* wg syncconf (and setconf) error when one or more endpoints is unresolvable
From: Christian McDonald @ 2021-06-15 8:35 UTC
To: Jason A. Donenfeld; +Cc: WireGuard mailing list
Jason,
Assume a tunnel with say 3 peers. Peer A is accessible via an IPv4
address, Peer B by some FQDN, and Peer C by some other FQDN. Let's
also assume that Peer C was misconfigured with an unresolvable FQDN.
wg syncconf (and setconf) fails with 'Name does not
resolve...Configuration parsing error'
Is it expected behavior in this case that *none* of the peer
configurations are actually applied? It seems like a more appropriate
behavior would be to go ahead and configure the remaining peers (Peer
A + B) but only fail on the peer with an unresolvable endpoint (Peer
C). It of course is completely possible to re-implement syncconf and
setconf using explicit `wg set` calls as a workaround.
Am I missing something here?
Thanks,
Christian
--
R. Christian McDonald
E: rcmcdonald91@gmail.com
* Re: wg syncconf (and setconf) error when one or more endpoints is unresolvable
From: Jason A. Donenfeld @ 2021-06-15 10:52 UTC
To: Christian McDonald; +Cc: WireGuard mailing list
This is intended behavior. DNS resolution happens at config parsing time.
* Re: wg syncconf (and setconf) error when one or more endpoints is unresolvable
From: Lonnie Abelbeck @ 2021-06-15 13:23 UTC
To: Christian McDonald; +Cc: WireGuard mailing list
> On Jun 15, 2021, at 5:52 AM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> This is intended behavior. DNS resolution happens at config parsing time.
Christian,
While I appreciate Jason's strict DNS requirement, for the last 2.5 years our project has implemented a trivial patch [1] to ignore endpoint DNS failure. On a DNS failure, it essentially ignores the (optional) Endpoint= dns-hostname peer entry.
This has worked well for our use case. WireGuard always starts.
Lonnie
[1] Ignore endpoint DNS failure
https://github.com/astlinux-project/astlinux/blob/master/package/wireguard-tools/wireguard-tools-0001-ignore-endpoint-dns-failure.patch
* Re: wg syncconf (and setconf) error when one or more endpoints is unresolvable
From: Christian McDonald @ 2021-06-15 15:07 UTC
To: Lonnie Abelbeck; +Cc: WireGuard mailing list
Lonnie,
Thanks for the quick response and the trivial fix! This is perfect.
Best,
Christian
--
R. Christian McDonald
E: rcmcdonald91@gmail.com
* Re: wg syncconf (and setconf) error when one or more endpoints is unresolvable
From: Jason A. Donenfeld @ 2021-06-15 15:22 UTC
To: Christian McDonald; +Cc: Lonnie Abelbeck, WireGuard mailing list
Hi Christian,
I don't condone shipping patched binaries to your users, and I won't
provide support for that here. What I'd recommend instead, if you want
really fine grained control over DNS resolution, is to just resolve
your DNS names prior to calling wg(8), and then apply whatever policy
you want to the results of that prior resolution step, such as
retries, discards, fallbacks, and so forth.
Jason
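Jason's recommendation above, resolving the names yourself before calling wg(8) and deciding the policy outside the tool, as an added example that is not part of this thread and not code from wireguard-tools or from Lonnie's patch. It assumes the peer list is kept in wg(8)'s own config syntax (the format setconf/syncconf read), so only Endpoint= values are touched; the sample config, its placeholder keys and hostnames, and the stub resolver table are constructed so the script runs offline, and default_resolver is the only part that talks to real DNS.

```python
"""Pre-resolve WireGuard Endpoint= hostnames before handing the config to wg(8).
Added example, not WireGuard project code: wg(8) aborts the whole syncconf/setconf on the
first unresolvable name; here resolution runs first and a per-peer policy decides the rest.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

def default_resolver(host: str) -> str:
    """System resolver; raises socket.gaierror (an OSError) when the name does not resolve."""
    return socket.getaddrinfo(host, None, type=socket.SOCK_DGRAM)[0][4][0]

def stub_resolver(table: Dict[str, str]) -> Callable[[str], str]:
    """Offline resolver over a constructed host -> address table, for demos and tests."""
    def resolve(host: str) -> str:
        if host not in table:
            raise socket.gaierror(getattr(socket, "EAI_NONAME", -2), "Name does not resolve")
        return table[host]
    return resolve

def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """Split 'host:port' or '[v6-literal]:port' into (host, port)."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"malformed Endpoint value: {endpoint!r}")
    return (host[1:-1] if host.startswith("[") and host.endswith("]") else host), port

def format_endpoint(addr: str, port: str) -> str:
    """wg(8) expects IPv6 literals in brackets."""
    return f"[{addr}]:{port}" if ":" in addr else f"{addr}:{port}"

def resolve_host(host: str, resolver: Callable[[str], str], attempts: int) -> str:
    """Return an IP literal unchanged; otherwise resolve it, retrying transient failures."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass                                   # not a literal, so resolve it
    err: OSError = OSError("attempts must be >= 1")
    for _ in range(attempts):
        try:
            return resolver(host)
        except OSError as exc:
            err = exc
    raise err

def preresolve(config_text: str, resolver: Callable[[str], str] = default_resolver,
               attempts: int = 3, on_failure: str = "drop-endpoint") -> Tuple[str, Dict[str, str]]:
    """Rewrite every Endpoint= in a wg(8)-format config to an address literal.
    on_failure: 'drop-endpoint' keeps the peer minus its Endpoint line (Endpoint is optional;
    the address is learned when that peer handshakes with us); 'drop-peer' omits the whole
    [Peer] section; 'fail' re-raises as wg(8) does. Returns (config, {host: action taken})."""
    assert on_failure in ("drop-endpoint", "drop-peer", "fail"), on_failure
    sections: List[List[str]] = [[]]
    for line in config_text.splitlines():
        if line.strip().startswith("["):
            sections.append([])                # each [Interface]/[Peer] header opens a section
        sections[-1].append(line)
    out: List[str] = []
    failures: Dict[str, str] = {}
    for section in sections:
        in_peer = bool(section) and section[0].strip().lower() == "[peer]"
        kept: List[str] = []
        drop_peer = False
        for line in section:
            key, sep, value = line.partition("=")  # first '=' only: base64 keys end in '='
            if not in_peer or not sep or key.strip().lower() != "endpoint":
                kept.append(line)
                continue
            host, port = split_endpoint(value.strip())
            try:
                addr = resolve_host(host, resolver, attempts)
            except OSError:
                failures[host] = on_failure
                if on_failure == "fail":
                    raise
                drop_peer = on_failure == "drop-peer"
                continue                       # drop-endpoint: omit just this line
            kept.append(f"Endpoint = {format_endpoint(addr, port)}")
        if not drop_peer:
            out.extend(kept)
    return "\n".join(out) + "\n", failures

# Constructed sample in wg(8) syntax; the keys are placeholders, not real keys.
SAMPLE_CONFIG = """\
[Peer]
PublicKey = <peer-a-key-placeholder>
Endpoint = 192.0.2.10:51820
[Peer]
PublicKey = <peer-b-key-placeholder>
Endpoint = peer-b.example.net:51820
[Peer]
PublicKey = <peer-c-key-placeholder>
Endpoint = no-such-host.invalid:51820
"""

if __name__ == "__main__":                     # offline demo: B resolves, C loses its Endpoint
    cfg, failed = preresolve(SAMPLE_CONFIG, stub_resolver({"peer-b.example.net": "198.51.100.7"}))
    print(cfg + "# unresolved: " + ", ".join(f"{h} ({a})" for h, a in failed.items()))
```

Against real DNS, call preresolve on the file contents with the default resolver and pipe the returned text into `wg syncconf wg0 /dev/stdin`. The 'drop-endpoint' policy matches what Lonnie describes his patch doing, 'fail' reproduces wg(8)'s own stop-on-first-error behaviour, and retries, fallbacks to a last-known address, or alerting on the failures dict all live in this script, so the policy is a choice made in front of wg(8) rather than inside a patched binary.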