dnsdist: Add support for DNS over TLS backends
authorRemi Gacogne <remi.gacogne@powerdns.com>
Thu, 22 Apr 2021 13:52:32 +0000 (15:52 +0200)
committerRemi Gacogne <remi.gacogne@powerdns.com>
Thu, 26 Aug 2021 14:30:26 +0000 (16:30 +0200)
Still needs:
- documentation
- tests
- session reuse (SSL_set_session)
- healthchecks
- UDP/DoH to DoT

pdns/dnsdist-lua.cc
pdns/dnsdist.hh
pdns/dnsdistdist/dnsdist-tcp-downstream.cc

index b1f0925fc78a6afec41f19d43b9d9cccc8fe4dbb..d0a0822da499213a394f048305bb22cb22efcfed 100644 (file)
@@ -494,6 +494,32 @@ static void setupLuaConfig(LuaContext& luaCtx, bool client, bool configCheck)
         }
       }
 
+      if (vars.count("tls")) {
+        TLSContextParameters tlsParams;
+        std::string ciphers;
+        std::string ciphers13;
+
+        tlsParams.d_provider = boost::get<string>(vars.at("tls"));
+
+        if (vars.count("ciphers")) {
+          tlsParams.d_ciphers = boost::get<string>(vars.at("ciphers"));
+        }
+        if (vars.count("ciphers13")) {
+          tlsParams.d_ciphers13 = boost::get<string>(vars.at("ciphers13"));
+        }
+        if (vars.count("caStore")) {
+          tlsParams.d_caStore = boost::get<string>(vars.at("caStore"));
+        }
+        if (vars.count("validateCertificates")) {
+          tlsParams.d_validateCertificates = boost::get<bool>(vars.at("validateCertificates"));
+        }
+        if (vars.count("subjectName")) {
+          ret->d_tlsSubjectName = boost::get<string>(vars.at("subjectName"));
+        }
+
+        ret->d_tlsCtx = getTLSContext(tlsParams);
+      }
+
       /* this needs to be done _AFTER_ the order has been set,
          since the server are kept ordered inside the pool */
       auto localPools = g_pools.getCopy();
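Review bot: The locals `ciphers` and `ciphers13` declared at the top of the new `tls` block are never used — the Lua values are assigned directly into `tlsParams.d_ciphers` and `tlsParams.d_ciphers13` — so those two declarations should be removed. Separately, `subjectName` is optional here, yet it is the value later handed to `TCPIOHandler` in place of the previous empty string (the `dnsdist-tcp-downstream.cc` hunk), so a backend configured with `validateCertificates=true` but no `subjectName` presumably ends up with nothing to match the peer certificate's name against; consider either rejecting that combination when parsing the options, or defaulting `ret->d_tlsSubjectName` to the backend's configured hostname, and stating the chosen rule in the `newServer` option documentation the commit message lists as outstanding. The enclosing `setupLuaConfig` body continues outside the hunk.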
index f2089e51519817afbbb0eb0fa058f425f5b3d223..ba505177ef8f8463a703f82b02fb3956581834dd 100644 (file)
@@ -670,6 +670,7 @@ struct DownstreamState
   checkfunc_t checkFunction;
   DNSName checkName{"a.root-servers.net."};
   QType checkType{QType::A};
+  std::string d_tlsSubjectName;
   uint16_t checkClass{QClass::IN};
   std::atomic<uint64_t> idOffset{0};
   std::atomic<bool> hashesComputed{false};
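Review bot: `d_tlsSubjectName` is added to `DownstreamState` without a comment and is placed between the health-check members `checkType` and `checkClass`, which it has nothing to do with. Suggest moving it next to `d_tlsCtx` (referenced elsewhere in this commit as `d_ds->d_tlsCtx`, so presumably declared in this struct outside the hunk) and documenting it as `/* name passed to the TLS handler when connecting to a DoT backend; empty when 'subjectName' was not configured */`. The struct definition starts and ends outside the hunk.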
index 9623866699a5d9052998f1bb366b2f561e4c0e09..e7f67a056f6da521f9c0cee9eea755449c502aee 100644 (file)
@@ -342,7 +342,7 @@ bool TCPConnectionToBackend::reconnect()
       socket->setNonBlocking();
 
       gettimeofday(&d_connectionStartTime, nullptr);
-      auto handler = std::make_unique<TCPIOHandler>("", socket->releaseHandle(), timeval{0,0}, d_ds->d_tlsCtx, time(nullptr));
+      auto handler = std::make_unique<TCPIOHandler>(d_ds->d_tlsSubjectName, socket->releaseHandle(), timeval{0,0}, d_ds->d_tlsCtx, time(nullptr));
       handler->tryConnect(d_ds->tcpFastOpen && isFastOpenEnabled(), d_ds->remote);
       d_queries = 0;