From: Tomas Krizek
Date: Thu, 27 May 2021 13:20:53 +0000 (+0200)
Subject: rename kind="doh" to kind="doh_legacy"
X-Git-Tag: v5.4.0~17^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6d1a878e7874423f157d63a06ccb0967de797f69;p=thirdparty%2Fknot-resolver.git
rename kind="doh" to kind="doh_legacy"
The purpose of this change is to make it harder to accidentally use the legacy DoH implementation and free up the "doh" kind which may be used as an alias to a modern implementation in the future.
---
diff --git a/NEWS b/NEWS
index bfe94176b..45b010383 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,11 @@ Bugfixes
 --------
 - trust_anchors.set_insecure: improve precision (#673, !1177)
+Incompatible changes
+--------------------
+- legacy DoH implementation configuration in net.listen() was renamed from
+ kind="doh" to kind="doh_legacy" (!1180)
+
 Knot Resolver 5.3.2 (2021-05-05)
 ================================
diff --git a/daemon/bindings/net.c b/daemon/bindings/net.c
index 8906f5e24..b5c9312f4 100644
--- a/daemon/bindings/net.c
+++ b/daemon/bindings/net.c
@@ -247,8 +247,7 @@ static int net_listen(lua_State *L)
 } else if (k) {
 flags.kind = k;
 if (strcasecmp(k, "doh") == 0) {
- kr_log_deprecate(
- "kind=\"doh\" is an obsolete DoH implementation, use kind=\"doh2\" instead\n");
+ lua_error_p(L, "kind=\"doh\" was renamed to kind=\"doh_legacy\", switch to the new implementation with kind=\"doh2\" or update your config");
 }
 }
diff --git a/daemon/bindings/net_server.rst b/daemon/bindings/net_server.rst
index 53e0efee9..b652f4eb1 100644
--- a/daemon/bindings/net_server.rst
+++ b/daemon/bindings/net_server.rst
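Review bot: The `kr_log_deprecate` call in the net.c hunk is removed rather than moved, so after this change a listener configured with the renamed kind="doh_legacy" passes through `flags.kind = k` with no runtime notice at all, while the README and upgrade notes in this same commit still describe that implementation as deprecated with stability issues that won't be fixed. Keeping the warning under the new name preserves the operator signal: `} else if (strcasecmp(k, "doh_legacy") == 0) {` / `kr_log_deprecate("kind=\"doh_legacy\" is an obsolete DoH implementation, use kind=\"doh2\" instead\n");` / `}` directly after the "doh" branch. The assignment `flags.kind = k` also happens before the rejection check; that is presumably harmless if lua_error_p does not return, but placing the check above the assignment reads more clearly. net_listen starts and ends outside the hunk, so whether unregistered kinds are rejected elsewhere is not visible here.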
@@ -18,7 +18,7 @@ First you need to decide what service should be available on given IP address
 ":ref:`dns-over-https`","``doh2``"
 ":ref:`Web management `","``webmgmt``"
 ":ref:`Control socket `","``control``"
- ":ref:`mod-http-doh`","``doh``"
+ ":ref:`mod-http-doh`","``doh_legacy``"
 .. note:: By default, **unencrypted DNS and DNS-over-TLS** are configured to **listen on localhost**.
diff --git a/daemon/lua/postconfig.lua b/daemon/lua/postconfig.lua
index 818a3fc6e..cafcd6e8f 100644
--- a/daemon/lua/postconfig.lua
+++ b/daemon/lua/postconfig.lua
@@ -12,7 +12,7 @@ local function count_sockets()
 elseif (socket.kind == 'dns' or
 socket.kind == 'xdp' or
 socket.kind == 'tls' or
- socket.kind == 'doh' or
+ socket.kind == 'doh_legacy' or
 socket.kind == 'doh2') then
 dns_socks = dns_socks + 1
 end
diff --git a/distro/tests/ansible-roles/knot_resolver/tasks/configure_doh.yaml b/distro/tests/ansible-roles/knot_resolver/tasks/configure_doh.yaml
index 1da17893d..cd4e7492c 100644
--- a/distro/tests/ansible-roles/knot_resolver/tasks/configure_doh.yaml
+++ b/distro/tests/ansible-roles/knot_resolver/tasks/configure_doh.yaml
@@ -4,7 +4,7 @@ blockinfile:
 marker: -- {mark} ANSIBLE MANAGED BLOCK
 block: |
- net.listen('127.0.0.1', 44353, { kind = 'doh' })
+ net.listen('127.0.0.1', 44353, { kind = 'doh_legacy' })
 modules.load('http')
 path: /etc/knot-resolver/kresd.conf
 insertbefore: BOF
diff --git a/doc/upgrading.rst b/doc/upgrading.rst
index ff739f7a1..497b22255 100644
--- a/doc/upgrading.rst
+++ b/doc/upgrading.rst
@@ -18,9 +18,6 @@ Following section provides information about selected changes in not-yet-release
 We advise users to prepare for these changes sooner rather than later to make it easier to upgrade to newer versions when they are released.
-* Going forward DNS-over-HTTP (DoH) will be supported only over HTTP/2 with TLS.
- This limitation allows us to provide a new :ref:`more reliable and scalable implementation
- of DoH ` (``kind='doh2'``).
 * Command line option ``--forks`` (``-f``) `is deprecated and will be eventually removed `_. Preferred way to manage :ref:`systemd-multiple-instances` is to use a process manager,
@@ -29,6 +26,13 @@ newer versions when they are released.
 .. _`systemd`: https://systemd.io/
 .. _`supervisord`: http://supervisord.org/
+5.3 to 5.4
+==========
+
+Configuration file
+------------------
+
+* ``kind='doh'`` in :func:`net.listen` was renamed to ``kind='doh_legacy'``. It is recommended to switch to the new DoH implementation with ``kind='doh2'``.
 5.2 to 5.3
 ==========
diff --git a/modules/http/README.rst b/modules/http/README.rst
index e2d1b991c..9cfad1f91 100644
--- a/modules/http/README.rst
+++ b/modules/http/README.rst
@@ -24,7 +24,7 @@ and unlimited number of "used-defined kinds" can be added in configuration.
 +--------------+---------------------------------------------------------------------------------+
 | webmgmt | :ref:`built-in web management ` APIs (includes DoH) |
 +--------------+---------------------------------------------------------------------------------+
-| doh | :ref:`mod-http-doh` |
+| doh_legacy | :ref:`mod-http-doh` |
 +--------------+---------------------------------------------------------------------------------+
 Each network address and port combination can be configured to expose
@@ -100,7 +100,7 @@ kind of endpoint, e.g. to enforce TLS and use custom certificate only for DoH:
 tls = true,
 cert = '/etc/knot-resolver/mycert.crt',
 key = '/etc/knot-resolver/mykey.key',
- }, 'doh')
+ }, 'doh_legacy')
 The format of both certificate and key is expected to be PEM, e.g. equivalent to the outputs of following:
@@ -129,13 +129,13 @@ Major drawback is that current browsers won't do HTTP/2 over insecure connection
 Legacy DNS-over-HTTPS (DoH)
 ---------------------------
-.. warning:: The legacy DoH implementation using ``http`` module (``kind='doh'``)
+.. warning:: The legacy DoH implementation using ``http`` module (``kind='doh_legacy'``)
 is deprecated. It has known performance and stability issues that won't be fixed. Use new :ref:`dns-over-https` implementation instead.
-This was an experimental implementation of :rfc:`8484`. It was configured using
-``doh`` kind in :func:`net.listen`. Its configuration (such as certificates)
-took place in ``http.config()``.
+This was an experimental implementation of :rfc:`8484`. It can be configured using
+``doh_legacy`` kind in :func:`net.listen`. Its configuration (such as certificates)
+takes place in ``http.config()``.
 Queries were served on ``/doh`` and ``/dns-query`` endpoints.
diff --git a/modules/http/custom_services.rst b/modules/http/custom_services.rst
index 095935742..4e60b0302 100644
--- a/modules/http/custom_services.rst
+++ b/modules/http/custom_services.rst
@@ -9,7 +9,7 @@ This chapter describes how to create custom HTTP services inside Knot Resolver.
 Please read HTTP module basics in chapter :ref:`mod-http` before continuing.
 Each network address+protocol+port combination configured using :func:`net.listen`
-is associated with *kind* of endpoint, e.g. ``doh`` or ``webmgmt``.
+is associated with *kind* of endpoint, e.g. ``doh_legacy`` or ``webmgmt``.
 Each of these *kind* names is associated with table of HTTP endpoints,
 and the default table can be replaced using ``http.config()`` configuration call
diff --git a/modules/http/http.lua.in b/modules/http/http.lua.in
index 521ddb285..b5354c683 100644
--- a/modules/http/http.lua.in
+++ b/modules/http/http.lua.in
@@ -52,7 +52,7 @@ end
 M.configs._all = {}
 -- DoH
-M.configs._builtin.doh = {}
+M.configs._builtin.doh_legacy = {}
 -- management endpoint
 M.configs._builtin.webmgmt = {}
@@ -121,7 +121,7 @@ local function serve_root()
 end
 -- Export HTTP service endpoints
-M.configs._builtin.doh.endpoints = {}
+M.configs._builtin.doh_legacy.endpoints = {}
 M.configs._builtin.webmgmt.endpoints = {}
 local mgmt_endpoints = M.configs._builtin.webmgmt.endpoints
@@ -146,11 +146,11 @@ for k, v in pairs(http_trace.endpoints) do
 end
 M.trace = http_trace
-M.configs._builtin.doh.endpoints = {}
+M.configs._builtin.doh_legacy.endpoints = {}
 local http_doh = require('kres_modules.http_doh')
 for k, v in pairs(http_doh.endpoints) do
 mgmt_endpoints[k] = v
-M.configs._builtin.doh.endpoints[k] = v
+M.configs._builtin.doh_legacy.endpoints[k] = v
 end
 M.doh = http_doh
@@ -347,7 +347,7 @@ end
 -- @function Init module
 function M.init()
-net.register_endpoint_kind('doh', cb_socket)
+net.register_endpoint_kind('doh_legacy', cb_socket)
 net.register_endpoint_kind('webmgmt', cb_socket)
 end
@@ -357,12 +357,12 @@ function M.deinit()
 remove_socket(fd)
 end
 tls_cert.ephemeral_state_destroy(M.ephem_state)
-net.register_endpoint_kind('doh')
+net.register_endpoint_kind('doh_legacy')
 net.register_endpoint_kind('webmgmt')
 end
 -- @function Configure module, i.e. store new configuration template
--- kind = socket type (doh/webmgmt)
+-- kind = socket type (doh_legacy/webmgmt)
 function M.config(conf, kind)
 if conf == nil and kind == nil then
 -- default module config, nothing to do
diff --git a/modules/http/http_doh.test.lua b/modules/http/http_doh.test.lua
index 194d08a8e..d30833e4f 100644
--- a/modules/http/http_doh.test.lua
+++ b/modules/http/http_doh.test.lua
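Review bot: In the last hunk of http.lua.in only the comment above `M.config(conf, kind)` is updated, so the rename is enforced in C for `net.listen` but, as far as this hunk shows, an existing `http.config({...}, 'doh')` call is still accepted and stored under a key that no endpoint kind registers any more; M.config's body continues past the hunk, so a later check may exist. If none does, a guard mirroring the C side keeps both entry points consistent: `if kind == 'doh' then error("http.config(): kind 'doh' was renamed to 'doh_legacy', use 'doh2' or update your config") end` at the top of M.config. The TLS certificate and key for the legacy listener are supplied through this path (see the README example in this commit), so a silently orphaned config is worth failing loudly on rather than leaving the listener on whatever defaults apply.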
@@ -85,11 +85,11 @@ else
 modules.load('http')
 http.config({
 tls = false,
- }, 'doh')
+ }, 'doh_legacy')
 local bound
 for _ = 1,1000 do
- bound, _err = pcall(net.listen, '127.0.0.1', math.random(30000, 39999), { kind = 'doh' })
+ bound, _err = pcall(net.listen, '127.0.0.1', math.random(30000, 39999), { kind = 'doh_legacy' })
 if bound then break end