odhcpd: add DNR (RFC 9463) support #213
Conversation
|
@rpigott this might interest you, given this PR: systemd/systemd#30952 |
|
Yes! Thanks for the ping. |
Storing request options as chars means that it's difficult to handle option codes > 127 due to the signedness of char (and options aren't chars, they're binary data). Signed-off-by: David Härdeman <[email protected]>
Discovery of Network-designated Resolvers (DNR) allows devices on the network
to discover encrypted DNS resolvers, which has so far required either manual
configuration or other approaches (like systemd-resolved's "opportunistic"
mode).
To enable DNR, a new uci parameter has been added, which needs to contain at
the very least, the priority (1-65535, lower = higher priority) and the server
hostname (Authentication Domain Name, ADN, to use the wording of RFC9463):
config dhcp 'lan'
…
list dnr '100 foobar.example.com'
Optionally (and preferably), a comma-separated list of IP addresses and
SvcParams can also be specified, like this (line wrapping added):
config dhcp 'lan'
…
list dnr '100 resolver1.example.com
fda7:ab54:69fb::1,fda7:ab54:69fb::2,10.0.0.1
alpn=dot port=853'
list dnr '200 resolver2.example.com
fda7:ab54:69fb::2,10.0.1.1,10.0.1.2
alpn=dot port=853'
Client support is on it's way (e.g. in systemd PR #30952 or in the Windows
Insiders program).
Signed-off-by: David Härdeman <[email protected]>
Alphix
force-pushed
the
add-rfc9463-ra-support
branch
from
8e4ffa9
to
861fb80
Compare
|
Ok, changed the options handling a bit (it's now |
|
And now I've done more testing, both on x86/qemu and on real hardware (Turris Omnia, running stock OpenWRT 23.05.2). Using a patched version of One thing I'm less certain about is the configuration format. I've just started looking at |
Hard choices need to be made. A single string is the cleanest copy/paste way to get data in, while chopping fields up makes error checking generally simpler. I recommend staying with long strings. |
|
@Alphix There is a bit in the RFC about lifetime: A value of zero means that this ADN MUST no longer be used. Is it possible (does it make sense to?) to add lifetime as a parameter or flag, for those cases where it can be set to zero and force invalidate a specific resolver? (i.e. have a config entry with lifetime 0 as 'reminder' that some older resolver must no longer be used). I'm debating a bit with myself here since some other settings co-opt zero to mean 0xffffffff i.e. infinity. It might not be immediately convenient to add. My last reading of the source is that lifetime is internally managed. Also, does this handle the ND(P) DNR? |
@systemcrash It's certainly possible...and you're right that it's currently internally managed (i.e. hardcoded in The config string could be extended to also include a lifetime. If we use a fake SVC parameter (e.g.
Yeah, all possibilities (sections 4, 5 and 6 of RFC9463) are covered:
|
Discovery of Network-designated Resolvers (DNR) allows devices on the network
to discover encrypted DNS resolvers, which has so far required either manual
configuration or other approaches (like
systemd-resolved's "opportunistic"mode).
To enable DNR, a new uci parameter has been added, which needs to contain at
the very least, the priority (1-65535, lower = higher priority) and the server
hostname (Authentication Domain Name, ADN, to use the wording of RFC9463):
Optionally (and preferably), a comma-separated list of IP addresses and SvcParams can also be specified, like this (line wrapping added):
Client support is on it's way (e.g. in systemd PR #30952 and in Windows).
Draft for now, needs more testing (I've only tested the RA alternative so far) and some small changes to how the options are handled.