dnsdist: Refuse console connection without a proper key set #6715

Merged
merged 5 commits into from Jun 12, 2018

@rgacogne
Member

@rgacogne rgacogne commented Jun 5, 2018

Short description

Fixes #6683 and explicitly prevents the situation from #6709, which was working in some cases because of a very brittle side-effect.
This PR should add a few words to the documentation to clarify that the use of encryption is also strongly recommended for local connections.

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)
@rgacogne rgacogne added this to the dnsdist-1.3.x milestone Jun 5, 2018
rgacogne added 2 commits Jun 6, 2018
…ypted too
@rgacogne rgacogne requested a review from chbruyand Jun 7, 2018
Member

@chbruyand chbruyand left a comment

LGTM!

string msg = sodEncryptSym(line, g_consoleKey, writingNonce);
const auto msgLen = msg.length();
if (msgLen > std::numeric_limits<uint32_t>::max()) {
cout << "Encrypted essage is too long to be sent to the server, "<< std::to_string(msgLen) << " > " << std::numeric_limits<uint32_t>::max() << endl;
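
Review bot: the error text in the too-long branch reads "Encrypted essage" (missing "m"), and it goes to cout, where it mixes with normal command output; cerr would keep the diagnostic separate. std::to_string(msgLen) is also unnecessary, since msgLen can be streamed directly, the same way the numeric_limits value next to it is. The lines shown end inside the branch, so confirm it bails out before the length is narrowed to 32 bits.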

@chbruyand

chbruyand Jun 11, 2018
Member

*message ?

@@ -11,7 +11,7 @@ The console can be enabled with :func:`controlSocket`:

controlSocket('192.0.2.53:5199')

Exposing the console to the network without encryption enabled is not recommended. To enable encryption, first generate a key with :func:`makeKey`::
Enabling the console without encryption enabled is not recommended. To enable encryption, first generate a key with :func:`makeKey`::
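
Review bot: the replacement sentence reads "Enabling the console without encryption enabled", which repeats the same word twice; "Enabling the console without encryption is not recommended" says the same thing more cleanly. Since the recommendation is now meant to cover local connections too, stating that explicitly here would help, because the controlSocket example just above still shows a network address (192.0.2.53:5199) and a reader may assume loopback is exempt.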

@chbruyand

chbruyand Jun 11, 2018
Member

Maybe adding a word about the need of libsodium for encryption to actually happen would be nice ?

@rgacogne

rgacogne Jun 11, 2018
Author Member

We do so a few lines below but you are right in that it would be better to do it here, I'll move it up. Thanks!

rgacogne added 2 commits Jun 11, 2018
…ption
@rgacogne rgacogne merged commit 06aec90 into PowerDNS:master Jun 12, 2018
4 checks passed
LGTM analysis: C/C++ No alert changes
LGTM analysis: JavaScript No alert changes
LGTM analysis: Python No alert changes
continuous-integration/travis-ci/pr The Travis CI build passed
@rgacogne rgacogne deleted the rgacogne:dnsdist-console-nokey branch Jun 12, 2018