From: Remi Gacogne
Date: Thu, 22 Apr 2021 13:52:32 +0000 (+0200)
Subject: dnsdist: Add support for DNS over TLS backends
X-Git-Tag: dnsdist-1.7.0-alpha1~45^2~39
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=218889f3c76b00bc451994f3e0cf1f2fc93c5cb5;p=thirdparty%2Fpdns.git
dnsdist: Add support for DNS over TLS backends Still needs: - documentation - tests - session reuse (SSL_set_session) - healthchecks - UDP/DoH to DoT
---
diff --git a/pdns/dnsdist-lua.cc b/pdns/dnsdist-lua.cc
index b1f0925fc7..d0a0822da4 100644
--- a/pdns/dnsdist-lua.cc
+++ b/pdns/dnsdist-lua.cc
@@ -494,6 +494,32 @@ static void setupLuaConfig(LuaContext& luaCtx, bool client, bool configCheck)
 }
 }
+ if (vars.count("tls")) {
+ TLSContextParameters tlsParams;
+ std::string ciphers;
+ std::string ciphers13;
+
+ tlsParams.d_provider = boost::get(vars.at("tls"));
+ if (vars.count("ciphers")) {
+ tlsParams.d_ciphers = boost::get(vars.at("ciphers"));
+ }
+ if (vars.count("ciphers13")) {
+ tlsParams.d_ciphers13 = boost::get(vars.at("ciphers13"));
+ }
+ if (vars.count("caStore")) {
+ tlsParams.d_caStore = boost::get(vars.at("caStore"));
+ }
+ if (vars.count("validateCertificates")) {
+ tlsParams.d_validateCertificates = boost::get(vars.at("validateCertificates"));
+ }
+ if (vars.count("subjectName")) {
+ ret->d_tlsSubjectName = boost::get(vars.at("subjectName"));
+ }
+
+ ret->d_tlsCtx = getTLSContext(tlsParams);
+ }
+
 /* this needs to be done _AFTER_ the order has been set, since the server are kept ordered inside the pool */
 auto localPools = g_pools.getCopy();
diff --git a/pdns/dnsdist.hh b/pdns/dnsdist.hh
index f2089e5151..ba505177ef 100644
--- a/pdns/dnsdist.hh
+++ b/pdns/dnsdist.hh
@@ -670,6 +670,7 @@ struct DownstreamState
 checkfunc_t checkFunction;
 DNSName checkName{"a.root-servers.net."};
 QType checkType{QType::A};
+ std::string d_tlsSubjectName;
 uint16_t checkClass{QClass::IN};
 std::atomic idOffset{0};
 std::atomic hashesComputed{false};
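Review bot: `std::string ciphers;` and `std::string ciphers13;` at the top of the new `tls` block are never read — each value is assigned straight into `tlsParams.d_ciphers` / `tlsParams.d_ciphers13` — so the two locals should be deleted. Separately, `validateCertificates` given without `subjectName` leaves `d_tlsSubjectName` empty, and the dnsdist-tcp-downstream.cc hunk then hands that empty string to the handler; what the handler verifies in that case is decided outside this diff, so either reject the combination here with a clear error or state the behaviour in the newServer documentation the commit message lists as still missing. The `boost::get(...)`, `std::atomic` and `std::make_unique` occurrences appear without template arguments on this page, which looks like the rendering stripping angle-bracket text rather than the patch itself. setupLuaConfig continues on both sides of the hunk.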
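Review bot: `std::string d_tlsSubjectName;` is inserted between `checkType` and `checkClass`, splitting the health-check members of DownstreamState, and it carries the `d_` prefix that none of its neighbours use. Declaring it next to `d_tlsCtx` (the member the tcp-downstream hunk reads as `d_ds->d_tlsCtx`; its declaration is outside this hunk) would keep the TLS settings together, as `std::string d_tlsSubjectName; // from newServer()'s subjectName, set only when tls is given`. struct DownstreamState continues outside the hunk.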
diff --git a/pdns/dnsdistdist/dnsdist-tcp-downstream.cc b/pdns/dnsdistdist/dnsdist-tcp-downstream.cc
index 9623866699..e7f67a056f 100644
--- a/pdns/dnsdistdist/dnsdist-tcp-downstream.cc
+++ b/pdns/dnsdistdist/dnsdist-tcp-downstream.cc
@@ -342,7 +342,7 @@ bool TCPConnectionToBackend::reconnect()
 socket->setNonBlocking();
 gettimeofday(&d_connectionStartTime, nullptr);
- auto handler = std::make_unique("", socket->releaseHandle(), timeval{0,0}, d_ds->d_tlsCtx, time(nullptr));
+ auto handler = std::make_unique(d_ds->d_tlsSubjectName, socket->releaseHandle(), timeval{0,0}, d_ds->d_tlsCtx, time(nullptr));
 handler->tryConnect(d_ds->tcpFastOpen && isFastOpenEnabled(), d_ds->remote);
 d_queries = 0;
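Review bot: The `+` line passes `d_ds->d_tlsSubjectName` on every reconnect with no hint of what an empty value means for a backend whose `d_tlsCtx` is set, which a reader of reconnect() needs; suggest `// subject name from newServer()'s subjectName (empty unless configured); only meaningful when d_ds->d_tlsCtx is set` above the `auto handler` line. Whether the handler then checks anything against the peer certificate is decided in the TLS handler, outside this diff, so the comment should not promise more than that. reconnect()'s body continues on both sides of the hunk.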