Op 18-03-2025 om 14:14 schreef Klaus Darilion via nsd-users:> > Answering myself (untested yet): It seems that ?tls-cert-bundle:? may > be the solution to manually specify trust anchors. Frankly, this is a > ?server:? option but I would have expected it under the tls-auth: > section to be configurable per tls-context. >We could modify that of course, but personally I also feel for the pin authentication that Knot-dns employs. Would that work for you? Regards, -- Willem> Regards > > Klaus > > *From:*nsd-users <nsd-users-bounces at lists.nlnetlabs.nl> *On Behalf Of > *Klaus Darilion via nsd-users > *Sent:* Monday, March 17, 2025 2:32 PM > *To:* nsd-users at lists.nlnetlabs.nl > *Subject:* [nsd-users] Can XoT use self-signed certificates? > > Hi! > > I am testing XoT with NSD as secondary. > > As far as I see, for certificate validation always the OS installed CA > certificates are used. (/etc/ca-certificates.conf in Ubuntu) > > Is it possible to use self signed certificates and manually configure > a trust-anchor (e.g. ca-file option in many other TLS supported software)? > > Is it possbile to use opportunistic/ephemeral TLS as supported by Bind? > > Thanks > > Klaus > > > _______________________________________________ > nsd-users mailing list > nsd-users at lists.nlnetlabs.nl > https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20250318/4d85428b/attachment-0001.htm> -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_0xE5F8F8212F77A498_and_old_rev.asc Type: application/pgp-keys Size: 7749 bytes Desc: OpenPGP public key URL: <http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20250318/4d85428b/attachment-0002.bin> -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_signature.asc Type: application/pgp-signature Size: 840 bytes Desc: OpenPGP digital signature URL: <http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20250318/4d85428b/attachment-0003.bin>
Hi Willem! I am not sure either what would be the best approach. Knot?s PIN approach is great for private installations, but not for general TLS applications where you do not know the other party but want to know a trusted name (confirmed by some well known CA). So far I like Bind?s approach most, where the TLS configuration is similar to standard webservers where you can use either OS installed certificates or provide a list of trusted CA certs manually. Maybe we should wait for more XoT deployments and more feedback from admins. Anyway, IMHO all 3 implementations (Knot, Bind, NSD) lacks logging of TLS parameters and helpful error messages when TLS handshakes fail. For example, NSD?s ?axfr for ? from ?. refused tls-auth-xfr-only? as only error log is not very helpful when I try to understand why the connection fails. For example NSD could add some more info if connection fails, like: Did NSD as primary requested a client cert from the secondary name server? If yes, did the secondary provided a certificate? If yes, what is the host name that was searched in the certificate name? Was it found or not? Why was the client certificate not accepted? Or was everything with the client certificate but the configured policy forbids zone transfer? Thanks Klaus -- Klaus Darilion, Head of Operations nic.at GmbH, Jakob-Haringer-Stra?e 8/V 5020 Salzburg, Austria From: nsd-users <nsd-users-bounces at lists.nlnetlabs.nl> On Behalf Of Willem Toorop via nsd-users Sent: Tuesday, March 18, 2025 4:39 PM To: nsd-users at lists.nlnetlabs.nl Subject: Re: [nsd-users] Can XoT use self-signed certificates? Op 18-03-2025 om 14:14 schreef Klaus Darilion via nsd-users: Answering myself (untested yet): It seems that ?tls-cert-bundle:? may be the solution to manually specify trust anchors. Frankly, this is a ?server:? option but I would have expected it under the tls-auth: section to be configurable per tls-context. We could modify that of course, but personally I also feel for the pin authentication that Knot-dns employs. Would that work for you? Regards, -- Willem Regards Klaus From: nsd-users <nsd-users-bounces