DNSoverQUIC #871
…, and check ub_initstate return.
…BR_V2 from ngtcp2.
…ice-key and tls-service-pem have a value.
Looks good to me. There may be some room for refactoring in this area.
`ssl.h: No such file or directory`. This is because the latest version removes openssl specific libs; I think `git checkout 1d0cad6697992cf71661e69a6cccb347f63e4aaa` should work for ngtcp2.
With ngtcp2-0.19.1, available from the releases and tags, together with openssl+quic, the code works with this API. That uses nghttp3-0.15.0 for the examples in ngtcp2, by the way. Since the configure script detects a number of changes, it could also work for some other, intermediate, versions.
@gthess any update on this?
This is pending review from my part to then go into the next feature release. Due to other developments, I will refocus on this in January.
Hello,
Below is the log related to SSL_is_quic.
`configure:21910: checking for SSL_is_quic`
The check indicates that the openssl+quic version is not detected. That has the function that is looked for. If the openssl+quic version is in use, the error makes it seem like `--disable-flto` could fix the issue, if the lto optimization is causing it. So, using the system default openssl version is not likely to work, as that does not have the quic functionality.
I tried the `--disable-flto` option immediately, but got the same result. Also, I found out that the default OpenSSL doesn't support QUIC, so I installed the QUIC-compatible version yesterday, but it didn't improve anything. `$ openssl version` Below is the log again.
Is that the openssl that is just a version increase, where openssl has more quic support? But what the code needs is the openssl version from the branch of code, linked at the top post, that has the quic functions that are used by libngtcp2. That prints a version line like
I'm sorry for all the fuss. I seem to have forgotten to change the /path/to...
I have OpenSSL version 3.3.2 which natively supports QUIC. Can I use this version? I have not yet swapped over to the forked version, hoping I can use the native OpenSSL. But the quic-port command isn't recognized.
I believe that only implements the client part, and the branch implements server code, with the other library.
Thank you. Do you know when this will be available in the next Unbound release? Currently 1.2.1 I believe. Also, are you working on upstream DoQ forwarding as well, similar to DoT?
No, I do not know. The upstream part is in the plans.
Implementation of DoQ for Unbound, DNS over QUIC transport. This implements DoQ for downstream, clients that query the unbound server, RFC 9250.

Compile this with the ngtcp2 library, and with openssl+quic. Like this:

With the compile, it can be turned on. This is governed by the config option in unbound.conf, `quic-port: 853`. When an interface is on that port number, the UDP socket receives DoQ queries. With this unbound.conf:

Then unbound serves quic queries to localhost on the 2853 port number. Also other interfaces work, like `::1@2853`. Unbound can be started attached to the console for debug, with `./unbound -d -c theconfig.conf`. With `-dd` it prints logs to the terminal as well. Ctrl-C can exit, or send a term signal.

With `make doqclient` the test tool can be created to send a query. Send a query with `./doqclient -s 127.0.0.1 -p 2853 www.example.com A IN`. With `-v` it prints more diagnostics; also unbound logs more diagnostics, also from the internals of libngtcp2, when verbosity is 4 or more. An example of output from doqclient is:

It is possible to have the TCP port on the same interface as the DoQ server, DoT or DoH, dnsovertls or dnsoverhttp, or also serve over TCP.

The resource consumption can be configured with `quic-size: 8m`. More queries are turned away. The number of quic queries is output in `num.query.quic` in the statistics. The `mem.quic` statistic outputs memory used.
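A complete unbound.conf for the deployment the post describes, written here as an added example and not taken from the PR: DoQ and DoT share one interface and port (UDP 853 is QUIC, TCP 853 is TLS), with the memory bound and the certificate options the branch requires. The certificate paths and the localhost-only control socket are assumptions for this example.

```conf
# Added example (not part of the PR): unbound.conf serving DoQ and DoT
# on the same interfaces. Certificate paths are placeholders.
server:
    verbosity: 1          # 4 or more also logs libngtcp2 internals

    # One interface, two transports: UDP on this port is DNS over QUIC
    # (quic-port), TCP on the same port is DNS over TLS (tls-port).
    interface: 127.0.0.1@853
    interface: ::1@853
    quic-port: 853
    tls-port: 853

    # DoQ is TLS 1.3 inside QUIC, so the server certificate and key
    # must both be set; the post's test is then
    #   ./doqclient -s 127.0.0.1 -p 853 www.example.com A IN
    tls-service-key: "/path/to/unbound_server.key"   # placeholder
    tls-service-pem: "/path/to/unbound_server.pem"   # placeholder

    # Upper bound on memory held for QUIC connections; once it is
    # reached, further QUIC queries are turned away.
    quic-size: 8m

# Local-only control socket so the num.query.quic and mem.quic counters
# can be read with unbound-control (assumption: no remote operators).
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-use-cert: no
```

With this in place, `unbound-control stats_noreset | grep -E '^(num\.query\.quic|mem\.quic)='` shows the two DoQ counters the post names, assuming they are printed as `name=value` lines like the other statistics.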