mirror of
https://github.com/hickory-dns/hickory-dns.git
synced 2026-04-25 11:15:54 +03:00
[GH-ISSUE #2038] ClientConfig and RootCertStore improvements #858
Labels
No labels
blocked
breaking-change
bug
bug:critical
bug:tests
cleanup
compliance
compliance
compliance
crate:all
crate:client
crate:native-tls
crate:proto
crate:recursor
crate:resolver
crate:resolver
crate:rustls
crate:server
crate:util
dependencies
docs
duplicate
easy
easy
enhance
enhance
enhance
feature:dns-over-https
feature:dns-over-quic
feature:dns-over-tls
feature:dnsssec
feature:global_lb
feature:mdns
feature:tsig
features:edns
has workaround
ops
perf
platform:WASM
platform:android
platform:fuchsia
platform:linux
platform:macos
platform:windows
pull-request
question
test
tools
tools
trust
unclear
wontfix
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
starred/hickory-dns#858
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @daxpedda on GitHub (Sep 22, 2023).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/2038
Goals
quinn::Endpoint(#2002).Problems
Storage
ResolverOptsStoring
rustls::ClientConfiginResolverOptsis currently not possible for several reasons:ResolverOptsrequiresCopy(#2029).ResolverOptsrequiresDefault(#2035).ResolverOptsrequiresDe/Serialize.CopyandDefaultcan be removed, butDe/Serializewould require one of the following solutions:De/Serializefrom `ResolverOpts. Though it's required in other crates: https://github.com/bluejekyll/trust-dns/pull/2001#issuecomment-1725234084.Deserializer forRustlsConfigpassing the native certificates error through ... somehow.Option<ClientConfig>s andOption<Arc<RootCertStore>>to createClientConfigs when needed and storeRootCertStorefor re-usage. Will require a customPartialEqimplementation withArc::ptr_eq()forRootCertStore.GenericConnectorI have originally done this in #2001. Not sure what exactly the downside would be here, so this is my preferred solution right now.
If we decide on this course we could also potentially revert #2029.
A new type
This could be stored in a field inside
AsyncResolver, which would be quite similar toGenericConnector.Runtime root certificate store selection
I believe this would require to store
ClientConfigsomewhere else thenResolverOpts. If we add fields toResolverOptsthat specify which store to use, already initializedClientConfigs insideResolverOptswould require to be re-initialized when changing those fields.We could mitigate this issue by making sure that
ResolverOptscan never be accessed through the API again afterClientConfigs are never initialized, which I believe is currently the case anyway. In this case I'm not sure why we would decide to store them inResolverOptsanyway.Related issues and PRs
@djc commented on GitHub (Sep 23, 2023):
Note that rustls-platform-verifier devolves to rustls-native-certs (optionally with webpki-roots as fallback) on Linux, so it probably doesn't solve many problems if you consider Linux an important deployment target.
I think cloning
ClientConfigonce per protocol is probably okay, but I'm wondering how that makes your "retry reloading certificates" scenario look?@daxpedda commented on GitHub (Sep 23, 2023):
Ah, will remove it from OP then!
In that regard it would solve nothing, unfortunately, I would say both these problems are unrelated.
But if you are saying it's not a problem, then I can as well remove it from the OP.
@djc commented on GitHub (Sep 25, 2023):
So it seems your currently favored solution is to store client configs in the
GenericConnector? How does that work out? How does it enable you to replace/update them at a later point in time? The solution in #2001 still seems to rely on a bunch ofLazyvalues which I don't think enables updates?@daxpedda commented on GitHub (Sep 25, 2023):
In the case of
GenericConnectorit means to reload the native certs, users have to create a newResolver. Depending on how exactly we implement it, it should also be easy to detect load failure when initializing theResolver.We have discussed this previously here: https://github.com/bluejekyll/trust-dns/pull/1943#discussion_r1229437556.
These
Lazyvalues were justoption.unwrap_or_else(), I was doing that to lazily intializeClientConfigs, and therefor load certificates, on demand and not on initialization of theResolver. But now that we haveArc<RootCertStore>, we might want to load those on initialization ofResolverto get a nice error message if loading native certificates fails.But initializing a new
Resolverwould still reload native certificates in #2001.@djc commented on GitHub (Jan 24, 2025):
I believe #2735 addresses most of these issues (building on top of #2569), happy to get your feedback.