Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

dnsdist: Refuse console connection without a proper key set #6715

Merged
merged 5 commits into from Jun 12, 2018

Conversation

rgacogne
Copy link
Member

@rgacogne rgacogne commented Jun 5, 2018

Short description

Fixes #6683 and explicitly prevents the situation from #6709, which was working in some cases because of a very brittle side-effect.
This PR should add a few words to the documentation to clarify that the use of encryption is also strongly recommended for local connections.

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)

@rgacogne rgacogne requested a review from chbruyand June 7, 2018 14:36
Copy link
Member

@chbruyand chbruyand left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

string msg = sodEncryptSym(line, g_consoleKey, writingNonce);
const auto msgLen = msg.length();
if (msgLen > std::numeric_limits<uint32_t>::max()) {
cout << "Encrypted essage is too long to be sent to the server, "<< std::to_string(msgLen) << " > " << std::numeric_limits<uint32_t>::max() << endl;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

*message ?

@@ -11,7 +11,7 @@ The console can be enabled with :func:`controlSocket`:

controlSocket('192.0.2.53:5199')

Exposing the console to the network without encryption enabled is not recommended. To enable encryption, first generate a key with :func:`makeKey`::
Enabling the console without encryption enabled is not recommended. To enable encryption, first generate a key with :func:`makeKey`::
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe adding a word about the need of libsodium for encryption to actually happen would be nice ?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We do so a few lines below but you are right in that it would be better to do it here, I'll move it up. Thanks!

@rgacogne rgacogne merged commit 06aec90 into PowerDNS:master Jun 12, 2018
@rgacogne rgacogne deleted the dnsdist-console-nokey branch June 12, 2018 12:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Please have dnsdist -c verify it can talk to the server
2 participants