add parser support for TLS/DoH configuration options

This commit adds stub parser support and tests for:
- "tls" statement, specifying key and cert.
- an optional "tls" keyvalue in listen-on statements for DoT configuration.
- an "https-server" global option for HTTP/2 configuration.
- an "https-endpoint" view option for DoH configuration.

Documentation for these options has also been added to the ARM, but
needs further work.

bin/named/named.conf.rst

@@ -260,6 +260,11 @@ OPTIONS
   	glue-cache boolean;// deprecated
   	heartbeat-interval integer;
   	hostname ( quoted_string | none );
+  	https-endpoint quoted_string https-server string;
+  	https-server string [ port integer ] tls string { (
+  	    quoted_string [ port integer ] [ dscp integer ] |
+  	    ipv4_address [ port integer ] [ dscp integer ] |
+  	    ipv6_address [ port integer ] [ dscp integer ] ); ... };
   	inline-signing boolean;
   	interface-interval duration;
   	ixfr-from-differences ( primary | master | secondary | slave |
@@ -268,10 +273,10 @@ OPTIONS
   	key-directory quoted_string;
   	lame-ttl duration;
   	listen-on [ port integer ] [ dscp
-  	    integer ] {
+  	    integer ] [ tls string ] {
   	    address_match_element; ... };
   	listen-on-v6 [ port integer ] [ dscp
-  	    integer ] {
+  	    integer ] [ tls string ] {
   	    address_match_element; ... };
   	lmdb-mapsize sizeval;
   	lock-file ( quoted_string | none );
@@ -505,6 +510,16 @@ STATISTICS-CHANNELS
   	    } ];
   };
 
+TLS
+^^^
+
+::
+
+  tls string {
+  	cert-file quoted_string;
+  	key-file quoted_string;
+  };
+
 TRUST-ANCHORS
 ^^^^^^^^^^^^^
 
@@ -625,6 +640,7 @@ VIEW
   	forwarders [ port integer ] [ dscp integer ] { ( ipv4_address
   	    | ipv6_address ) [ port integer ] [ dscp integer ]; ... };
   	glue-cache boolean;// deprecated
+  	https-endpoint quoted_string https-server string;
   	inline-signing boolean;
   	ixfr-from-differences ( primary | master | secondary | slave |
   	    boolean );

bin/tests/system/checkconf/good-doh-global.conf

@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+	key-file "key.pem";
+	cert-file "cert.pem";
+};
+
+options {
+	listen-on { 10.53.0.1; };
+	https-server local-server port 443 tls local-tls { 10.53.0.1; };
+	https-endpoint "/dns-query" https-server local-server;
+};

bin/tests/system/checkconf/good-doh-view.conf

@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+	key-file "key.pem";
+	cert-file "cert.pem";
+};
+
+options {
+	listen-on { 10.53.0.1; };
+	https-server local-server port 443 tls local-tls { 10.53.0.1; };
+};
+
+view one {
+	https-endpoint "/dns-query" https-server local-server;
+};

bin/tests/system/checkconf/good-dot-global.conf

@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+	key-file "key.pem";
+	cert-file "cert.pem";
+};
+
+options {
+	listen-on port 853 tls local-tls { 10.53.0.1; };
+};

doc/arm/reference.rst

@@ -1072,6 +1072,14 @@ default is used.
    the default is the ``named`` working directory.  See :ref:`acl`
    for details about ``geoip`` ACLs.
 
+.. _https_endpoint:
+
+``https-endpoint``
+   This configures an DNS-over-HTTPS service endpoint. It takes a string
+   which specifies the endpoint URL path, and an ``https-server``
+   parameter specifying the server name of an HTTPS listener. (See
+   :ref:`Link title <https_server>`.)
+
 ``key-directory``
    This is the directory where the public and private DNSSEC key files should be
    found when performing a dynamic update of secure zones, if different
@@ -2415,15 +2423,23 @@ for details on how to specify IP address lists.
    equal to 300 are treated as seconds and converted to
    milliseconds before applying the above limits.
 
