Hi, below is a continuation of a discussion regarding the default port
for DNS-over-HTTPS (DoH) in Knot Resolver. My argument is to use 44353
as a packaging default, since using port 443 by default makes an
unexpected collision likely. The DoH service requires configuration to
be exposed on public interfaces anyway, so users are free to override
this value as they see fit.
On 18/04/2019 15.16, Daniel Kahn Gillmor wrote:
> On Thu 2019-04-18 10:01:39 +0200, Tomas Krizek wrote:
>> thanks for these constructive suggestions. I've tried to use port 443
>> for kresd-doh.socket and have the socket masked (simply disabling it
>> isn't enough, since kresd@*.service requests it via Sockets=).
>
> I think the answer there is, don't put it in Sockets= -- if it's
> enabled, it will get associated properly because of the Service= line,
> and if it's not enabled, it won't get associated.

Sockets= is required, otherwise the socket won't be passed to any other
instance than kresd@1, which goes against our use-case of scaling up
using multiple independent systemd processes.

>> However, I wasn't able to find a reasonable way to do it across all
>> distros in a way that would work reliably in all cases (including
>> upgrades).
>
> Do you have a pointer to documentation about what mechanisms you tried,
> and how they failed on different distros? I'd like to understand what
> you ran into, so I can try to help reason about it without having to
> replicate all the work.

No documentation, mostly just trial and error (and a lot of swearing :)

If kresd-doh.service is masked by default, this places a symlink to
/etc/systemd/system, which is where users usually make their changes
(as opposed to /usr/lib/systemd/system). Is this acceptable with various
packaging policies across distros?

Let's say it is. User unmasks this socket file and then uninstalls the
package. This will issue a warning, since the symlink was part of the
package.

A more problematic case is when you consider package upgrade. If
/etc/systemd/system/kresd-doh.service -> /dev/null is part of the
package, then the user removes this file via unmasking to actually use
the socket, it will get re-masked again during the next package upgrade.

>> I also think that it'd be confusing for users that kresd-doh.socket
>> would require an extra command to use, as opposed to kresd-webmgmt.socket
>> (both used by the http module).
>
> I don't think that's confusing. These are different interfaces, and
> it's entirely reasonable that they would be controlled separately.

I disagree. knot-resolver-module-http now provides two socket files:

  kresd-doh.socket
  kresd-webmgmt.socket

Now both are enabled by default after the installation, on localhost
only, and users simply need to load the http module in their config.
It seems unnecessarily complicated to require additional handling of
kresd-doh.socket as opposed to kresd-webmgmt.socket (which has no reason
not to be enabled by default).

>> In the end, we've decided to go with 127.0.0.1:44353 as the default for
>> kresd-doh.socket in upstream and Fedora/EPEL packages. The documented
>> use case is how to remove this default and listen on port 443 on all
>> interfaces.
>
> Hm, that makes me sad for a number of reasons (both the ephemeral-range
> port *and* the 127.0.0.1, which doesn't make a lot of sense). I hope we
> can figure out the details together about these tradeoffs, so that we
> can make the default configuration something more useful.

I don't consider the localhost default to be an issue. All other
sockets, i.e. plain DNS and DNS-over-TLS, are configured like this and
I'd like to keep it this way. If a user decides to expose the DNS
service, it should require a manual action.

The port, of course, is a matter of lively debate. However, perhaps the
default port in the kresd-doh.socket file doesn't matter all that much.
It's easy to override, and how to do that is documented.

> happy to talk about this on-list as well, if you prefer (presumably
> knot-resolver-users@lists.nic.cz).
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
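For readers following the thread, here is the override mechanism the message refers to, written out in systemd unit syntax. This is an added illustration, not the project's own unit files: the contents of kresd-doh.socket and the Sockets= line of kresd@.service are reconstructed from what the thread states, and the drop-in path and the port 443 listener are constructed values for the example.

```ini
# --- Assumed packaged default (illustrative, not the project's file):
# /usr/lib/systemd/system/kresd-doh.socket
[Unit]
Description=Knot Resolver DNS-over-HTTPS socket (illustrative)
PartOf=kresd.target

[Socket]
# Loopback only: exposing DoH on public interfaces is a deliberate
# manual action by the administrator, never the shipped default.
ListenStream=127.0.0.1:44353
FileDescriptorName=doh

[Install]
WantedBy=sockets.target

# --- Assumed fragment of /usr/lib/systemd/system/kresd@.service:
# Sockets= is what hands the listener to every kresd@N instance, which is
# why merely disabling the socket unit is not enough and why a mask
# (symlink to /dev/null) was considered in the thread.
[Service]
Sockets=kresd-doh.socket

# --- Administrator override, created with `systemctl edit kresd-doh.socket`
# and stored as /etc/systemd/system/kresd-doh.socket.d/override.conf.
# A drop-in is not owned by the package, so unlike a shipped mask symlink
# it is neither warned about on removal nor reverted on upgrade.
[Socket]
# An empty assignment clears the ListenStream= list inherited from the
# packaged unit; without it the 127.0.0.1:44353 listener would be kept.
ListenStream=
# A bare port number listens on all interfaces (IPv4 and IPv6).
ListenStream=443
```

After saving the drop-in, `systemctl daemon-reload` and `systemctl restart kresd-doh.socket` apply the new listener; `systemctl show kresd-doh.socket -p Listen` confirms which addresses are bound.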