[PR #3184] [MERGED] add server SSLKEYLOGFILE support, extend dns-test TShark features #3624

Closed
opened 2026-03-16 11:53:42 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/hickory-dns/hickory-dns/pull/3184
Author: @cpu
Created: 8/7/2025
Status: Merged
Merged: 8/11/2025
Merged by: @cpu

Base: main ← Head: cpu-dot-pcap_dev


📝 Commits (5)

  • 56687db server: optionally support SSLKEYLOGFILE
  • e693050 dns-test: support tshark w/ TCP DNS traffic
  • f960735 dns-test: support TShark capturing DoT traffic
  • 86270fe dns-test: capture TShark protocol and src/dest port
  • 84ac03b dns-test: support multiple TShark filters

📊 Changes

21 files changed (+369 additions, -50 deletions)


📝 bin/src/hickory-dns.rs (+7 -1)
📝 bin/src/lib.rs (+20 -0)
📝 conformance/packages/conformance-tests/src/resolver/dns/scenarios.rs (+5 -2)
📝 conformance/packages/conformance-tests/src/resolver/dnssec/regression.rs (+6 -3)
📝 conformance/packages/conformance-tests/src/resolver/dnssec/rfc4035/section_3/section_3_1/section_3_1_4.rs (+2 -1)
📝 conformance/packages/conformance-tests/src/resolver/dnssec/rfc4035/section_3/section_3_2.rs (+10 -4)
📝 conformance/packages/conformance-tests/src/resolver/dnssec/rfc4035/section_4/section_4_1.rs (+5 -2)
📝 conformance/packages/conformance-tests/src/resolver/dnssec/rfc4035/section_4/section_4_5.rs (+3 -3)
📝 conformance/packages/conformance-tests/src/resolver/dnssec/rfc4035/section_4/section_4_6.rs (+5 -2)
📝 conformance/packages/conformance-tests/src/resolver/dnssec/scenarios/secure.rs (+2 -2)
📝 conformance/packages/dns-test/src/docker/hickory.Dockerfile (+1 -0)
📝 conformance/packages/dns-test/src/name_server.rs (+1 -1)
📝 conformance/packages/dns-test/src/resolver.rs (+1 -1)
📝 conformance/packages/dns-test/src/templates/hickory.name-server.toml.jinja (+1 -0)
📝 conformance/packages/dns-test/src/tshark.rs (+257 -18)
📝 crates/server/src/server/h2_handler.rs (+6 -1)
📝 crates/server/src/server/mod.rs (+17 -2)
📝 tests/e2e-tests/src/resolver/dnssec/regression.rs (+1 -1)
📝 tests/e2e-tests/src/resolver/do_not_query.rs (+13 -4)
📝 tests/integration-tests/tests/integration/server_future_tests.rs (+1 -2)

...and 1 more file

📄 Description

Updates the hickory-dns binary with a new TLS-feature specific config field, ssl_keylog_enabled. When true, and the SSLKEYLOGFILE env var is set, TLS session key data will be written to the specified file in a format compatible with Wireshark. Since this breaks forward secrecy and must be used with care in test/debugging contexts only, it's disabled by default. The dns-test conformance docker image for Hickory is updated to enable it, writing the secrets to a fixed location for use in testing. Under the hood, the underlying server crate is updated to respect a bool argument when constructing default TLS server configs for whether or not to enable SSLKEYLOGFILE support.

Next, the TShark helper from the dns-test package is updated to extend its capture support. Previously it was hardcoded to only capture plaintext DNS over UDP port 53. This branch introduces a builder type that allows customizing this to capture plaintext DNS over TCP, as well as encrypted DNS using DoT (w/ the SSLKEYLOGFILE support mentioned above so the inner decoded DNS messages can be surfaced). Multiple protocol filters can be combined (using a logical OR) so that it's possible to capture both plaintext and encrypted DNS messages, for example (and to determine which protocol/ports were associated with each captured message).

These capabilities are groundwork for being able to write more interesting tests that verify opportunistic encryption between a resolver and an auth. server works as expected, with the protocol/ports in use for queries changing based on probe results/server capabilities.
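The two mechanisms the description covers, the opt-in keylog gate and the OR-combined TShark filter builder, sketched as an added example in std-only Rust. This is not hickory-dns code: the names `keylog_path`, `TsharkCapture`, `Filter` and `classify` are assumptions, and the display-filter clauses and `tshark` flags (`-Y`, `-o tls.keylog_file:`) are the standard Wireshark ones rather than whatever `dns-test`'s `tshark.rs` emits. The gate models the `ssl_keylog_enabled` / `SSLKEYLOGFILE` interaction (both must hold before any secrets are written); the builder refuses a DoT capture without a keylog, since without session keys the inner DNS could never be surfaced.

```rust
// Added example, not hickory-dns code. Identifiers are assumptions.
use std::path::PathBuf;

/// Mirrors the `ssl_keylog_enabled` config field: secrets are written only when
/// the operator opted in AND SSLKEYLOGFILE names a file. Default is off, so
/// forward secrecy is preserved unless both conditions hold.
pub fn keylog_path(ssl_keylog_enabled: bool, env_value: Option<&str>) -> Option<PathBuf> {
    if !ssl_keylog_enabled {
        return None;
    }
    match env_value {
        Some(p) if !p.is_empty() => Some(PathBuf::from(p)),
        _ => None,
    }
}

/// Reads the real env var; kept apart from `keylog_path` so the gate is testable.
pub fn keylog_path_from_env(ssl_keylog_enabled: bool) -> Option<PathBuf> {
    let v = std::env::var("SSLKEYLOGFILE").ok();
    keylog_path(ssl_keylog_enabled, v.as_deref())
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Protocol { Udp, Tcp, Dot }

/// One DNS flow to capture; `port` is the server-side port (53 or 853).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Filter { pub protocol: Protocol, pub port: u16 }

/// Builder for a tshark invocation covering several flows at once.
#[derive(Default, Debug)]
pub struct TsharkCapture { filters: Vec<Filter>, keylog: Option<PathBuf> }

impl TsharkCapture {
    pub fn new() -> Self { Self::default() }
    pub fn udp(mut self, port: u16) -> Self { self.filters.push(Filter { protocol: Protocol::Udp, port }); self }
    pub fn tcp(mut self, port: u16) -> Self { self.filters.push(Filter { protocol: Protocol::Tcp, port }); self }
    pub fn dot(mut self, port: u16) -> Self { self.filters.push(Filter { protocol: Protocol::Dot, port }); self }
    pub fn keylog(mut self, path: PathBuf) -> Self { self.keylog = Some(path); self }

    /// Wireshark display filter: one clause per flow, joined with logical OR.
    pub fn display_filter(&self) -> String {
        let clauses: Vec<String> = self.filters.iter().map(|f| match f.protocol {
            Protocol::Udp => format!("(dns && udp.port == {})", f.port),
            Protocol::Tcp => format!("(dns && tcp.port == {})", f.port),
            // DoT: the `dns` layer only exists once TLS is decrypted via the keylog.
            Protocol::Dot => format!("(dns && tls && tcp.port == {})", f.port),
        }).collect();
        clauses.join(" || ")
    }

    /// Argument vector for `tshark`; errors on an empty or undecryptable capture.
    pub fn args(&self) -> Result<Vec<String>, String> {
        if self.filters.is_empty() {
            return Err("no capture filters configured".into());
        }
        let wants_dot = self.filters.iter().any(|f| f.protocol == Protocol::Dot);
        if wants_dot && self.keylog.is_none() {
            return Err("DoT capture requested but no keylog file configured".into());
        }
        let mut args: Vec<String> = ["-l", "-i", "any", "-T", "json"].iter().map(|s| s.to_string()).collect();
        if let Some(path) = &self.keylog {
            args.push("-o".into());
            args.push(format!("tls.keylog_file:{}", path.display()));
        }
        args.push("-Y".into());
        args.push(self.display_filter());
        Ok(args)
    }

    /// Attribute a captured message (transport plus src/dst ports, as tshark
    /// reports them) to the flow it belongs to, so a test can assert which
    /// protocol a query actually used.
    pub fn classify(&self, transport: &str, src_port: u16, dst_port: u16) -> Option<Filter> {
        self.filters.iter().copied().find(|f| {
            let transport_ok = match f.protocol {
                Protocol::Udp => transport.eq_ignore_ascii_case("udp"),
                Protocol::Tcp | Protocol::Dot => transport.eq_ignore_ascii_case("tcp"),
            };
            transport_ok && (src_port == f.port || dst_port == f.port)
        })
    }
}

fn main() {
    // Constructed usage: plaintext UDP/TCP plus DoT, decrypted via a keylog path.
    let cap = TsharkCapture::new().udp(53).tcp(53).dot(853)
        .keylog(PathBuf::from("/tmp/keys.log")); // placeholder path
    println!("{}", cap.display_filter());
    println!("{:?}", cap.args());
    println!("{:?}", cap.classify("tcp", 41000, 853));
    println!("{:?}", keylog_path_from_env(false)); // None: opt-in is off
}
```

The `classify` step is what a conformance test would use after capturing both plaintext and encrypted flows: each decoded message's transport and ports map back to exactly one filter, which is enough to assert that a query moved from port 53 to DoT once an upstream probe succeeded.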


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
