Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add webpki-roots and native-certs crate features, take 2 #2005

Merged
merged 5 commits into from
Aug 31, 2023
Merged

Add webpki-roots and native-certs crate features, take 2 #2005

merged 5 commits into from
Aug 31, 2023

Conversation

daxpedda
Copy link
Contributor

This splits the changes from #1943 into two parts. This is the first part, only introducing loading the native certificates. The changes are basically only touching the code that was loading certificates from webpki-roots and introducing the new crate features.

I could split this up further into trust-dns-proto and trust-dns-resolver?

This implementation has the big downside that trust-dns-resolver will attempt to load the native certificates only once and save the Result in a Lazy. So there currently no way for the user to re-attempt or reload the native certificates. This will be addressed in the second part.

Replaces #1943.

daxpedda
daxpedda commented Aug 22, 2023
View reviewed changes
crates/resolver/src/quic.rs Outdated Show resolved Hide resolved
This was referenced Aug 22, 2023
Closed
Open
@daxpedda daxpedda mentioned this pull request Aug 22, 2023
Closed
@daxpedda daxpedda changed the title Add webpki-roots and native-certs crate features Add webpki-roots and native-certs crate features, take 2 Aug 22, 2023
djc
djc reviewed Aug 23, 2023
View reviewed changes
Copy link
Collaborator

@djc djc left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, being nitpicky about the commit history, because I know there's a bunch more large changes here and I'd like to make reviewing them easy.

I'm inclined to say the Lazy<Arc<ClientConfig>> design doesn't make all that much sense and we should instead use a design where a "global" default Arc<ClientConfig> (or maybe even only the RootCertStore?) lives in something like the ResolverConfig, NameServerConfigGroup or ResolverOpts but maybe this should be left for a future PR? (Maybe this is already what you were planning on doing in a future PR.)

crates/proto/Cargo.toml Outdated Show resolved Hide resolved
crates/proto/src/https/https_client_stream.rs Show resolved Hide resolved
crates/proto/Cargo.toml Show resolved Hide resolved
crates/proto/src/https/https_client_stream.rs Show resolved Hide resolved
crates/proto/src/quic/quic_client_stream.rs Show resolved Hide resolved
crates/resolver/examples/custom_provider.rs Outdated Show resolved Hide resolved
crates/resolver/src/https.rs Outdated Show resolved Hide resolved
@daxpedda
Copy link
Contributor Author

Sorry, being nitpicky about the commit history, because I know there's a bunch more large changes here and I'd like to make reviewing them easy.

This is totally fine! I'm happy to do the legwork here and make it as easy as possible to review!

I'm inclined to say the Lazy<Arc<ClientConfig>> design doesn't make all that much sense and we should instead use a design where a "global" default Arc<ClientConfig> (or maybe even only the RootCertStore?) lives in something like the ResolverConfig, NameServerConfigGroup or ResolverOpts but maybe this should be left for a future PR? (Maybe this is already what you were planning on doing in a future PR.)

I think the big upside of Lazy<Arc<ClientConfig>> is for the bundled certificates to not consume memory more then once, but that doesn't play well with the native certs as we've seen in #1943.

Unfortunately storing a RootCertStore doesn't really work because we would have to clone it for every ClientConfig created from it. We could store a sharable WebPkiVerifier but that's not possible without enabling rustls/dangerous_configuration, I've described the issue in more detail here: #1990 (comment). I've worked around that in #2001 by creating a base ClientConfig that can be cloned, which just clones a bunch of Arcs, to reuse the root certificates without consuming additional memory.

As for where to store it I would argue that a "global" default would make sense to live in ResolverOpts.

Personally I'm also in favor of moving away from the Lazy and my preference would be to store it instead in ResolverOpts.

Let me know what you think!

@daxpedda
Copy link
Contributor Author

Let me know if you want me to squash anything or split a commit into a separate PR. E.g. I think 431db81 should be squashed.

@djc
Copy link
Collaborator

djc commented Aug 23, 2023

I've worked around that in #2001 by creating a base ClientConfig that can be cloned, which just clones a bunch of Arcs, to reuse the root certificates without consuming additional memory.

