[dnsdist] dnsdist 1.5.1 doh + options bug ?
Dave Knight
dave at knig.ht
Fri Oct 9 21:34:55 UTC 2020
> On Oct 6, 2020, at 3:05 AM, Remi Gacogne via dnsdist <dnsdist at mailman.powerdns.com> wrote:
>
> Hi Dave,
>
> On 10/6/20 2:14 AM, Dave Knight via dnsdist wrote:
>> Hello all,
>>
>> Recently started exploring dnsdist and joined the mail list just today.
>>
>> I'd been playing with DoT and DoH in 1.4.0 without problems. Since switching to 1.5.0 and now 1.5.1 I have problems with DoH.
>>
>> I did some fiddling in the config and found that DoH doesn't work for a listener configured where addDOHLocal has { options }.
>> [...]
>> addDOHLocal( '[::1]:443',
>> '/etc/ssl/certs/bigalsfancydns.com.pem',
>> '/etc/ssl/private/bigalsfancydns.com.key',
>> { reusePort=True } )
>
> If you look at the documentation for addDOHLocal[1] you'll see that the
> fourth parameter is a path, or a list of paths, and not the options that
> you are trying to set. These come in the fifth parameter. Basically all
> your configurations except for the '4' one do not accept HTTP(S) queries
> on any path, hence your issue.
>
> [1]: https://dnsdist.org/reference/config.html#addDOHLocal
>
Seems the consensus is on me doing something stupid :p
<https://dnsdist.org/reference/config.html>
addDOHLocal(address[, certFile(s)[, keyFile(s)[, urls[, options]]]])
Changed in version 1.5.0: url now defaults to /dns-query instead of /
I interpreted ‘there is a default’ as ‘I can omit this’ and didn’t bother to consider that the changed position of subsequent parameters was important.
What is the right way to signal that I want to use the default value? This seems to work…
addDOHLocal( '[::1]:443',
'/etc/ssl/certs/bigalsfancydns.com.pem',
'/etc/ssl/private/bigalsfancydns.com.key',
nil,
{ reusePort=True } )
but is it the correct way to do it?
In addition to that, I was getting the case wrong as I’m generating it with ansible and jinja2
{ reusePort={{ item.reuse_port | default(false) }} } )
needed to add a |string|lower to that.
I suppose the real issue is that neither of these bits of broken config were logged, or caught by an explicit check
# dnsdist --check-config
Configuration '/usr/local/etc/dnsdist.conf' OK!
Thanks everyone who replied!
Kind regards,
dave
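The two mistakes discussed in this thread (options table in the wrong positional slot, and a Python-style `True` that Lua silently reads as nil) can both be caught in the config itself before dnsdist ever builds the listener. The following is an added example for a dnsdist.conf, not code from the thread or from dnsdist; the `checkDohOptions` helper is hypothetical, and passing `nil` as the fourth argument to keep the default URL follows the thread's own finding.

```lua
-- Added example (not from the thread or from dnsdist): a small guard for
-- the DoH listener options, run inside dnsdist.conf.

-- In Lua an undefined global such as `True` evaluates to nil, so
-- { reusePort=True } is the same as {} and the option is silently dropped.
-- A Jinja2 template must therefore render the value as true/false
-- (e.g. `{{ item.reuse_port | default(false) | string | lower }}`).
local function checkDohOptions(opts, expected)
  for name, wantType in pairs(expected) do
    if opts[name] == nil then
      error(string.format(
        "DoH option %q is missing or nil (Lua wants true/false, not True/False)",
        name))
    end
    if type(opts[name]) ~= wantType then
      error(string.format("DoH option %q should be a %s, got %s",
        name, wantType, type(opts[name])))
    end
  end
  return opts
end

-- Every option we rely on is listed with its expected Lua type, so a typo
-- or a wrongly rendered template value aborts config loading loudly.
local dohOptions = checkDohOptions(
  { reusePort = true },
  { reusePort = "boolean" })

-- Argument order per the 1.5 docs: address, cert, key, urls, options.
-- Pass nil for urls to keep the 1.5.0 default of /dns-query; the options
-- table goes fifth, never fourth.
addDOHLocal('[::1]:443',
            '/etc/ssl/certs/bigalsfancydns.com.pem',
            '/etc/ssl/private/bigalsfancydns.com.key',
            nil,
            dohOptions)
```

With this in place, `dnsdist --check-config` fails on the misrendered `True` instead of reporting the configuration as OK.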