Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

dnsdist: Add initial DNS over TLS support #6117

Merged
merged 1 commit into from Jan 12, 2018

Conversation

@rgacogne
Copy link
Member

@rgacogne rgacogne commented Dec 25, 2017

Short description

This PR adds basic support for DNS over TLS (rfc7858) using either OpenSSL or GnuTLS. It has room for improvement:

  • documentation is very sparse ;
  • regression tests are almost non-existent ;
  • session resumption with the GnuTLS provider only supports tickets (rfc5077) ;
  • client-side authentication is not supported ;
  • EDNS0 Padding (rfc7830) and EDNS0 Keepalive (rfc7828) are not supported.

Comments are welcome!
Merry Christmas!

Closes #3980.

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled and tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)
@johnhtodd
Copy link

@johnhtodd johnhtodd commented Jan 11, 2018

Having separate counters on this that were exposed in the metrics views would be great, so extensive protobuf tagging and post-processing isn't required to get counts of TLS-enabled queries. Thanks for doing this patch!

@rgacogne rgacogne merged commit d24089b into PowerDNS:master Jan 12, 2018
1 check passed
1 check passed
continuous-integration/travis-ci/pr The Travis CI build passed
Details
@rgacogne rgacogne deleted the rgacogne:ddist-dns-over-tls branch Jan 12, 2018
@HLFH
Copy link
Contributor

@HLFH HLFH commented Jan 12, 2018

@rgacogne Hi. Since you closed this issue: #3980
Is DNS over TLS supported for pdns-auth?

@Habbie
Copy link
Member

@Habbie Habbie commented Jan 12, 2018

@HLFH put dnsdist in front of it!

@HLFH
Copy link
Contributor

@HLFH HLFH commented Jan 12, 2018

@Habbie I understand now it is an initial DNS over TLS support on dnsdist. Shouldn't pdns-recursor support it also after a new PR on pdns repo to comply with rfc7858? And then pdns-auth, but we have to wait for new RFC because rfc7858 does not think about DNS over TLS for recursive-to-authoritative traffic. Correct?

@Habbie
Copy link
Member

@Habbie Habbie commented Jan 12, 2018

@HLFH do you have a reason to not put dnsdist in front?

@HLFH
Copy link
Contributor

@HLFH HLFH commented Jan 12, 2018

@Habbie I use two nameservers pdns-auth on two separate DigitalOcean droplets, one resolver pdns-recursor on a dedicated server. I can't say I need a DNS load-balancer. Do you have a good post so I can set up dnsdist with my use case, since I want DNS over TLS support?

@Habbie
Copy link
Member

@Habbie Habbie commented Jan 12, 2018

Just deploy dnsdist with a single backend defined, and configure TLS. For further support, please find us on IRC or our mailinglists - https://www.powerdns.com/opensource.html

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

4 participants
You can’t perform that action at this time.