+.. _interfaces:
+
 Interfaces
 ^^^^^^^^^^
 
 The interfaces and ports that the server answers queries from may be
-specified using the ``listen-on`` option. ``listen-on`` takes an
-optional port and an ``address_match_list`` of IPv4 addresses. (IPv6
-addresses are ignored, with a logged warning.) The server listens on
-all interfaces allowed by the address match list. If a port is not
-specified, port 53 is used.
+specified using the ``listen-on`` and ``listen-on-v6`` options, as
+well as the ``https-server`` option for HTTPS queries.
+
+``listen-on`` takes an optional port, an optional TLS configuration
+identifier, and an ``address_match_list`` of IPv4 addresses. (IPv6
+addresses are ignored, with a logged warning.) The server listens on all
+interfaces allowed by the address match list. If a TLS configuration is
+specified, ``named`` will listen for DNS-over-TLS (DoT) connections, using
+the key and certificate specified in the referenced ``tls`` statement. If a
+port number is not specified, the default is 53 for standard DNS and 853
+for DNS-over-TLS.
 
 Multiple ``listen-on`` statements are allowed. For example:
 
@@ -2431,18 +2447,20 @@ Multiple ``listen-on`` statements are allowed. For example:
 
    listen-on { 5.6.7.8; };
    listen-on port 1234 { !1.2.3.4; 1.2/16; };
+   listen-on port 8853 tls example-tls { 4.3.2.1; };
 
-enables the name server on port 53 for the IP address 5.6.7.8, and
-on port 1234 of an address on the machine in net 1.2 that is not
-1.2.3.4.
+enables the name server to listen for standard DNS queries on port 53 of the
+IP address 5.6.7.8 and on port 1234 of an address on the machine in net 1.2
+that is not 1.2.3.4, and to listen for DNS-over-TLS connections on port
+8853 of the IP address 4.3.2.1.
 
-If no ``listen-on`` is specified, the server listens on port 53 on
-all IPv4 interfaces.
+If no ``listen-on`` is specified, the server listens for standard DNS
+on port 53 of all IPv4 interfaces.
 
-The ``listen-on-v6`` option is used to specify the interfaces and the
-ports on which the server listens for incoming queries sent using
-IPv6. If not specified, the server listens on port 53 on all IPv6
-interfaces.
+The ``listen-on-v6`` option is used to specify the interfaces and the ports
+on which the server listens for incoming queries sent using IPv6. If not
+specified, the server listens for standard DNS queries on port 53 of all
+IPv6 interfaces.
 
 Multiple ``listen-on-v6`` options can be used. For example:
 
@@ -2450,11 +2468,12 @@ Multiple ``listen-on-v6`` options can be used. For example:
 
    listen-on-v6 { any; };
    listen-on-v6 port 1234 { !2001:db8::/32; any; };
+   listen-on port 8853 tls example-tls { 2001:db8::100; };
 
-enables the name server on port 53 for any IPv6 addresses (with a
-single wildcard socket), and on port 1234 of IPv6 addresses that are not
-in the prefix 2001:db8::/32 (with separate sockets for each matched
-address).
+enables the name server to listen for standard DNS queries on port 53 of
+any IPv6 addresses and on port 1234 of IPv6 addresses that are not in the
+prefix 2001:db8::/32, and for DNS-over-TLS connections on port 8853 of
+the address 2001:db8::100.
 
 To instruct the server not to listen on any IPv6 address, use:
 
@@ -2462,6 +2481,15 @@ To instruct the server not to listen on any IPv6 address, use:
 
    listen-on-v6 { none; };
 
+.. _https_server:
+
+``https-server`` takes a server name, an optional port, a TLS
+configuration identifier, and an ``address_match_list`` of both IPv4 and
+IPv6 addresses.  This sets up an HTTPS responder using the key and
+certificate specified in the referenced ``tls`` statement.  The endpoint
+for incoming HTTPS queries must be specified using the ``https-endpoint``
+option (see :ref:`Link title <https_endpoint>`).
+
 .. _query_address:
 
