DNS over TLS and TCP out-of-order processing
Refresh !18 (closed)
I merged a few bits from @dkg's branch, but there are two notable things missing:
- watch for on-disk change of credentials - not sure if this is really needed, I would suggest a separate MR, where we can discuss the benefits of doing so.
- ephemeral key generation from net.tls_servicename - this is fine, but instead of setting tls_servicename, let's make it an explicit generator, e.g. net.generate_certificate("name"), instead of setting struct network. Again I would suggest a separate MR.
To test the TLS listen, you can use a dns-over-tls branch from Knot DNS:
```
./daemon/kresd --tls=127.0.0.1#5353 net.tls("cert", "key")
```

```
$ ./src/kdig +tls -p 5353 www.cmu.edu @127.0.0.1
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 9741
;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.cmu.edu.                      IN      A

;; ANSWER SECTION:
www.cmu.edu.                86400   IN      CNAME   www-cmu-prod-vip.andrew.cmu.edu.
www-cmu-prod-vip.andrew.cmu.edu.    21600   IN      A       188.8.131.52

;; Received 107 B
;; Time 2016-08-05 11:52:25 CEST
;; From 127.0.0.1@5353(TCP) in 2146.1 ms
;; TLS session info: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
```
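As an added example (not code from this MR, Knot Resolver or Knot DNS), a minimal Python DNS-over-TLS client that exercises the two things the MR title names: TLS transport and out-of-order TCP replies, which it matches to pipelined queries by message ID. It assumes the resolver listens at 127.0.0.1:5353 as above and that `cafile` points at the certificate passed to net.tls(); `servername` is whatever name that certificate carries.

```python
import socket, ssl, struct

# Added example, not Knot Resolver code: pipeline queries over one DoT session and
# match replies by ID, using the 2-byte length framing of DNS over TCP (RFC 7858).

def build_query(qname, qid, qtype=1):
    """Wire-format DNS query with RD set (qtype 1 = A)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def frame(msg):
    """Prefix a DNS message with its big-endian 16-bit length."""
    return struct.pack("!H", len(msg)) + msg

def parse_stream(data):
    """Split a TCP byte stream into complete messages; return (msgs, leftover)."""
    msgs = []
    while len(data) >= 2:
        n = struct.unpack("!H", data[:2])[0]
        if len(data) < 2 + n:
            break  # partial message: keep it until more bytes arrive
        msgs.append(data[2:2 + n])
        data = data[2 + n:]
    return msgs, data

def match_replies(pending, msgs):
    """Map replies (any order) to pending query IDs -> {qid: rcode}."""
    matched = {}
    for m in msgs:
        qid, flags = struct.unpack("!HH", m[:4])
        if qid in pending and flags & 0x8000:  # QR bit set and an ID we sent
            matched[qid] = flags & 0x000F
    return matched

def query_dot(server, port, names, servername, cafile=None):
    """Send all queries pipelined over one TLS session; cafile = resolver's cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    pending = dict(enumerate(names, 1))  # qid -> name, IDs 1..n
    buf, result = b"", {}
    with socket.create_connection((server, port)) as sock, \
            ctx.wrap_socket(sock, server_hostname=servername) as tls:
        tls.sendall(b"".join(frame(build_query(n, i)) for i, n in pending.items()))
        while len(result) < len(pending):
            chunk = tls.recv(4096)
            if not chunk: break  # connection closed before all replies arrived
            buf += chunk
            msgs, buf = parse_stream(buf)
            result.update(match_replies(pending, msgs))
    return result
```

A run against the listener above would be `query_dot("127.0.0.1", 5353, ["www.cmu.edu", "example.org"], "name-in-cert", cafile="cert")`; the returned dict has one RCODE per query regardless of the order the resolver answered in.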