upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-05 05:12:04 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch 'artem-update-arm-tls-warnings' into 'main'

Browse source 
Update TLS-related warnings within ARM

See merge request isc-projects/bind9!6249
This commit is contained in:
Artem Boldariev 2022-05-03 11:17:29 +00:00
commit 38ad4d9a62
1 changed files with 19 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
doc/arm/reference.rst
View file

@ -892,9 +892,14 @@ where ``tls-configuration-name`` refers to a previously defined
.. warning::
Please note that TLS connections to primaries are currently
**not authenticated**. This mode provides protection from passive observers
but does not protect from man-in-the-middle attacks on zone transfers.
Please note that TLS connections to primaries are **not
authenticated** unless ``hostname`` or ``ca-file`` are specified
within the :ref:`tls statement <tls>` in use (see information on
:ref:`Strict TLS <strict-tls>` and :ref:`Mutual TLS <mutual-tls>`
for more details). **Not authenticated mode** (:ref:`Opportunistic
TLS <opportunistic-tls>`) provides protection from passive
observers but does not protect from man-in-the-middle attacks on
zone transfers.
.. _options_grammar:
@ -2476,9 +2481,11 @@ for details on how to specify IP address lists.
.. warning::
Please note that incoming TLS connections are currently
**not authenticated at the TLS level**.
Please use :ref:`tsig` to authenticate requestors.
Please note that incoming TLS connections are
**not authenticated at the TLS level by default**.
Please use :ref:`tsig` to authenticate requestors
or consider implementing :ref:`Mutual TLS <mutual-tls>`
authentication.
``blackhole``
This specifies a list of addresses which the server does not accept queries
@ -4922,6 +4929,8 @@ BIND supports the following TLS authentication mechanisms described in
the RFC 9103, Section 9.3: Opportunistic TLS, Strict TLS, and Mutual
TLS.
.. _opportunistic-tls:
Opportunistic TLS provides encryption for data but does not provide
any authentication for the channel. This mode is the default one and
it is used whenever ``hostname`` and ``ca-file`` options are not set
@ -4933,6 +4942,8 @@ complementary tools either successfully establish a secure channel via
TLS when instructed to do so or fail to establish a connection
otherwise.
.. _strict-tls:
Strict TLS provides server authentication via a pre-configured
hostname for outgoing connections. This mechanism offers both channel
confidentiality and channel authentication (of the server). In order
@ -4947,6 +4958,8 @@ used by WEB-browsers to authenticate HTTPS hosts. On the other hand,
if ``ca-file`` is provided but ``hostname`` is missing, then the
remote side's IP address is used instead.
.. _mutual-tls:
Mutual TLS is an extension to Strict TLS that provides channel
confidentiality and mutual channel authentication. It builds up upon
the clients offering client certificates when establishing connections