resolved: Avoid multiple SSL writes per DoT packet
In the DoT case, dns_stream_writev decomposed an iovec into multiple
dnstls_stream_write calls, which resulted in multiple SSL writes and multiple
TLS records. This can be checked from a network capture, e.g. using socat:
socat -v -x openssl-listen:853,reuseaddr,fork,cert=my.cert,key=my.key,verify=0 openssl:8.8.8.8:853
Instead, propagate the iovec as-is into the DoT handling code. For GnuTLS, the
library provides support for buffering ('corking') a record. OpenSSL has no
such facility, so we join the iovec into a single buffer then call SSL_write.
socat capture of `resolvectl -4 query --cache=no example.com` before the commit:
> 2022/01/30 13:35:52.194200 length=2 from=0 to=1
00 28 .(
--
> 2022/01/30 13:35:52.194253 length=40 from=2 to=41
1e b2 01 00 00 01 00 00 00 00 00 01 07 65 78 61 .............exa
6d 70 6c 65 03 63 6f 6d 00 00 01 00 01 00 00 29 mple.com.......)
ff e4 00 00 00 00 00 00 ........
--
< 2022/01/30 13:35:52.232798 length=58 from=0 to=57
00 38 1e b2 81 80 00 01 00 01 00 00 00 01 07 65 .8.............e
78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00 01 c0 xample.com......
0c 00 01 00 01 00 00 53 6f 00 04 5d b8 d8 22 00 .......So..]..".
00 29 02 00 00 00 00 00 00 00 .)........
socat capture of `resolvectl -4 query --cache=no example.com` after the commit:
> 2022/01/30 13:34:47.598099 length=42 from=504 to=545
00 28 37 86 01 00 00 01 00 00 00 00 00 01 07 65 .(7............e
78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00 01 00 xample.com......
00 29 ff e4 00 00 00 00 00 00 .)........
--
< 2022/01/30 13:34:47.613203 length=58 from=756 to=813
00 38 37 86 81 80 00 01 00 01 00 00 00 01 07 65 .87............e
78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00 01 c0 xample.com......
0c 00 01 00 01 00 00 52 5e 00 04 5d b8 d8 22 00 .......R^..]..".
00 29 02 00 00 00 00 00 00 00 .)........
(cherry picked from commit
aa892849d50e9dd5da03a628463ccf6c55ff1b44)
projects / systemd / .git / commit