BIND9 DoT/DoH - request for comments

Tony Finch dot at dotat.at
Thu Apr 16 12:43:05 UTC 2020


Witold Kręcicki <wpk at isc.org> wrote:

> I'm currently working on DoH/DoT design - most specifically, the configuration
> syntax that will be used to set up DoH/DoT. Since removing or modifying
> options in named.conf is very hard I want it to be done properly - hence this
> request for comments. The current design document is here:
> https://gitlab.isc.org/isc-projects/bind9/-/wikis/DoT/DoH-Design

The TLS and DoT aspects seem OK to me. How are ACLs configured?

I think it would help to make the HTTP setup a bit richer. You'll have
multiple HTTP endpoints so I would expect to be able to configure them
consistently.

  * XML stats
  * JSON stats
  * DoH
  ? ACME
  ? JSON-flavoured DoH
  ? dig-like YAML-flavoured DoH

ACLs need to be per HTTP path, because stats, DoH queries, and ACME
challenges all have different user bases. Is there a fixed standard path
for each function, or is it configurable? There isn't much of a consensus
for DoH paths (doh101 uses /, others use /dns or /doh).

If ACME isn't built-in then it would be helpful to include support for
publishing a filesystem directory over HTTP. It would also be useful to
support something informative at / to help people who have pointed their
browser at their DNS server. (e.g. is / the default stats channel, or a
DoH endpoint, or a redirect to documentation?) Or you could decide that
you are going to keep well away from ports 80 and 443, which would be a
reasonable choice :-)

Thinking of specifics, one option might be a vaguely nginx-flavoured
top-level config section:

	http {
		listen-on port tls { addresses; };

		location "path" {
			allow { acl; };
			# one of
			handler stats-xml;
			handler doh;
			handler directory "/var/lib/dehydrated/acme-challenges";
		};

		# or without configurable paths
		# some subset of
		handler stats-xml allow { admins; };
		handler doh allow { localhost; localnets; };
		handler acme allow { any; };
		root redirect "URL";
	};

I imagine the existing statistics-channel configuration will become an
abbreviation for a more general-purpose http config.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Rockall, Malin: Northeast, veering east later, 4 to 6. Moderate, occasionally
rough at first. Mainly fair. Mainly good.
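As an added illustration of the per-path ACL point above (example code, not BIND's or the design document's; the ACL names follow the sketched config, while the paths and network prefixes are constructed assumptions), a Python model of how a request would be routed to a location and then checked against that location's allow clause:

```python
import ipaddress

# Named ACLs, using the names from the sketched config. Prefixes are constructed sample values.
ACLS = {
    "any": ["0.0.0.0/0", "::/0"],
    "localhost": ["127.0.0.0/8", "::1/128"],
    "localnets": ["192.0.2.0/24", "2001:db8::/32"],
    "admins": ["192.0.2.10/32"],
}

# The sketched "location" blocks: path -> (handler, ACL names in its allow clause).
# Paths are assumptions; the design document does not fix them.
LOCATIONS = {
    "/stats/xml": ("stats-xml", ["admins"]),
    "/dns-query": ("doh", ["localhost", "localnets"]),
    "/.well-known/acme-challenge": ("directory", ["any"]),
}


def client_allowed(client_ip, acl_names):
    """True if the client address falls inside any network of any named ACL."""
    addr = ipaddress.ip_address(client_ip)
    # An IPv4 address is never "in" an IPv6 network (and vice versa); that is a False, not an error.
    return any(addr in ipaddress.ip_network(net)
               for name in acl_names for net in ACLS[name])


def match_location(path):
    """Longest match on whole path segments, so /stats/xml does not capture /stats/xmlfoo."""
    best = None
    for prefix in LOCATIONS:
        if path == prefix or path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best):
                best = prefix
    return best


def route(client_ip, path):
    """Return (status, handler): 404 for an unpublished path, 403 when the
    location's ACL rejects the client, 200 when the handler may run."""
    prefix = match_location(path)
    if prefix is None:
        return 404, None            # nothing published here: fail closed
    handler, acl_names = LOCATIONS[prefix]
    if not client_allowed(client_ip, acl_names):
        return 403, handler         # right endpoint, wrong user base
    return 200, handler


if __name__ == "__main__":
    for ip, path in [("192.0.2.10", "/stats/xml"), ("192.0.2.55", "/stats/xml"),
                     ("198.51.100.7", "/dns-query"), ("2001:db8::1", "/dns-query"),
                     ("198.51.100.7", "/.well-known/acme-challenge/token"),
                     ("127.0.0.1", "/dns-queryx")]:
        print(ip, path, route(ip, path))
```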