[GH-ISSUE #2090] hickory-dns binary doesn't forward webpki-roots,native-certs features to hickory-resolver #882

Closed
opened 2026-03-16 00:44:45 +03:00 by kerem · 2 comments

Originally created by @paolobarbolini on GitHub (Nov 11, 2023).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/2090

Describe the bug
The hickory-dns forwarding resolver doesn't work when configured to use the tls, https, quic or h3 protocols even after enabling the native-certs or webpki-roots features because those only apply for the server and not for the client.

To Reproduce
Steps to reproduce the behavior:

  1. Install via cargo install hickory-dns --no-default-features --features dns-over-rustls,resolver,ascii-art
  2. Run it using the below zones configuration and observe how all DNS queries fail
[[zones]]
zone = "."
zone_type = "Forward"
stores = { type = "forward", name_servers = [{ socket_addr = "1.1.1.1:853", protocol = "tls", trust_nx_responses = false, tls_dns_name = "1.1.1.1" },
                                             { socket_addr = "1.0.0.1:853", protocol = "tls", trust_nx_responses = false, tls_dns_name = "1.0.0.1" }] }

Expected behavior
I expected it to work. Instead, after enabling tracing via RUST_LOG=trace, I discovered rustls was returning an UnknownIssuer error.

System:

  • OS: Arch Linux
  • Architecture: x86_64
  • rustc version: 1.75.0-nightly (0f44eb32f 2023-11-09)

Version:
Crate: hickory-dns
Version: 0.24.0

Additional context
This patch fixed it for me

diff --git a/bin/Cargo.toml b/bin/Cargo.toml
index 30267023..a6313653 100644
--- a/bin/Cargo.toml
+++ b/bin/Cargo.toml
@@ -101,6 +101,7 @@ name = "hickory-dns"
 path = "src/hickory-dns.rs"
 
 [dependencies]
+hickory-resolver = { workspace = true, features = ["webpki-roots"] }
 # clap features:
 # - suggestion for advanced help with error in cli
 # - derive for clap derive api
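Review bot: the added `hickory-resolver = { workspace = true, features = ["webpki-roots"] }` line pins one root store unconditionally in `[dependencies]`, so a build of the binary that selected `native-certs` instead still gets webpki roots in the resolver and its own `native-certs` feature never reaches it; forward both flags through the `[features]` table instead (`webpki-roots = [..., "hickory-resolver/webpki-roots"]` and the same for `native-certs`). Also check whether `hickory-resolver` is already declared here as the optional dependency behind the `resolver` feature used in the install command, since Cargo rejects a second `hickory-resolver` key in the same table.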

Probably related to #2067

kerem closed this issue 2026-03-16 00:44:51 +03:00

@djc commented on GitHub (Nov 12, 2023):

Yup, want to send a PR?


@hch12907 commented on GitHub (Feb 16, 2024):

Chiming in to say that I have hit the same issue. My patch is slightly more involved, however:

diff --git a/Cargo.toml b/Cargo.toml
index ac7f522..fc5c003 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -67,8 +67,8 @@ tls = ["dns-over-openssl"]
 # WARNING: there is a bug in the mutual tls auth code at the moment see issue #100
 # mtls = ["hickory-client/mtls"]
 
-webpki-roots = ["hickory-client/webpki-roots"]
-native-certs = ["hickory-client/native-certs"]
+webpki-roots = ["hickory-client/webpki-roots", "hickory-resolver/webpki-roots"]
+native-certs = ["hickory-client/native-certs", "hickory-resolver/native-certs"]
 rustls = ["dep:rustls"]
 
 [dependencies]
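Review bot: forwarding both `webpki-roots` and `native-certs` to `hickory-resolver` is the right fix to the feature table, but note that `hickory-resolver/webpki-roots` also implicitly activates `hickory-resolver` if that dependency is optional; if the resolver should only come in through its own feature, write these as `hickory-resolver?/webpki-roots` and `hickory-resolver?/native-certs` so a root-store flag alone does not pull the crate in. Since the rustls transport is gated separately (`dns-over-rustls` in the install command above, while `tls` here maps to `dns-over-openssl`), also confirm that feature is forwarded to `hickory-resolver`, otherwise the roots are compiled in with no rustls client to use them.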
@@ -86,6 +86,7 @@ clap = { version = "4.5.1", default-features = false, features = [
 futures-util = { version = "0.3.30", default-features = false, features = [
     "std",
 ] }
+hickory-resolver = "0.24.0"
 hickory-client = "0.24.0"
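Review bot: `hickory-resolver = "0.24.0"` is added as a mandatory dependency with default features, so every build of the binary now compiles the resolver, including ones that never forward queries; if that is not intended, add `optional = true` (and `default-features = false`, matching how `clap` and `futures-util` are declared just above) and let the feature table activate it. Pinning it to the same `0.24.0` as `hickory-client` is correct; keep the two in lockstep when either is bumped.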