hickory-dns · bluejekyll · Mar 19, 2023 · Mar 16, 2023 · Mar 16, 2023
@@ -577,11 +577,18 @@ fn config_https(
     }
 
     for https_listener in &https_sockaddrs {
-        info!(
-            "loading cert for DNS over TLS named {} from {:?}",
-            tls_cert_config.get_endpoint_name(),
-            tls_cert_config.get_path()
-        );
+        if let Some(endpoint_name) = tls_cert_config.get_endpoint_name() {
+            info!(
+                "loading cert for DNS over TLS named {} from {:?}",
+                endpoint_name,
+                tls_cert_config.get_path()
+            );
+        } else {
+            info!(
+                "loading cert for DNS over TLS from {:?}",
+                tls_cert_config.get_path()
+            );
+        }
         // TODO: see about modifying native_tls to impl Clone for Pkcs12
         let tls_cert = dnssec::load_cert(zone_dir, tls_cert_config)
             .expect("error loading tls certificate file");
@@ -605,7 +612,7 @@ fn config_https(
                 https_listener,
                 config.get_tcp_request_timeout(),
                 tls_cert,
-                tls_cert_config.get_endpoint_name().to_string(),
+                tls_cert_config.get_endpoint_name().map(|s| s.to_string()),
             )
             .expect("could not register HTTPS listener");
     }
@@ -636,11 +643,18 @@ fn config_quic(
     }
 
     for quic_listener in &quic_sockaddrs {
-        info!(
-            "loading cert for DNS over TLS named {} from {:?}",
-            tls_cert_config.get_endpoint_name(),
-            tls_cert_config.get_path()
-        );
+        if let Some(endpoint_name) = tls_cert_config.get_endpoint_name() {
+            info!(
+                "loading cert for DNS over QUIC named {} from {:?}",
+                endpoint_name,
+                tls_cert_config.get_path()
+            );
+        } else {
+            info!(
+                "loading cert for DNS over QUIC from {:?}",
+                tls_cert_config.get_path()
+            );
+        }
         // TODO: see about modifying native_tls to impl Clone for Pkcs12
         let tls_cert = dnssec::load_cert(zone_dir, tls_cert_config)
             .expect("error loading tls certificate file");
@@ -664,7 +678,7 @@ fn config_quic(
                 quic_listener,
                 config.get_tcp_request_timeout(),
                 tls_cert,
-                tls_cert_config.get_endpoint_name().to_string(),
+                tls_cert_config.get_endpoint_name().map(|s| s.to_string()),
             )
             .expect("could not register QUIC listener");
     }

@@ -7,7 +7,6 @@
 
 //! HTTPS related server items
 
-use std::borrow::Borrow;
 use std::fmt::Debug;
 use std::str::FromStr;
 use std::sync::Arc;
@@ -26,15 +25,15 @@ use crate::https::HttpsError;
 /// To allow downstream clients to do something interesting with the lifetime of the bytes, this doesn't
 ///   perform a conversion to a Message, only collects all the bytes.
 pub async fn message_from<R>(
-    this_server_name: Arc<str>,
+    this_server_name: Option<Arc<str>>,
     request: Request<R>,
 ) -> Result<BytesMut, HttpsError>
 where
     R: Stream<Item = Result<Bytes, h2::Error>> + 'static + Send + Debug + Unpin,
 {
     debug!("Received request: {:#?}", request);
 
-    let this_server_name = this_server_name.borrow();
+    let this_server_name = this_server_name.as_deref();
     match crate::https::request::verify(this_server_name, &request) {
         Ok(_) => (),
         Err(err) => return Err(err),
@@ -127,7 +126,7 @@ mod tests {
         let request = request::new("ns.example.com", len).unwrap();
         let request = request.map(|()| stream);
 
-        let from_post = message_from(Arc::from("ns.example.com"), request);
+        let from_post = message_from(Some(Arc::from("ns.example.com")), request);
         let bytes = match block_on(from_post) {
             Ok(bytes) => bytes,
             e => panic!("{:#?}", e),

@@ -66,7 +66,7 @@ pub fn new(name_server_name: &str, message_len: usize) -> HttpsResult<Request<()
 }
 
