Bug: Server should check only specific tls-auth #489

Open
bilias wants to merge 1 commit into NLnetLabs:master from bilias:tls_server_acl

Conversation

@bilias

@bilias bilias commented Jun 8, 2026

Contributor

If you have a zone with multiple ACLs on provide-xfr with tls-auth like this:

tls-auth:
       name: "tls-auth-1"
       auth-domain-name: "sec1.example.com"

tls-auth:
       name: "tls-auth-2"
       auth-domain-name: "sec2.example.com"

zone:
       name: example.com
       provide-xfr: 1.2.3.4 tsig1 tls-auth-1
       provide-xfr: 2.3.4.5 tsig2 tls-auth-2

the server checks the ACLs independently of tls-auth.

So in this case, when secondary 2.3.4.5 (sec2.example.com) connects with tls-auth for a zone transfer,
the ACL check first matches the IP and TSIG key. After that we have the SSL check.
The server searches first for the auth-domain-name of tls-auth-1 and it fails.

Server should not check other tls-auth definitions.
If an IP is matched in a specific ACL, check that specific tls-auth that is defined in that specific ACL.

Effectively this is only a logic change (no new code) and we move the TLS AUTH check code inside
if(acl_addr_matches(acl, q) && acl_key_matches(acl, q)) {
and not after it.

@bilias bilias changed the title Server should check only specific tls-auth Bug: Server should check only specific tls-auth Jun 8, 2026
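Added example, not NSD's code: a small Python model of the provide-xfr check described in this PR, using the two ACLs from the description. It contrasts the current ordering (TLS auth checked after, and independently of, the address/key match) with the proposed ordering (TLS auth checked inside the matching ACL). `TLS_AUTH`, `Query`, `acl_check_current` and `acl_check_fixed` are names assumed for this model.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the configuration in the PR description (not NSD's data structures).
TLS_AUTH = {"tls-auth-1": "sec1.example.com", "tls-auth-2": "sec2.example.com"}


@dataclass
class Acl:
    address: str
    key_name: str
    tls_auth_name: Optional[str]  # None means no tls-auth on this ACL entry


@dataclass
class Query:
    address: str
    key_name: str
    tls_peer_name: Optional[str]  # name from the client certificate, None if plain TCP


PROVIDE_XFR = [Acl("1.2.3.4", "tsig1", "tls-auth-1"), Acl("2.3.4.5", "tsig2", "tls-auth-2")]


def acl_addr_matches(acl: Acl, q: Query) -> bool:
    return acl.address == q.address


def acl_key_matches(acl: Acl, q: Query) -> bool:
    return acl.key_name == q.key_name


def tls_auth_matches(acl: Acl, q: Query) -> bool:
    if acl.tls_auth_name is None:
        return True  # ACL does not require TLS authentication
    return q.tls_peer_name == TLS_AUTH[acl.tls_auth_name]


def acl_check_current(acls: List[Acl], q: Query) -> bool:
    """Current ordering: match address+key, then run the TLS check against the first
    tls-auth found in the list, regardless of which ACL actually matched."""
    if not any(acl_addr_matches(a, q) and acl_key_matches(a, q) for a in acls):
        return False
    for a in acls:
        if a.tls_auth_name is not None:
            return tls_auth_matches(a, q)  # sec2 is compared to sec1.example.com here
    return True


def acl_check_fixed(acls: List[Acl], q: Query) -> bool:
    """Proposed ordering: the TLS check sits inside the address+key match, so only the
    tls-auth referenced by the matching ACL is consulted."""
    for a in acls:
        if acl_addr_matches(a, q) and acl_key_matches(a, q):
            return tls_auth_matches(a, q)
    return False
```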