentation could be a bit clearer. But it is not actually "N seconds after a zone update". It is "every N seconds after starting the server". Setting the value to "1" means that NSD checks for updated zones every second, and writes them to disk.

In most cases, the default of 1 hour works fine. But like you, other people have also been concerned about serving stale zones when NSD is restarted. Some have worked around this by having some kind of pre-stop hook in systemd to call "nsd-control write". There has also been talk about requesting a feature within NSD itself, to write all updated zones before exiting, so that it can work identically regardless of the init system used to run NSD.

Regards,
Anand
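The pre-stop hook Anand describes, written out as a systemd drop-in. This is an added example, not from the thread or the NSD project: the drop-in path, the absolute path to nsd-control, and the assumption that the packaged nsd.service defines no ExecStop of its own are mine; `nsd-control write` itself is the command named in the thread.

```ini
# /etc/systemd/system/nsd.service.d/write-zones-on-stop.conf   (assumed path)
[Service]
# Clear any ExecStop inherited from the packaged unit, then flush updated
# secondary zones to their zonefiles before systemd sends KillSignal to nsd.
# /usr/sbin/nsd-control is an assumed location; check it with `command -v nsd-control`.
ExecStop=
ExecStop=/usr/sbin/nsd-control write
```

After `systemctl daemon-reload`, a `systemctl stop nsd` runs the write first and then terminates the daemon as before, because systemd still sends KillSignal once the ExecStop commands finish. Whether `nsd-control write` returns only after the files are on disk, rather than after the request is accepted, is an assumption to check against your NSD version before relying on it.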