From: Remi Gacogne
Date: Thu, 26 Jun 2025 10:46:49 +0000 (+0200)
Subject: dnsdist: Enforce that additional addresses are DoT/DoH only
X-Git-Tag: dnsdist-2.1.0-alpha0~3^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=df7cbdb3d7f66e3bfe788d149661101bcac36647;p=thirdparty%2Fpdns.git

dnsdist: Enforce that additional addresses are DoT/DoH only

I want to support additional addresses on frontends for all protocols, but the amount of code to change is too important for the 2.0 branch. So for now, let's document and enforce the current limitation to prevent surprises.

Signed-off-by: Remi Gacogne
---
diff --git a/pdns/dnsdistdist/dnsdist-configuration-yaml.cc b/pdns/dnsdistdist/dnsdist-configuration-yaml.cc
index 3e9291b1bb..184e92aae1 100644
--- a/pdns/dnsdistdist/dnsdist-configuration-yaml.cc
+++ b/pdns/dnsdistdist/dnsdist-configuration-yaml.cc
@@ -706,15 +706,20 @@ static void loadBinds(const ::rust::Vecd_tcpConcurrentConnectionsLimit = bind.tcp.max_concurrent_connections;
 }
- for (const auto& addr : bind.additional_addresses) {
- try {
- ComboAddress address{std::string(addr)};
- state->d_additionalAddresses.emplace_back(address, -1);
- }
- catch (const PDNSException& e) {
- errlog("Unable to parse additional address %s for %s bind: %s", std::string(addr), protocol, e.reason);
+ if (protocol == "dot" || protocol == "doh") {
+ for (const auto& addr : bind.additional_addresses) {
+ try {
+ ComboAddress address{std::string(addr)};
+ state->d_additionalAddresses.emplace_back(address, -1);
+ }
+ catch (const PDNSException& e) {
+ errlog("Unable to parse additional address %s for %s bind: %s", std::string(addr), protocol, e.reason);
+ }
 }
 }
+ else if (!bind.additional_addresses.empty()) {
+ throw std::runtime_error("Passing a non-empty additional_addresses value to a " + protocol + " frontend is not supported");
+ }
 if (protocol == "dnscrypt") {
 #if defined(HAVE_DNSCRYPT)
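Review bot: An unparseable entry in additional_addresses for a DoT/DoH frontend is still only logged by the retained errlog in the catch block and the loop continues, so the frontend comes up listening on fewer addresses than the operator configured, whereas the new else-if branch turns the unsupported-protocol case into a hard startup error. Since the stated goal is to prevent surprises, the two paths should arguably agree: either replace the errlog with `throw std::runtime_error("Unable to parse additional address " + std::string(addr) + " for " + protocol + " bind: " + e.reason);` so a typo fails the configuration load, or add a comment such as `// a bad additional address is deliberately non-fatal; the primary address still comes up` explaining why soft-failure is intended. The `-1` passed to emplace_back would also benefit from a short comment naming what it stands for, since the hunk gives no hint. The enclosing loadBinds function starts and ends outside this hunk.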
diff --git a/pdns/dnsdistdist/dnsdist-settings-definitions.yml b/pdns/dnsdistdist/dnsdist-settings-definitions.yml
index 04a1b13ef2..f61107c0cf 100644
--- a/pdns/dnsdistdist/dnsdist-settings-definitions.yml
+++ b/pdns/dnsdistdist/dnsdist-settings-definitions.yml
@@ -1129,7 +1129,7 @@ bind:
 - name: "additional_addresses"
 type: "Vec"
 default: ""
- description: "List of additional addresses (with port) to listen on. Using this option instead of creating a new frontend for each address avoids the creation of new thread and Frontend objects, reducing the memory usage. The drawback is that there will be a single set of metrics for all addresses"
+ description: "List of additional addresses (with port) to listen on. Using this option instead of creating a new frontend for each address avoids the creation of new thread and Frontend objects, reducing the memory usage. The drawback is that there will be a single set of metrics for all addresses. This is only supported for DoT and DoH frontends, and therefore passing a non-empty list for other protocols will trigger an error"
 - name: "xsk"
 type: "String"
 default: ""