at lists.nlnetlabs.nl><mailto:nsd-users-bounces at lists.nlnetlabs.nl> On Behalf Of Klaus Darilion via nsd-users Sent: Monday, March 17, 2025 2:32 PM To: nsd-users at lists.nlnetlabs.nl<mailto:nsd-users at lists.nlnetlabs.nl> Subject: [nsd-users] Can XoT use self-signed certificates? Hi! I am testing XoT with NSD as secondary. As far as I see, for certificate validation always the OS installed CA certificates are used. (/etc/ca-certificates.conf in Ubuntu) Is it possible to use self signed certificates and manually configure a trust-anchor (e.g. ca-file option in many other TLS supported software)? Is it possbile to use opportunistic/ephemeral TLS as supported by Bind? Thanks Klaus _______________________________________________ nsd-users mailing list nsd-users at lists.nlnetlabs.nl<mailto:nsd-users at lists.nlnetlabs.nl> https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20250318/b8de978b/attachment.htm>
Another thing: it seems that mutual TLS with NSD as primary requires tls-cert-bundle to be set explicitly. I.e. my secondary has a public certificate from lets encrypt, and I would expect that the default tls-cert-bundle should work. But it does not. I get the misleading error (debug log level): nsd[2588241]: client cert does not match my-tls xot-test-secondary.ops.nic.at nsd[2588241]: axfr for test.klaus. from 193.46.106.61 refused, no acl matches But after explicitly setting the tld-cert-bundle to the LE root CA it suddenly worked: tls-cert-bundle: /etc/ssl/certs/ISRG_Root_X1.pem nsd[2600852]: my-tls xot-test-secondary.ops.nic.at verified nsd[2600852]: axfr for test.klaus. from 193.46.106.61 tls-auth xot-test-secondary.ops.nic.at So, the above error was wrong and should be something like ?failed to verify certificate issuer?. Further, why is it necessary to explicitly set the tls-cert-bundle? I guess there is a reason as Bind9 also requires to manually set the ca-file for mutual TLS and client verification. I just don?t understand why. Further it complicates life. If my Secondary-DNS provider has a certificate from a well known CA, and the hostname verification succeeds, I want to accept the client cert, regardless if the certificate was issued by Lets Encrypt, Sectigo or Comodo. Thanks Klaus -- Klaus Darilion, Head of Operations nic.at GmbH, Jakob-Haringer-Stra?e 8/V 5020 Salzburg, Austria From: nsd-users <nsd-users-bounces at lists.nlnetlabs.nl> On Behalf Of Willem Toorop via nsd-users Sent: Tuesday, March 18, 2025 4:39 PM To: nsd-users at lists.nlnetlabs.nl Subject: Re: [nsd-users] Can XoT use self-signed certificates? Op 18-03-2025 om 14:14 schreef Klaus Darilion via nsd-users: Answering myself (untested yet): It seems that ?tls-cert-bundle:? may be the solution to manually specify trust anchors. Frankly, this is a ?server:? option but I would have expected it under the tls-auth: section to be configurable per tls-context. We could modify that of course, but personally I also feel for the pin authentication that Knot-dns employs. Would that work for you? Regards, -- Willem Regards Klaus From: nsd-users <nsd-users-bounces at lists.nlnetlabs.nl><mailto:nsd-users-bounces at lists.nlnetlabs.nl> On Behalf Of Klaus Darilion via nsd-users Sent: Monday, March 17, 2025 2:32 PM To: nsd-users at lists.nlnetlabs.nl<mailto:nsd-users at lists.nlnetlabs.nl> Subject: [nsd-users] Can XoT use self-signed certificates? Hi! I am testing XoT with NSD as secondary. As far as I see, for certificate validation always the OS installed CA certificates are used. (/etc/ca-certificates.conf in Ubuntu) Is it possible to use self signed certificates and manually configure a trust-anchor (e.g. ca-file option in many other TLS supported software)? Is it possbile to use opportunistic/ephemeral TLS as supported by Bind? Thanks Klaus _______________________________________________ nsd-users mailing list nsd-users at lists.nlnetlabs.nl<mailto:nsd-users at lists.nlnetlabs.nl> https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20250318/a0f83732/attachment-0001.htm>