-FROM alpine:3.6 as pdns-authoritative
+FROM alpine:3.10 as pdns-authoritative
ARG BUILDER_CACHE_BUSTER=
RUN apk add --no-cache gcc g++ make tar autoconf automake protobuf-dev lua-dev \
RUN if grep 'VERSION="9 (stretch)"' /etc/os-release; then \
mkdir /libh2o && cd /libh2o && \
apt-get install -q -y curl libssl-dev zlib1g-dev cmake && \
- curl -L https://github.com/h2o/h2o/archive/v2.2.5.tar.gz | tar xz && \
- CFLAGS='-fPIC' cmake -DWITH_PICOTLS=off -DWITH_BUNDLED_SSL=off -DWITH_MRUBY=off -DCMAKE_INSTALL_PREFIX=/opt ./h2o-2.2.5 && \
+ curl -L https://github.com/h2o/h2o/archive/v2.2.6.tar.gz | tar xz && \
+ CFLAGS='-fPIC' cmake -DWITH_PICOTLS=off -DWITH_BUNDLED_SSL=off -DWITH_MRUBY=off -DCMAKE_INSTALL_PREFIX=/opt ./h2o-2.2.6 && \
make install && \
cd /pdns; \
fi
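Review bot: The bumped `curl -L https://github.com/h2o/h2o/archive/v2.2.6.tar.gz | tar xz` line still fetches the h2o source with no integrity check, so the commit pins a version name but not the bytes that get compiled into the builder image. curl is also run without `-f`, so an HTTP error body would be piped into tar, and under the default `sh -c` a curl failure inside the pipeline is masked unless tar happens to reject the input. Suggest saving the archive and checking a digest recorded next to the version before extracting: `curl -fsSL -o h2o.tar.gz https://github.com/h2o/h2o/archive/v2.2.6.tar.gz && echo "<sha256 of v2.2.6.tar.gz>  h2o.tar.gz" | sha256sum -c - && tar xzf h2o.tar.gz`. The same pattern appears in the CentOS branch of this template, which would need the same treatment.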
-FROM alpine:3.6 as dnsdist
+FROM alpine:3.10 as dnsdist
ARG BUILDER_CACHE_BUSTER=
RUN apk add --no-cache gcc g++ make tar autoconf automake protobuf-dev lua-dev \
-FROM alpine:3.6 as pdns-recursor
+FROM alpine:3.10 as pdns-recursor
ARG BUILDER_CACHE_BUSTER=
RUN apk add --no-cache gcc g++ make tar autoconf automake protobuf-dev lua-dev \
else \
mkdir /libh2o && cd /libh2o && \
yum install -y curl openssl-devel cmake && \
- curl -L https://github.com/h2o/h2o/archive/v2.2.5.tar.gz | tar xz && \
- CFLAGS='-fPIC' cmake -DWITH_PICOTLS=off -DWITH_BUNDLED_SSL=off -DWITH_MRUBY=off -DCMAKE_INSTALL_PREFIX=/opt ./h2o-2.2.5 && \
+ curl -L https://github.com/h2o/h2o/archive/v2.2.6.tar.gz | tar xz && \
+ CFLAGS='-fPIC' cmake -DWITH_PICOTLS=off -DWITH_BUNDLED_SSL=off -DWITH_MRUBY=off -DCMAKE_INSTALL_PREFIX=/opt ./h2o-2.2.6 && \
make install && \
cd /pdns; \
fi
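Review bot: The CentOS branch has the same unverified `curl -L … | tar xz` fetch of the h2o tarball as the Debian branch, with no `-f` on curl and no digest check, so a substituted or truncated archive would be built and installed into `/opt` without any error. The enclosing `RUN if … else … fi` starts before this hunk. Suggest mirroring whatever verification is adopted for the Debian branch, e.g. `curl -fsSL -o h2o.tar.gz … && echo "<sha256>  h2o.tar.gz" | sha256sum -c - && tar xzf h2o.tar.gz`, and keeping the digest in one place so the two branches cannot drift.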
@INCLUDE Dockerfile.dnsdist
@ENDIF
-FROM alpine:3.6 as sdist
+FROM alpine:3.10 as sdist
ARG BUILDER_CACHE_BUSTER=
@IF [ -z "$M_all$M_authoritative$M_recursor$M_dnsdist"]
read :ref:`rules-for-filling-out-dnssec-fields`
if you wish to calculate ordername and auth without using pdns-rectify.
-- ``insert-empty-non-terminal-order--query``: Insert empty non-terminal
+- ``insert-empty-non-terminal-order-query``: Insert empty non-terminal
in zone.
- ``delete-empty-non-terminal-query``: Delete an empty non-terminal in
a zone.
-@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2019080950 10800 3600 604800 10800
+@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2019081201 10800 3600 604800 10800
@ 3600 IN NS pdns-public-ns1.powerdns.com.
@ 3600 IN NS pdns-public-ns2.powerdns.com.
@ 3600 IN NS tmpdns.powerdns.com.
dnsdist-1.4.0-alpha1.security-status 60 IN TXT "1 OK"
dnsdist-1.4.0-alpha2.security-status 60 IN TXT "1 OK"
dnsdist-1.4.0-beta1.security-status 60 IN TXT "1 OK"
+dnsdist-1.4.0-rc1.security-status 60 IN TXT "1 OK"
string &set(const string &); //!< Gives a writable reference and allocates space for it
string &set(const string &, const string &); //!< Does the same but also allows one to specify a help message
void setCmd(const string &, const string &); //!< Add a command flag
- string &setSwitch(const string &, const string &); //!< Add a command flag
+ string &setSwitch(const string &, const string &); //!< Add a switch flag
string helpstring(string prefix=""); //!< generates the --help
string configstring(bool current=false); //!< generates the --mkconfig
bool contains(const string &var, const string &val);
Changelog
=========
+.. changelog::
+ :version: 1.4.0-rc1
+ :released: 12th of August 2019
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 7860
+
+ Disallow TCP disablement
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 7862
+
+ Update boost.m4 to the latest version
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 7886
+
+ SuffixMatchTree: fix root removal, partial match of non-leaf nodes
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 7909
+
+ Print stats from expungeByName (Matti Hiljanen)
+
+ .. change::
+ :tags: Bug Fixes, DNS over HTTPS
+ :pullreq: 7911
+ :tickets: 7894
+
+ Properly override the HTTP Server header for DoH
+
+ .. change::
+ :tags: Bug Fixes, DNS over HTTPS, DNS over TLS
+ :pullreq: 7915
+
+ Exit when requested DoT/DoH support is not compiled in
+
+ .. change::
+ :tags: Improvements, DNS over HTTPS
+ :pullreq: 7917
+
+ Send better HTTP status codes, handle ACL drops earlier
+
+ .. change::
+ :tags: Bug Fixes, DNS over HTTPS
+ :pullreq: 7927
+ :tickets: 7917
+
+ Proper HTTP response for timeouts over DoH
+
+ .. change::
+ :tags: Improvements, DNS over HTTPS
+ :pullreq: 7933
+ :tickets: 7898
+
+ Add more stats about DoH HTTP responses
+
+ .. change::
+ :tags: Bug Fixes, Carbon, Prometheus
+ :pullreq: 7934
+ :tickets: 7933
+
+ Deduplicate frontends entries with carbon and prometheus
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 7951
+ :tickets: 6942, 8084
+
+ Update boost.m4
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 7952
+ :tickets: 7950
+
+ Squelch unused function warning
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 7974
+ :tickets: 7971
+
+ Fix short IOs over TCP
+
+ .. change::
+ :tags: Improvements, DNS over TLS
+ :pullreq: 7978
+
+ Improve error messages for DoT issues
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 7979
+
+ Fix handling of backend connection failing over TCP
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 7985
+
+ SuffixMatchNode:add(): accept more types
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 7990
+ :tickets: 7981
+
+ Explicitly align the buffer used for cmsgs
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 7992
+
+ Add `quiet` parameter to NetmaskGroupRule
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 7996
+ :tickets: 7981
+
+ Clear cmsg_space(sizeof(data)) in cmsghdr to appease Valgrind
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 8003
+
+ Insert the response into the ringbuffer right after sending it
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 8007
+
+ Add static assertions for the size of the src address control buffer
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 8013
+
+ Don't create temporary strings to escape DNSName labels
+
+ .. change::
+ :tags: Bug Fixes, DNSCrypt
+ :pullreq: 8015
+ :tickets: 8014
+
+ Skip non-dnscrypt binds in `showDNSCryptBinds()`
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 8024
+
+ Display TCP/DoT queries and responses in verbose mode, opcode in grepq
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 8025
+
+ Be a bit more explicit about what failed in testCrypto()
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 8030
+ :tickets: 8021
+
+ Handle ENOTCONN on read() over TCP
+
+ .. change::
+ :tags: Improvements, DNSCrypt
+ :pullreq: 8042
+ :tickets: 8020
+
+ Accept more than one certificate in `addDNSCryptBind()`
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 8067
+
+ Make sure we always compile with BOOST_CB_ENABLE_DEBUG set to 0
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 8078
+
+ Catch exceptions thrown when handling a TCP response
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 8079
+
+ Fix unlimited retries when TCP Fast Open is enabled
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 8081
+
+ M4/systemd.m4: fail when systemctl is not available
+
+ .. change::
+ :tags: Bug Fixes, Prometheus
+ :pullreq: 8105
+
+ Fix a typo in the Server's latency description for Prometheus (phonedph1)
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 8110
+
+ Update URLs to use HTTPS scheme (Chris Hofstaedtler)
+
+ .. change::
+ :tags: Bug Fixes, DNS over HTTPS
+ :pullreq: 8112
+
+ Prevent a dangling DOHUnit pointer when send() failed
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 8113
+
+ Double-check we only increment the outstanding counter once
+
+ .. change::
+ :tags: New Features
+ :pullreq: 8117
+
+ Implement ContinueAction()
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 8131
+ :tickets: 8130
+
+ Console: flush cout after printing g_outputbuffer (Doug Freed)
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 8135
+ :tickets: 8108
+
+ ext/ipcrypt: ship license in tarballs (Chris Hofstaedtler)
+
+ .. change::
+ :tags: New Features, DNS over HTTPS, DNS over TLS
+ :pullreq: 8141
+ :tickets: 7812
+
+ Add OCSP stapling (from files) for DoT and DoH
+
+ .. change::
+ :tags: New Features, DNS over HTTPS
+ :pullreq: 8148
+ :tickets: 7957, 7900
+
+ Add support for custom DoH headers (Melissa Voegeli)
+
+ .. change::
+ :tags: New Features, DNS over HTTPS
+ :pullreq: 8153
+ :tickets: 8133
+
+ Add lua bindings, rules and action for DoH
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 8154
+
+ Use a counter to mark IDState usage instead of the FD
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 8158
+
+ Fix signedness issue in isEDNSOptionInOpt()
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 8175
+
+ Increase the default value of setMaxUDPOutstanding to 65535
+
.. changelog::
:version: 1.4.0-beta1
:released: 6th of June 2019
serverselection
carbon
dns-over-tls
+ ocsp-stapling
+
--- /dev/null
+OCSP Stapling
+=============
+
+dnsdist supports OCSP stapling for DNS over HTTPS and DNS over TLS since 1.4.0-rc1. OCSP, Online Certificate Status Protocol (:rfc:`RFC 6960`) is a protocol allowing a client to check the expiration status of a certificate from the certification authority (CA) that delivered it.
+Since the requirement for the client to first retrieve the certificate then do additional steps to gather an OCSP response is not very efficient, and also discloses to the CA which certificate is validated, a mechanism has been designed to allow the server to retrieve the OCSP response from the CA and provide it to the client during the TLS exchange. This mechanism is named the TLS Certificate Status Request extension (:rfc:`RFC 6066`), also known as OCSP stapling.
+
+While OCSP stapling is a net win for the client, it means that the server needs to retrieve the OCSP response itself and update it at regular interval, since the OCSP response tends to be short-lived by design.
+
+dnsdist, as for example haproxy, only supports loading the OCSP response from a file, and has no embedded HTTP client to retrieve the OCSP response and refresh it, leaving it to the administrator to regularly retrieve the OCSP response and feed it to dnsdist.
+
+Local PKI
+---------
+
+When a local PKI is used to issue the certificate, or for testing purposes, dnsdist provides the :func:`generateOCSPResponse` function to generate an OCSP response file for a certificate, using the certificate and private key of the certification authority that signed that certificate:
+
+.. code-block:: lua
+ generateOCSPResponse(pathToServerCertificate, pathToCACertificate, pathToCAPrivateKey, outputFile, numberOfDaysOfValidity, numberOfMinutesOfValidity)
+
+The resulting file can be directly used with the :func:`addDOHLocal` or the :func:`addTLSLocal` functions:
+
+.. code-block:: lua
+ addDOHLocal("127.0.0.1:443", "/path/to/the/server/certificate", "/path/to/the/server/private/key", { "/" }, { ocspResponses={"/path/to/generated/ocsp/response"}})
+ addTLSLocal("127.0.0.1:853", "/path/to/the/server/certificate", "/path/to/the/server/private/key", { ocspResponses={"/path/to/generated/ocsp/response"}})
+
+After starting dnsdist, it is possible to update the OCSP response by connecting to the :ref:`console<Console>`, generating a new OCSP response and calling :func:`reloadAllCertificates` so that dnsdist reloads the certificates, keys and OCSP responses associated to the DNS over TLS and DNS over HTTPS contexts.
+
+Certificate signed by an external authority
+-------------------------------------------
+
+When the certificate has been signed by an external certification authority, the process is a bit more complicated because the OCSP needs to be retrieved from that CA, and there are very few options available to do that at the moment.
+
+One of those options is to the use the OpenSSL ocsp command-line tool, although it's a bit cumbersome to use.
+
+The first step is to retrieve the URL at which the CA provides an OCSP responder. This can be done via the OpenSSL x509 command:
+
+.. code-block:: sh
+ openssl x509 -noout -ocsp_uri -in /path/to/the/server/certificate
+
+It will output something like "http://ocsp.int-x3.letsencrypt.org".
+
+Now we can use the OCSP tool to request an OCSP response for this certificate from the CA, provided that we have the certificate of the CA at hand, but it's usually needed to get a correct chain of certificates anyway:
+
+.. code-block:: sh
+ openssl ocsp -issuer /path/to/the/ca/certificate -cert /path/to/the/server/certificate -text -url url/we/retrieved/earlier -respout /path/to/write/the/OCSP/response
+
+If everything goes well, this results in an OCSP response for the server certificate being written to /path/to/write/the/OCSP/response. It seems that earlier versions of OpenSSL did not properly handle the URL, and one needed to split the host and path parts of the OCSP URL, and use the ``-header`` option of the ocsp command:
+
+.. code-block:: sh
+ openssl ocsp -issuer /path/to/the/ca/certificate -cert /path/to/the/server/certificate -text -url <path> -header 'Host' <host> -respout /path/to/write/the/OCSP/response
+
+We can now use it directly with the :func:`addDOHLocal` or the :func:`addTLSLocal` functions:
+
+.. code-block:: lua
+ addDOHLocal("127.0.0.1:443", "/path/to/the/server/certificate", "/path/to/the/server/private/key", { "/" }, { ocspResponses={"/path/to/write/the/OCSP/response"}})
+ addTLSLocal("127.0.0.1:853", "/path/to/the/server/certificate", "/path/to/the/server/private/key", { ocspResponses={"/path/to/write/the/OCSP/response"}})
+
+Since this response will be only valid for a while, a script needs to be written to retrieve it regularly via ``cron`` or any other mechanism. Once the new response has been retrieved, it is possible to tell dnsdist to reload it by connecting to the :ref:`console<Console>` and calling :func:`reloadAllCertificates` so that it reloads the certificates, keys and OCSP responses associated to the DNS over TLS and DNS over HTTPS contexts.
+
+Testing
+-------
+
+Once a valid OCSP response has retrieved and loaded into dnsdist, it is possible to test that everything is working fine using the OpenSSL s_client command:
+
+.. code-block:: sh
+ openssl s_client -connect <IP:port> -status -servername <SNI name to use> | grep -F 'OCSP Response Status'
+
+should return something like ``OCSP Response Status: successful (0x0)``, indicating that the client received a valid OCSP stapling response from the server.
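Review bot: The opening paragraph describes OCSP as letting a client "check the expiration status of a certificate"; OCSP reports revocation status (good/revoked/unknown), while expiry is carried in the certificate itself, so I would change that phrase to `check the revocation status of a certificate`. The `openssl ocsp` invocation in the external-CA section is given without `-CAfile`/`-VAfile`, and as far as I recall the response is still written to `-respout` even when signature verification of the responder fails, so the retrieval script should verify the response (or check the tool's output for "Response verify OK") before feeding it to dnsdist, otherwise a bad or spoofed response would be stapled as-is. It would also help to tell the reader to look at the `nextUpdate` field in the `-text` output when sizing the cron interval, since a stapled response that has passed `nextUpdate` is rejected by clients. The `-header 'Host' <host>` form is, I believe, the pre-1.1.0 syntax; newer OpenSSL expects `-header Host=<host>`, which is worth stating explicitly rather than leaving as "earlier versions".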
Hashes the password to generate a 16-byte key that can be used to pseudonymize IP addresses with IP cipher.
+.. function:: generateOCSPResponse(pathToServerCertificate, pathToCACertificate, pathToCAPrivateKey, outputFile, numberOfDaysOfValidity, numberOfMinutesOfValidity)
+
+ .. versionadded:: 1.4.0
+
+ When a local PKI is used to issue the certificate, or for testing purposes, :func:`generateOCSPResponse` can be used to generate an OCSP response file for a certificate, using the certificate and private key of the certification authority that signed that certificate.
+ The resulting file can be directly used with the :func:`addDOHLocal` or the :func:`addTLSLocal` functions.
+
+ :param string pathToServerCertificate: Path to a file containing the certificate used by the server.
+ :param string pathToCACertificate: Path to a file containing the certificate of the certification authority that was used to sign the server certificate.
+ :param string pathToCAPrivateKey: Path to a file containing the private key corresponding to the certification authority certificate.
+ :param string outputFile: Path to a file where the resulting OCSP response will be written to.
+ :param int numberOfDaysOfValidity: Number of days this OCSP response should be valid.
+ :param int numberOfMinutesOfValidity: Number of minutes this OCSP response should be valid, in addition to the number of days.
+
DOHFrontend
~~~~~~~~~~~
# Boost Context was introduced in 1.51 (Aug 2012), but there was an immediate
# API break in 1.52 (Nov 2012), so we only support that, and later.
-pdns_context_library="System V ucontexts"
+pdns_context_library=""
AS_IF([test $boost_major_version -ge 152], [BOOST_CONTEXT([], [no])])
+AS_IF([test x"$boost_cv_lib_context" = "xyes"], [
+ pdns_context_library="Boost Context"
+], [
+ AC_CHECK_FUNCS([getcontext makecontext swapcontext], [pdns_context_library="System V ucontexts"])
+])
AC_MSG_CHECKING([what context library to use for MTasker])
-AS_IF([test x"$boost_cv_lib_context" = "xyes"], [pdns_context_library="Boost Context"])
-AC_MSG_RESULT([$pdns_context_library])
+AS_IF([test -n "$pdns_context_library"], [AC_MSG_RESULT([$pdns_context_library])], [AC_MSG_ERROR([neither boost::context nor System V ucontexts available])])
PDNS_ENABLE_UNIT_TESTS
PDNS_ENABLE_REPRODUCIBLE
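Review bot: The `action-if-found` of `AC_CHECK_FUNCS` runs once per function found, so the new fallback sets `pdns_context_library="System V ucontexts"` as soon as any one of `getcontext`, `makecontext` or `swapcontext` is present, and a libc with a partial ucontext implementation would pass this check and fail at link or run time. Suggest leaving the action empty and deciding on the cached results afterwards: `AC_CHECK_FUNCS([getcontext makecontext swapcontext])` followed by `AS_IF([test x"$ac_cv_func_getcontext" = xyes && test x"$ac_cv_func_makecontext" = xyes && test x"$ac_cv_func_swapcontext" = xyes], [pdns_context_library="System V ucontexts"])`. A one-line comment above the block noting that musl-based builds (the Alpine images bumped in this same commit) have no ucontext and therefore depend on Boost Context would explain why the new hard error exists.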
float diff= makeFloat(d_last - now);
d_last=now;
- double factor=exp(diff)/2.0; // might be '0.5', or 0.0001
- d_val=(float)((1-factor)*val+ (float)factor*d_val);
+ float factor=expf(diff)/2.0f; // might be '0.5', or 0.0001
+ d_val=(1-factor)*val + factor*d_val;
}
}
- double get(const struct timeval* tv)
+ float get(const struct timeval* tv)
{
struct timeval now=*tv;
float diff=makeFloat(d_lastget-now);
d_lastget=now;
- float factor=exp(diff/60.0f); // is 1.0 or less
+ float factor=expf(diff/60.0f); // is 1.0 or less
return d_val*=factor;
}
- double peek(void) const
+ float peek(void) const
{
return d_val;
}
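Review bot: The new `float factor=expf(diff)/2.0f;` line only stays within the "0.5 or less" range described by its comment when `diff` is non-positive, i.e. when `now` is not earlier than `d_last`; if the caller's clock steps backwards (or two timevals from different sources are mixed), `diff` is positive, the factor exceeds 0.5, and for a large enough gap `expf` overflows to infinity and `d_val` becomes NaN. Since this hunk is rewriting that line anyway, a clamp such as `float factor = diff > 0 ? 0.5f : expf(diff)/2.0f;` in `submit()` and `float factor = diff > 0 ? 1.0f : expf(diff/60.0f);` in `get()` would make both decays monotone. The enclosing `submit()` starts before the hunk, so I cannot see how `d_last` is initialised on first use. Separately, `get()` mutates `d_val` (`return d_val*=factor;`) while `peek()` is the read-only accessor; a comment on `get()` such as `// decays d_val by the time elapsed since the last get() and returns it; use peek() for a side-effect-free read` would save the next reader from treating it as a getter.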