Local console commands on dnsdist 1.2.x worked without having to use setKey() - in 1.3.x it seems that setKey() is required, otherwise the console client does not work at all and closes the command connection. dnsdist itself logs "Could not decrypt message".
Improvement of console output on mismatched keys is requested in #6683.
Environment
Operating system: Ubuntu 16.04
Software version: dnsdist 1.3.0-1pdns.xenial
Software source: PowerDNS repository
Steps to reproduce
Create dnsdist.conf with controlSocket("127.0.0.1") but without setKey()
Start dnsdist and attempt to connect to the console with -c
Compare to behavior of 1.2.x with the same config, then 1.3.x with setKey() configured
Expected behaviour
Local console access working even without using setKey()
Actual behaviour
Local console access fails in 1.3.x without setKey() but works in 1.2.x
Hi, thanks for reporting this! Using the console without setKey() doesn't work when dnsdist has been compiled with libsodium support enabled, and that hasn't changed between 1.2.x and 1.3.0. We did however change libsodium's default detection from no to auto, meaning that it's now automatically enabled if the library is present.
I'm not 100% sure on how to fix this, we could make the console work without any defined key regardless of whether libsodium support is enabled, but this would have security implications, even on localhost where it would allow any user to connect to the console.
@hlindqvist, I'm also fine with it requiring a key locally but then I'd propose a few documentation changes because at the moment the docs only strongly suggest to enable encryption (setKey) when using remote connections, not that everything including local would fail when not having used setKey().
I agree that enforcing a key makes sense when having untrusted local users.
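A pre-upgrade check for the failure discussed in this thread, added here as an example (it is not code from the issue or from the dnsdist project): it scans a dnsdist.conf for controlSocket() without setKey() and for malformed keys. The function name, the sample configs and the 32-byte key length are assumptions of this example.

```python
import base64
import binascii
import re

# Assumption: a console key is base64 for a 32-byte libsodium secretbox key,
# as printed by makeKey(). Adjust KEY_BYTES if your build differs.
KEY_BYTES = 32
CALL = re.compile(r'\b(controlSocket|setKey)\s*\(\s*(["\'])(.*?)\2\s*\)')

def check_console_config(conf_text):
    """Return findings about controlSocket()/setKey() in a dnsdist.conf."""
    sockets, keys = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        code = raw.split("--", 1)[0]  # drop Lua line comments
        for name, _quote, arg in CALL.findall(code):
            (sockets if name == "controlSocket" else keys).append((lineno, arg))
    findings = []
    if not keys:
        for lineno, addr in sockets:
            findings.append(f"line {lineno}: controlSocket({addr!r}) without "
                            "setKey(); console fails on libsodium-enabled builds")
    for lineno, key in keys:
        try:
            decoded = base64.b64decode(key, validate=True)
        except (binascii.Error, ValueError):
            findings.append(f"line {lineno}: setKey() value is not valid base64")
            continue
        if len(decoded) != KEY_BYTES:
            findings.append(f"line {lineno}: setKey() value decodes to "
                            f"{len(decoded)} bytes, expected {KEY_BYTES}")
    return findings

# Constructed sample configs (not taken from the issue).
CONF_NO_KEY = 'newServer("192.0.2.1")\ncontrolSocket("127.0.0.1")\n'
PLACEHOLDER_KEY = base64.b64encode(bytes(range(KEY_BYTES))).decode()
CONF_WITH_KEY = ('controlSocket("127.0.0.1")\n'
                 '-- setKey("stale")\n'
                 f'setKey("{PLACEHOLDER_KEY}")  -- placeholder; use makeKey()\n')

if __name__ == "__main__":
    for conf in (CONF_NO_KEY, CONF_WITH_KEY):
        print(check_console_config(conf) or "ok")
```

The same key must also be present in the configuration the console client reads, otherwise the "Could not decrypt message" log line from the report appears.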