Rename "hostname" to "remote-hostname" within "tls"

This commit renames "hostname" to "remote-hostname" within "tls" options to avoid semantic conflicts with generic "options" configuration.
2026-06-11 07:00:00 -04:00 · 2022-05-03 16:51:33 +03:00 · 2022-05-03 16:51:33 +03:00 · 4bb410de98
commit 4bb410de98
parent 7fb09a23c6
13 changed files with 44 additions and 41 deletions
--- a/bin/named/named.conf.rst
+++ b/bin/named/named.conf.rst
@ -566,10 +566,10 @@ TLS
  	cert-file quoted_string;
  	ciphers string;
  	dhparam-file quoted_string;
-  	hostname quoted_string;
  	key-file quoted_string;
  	prefer-server-ciphers boolean;
  	protocols { string; ... };
+  	remote-hostname quoted_string;
  	session-tickets boolean;
  };

--- a/bin/named/transportconf.c
+++ b/bin/named/transportconf.c
@ -124,8 +124,8 @@ add_doh_transports(const cfg_obj_t *transportlist, dns_transport_list_t *list) {
 			dns_transport_set_prefer_server_ciphers)
 			parse_transport_option(doh, transport, "ca-file",
 					       dns_transport_set_cafile);
-		parse_transport_option(doh, transport, "hostname",
-				       dns_transport_set_hostname);
+		parse_transport_option(doh, transport, "remote-hostname",
+				       dns_transport_set_remote_hostname);
 	}

 	return (ISC_R_SUCCESS);
@ -176,8 +176,8 @@ add_tls_transports(const cfg_obj_t *transportlist, dns_transport_list_t *list) {
 			dns_transport_set_prefer_server_ciphers)
 			parse_transport_option(tls, transport, "ca-file",
 					       dns_transport_set_cafile);
-		parse_transport_option(tls, transport, "hostname",
-				       dns_transport_set_hostname);
+		parse_transport_option(tls, transport, "remote-hostname",
+				       dns_transport_set_remote_hostname);
 	}

 	return (ISC_R_SUCCESS);
--- a/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf
+++ b/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf
@ -14,5 +14,5 @@
 # In some cases a "tls" statement may omit key-file and cert-file.
 tls local-tls {
    protocols {TLSv1.2;};
-    hostname "fqdn.example.com";
+    remote-hostname "fqdn.example.com";
 };
--- a/bin/tests/system/doth/ns2/named.conf.in
+++ b/bin/tests/system/doth/ns2/named.conf.in
@ -57,7 +57,7 @@ zone "." {
 };

 tls tls-example-primary {
-	hostname "srv01.crt01.example.com"; // enable Strict TLS
+	remote-hostname "srv01.crt01.example.com"; // enable Strict TLS
 	ca-file "../CA/CA.pem";
 };

@ -70,7 +70,7 @@ zone "example" {

 # the server's certificate does not contain SubjectAltName, which is required for DoT
 tls tls-example-primary-no-san {
-	hostname "srv01.crt02-no-san.example.com"; // enable Strict TLS
+	remote-hostname "srv01.crt02-no-san.example.com"; // enable Strict TLS
 	ca-file "../CA/CA.pem";
 };

@ -81,7 +81,7 @@ zone "example3" {
 	allow-transfer { any; };
 };

-# As you can see, the "hostname" is missing, but "ca-file" is
+# As you can see, the "remote-hostname" is missing, but "ca-file" is
 # specified. As the result, the primaries server certificate will be
 # verified using the IP address instead of hostname. That is fine,
 # because the server certificate is issued with IP address in the
@ -98,7 +98,7 @@ zone "example4" {
 };

 tls tls-example-primary-strict-tls-ipv4 {
-	hostname "10.53.0.1"; # the IP is in the server's cert SAN
+	remote-hostname "10.53.0.1"; # the IP is in the server's cert SAN
 	ca-file "../CA/CA.pem"; # enable Strict TLS
 };

