From: Remi Gacogne Date: Mon, 7 Feb 2022 17:23:41 +0000 (+0100) Subject: dnsdist: Inherit TLS parameters from the initial backend when upgrading X-Git-Tag: rec-4.7.0-alpha1~9^2~15 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8d2fe9be553f7c3d461085c8a9793017a34e0043;p=thirdparty%2Fpdns.git dnsdist: Inherit TLS parameters from the initial backend when upgrading
---
diff --git a/pdns/dnsdist-lua.cc b/pdns/dnsdist-lua.cc
index e5b92e3303..6c3d66dc6a 100644
--- a/pdns/dnsdist-lua.cc
+++ b/pdns/dnsdist-lua.cc
@@ -544,36 +544,31 @@ static void setupLuaConfig(LuaContext& luaCtx, bool client, bool configCheck)
 }
 std::shared_ptr tlsCtx;
- if (vars.count("tls")) {
- TLSContextParameters tlsParams;
- std::string ciphers;
- std::string ciphers13;
-
- tlsParams.d_provider = boost::get(vars.at("tls"));
-
- if (vars.count("ciphers")) {
- tlsParams.d_ciphers = boost::get(vars.at("ciphers"));
- }
- if (vars.count("ciphers13")) {
- tlsParams.d_ciphers13 = boost::get(vars.at("ciphers13"));
- }
- if (vars.count("caStore")) {
- tlsParams.d_caStore = boost::get(vars.at("caStore"));
- }
- if (vars.count("validateCertificates")) {
- tlsParams.d_validateCertificates = boost::get(vars.at("validateCertificates"));
- }
- if (vars.count("releaseBuffers")) {
- tlsParams.d_releaseBuffers = boost::get(vars.at("releaseBuffers"));
- }
- if (vars.count("enableRenegotiation")) {
- tlsParams.d_enableRenegotiation = boost::get(vars.at("enableRenegotiation"));
- }
- if (vars.count("subjectName")) {
- config.d_tlsSubjectName = boost::get(vars.at("subjectName"));
- }
+ if (vars.count("ciphers")) {
+ config.d_tlsParams.d_ciphers = boost::get(vars.at("ciphers"));
+ }
+ if (vars.count("ciphers13")) {
+ config.d_tlsParams.d_ciphers13 = boost::get(vars.at("ciphers13"));
+ }
+ if (vars.count("caStore")) {
+ config.d_tlsParams.d_caStore = boost::get(vars.at("caStore"));
+ }
+ if (vars.count("validateCertificates")) {
+ config.d_tlsParams.d_validateCertificates = boost::get(vars.at("validateCertificates"));
+ }
+ if (vars.count("releaseBuffers")) {
+ config.d_tlsParams.d_releaseBuffers = boost::get(vars.at("releaseBuffers"));
+ }
+ if (vars.count("enableRenegotiation")) {
+ config.d_tlsParams.d_enableRenegotiation = boost::get(vars.at("enableRenegotiation"));
+ }
+ if (vars.count("subjectName")) {
+ config.d_tlsSubjectName = boost::get(vars.at("subjectName"));
+ }
- tlsCtx = getTLSContext(tlsParams);
+ if (vars.count("tls")) {
+ config.d_tlsParams.d_provider = boost::get(vars.at("tls"));
+ tlsCtx = getTLSContext(config.d_tlsParams);
 if (vars.count("dohPath")) {
 #ifndef HAVE_NGHTTP2
diff --git a/pdns/dnsdist.hh b/pdns/dnsdist.hh
index 8757183970..4c51a6842b 100644
--- a/pdns/dnsdist.hh
+++ b/pdns/dnsdist.hh
@@ -707,6 +707,7 @@ struct DownstreamState: public std::enable_shared_from_this
 {
 }
+ TLSContextParameters d_tlsParams;
 set pools;
 std::set d_cpus;
 checkfunc_t checkFunction;
diff --git a/pdns/dnsdistdist/dnsdist-discovery.cc b/pdns/dnsdistdist/dnsdist-discovery.cc
index 1c5964811c..58a6b025bf 100644
--- a/pdns/dnsdistdist/dnsdist-discovery.cc
+++ b/pdns/dnsdistdist/dnsdist-discovery.cc
@@ -145,6 +145,7 @@ static bool handleSVCResult(const PacketBuffer& answer, const ComboAddress& exis
 {
 std::map resolvers;
 if (!parseSVCParams(answer, resolvers)) {
+ vinfolog("No configuration found in response for backend %s", existingAddr.toStringWithPort());
 return false;
 }
@@ -198,6 +199,7 @@ static bool handleSVCResult(const PacketBuffer& answer, const ComboAddress& exis
 continue;
 #endif
 if (tempConfig.d_dohPath.empty()) {
+ vinfolog("Got a DoH upgrade offered for %s but no path, skipping", existingAddr.toStringWithPort());
 continue;
 }
 }
@@ -211,7 +213,6 @@ static bool handleSVCResult(const PacketBuffer& answer, const ComboAddress& exis
 }
 /* we have a config that we can use! */
-
 for (const auto& hint : resolver.hints) {
 tentativeAddresses.insert(hint);
 }
@@ -386,6 +387,7 @@ bool ServiceDiscovery::tryToUpgradeBackend(const UpgradeableBackend& backend)
 {
 ServiceDiscovery::DiscoveredResolverConfig discoveredConfig;
+ vinfolog("Trying to discover configuration for backend %s", backend.d_ds->getNameWithAddr());
 if (!ServiceDiscovery::getDiscoveredConfig(backend, discoveredConfig)) {
 return false;
 }
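Review bot: `ciphers`, `ciphers13`, `caStore`, `validateCertificates`, `releaseBuffers` and `enableRenegotiation` are now written into `config.d_tlsParams` before, and independently of, the `vars.count("tls")` check, whereas the removed code only read them inside that check; nothing on the new side tells a reader that a plain Do53 backend is meant to carry these settings so that a later DoT/DoH upgrade inherits them. A comment above the first `if (vars.count("ciphers"))`, such as `/* TLS parameters are kept even without 'tls', so that a backend upgraded to DoT/DoH by discovery inherits them */`, would make the intent explicit and stop a future cleanup from moving them back under the `tls` check. Note that `subjectName` still goes to `config.d_tlsSubjectName` rather than into `d_tlsParams`, so the upgrade path has to carry that field separately; presumably it copies the whole config, but that is not visible here. `setupLuaConfig` begins and ends outside this hunk.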
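Review bot: The added `TLSContextParameters d_tlsParams;` member has no comment, although the value it holds now decides certificate validation and CA store for a connection created from this backend by the discovery upgrade path in `dnsdist-discovery.cc`, so a maintainer reshuffling these members gets no hint that it must survive the copy into the upgraded backend. Suggest `/* TLS parameters of this backend; also inherited by the DoT/DoH backend that discovery may create from it (see dnsdist-discovery.cc) */` above the added line. Whether the member lands directly in `DownstreamState` or in a nested struct cannot be told from the surrounding context lines; the struct starts and ends outside this hunk.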
@@ -431,8 +433,7 @@ bool ServiceDiscovery::tryToUpgradeBackend(const UpgradeableBackend& backend)
 try {
 /* create new backend, put it into the right pool(s) */
- TLSContextParameters tlsParams;
- auto tlsCtx = getTLSContext(tlsParams);
+ auto tlsCtx = getTLSContext(config.d_tlsParams);
 auto newServer = std::make_shared(std::move(config), std::move(tlsCtx), true);
 /* check that we can connect to the backend (including certificate validation */
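Review bot: `getTLSContext(config.d_tlsParams)` now takes certificate validation, CA store and cipher settings for the upgraded connection from whatever `config.d_tlsParams` holds, but nothing in the hunk shows where `config` got those values; presumably it is copied from `backend.d_ds` earlier in `tryToUpgradeBackend`, outside this hunk, and that is worth stating next to the call since it is the security-relevant part of the change. If the initial backend was declared without `tls`, the `dnsdist-lua.cc` hunk leaves `d_tlsParams.d_provider` empty, so provider selection here depends on how `getTLSContext` treats an empty provider, exactly as it did with the removed default-constructed `tlsParams`. Suggest extending the comment on the preceding line to `/* create new backend, put it into the right pool(s); reuse the initial backend's TLS parameters so validation, CA store and ciphers are unchanged by the upgrade */`. The `try` block and `tryToUpgradeBackend` continue past the end of this hunk.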