From 2221cbffa56e5777098c6cd39dbd959506974aa6 Mon Sep 17 00:00:00 2001 From: Artem Boldariev Date: Tue, 3 May 2022 13:19:26 +0300 Subject: [PATCH] Update TLS-related warnings within ARM This commit updates TLS-related warnings so that the fact that Strict and Mutual TLS are implemented is taken into consideration. --- doc/arm/reference.rst | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 2807f01d0a..25ddd999eb 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -892,9 +892,14 @@ where ``tls-configuration-name`` refers to a previously defined .. warning:: - Please note that TLS connections to primaries are currently - **not authenticated**. This mode provides protection from passive observers - but does not protect from man-in-the-middle attacks on zone transfers. + Please note that TLS connections to primaries are **not + authenticated** unless ``hostname`` or ``ca-file`` are specified + within the :ref:`tls statement ` in use (see information on + :ref:`Strict TLS ` and :ref:`Mutual TLS ` + for more details). **Not authenticated mode** (:ref:`Opportunistic + TLS `) provides protection from passive + observers but does not protect from man-in-the-middle attacks on + zone transfers. .. _options_grammar: @@ -2476,9 +2481,11 @@ for details on how to specify IP address lists. .. warning:: - Please note that incoming TLS connections are currently - **not authenticated at the TLS level**. - Please use :ref:`tsig` to authenticate requestors. + Please note that incoming TLS connections are + **not authenticated at the TLS level by default**. + Please use :ref:`tsig` to authenticate requestors + or consider implementing :ref:`Mutual TLS ` + authentication. ``blackhole`` This specifies a list of addresses which the server does not accept queries @@ -4922,6 +4929,8 @@ BIND supports the following TLS authentication mechanisms described in the RFC 9103, Section 9.3: Opportunistic TLS, Strict TLS, and Mutual TLS. +.. _opportunistic-tls: + Opportunistic TLS provides encryption for data but does not provide any authentication for the channel. This mode is the default one and it is used whenever ``hostname`` and ``ca-file`` options are not set @@ -4933,6 +4942,8 @@ complementary tools either successfully establish a secure channel via TLS when instructed to do so or fail to establish a connection otherwise. +.. _strict-tls: + Strict TLS provides server authentication via a pre-configured hostname for outgoing connections. This mechanism offers both channel confidentiality and channel authentication (of the server). In order @@ -4947,6 +4958,8 @@ used by WEB-browsers to authenticate HTTPS hosts. On the other hand, if ``ca-file`` is provided but ``hostname`` is missing, then the remote side's IP address is used instead. +.. _mutual-tls: + Mutual TLS is an extension to Strict TLS that provides channel confidentiality and mutual channel authentication. It builds up upon the clients offering client certificates when establishing connections