From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Mon, 3 Mar 2025 15:57:42 +0000 (+0100)
Subject: dnsdist: Don't try to get TLS contexts for DoQ and DoH3 frontends
X-Git-Tag: dnsdist-2.0.0-alpha2~88^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b14fc4461091061665b18adac352dc3c5a93a454;p=thirdparty%2Fpdns.git

dnsdist: Don't try to get TLS contexts for DoQ and DoH3 frontends

Right now the BoringSSL context is handled by Quiche and we do not
mess with it.
---

diff --git a/pdns/dnsdistdist/dnsdist-configuration-yaml.cc b/pdns/dnsdistdist/dnsdist-configuration-yaml.cc
index 3fad3db70a..9747a5de9b 100644
--- a/pdns/dnsdistdist/dnsdist-configuration-yaml.cc
+++ b/pdns/dnsdistdist/dnsdist-configuration-yaml.cc
@@ -239,7 +239,7 @@ static bool validateTLSConfiguration(const dnsdist::rust::settings::BindConfigur
   return true;
 }
 
-static bool handleTLSConfiguration(const dnsdist::rust::settings::BindConfiguration& bind, ClientState& state, std::shared_ptr<const TLSFrontend> parent)
+static bool handleTLSConfiguration(const dnsdist::rust::settings::BindConfiguration& bind, ClientState& state, const std::shared_ptr<const TLSFrontend>& parent)
 {
   auto tlsConfig = getTLSConfigFromRustIncomingTLS(bind.tls);
   if (!validateTLSConfiguration(bind, tlsConfig)) {
@@ -717,7 +717,7 @@ static void loadBinds(const ::rust::Vec<dnsdist::rust::settings::BindConfigurati
           if (!handleTLSConfiguration(bind, *state, tlsFrontendParent)) {
             continue;
           }
-          if (tlsFrontendParent == nullptr) {
+          if (tlsFrontendParent == nullptr && (protocol == "dot" || protocol == "doh")) {
             tlsFrontendParent = state->getTLSFrontend();
           }
         }