dnsdist: Switch the default DoT provider from GnuTLS to OpenSSL

The feedback from our users is that the OpenSSL provider is faster
and more stable. We also provide better Session Ticket Keys rotation
options with OpenSSL.

diff --git a/pdns/dnsdist-lua.cc b/pdns/dnsdist-lua.cc
index 04c08ca21c37789578e55e41cb3b8f5a0e501121..5609d7b664ef77e5a5725ff925291cb7acb80cfe 100644 (file)
--- a/pdns/dnsdist-lua.cc
+++ b/pdns/dnsdist-lua.cc
@@ -1989,7 +1989,12 @@ void setupLuaConfig(bool client)
 
         try {
           frontend->d_addr = ComboAddress(addr, 853);
-          vinfolog("Loading TLS provider %s", frontend->d_provider);
+          if (!frontend->d_provider.empty()) {
+            vinfolog("Loading TLS provider '%s'", frontend->d_provider);
+          }
+          else {
+            vinfolog("Loading default TLS provider 'openssl'");
+          }
           // only works pre-startup, so no sync necessary
           auto cs = std::unique_ptr<ClientState>(new ClientState(frontend->d_addr, true, reusePort, tcpFastOpenQueueSize, interface, cpus));
           cs->tlsFrontend = frontend;

diff --git a/pdns/dnsdistdist/docs/reference/config.rst b/pdns/dnsdistdist/docs/reference/config.rst
index 844e7f7e9e9d6c50c844a740aac2316baac9cc52..d01cd3490d17dce6b0bab88b09a9045b47c98780 100644 (file)
--- a/pdns/dnsdistdist/docs/reference/config.rst
+++ b/pdns/dnsdistdist/docs/reference/config.rst
@@ -161,7 +161,7 @@ Listen Sockets
   * ``tcpFastOpenQueueSize=0``: int - Set the TCP Fast Open queue size, enabling TCP Fast Open when available and the value is larger than 0.
   * ``interface=""``: str - Set the network interface to use.
   * ``cpus={}``: table - Set the CPU affinity for this listener thread, asking the scheduler to run it on a single CPU id, or a set of CPU ids. This parameter is only available if the OS provides the pthread_setaffinity_np() function.
-  * ``provider``: str - The TLS library to use between GnuTLS and OpenSSL, if they were available and enabled at compilation time.
+  * ``provider``: str - The TLS library to use between GnuTLS and OpenSSL, if they were available and enabled at compilation time. Default is to use OpenSSL when available.
   * ``ciphers``: str - The TLS ciphers to use. The exact format depends on the provider used. When the OpenSSL provder is used, ciphers for TLS 1.3 must be specified via ``ciphersTLS13``.
   * ``ciphersTLS13``: str - The ciphers to use for TLS 1.3, when the OpenSSL provider is used. When the GnuTLS provider is used, ``ciphers`` applies regardless of the TLS protocol and this setting is not used.
   * ``numberOfTicketsKeys``: int - The maximum number of tickets keys to keep in memory at the same time, if the provider supports it (GnuTLS doesn't, OpenSSL does). Only one key is marked as active and used to encrypt new tickets while the remaining ones can still be used to decrypt existing tickets after a rotation. Default to 5.

diff --git a/pdns/dnsdistdist/tcpiohandler.cc b/pdns/dnsdistdist/tcpiohandler.cc
index 4eaf0a924d57f68670333a7e5c9e931934dc734f..f529c922cd013db13329ab4c5aa834376c8bd2e1 100644 (file)
--- a/pdns/dnsdistdist/tcpiohandler.cc
+++ b/pdns/dnsdistdist/tcpiohandler.cc
@@ -886,13 +886,13 @@ bool TLSFrontend::setupTLS()
     }
 #endif /* HAVE_LIBSSL */
   }
-#ifdef HAVE_GNUTLS
-  d_ctx = std::make_shared<GnuTLSIOCtx>(*this);
-#else /* HAVE_GNUTLS */
 #ifdef HAVE_LIBSSL
   d_ctx = std::make_shared<OpenSSLTLSIOCtx>(*this);
-#endif /* HAVE_LIBSSL */
+#else /* HAVE_LIBSSL */
+#ifdef HAVE_GNUTLS
+  d_ctx = std::make_shared<GnuTLSIOCtx>(*this);
 #endif /* HAVE_GNUTLS */
+#endif /* HAVE_LIBSSL */
 
 #endif /* HAVE_DNS_OVER_TLS */
   return true;