 Query Address

doc/misc/options

@@ -211,6 +211,11 @@ options {
         host-statistics <boolean>; // ancient
         host-statistics-max <integer>; // ancient
         hostname ( <quoted_string> | none );
+        https-endpoint <quoted_string> https-server <string>;
+        https-server <string> [ port <integer> ] tls <string> { (
+            <quoted_string> [ port <integer> ] [ dscp <integer> ] |
+            <ipv4_address> [ port <integer> ] [ dscp <integer> ] |
+            <ipv6_address> [ port <integer> ] [ dscp <integer> ] ); ... };
         inline-signing <boolean>;
         interface-interval <duration>;
         ixfr-from-differences ( primary | master | secondary | slave |
@@ -219,10 +224,10 @@ options {
         key-directory <quoted_string>;
         lame-ttl <duration>;
         listen-on [ port <integer> ] [ dscp
-            <integer> ] {
+            <integer> ] [ tls <string> ] {
             <address_match_element>; ... }; // may occur multiple times
         listen-on-v6 [ port <integer> ] [ dscp
-            <integer> ] {
+            <integer> ] [ tls <string> ] {
             <address_match_element>; ... }; // may occur multiple times
         lmdb-mapsize <sizeval>;
         lock-file ( <quoted_string> | none );
@@ -459,6 +464,14 @@ statistics-channels {
             } ]; // may occur multiple times
 }; // may occur multiple times
 
+tls <string> {
+        cert-file <quoted_string>;
+        ciphers <string>; // not implemented
+        dh-param <quoted_string>; // not implemented
+        key-file <quoted_string>;
+        protocols <sslprotos>; // not implemented
+}; // may occur multiple times
+
 trust-anchors { <string> ( static-key |
     initial-key | static-ds | initial-ds )
     <integer> <integer> <integer>
@@ -576,6 +589,7 @@ view <string> [ <class> ] {
         forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
             | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
         glue-cache <boolean>; // deprecated
+        https-endpoint <quoted_string> https-server <string>;
         inline-signing <boolean>;
         ixfr-from-differences ( primary | master | secondary | slave |
             <boolean> );

doc/misc/options.active

@@ -188,6 +188,11 @@ options {
         glue-cache <boolean>; // deprecated
         heartbeat-interval <integer>;
         hostname ( <quoted_string> | none );
+        https-endpoint <quoted_string> https-server <string>;
+        https-server <string> [ port <integer> ] tls <string> { (
+            <quoted_string> [ port <integer> ] [ dscp <integer> ] |
+            <ipv4_address> [ port <integer> ] [ dscp <integer> ] |
+            <ipv6_address> [ port <integer> ] [ dscp <integer> ] ); ... };
         inline-signing <boolean>;
         interface-interval <duration>;
         ixfr-from-differences ( primary | master | secondary | slave |
@@ -196,10 +201,10 @@ options {
         key-directory <quoted_string>;
         lame-ttl <duration>;
         listen-on [ port <integer> ] [ dscp
-            <integer> ] {
+            <integer> ] [ tls <string> ] {
             <address_match_element>; ... }; // may occur multiple times
         listen-on-v6 [ port <integer> ] [ dscp
-            <integer> ] {
+            <integer> ] [ tls <string> ] {
             <address_match_element>; ... }; // may occur multiple times
         lmdb-mapsize <sizeval>;
         lock-file ( <quoted_string> | none );
@@ -413,6 +418,14 @@ statistics-channels {
             } ]; // may occur multiple times
 }; // may occur multiple times
 
+tls <string> {
+        cert-file <quoted_string>;
+        ciphers <string>; // not implemented
+        dh-param <quoted_string>; // not implemented
+        key-file <quoted_string>;
+        protocols <sslprotos>; // not implemented
+}; // may occur multiple times
+
 trust-anchors { <string> ( static-key |
     initial-key | static-ds | initial-ds )
     <integer> <integer> <integer>
@@ -516,6 +529,7 @@ view <string> [ <class> ] {
         forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
             | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
         glue-cache <boolean>; // deprecated
+        https-endpoint <quoted_string> https-server <string>;
         inline-signing <boolean>;
         ixfr-from-differences ( primary | master | secondary | slave |
             <boolean> );

