Add 'ephemeral' keyword to 'tls' option in listen-on directive.

listen-on tls ephemeral will cause named to create an ephemeral TLS self-signed certificate and key, stored only in memory.
2025-08-29 13:38:26 +00:00 · 2020-10-09 22:13:45 +02:00 · 2020-10-09 22:13:45 +02:00 · e94afa5bc0
commit e94afa5bc0
parent 2cfc8a45a4
1 changed files with 30 additions and 22 deletions
--- a/bin/named/server.c
+++ b/bin/named/server.c
@ -10874,29 +10874,37 @@ ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
 	/* XXXWPK TODO be more verbose on failures. */
 	tlsobj = cfg_tuple_get(listener, "tls");
 	if (tlsobj != NULL && cfg_obj_isstring(tlsobj)) {
-		const cfg_obj_t *tlsconfigs = NULL;
-		const cfg_listelt_t *element;
-		(void)cfg_map_get(config, "tls", &tlsconfigs);
-		for (element = cfg_list_first(tlsconfigs); element != NULL;
-		     element = cfg_list_next(element))
-		{
-			cfg_obj_t *tconfig = cfg_listelt_value(element);
-			const cfg_obj_t *name = cfg_map_getname(tconfig);
-			if (!strcmp(cfg_obj_asstring(name),
-				    cfg_obj_asstring(tlsobj))) {
-				tls = true;
-				const cfg_obj_t *keyo = NULL, *certo = NULL;
-				(void)cfg_map_get(tconfig, "key-file", &keyo);
-				if (keyo == NULL) {
-					return (ISC_R_FAILURE);
+		if (!strcmp(cfg_obj_asstring(tlsobj), "ephemeral")) {
+			tls = true;
+		} else {
+			const cfg_obj_t *tlsconfigs = NULL;
+			const cfg_listelt_t *element;
+			(void)cfg_map_get(config, "tls", &tlsconfigs);
+			for (element = cfg_list_first(tlsconfigs);
+			     element != NULL; element = cfg_list_next(element))
+			{
+				cfg_obj_t *tconfig = cfg_listelt_value(element);
+				const cfg_obj_t *name =
+					cfg_map_getname(tconfig);
+				if (!strcmp(cfg_obj_asstring(name),
+					    cfg_obj_asstring(tlsobj))) {
+					tls = true;
+					const cfg_obj_t *keyo = NULL,
+							*certo = NULL;
+					(void)cfg_map_get(tconfig, "key-file",
+							  &keyo);
+					if (keyo == NULL) {
+						return (ISC_R_FAILURE);
+					}
+					(void)cfg_map_get(tconfig, "cert-file",
+							  &certo);
+					if (certo == NULL) {
+						return (ISC_R_FAILURE);
+					}
+					key = cfg_obj_asstring(keyo);
+					cert = cfg_obj_asstring(certo);
+					break;
 				}
-				(void)cfg_map_get(tconfig, "cert-file", &certo);
-				if (certo == NULL) {
-					return (ISC_R_FAILURE);
-				}
-				key = cfg_obj_asstring(keyo);
-				cert = cfg_obj_asstring(certo);
-				break;
 			}
 		}
 		if (!tls) {