Witold Kręcicki <w...@isc.org> wrote:

> I'm currently working on DoH/DoT design - most specifically, the configuration
> syntax that will be used to set up DoH/DoT. Since removing or modifying
> options in named.conf is very hard I want it to be done properly - hence this
> request for comments. The current design document is here:
> https://gitlab.isc.org/isc-projects/bind9/-/wikis/DoT/DoH-Design

The TLS and DoT aspects seem OK to me. How are ACLs configured?

I think it would help to make the HTTP setup a bit richer. You'll have
multiple HTTP endpoints so I would expect to be able to configure them
consistently.

  * XML stats
  * JSON stats
  * DoH
  ? ACME
  ? JSON-flavoured DoH
  ? dig-like YAML-flavoured DoH

ACLs need to be per HTTP path, because stats, DoH queries, and ACME
challenges all have different user bases. Is there a fixed standard path
for each function, or is it configurable? There isn't much of a consensus
for DoH paths (doh101 uses /, others use /dns or /doh).

If ACME isn't built-in then it would be helpful to include support for
publishing a filesystem directory over HTTP. It would also be useful to
support something informative at / to help people who have pointed their
browser at their DNS server. (e.g. is / the default stats channel, or a
DoH endpoint, or a redirect to documentation?) Or you could decide that
you are going to keep well away from ports 80 and 443, which would be a
reasonable choice :-)

Thinking of specifics, one option might be a vaguely nginx-flavoured
top-level config section:

        http {
                listen-on port tls { addresses; };

                location "path" {
                        allow { acl; };
                        # one of
                        handler stats-xml;
                        handler doh;
                        handler directory "/var/lib/dehydrated/acme-challenges";
                };

                # or without configurable paths
                # some subset of
                handler stats-xml allow { admins; };
                handler doh allow { localhost; localnets; };
                handler acme allow { any; };
                root redirect "URL";
        };

I imagine the existing statistics-channel configuration will become an
abbreviation for a more general-purpose http config.

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
Rockall, Malin: Northeast, veering east later, 4 to 6. Moderate, occasionally
rough at first. Mainly fair. Mainly good.
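To make the per-path ACL idea concrete, here is a small Python model of the proposed `http { location "path" { allow {...}; handler ...; } }` block. This is an added example, not code from the message above and not BIND's implementation; the ACL values, the location paths (the DoH path is not standardised), the challenge directory and the documentation URL are all constructed for illustration. It checks the ACL before any handler is dispatched, and, for the "publish a filesystem directory" handler, refuses any request path that would escape the published root, which is the check you would want on such a handler.

```python
"""Per-path HTTP ACL routing modelled on the proposed `http { location ... }` syntax.

Added example; not BIND code. ACL contents, paths and the redirect URL are constructed.
"""
import ipaddress
import posixpath

# Named ACLs. "any" and "localhost" mirror BIND's built-in ACLs; "localnets"
# and "admins" are hypothetical site definitions with documentation prefixes.
ACLS = {
    "any": ["0.0.0.0/0", "::/0"],
    "localhost": ["127.0.0.0/8", "::1/128"],
    "localnets": ["192.0.2.0/24", "2001:db8::/32"],
    "admins": ["192.0.2.10/32"],
}

# One entry per proposed `location "path" { allow { ... }; handler ...; }`.
# Hypothetical paths; the DoH path in particular has no agreed standard.
LOCATIONS = {
    "/": {"allow": ["any"], "handler": "redirect", "target": "https://docs.example/"},
    "/stats/xml": {"allow": ["admins"], "handler": "stats-xml"},
    "/dns-query": {"allow": ["localhost", "localnets"], "handler": "doh"},
    "/.well-known/acme-challenge/": {
        "allow": ["any"],
        "handler": "directory",
        "root": "/var/lib/dehydrated/acme-challenges",
    },
}


def expand_acl(names):
    """Turn ACL names into ip_network objects; an unknown name is a config error."""
    nets = []
    for name in names:
        if name not in ACLS:
            raise ValueError(f"unknown ACL {name!r}")
        nets.extend(ipaddress.ip_network(n) for n in ACLS[name])
    return nets


def acl_allows(names, client_ip):
    """True if the client address falls inside any network of the named ACLs."""
    ip = ipaddress.ip_address(client_ip)
    # `in` is False across address families, so an IPv6 client never matches 127.0.0.0/8.
    return any(ip in net for net in expand_acl(names))


def match_location(path):
    """Longest-match lookup: a `directory` location is a prefix, anything else is exact."""
    best = None
    for loc, cfg in LOCATIONS.items():
        hit = path.startswith(loc) if cfg["handler"] == "directory" else path == loc
        if hit and (best is None or len(loc) > len(best[0])):
            best = (loc, cfg)
    return best


def resolve_under_root(root, loc, path):
    """Map a request path to a file under `root`, or None if it would escape the root."""
    rel = path[len(loc):].lstrip("/")
    if "\0" in rel:
        return None
    root = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root, rel))
    # Pure-string check so the example runs without the directory existing.
    if target == root or target.startswith(root + "/"):
        return target
    return None


def route(path, client_ip):
    """Return (status, detail) as the HTTP front end would; ACL is checked before dispatch."""
    hit = match_location(path)
    if hit is None:
        return 404, "no location"
    loc, cfg = hit
    if not acl_allows(cfg["allow"], client_ip):
        return 403, f"{client_ip} not in {cfg['allow']}"  # denied before any handler runs
    if cfg["handler"] == "redirect":
        return 302, cfg["target"]
    if cfg["handler"] == "directory":
        target = resolve_under_root(cfg["root"], loc, path)
        if target is None:
            return 404, "outside published directory"
        return 200, target
    return 200, cfg["handler"]


if __name__ == "__main__":
    for req in [("/dns-query", "192.0.2.20"), ("/stats/xml", "192.0.2.20"),
                ("/.well-known/acme-challenge/../../../etc/passwd", "198.51.100.5")]:
        print(req, "->", route(*req))
```

The two decisions worth noting are that the ACL is evaluated per location and before the handler runs (so a DoH query from outside `localnets` never reaches the resolver), and that the directory handler normalises the joined path and requires it to stay under the configured root rather than trusting the request path.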