doc/misc/options.grammar.rst

@@ -118,6 +118,11 @@
   	glue-cache <boolean>; // deprecated
   	heartbeat-interval <integer>;
   	hostname ( <quoted_string> | none );
+  	https-endpoint <quoted_string> https-server <string>;
+  	https-server <string> [ port <integer> ] tls <string> { (
+  	    <quoted_string> [ port <integer> ] [ dscp <integer> ] |
+  	    <ipv4_address> [ port <integer> ] [ dscp <integer> ] |
+  	    <ipv6_address> [ port <integer> ] [ dscp <integer> ] ); ... };
   	inline-signing <boolean>;
   	interface-interval <duration>;
   	ixfr-from-differences ( primary | master | secondary | slave |
@@ -126,10 +131,10 @@
   	key-directory <quoted_string>;
   	lame-ttl <duration>;
   	listen-on [ port <integer> ] [ dscp
-  	    <integer> ] {
+  	    <integer> ] [ tls <string> ] {
   	    <address_match_element>; ... };
   	listen-on-v6 [ port <integer> ] [ dscp
-  	    <integer> ] {
+  	    <integer> ] [ tls <string> ] {
   	    <address_match_element>; ... };
   	lmdb-mapsize <sizeval>;
   	lock-file ( <quoted_string> | none );

