From: Charles-Henri Bruyand Date: Tue, 26 Sep 2023 09:59:32 +0000 (+0200) Subject: doq: add a bit of documentation and display DoQ support in version() if enabled X-Git-Tag: rec-5.0.0-alpha2~6^2~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c64f6dd31459b4235d1aaea57d68f66cc91b87ee;p=thirdparty%2Fpdns.git doq: add a bit of documentation and display DoQ support in version() if enabled --- diff --git a/pdns/dnsdist.cc b/pdns/dnsdist.cc index d2b7759968..1276f09df4 100644 --- a/pdns/dnsdist.cc +++ b/pdns/dnsdist.cc @@ -2572,6 +2572,9 @@ int main(int argc, char** argv) #ifdef HAVE_CDB cout<<"cdb "; #endif +#ifdef HAVE_DNS_OVER_QUIC + cout<<"dns-over-quic "; +#endif #ifdef HAVE_DNS_OVER_TLS cout<<"dns-over-tls("; #ifdef HAVE_GNUTLS diff --git a/pdns/dnsdistdist/docs/guides/dns-over-quic.rst b/pdns/dnsdistdist/docs/guides/dns-over-quic.rst new file mode 100644 index 0000000000..48fb22dc4e --- /dev/null +++ b/pdns/dnsdistdist/docs/guides/dns-over-quic.rst 
@@ -0,0 +1,23 @@ +DNS-over-QUIC (DoQ) +==================== + +:program:`dnsdist` supports DNS-over-QUIC (DoQ, standardized in RFC 9250) for incoming queries since 1.9.0. +To see if the installation supports this, run ``dnsdist --version``. +If the output shows ``dns-over-quic`` incoming DNS-over-QUIC is supported. + +Incoming +-------- + +Adding a listen port for DNS-over-QUIC can be done with the :func:`addDOQLocal` function, e.g.:: + + addDOQLocal('2001:db8:1:f00::1', '/etc/ssl/certs/example.com.pem', '/etc/ssl/private/example.com.key') + +This will make :program:`dnsdist` listen on [2001:db8:1:f00::1]:853 on UDP, and will use the provided certificate and key to serve incoming TLS connections. + +The fourth parameter, if present, indicates various options. For instance, you can change the congestion control algorithm used. An example is:: + + addDOQLocal('2001:db8:1:f00::1', '/etc/ssl/certs/example.com.pem', '/etc/ssl/private/example.com.key', {congestionControlAlgo="bbr"}) + +A particular attention should be taken to the permissions of the certificate and key files. Many ACME clients used to get and renew certificates, like CertBot, set permissions assuming that services are started as root, which is no longer true for dnsdist as of 1.5.0. For that particular case, making a copy of the necessary files in the /etc/dnsdist directory is advised, using for example CertBot's ``--deploy-hook`` feature to copy the files with the right permissions after a renewal. + +More information about sessions management can also be found in :doc:`../advanced/tls-sessions-management`. diff --git a/pdns/dnsdistdist/docs/guides/index.rst b/pdns/dnsdistdist/docs/guides/index.rst index 7a4f5761a9..b5b6830508 100644 --- a/pdns/dnsdistdist/docs/guides/index.rst +++ b/pdns/dnsdistdist/docs/guides/index.rst @@ -14,6 +14,7 @@ These chapters contain several guides and nuggets of information regarding dnsdi serverselection carbon dns-over-https + dns-over-quic dns-over-tls dnscrypt 
diff --git a/pdns/dnsdistdist/docs/install.rst b/pdns/dnsdistdist/docs/install.rst index 9d24c03dcb..5c87e2bbf5 100644 --- a/pdns/dnsdistdist/docs/install.rst +++ b/pdns/dnsdistdist/docs/install.rst @@ -58,6 +58,7 @@ dnsdist depends on the following libraries: * `nghttp2 `_ (optional, outgoing DoH support) * `OpenSSL `_ (optional, DoT and DoH support) * `protobuf `_ (optional, not needed as of 1.6.0) +* `quiche `_ (optional, incoming DoQ support) * `re2 `_ (optional) * `TinyCDB ` (optional, CDB support)
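Review bot: in the dnsdist.cc hunk the DoT branch reports which TLS backend is compiled in (`cout<<"dns-over-tls(";` followed by the `#ifdef HAVE_GNUTLS` case), but the new `#ifdef HAVE_DNS_OVER_QUIC` branch prints only `dns-over-quic `. Since install.rst in this same change names quiche as the library providing incoming DoQ, consider printing `dns-over-quic(quiche)` so that `dnsdist --version`, which the new guide tells operators to check, also shows the QUIC implementation in use.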
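Review bot: in the new dns-over-quic.rst, the sentence following the first `addDOQLocal` example says the certificate and key are used "to serve incoming TLS connections", while the same sentence describes a UDP listener on port 853; DoQ carries the TLS 1.3 handshake inside QUIC, so "incoming QUIC connections" would avoid suggesting a TCP/TLS listener like the one in the DoT guide. The fourth-parameter paragraph names only `congestionControlAlgo` without saying which values are accepted or where the full option list lives; a cross-reference to the :func:`addDOQLocal` reference entry would help. Smaller wording points: "If the output shows ``dns-over-quic`` incoming DNS-over-QUIC is supported" needs a comma after ``dns-over-quic``, "A particular attention should be taken to the permissions" reads better as "Particular attention should be paid to the permissions", and "sessions management" should be "session management".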