On 19/04/2019 08.37, Daniel Kahn Gillmor wrote:
> So here's a new proposal (and maybe if this still doesn't sit well we
> should ask the systemd folks for their recommendation):
>
> Ship a default-disabled (not masked) kresd-doh.socket, which has:
>
> [Unit]
> Description=Knot Resolver DoH (DNS-over-HTTP) network listener
> Documentation=man:kresd.systemd(7)
> Documentation=man:kresd(8)
> Before=sockets.target
>
> [Socket]
> FreeBind=true
> FileDescriptorName=doh
> ListenStream=443
> Slice=system-kresd.slice
>
> [Install]
> WantedBy=sockets.target
>
> the ListenStream=443 directive means that, when connected, it listens on
> all interfaces, on the standard https port.

I'd have to test that across various distros with varying systemd
versions, because I have a strong feeling there's a reason we recommend
using this snippet in upstream documentation (instead of
ListenDatagram=53 in this case):

BindIPv6Only=both
ListenDatagram=[::]:53

However, that's a different topic.

> And note that it *doesn't* have any Service= directive.
>
> Then an admin that wants to have kresd@.service listen on DoH drops the
> following snippet in /etc/systemd/system/kresd@.service.d/override.conf:
>
> [Service]
> Sockets=kresd-doh.socket
>
> this override snippet won't be part of any distro, and won't get in the
> way of anything during package upgrade. Its presence basically says
> "yes, please offer DoH service".

Overall, your proposal seems doable. I have a couple of objections:

1. Network interface configuration should be consistent. Either an
administrator has to configure interfaces for all our services - DNS,
DoT, DoH and webmgmt - or none of them. Assuming we'd use the proposed
drop-in to enable the DoH socket, this is what I'd adjust: either (a) use
localhost:443 as a default for kresd-doh.socket, instead of binding to
all interfaces; or (b) find a way for DNS/DoT to also default to listen
on all interfaces upon a manual action, without explicitly specifying the
interfaces with ListenDatagram= and ListenStream=, as we currently
recommend. (Note: without this manual action, they should still listen
on localhost.)

2. kresd-doh.socket would require special enablement through a drop-in
file for kresd@.service, which is unlike any other of our sockets. I
think our systemd integration/configuration is already quite confusing
for administrators, and adding a "special case" socket certainly won't
help, even with proper documentation.

I'd consider (1) to be a requirement. (2) is probably unavoidable if we
decide to use 443 as the default port for DoH. It seems like achieving a
configuration that's both reasonably simple and consistent across DNS /
DoT and DoH is just impossible when opting to use 443 as the default
port for DoH.

> Alternately, we could use the same setup as plain DNS and DNS-over-TLS,
> and just expect that people for whom a collision on the loopback's TCP
> port 443 will use kresd-*.socket.d/override.conf to choose a different
> port.

I think this is unacceptable, mostly because:
a) The collision might not be obvious. The DoH service might start up
and appear to be operating correctly, until you try to access your
existing HTTPS service.
b) Except for those interested in DoH, almost nobody will even suspect
that installing a DNS resolver might break their existing and running
HTTPS service.
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
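Added example (my own, not from this thread or the Knot Resolver project): a POSIX shell check for the silent port-443 collision described under (a), parsing ss -Hltn style output before a kresd-doh.socket is enabled. The listener list below is constructed, and the ss flags are assumed to be available on the host.

```shell
#!/bin/sh
# Detect whether enabling a DoH socket on TCP 443 would collide with a
# listener that is already bound. Input is `ss -Hltn`-style output: the
# first field is the state, the fourth is "Local Address:Port".

# listeners_on_port PORT  < ss-output
# Prints the local addresses already listening on PORT, one per line.
# A wildcard bind (0.0.0.0, [::], *) is reported as well, since it also
# covers the loopback address a kresd-doh.socket would want.
listeners_on_port() {
    port="$1"
    awk -v p="$port" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")   # last ":"-separated field is the port
            if (parts[n] == p) print $4
        }'
}

# doh_port_free PORT  < ss-output : succeeds (0) when nothing listens on PORT.
doh_port_free() {
    [ -z "$(listeners_on_port "$1")" ]
}

# Constructed sample: an existing web server on 443 plus kresd on 53.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:443 *:*
LISTEN 0 128 [::1]:53 [::]:*
LISTEN 0 128 127.0.0.1:53 0.0.0.0:*'

# Runs the check against the constructed sample and reports the result.
check_sample() {
    if printf '%s\n' "$SAMPLE_SS" | doh_port_free 443; then
        echo "port 443 free"
    else
        echo "port 443 already taken by:"
        printf '%s\n' "$SAMPLE_SS" | listeners_on_port 443
    fi
}

check_sample

# Real check on the running host (assumes iproute2 ss with -H support):
# ss -Hltn | doh_port_free 443 || echo "do not enable kresd-doh.socket on 443"
```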