NSD 4.10.1rc2 pre-release

Jeroen_Koekkoek1 · July 23, 2024, 3:28pm

Hi,

NSD 4.10.1rc2 pre-release is available:
https://nlnetlabs.nl/downloads/nsd/nsd-4.10.1rc2.tar.gz
sha256 ce2e82bc673aeff3a71aeb422fa38fb8db0a591edb76c13b0e4dde83ec8253e9
pgp https://nlnetlabs.nl/downloads/nsd/nsd-4.10.1rc2.tar.gz.asc

Version 4.10.1 consists primarily of bug fixes.

@bilias implemented mutual TLS authentication for zone transfers.
Please consult the nsd.conf manual for details on the newly introduced
configuration options tls-auth-port and tls-auth-xfr-only.

Michael Orlitzky provided integration for the OpenRC init system.

Version 4.10.0 was the first release to integrate simdzone. Build
issues on OpenBSD releases before 5.6, Gentoo and Solaris have been
reported and fixed. The fallback parser, used on systems that lack
SSE4.2 and AVX2 instruction sets, contained some bugs with regards to
state keeping and under certain circumstances a use after free bug was
encountered in buffer management.

4.10.1

A_Schulze · July 24, 2024, 10:00pm

NSD 4.10.1rc2 pre-release is available:

no compile time warnings while building on debian bookworm/x86_64

@bilias implemented mutual TLS authentication for zone transfers.
Please consult the nsd.conf manual for details on the newly introduced
configuration options tls-auth-port and tls-auth-xfr-only.

this is an nice feature that seem to work but have some nits.

nsd serving as simple tls server is configured with

server:
  username: nsd
         ip-address: ::@853
         tls-service-key: /path/to/key.pem
         tls-service-pem: /path/to/cert+intermediate.pem
         tls-port: 853

         # since 4.10.1rc2
         ip-address: ::@1853
         tls-auth-port: 1853
         tls-auth-xfr-only: yes
         tls-cert-bundle: /path/to/ca-certificates.crt

in this mode, /path/to/*.pem may accessible for the root user only.

Now, when adding a tls-auth for the purpose of client authentication I add

tls-auth:
         name: primary.nsd.example
         auth-domain-name: primary.nsd.example
         client-cert: /path/to/cert+intermediate.pem
         client-key: /path/to/key.pem

Here, the files /path/to/*.pem are used by a child process with limited privileges of the username 'nsd'
It would be better, if nsd read all tls-auth client-[cert|key] data before dropping privileges.
Then the files could be still limited to be readable by the root user.

next question:
now, the axfr request from secondary to primary is a mTLS connection. But what about notify messages
from primary to secondary? the zone-statement 'notify' does not mention a tls-auth-name
Are these notifies still plain, unencrypted, unauthenticated UDP packets?

next note:
I used an IPv6 network for my zone transfer tests and have the impression,
the outgoing-interface statement at the secondary is not working if AXFR-over-tls is used.

next note:
while trying to get AXFR-over-tls working, I saw errors like "error: xfrd tls: TLS verify failed - (62) depth: 0 error: hostname mismatch"
It would be helpful to see there "... hostname mismatch: expected 'foo', got 'bar'"

funny side note:
after "error: xfrd tls: TLS verify failed - (62) depth: 0 error: hostname mismatch" I also saw
"error: xfrd: TLS handshake failed: Success"

Andreas

Jeroen_Koekkoek1 · July 25, 2024, 7:22pm

Hi Andreas,

Good to hear compilation works as expected.

I'll start looking into the notes/issues tomorrow.

Best regards,
Jeroen

Jeroen_Koekkoek1 · July 30, 2024, 12:24pm

Hi Andreas,

The suggestions I captured in GitHub issues. Thanks for sharing.

Regarding whether notifies are still plain UDP. Yes, the config parser
doesn't accept additional arguments to "notify" and judging by the xfrd
code anything to do with notify is using UDP, so no TLS yet.

I've added a GitHub issue for this too.

Thanks for the suggestions. They make for nice additions/improvements.
I'll try to get to them for the next release (>4.10.1).

Best regards,
Jeroen

Jan-Piet_Mens2 · July 30, 2024, 8:16pm

Regarding whether notifies are still plain UDP. Yes, the config parser
doesn't accept additional arguments to "notify" and judging by the xfrd
code anything to do with notify is using UDP, so no TLS yet.

Is there currently or will there by provision for NOTIFY over TCP?

Knot-DNS only supports NOTIFY over TCP and not UDP, so interoperabilty is in
danger. nsd.conf(5) doesn't mention protocol in either notify: or allow-notify:
so I'm hoping [1] will add this capability.

Is it worth an additional issue there?

-JP

[1] https://github.com/NLnetLabs/nsd/issues/365

anandb · July 30, 2024, 10:10pm

Hi Jan-Piet,

Knot-DNS only supports NOTIFY over TCP and not UDP, so interoperabilty is in
danger. nsd.conf(5) doesn't mention protocol in either notify: or allow- notify:
so I'm hoping [1] will add this capability.

Knot DNS sends NOTIFY only over TCP. However, it will *accept* NOTIFY over both UDP and TCP.

NSD sends NOTIFY only over UDP. However, it will *accept* NOTIFY over both UDP and TCP.

Therefore, Knot DNS and NSD will interoperate as far as NOTIFY is concerned.

Regards,
Anand

Jan-Piet_Mens2 · July 31, 2024, 7:11am

Therefore, Knot DNS and NSD will interoperate as far as NOTIFY is concerned.

Thank you, Anand; I should have tested before speaking out.

I'm proposing [1] to add that information to nsd.conf(5)

Regards,

-JP

[1] https://github.com/NLnetLabs/nsd/pull/367