From d59cf5e0cec7aba9048f685e3cfd1f0e495f474c Mon Sep 17 00:00:00 2001 From: Artem Boldariev Date: Tue, 9 Jan 2024 19:16:26 +0200 Subject: [PATCH 1/4] Recreate listeners on DNS transport change This commit ensures that listeners are recreated on reconfiguration in the case when their type changes (or when PROXY protocol type changes, too). Previously, if a "listen-on" statement was modified to represent a different transport, BIND would not pick-up the change on reconfiguration if listener type changes (e.g. DoH -> DoT) for a given interface address and port combination. This commit fixes that by recreating the listener. Initially, that worked for most of the new transports as we would recreate listeners on each reconfiguration for DoH and DoT. But at some point we changed that in such a way that listeners were not recreated to avoid rebinding a port as on some platforms only root can do that for port numbers <1000, making some ports binding possible only on start-up. We chose to asynchronously update listener socket settings (like TLS contexts, HTTP settings) instead. Now, we both avoid recreating the sockets if unnecessary and recreate listeners when listener type changes. --- lib/ns/include/ns/interfacemgr.h | 4 +- lib/ns/interfacemgr.c | 105 ++++++++++++++++++++++++------- 2 files changed, 87 insertions(+), 22 deletions(-) diff --git a/lib/ns/include/ns/interfacemgr.h b/lib/ns/include/ns/interfacemgr.h index aea5b2dfac..c9c051cb3a 100644 --- a/lib/ns/include/ns/interfacemgr.h +++ b/lib/ns/include/ns/interfacemgr.h @@ -76,6 +76,7 @@ struct ns_interface { char name[32]; /*%< Null terminated. */ isc_nmsocket_t *udplistensocket; isc_nmsocket_t *tcplistensocket; + isc_nmsocket_t *tlslistensocket; isc_nmsocket_t *http_listensocket; isc_nmsocket_t *http_secure_listensocket; isc_quota_t *http_quota; 
@@ -87,7 +88,8 @@ struct ns_interface { * servicing TCP queries * (whether accepting or * connected) */ - ns_clientmgr_t *clientmgr; /*%< Client manager. */ + ns_clientmgr_t *clientmgr; /*%< Client manager. */ + isc_nm_proxy_type_t proxy_type; ISC_LINK(ns_interface_t) link; }; diff --git a/lib/ns/interfacemgr.c b/lib/ns/interfacemgr.c index b94d8600c2..d3b6f47e8a 100644 --- a/lib/ns/interfacemgr.c +++ b/lib/ns/interfacemgr.c @@ -446,7 +446,9 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, REQUIRE(NS_INTERFACEMGR_VALID(mgr)); ifp = isc_mem_get(mgr->mctx, sizeof(*ifp)); - *ifp = (ns_interface_t){ .generation = mgr->generation, .addr = *addr }; + *ifp = (ns_interface_t){ .generation = mgr->generation, + .addr = *addr, + .proxy_type = ISC_NM_PROXY_NONE }; if (name == NULL) { name = default_name; @@ -530,7 +532,7 @@ ns_interface_listentls(ns_interface_t *ifp, isc_nm_proxy_type_t proxy, ifp->mgr->nm, ISC_NM_LISTEN_ALL, &ifp->addr, ns_client_request, ifp, ns__client_tcpconn, ifp, ifp->mgr->backlog, &ifp->mgr->sctx->tcpquota, sslctx, proxy, - &ifp->tcplistensocket); + &ifp->tlslistensocket); if (result != ISC_R_SUCCESS) { isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR, @@ -662,9 +664,13 @@ interface_setup(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, const char *name, ns_interface_create(mgr, addr, name, &ifp); } else { REQUIRE(!LISTENING(ifp)); + LOCK(&mgr->lock); + ifp->generation = mgr->generation; + UNLOCK(&mgr->lock); } ifp->flags |= NS_INTERFACEFLAG_LISTENING; + ifp->proxy_type = elt->proxy; if (elt->is_http) { result = ns_interface_listenhttp( 
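Review bot: In interface_setup, `ifp->proxy_type = elt->proxy;` is recorded (together with the LISTENING flag) before the ns_interface_listen* calls run, so an interface whose listen fails keeps a transport/PROXY type it never served unless the error path later in the function, outside this hunk, resets it; on the next scan same_listener_type would compare against that stale value. Consider assigning proxy_type only once the listener was created successfully, or add a comment at the assignment explaining why it is safe to set it early. The three locked lines `LOCK(&mgr->lock); ifp->generation = mgr->generation; UNLOCK(&mgr->lock);` are repeated verbatim in interface_update_or_shutdown; a small static helper would keep the two in step. interface_setup continues past the hunk.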
@@ -733,6 +739,10 @@ ns_interface_shutdown(ns_interface_t *ifp) { isc_nm_stoplistening(ifp->tcplistensocket); isc_nmsocket_close(&ifp->tcplistensocket); } + if (ifp->tlslistensocket != NULL) { + isc_nm_stoplistening(ifp->tlslistensocket); + isc_nmsocket_close(&ifp->tlslistensocket); + } if (ifp->http_listensocket != NULL) { isc_nm_stoplistening(ifp->http_listensocket); isc_nmsocket_close(&ifp->http_listensocket); @@ -788,6 +798,14 @@ find_matching_interface(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr) { return (ifp); } +static void +log_interface_shutdown(const ns_interface_t *ifp) { + char sabuf[ISC_SOCKADDR_FORMATSIZE]; + isc_sockaddr_format(&ifp->addr, sabuf, sizeof(sabuf)); + isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_INFO, + "no longer listening on %s", sabuf); +} + /*% * Remove any interfaces whose generation number is not the current one. */ @@ -812,10 +830,7 @@ purge_old_interfaces(ns_interfacemgr_t *mgr) { for (ifp = ISC_LIST_HEAD(interfaces); ifp != NULL; ifp = next) { next = ISC_LIST_NEXT(ifp, link); if (LISTENING(ifp)) { - char sabuf[256]; - isc_sockaddr_format(&ifp->addr, sabuf, sizeof(sabuf)); - isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_INFO, - "no longer listening on %s", sabuf); + log_interface_shutdown(ifp); ns_interface_shutdown(ifp); } ISC_LIST_UNLINK(interfaces, ifp, link); @@ -932,9 +947,8 @@ replace_listener_tlsctx(ns_interface_t *ifp, isc_tlsctx_t *newctx) { isc_sockaddr_format(&ifp->addr, sabuf, sizeof(sabuf)); isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_INFO, "updating TLS context on %s", sabuf); - if (ifp->tcplistensocket != NULL) { - /* 'tcplistensocket' is used for DoT */ - isc_nmsocket_set_tlsctx(ifp->tcplistensocket, newctx); + if (ifp->tlslistensocket != NULL) { + isc_nmsocket_set_tlsctx(ifp->tlslistensocket, newctx); } else if (ifp->http_secure_listensocket != NULL) { isc_nmsocket_set_tlsctx(ifp->http_secure_listensocket, newctx); } 
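Review bot: log_interface_shutdown is introduced without the `/*%` comment the other helpers in this file carry; suggest `/*% Log that 'ifp' is about to stop listening; call right before ns_interface_shutdown(). */` above the definition. Moving the message into one helper also replaces the former hard-coded `char sabuf[256]` with `ISC_SOCKADDR_FORMATSIZE`, which is the right size to use, so purge_old_interfaces and the new recreate path log identically.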
@@ -1005,6 +1019,61 @@ update_listener_configuration(ns_interfacemgr_t *mgr, ns_interface_t *ifp, UNLOCK(&mgr->lock); } +static bool +same_listener_type(ns_interface_t *ifp, ns_listenelt_t *new_le) { + bool same_transport_type = false; + + if (new_le->is_http && new_le->sslctx != NULL && + ifp->http_secure_listensocket != NULL) + { + /* HTTPS/DoH */ + same_transport_type = true; + } else if (new_le->is_http && new_le->sslctx == NULL && + ifp->http_listensocket != NULL) + { + /* HTTP/plain DoH */ + same_transport_type = true; + } else if (new_le->sslctx != NULL && ifp->tlslistensocket != NULL) { + /* TLS/DoT */ + same_transport_type = true; + } else if (new_le->sslctx == NULL && (ifp->udplistensocket != NULL || + ifp->tcplistensocket != NULL)) + { + /* "plain" DNS/Do53 */ + same_transport_type = true; + } + + /* + * Check if transport type of the listener has not changed. That + * implies that PROXY type has not been changed as well. + */ + return (same_transport_type && new_le->proxy == ifp->proxy_type); +} + +static bool +interface_update_or_shutdown(ns_interfacemgr_t *mgr, ns_interface_t *ifp, + ns_listenelt_t *le, const bool config) { + if (LISTENING(ifp) && config && !same_listener_type(ifp, le)) { + /* + * DNS listener type has been changed on re-configuration. We + * will need to recreate the listener anew. + */ + log_interface_shutdown(ifp); + ns_interface_shutdown(ifp); + } else { + LOCK(&mgr->lock); + ifp->generation = mgr->generation; + UNLOCK(&mgr->lock); + if (LISTENING(ifp)) { + if (config) { + update_listener_configuration(mgr, ifp, le); + } + return (true); + } + } + return (false); +} + static isc_result_t do_scan(ns_interfacemgr_t *mgr, bool verbose, bool config) { isc_interfaceiter_t *iter = NULL; 
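Review bot: In same_listener_type, the third and fourth branches do not test new_le->is_http, so a DoT interface (only tlslistensocket populated, as ns_interface_listentls now does) compared against a new HTTPS/DoH element, or a Do53 interface compared against a new plain-HTTP element, is reported as the same transport and is recreated only if the PROXY type happens to differ as well. The conditions should read `} else if (!new_le->is_http && new_le->sslctx != NULL && ifp->tlslistensocket != NULL) {` and `} else if (!new_le->is_http && new_le->sslctx == NULL && (ifp->udplistensocket != NULL || ifp->tcplistensocket != NULL)) {`. The system test added in the next patch always changes the PROXY mode together with the transport (e.g. DoT over plain PROXYv2 to HTTPS without PROXY), so it would not catch this; a DoT-to-DoH step with identical proxy settings would. interface_update_or_shutdown also lacks a comment on its return value; suggest `/* Returns true if 'ifp' is kept as is (caller may skip it), false if it is not listening or was just shut down and must be (re)created. */`.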
@@ -1072,12 +1141,9 @@ do_scan(ns_interfacemgr_t *mgr, bool verbose, bool config) { ifp = find_matching_interface(mgr, &listen_addr); if (ifp != NULL) { - ifp->generation = mgr->generation; - if (LISTENING(ifp)) { - if (config) { - update_listener_configuration( - mgr, ifp, le); - } + bool cont = interface_update_or_shutdown( + mgr, ifp, le, config); + if (cont) { continue; } } @@ -1217,12 +1283,9 @@ do_scan(ns_interfacemgr_t *mgr, bool verbose, bool config) { ifp = find_matching_interface(mgr, &listen_sockaddr); if (ifp != NULL) { - ifp->generation = mgr->generation; - if (LISTENING(ifp)) { - if (config) { - update_listener_configuration( - mgr, ifp, le); - } + bool cont = interface_update_or_shutdown( + mgr, ifp, le, config); + if (cont) { continue; } } From 211f12ff850677c39cdaa9bdb36c860a5837e0b2 Mon Sep 17 00:00:00 2001 
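Review bot: When interface_update_or_shutdown returns false because it shut the listener down, do_scan falls through to interface_setup, whose reuse branch asserts `REQUIRE(!LISTENING(ifp))`; that is only safe if ns_interface_shutdown clears NS_INTERFACEFLAG_LISTENING, which is not visible in these hunks. A one-line comment at the call site would make the contract explicit, e.g. `/* false: not listening or just shut down; fall through to (re)create it. */`. The same applies to the second hunk at -1217, which is otherwise identical. Both hunks are inside do_scan, whose body extends beyond them.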
From: Artem Boldariev Date: Wed, 10 Jan 2024 19:24:46 +0200 Subject: [PATCH 2/4] Add a system test to verify listener transport change functionality This commit adds a system test that helps to verify that changing a listener transport by editing "listen-on" statements before reconfiguration works as expected. --- bin/tests/system/transport-change/clean.sh | 24 +++++ .../ns1/named-http-plain-proxy.conf.in | 47 ++++++++ .../ns1/named-http-plain.conf.in | 47 ++++++++ .../ns1/named-https-proxy-encrypted.conf.in | 47 ++++++++ .../ns1/named-https-proxy-plain.conf.in | 47 ++++++++ .../transport-change/ns1/named-https.conf.in | 47 ++++++++ .../transport-change/ns1/named-proxy.conf.in | 47 ++++++++ .../ns1/named-tls-proxy-encrypted.conf.in | 47 ++++++++ .../ns1/named-tls-proxy-plain.conf.in | 47 ++++++++ .../transport-change/ns1/named-tls.conf.in | 47 ++++++++ .../system/transport-change/ns1/named.conf.in | 47 ++++++++ bin/tests/system/transport-change/prereq.sh | 22 ++++ bin/tests/system/transport-change/privkey.pem | 0 .../transport-change/self-signed-cert.pem | 11 ++ .../transport-change/self-signed-key.pem | 5 + bin/tests/system/transport-change/setup.sh | 21 ++++ bin/tests/system/transport-change/tests.sh | 100 ++++++++++++++++++ .../tests_sh_transport_change.py | 14 +++ 18 files changed, 667 insertions(+) create mode 100644 bin/tests/system/transport-change/clean.sh create mode 100644 bin/tests/system/transport-change/ns1/named-http-plain-proxy.conf.in create mode 100644 bin/tests/system/transport-change/ns1/named-http-plain.conf.in create mode 100644 bin/tests/system/transport-change/ns1/named-https-proxy-encrypted.conf.in create mode 100644 bin/tests/system/transport-change/ns1/named-https-proxy-plain.conf.in create mode 100644 bin/tests/system/transport-change/ns1/named-https.conf.in create mode 100644 bin/tests/system/transport-change/ns1/named-proxy.conf.in create mode 100644 bin/tests/system/transport-change/ns1/named-tls-proxy-encrypted.conf.in create mode 
100644 bin/tests/system/transport-change/ns1/named-tls-proxy-plain.conf.in create mode 100644 bin/tests/system/transport-change/ns1/named-tls.conf.in create mode 100644 bin/tests/system/transport-change/ns1/named.conf.in create mode 100644 bin/tests/system/transport-change/prereq.sh create mode 100644 bin/tests/system/transport-change/privkey.pem create mode 100644 bin/tests/system/transport-change/self-signed-cert.pem create mode 100644 bin/tests/system/transport-change/self-signed-key.pem create mode 100644 bin/tests/system/transport-change/setup.sh create mode 100644 bin/tests/system/transport-change/tests.sh create mode 100644 bin/tests/system/transport-change/tests_sh_transport_change.py diff --git a/bin/tests/system/transport-change/clean.sh b/bin/tests/system/transport-change/clean.sh new file mode 100644 index 0000000000..e8d1b95ee5 --- /dev/null +++ b/bin/tests/system/transport-change/clean.sh @@ -0,0 +1,24 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Clean up after zone transfer tests. +# + +rm -f ./*/named.conf +rm -f ./*/named.memstats +rm -f ./*/named.run +rm -f ./*/named.run.prev +rm -f ./dig.out.* +rm -f ./*/example.db +rm -rf ./headers.* diff --git a/bin/tests/system/transport-change/ns1/named-http-plain-proxy.conf.in b/bin/tests/system/transport-change/ns1/named-http-plain-proxy.conf.in new file mode 100644 index 0000000000..012b167ae3 --- /dev/null +++ b/bin/tests/system/transport-change/ns1/named-http-plain-proxy.conf.in 
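Review bot: The header comment `# Clean up after zone transfer tests.` is copied from another test directory; this is the transport-change test, so it should read `# Clean up after the listener transport change tests.`. The `rm -rf ./headers.*` line does not match anything the new setup.sh or tests.sh create (they write ns1/named.conf, ns1/example.db and dig.out.test*), so it is probably a leftover from the same copy and can be dropped.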
@@ -0,0 +1,47 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +include "../../_common/rndc.key"; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +tls self-signed { + cert-file "../self-signed-cert.pem"; + key-file "../self-signed-key.pem"; +}; + +options { + pid-file "named.pid"; + ## + # generic + listen-on port @PORT@ { 10.53.0.1; }; + # test TLS + listen-on port @EXTRAPORT1@ proxy plain tls none http default { 10.53.0.1; }; + listen-on-v6 port @EXTRAPORT1@ proxy plain tls none http default { fd92:7065:b8e:ffff::1; }; + ## + recursion no; + notify explicit; + statistics-file "named.stats"; + dnssec-validation yes; + tcp-initial-timeout 1200; + allow-proxy { any; }; + allow-proxy-on { 10.53.0.1; fd92:7065:b8e:ffff::1; }; +}; + +zone "example" { + type primary; + file "example.db"; + allow-transfer { any; }; +}; diff --git a/bin/tests/system/transport-change/ns1/named-http-plain.conf.in b/bin/tests/system/transport-change/ns1/named-http-plain.conf.in new file mode 100644 index 0000000000..627742920b --- /dev/null +++ b/bin/tests/system/transport-change/ns1/named-http-plain.conf.in 
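Review bot: The comment `# test TLS` above the listen-on lines does not describe the listener, which is plain HTTP (`tls none http default`) behind PROXYv2; suggest `# test plain HTTP/DoH over PROXYv2`. The same mismatch is in ns1/named-http-plain.conf.in, where `# test plain HTTP/DoH` would fit. A reader scanning the ten configuration variants relies on these comments to tell them apart.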
@@ -0,0 +1,47 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +include "../../_common/rndc.key"; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +tls self-signed { + cert-file "../self-signed-cert.pem"; + key-file "../self-signed-key.pem"; +}; + +options { + pid-file "named.pid"; + ## + # generic + listen-on port @PORT@ { 10.53.0.1; }; + # test TLS + listen-on port @EXTRAPORT1@ tls none http default { 10.53.0.1; }; + listen-on-v6 port @EXTRAPORT1@ tls none http default { fd92:7065:b8e:ffff::1; }; + ## + recursion no; + notify explicit; + statistics-file "named.stats"; + dnssec-validation yes; + tcp-initial-timeout 1200; + allow-proxy { any; }; + allow-proxy-on { 10.53.0.1; fd92:7065:b8e:ffff::1; }; +}; + +zone "example" { + type primary; + file "example.db"; + allow-transfer { any; }; +}; diff --git a/bin/tests/system/transport-change/ns1/named-https-proxy-encrypted.conf.in b/bin/tests/system/transport-change/ns1/named-https-proxy-encrypted.conf.in new file mode 100644 index 0000000000..8c28c26a8e --- /dev/null +++ b/bin/tests/system/transport-change/ns1/named-https-proxy-encrypted.conf.in 
@@ -0,0 +1,47 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +include "../../_common/rndc.key"; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +tls self-signed { + cert-file "../self-signed-cert.pem"; + key-file "../self-signed-key.pem"; +}; + +options { + pid-file "named.pid"; + ## + # generic + listen-on port @PORT@ { 10.53.0.1; }; + # test TLS + listen-on port @EXTRAPORT1@ proxy encrypted tls self-signed http default { 10.53.0.1; }; + listen-on-v6 port @EXTRAPORT1@ proxy encrypted tls self-signed http default { fd92:7065:b8e:ffff::1; }; + ## + recursion no; + notify explicit; + statistics-file "named.stats"; + dnssec-validation yes; + tcp-initial-timeout 1200; + allow-proxy { any; }; + allow-proxy-on { 10.53.0.1; fd92:7065:b8e:ffff::1; }; +}; + +zone "example" { + type primary; + file "example.db"; + allow-transfer { any; }; +}; diff --git a/bin/tests/system/transport-change/ns1/named-https-proxy-plain.conf.in b/bin/tests/system/transport-change/ns1/named-https-proxy-plain.conf.in new file mode 100644 index 0000000000..7b5538ce0d --- /dev/null +++ b/bin/tests/system/transport-change/ns1/named-https-proxy-plain.conf.in 
@@ -0,0 +1,47 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +include "../../_common/rndc.key"; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +tls self-signed { + cert-file "../self-signed-cert.pem"; + key-file "../self-signed-key.pem"; +}; + +options { + pid-file "named.pid"; + ## + # generic + listen-on port @PORT@ { 10.53.0.1; }; + # test TLS + listen-on port @EXTRAPORT1@ proxy plain tls self-signed http default { 10.53.0.1; }; + listen-on-v6 port @EXTRAPORT1@ proxy plain tls self-signed http default { fd92:7065:b8e:ffff::1; }; + ## + recursion no; + notify explicit; + statistics-file "named.stats"; + dnssec-validation yes; + tcp-initial-timeout 1200; + allow-proxy { any; }; + allow-proxy-on { 10.53.0.1; fd92:7065:b8e:ffff::1; }; +}; + +zone "example" { + type primary; + file "example.db"; + allow-transfer { any; }; +}; diff --git a/bin/tests/system/transport-change/ns1/named-https.conf.in b/bin/tests/system/transport-change/ns1/named-https.conf.in new file mode 100644 index 0000000000..c24346e941 --- /dev/null +++ b/bin/tests/system/transport-change/ns1/named-https.conf.in 
@@ -0,0 +1,47 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +include "../../_common/rndc.key"; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +tls self-signed { + cert-file "../self-signed-cert.pem"; + key-file "../self-signed-key.pem"; +}; + +options { + pid-file "named.pid"; + ## + # generic + listen-on port @PORT@ { 10.53.0.1; }; + # test TLS + listen-on port @EXTRAPORT1@ tls self-signed http default { 10.53.0.1; }; + listen-on-v6 port @EXTRAPORT1@ tls self-signed http default { fd92:7065:b8e:ffff::1; }; + ## + recursion no; + notify explicit; + statistics-file "named.stats"; + dnssec-validation yes; + tcp-initial-timeout 1200; + allow-proxy { any; }; + allow-proxy-on { 10.53.0.1; fd92:7065:b8e:ffff::1; }; +}; + +zone "example" { + type primary; + file "example.db"; + allow-transfer { any; }; +}; diff --git a/bin/tests/system/transport-change/ns1/named-proxy.conf.in b/bin/tests/system/transport-change/ns1/named-proxy.conf.in new file mode 100644 index 0000000000..1b9fb684aa --- /dev/null +++ b/bin/tests/system/transport-change/ns1/named-proxy.conf.in 
@@ -0,0 +1,47 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +include "../../_common/rndc.key"; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +tls self-signed { + cert-file "../self-signed-cert.pem"; + key-file "../self-signed-key.pem"; +}; + +options { + pid-file "named.pid"; + ## + # generic + listen-on port @PORT@ { 10.53.0.1; }; + # test + listen-on port @EXTRAPORT1@ proxy plain { 10.53.0.1; }; + listen-on-v6 port @EXTRAPORT1@ proxy plain { fd92:7065:b8e:ffff::1; }; + ## + recursion no; + notify explicit; + statistics-file "named.stats"; + dnssec-validation yes; + tcp-initial-timeout 1200; + allow-proxy { any; }; + allow-proxy-on { 10.53.0.1; fd92:7065:b8e:ffff::1; }; +}; + +zone "example" { + type primary; + file "example.db"; + allow-transfer { any; }; +}; diff --git a/bin/tests/system/transport-change/ns1/named-tls-proxy-encrypted.conf.in b/bin/tests/system/transport-change/ns1/named-tls-proxy-encrypted.conf.in new file mode 100644 index 0000000000..4183fb8a31 --- /dev/null +++ b/bin/tests/system/transport-change/ns1/named-tls-proxy-encrypted.conf.in 
@@ -0,0 +1,47 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +include "../../_common/rndc.key"; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +tls self-signed { + cert-file "../self-signed-cert.pem"; + key-file "../self-signed-key.pem"; +}; + +options { + pid-file "named.pid"; + ## + # generic + listen-on port @PORT@ { 10.53.0.1; }; + # test TLS + listen-on port @EXTRAPORT1@ proxy encrypted tls self-signed { 10.53.0.1; }; + listen-on-v6 port @EXTRAPORT1@ proxy encrypted tls self-signed { fd92:7065:b8e:ffff::1; }; + ## + recursion no; + notify explicit; + statistics-file "named.stats"; + dnssec-validation yes; + tcp-initial-timeout 1200; + allow-proxy { any; }; + allow-proxy-on { 10.53.0.1; fd92:7065:b8e:ffff::1; }; +}; + +zone "example" { + type primary; + file "example.db"; + allow-transfer { any; }; +}; diff --git a/bin/tests/system/transport-change/ns1/named-tls-proxy-plain.conf.in b/bin/tests/system/transport-change/ns1/named-tls-proxy-plain.conf.in new file mode 100644 index 0000000000..8a283cb21b --- /dev/null +++ b/bin/tests/system/transport-change/ns1/named-tls-proxy-plain.conf.in 
@@ -0,0 +1,47 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +include "../../_common/rndc.key"; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +tls self-signed { + cert-file "../self-signed-cert.pem"; + key-file "../self-signed-key.pem"; +}; + +options { + pid-file "named.pid"; + ## + # generic + listen-on port @PORT@ { 10.53.0.1; }; + # test TLS + listen-on port @EXTRAPORT1@ proxy plain tls self-signed { 10.53.0.1; }; + listen-on-v6 port @EXTRAPORT1@ proxy plain tls self-signed { fd92:7065:b8e:ffff::1; }; + ## + recursion no; + notify explicit; + statistics-file "named.stats"; + dnssec-validation yes; + tcp-initial-timeout 1200; + allow-proxy { any; }; + allow-proxy-on { 10.53.0.1; fd92:7065:b8e:ffff::1; }; +}; + +zone "example" { + type primary; + file "example.db"; + allow-transfer { any; }; +}; diff --git a/bin/tests/system/transport-change/ns1/named-tls.conf.in b/bin/tests/system/transport-change/ns1/named-tls.conf.in new file mode 100644 index 0000000000..4bcc976173 --- /dev/null +++ b/bin/tests/system/transport-change/ns1/named-tls.conf.in 
@@ -0,0 +1,47 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +include "../../_common/rndc.key"; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +tls self-signed { + cert-file "../self-signed-cert.pem"; + key-file "../self-signed-key.pem"; +}; + +options { + pid-file "named.pid"; + ## + # generic + listen-on port @PORT@ { 10.53.0.1; }; + # test TLS + listen-on port @EXTRAPORT1@ tls self-signed { 10.53.0.1; }; + listen-on-v6 port @EXTRAPORT1@ tls self-signed { fd92:7065:b8e:ffff::1; }; + ## + recursion no; + notify explicit; + statistics-file "named.stats"; + dnssec-validation yes; + tcp-initial-timeout 1200; + allow-proxy { any; }; + allow-proxy-on { 10.53.0.1; fd92:7065:b8e:ffff::1; }; +}; + +zone "example" { + type primary; + file "example.db"; + allow-transfer { any; }; +}; diff --git a/bin/tests/system/transport-change/ns1/named.conf.in b/bin/tests/system/transport-change/ns1/named.conf.in new file mode 100644 index 0000000000..0ee7fc5d36 --- /dev/null +++ b/bin/tests/system/transport-change/ns1/named.conf.in 
@@ -0,0 +1,47 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +include "../../_common/rndc.key"; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +tls self-signed { + cert-file "../self-signed-cert.pem"; + key-file "../self-signed-key.pem"; +}; + +options { + pid-file "named.pid"; + ## + # generic + listen-on port @PORT@ { 10.53.0.1; }; + # test + listen-on port @EXTRAPORT1@ { 10.53.0.1; }; + listen-on-v6 port @EXTRAPORT1@ { fd92:7065:b8e:ffff::1; }; + ## + recursion no; + notify explicit; + statistics-file "named.stats"; + dnssec-validation yes; + tcp-initial-timeout 1200; + allow-proxy { any; }; + allow-proxy-on { 10.53.0.1; fd92:7065:b8e:ffff::1; }; +}; + +zone "example" { + type primary; + file "example.db"; + allow-transfer { any; }; +}; diff --git a/bin/tests/system/transport-change/prereq.sh b/bin/tests/system/transport-change/prereq.sh new file mode 100644 index 0000000000..0c19f1178b --- /dev/null +++ b/bin/tests/system/transport-change/prereq.sh 
@@ -0,0 +1,22 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck disable=SC1091 +. ../conf.sh + +$FEATURETEST --with-libnghttp2 || { + echo_i "This test requires libnghttp2 support." >&2 + exit 255 +} + +exit 0 diff --git a/bin/tests/system/transport-change/privkey.pem b/bin/tests/system/transport-change/privkey.pem new file mode 100644 index 0000000000..e69de29bb2 diff --git a/bin/tests/system/transport-change/self-signed-cert.pem b/bin/tests/system/transport-change/self-signed-cert.pem new file mode 100644 index 0000000000..3f4df28f60 --- /dev/null +++ b/bin/tests/system/transport-change/self-signed-cert.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBqTCCAVCgAwIBAgIULBCxkDF3scu+KzMu4JWrS1MiD8gwCgYIKoZIzj0EAwIw +FjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wIBcNMjQwMTEwMTQwOTAyWhgPMjA1MTA1 +MjgxNDA5MDJaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYI +KoZIzj0DAQcDQgAEraleW8FCXwU72Iva/H2FRiY5yrnKOVG0wZ8UN8bghx2yyK+z +EFaHS5buo5jEnWnweX2qrX4N9RWDii7nqfwjNaN6MHgwHQYDVR0OBBYEFEGCx9FF +rNxaR7zTM74ksT4fDaGjMB8GA1UdIwQYMBaAFEGCx9FFrNxaR7zTM74ksT4fDaGj +MA8GA1UdEwEB/wQFMAMBAf8wJQYDVR0RBB4wHIILZXhhbXBsZS5jb22CDSouZXhh +bXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgL+cDL9EKz9YY3iR6/fZqjniXaiap +lMfzbtesX1LVi04CIBOBW97oz4jQ1K4D1QN4aDJpit2LJWrEKHyLk4SPqZUS +-----END CERTIFICATE----- diff --git a/bin/tests/system/transport-change/self-signed-key.pem b/bin/tests/system/transport-change/self-signed-key.pem new file mode 100644 index 0000000000..b68bd11a6c --- /dev/null +++ b/bin/tests/system/transport-change/self-signed-key.pem 
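Review bot: prereq.sh gates the test only on libnghttp2, while tests.sh also relies on dig's `+tls`, `+proxy`, `+proxy-plain` and `+https` options; if any of those can be absent from a build (I cannot tell from the patch), the prerequisite check should cover them too, otherwise a comment such as `# DoH needs libnghttp2; DoT and PROXYv2 support is unconditional` would document the assumption. Separately, the patch adds an empty `privkey.pem` next to `self-signed-key.pem`, which nothing in the test references and looks like an accidental addition.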
@@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg9uAMbwHDtsF9BDAu +CafftgyXCZbbRy8aJpoo76B8iwWhRANCAAStqV5bwUJfBTvYi9r8fYVGJjnKuco5 +UbTBnxQ3xuCHHbLIr7MQVodLlu6jmMSdafB5faqtfg31FYOKLuep/CM1 +-----END PRIVATE KEY----- diff --git a/bin/tests/system/transport-change/setup.sh b/bin/tests/system/transport-change/setup.sh new file mode 100644 index 0000000000..f726f7020d --- /dev/null +++ b/bin/tests/system/transport-change/setup.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck disable=SC1091 +. ../conf.sh + +$SHELL clean.sh + +$SHELL "${TOP_SRCDIR}"/bin/tests/system/genzone.sh 2 >ns1/example.db + +copy_setports ns1/named.conf.in ns1/named.conf diff --git a/bin/tests/system/transport-change/tests.sh b/bin/tests/system/transport-change/tests.sh new file mode 100644 index 0000000000..646f5af290 --- /dev/null +++ b/bin/tests/system/transport-change/tests.sh 
@@ -0,0 +1,100 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +set -e + +# shellcheck disable=SC1091 +. ../conf.sh + +dig_out_basename="dig.out.test" +testing="testing if the query is successfully completed" + +dig_with_opts() { + # shellcheck disable=SC2086 + "$DIG" -p "${EXTRAPORT1}" +noadd +nosea +nostat +noquest +nocmd "$@" NS example +} + +status=0 +n=0 + +run_dig_test() { + test_message="$1" + shift + n=$((n + 1)) + echo_i "$test_message ($n)" + dig_failed=0 + dig_with_opts "$@" >"$dig_out_basename$n" || dig_failed=1 +} + +run_dig_test_expect_success() { + ret=0 + run_dig_test "$@" + if [ $dig_failed != 0 ]; then + ret=1 + elif ! 
[ -s "$dig_out_basename$n" ]; then + ret=1 + fi + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +} + +run_dig_multitest_expect_success() { + message="$1" + shift + run_dig_test_expect_success "$message (IPv4)" -b 10.53.0.10 @10.53.0.1 "$@" + run_dig_test_expect_success "$message (IPv6)" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 "$@" +} + +reconfig_server() { + message="$1" + shift + config_file="$1" + shift + echo_i "$message" + copy_setports "ns1/$config_file" "ns1/named.conf" + rndc_reconfig ns1 10.53.0.1 +} + +run_dig_multitest_expect_success "$testing: a UDP query over Do53" +run_dig_multitest_expect_success "$testing: a TCP query over Do53" +tcp + +reconfig_server "reconfiguring the server to use PROXYv2" named-proxy.conf.in +run_dig_multitest_expect_success "$testing: a UDP query for Do53 over PROXYv2" +proxy +run_dig_multitest_expect_success "$testing: a TCP query for Do53 over PROXYv2" +tcp +proxy + +reconfig_server "reconfiguring the server to use TLS/DoT" named-tls.conf.in +run_dig_multitest_expect_success "$testing: a query over TLS/DoT" +tls + +reconfig_server "reconfiguring the server to use TLS/DoT over encrypted PROXYv2" named-tls-proxy-encrypted.conf.in +run_dig_multitest_expect_success "$testing: a query over TLS/DoT over encrypted PROXYv2" +tls +proxy + +reconfig_server "reconfiguring the server to use TLS/DoT over plain PROXYv2" named-tls-proxy-plain.conf.in +run_dig_multitest_expect_success "$testing: a query over TLS/DoT over plain PROXYv2" +tls +proxy +proxy-plain + +reconfig_server "reconfiguring the server to use HTTPS/DoH" named-https.conf.in +run_dig_multitest_expect_success "$testing: a query over HTTPS/DoH" +https + +reconfig_server "reconfiguring the server to use HTTPS/DoH over encrypted PROXYv2" named-https-proxy-encrypted.conf.in +run_dig_multitest_expect_success "$testing: a query over HTTPS/DoH over encrypted PROXYv2" +https +proxy + +reconfig_server "reconfiguring the server to use HTTPS/DoH over 
plain PROXYv2" named-https-proxy-plain.conf.in +run_dig_multitest_expect_success "$testing: a query over HTTPS/DoH over plain PROXYv2" +https +proxy +proxy-plain + +reconfig_server "reconfiguring the server to use plain HTTP/DoH" named-http-plain.conf.in +run_dig_multitest_expect_success "$testing: a query over plain HTTP/DoH" +http-plain + +reconfig_server "reconfiguring the server to use plain HTTP/DoH over PROXYv2" named-http-plain-proxy.conf.in +run_dig_multitest_expect_success "$testing: a query over plain HTTP/DoH over PROXYv2" +http-plain +proxy + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/transport-change/tests_sh_transport_change.py b/bin/tests/system/transport-change/tests_sh_transport_change.py new file mode 100644 index 0000000000..d86446389e --- /dev/null +++ b/bin/tests/system/transport-change/tests_sh_transport_change.py @@ -0,0 +1,14 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + + +def test_transport_change(run_tests_sh): + run_tests_sh() From d1a2ad0f443982efeb703a0a0214e5f778241f91 Mon Sep 17 00:00:00 2001 From: Artem Boldariev Date: Thu, 11 Jan 2024 16:30:17 +0200 Subject: [PATCH 3/4] Update CHANGES [GL #4518] [GL #4528] Mentioned that all changes to listen-on statements are now applied on reconfiguration. --- CHANGES | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGES b/CHANGES index 10358f8a9f..d852491eac 100644 --- a/CHANGES +++ b/CHANGES 
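Review bot: run_dig_test_expect_success treats any non-empty dig output as success, but dig exits 0 and prints a full response for SERVFAIL or REFUSED answers, so a listener that comes up on the new transport yet does not answer the query correctly would still pass; replace the size check with `elif ! grep -q "status: NOERROR" "$dig_out_basename$n"; then` (or grep for the expected NS record). The tests then really verify the transport change rather than only that something answered on the port. reconfig_server runs dig immediately after rndc_reconfig, which is fine provided rndc_reconfig in conf.sh waits for the reload to complete, as it presumably does.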
@@ -1,3 +1,9 @@ +6322. [bug] Changes to "listen-on" statements were ignored on + reconfiguration unless the port or interface address was + changed, making it impossible to change a related + listener transport type. Thanks to Thomas Amgarten. + [GL #4518] [GL #4528] + 6321. [func] The 'tls' block was extended with a new 'cipher-suites' option that allows setting allowed cipher suites for TLSv1.3. From ad5378fad755b96f6b0b8d6465533b2e32f94869 Mon Sep 17 00:00:00 2001 From: Artem Boldariev Date: Thu, 11 Jan 2024 16:39:59 +0200 Subject: [PATCH 4/4] Update release notes [GL #4518] [GL #4528] Mentioned that all changes to listen-on statements are now applied on reconfiguration. --- doc/notes/notes-current.rst | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index d76a0a7ed4..1459acdbe8 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -38,7 +38,13 @@ Feature Changes Bug Fixes ~~~~~~~~~ -- None. +- Changes to ``listen-on`` statements were ignored on reconfiguration + unless the port or interface address was changed, making it + impossible to change a related listener transport type. That issue + has been fixed. + + ISC would like to thank Thomas Amgarten for bringing this issue to + our attention. :gl:`#4518`, :gl:`#4528` Known Issues ~~~~~~~~~~~~