Comments (6)
Do you need Openssl?
Not personally no. It was just an observation when I was trying to identify why cargo-binstall
was failing to resolve DNS while other programs had no issue. During that troubleshooting I tried both openssl and rustls but it didn't seem specific to either AFAIK.
What I did find was their trust-dns
/ hickory-dns
feature (old project name is a feature alias) was the culprit. Specifically when the hickory-dns/dnssec-ring
feature is enabled. As reported above, when I tried building this crate with that feature as a static build and with openssl (default) this failed. I looked into it and the only way for static build with openssl to work reliably across environments seems to require vendored
to build from source, especially for cross-compilation to other targets.
Despite addressing that concern, the resolve
utility was still working successfully like a dynamic linked build. I'm not sure what is different between that CLI and the cargo-binstall
project, perhaps I wasn't actually using the feature via the resolve
CLI just by enabling it at build 😓
I may try investigate that further to track down if the downstream failure encountered with cargo-binstall
is reproducible with resolve
CLI and then if that's specific to the ring
crate, but I'm not sure if I'll have the time with my inexperience across these crates.
We've been trying to direct people to use the ring and rustls defaults.
Perhaps consider switching to those as the defaults in the future? If you do not think this concern with openssl and static build support is worth addressing, no worries, I just wanted to report my findings for others to benefit 👍
Feel free to close this issue if you like :)
from hickory-dns.
Thank you for spending the time on this, I appreciate that.
from hickory-dns.
This can be resolved by adjusting the openssl
dep to use the vendored
feature, which will build OpenSSL from source:
Lines 61 to 63 in cffc3fa
openssl = { version = "0.10.55", features = ["vendored"] }
The above reproduction environments in all three containers can then successfully build the project.
It is then possible to opt-out via OPENSSL_NO_VENDOR=1
. AFAIK, there doesn't appear to be support for opt-in via ENV, hence I don't think there is no nice workaround available? (should be possible via editing a downstream project's Cargo.toml
to override this deps openssl
features.. but that seems a little brittle?)
As long as something in a downstream project opts in to vendored
feature elsewhere, it also seems to have the same effect of building vendored, so it's not a feature you can control with explicit opt-out on a crate I think? Only at build time via the mentioned opt-out ENV?
I assume a potential drawback/side-effect for non-static builds is that vendoring in your own build of openssl into the binary instead of dynamically linking to openssl?
from hickory-dns.
Sounds like this is specific to openssl. Do you need Openssl? We've been trying to direct people to use the ring and rustls defaults.
from hickory-dns.
Since Quinn 0.11 has been released with ring 0.17, I think the factors preventing static compilation have been resolved.
from hickory-dns.
Well, only after #2107 (or something like it) has been merged (see also #2206).
from hickory-dns.
Related Issues (20)
- `hickory-dns` resolver does not honor the DO bit in client's queries HOT 2
- [RFC] DNSSEC validation: configuration syntax HOT 11
- [RFC] re-structure `named.toml` syntax to reject invalid configurations HOT 3
- TCP fallback is not always used and forcing it is not ergonomic HOT 3
- 0.25 Release HOT 10
- `DnssecDnsHandle` does not appear to validate RRSIG's signature {inception,expiration} fields HOT 1
- malformed query can cause assertion failure at encoder.rs:234 HOT 1
- should `proto::rr::resource::Record.rdata` really be an `Option`? HOT 6
- `just clippy` does not catch warnings produced by `just dnssec-openssl` HOT 5
- DNS Resolver rotate feature HOT 5
- [Featture] Expose Path Parameter for DoH Client HOT 1
- Allow passing in a custom client UDP socket to send data from HOT 5
- `just no-default-features` fails with an ICE using latest nightly HOT 1
- Default dns timeout of 5 seconds is excessive (causes 40s of time being wasted in mongodb) HOT 5
- hickory-resolver retries NXDOMAINs over TCP if using `try_tcp_on_error` HOT 4
- tag/publish a 0.25 pre-release? HOT 4
- What is the reason for NextRandomUdpSocket? HOT 6
- add DNSSEC validation to `Recursor` HOT 1
- what's the use case for `Recursor::resolve(Query::query(not_fully_qualified_name, ..), ..)`? / bug in `Recursor::resolve` with `security_aware = false`? HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from hickory-dns.