 /// Verifies the request is something we know what to deal with
-pub fn verify<T>(name_server: &str, request: &Request<T>) -> HttpsResult<()> {
+pub fn verify<T>(name_server: Option<&str>, request: &Request<T>) -> HttpsResult<()> {
     // Verify all HTTP parameters
     let uri = request.uri();
 
@@ -86,12 +86,14 @@ pub fn verify<T>(name_server: &str, request: &Request<T>) -> HttpsResult<()> {
     }
 
     // the authority must match our nameserver name
-    if let Some(authority) = uri.authority() {
-        if authority.host() != name_server {
-            return Err("incorrect authority".into());
+    if let Some(name_server) = name_server {
+        if let Some(authority) = uri.authority() {
+            if authority.host() != name_server {
+                return Err("incorrect authority".into());
+            }
+        } else {
+            return Err("no authority in HTTPS request".into());
         }
-    } else {
-        return Err("no authority in HTTPS request".into());
     }
 
     // TODO: switch to mime::APPLICATION_DNS when that stabilizes
@@ -150,6 +152,6 @@ mod tests {
     #[test]
     fn test_new_verify() {
         let request = new("ns.example.com", 512).expect("error converting to http");
-        assert!(verify("ns.example.com", &request).is_ok());
+        assert!(verify(Some("ns.example.com"), &request).is_ok());
     }
 }
@@ -204,7 +204,7 @@ impl Default for PrivateKeyType {
 #[derive(Deserialize, PartialEq, Eq, Debug)]
 pub struct TlsCertConfig {
     path: String,
-    endpoint_name: String,
+    endpoint_name: Option<String>,
     cert_type: Option<CertType>,
     password: Option<String>,
     private_key: Option<String>,
@@ -218,8 +218,8 @@ impl TlsCertConfig {
     }
 
     /// return the DNS name of the certificate hosted at the TLS endpoint
-    pub fn get_endpoint_name(&self) -> &str {
-        &self.endpoint_name
+    pub fn get_endpoint_name(&self) -> Option<&str> {
+        self.endpoint_name.as_deref()
     }
 
     /// Returns the format type of the certificate file

@@ -27,7 +27,7 @@ pub(crate) async fn h2_handler<T, I>(
     handler: Arc<T>,
     io: I,
     src_addr: SocketAddr,
-    dns_hostname: Arc<str>,
+    dns_hostname: Option<Arc<str>>,
 ) where
     T: RequestHandler,
     I: AsyncRead + AsyncWrite + Unpin,

@@ -29,7 +29,7 @@ pub(crate) async fn quic_handler<T>(
     handler: Arc<T>,
     mut quic_streams: QuicStreams,
     src_addr: SocketAddr,
-    _dns_hostname: Arc<str>,
+    _dns_hostname: Option<Arc<str>>,
 ) -> Result<(), ProtoError>
 where
     T: RequestHandler,

@@ -532,14 +532,15 @@ impl<T: RequestHandler> ServerFuture<T> {
         // TODO: need to set a timeout between requests.
         _timeout: Duration,
         certificate_and_key: (Vec<Certificate>, PrivateKey),
-        dns_hostname: String,
+        dns_hostname: Option<String>,
     ) -> io::Result<()> {
         use tokio_rustls::TlsAcceptor;
 
         use crate::proto::rustls::tls_server;
         use crate::server::https_handler::h2_handler;
 
-        let dns_hostname: Arc<str> = Arc::from(dns_hostname);
+        let dns_hostname: Option<Arc<str>> = dns_hostname.map(|n| n.into());
+
         let handler = self.handler.clone();
         debug!("registered https: {listener:?}");
 
@@ -626,12 +627,13 @@ impl<T: RequestHandler> ServerFuture<T> {
         // TODO: need to set a timeout between requests.
         _timeout: Duration,
         certificate_and_key: (Vec<Certificate>, PrivateKey),
-        dns_hostname: String,
+        dns_hostname: Option<String>,
     ) -> io::Result<()> {
         use crate::proto::quic::QuicServer;
         use crate::server::quic_handler::quic_handler;
 
-        let dns_hostname: Arc<str> = Arc::from(dns_hostname);
+        let dns_hostname: Option<Arc<str>> = dns_hostname.map(|n| n.into());
+
         let handler = self.handler.clone();
 
         debug!("registered quic: {:?}", socket);