@ -110,7 +110,7 @@ zone "example5" {
 };

 tls tls-example-primary-strict-tls-ipv6 {
-	hostname "fd92:7065:b8e:ffff::1"; # the IP is in the server's cert SAN
+	remote-hostname "fd92:7065:b8e:ffff::1"; # the IP is in the server's cert SAN
 	ca-file "../CA/CA.pem"; # enable Strict TLS
 };

@ -122,7 +122,7 @@ zone "example6" {
 };

 tls tls-example-primary-strict-tls-wrong-host {
-	hostname "not-present.example.com"; # this is not present in the server's cert SAN
+	remote-hostname "not-present.example.com"; # this is not present in the server's cert SAN
 	ca-file "../CA/CA.pem"; # enable Strict TLS
 };

@ -134,7 +134,7 @@ zone "example7" {
 };

 tls tls-example-primary-strict-tls-expired {
-	hostname "srv01.crt03-expired.example.com";
+	remote-hostname "srv01.crt03-expired.example.com";
 	ca-file "../CA/CA.pem";
 };

@ -146,7 +146,7 @@ zone "example8" {
 };

 tls tls-example-primary-mutual-tls {
-    hostname "srv01.crt01.example.com";
+    remote-hostname "srv01.crt01.example.com";
 	ca-file "../CA/CA.pem";
 	cert-file "../CA/certs/srv01.client02-ns2.example.com.pem";
 	key-file "../CA/certs/srv01.client02-ns2.example.com.key";
@ -167,7 +167,7 @@ zone "example10" {
 };

 tls tls-example-primary-mutual-tls-expired {
-    hostname "srv01.crt01.example.com";
+    remote-hostname "srv01.crt01.example.com";
 	ca-file "../CA/CA.pem";
 	cert-file "../CA/certs/srv01.client03-ns2-expired.example.com.pem";
 	key-file "../CA/certs/srv01.client03-ns2-expired.example.com.key";
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@ -294,7 +294,7 @@ The following statements are supported:
        Declares communication channels to get access to :iscman:`named` statistics.

    ``tls``
-        Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``ca-file``, ``dhparam-file``, ``hostname``, ``ciphers``, ``protocols``, ``prefer-server-ciphers``, and ``session-tickets``.
+        Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``ca-file``, ``dhparam-file``, ``remote-hostname``, ``ciphers``, ``protocols``, ``prefer-server-ciphers``, and ``session-tickets``.

    ``http``
        Specifies configuration information for an HTTP connection, including ``endponts``, ``listener-clients`` and ``streams-per-connection``.
@ -893,7 +893,7 @@ where ``tls-configuration-name`` refers to a previously defined
 .. warning::

   Please note that TLS connections to primaries are **not
-   authenticated** unless ``hostname`` or ``ca-file`` are specified
+   authenticated** unless ``remote-hostname`` or ``ca-file`` are specified
   within the :ref:`tls statement <tls>` in use (see information on
   :ref:`Strict TLS <strict-tls>` and :ref:`Mutual TLS <mutual-tls>`
   for more details).  **Not authenticated mode** (:ref:`Opportunistic
@ -4844,7 +4844,7 @@ The following options can be specified in a ``tls`` statement:
    this option enables remote peer certificates verification. For
    incoming connections specifying this option will make BIND require
    a valid TLS certificate from a client. In the case of outgoing
-    connections, if ``hostname`` is not specified, then the remote
+    connections, if ``remote-hostname`` is not specified, then the remote
    server IP address is used instead.

  ``dhparam-file``
@ -4854,7 +4854,7 @@ The following options can be specified in a ``tls`` statement:
    specified is essential for enabling perfect forward secrecy capable
    ciphers in TLSv1.2.

-  ``hostname``
+  ``remote-hostname``
    The expected hostname in the TLS certificate of the
    remote server. This option enables a remote server certificate
    verification. If ``ca-file`` is not specified, then the
@ -4939,7 +4939,7 @@ TLS.

