Skip to content

unbound: optionally support DNS-over-HTTPS #108151

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Feb 25, 2021
Merged

unbound: optionally support DNS-over-HTTPS #108151

merged 3 commits into from
Feb 25, 2021
+28 −2

Conversation

nagy
Copy link
Member

@nagy nagy commented Jan 1, 2021

Motivation for this change

unbound can be used as a DNS-over-HTTPS (DoH) server.

This is a blog post introducing the feature:

https://www.nlnetlabs.nl/news/2020/Oct/08/unbound-1.12.0-released/

Notify Maintainers

cc @ehmry @fpletz @globin

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

Sorry, something went wrong.

@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux labels Jan 1, 2021
@SuperSandro2000
Copy link
Member

Build on linux amd64.

@nagy nagy requested a review from SuperSandro2000 January 2, 2021 00:44
SuperSandro2000
SuperSandro2000 approved these changes Jan 10, 2021
View reviewed changes
Copy link
Member

@SuperSandro2000 SuperSandro2000 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

other than that LGTM

@mweinelt
Copy link
Member

mweinelt commented Feb 8, 2021

This looks good.

Are you possibly interested in adding a small test case to the existing nixos/tests/unbound.nix? This would help us validate the functionality of this feature going forward.

@nagy
Copy link
Member Author

nagy commented Feb 8, 2021

Are you possibly interested in adding a small test case to the existing nixos/tests/unbound.nix? This would help us validate the functionality of this feature going forward.

It would be my first nixos test but I can give it a try.

@nagy
Copy link
Member Author

nagy commented Feb 13, 2021

The introduced withDoH argument default to false, meaning that the feature itself would not be built without overriding the package.

The test in nixos/test/unbound.nix tests the default package ( which makes sense to me). Do you want to switch withDoH to `true by default or would you rather override the package in the testsuite ?

@andir
Copy link
Member

andir commented Feb 13, 2021

The introduced withDoH argument default to false, meaning that the feature itself would not be built without overriding the package.

The test in nixos/test/unbound.nix tests the default package ( which makes sense to me). Do you want to switch withDoH to `true by default or would you rather override the package in the testsuite ?

The NixOS module is using the unbound-with-systemd package by default. We could rename that package to unbound-full (or whatever) and add DoH support to it. The reason we wouldn't do this to the default unbound package is that is a common dependency for a ton of packages (including everything that somewhere in the tree depends on systemd or udev).

nagy added 3 commits February 13, 2021 23:21
@nagy
unbound: optionally support DNS-over-HTTPS

Unverified

This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
Learn about vigilant mode
e66cdee 
unbound can be used as a DNS-over-HTTPS (DoH) server.

This is a blog post introducing the feature:

https://www.nlnetlabs.nl/news/2020/Oct/08/unbound-1.12.0-released/
@nagy
unbound-full: init

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode
2e503a4
@nagy
nixos/test/unbound: add tests for DNS over HTTPS
86f1509
@nagy
Copy link
Member Author

nagy commented Feb 13, 2021

I have drafted out something which seems to pass. Do you have any suggested changes ?

@ofborg ofborg bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: package (new) This PR adds a new package labels Feb 13, 2021
@ofborg ofborg bot requested review from globin, ehmry and fpletz February 13, 2021 22:34
@ofborg ofborg bot removed the 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux label Feb 13, 2021
@tomberek tomberek merged commit 930e367 into NixOS:master Feb 25, 2021
@nagy nagy deleted the unbound-doh branch February 26, 2021 10:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mweinelt mweinelt

@SuperSandro2000 SuperSandro2000

@globin globin

@ehmry ehmry

@fpletz fpletz

Assignees
No one assigned
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: package (new) This PR adds a new package 10.rebuild-darwin: 1-10 10.rebuild-darwin: 1 10.rebuild-linux: 1-10 10.rebuild-linux: 1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@nagy @SuperSandro2000 @mweinelt @andir @ehmry @tomberek