DNSoverQUIC #871
…, and check ub_initstate return.
Hello,
Below is the log related to SSL_is_quic. configure:21910: checking for SSL_is_quic
The check indicates that the openssl+quic version is not detected. That has the function that is looked for. If the openssl+quic version is in use, the error makes it seem like '--disable-flto' could fix the issue, if the lto optimization is causing it. So, using the system default openssl version is not likely to work, as that does not have the quic functionality.
I tried the --disable-flto option immediately, but got the same result. Also, I found out that the default OpenSSL doesn't support QUIC, so I installed the QUIC-compatible version yesterday, but it didn't improve anything. `$ openssl version` below is the log again.
Is that the openssl that is just a version increase, where openssl has more quic support. But what the code needs is the openssl version from the branch of code, linked at the top post, that has the quic functions that are used by libngtcp2. That prints a version line like
I'm sorry for all the fuss. I seem to have forgotten to change the /path/to...
I have OpenSSL version 3.3.2 which natively supports QUIC. Can I use this version? I have not yet swapped over to the forked version hoping I can use the native OpenSSL. But the quic-port command isn't recognized.
I believe that only implements the client part, and the branch implements server code, with the other library.
Thank you. Do you know when this will be available in the next Unbound release? Currently 1.2.1 I believe. Also, are you working on upstream DoQ forwarding as well, similar to DoT?
No, I do not know. The upstream part is present on plans.
I have a few questions. Does this installation come before or after I set up an unbound resolver? Because I've done everything above but I cannot find quic-port in unbound.conf. I have installed the unbound resolver before starting this and I try doqclient but it shows errors ngtcp2_conn_handle_expriry fail: ERR_IDLE_CLOSE. Please help. I'm new to unbound. I chose it to set up a DoQ lab and now I'm so lost.
The instructions above are for compilation, you would need to compile before running the unbound server. That means using the version of the software that is compiled, and not a version that is installed from a package system. Perhaps ports are firewalled on the computer, and this is dropping all traffic, and thus timeouts, instead of a compilation problem.
I don't think that is the case. My firewall is down and my unbound is built from source. I did restart my unbound server but it did not work (it still can perform a normal query with dig but cannot perform a DoQ one with ./doqclient). Maybe because I built the server first, then followed the instructions. They just don't work together. unbound-checkconf even gives me an error for putting "quic-port" in unbound.conf. So I think it is a compilation problem.
Yeah the build of the server needs the result from those instructions. So the instructions are earlier, but I cannot tell what the compilation problem is, apart from that in the unbound that is attempted the doq does not seem to be present.
I built the server again. This time when I try to start the server, it fails and the log looks like this: [1727840988] unbound[66391:0] error: doq server socket create: no tls-service-key Clearly it requires a tls-key. But where can I get one? Do I have to make it myself or is it already somewhere in the software? Is it supposed to have TLS within QUIC?
The dnsoverquic needs
Code looks good and the flow makes sense!
Only some review comments in two PRs in total.
Quick notes on testing:
- tested with master merged locally
- test iterations combining lock/mem tests and debug builds
- tested with third-party clients which work for the most part; I'll add the results/information to the accompanying blog post when this is released.
- lock_protect also for HAVE_NGTCP2_CCERR_DEFAULT
- fix doq logging for inet_ntop failures
- no value returned from msghdr_get_ecn when S_SPLINT_S is defined
- Merge #871: DNS over QUIC. This adds `quic-port: 853` and `quic-size: 8m` that enable dnsoverquic, and the counters `num.query.quic` and `mem.quic` in the statistics output. The feature needs to be enabled by compiling with libngtcp2, with `--with-libngtcp2=path` and libngtcp2 needs openssl+quic, pass that with `--with-ssl=path` to compile unbound as well.
* nlnet/master: (24 commits)
- Add changelog entry for tag for 1.22.0rc1.
- Tag for 1.22.0 release. This did not contain the 1154 fix from 16 oct. The code repository continues with version 1.22.1 in development.
- Fix NLnetLabs#1154: Tag Incorrectly Applying for Other Interfaces Using the Same IP. This fix is not for 1.22.0.
- Fix for dnstap with dnscrypt and dnstap without dnsoverquic.
- Fix for dnsoverquic and dnstap to use the correct dnstap environment.
- Fix dnsoverquic to extend the number of streams when one is closed.
- Fix to display warning if quic-port is set but dnsoverquic is not enabled when compiled.
- Fix contrib/aaaa-filter-iterator.patch for change in call signature for cache_fill_missing.
- Fix harden-unverified-glue for AAAA cache_fill_missing lookups.
- Fix to disable detection of quic configured ports when quic is not compiled in.
- Fix add reallocarray to alloc stats unit test, and disable override of strdup in unbound-host, and the result of config get option is freed properly.
- Fix cookie_file test sporadic fails for time change during the test.
- Fix for dnstap compile of doqclient with doq disabled.
- Changelog entry and unit test for fix of NSEC TTL and prefetch ttl.
- Fix to limit NSEC TTL for messages from cachedb. Fix to limit the prefetch ttl for messages after a CNAME with short TTL.
- Fix to limit NSEC TTL for messages from cachedb. Fix to limit the prefetch ttl for messages after a CNAME with short TTL.
- Changelog note for NLnetLabs#871
- Merge NLnetLabs#871: DNS over QUIC. This adds `quic-port: 853` and `quic-size: 8m` that enable dnsoverquic, and the counters `num.query.quic` and `mem.quic` in the statistics output. The feature needs to be enabled by compiling with libngtcp2, with `--with-libngtcp2=path` and libngtcp2 needs openssl+quic, pass that with `--with-ssl=path` to compile unbound as well.
- DNSoverQUIC (NLnetLabs#871)
- Fix NLnetLabs#1128: Cannot override tcp-upstream and tls-upstream with forward-tcp-upstream and forward-tls-upstream.
- Fix NLnetLabs#1149: unbound-control-setup hangs sometimes depending on the openssl version.
- The fix for CVE-2024-8508 was part of 1.21.1, a security point release on 1.21.0. The code repository continues with this fix and the version number 1.22.0.
...
Implementation of DoQ for Unbound, DNS over QUIC transport. This implements doq for downstream, clients that query unbound server, RFC9250.
Compile this with the ngtcp2 library. And with openssl+quic. Like this:
With the compile, it can be turned on. This is governed by the config option in unbound.conf, `quic-port: 853`. When an interface is on that port number, the UDP socket receives DoQ queries. With this unbound.conf:
Then unbound serves quic queries to localhost on the 2853 port number. Also other interfaces work, like `::1@2853`. Unbound can be started attached to the console for debug, with `./unbound -d -c theconfig.conf`. With `-dd` it prints logs to the terminal as well. Ctrl-C can exit, or send a term signal. With `make doqclient` the test tool can be created to send a query. Send a query with `./doqclient -s 127.0.0.1 -p 2853 www.example.com A IN`. With `-v` it prints more diagnostics, also unbound logs more diagnostics, also from the internals of libngtcp2, when verbosity is 4 or more. An example of output from doqclient is:
It is possible to have the TCP port on the same interface as DoQ server DoT or DoH, dnsovertls or dnsoverhttp, or also serve over TCP.
The resource consumption can be configured with `quic-size: 8m`. More queries are turned away. The number of quic queries is output in `num.query.quic` in the statistics. The `mem.quic` statistic outputs memory used.
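As an added example (not code from the unbound project or this PR), a small Python pre-flight check for the two DoQ misconfigurations this thread runs into: no interface on the `quic-port`, and a missing `tls-service-key`/`tls-service-pem`, which makes the doq server socket creation fail. The simplified config parser and the key/pem paths are assumptions, not unbound's own parser.

```python
# Added example (not unbound project code): pre-flight check of an unbound.conf
# that turns on DoQ. It tests the two conditions the thread runs into: an
# interface must listen on quic-port (that UDP socket receives DoQ), and the
# DoQ socket needs tls-service-key/tls-service-pem ("no tls-service-key").

# Constructed sample config; the key/pem paths are placeholders.
SAMPLE_CONF = """\
server:
    verbosity: 1
    interface: 127.0.0.1@2853
    interface: ::1@2853
    quic-port: 2853
    quic-size: 8m
    tls-service-key: "/path/to/unbound.key"   # placeholder path
    tls-service-pem: "/path/to/unbound.pem"   # placeholder path
"""


def parse_server_options(text):
    """Map option -> list of values from the server: clause (simplified)."""
    opts = {}
    in_server = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.endswith(":") and " " not in line:  # clause header
            in_server = line == "server:"
            continue
        if in_server:
            key, _, value = line.partition(":")
            opts.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return opts


def check_doq_config(text):
    """Return a list of problems; empty means the DoQ setup is consistent."""
    opts = parse_server_options(text)
    if "quic-port" not in opts:
        return []                      # DoQ not requested, nothing to check
    port = opts["quic-port"][-1]       # last setting wins
    problems = []
    # interface: addr@port; without @ unbound listens on port 53
    ifaces = opts.get("interface", [])
    if not any((i.rsplit("@", 1)[1] if "@" in i else "53") == port for i in ifaces):
        problems.append(f"no interface listens on quic-port {port}")
    for opt in ("tls-service-key", "tls-service-pem"):
        if opt not in opts:            # socket create fails without these
            problems.append(f"{opt} missing: doq server socket cannot be created")
    return problems
```

Running `check_doq_config` on a config before starting the server surfaces the "no tls-service-key" failure from the log above without a restart cycle.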