lib/isccfg/namedconf.c

@@ -91,6 +91,8 @@ static cfg_type_t cfg_type_dnstap;
 static cfg_type_t cfg_type_dnstapoutput;
 static cfg_type_t cfg_type_dyndb;
 static cfg_type_t cfg_type_plugin;
+static cfg_type_t cfg_type_httpendpoint;
+static cfg_type_t cfg_type_httpserver;
 static cfg_type_t cfg_type_ixfrdifftype;
 static cfg_type_t cfg_type_ixfrratio;
 static cfg_type_t cfg_type_key;
@@ -111,6 +113,7 @@ static cfg_type_t cfg_type_optional_facility;
 static cfg_type_t cfg_type_optional_keyref;
 static cfg_type_t cfg_type_optional_port;
 static cfg_type_t cfg_type_optional_uint32;
+static cfg_type_t cfg_type_optional_tls;
 static cfg_type_t cfg_type_options;
 static cfg_type_t cfg_type_portiplist;
 static cfg_type_t cfg_type_printtime;
@@ -127,6 +130,7 @@ static cfg_type_t cfg_type_sizeval;
 static cfg_type_t cfg_type_sockaddr4wild;
 static cfg_type_t cfg_type_sockaddr6wild;
 static cfg_type_t cfg_type_statschannels;
+static cfg_type_t cfg_type_tlsconf;
 static cfg_type_t cfg_type_view;
 static cfg_type_t cfg_type_viewopts;
 static cfg_type_t cfg_type_zone;
@@ -148,6 +152,7 @@ static cfg_type_t cfg_type_tkey_dhkey = { "tkey-dhkey",	   cfg_parse_tuple,
 static cfg_tuplefielddef_t listenon_fields[] = {
 	{ "port", &cfg_type_optional_port, 0 },
 	{ "dscp", &cfg_type_optional_dscp, 0 },
+	{ "tls", &cfg_type_optional_tls, 0 },
 	{ "acl", &cfg_type_bracketed_aml, 0 },
 	{ NULL, NULL, 0 }
 };
@@ -1073,6 +1078,7 @@ static cfg_clausedef_t namedconf_clauses[] = {
 	{ "primaries", &cfg_type_primaries, CFG_CLAUSEFLAG_MULTI },
 	{ "statistics-channels", &cfg_type_statschannels,
 	  CFG_CLAUSEFLAG_MULTI },
+	{ "tls", &cfg_type_tlsconf, CFG_CLAUSEFLAG_MULTI },
 	{ "view", &cfg_type_view, CFG_CLAUSEFLAG_MULTI },
 	{ NULL, NULL, 0 }
 };
@@ -1182,6 +1188,7 @@ static cfg_clausedef_t options_clauses[] = {
 	{ "host-statistics", &cfg_type_boolean, CFG_CLAUSEFLAG_ANCIENT },
 	{ "host-statistics-max", &cfg_type_uint32, CFG_CLAUSEFLAG_ANCIENT },
 	{ "hostname", &cfg_type_qstringornone, 0 },
+	{ "https-server", &cfg_type_httpserver, 0 },
 	{ "interface-interval", &cfg_type_duration, 0 },
 	{ "keep-response-order", &cfg_type_bracketed_aml, 0 },
 	{ "listen-on", &cfg_type_listenon, CFG_CLAUSEFLAG_MULTI },
@@ -1984,6 +1991,7 @@ static cfg_clausedef_t view_clauses[] = {
 	{ "filter-aaaa-on-v4", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
 	{ "filter-aaaa-on-v6", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
 	{ "glue-cache", &cfg_type_boolean, CFG_CLAUSEFLAG_DEPRECATED },
+	{ "https-endpoint", &cfg_type_httpendpoint, 0 },
 	{ "ixfr-from-differences", &cfg_type_ixfrdifftype, 0 },
 	{ "lame-ttl", &cfg_type_duration, 0 },
 #ifdef HAVE_LMDB
@@ -3808,3 +3816,62 @@ cfg_print_zonegrammar(const unsigned int zonetype, unsigned int flags,
 	pctx.indent--;
 	cfg_print_cstr(&pctx, "};\n");
 }
+
+/*%
+ * "tls" and related statement syntax.
+ */
+static cfg_type_t cfg_type_sslprotos = {
+	"sslprotos",	  cfg_parse_spacelist, cfg_print_spacelist,
+	cfg_doc_terminal, &cfg_rep_list,       &cfg_type_astring
+};
+
+static cfg_clausedef_t tls_clauses[] = {
+	{ "key-file", &cfg_type_qstring, 0 },
+	{ "cert-file", &cfg_type_qstring, 0 },
+	{ "dh-param", &cfg_type_qstring, CFG_CLAUSEFLAG_NOTIMP },
+	{ "protocols", &cfg_type_sslprotos, CFG_CLAUSEFLAG_NOTIMP },
+	{ "ciphers", &cfg_type_astring, CFG_CLAUSEFLAG_NOTIMP },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *tls_clausesets[] = { tls_clauses, NULL };
+static cfg_type_t cfg_type_tlsconf = { "tlsconf",     cfg_parse_named_map,
+				       cfg_print_map, cfg_doc_map,
+				       &cfg_rep_map,  tls_clausesets };
+
+static keyword_type_t tls_kw = { "tls", &cfg_type_astring };
+static cfg_type_t cfg_type_optional_tls = {
+	"tlsoptional",	       parse_optional_keyvalue, print_keyvalue,
+	doc_optional_keyvalue, &cfg_rep_string,		&tls_kw
+};
+static cfg_type_t cfg_type_tls = { "tls",	    parse_keyvalue,
+				   print_keyvalue,  doc_keyvalue,
+				   &cfg_rep_string, &tls_kw };
+
+static keyword_type_t servername_kw = { "https-server", &cfg_type_astring };
+static cfg_type_t cfg_type_servername = {
+	"servername",	       parse_keyvalue, print_keyvalue,
+	doc_keyvalue, &cfg_rep_string,		&servername_kw
+};
+
+/* http-endpoint */
+static cfg_tuplefielddef_t endpoint_fields[] = {
+	{ "path", &cfg_type_qstring, 0 },
+	{ "servername", &cfg_type_servername, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_httpendpoint = { "endpoint",	     cfg_parse_tuple,
+					    cfg_print_tuple, cfg_doc_tuple,
+					    &cfg_rep_tuple,  endpoint_fields };
+
+/* http-server */
+static cfg_tuplefielddef_t server_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "port", &cfg_type_optional_port, 0 },
+	{ "tls", &cfg_type_tls, 0 },
+	{ "addresses", &cfg_type_bracketed_sockaddrnameportlist, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_httpserver = { "server",	   cfg_parse_tuple,
+					  cfg_print_tuple, cfg_doc_tuple,
+					  &cfg_rep_tuple,  server_fields };