Page MenuHomePhabricator

Wikidough: Upgrade to dnsdist 1.6.0
Closed, ResolvedPublic


The first alpha version of dnsdist 1.6.0 was released today:

While it's too early for us to consider upgrading to 1.6.0, we should start preparing for this release by documenting the changes since 1.5.1, and also help the dnsdist developers with testing this release. (The last bit I feel is more important at this stage.)

Notables changes in this release so far include:

  • Out-of-order processing for TCP and DoT (for both queries from client to dnsdist and dnsdist to pdns-recursor)
    • Probably the most important feature!
  • Changes to Proxy Protocol, that we don't currently use
  • Custom web endpoints in Lua
    • How does this compare to what we are currently doing with getDOHFrontend and setResponsesMap? Probably when the query is intercepted...
  • Some actions and console commands have been renamed; on a casual look, it seems we are not affected but need to confirm
  • webserver has been renamed to setWebserverConfig, including some other changes such as making the password parameter optional
  • Our patch to prioritize ChaCha20 has been merged in 1.6.0, which means we should remove it during our dnsdist package build

Event Timeline

BBlack subscribed.

The swap of Traffic for Traffic-Icebox in this ticket's set of tags was based on a bulk action for all such tickets that haven't been updated in 6 months or more. This does not imply any human judgement about the validity or importance of the task, and is simply the first step in a larger task cleanup effort. Further manual triage and/or requests for updates will happen this month for all such tickets. For more detail, have a look at the extended explanation on the main page of Traffic-Icebox . Thank you!

Mentioned in SAL (#wikimedia-operations) [2021-11-04T11:01:03Z] <sukhe> upload dnsdist 1.6.1-1wm1 to apt.wm.o (buster) - T273679

On doh1001,

$ dnsdist --version
dnsdist 1.6.1 (Lua 5.1.4 [LuaJIT 2.1.0-beta3])
kdig @ +tls-ca  +nsid
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 64498
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; Version: 0; flags: ; UDP size: 512 B; ext-rcode: NOERROR
;; NSID: 646F6831303031 "doh1001"

;;      		IN	A

;; ANSWER SECTION:      	600	IN	A

;; Received 69 B
;; Time 2021-11-04 07:21:48 EDT
;; From in 149.1 ms

knead-wikidough tests are also passing:

tests/[] PASSED                                                               [  5%]
tests/[] PASSED                                                               [ 10%]
tests/[] PASSED                                   [ 15%]
tests/[] PASSED                                  [ 21%]
tests/[] PASSED            [ 26%]
tests/[] PASSED                                         [ 31%]
tests/[] PASSED                                     [ 36%]
tests/[] PASSED                             [ 42%]
tests/ PASSED                                                                                       [ 47%]
tests/ PASSED                                                                            [ 52%]
tests/[] PASSED                                      [ 57%]
tests/[853-None] PASSED                                                                             [ 63%]
tests/[443-None] PASSED                                                                             [ 68%]
tests/[853] PASSED                                                                                  [ 73%]
tests/[443] PASSED                                                                                  [ 78%]
tests/[443-TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384] PASSED                    [ 89%]
tests/ PASSED                                                                          [ 94%]
tests/ PASSED                                                                                  [100%]

========================================================= 19 passed in 2.23s =========================================================
===== NODE GROUP =====                                                                                                                
(10) doh[1001-1002,2001-2002,3001-3002,4001-4002,5001-5002]                                                             
----- OUTPUT of 'dnsdist --version' -----                                                                                             
dnsdist 1.6.1 (Lua 5.1.4 [LuaJIT 2.1.0-beta3])                                                                                        
Enabled features: cdb dns-over-tls(openssl) dns-over-https(DOH) dnscrypt ebpf fstrm ipcipher libsodium lmdb protobuf re2 recvmmsg/sendmmsg snmp systemd