dnsdist: add support for incoming DoQ

[chbruyand]

Short description

A few items on the todo list:

• have a proper retry token generation
• have a look at which quiche configuration options do we want to make configurable to the user
• test with async queries
• add error stats for version errors and invalid tokens
• add pipe error stats
• tests: add cache hit tests
• tests: fix checks with terminated streams with errors (dnspython doesn't notice and timeout)
• build with doq support in the CI
• enable doq in our packages
• cover quiche dependance and add a DoQ guide in the documentation

Closes #9897

Checklist

I have:

• read the CONTRIBUTING.md document
• compiled this code
• tested this code
• included documentation (including possible behaviour changes)
• documented the code
• added or modified regression test(s)
• added or modified unit test(s)

[rgacogne]

tests: fix checks with terminated streams with errors (dnspython doesn't notice and timeout)

This seems fixed with dnspython >= 2.4.0, see rthalley/dnspython#954

[rgacogne]

One issue is that libquiche.a comes with BoringSSL symbols, which of course conflict with some of the ones from OpenSSL that we use for DoT and DoH. We currently work-around that by using libquiche.so so that the BoringSSL symbols are only visible inside the libquiche.so object, so Quiche is happy while not polluting the remaining namespace. But it means that we cannot statically link against libquiche.a, like we were doing for libh2o when it was not packaged by the distribution. Our options are:

• provide libquiche.so as part of the dnsdist package, which seems awfully wrong
• generate a separate libquiche package on all distributions for which we want to support DoQ
• beg the distributions we care about to package Quiche, which I'm not very optimistic about.
• ?

[zeha]

provide libquiche.so as part of the dnsdist package, which seems awfully wrong

libpdns-quiche.so - in a per-version private directory, so more like /usr/lib/x86_64-.../dnsdist-1.9.xyz/libdnsdist-quiche.so. This is going to be ugly, but maybe the only way of doing it?

[rgacogne]

Why the per-version private directory?

[zeha]

Why the per-version private directory?

Sorry, that's a thinko. Multiple versions of the same product are irrelevant.

Would still need one .so for each product.

[rgacogne]

Would still need one .so for each product.

Ah, yes, good one!

[rgacogne]

I pushed two commits:

• test asynchronous queries / response with the DoQ transport
• optionally log TLS keying material to a file with DoQ

[rgacogne]

Would still need one .so for each product.

Ah, yes, good one!

For the record, this PR now builds Quiche for all supported distributions except el-7 (clang is too old for boring-sys there) and ships libdnsdist-quiche.so in our dnsdist packages.

[omoerbeek]

Basic local test looks good.
I'm seeing a few errors in the regression tests in debian bookworm:

FAILED test_Async.py::TestAsyncFFI::testAcceptThenDrop - doqclient.StreamRese...
FAILED test_Async.py::TestAsyncFFI::testDrop - doqclient.StreamResetError: St...
FAILED test_Async.py::TestAsyncLua::testAcceptThenDrop - doqclient.StreamRese...
FAILED test_Async.py::TestAsyncLua::testDrop - doqclient.StreamResetError: St...
FAILED test_RulesActions.py::TestAdvancedEDNSVersionRule::testBadVers - Asser...
======= 5 failed, 646 passed, 2 skipped, 7 warnings in 192.73s (0:03:12) =======

Also: the CI regression tests have quite some failures.

[omoerbeek]

We should watch out for unaligned access here

[rgacogne]

I have looked into this, and also other places where it might happen, which led to a pretty big commit: ca0346f I think we might want to make this a separate PR.

[rgacogne]

I pushed a new commit taking care of potential unaligned accesses in the DoQ code. I'll open a new PR for the existing code once we have merged this one.

[omoerbeek]

Embedded BoringSSL does not build on OpenBSD and the quiche install script has some Linuxism and fixed target locations. It's a pity quiche does not seem to be packaged on the platforms I looked at.

[rgacogne]

the quiche install script has some Linuxism and fixed target locations.

Do you mean builder-support/helpers/install_quiche.sh? If so I'll fix the issues, just let me know what they are :)

[omoerbeek]

the quiche install script has some Linuxism and fixed target locations.

Do you mean builder-support/helpers/install_quiche.sh? If so I'll fix the issues, just let me know what they are :)

[rgacogne]

Rebased on master to fix a conflict.

[coveralls]

coverage: 56.415%. first build when pulling d5d9573 on chbruyand:dnsdist-doq-quiche into 1e7c7f1 on PowerDNS:master.

[omoerbeek]

There's an issue on macOS: while the link works and produces an executable, I get

....
CXXLD    dnsdist
ld: warning: -bind_at_load is deprecated on macOS
mbp:dnsdistdist otto$ ./dnsdist 
dyld[37051]: Library not loaded: /private/tmp/quiche-0.18.0/target/release/deps/libquiche.dylib
  Referenced from: <E692B5D9-8631-32A9-BDAF-BA2AD2993EC4> /Users/otto/pdns/pdns/dnsdistdist/dnsdist
  Reason: tried: '/private/tmp/quiche-0.18.0/target/release/deps/libquiche.dylib' (no such file), '/System/Volumes/Preboot/Cryptexes/OS/private/tmp/quiche-0.18.0/target/release/deps/libquiche.dylib' (no such file), '/private/tmp/quiche-0.18.0/target/release/deps/libquiche.dylib' (no such file)
Abort trap: 6

when I try to run it. This is not a blocker for an alpha2 release as far as I am concerned.

It appears that after renaming/moving a library, you need to use install_name_tool:
x.diff.txt

With that, dnsdist starts up and my QUIC tests work!

[omoerbeek]

I tested this successfully on Debian bookworm and macOS and I read through the code (though not in great detail), saw two small nits in addition to my earlier comments that were already addressed. Great work!

[rgacogne]

It appears that after renaming/moving a library, you need to use install_name_tool: x.diff.txt

With that, dnsdist starts up and my QUIC tests work!

Nice, I have pushed that change! I wonder what that tool does exactly, but that's a discussion for another day :)

[omoerbeek]

Pondering how to solve the OpenBSD build, might try not using the built-in BoringSSL and just link everything against the BoringSSL package, not using LibreSSL at all.