/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

// ns2 configuration for the DoT/DoH system test: this server listens on
// Do53, DoT, DoH and plain-HTTP DoH, and acts as a secondary for a set of
// zones whose primary (10.53.0.1) is reached over TLS with different
// verification settings (strict, no hostname, IP-in-SAN, wrong host,
// expired, mutual TLS). @...@ tokens are substituted by the test harness.

include "../../_common/rndc.key";

controls {
	// The "any" address ACL is gated by the rndc_key TSIG key
	// (presumably defined in the included rndc.key file).
	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};

// Server-side TLS identity of ns2 (srv02), used by the DoT and DoH
// listeners below; the DH parameters are only needed for DHE cipher suites.
tls local {
	key-file "../CA/certs/srv02.crt01.example.com.key";
	cert-file "../CA/certs/srv02.crt01.example.com.pem";
	dhparam-file "../dhparam3072.pem";
};

// DoH endpoint path; combined with "tls local" or "tls none" in the
// listen-on statements below.
http local {
	endpoints { "/dns-query"; };
};

options {
	query-source address 10.53.0.2;
	notify-source 10.53.0.2;
	transfer-source 10.53.0.2;
	port @PORT@;
	tls-port @TLSPORT@;
	https-port @HTTPSPORT@;
	http-port @HTTPPORT@;
	pid-file "named.pid";
	listen-on { 10.53.0.2; };
	listen-on tls local { 10.53.0.2; }; // DoT
	listen-on-v6 tls local { fd92:7065:b8e:ffff::2; };
	listen-on tls local http local { 10.53.0.2; }; // DoH
	listen-on-v6 tls local http local { fd92:7065:b8e:ffff::2; };
	// DoH without TLS: no transport confidentiality or server
	// authentication; test fixture only (presumably bound to http-port).
	listen-on tls none http local { 10.53.0.2; }; // unencrypted DoH
	listen-on-v6 tls none http local { fd92:7065:b8e:ffff::2; };
	// NOTE(review): this appears to disable only the plain Do53 IPv6
	// listener; the TLS/HTTP IPv6 listeners above are separate statements.
	listen-on-v6 { none; };
	recursion no;
	notify no;
	ixfr-from-differences yes;
	check-integrity no;
	dnssec-validation yes;
	transfers-in 100;
	transfers-out 100;
};

zone "." {
	type hint;
	file "../../_common/root.hint";
};

// Client-side TLS settings for reaching the primary. Giving a ca-file
// enables Strict TLS: the primary's certificate must chain to the CA and
// match remote-hostname (or, when remote-hostname is absent, the IP address
// used to connect) in its SubjectAltName. Without a ca-file the connection
// would be Opportunistic TLS, i.e. encrypted but unauthenticated.
tls tls-example-primary {
	remote-hostname "srv01.crt01.example.com"; // enable Strict TLS
	ca-file "../CA/CA.pem";
};

zone "example" {
	type secondary;
	primaries { 10.53.0.1 tls tls-example-primary; };
	file "example.db";
	// Transfers are open to any client (presumably so the test harness can
	// pull the zone); restrict this in a production configuration.
	allow-transfer { any; };
};

# the server's certificate does not contain SubjectAltName, which is required for DoT
# (negative case: verification is expected to fail -- confirm against the test driver)
tls tls-example-primary-no-san {
	remote-hostname "srv01.crt02-no-san.example.com"; // enable Strict TLS
	ca-file "../CA/CA.pem";
};

zone "example3" {
	type secondary;
	primaries { 10.53.0.1 port @EXTRAPORT2@ tls tls-example-primary-no-san; };
	file "example3.db";
	allow-transfer { any; };
};

# As you can see, the "remote-hostname" is missing, but "ca-file" is
# specified. As the result, the primaries server certificate will be
# verified using the IP address instead of hostname. That is fine,
# because the server certificate is issued with IP address in the
# SubjectAltName section.
tls tls-example-primary-strict-tls-no-hostname {
	ca-file "../CA/CA.pem"; // enable Strict TLS
};

zone "example4" {
	type secondary;
	primaries { 10.53.0.1 tls tls-example-primary-strict-tls-no-hostname; };
	file "example4.db";
	allow-transfer { any; };
};