As for where to store it I would argue that a "global" default would make sense to live in ResolverOpts.

Personally I'm also in favor of moving away from the Lazy and my preference would be to store it instead in ResolverOpts.

This sounds like a good direction!

@daxpedda
Copy link
Contributor Author

CI currently fails on a test called test_sec_lookup_fails, doesn't work for me locally on main either so I believe this is unrelated to this PR. Can be reproduced with:
cargo test -p trust-dns-resolver --all-features -- test_sec_lookup_fails

@daxpedda
Copy link
Contributor Author

CI currently fails on a test called test_sec_lookup_fails, doesn't work for me locally on main either so I believe this is unrelated to this PR. Can be reproduced with: cargo test -p trust-dns-resolver --all-features -- test_sec_lookup_fails

I guess https://trust-dns.org is down?

@daxpedda
Copy link
Contributor Author

CI currently fails on a test called test_sec_lookup_fails, doesn't work for me locally on main either so I believe this is unrelated to this PR. Can be reproduced with: cargo test -p trust-dns-resolver --all-features -- test_sec_lookup_fails

I guess https://trust-dns.org is down?

I temporarily disabled the test to make the CI run. Let me know if you want me to remove it before merging.

@djc
Copy link
Collaborator

djc commented Aug 24, 2023

I'm going to leave it to @bluejekyll to decide if he wants to merge this with the ignored test (or fix up his DNS/web server setup?).

@daxpedda
Copy link
Contributor Author

If we decide that we don't want to merge this now because it's a breaking change, let me know. There are other PRs I want to work on that (hopefully) don't require a breaking change, but I am waiting on this because I don't want to spend time constantly rebasing everything.

No stress though, I'm not in a hurry!

@djc
Copy link
Collaborator

djc commented Aug 28, 2023

I think we pretty much default to only doing breaking releases except if there's a security response needed.

@daxpedda daxpedda force-pushed the native-certs-2 branch 3 times, most recently from 5b47f29 to 655f5f4 Compare August 30, 2023 20:42
@daxpedda
Copy link
Contributor Author

I removed the commit disabling the test.

The last commit "Fix CI" was probably necessary because of the 1.72 release and has nothing to do with this PR. I'm happy to split it into a separate PR if needed.

@djc
Copy link
Collaborator

djc commented Aug 31, 2023

Cool, look forward to merging this.

The last commit "Fix CI" was probably necessary because of the 1.72 release and has nothing to do with this PR. I'm happy to split it into a separate PR if needed.

Separate PR is unnecessary from my side, but would like one commit for cargo fmt and one commit for clippy fixes.

@bluejekyll
Copy link
Member

Sorry for the delay on this. I'm reviewing this now.

bluejekyll
bluejekyll requested changes Aug 31, 2023
View reviewed changes
Copy link
Member

@bluejekyll bluejekyll left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for all the cleanup on the examples and configuration as well. This looks great. You clearly spent a lot of time and energy on this change, I really appreciate all that effort.

See the one comment about the panic, once that is fixed, I will happily merge this in.

crates/proto/src/https/https_client_stream.rs Show resolved Hide resolved
bluejekyll
bluejekyll approved these changes Aug 31, 2023
View reviewed changes
Copy link
Member

@bluejekyll bluejekyll left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok, this is an awesome change. Thank you for all the work!

@bluejekyll bluejekyll merged commit 8e38497 into hickory-dns:main Aug 31, 2023
16 of 18 checks passed
@daxpedda
Copy link
Contributor Author

daxpedda commented Sep 2, 2023

Separate PR is unnecessary from my side, but would like one commit for cargo fmt and one commit for clippy fixes.

Apologies, never got to separate those commits!

Thank you all for the guidance, was a great experience!

This was referenced Sep 6, 2023
Closed
Open
@daxpedda daxpedda mentioned this pull request Sep 7, 2023
Closed
@daxpedda daxpedda mentioned this pull request Sep 22, 2023
Open
@daxpedda daxpedda mentioned this pull request Oct 11, 2023
Closed
@cpu cpu mentioned this pull request Nov 3, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@djc djc djc approved these changes

@bluejekyll bluejekyll bluejekyll approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@daxpedda @djc @bluejekyll