 Opportunistic TLS provides encryption for data but does not provide
 any authentication for the channel. This mode is the default one and
-it is used whenever ``hostname`` and ``ca-file`` options are not set
+it is used whenever ``remote-hostname`` and ``ca-file`` options are not set
 in ``tls`` statements in use. RFC 9103 allows optional fallback to
 clear-text DNS in the cases when TLS is not available. Still, BIND
 intentionally does not support that in order to protect from
@ -4953,15 +4953,15 @@ otherwise.
 Strict TLS provides server authentication via a pre-configured
 hostname for outgoing connections. This mechanism offers both channel
 confidentiality and channel authentication (of the server). In order
-to achieve Strict TLS, one needs to use ``hostname`` and, optionally,
+to achieve Strict TLS, one needs to use ``remote-hostname`` and, optionally,
 ``ca-file`` options in the ``tls`` statements used for establishing
 outgoing connections (e.g. the ones used to download zone from
 primaries via TLS). Providing any of the mentioned options will enable
-server authentication. If ``hostname`` is provided but ``ca-file`` is
+server authentication. If ``remote-hostname`` is provided but ``ca-file`` is
 missed, then the platform-specific certificate authority certificates
 are used for authentication. The set roughly corresponds to the one
 used by WEB-browsers to authenticate HTTPS hosts. On the other hand,
-if ``ca-file`` is provided but ``hostname`` is missing, then the
+if ``ca-file`` is provided but ``remote-hostname`` is missing, then the
 remote side's IP address is used instead.

 .. _mutual-tls:
--- a/doc/man/named.conf.5in
+++ b/doc/man/named.conf.5in
@ -640,10 +640,10 @@ tls string {
      cert\-file quoted_string;
      ciphers string;
      dhparam\-file quoted_string;
-      hostname quoted_string;
      key\-file quoted_string;
      prefer\-server\-ciphers boolean;
      protocols { string; ... };
+      remote\-hostname quoted_string;
      session\-tickets boolean;
 };
 .ft P
--- a/doc/misc/options
+++ b/doc/misc/options
@ -454,10 +454,10 @@ tls <string> {
        cert-file <quoted_string>;
        ciphers <string>;
        dhparam-file <quoted_string>;
-        hostname <quoted_string>;
        key-file <quoted_string>;
        prefer-server-ciphers <boolean>;
        protocols { <string>; ... };
+        remote-hostname <quoted_string>;
        session-tickets <boolean>;
 }; // may occur multiple times

--- a/doc/misc/options.active
+++ b/doc/misc/options.active
@ -451,10 +451,10 @@ tls <string> {
        cert-file <quoted_string>;
        ciphers <string>;
        dhparam-file <quoted_string>;
-        hostname <quoted_string>;
        key-file <quoted_string>;
        prefer-server-ciphers <boolean>;
        protocols { <string>; ... };
+        remote-hostname <quoted_string>;
        session-tickets <boolean>;
 }; // may occur multiple times

--- a/doc/misc/tls.grammar.rst
+++ b/doc/misc/tls.grammar.rst
@ -16,9 +16,9 @@
  	cert-file <quoted_string>;
  	ciphers <string>;
  	dhparam-file <quoted_string>;
-  	hostname <quoted_string>;
  	key-file <quoted_string>;
  	prefer-server-ciphers <boolean>;
  	protocols { <string>; ... };
+  	remote-hostname <quoted_string>;
  	session-tickets <boolean>;
  };
--- a/lib/dns/include/dns/transport.h
+++ b/lib/dns/include/dns/transport.h
@ -49,7 +49,7 @@ dns_transport_get_keyfile(dns_transport_t *transport);
 char *
 dns_transport_get_cafile(dns_transport_t *transport);
 char *
-dns_transport_get_hostname(dns_transport_t *transport);
+dns_transport_get_remote_hostname(dns_transport_t *transport);
 char *
 dns_transport_get_endpoint(dns_transport_t *transport);
 dns_http_mode_t
@ -79,7 +79,8 @@ dns_transport_set_keyfile(dns_transport_t *transport, const char *keyfile);
 void
 dns_transport_set_cafile(dns_transport_t *transport, const char *cafile);
 void
-dns_transport_set_hostname(dns_transport_t *transport, const char *hostname);
+dns_transport_set_remote_hostname(dns_transport_t *transport,
+				  const char	     *hostname);
 void
 dns_transport_set_endpoint(dns_transport_t *transport, const char *endpoint);
 void
--- a/lib/dns/transport.c
+++ b/lib/dns/transport.c
@ -50,7 +50,7 @@ struct dns_transport {
 		char *certfile;
 		char *keyfile;
 		char *cafile;
-		char *hostname;
+		char *remote_hostname;
 		char *ciphers;
 		uint32_t protocol_versions;
 		ternary_t prefer_server_ciphers;
@ -118,10 +118,10 @@ dns_transport_get_cafile(dns_transport_t *transport) {
 }

