dnsdist: Add DNS over HTTPS support based on libh2o #7726

Merged
merged 23 commits into from Apr 23, 2019

@rgacogne
Member

commented Apr 15, 2019

Short description

This PR is a rebase of #6911 on top of the current master, with a few fixes.
It also has less code duplication because of the cleanup done in #7526.
The only remaining issue I'm aware of is that we always send the request received over DoH to the backend over UDP, advertising an EDNS Payload Size of 4096 (unless there was an existing EDNS OPT RR). It means that the current design can't handle responses larger than 4096 bytes over DoH, and leads to a weird situation if the backend answers with TC=1.

Still needs documentation, and quite a lot of regression tests. I'm not sure how to proceed for that last point since the version of Ubuntu used by our Travis tests is much too old to have the required libh2o library, and Python libraries with support for HTTP/2.

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)
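
Added example (not part of this PR and not dnsdist's own code): a minimal wire-format sketch of the behaviour described in the comment above, where a query received over DoH is forwarded over UDP with an EDNS payload size of 4096 unless it already carries an OPT RR, and the backend's response is checked for TC=1. The function names and the sample query are assumptions made for illustration.

```python
import struct

OPT_TYPE = 41      # EDNS(0) OPT pseudo-RR type (RFC 6891)
TC_FLAG = 0x0200   # truncation bit in the DNS header flags word

def _skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def find_opt(msg):
    """Return the UDP payload size advertised by the OPT RR, or None if absent."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4           # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == OPT_TYPE:
            return rclass                        # CLASS field carries the size
        off += 10 + rdlen
    return None

def prepare_for_udp_backend(query, payload_size=4096):
    """Append an OPT RR advertising payload_size unless the query has one.
    Assumption: the query has no trailing record (e.g. TSIG) that must stay last."""
    if find_opt(query) is not None:
        return query                             # keep the client's own EDNS
    hdr = list(struct.unpack_from("!6H", query, 0))
    hdr[5] += 1                                  # ARCOUNT
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, payload_size, 0, 0)
    return struct.pack("!6H", *hdr) + query[12:] + opt

def is_truncated(response):
    """True when the backend set TC=1, i.e. the answer did not fit in UDP."""
    return bool(struct.unpack_from("!H", response, 2)[0] & TC_FLAG)

# Constructed sample: query for example.com A with RD=1 and no EDNS.
SAMPLE_QUERY = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
                + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
```

A front end that forwards only over UDP has no way to fetch the full answer when `is_truncated` returns true, which is the limitation the comment describes.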

pieterlexis and others added some commits Apr 16, 2019

Merge pull request #7 from pieterlexis/dnsdist-redoh-pkgs
Ensure building libh2o is cached in docker
dnsdist: Add support for more than one TLS certificate for DoH
So we can present an ECDSA one to clients supporting it and a RSA
one to those who don't.
@rgacogne

Member Author

commented Apr 17, 2019

Now with:

  • custom ciphersuites, including for TLS 1.3;
  • certificate reloading;
  • TCP Fast Open, reuseport, interface and CPU pinning;
  • more than one certificate (ECDSA and RSA, for example);
  • documentation.

rgacogne added some commits Apr 17, 2019

@rgacogne

Member Author

commented Apr 17, 2019

I think this PR is done, it's still missing tests but I'm afraid we won't be able to run them on Travis anyway, so I'd be happy to merge this PR as soon as it has been reviewed.
In the meantime I'll write regression tests and disable them in Travis.

@pieterlexis

Member

commented Apr 17, 2019

> Travis tests is much too old to have the required libh2o library

We can build it ourselves though (as we do for packages on OSs that have no libh2o-evloop)

> Python libraries with support for HTTP/2.

Perhaps we can take hyper for a spin

pieterlexis reopened this Apr 17, 2019

@Habbie

Member

commented Apr 17, 2019

> Travis tests is much too old to have the required libh2o library

How about testing on a fresher docker image in circleci?

@Habbie

Member

commented Apr 18, 2019

> How about testing on a fresher docker image in circleci?

I've done (ugly, unfinished) circleci work based on this branch, in https://github.com/Habbie/pdns/tree/dnsdist-redoh-circleci (py2, with hacks, but all tests pass) - probably best to integrate that into the bigger matrix @pieterlexis is working on, when that has landed.

rgacogne added some commits Apr 19, 2019

rgacogne merged commit 07f217c into PowerDNS:master Apr 23, 2019

2 checks passed

ci/circleci: build: Your tests passed on CircleCI!
continuous-integration/travis-ci/pr: The Travis CI build passed

rgacogne deleted the rgacogne:dnsdist-redoh branch Apr 23, 2019

@chbruyand

Member

commented Apr 23, 2019

\o/

rgacogne referenced this pull request Apr 24, 2019

Merged

pkgs: build for Debian Buster #7737

3 of 7 tasks complete