Enabling 0-RTT for QUIC/H3 clients #387
Conversation
dohclient.go
Outdated
| @@ -181,7 +181,12 @@ func (d *DoHClient) ResolveGET(q *dns.Msg) (*dns.Msg, error) { | |||
| ctx, cancel := context.WithTimeout(context.Background(), d.opt.QueryTimeout) | |||
| defer cancel() | |||
|
|
|||
| req, err := http.NewRequestWithContext(ctx, "GET", u, nil) | |||
| method := http.MethodGet | |||
| if d.opt.Transport == "quic" { | |||
There was a problem hiding this comment.
Since 0-RTT affects the security-properties, what do you think about adding a flag to config like enable-0rtt or so to enable it. In the docs we could then link to https://datatracker.ietf.org/doc/html/rfc8446#section-8 so users know and can decide if they want it anyway.
|
I updated the DoQ client to use DialEarly. The implementation looks a bit weird but others (SSH3 for example) are also using |
There was a problem hiding this comment.
Thanks a lot for this. As for docs, would you mind adding a note about the new flag to the documentation in https://github.com/folbricht/routedns/blob/master/doc/configuration.md#DNS-over-QUIC-Resolver ? If not I can do that later too though
doqclient.go
Outdated
| } | ||
|
|
||
| // Use quic.DialEarly to attempt to use 0-RTT DNS queries for lower latency | ||
| s.EarlyConnection, err = quic.DialEarly(context.TODO(), s.udpConn, udpAddr, s.tlsConfig, s.config) |
There was a problem hiding this comment.
I'm surprised that this change was even necessary. quicDial itself also calls quic.DialEarly. And it basically does the same thing.
Also there's a bit of a filehandle leak here when this fails. s.udpConn will not get closed. See the comment in https://github.com/folbricht/routedns/blob/master/dohclient.go#L427-L428
There was a problem hiding this comment.
you are right, I tested it again and it works without the changes to use DialEarly. I will revert this
…ad a bug. Renamed the 0RTT toggle and updated the documentation.
|
@LeonardWalter you mentioned in your commit message that there was a bug in the previous doqclient code; what was the bug? |
|
The problem was what Frank mentioned with the updConn not being closed in my earlier commit (4d4f1a1) |
|
@LeonardWalter to be clear it wasn't a criticism of the commit, i wasn't sure i understood it correctly; apologies. also, so i understand correctly, dohclient.go will do the correct thing for http2 / TCP? |
dohclient.go
Outdated
| @@ -181,7 +186,12 @@ func (d *DoHClient) ResolveGET(q *dns.Msg) (*dns.Msg, error) { | |||
| ctx, cancel := context.WithTimeout(context.Background(), d.opt.QueryTimeout) | |||
| defer cancel() | |||
|
|
|||
| req, err := http.NewRequestWithContext(ctx, "GET", u, nil) | |||
| method := http.MethodGet | |||
| if d.opt.Use0RTT { | |||
There was a problem hiding this comment.
| if d.opt.Use0RTT { | |
| if d.opt.Use0RTT && opt.Transport == "quic" { |
Should we add this? To handle a mis-configuration where Use0RTT is used but it's not actually quic, but http2
|
@mattkeenan I looked at the DoH RFC
AFAIK there are countermeasures to this in TLS1.3 but don't quote me on this I am no expert. Other DoH implementations also it.
|
|
Also, I really don't like how I disable 0-RTT for DoQ
|
|
Let's keep the session cache enabled in all cases. It's a good thing to have regardless of config. |
|
Do you know of a flag or something to disable 0-RTT. I know Allow0RTT is only used for the server side. So far I haven't discovered a good way to toggle 0-RTT on and off |
|
Server side? Is it needed? Seems fine to support it in all cases |
Updated the DoQ and DoH QUIC client to enable 0-RTT based on the guide from: https://quic-go.net/docs/http3/client/#using-0-rtt