<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 14pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 14pt; color: rgb(0, 0, 0);">
When validating a certificate, be sure to use the context of the DNS service...</div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 14pt; color: rgb(0, 0, 0);">
So, if your service runs under user BIND, you may need to su to BIND to test. This may help flush out issues where the ca.crt file was set so BIND could not read it.</div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 14pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 14pt; color: rgb(0, 0, 0);">
I don't know what happens when you set TLS to strict, but I would think there's a way of trusting a self-signed certificate by adding as a CA file.</div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 14pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 14pt; color: rgb(0, 0, 0);">
You could expand your openssl commands to create a self-signed CA, then sign each certificate with that CA. See easy-rsa as way of testing this. You only need to add a few more openssl commands to your list.</div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 14pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 14pt; color: rgb(0, 0, 0);">
RW</div>
<div id="Signature" class="elementToProof">
<div id="divtagdefaultwrapper" dir="ltr" style="font-size:14pt;color:#000000;font-family:Calibri,Helvetica,sans-serif">
<p style="margin-top: 0px; margin-bottom: 0px;"><br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;"><br>
</p>
</div>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> bind-users <bind-users-bounces@lists.isc.org> on behalf of Klaus Darilion via bind-users <bind-users@lists.isc.org><br>
<b>Sent:</b> Thursday, February 27, 2025 11:10 AM<br>
<b>To:</b> Greg Choules via bind-users <bind-users@lists.isc.org><br>
<b>Subject:</b> XoT Testing: TLS peer certificate verification failed</font>
<div> </div>
</div>
<style>
<!--
@font-face
{font-family:"Cambria Math"}
@font-face
{font-family:Calibri}
@font-face
{font-family:Aptos}
p.x_MsoNormal, li.x_MsoNormal, div.x_MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Aptos",sans-serif}
a:link, span.x_MsoHyperlink
{color:#467886;
text-decoration:underline}
span.x_E-MailFormatvorlage17
{font-family:"Aptos",sans-serif;
color:windowtext}
.x_MsoChpDefault
{font-size:11.0pt}
@page WordSection1
{margin:70.85pt 70.85pt 2.0cm 70.85pt}
div.x_WordSection1
{}
-->
</style>
<div lang="EN-US" link="#467886" vlink="#96607D" style="word-wrap:break-word">
<div style="font-size:9pt; font-family:'Calibri',sans-serif">
<div style="background-color:#D5EAFF; border:1px dotted #003333; padding:.8em"><span style="font-size:10pt; font-family:'Cambria','times new roman','garamond',serif; color:#ff0000">This email originated from outside of TESLA
</span><br>
<p style="font-size:8pt; line-height:10pt; font-family:'Cambria','times roman',serif">
Do not click links or open attachments unless you recognize the sender and know the content is safe.
</p>
</div>
</div>
<div>
<div class="x_WordSection1">
<p class="x_MsoNormal">Hi! I want to test XoT between Bind9.20.6 primary and secondary.</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">On the primary I created a self-signed certificate with CN=xot-test-primary.ops.nic.at and configured bind:</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal"># Create a 10years valid self-signed certificate:</p>
<p class="x_MsoNormal"># openssl genpkey -algorithm RSA -out private.key -pkeyopt rsa_keygen_bits:2048</p>
<p class="x_MsoNormal"># openssl req -new -key private.key -out request.csr -subj "/CN=xot-test-primary.ops.nic.at"</p>
<p class="x_MsoNormal"># openssl x509 -req -days 3650 -in request.csr -signkey private.key -out certificate.crt</p>
<p class="x_MsoNormal"># openssl x509 -text -noout -in certificate.crt</p>
<p class="x_MsoNormal"># chmod g+r private.key</p>
<p class="x_MsoNormal">#</p>
<p class="x_MsoNormal"># Create DH-params file to enable Diffie-Hellman Perfect Forward Secrecy:</p>
<p class="x_MsoNormal"># openssl dhparam -out dhparam.pem 4096</p>
<p class="x_MsoNormal">#</p>
<p class="x_MsoNormal"># <a href="https://bind9.readthedocs.io/en/v9.20.6/reference.html#namedconf-statement-tls">
https://bind9.readthedocs.io/en/v9.20.6/reference.html#namedconf-statement-tls</a></p>
<p class="x_MsoNormal">tls xot-test {</p>
<p class="x_MsoNormal"> cert-file "/etc/bind/certificate.crt";</p>
<p class="x_MsoNormal"> dhparam-file "/etc/bind/dhparam.pem";</p>
<p class="x_MsoNormal"> key-file "/etc/bind/private.key";</p>
<p class="x_MsoNormal">};</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">options {</p>
<p class="x_MsoNormal"> listen-on { 193.46.106.51; };</p>
<p class="x_MsoNormal"> listen-on-v6 { 2a02:850:1:4::51; };</p>
<p class="x_MsoNormal"> listen-on tls xot-test { 193.46.106.51; };</p>
<p class="x_MsoNormal"> listen-on-v6 tls xot-test { 2a02:850:1:4::51; };</p>
<p class="x_MsoNormal">};</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal"><span style="">That seems to work fine. Then I configured the secondary similar:</span></p>
<p class="x_MsoNormal"><span style=""># Create a 10years valid self-signed certificate:</span></p>
<p class="x_MsoNormal"><span style=""># openssl genpkey -algorithm RSA -out private.key -pkeyopt rsa_keygen_bits:2048</span></p>
