Make TLS optional on remote-control #181

Open
simondeziel opened this issue May 31, 2021 · 3 comments
@simondeziel

Unbound supports making TLS/certificate optional for the remote control facility using control-use-cert. This is handy when listening on localhost.

Same would be useful with NSD.

@wcawijngaards
Member

This is already partially supported if you enable remote control using a unix socket; then key and cert files are not needed (use directory permissions). Use an absolute path to the socket to use this, so control-interface: "/tmp/nsd.control.sock" instead of 127.0.0.1.

@simondeziel
Author

I know, but it's not always feasible to expose that socket to the consumer. Our use case is a prometheus exporter that runs containerized in a snap (optix2000/nsd_exporter#8). This means the easy way is to use the localhost IP, in which case it's annoying to do TLS as we need to copy the certs to where the snap can access them.

@ppaeps

ppaeps commented Oct 13, 2021

Even if you can get nsd_exporter to find the keys, TLS still won't work if it's been built with a new-ish version of Go.

Oct 13 15:12:13 weatherwax nsd_exporter[54866]: 2021/10/13 15:12:13 x509: certificate relies on legacy Common Name field, use SANs instead

(subjectAltName makes little sense for this use-case but I'll leave that windmill to someone else.)

You could use socat to connect a Unix domain socket to a TCP socket. Or you can trick NSD into creating a plain transfer socket by creating two sockets:

remote-control:
        control-enable: yes
        control-interface: /var/run/nsd.ctl
        control-interface: 127.0.0.1
        control-port: 8952

You'll get a scary warning with this configuration though.

[2021-10-13 16:22:25.890] nsd[39847]: warning: control-interface 127.0.0.1 is not using TLS, but plain transfer, because first control-interface in config file is a local socket (starts with a /).

@wcawijngaards would you merge a pull request that brings rc->use_cert into the configuration file if I submit one? Since it's possible to create plain transfer sockets anyway, I think having it documented and easily configurable should be okay.

@k0ekk0ek k0ekk0ek self-assigned this Aug 15, 2024