From 9c34fa2896ea46ccde4d6bdf972f16a7d4f39dca Mon Sep 17 00:00:00 2001 From: Artem Boldariev Date: Thu, 23 Sep 2021 18:07:42 +0300 Subject: [PATCH] Mention that "tls" options defaults are outside of our control We have to mention that every option within a "tls" clause has defaults out of our control as some platforms have means for defining encryption policies globally for any application on the system. In order to comply with these policies, we must not modify TLS context settings, unless we have to do so according to the options specified within "tls" clauses. --- doc/arm/reference.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index bed3ed0140..63beef4cbb 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -4802,6 +4802,13 @@ The following options can be specified in a ``tls`` statement: or the TLS certificate and key pair is planned to be used across multiple BIND instances. +The options described above are used to control different aspects of +TLS functioning. Thus, most of them have no well-defined default +values, as these depend on the cryptographic library version in use +and system-wide cryptographic policy. On the other hand, by specifying +the needed options one could have a uniform configuration deployable +across a range of platforms. + There are two built-in TLS connection configurations: ``ephemeral``, uses a temporary key and certificate created for the current ``named`` session only, and ``none``, which can be used when setting up an HTTP
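Review bot: the "Thus" in the added paragraph does not follow from the sentence before it; that the options "control different aspects of TLS functioning" is not why they lack defaults. The actual reason is the one given in the commit message: unless an option is set explicitly, named leaves the corresponding TLS context setting alone, so the effective value comes from the cryptographic library version and the system-wide cryptographic policy. Suggest stating that directly, e.g. "Unless set explicitly, these options are left at the defaults of the cryptographic library in use and of any system-wide cryptographic policy, so most of them have no well-defined default value across platforms." It would also help the reader to spell out the security consequence of the second sentence: explicitly setting an option (protocol versions, cipher lists, and so on) takes precedence over the system policy, so an administrator who pins values for portability is opting out of whatever the platform policy would otherwise enforce and should check that the pinned values are at least as strict as that policy. Minor wording: "TLS functioning" reads better as "TLS operation", and "one could have a uniform configuration deployable across a range of platforms" as "the same configuration can be deployed unchanged across platforms".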