 char *
-dns_transport_get_hostname(dns_transport_t *transport) {
+dns_transport_get_remote_hostname(dns_transport_t *transport) {
 	REQUIRE(VALID_TRANSPORT(transport));

-	return (transport->tls.hostname);
+	return (transport->tls.remote_hostname);
 }

 char *
@ -201,18 +201,19 @@ dns_transport_set_cafile(dns_transport_t *transport, const char *cafile) {
 }

 void
-dns_transport_set_hostname(dns_transport_t *transport, const char *hostname) {
+dns_transport_set_remote_hostname(dns_transport_t *transport,
+				  const char *hostname) {
 	REQUIRE(VALID_TRANSPORT(transport));
 	REQUIRE(transport->type == DNS_TRANSPORT_TLS ||
 		transport->type == DNS_TRANSPORT_HTTP);

-	if (transport->tls.hostname != NULL) {
-		isc_mem_free(transport->mctx, transport->tls.hostname);
+	if (transport->tls.remote_hostname != NULL) {
+		isc_mem_free(transport->mctx, transport->tls.remote_hostname);
 	}

 	if (hostname != NULL) {
-		transport->tls.hostname = isc_mem_strdup(transport->mctx,
-							 hostname);
+		transport->tls.remote_hostname = isc_mem_strdup(transport->mctx,
+								hostname);
 	}
 }

@ -339,8 +340,8 @@ transport_destroy(dns_transport_t *transport) {
 	if (transport->doh.endpoint != NULL) {
 		isc_mem_free(transport->mctx, transport->doh.endpoint);
 	}
-	if (transport->tls.hostname != NULL) {
-		isc_mem_free(transport->mctx, transport->tls.hostname);
+	if (transport->tls.remote_hostname != NULL) {
+		isc_mem_free(transport->mctx, transport->tls.remote_hostname);
 	}
 	if (transport->tls.cafile != NULL) {
 		isc_mem_free(transport->mctx, transport->tls.cafile);
--- a/lib/dns/xfrin.c
+++ b/lib/dns/xfrin.c
@ -977,7 +977,8 @@ xfrin_start(dns_xfrin_ctx_t *xfr) {
 					       &tlsctx, &found_store);
 		if (result != ISC_R_SUCCESS) {
 			const char *hostname =
-				dns_transport_get_hostname(xfr->transport);
+				dns_transport_get_remote_hostname(
+					xfr->transport);
 			const char *ca_file =
 				dns_transport_get_cafile(xfr->transport);
 			const char *cert_file =
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@ -3937,7 +3937,7 @@ static cfg_clausedef_t tls_clauses[] = {
 	{ "key-file", &cfg_type_qstring, 0 },
 	{ "cert-file", &cfg_type_qstring, 0 },
 	{ "ca-file", &cfg_type_qstring, 0 },
-	{ "hostname", &cfg_type_qstring, 0 },
+	{ "remote-hostname", &cfg_type_qstring, 0 },
 	{ "dhparam-file", &cfg_type_qstring, 0 },
 	{ "protocols", &cfg_type_tlsprotos, 0 },
 	{ "ciphers", &cfg_type_astring, 0 },