doq: add a bit of documentation and display DoQ support in version() if enabled
authorCharles-Henri Bruyand <charles-henri.bruyand@open-xchange.com>
Tue, 26 Sep 2023 09:59:32 +0000 (11:59 +0200)
committerRemi Gacogne <remi.gacogne@powerdns.com>
Mon, 9 Oct 2023 11:38:04 +0000 (13:38 +0200)
pdns/dnsdist.cc
pdns/dnsdistdist/docs/guides/dns-over-quic.rst [new file with mode: 0644]
pdns/dnsdistdist/docs/guides/index.rst
pdns/dnsdistdist/docs/install.rst

index d2b7759968b3094f0dd9bccea2dc37f7fd386c6f..1276f09df4cb02575ac99cc956b5b3eaae796db3 100644 (file)
@@ -2572,6 +2572,9 @@ int main(int argc, char** argv)
 #ifdef HAVE_CDB
         cout<<"cdb ";
 #endif
+#ifdef HAVE_DNS_OVER_QUIC
+        cout<<"dns-over-quic ";
+#endif
 #ifdef HAVE_DNS_OVER_TLS
         cout<<"dns-over-tls(";
 #ifdef HAVE_GNUTLS
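Review bot: The literal `dns-over-quic ` printed in the new HAVE_DNS_OVER_QUIC branch is exactly the token the new docs/guides/dns-over-quic.rst tells operators to look for in `dnsdist --version`, so it is now a documented interface rather than a free-form label and deserves a comment saying so, e.g. `// "dns-over-quic" is the token docs/guides/dns-over-quic.rst tells users to check for in --version output`. The neighbouring dns-over-tls entry names the backing library in parentheses; since install.rst in this same commit ties incoming DoQ to quiche, `cout<<"dns-over-quic(quiche) ";` would follow that convention while keeping the documented substring intact. The enclosing main() starts and ends outside the hunk.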
diff --git a/pdns/dnsdistdist/docs/guides/dns-over-quic.rst b/pdns/dnsdistdist/docs/guides/dns-over-quic.rst
new file mode 100644 (file)
index 0000000..48fb22d
--- /dev/null
@@ -0,0 +1,23 @@
+DNS-over-QUIC (DoQ)
+====================
+
+:program:`dnsdist` supports DNS-over-QUIC (DoQ, standardized in RFC 9250) for incoming queries since 1.9.0.
+To see if the installation supports this, run ``dnsdist --version``.
+If the output shows ``dns-over-quic`` incoming DNS-over-QUIC is supported.
+
+Incoming
+--------
+
+Adding a listen port for DNS-over-QUIC can be done with the :func:`addDOQLocal` function, e.g.::
+
+  addDOQLocal('2001:db8:1:f00::1', '/etc/ssl/certs/example.com.pem', '/etc/ssl/private/example.com.key')
+
+This will make :program:`dnsdist` listen on [2001:db8:1:f00::1]:853 on UDP, and will use the provided certificate and key to serve incoming TLS connections.
+
+The fourth parameter, if present, indicates various options. For instance, you can change the congestion control algorithm used. An example is::
+
+  addDOQLocal('2001:db8:1:f00::1', '/etc/ssl/certs/example.com.pem', '/etc/ssl/private/example.com.key', {congestionControlAlgo="bbr"})
+
+A particular attention should be taken to the permissions of the certificate and key files. Many ACME clients used to get and renew certificates, like CertBot, set permissions assuming that services are started as root, which is no longer true for dnsdist as of 1.5.0. For that particular case, making a copy of the necessary files in the /etc/dnsdist directory is advised, using for example CertBot's ``--deploy-hook`` feature to copy the files with the right permissions after a renewal.
+
+More information about sessions management can also be found in :doc:`../advanced/tls-sessions-management`.
index 7a4f5761a95aadd515d2c85f2b8063afddbd1317..b5b6830508bc52e0f808b5a539facf3d14d24034 100644 (file)
@@ -14,6 +14,7 @@ These chapters contain several guides and nuggets of information regarding dnsdi
    serverselection
    carbon
    dns-over-https
+   dns-over-quic
    dns-over-tls
    dnscrypt
 
index 9d24c03dcbefbc67ededd10e9437da9e3b567bfd..5c87e2bbf5c3900dc7c51c0177fc991d7a6fef50 100644 (file)
@@ -58,6 +58,7 @@ dnsdist depends on the following libraries:
 * `nghttp2 <https://nghttp2.org/>`_ (optional, outgoing DoH support)
 * `OpenSSL <https://www.openssl.org/>`_ (optional, DoT and DoH support)
 * `protobuf <https://developers.google.com/protocol-buffers/>`_ (optional, not needed as of 1.6.0)
+* `quiche <https://github.com/cloudflare/quiche>`_ (optional, incoming DoQ support)
 * `re2 <https://github.com/google/re2>`_ (optional)
 * `TinyCDB <https://www.corpit.ru/mjt/tinycdb.html>` (optional, CDB support)