We need to set TCP_FASTOPEN_KEY via setsockopt. But how to generate a key? I guess this key needs a random number that is cryptographically secure. So we probably can't use rand() and random_engine from C or C++. Perhaps /dev/urandom could be used; I found code using it. I also noticed that there are some random number generation implementations in the current code, but I'm not sure if they can be used in scenarios where cryptographic security is required.
Since the goal is to be able to use the same key on multiple dnsdist instances, likely deployed in an anycast cluster, I think it makes sense to assume that the key will be provided by the administrator in dnsdist's configuration, a bit like setWHashedPertubation. So I wouldn't worry too much about generating the key, as it will very likely be generated outside of dnsdist.
Short description
Setting the TCP Fast Open key via TCP_FASTOPEN_KEY would allow accepting the same TFO cookie for all machines in a cluster (think anycast).
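
The approach discussed in this thread, as an added example that is not dnsdist code and not written by the participants: a 16-byte key is drawn from the kernel CSPRNG with getrandom() outside the server, handed to every instance as a hex string, then parsed and installed on the listening socket. The function names, the hex configuration format and the queue length of 64 are assumptions; the key is a secret and belongs in configuration with restricted permissions.

```c
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <sys/random.h>
#include <sys/socket.h>

#ifndef TCP_FASTOPEN_KEY
#define TCP_FASTOPEN_KEY 33 /* value from the Linux uapi tcp.h, for older libc headers */
#endif
#define TFO_KEY_LEN 16

/* Fill key with 16 bytes from the kernel CSPRNG; returns 0 on success. */
int tfo_key_generate(unsigned char key[TFO_KEY_LEN]) {
    return getrandom(key, TFO_KEY_LEN, 0) == TFO_KEY_LEN ? 0 : -1;
}

/* Parse exactly 32 hex digits (dashes ignored) from a configuration string. */
int tfo_key_parse(const char *s, unsigned char key[TFO_KEY_LEN]) {
    size_t n = 0;
    for (; *s; s++) {
        int c = *s | 0x20, v; /* fold A-F to a-f */
        if (*s == '-') continue;
        if (*s >= '0' && *s <= '9') v = *s - '0';
        else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
        else return -1;                       /* reject any other character */
        if (n >= 2 * TFO_KEY_LEN) return -1;  /* too long: never write past key[] */
        if (n % 2 == 0) key[n / 2] = (unsigned char)(v << 4);
        else key[n / 2] |= (unsigned char)v;
        n++;
    }
    return n == 2 * TFO_KEY_LEN ? 0 : -1;     /* too short is also an error */
}

/* Install the shared key on a listening socket, then enable TFO. */
int tfo_apply(int fd, const unsigned char key[TFO_KEY_LEN], int qlen) {
    if (setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN_KEY, key, TFO_KEY_LEN) != 0)
        return -1;
    return setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN, &qlen, sizeof qlen);
}

int main(void) {
    unsigned char key[TFO_KEY_LEN];
    if (tfo_key_generate(key) != 0) { perror("getrandom"); return 1; }
    for (int i = 0; i < TFO_KEY_LEN; i++) printf("%02x", key[i]);
    putchar('\n'); /* give this same value to every instance in the cluster */
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0 || tfo_apply(fd, key, 64) != 0) perror("tfo_apply");
    return 0;
}
```

If the kernel does not support the option, tfo_apply() fails with errno set by setsockopt and the socket keeps using the system-wide key.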