// remote-hostname given explicitly as an IPv4 literal; matched against the
// iPAddress SAN entry of the primary's certificate.
tls tls-example-primary-strict-tls-ipv4 {
	remote-hostname "10.53.0.1"; # the IP is in the server's cert SAN
	ca-file "../CA/CA.pem"; # enable Strict TLS
};

zone "example5" {
	type secondary;
	primaries { 10.53.0.1 tls tls-example-primary-strict-tls-ipv4; };
	file "example5.db";
	allow-transfer { any; };
};

// Same as above with an IPv6 literal; note the zone still connects to
// 10.53.0.1, so the name being verified is the IPv6 SAN entry, not the
// address of the connection.
tls tls-example-primary-strict-tls-ipv6 {
	remote-hostname "fd92:7065:b8e:ffff::1"; # the IP is in the server's cert SAN
	ca-file "../CA/CA.pem"; # enable Strict TLS
};

zone "example6" {
	type secondary;
	primaries { 10.53.0.1 tls tls-example-primary-strict-tls-ipv6; };
	file "example6.db";
	allow-transfer { any; };
};

// Negative case: hostname verification should reject the primary's
// certificate, so this zone is not expected to transfer -- confirm
// against the test driver.
tls tls-example-primary-strict-tls-wrong-host {
	remote-hostname "not-present.example.com"; # this is not present in the server's cert SAN
	ca-file "../CA/CA.pem"; # enable Strict TLS
};

zone "example7" {
	type secondary;
	primaries { 10.53.0.1 tls tls-example-primary-strict-tls-wrong-host; };
	file "example7.db";
	allow-transfer { any; };
};

// Strict TLS against a primary (on @EXTRAPORT4@) whose certificate is,
// judging by its name, expired; presumably a negative case -- confirm.
tls tls-example-primary-strict-tls-expired {
	remote-hostname "srv01.crt03-expired.example.com";
	ca-file "../CA/CA.pem";
};

zone "example8" {
	type secondary;
	primaries { 10.53.0.1 port @EXTRAPORT4@ tls tls-example-primary-strict-tls-expired; };
	file "example8.db";
	allow-transfer { any; };
};

// Mutual TLS: in addition to verifying the primary against the CA, ns2
// presents its own client certificate (cert-file/key-file) to the primary.
tls tls-example-primary-mutual-tls {
	remote-hostname "srv01.crt01.example.com";
	ca-file "../CA/CA.pem";
	cert-file "../CA/certs/srv01.client02-ns2.example.com.pem";
	key-file "../CA/certs/srv01.client02-ns2.example.com.key";
};

zone "example9" {
	type secondary;
	primaries { 10.53.0.1 port @EXTRAPORT5@ tls tls-example-primary-mutual-tls; };
	file "example9.db";
	allow-transfer { any; };
};

// Same primary port as example9 but without a client certificate;
// presumably the primary requires one there, making this a negative
// case -- confirm against the test driver.
zone "example10" {
	type secondary;
	primaries { 10.53.0.1 port @EXTRAPORT5@ tls tls-example-primary; };
	file "example10.db";
	allow-transfer { any; };
};

// Mutual TLS with a client certificate that, judging by its name, is
// expired; presumably the primary rejects it -- confirm.
tls tls-example-primary-mutual-tls-expired {
	remote-hostname "srv01.crt01.example.com";
	ca-file "../CA/CA.pem";
	cert-file "../CA/certs/srv01.client03-ns2-expired.example.com.pem";
	key-file "../CA/certs/srv01.client03-ns2-expired.example.com.key";
};

zone "example11" {
	type secondary;
	primaries { 10.53.0.1 port @EXTRAPORT5@ tls tls-example-primary-mutual-tls-expired; };
	file "example11.db";
	allow-transfer { any; };
};