[PR #1943] [CLOSED] Add webpki-roots and native-certs crate features #2713

Closed
opened 2026-03-16 11:04:07 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/hickory-dns/hickory-dns/pull/1943
Author: @daxpedda
Created: 5/22/2023
Status: Closed

Base: main ← Head: native-certs


📝 Commits (6)

  • 14f6833 Add webpki-roots and native-certs features
  • 59aeb66 Fallible rustls-native-certs initialization
  • e9ca987 Store ClientConfig per connection provider
  • 8a75049 Use RootCertStore::add_parsable_certificates()
  • de614db Fix example requiring root certificates
  • 140966b Make QuicClientStreamBuilder construction non-fallible

📊 Changes

18 files changed (+287 additions, -107 deletions)

View changed files

📝 Cargo.lock (+15 -3)
📝 Cargo.toml (+2 -2)
📝 crates/client/Cargo.toml (+3 -1)
📝 crates/proto/Cargo.toml (+7 -4)
📝 crates/proto/src/error.rs (+7 -0)
📝 crates/proto/src/https/https_client_stream.rs (+28 -6)
📝 crates/proto/src/quic/mod.rs (+1 -1)
📝 crates/proto/src/quic/quic_client_stream.rs (+36 -11)
📝 crates/resolver/Cargo.toml (+5 -1)
📝 crates/resolver/examples/custom_provider.rs (+24 -6)
📝 crates/resolver/src/config.rs (+2 -0)
📝 crates/resolver/src/https.rs (+12 -22)
📝 crates/resolver/src/name_server/connection_provider.rs (+60 -9)
📝 crates/resolver/src/quic.rs (+4 -15)
📝 crates/resolver/src/tls/dns_over_rustls.rs (+43 -13)
📝 crates/resolver/src/tls/mod.rs (+2 -3)
📝 util/Cargo.toml (+5 -2)
📝 util/src/dns.rs (+31 -8)

📄 Description

I will need some guidance on how to proceed from here. Currently when both crate features are enabled, certificates from both webpki-roots and rustls-native-certs are loaded, which is probably not what we want.

Suggestions:

  1. Either we prefer one or the other.
  2. Allow only one crate feature to be enabled with a compile-time check.
  3. Expose a configuration option that selects between one of them, with probably native certs being the default.

I'm leaning towards option 3, because a follow-up from me would be to expose some API to disable/enable them during runtime anyway. This is also how reqwest does it, but when both features are active they will just load both.

I didn't touch the integration tests crate and CI yet.

Follow-up to https://github.com/bluejekyll/trust-dns/issues/1940.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
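
The trade-off raised in the description, modelled as an added example (not code from the PR or from hickory-dns): loading every enabled store trusts the union of both anchor sets, while a single-source option keeps the trusted set to one store and fails closed when the requested store is not compiled in. `Compiled`, `RootSource`, `RootError`, `resolve` and the sample CA names are hypothetical and constructed for illustration.

```rust
// Added illustration; every name here is hypothetical, not hickory-dns API.
use std::collections::BTreeSet;

/// Stand-ins for the `webpki-roots` and `native-certs` crate features.
#[derive(Clone, Copy)]
pub struct Compiled { pub webpki_roots: bool, pub native_certs: bool }

/// Hypothetical option from suggestion 3; `Default` prefers native certs.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum RootSource { Default, Native, WebPki }
#[derive(Debug, PartialEq)]
pub enum RootError { NotCompiledIn(RootSource), NoRootsAvailable }

// Constructed sample anchors; real stores hold DER certificates.
const BUNDLED: &[&str] = &["Public CA A", "Public CA B"];
const OS_STORE: &[&str] = &["Public CA A", "Locally Installed CA"];

/// Pick exactly one store: no union, no silent fallback to the other store.
pub fn resolve(c: Compiled, wanted: RootSource) -> Result<RootSource, RootError> {
    match wanted {
        RootSource::Native if c.native_certs => Ok(RootSource::Native),
        RootSource::WebPki if c.webpki_roots => Ok(RootSource::WebPki),
        RootSource::Default if c.native_certs => Ok(RootSource::Native),
        RootSource::Default if c.webpki_roots => Ok(RootSource::WebPki),
        RootSource::Default => Err(RootError::NoRootsAvailable),
        other => Err(RootError::NotCompiledIn(other)),
    }
}

/// Trust anchors under the single-source policy.
pub fn selected_roots(c: Compiled, wanted: RootSource) -> Result<BTreeSet<&'static str>, RootError> {
    let list = match resolve(c, wanted)? {
        RootSource::WebPki => BUNDLED,
        _ => OS_STORE,
    };
    Ok(list.iter().copied().collect())
}

/// Trust anchors when every enabled store is loaded, as the description reports.
pub fn union_roots(c: Compiled) -> BTreeSet<&'static str> {
    let mut set = BTreeSet::new();
    if c.webpki_roots { set.extend(BUNDLED.iter().copied()); }
    if c.native_certs { set.extend(OS_STORE.iter().copied()); }
    set
}

fn main() {
    let both = Compiled { webpki_roots: true, native_certs: true };
    println!("{:?} vs {:?}", union_roots(both), selected_roots(both, RootSource::WebPki));
}
```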
