forwarding policies should be able to specify DNS resolvers by name, not just IP address
An administrator might want to be able to specify a forwarding policy by name:
policy.FORWARD("dns.example.net")
This is clearly a little unusual because of the bootstrapping nature of the problem, but it's useful to express a simple, user-comprehensible intention. That is, it's a good model for configuring a kresd instance to "do what i mean".
fwiw, I also want this for policy.TLS_FORWARD (but i'll open a separate ticket about how i want policy.FORWARD to be merged with policy.TLS_FORWARD).
The primary question to make this work is: how should such a name be resolved to a set of IP addresses that can actually be used? I think there is only one sensible answer to this question: the resolver should do the lookup itself, using whatever policy is already in place. That means that any queries made to resolve the new policy object will not be applied through the specific policy itself. I think that's an OK tradeoff for the usability win. And, of course, administrators who want to hard-code IP addresses here (thereby not being subject to the uncertainty associated with this level of indirection) can still do so.
Some interesting questions likely to come up during implementation:
- is it acceptable to load this information from the local cache? I think it is! This could mean no worries about a bootstrap across a reboot as long as the cache is well-populated and the downtime is minimal.
- what should the policy object do when the TTL for the A or AAAA records expires? I think that a resolver with such a policy should aggressively prefetch these records (e.g. queue a lookup when the TTL is half-expired?) to ensure that they're current. Note that this implies that the IP addresses that the policy forwards to could change dynamically over time. I recommend logging these changes so that they're visible to the administrator.
- what should the policy object do if the name→IP lookup fails, or returns no IP addresses? (e.g. what if this configuration is loaded before the network stack is up, or a SERVFAIL is returned?) In this case, i think such a NULL policy could temporarily convert to a PASS (though a warning should probably be logged). In this case, kresd should continue to attempt to look up the requested names, and to convert the policy back to FORWARD once the names are resolved.
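The lifecycle sketched in the three points above (bootstrap, prefetch at half TTL, temporary fallback to PASS with a logged warning, and logging of address changes), as an added Python model that is not kresd code. `NamedForward` and its `lookup` hook are hypothetical: `lookup(name)` stands in for the resolver's own lookup path (cache or network) and returns `(addresses, ttl)` or raises `LookupFailed`; the clock is injectable so the timing can be exercised offline.

```python
import time
from typing import Callable, List, Optional, Tuple


class LookupFailed(Exception):
    """Raised by the lookup hook on SERVFAIL, timeout, or no network (constructed)."""


class NamedForward:
    """Model of a FORWARD policy given a name instead of addresses (hypothetical).

    lookup(name) -> (addresses, ttl_seconds), or raises LookupFailed; it is assumed
    to go through the resolver's normal lookup path, which may answer from cache.
    """

    def __init__(self, name: str, lookup: Callable[[str], Tuple[List[str], int]],
                 clock: Callable[[], float] = time.monotonic):
        self.name, self.lookup, self.clock = name, lookup, clock
        self.addrs: List[str] = []          # empty means "currently PASS"
        self.fetched_at = self.expires = 0.0
        self.log: List[str] = []            # what the administrator would see

    def refresh(self) -> None:
        """Re-resolve the name; keep unexpired addresses if the lookup fails."""
        now = self.clock()
        try:
            addrs, ttl = self.lookup(self.name)
            if not addrs:
                raise LookupFailed("no A/AAAA records")
        except LookupFailed as err:
            self.log.append(f"warning: {self.name} unresolvable ({err})")
            if now >= self.expires:         # nothing usable left: temporarily PASS
                if self.addrs:
                    self.log.append(f"warning: {self.name} policy converted to PASS")
                self.addrs = []
            return
        if sorted(addrs) != sorted(self.addrs):   # addresses changed: make it visible
            self.log.append(f"info: {self.name} -> {sorted(addrs)} (was {sorted(self.addrs)})")
        self.addrs, self.fetched_at, self.expires = list(addrs), now, now + ttl

    def action(self) -> Tuple[str, Optional[List[str]]]:
        """Decide for one query: ('FORWARD', addresses) or ('PASS', None)."""
        now = self.clock()
        half_life = self.fetched_at + (self.expires - self.fetched_at) / 2
        if not self.addrs or now >= half_life:    # bootstrap, or prefetch at half TTL
            self.refresh()
        return ("FORWARD", list(self.addrs)) if self.addrs else ("PASS", None)
```

While in PASS, every query retries the lookup, so the policy converts back to FORWARD as soon as the name resolves.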