
"dot" ALPN token MUST be negotiated for XoT (according to RFC 9103, Section 7.1)

Open arbv opened this issue 4 years ago • 5 comments

The XoT specification requires the "dot" ALPN token to be negotiated for zone transfers:

7.1. Connection Establishment During connection establishment, the Application-Layer Protocol Negotiation (ALPN) token "dot" [DoT-ALPN] MUST be selected in the TLS handshake.

At the very least, version 4.3.8 of NSD does not appear to do that, which in practice leads to interoperability problems with the current development release of BIND (9.17.19) and dig, which require that for zone transfers according to the spec (details).

arbv avatar Nov 08 '21 22:11 arbv

We currently have BIND as a primary to some NSDs as secondaries, and wish to deploy XoT, but this issue is holding us back.

cesarkuroiwa avatar Sep 27 '22 18:09 cesarkuroiwa

Thanks for the report @arbv. Sorry this didn't get picked up sooner, but luckily @cesarkuroiwa helped out :sweat_smile: I'll merge his PR ASAP after which I'll close this issue. Thanks to both of you :+1:

k0ekk0ek avatar Sep 28 '22 08:09 k0ekk0ek

I am glad to hear that the problem is solved! :+1:

arbv avatar Sep 29 '22 10:09 arbv

There is a catch, though. Judging from the MR, the case when NSD acts as a primary and BIND as the secondary is still not supported as no ALPN happens on accepted connections.

arbv avatar Sep 29 '22 10:09 arbv
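
To make the two situations in this thread concrete (a secondary that offers "dot" against a primary that does, and against one that never negotiates ALPN on accepted connections), here is an added example in Go. It is not code from NSD, BIND or anyone in this thread: it runs one in-process TLS 1.3 handshake between a hypothetical primary (server) and secondary (client) over net.Pipe, using a throwaway self-signed certificate for the made-up name xot.example, then applies the post-handshake check that RFC 9103 Section 7.1 implies. The hostname, the certificate and the helper names NegotiateALPN and RequireXoTALPN are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// XoTALPN is the ALPN token XoT requires (RFC 9103, Section 7.1); it is the
// same token DoT uses.
const XoTALPN = "dot"

// selfSignedCert builds a throwaway certificate for the hypothetical primary
// name so both ends can authenticate each other in memory (assumption of
// this example, not how NSD or BIND provision keys).
func selfSignedCert(name string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// NegotiateALPN runs one TLS 1.3 handshake between a server offering
// serverProtos and a client offering clientProtos, and returns the protocol
// the client sees as negotiated ("" when the server selected none).
func NegotiateALPN(serverProtos, clientProtos []string) (string, error) {
	cert, pool, err := selfSignedCert("xot.example")
	if err != nil {
		return "", err
	}
	srvConf := &tls.Config{
		Certificates: []tls.Certificate{cert},
		NextProtos:   serverProtos,
		MinVersion:   tls.VersionTLS13, // XoT is TLS 1.3 only
		// Keep the server's first flight bounded: net.Pipe is synchronous and
		// an unread NewSessionTicket would stall the handshake.
		SessionTicketsDisabled: true,
	}
	cliConf := &tls.Config{
		RootCAs:    pool,
		ServerName: "xot.example",
		NextProtos: clientProtos,
		MinVersion: tls.VersionTLS13,
	}
	c1, c2 := net.Pipe()
	defer c1.Close()
	defer c2.Close()
	srv, cli := tls.Server(c1, srvConf), tls.Client(c2, cliConf)

	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	if err := cli.Handshake(); err != nil {
		c2.Close() // unblock the server side, then collect its result
		<-srvErr
		return "", fmt.Errorf("client handshake: %w", err)
	}
	if err := <-srvErr; err != nil {
		return "", fmt.Errorf("server handshake: %w", err)
	}
	return cli.ConnectionState().NegotiatedProtocol, nil
}

// RequireXoTALPN is the check a spec-following peer applies after the
// handshake: a connection on which "dot" was not selected is not an XoT
// connection and must not carry a zone transfer.
func RequireXoTALPN(negotiated string) error {
	if negotiated != XoTALPN {
		return fmt.Errorf("XoT requires ALPN %q, peer negotiated %q", XoTALPN, negotiated)
	}
	return nil
}

func main() {
	cases := []struct {
		label          string
		server, client []string
	}{
		{"both ends offer dot", []string{"dot"}, []string{"dot"}},
		{"server never offers ALPN (symptom reported above)", nil, []string{"dot"}},
		{"server offers only an unrelated token", []string{"h2"}, []string{"dot"}},
	}
	for _, tc := range cases {
		proto, err := NegotiateALPN(tc.server, tc.client)
		if err != nil {
			fmt.Printf("%-52s handshake failed: %v\n", tc.label, err)
			continue
		}
		fmt.Printf("%-52s negotiated=%q check=%v\n", tc.label, proto, RequireXoTALPN(proto))
	}
}
```

The second case is the interesting one for this issue: when the accepting side sends no ALPN selection, the TLS handshake itself completes normally (Go's client, like most TLS stacks, does not fail on a missing selection), so nothing is wrong at the transport level and the transfer only fails once the peer inspects the negotiated protocol, which is why an explicit check such as RequireXoTALPN is needed on both the requesting and the accepting side. When diagnosing this in the field, the ALPN extension in the ServerHello of a captured handshake shows directly whether the primary selected "dot".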

Let's reopen this one then. I'll have a look at the server side, see how easy/hard it'd be to get that in.

k0ekk0ek avatar Oct 05 '22 12:10 k0ekk0ek