BIND: use Stream DNS for DNS over TLS connections

This commit makes BIND use the new Stream DNS transport for DNS over TLS.
2025-08-31 22:45:39 +00:00 · 2022-11-29 18:15:54 +02:00
parent 83f399b852
commit 03e33a014c
5 changed files with 9 additions and 7 deletions
--- a/bin/tests/test_server.c
+++ b/bin/tests/test_server.c
@@ -256,7 +256,7 @@ run(void) {
 	case DOT: {
 		isc_tlsctx_createserver(NULL, NULL, &tls_ctx);

-		result = isc_nm_listentlsdns(
+		result = isc_nm_listenstreamdns(
 			netmgr, ISC_NM_LISTEN_ALL, &sockaddr, read_cb, NULL,
 			accept_cb, NULL, 0, NULL, tls_ctx, &sock);
 		break;
--- a/lib/dns/xfrin.c
+++ b/lib/dns/xfrin.c
@@ -964,9 +964,9 @@ xfrin_start(dns_xfrin_ctx_t *xfr) {
 			goto failure;
 		}
 		INSIST(tlsctx != NULL);
-		isc_nm_tlsdnsconnect(xfr->netmgr, &xfr->sourceaddr,
-				     &xfr->primaryaddr, xfrin_connect_done,
-				     connect_xfr, 30000, tlsctx, sess_cache);
+		isc_nm_streamdnsconnect(xfr->netmgr, &xfr->sourceaddr,
+					&xfr->primaryaddr, xfrin_connect_done,
+					connect_xfr, 30000, tlsctx, sess_cache);
 	} break;
 	default:
 		UNREACHABLE();
--- a/lib/isccfg/aclconf.c
+++ b/lib/isccfg/aclconf.c
@@ -731,7 +731,7 @@ cfg_acl_fromconfig2(const cfg_obj_t *acl_data, const cfg_obj_t *cctx,
 			} else if (strcasecmp(cfg_obj_asstring(obj_transport),
 					      "tls") == 0)
 			{
-				transports = isc_nm_tlsdnssocket;
+				transports = isc_nm_streamdnssocket;
 				encrypted = true;
 			} else if (strcasecmp(cfg_obj_asstring(obj_transport),
 					      "http") == 0)
--- a/lib/ns/interfacemgr.c
+++ b/lib/ns/interfacemgr.c
@@ -543,7 +543,7 @@ static isc_result_t
 ns_interface_listentls(ns_interface_t *ifp, isc_tlsctx_t *sslctx) {
 	isc_result_t result;

-	result = isc_nm_listentlsdns(
+	result = isc_nm_listenstreamdns(
 		ifp->mgr->nm, ISC_NM_LISTEN_ALL, &ifp->addr, ns__client_request,
 		ifp, ns__client_tcpconn, ifp, ifp->mgr->backlog,
 		&ifp->mgr->sctx->tcpquota, sslctx, &ifp->tcplistensocket);
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -11962,7 +11962,9 @@ ns_query_start(ns_client_t *client, isc_nmhandle_t *handle) {
 				query_error(client, DNS_R_NOTIMP, __LINE__);
 				return;
 			}
-			if (isc_nm_socket_type(handle) == isc_nm_tlsdnssocket &&
+			if (isc_nm_socket_type(handle) ==
+				    isc_nm_streamdnssocket &&
+			    isc_nm_has_encryption(handle) &&
 			    !isc_nm_xfr_allowed(handle))
 			{
 				/*