[PR #899] [MERGED] Allow for custom rustls::ClientConfig to be passed to the Resolver #1780

Closed
opened 2026-03-16 02:24:56 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/hickory-dns/hickory-dns/pull/899
Author: @ziprandom
Created: 10/23/2019
Status: Merged
Merged: 10/26/2019
Merged by: @bluejekyll

Base: master ← Head: nameserverconfig-holds-rustls-clientconfig


📝 Commits (3)

  • 0100f9c Allow for the rustls client to be passed to the resolver
  • 6a54e11 remove HttpsClientStreamBuilder::add_ca, assert ALPN_H2 in build
  • 8277666 remove NameServerConfigGroup.set_tls_client_config, add with_client_config

📊 Changes

16 files changed (+260 additions, -52 deletions)


📝 Cargo.lock (+1 -0)
📝 bin/Cargo.toml (+1 -0)
📝 bin/tests/named_https_tests.rs (+19 -3)
📝 crates/client/src/https_client_connection.rs (+1 -1)
📝 crates/https/src/https_client_stream.rs (+15 -18)
📝 crates/resolver/src/config.rs (+133 -5)
📝 crates/resolver/src/https.rs (+8 -9)
📝 crates/resolver/src/name_server/connection_provider.rs (+21 -2)
📝 crates/resolver/src/name_server/name_server.rs (+6 -0)
📝 crates/resolver/src/name_server/name_server_pool.rs (+24 -10)
📝 crates/resolver/src/system_conf/unix.rs (+8 -0)
📝 crates/resolver/src/system_conf/windows.rs (+4 -0)
📝 crates/resolver/src/tls/dns_over_rustls.rs (+12 -2)
📝 crates/resolver/src/tls/mod.rs (+1 -1)
📝 tests/integration-tests/tests/client_future_tests.rs (+4 -1)
📝 tests/integration-tests/tests/name_server_pool_tests.rs (+2 -0)

📄 Description

Currently the trust-dns-resolver uses a hardcoded rustls::ClientConfig when built with the dns-over-rustls feature. This makes it impossible to change the accepted root certificates and other properties of the TLS client.

This PR adds a new field to the NameServerConfig to optionally pass a rustls::ClientConfig which gets used instead. The webpki-roots store is used as the default fallback so existing implementations should work as before.

A new type TlsClientConfig was added as a wrapper for rustls::ClientConfig which doesn't implement the Debug, Eq & PartialEq traits. This might become obsolete if rustls can provide the trait implementations one day.

The custom rustls::ClientConfig can be set via a set_tls_client_config method which exists both on trust-dns-resolver::NameServerConfigGroup and trust-dns-resolver::ResolverConf.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
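
The wrapper-and-fallback design the description outlines, as an added sketch that is not the PR's or the project's own code: `ClientConfig` here is a std-only stand-in for `rustls::ClientConfig`, and the field names, `default_client_config` and `effective_config` are hypothetical. Comparing by pointer identity is this sketch's assumption for how a newtype can supply `Eq` when the wrapped type has none.

```rust
use std::fmt;
use std::sync::Arc;

// Stand-in for rustls::ClientConfig (assumption): no Debug, PartialEq or Eq.
pub struct ClientConfig {
    pub root_names: Vec<String>, // constructed placeholder for a root store
}

// Newtype so that a struct holding the config can still derive the traits.
#[derive(Clone)]
pub struct TlsClientConfig(pub Arc<ClientConfig>);

impl PartialEq for TlsClientConfig {
    // Identity comparison: equal only when both point at the same allocation.
    fn eq(&self, other: &Self) -> bool {
        Arc::ptr_eq(&self.0, &other.0)
    }
}
impl Eq for TlsClientConfig {}

impl fmt::Debug for TlsClientConfig {
    // Opaque output: nothing from inside the TLS config reaches logs.
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("TlsClientConfig(..)")
    }
}

// Hypothetical, reduced name-server entry carrying the optional field.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct NameServerConfig {
    pub tls_dns_name: Option<String>,
    pub tls_config: Option<TlsClientConfig>,
}

// Built-in default, standing in for a config loaded from webpki-roots.
pub fn default_client_config() -> Arc<ClientConfig> {
    Arc::new(ClientConfig { root_names: vec!["webpki-roots".to_string()] })
}

// Use the caller's config when present, otherwise fall back to the default.
pub fn effective_config(ns: &NameServerConfig) -> Arc<ClientConfig> {
    ns.tls_config.as_ref().map(|c| Arc::clone(&c.0)).unwrap_or_else(default_client_config)
}

fn main() {
    let ns = NameServerConfig { tls_dns_name: None, tls_config: None };
    println!("{:?} -> roots {:?}", ns, effective_config(&ns).root_names);
}
```

With identity comparison, two entries built from separately constructed but identical configs compare unequal, so share one `Arc` across name servers that are meant to use the same trust settings.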