<p class="x_MsoNormal"><span style=""># openssl req -new -key private.key -out request.csr -subj "/CN=xot-test-secondary.ops.nic.at"</span></p>
<p class="x_MsoNormal"><span style=""># openssl x509 -req -days 3650 -in request.csr -signkey private.key -out certificate.crt</span></p>
<p class="x_MsoNormal"><span style=""># openssl x509 -text -noout -in certificate.crt</span></p>
<p class="x_MsoNormal"><span style=""># chmod g+r private.key</span></p>
<p class="x_MsoNormal"><span style="">#</span></p>
<p class="x_MsoNormal"><span style=""># Create DH-params file to enable Diffie-Hellman Perfect Forward Secrecy:</span></p>
<p class="x_MsoNormal"><span style=""># openssl dhparam -out dhparam.pem 4096</span></p>
<p class="x_MsoNormal"><span style="">#</span></p>
<p class="x_MsoNormal"><span style=""># <a href="https://bind9.readthedocs.io/en/v9.20.6/reference.html#namedconf-statement-tls">
https://bind9.readthedocs.io/en/v9.20.6/reference.html#namedconf-statement-tls</a></span></p>
<p class="x_MsoNormal"><span style="">tls xot-test {</span></p>
<p class="x_MsoNormal"><span style=""> #ca-file "/etc/bind/ca.crt"; # Activating ca-file force client-certificates for incoming TLS connections</span></p>
<p class="x_MsoNormal"><span style=""> cert-file "/etc/bind/certificate.crt";</span></p>
<p class="x_MsoNormal"><span style=""> dhparam-file "/etc/bind/dhparam.pem";</span></p>
<p class="x_MsoNormal"><span style=""> key-file "/etc/bind/private.key";</span></p>
<p class="x_MsoNormal"><span style=""> #remote-hostname "xot-test-primary.ops.nic.at";</span></p>
<p class="x_MsoNormal"><span style="">}; // may occur multiple times</span></p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">zone "test.klaus" {</p>
<p class="x_MsoNormal"> type secondary;</p>
<p class="x_MsoNormal"> file "/var/cache/bind/test.klaus"; // Path to your zone file</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal"> primaries {</p>
<p class="x_MsoNormal"> 193.46.106.51 key "tsig-key" tls xot-test;</p>
<p class="x_MsoNormal"> 2a02:850:1:4::51 key "tsig-key" tls xot-test;</p>
<p class="x_MsoNormal"> };</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">I copied the primary’s <span style="">certificate.crt to the secondary as ca.crt.</span></p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal"><span style="">Using opportunistic TLS, zone transfer works fine.</span></p>
<p class="x_MsoNormal"><span style=""> </span></p>
<p class="x_MsoNormal"><span style="">But if I enable strict TLS, either by uncommenting ‘ca-file’ or ‘remote-hostname’ option, the TLS verification fails:</span></p>
<p class="x_MsoNormal"><span style=""> </span></p>
<p class="x_MsoNormal"> transfer of 'test.klaus/IN' from 193.46.106.51#853: failed to connect: TLS peer certificate verification failed</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">But the setup on the primary looks fine. I can successfully open a TLS connection when using curl:</p>
<p class="x_MsoNormal"># curl -v <a href="https://xot-test-primary.ops.nic.at:853">
https://xot-test-primary.ops.nic.at:853</a> --cacert ca.crt</p>
<p class="x_MsoNormal">* Host xot-test-primary.ops.nic.at:853 was resolved.</p>
<p class="x_MsoNormal">* IPv6: (none)</p>
<p class="x_MsoNormal">* IPv4: 193.46.106.51</p>
<p class="x_MsoNormal">* Trying 193.46.106.51:853...</p>
<p class="x_MsoNormal">* Connected to xot-test-primary.ops.nic.at (193.46.106.51) port 853</p>
<p class="x_MsoNormal">* ALPN: curl offers h2,http/1.1</p>
<p class="x_MsoNormal">* TLSv1.3 (OUT), TLS handshake, Client hello (1):</p>
<p class="x_MsoNormal">* CAfile: ca.crt</p>
<p class="x_MsoNormal">* CApath: /etc/ssl/certs</p>
<p class="x_MsoNormal">* TLSv1.3 (IN), TLS handshake, Server hello (2):</p>
<p class="x_MsoNormal">* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):</p>
<p class="x_MsoNormal">* TLSv1.3 (IN), TLS handshake, Certificate (11):</p>
<p class="x_MsoNormal">* TLSv1.3 (IN), TLS handshake, CERT verify (15):</p>
<p class="x_MsoNormal">* TLSv1.3 (IN), TLS handshake, Finished (20):</p>
<p class="x_MsoNormal">* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):</p>
<p class="x_MsoNormal">* TLSv1.3 (OUT), TLS handshake, Finished (20):</p>
<p class="x_MsoNormal">* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519 / RSASSA-PSS</p>
<p class="x_MsoNormal">* ALPN: server did not agree on a protocol. Uses default.</p>
<p class="x_MsoNormal">* Server certificate:</p>
<p class="x_MsoNormal">* subject: CN=xot-test-primary.ops.nic.at</p>
<p class="x_MsoNormal">* start date: Feb 27 14:02:56 2025 GMT</p>
<p class="x_MsoNormal">* expire date: Feb 25 14:02:56 2035 GMT</p>
<p class="x_MsoNormal">* common name: xot-test-primary.ops.nic.at (matched)</p>
<p class="x_MsoNormal">* issuer: CN=xot-test-primary.ops.nic.at</p>
<p class="x_MsoNormal">* SSL certificate verify ok.</p>
<p class="x_MsoNormal">* Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">So, what am I doing wrong? Is Bind using a not-trivial TLS certificate verification? I also failed getting more verbose verification details. Any help is appreciated.</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">Thanks</p>
<p class="x_MsoNormal">Klaus</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal"> </p>
</div>
</div>
</div>
</body>
</html>