
Correctly load tls-cert-bundle with chroot#486

Closed
bilias wants to merge 2 commits into
NLnetLabs:masterfrom
bilias:master

Conversation

@bilias

@bilias bilias commented Jun 2, 2026

Contributor

I've noticed an error about the tls-cert-bundle:
xfrd tls: Unable to set the certificate bundle file /var/nsd/etc/cert-bundle.pem

I see that this comes from

server_start_xfrd()
  -> xfrd_init()
     -> xfrd_tcp_set_create()
         -> SSL_CTX_load_verify_locations()

which happens after chroot.

@bilias

bilias commented Jun 3, 2026

Contributor Author

Added one more patch (99b6bf1)
If you have a zone with multiple ACLs on provide-xfr like this:

       provide-xfr: 1.2.3.4 tsig1 tls-auth-1
       provide-xfr: 2.3.4.5 tsig2 tls-auth-2

the server checks ACLs independently of tls-auth.

So in this case, when secondary 2.3.4.5 connects with tls-auth for a zone transfer,
the ACL check first matches the IP and TSIG key. After that we have the SSL check.
It fails because it searches first for the auth-domain-name of tls-auth-1.

Server should not check other tls-auth definitions.
If an IP is matched in a specific ACL, check that specific tls-auth that is defined in that specific ACL.

Effectively this is only a logic change (no code change): we move the TLS AUTH check code inside
if(acl_addr_matches(acl, q) && acl_key_matches(acl, q)) {
and not after it.
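The ACL logic described in the comment above, as an added illustration that is not NSD's code or part of this PR. It is a simplified model with hypothetical structs: the "before" function models the behaviour the comment describes (IP/TSIG matched per ACL, then the TLS identity compared against the first tls-auth rather than the one belonging to the matching ACL), and the "after" function performs the TLS check inside the matching ACL's block.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical model of a provide-xfr ACL entry (not NSD's real struct). */
struct acl {
    const char *addr;      /* secondary address allowed by this ACL */
    const char *key;       /* TSIG key name required by this ACL */
    const char *tls_auth;  /* auth-domain-name of the ACL's tls-auth clause */
};

/* What a connecting secondary presents: source address, TSIG key, TLS name. */
struct query {
    const char *addr;
    const char *key;
    const char *peer_name; /* name verified in the peer's TLS certificate */
};

static bool str_eq(const char *a, const char *b) {
    return a && b && strcmp(a, b) == 0;
}

/* Constructed zone config mirroring the comment: two ACLs, two tls-auth names. */
static const struct acl ACLS[] = {
    { "1.2.3.4", "tsig1", "auth-1.example" },
    { "2.3.4.5", "tsig2", "auth-2.example" },
};
#define NACL (sizeof ACLS / sizeof ACLS[0])

/* Before: address and key are matched per ACL, but the TLS name is then
 * compared against the first tls-auth found, independently of which ACL
 * matched. A legitimate 2.3.4.5 with auth-2.example is rejected here. */
bool acl_allows_before(const struct query *q) {
    bool matched = false;
    for (size_t i = 0; i < NACL && !matched; i++)
        matched = str_eq(ACLS[i].addr, q->addr) && str_eq(ACLS[i].key, q->key);
    if (!matched)
        return false;
    return str_eq(ACLS[0].tls_auth, q->peer_name);  /* not tied to the match */
}

/* After: the TLS check lives inside the ACL match block, so only the
 * tls-auth of the ACL whose address and key matched is consulted. */
bool acl_allows_after(const struct query *q) {
    for (size_t i = 0; i < NACL; i++) {
        if (str_eq(ACLS[i].addr, q->addr) && str_eq(ACLS[i].key, q->key))
            return str_eq(ACLS[i].tls_auth, q->peer_name);
    }
    return false;  /* no ACL matched: deny */
}
```

In this model the old order also lets 2.3.4.5 pass while presenting auth-1.example, which shows why the TLS identity must be bound to the ACL that matched rather than checked on its own.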

@bilias

bilias commented Jun 6, 2026

Contributor Author

New PR (#489)

@bilias bilias closed this Jun 6, 2026