wg syncconf (and setconf) error when one or more endpoints is unresolvable

wg syncconf (and setconf) error when one or more endpoints is unresolvable

[Christian McDonald]

Jason,

Assume a tunnel with say 3 peers. Peer A is accessible via an IPv4
address, Peer B by some FQDN, and Peer C by some other FQDN. Let's
also assume that Peer C was misconfigured with an unresolvable FQDN.
wg syncconf (and setconf) fails with 'Name does not
resolve...Configuration parsing error'

Is it expected behavior in this case that *none* of the peer
configurations are actually applied? It seems like a more appropriate
behavior would be to go ahead and configure the remaining peers (Peer
A + B) but only fail on the peer with an unresolvable endpoint (Peer
C). It of course is completely possible to re-implement syncconf and
setconf using explicit `wg set` calls as a workaround.

Am I missing something here?

Thanks,
Christian
-- 
R. Christian McDonald
E: rcmcdonald91@gmail.com

Re: wg syncconf (and setconf) error when one or more endpoints is unresolvable

[Jason A. Donenfeld]

This is intended behavior. DNS resolution happens at config parsing time.

Re: wg syncconf (and setconf) error when one or more endpoints is unresolvable

[Lonnie Abelbeck]

> On Jun 15, 2021, at 5:52 AM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> 
> This is intended behavior. DNS resolution happens at config parsing time.

Christian,

While I appreciate Jason's strict DNS requirement, for the last 2.5 years our project has implemented a trivial patch [1] to ignore endpoint DNS failure.  On a DNS failure, essentially ignoring the (optional) Endpoint= dns-hostname peer entry.

This has worked well for our use case.  WireGuard always starts.

Lonnie

[1] Ignore endpoint DNS failure
https://github.com/astlinux-project/astlinux/blob/master/package/wireguard-tools/wireguard-tools-0001-ignore-endpoint-dns-failure.patch

Re: wg syncconf (and setconf) error when one or more endpoints is unresolvable

[Christian McDonald]

Lonnie,

Thanks for the quick response and the trivial fix! This is perfect

Best,
Christian

On Tue, Jun 15, 2021 at 9:24 AM Lonnie Abelbeck
<lists@lonnie.abelbeck.com> wrote:
>
>
> > On Jun 15, 2021, at 5:52 AM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> >
> > This is intended behavior. DNS resolution happens at config parsing time.
>
> Christian,
>
> While I appreciate Jason's strict DNS requirement, for the last 2.5 years our project has implemented a trivial patch [1] to ignore endpoint DNS failure.  On a DNS failure, essentially ignoring the (optional) Endpoint= dns-hostname peer entry.
>
> This has worked well for our use case.  WireGuard always starts.
>
> Lonnie
>
> [1] Ignore endpoint DNS failure
> https://github.com/astlinux-project/astlinux/blob/master/package/wireguard-tools/wireguard-tools-0001-ignore-endpoint-dns-failure.patch
>


-- 
R. Christian McDonald
E: rcmcdonald91@gmail.com

Re: wg syncconf (and setconf) error when one or more endpoints is unresolvable

[Jason A. Donenfeld]

Hi Christian,

I don't condone shipping patched binaries to your users, and I won't
provide support for that here. What I'd recommend instead, if you want
really fine grained control over DNS resolution, is to just resolve
your DNS names prior to calling wg(8), and then apply whatever policy
you want to the results of that prior resolution step, such as
retries, discards, fallbacks, and so forth.

Jason