On 10/10/2023 14:04, Aleksandar Lazic wrote:
...
> Well, this implies that a dpapi should always run together with HAProxy if you want something like DNS resolving for servers or anything else?

I don't think Willy meant removing this much; from a previous discussion with him on the topic, it sounds more like wanting to remove things like regular SRV record resolution for server-template directives, for example.

> I think that the DNS stuff should be kept there and maybe be enhanced, as
> it looks to me like some new security topics are using DNS more and more, like
> ESNI, ECH, SVCB, ...

Neither of those really matters for HAProxy as a server though. ESNI/ECH merely have the relevant keys published in the domain's HTTPS or SVCB records, which (as far as I understand it) are there mostly to have more protocol hints baked into the preliminary DNS request (i.e. v4/v6 support, and which IPs for each; which ECH keys, what ports, what ALPNs, ...).

But all of this is baked into your public DNS zone, and not really something HAProxy (as a server, again) would ever use.

Now, that said, if you mean using those between HAProxy and your backends... maybe. Though I'm a little bit dubious about the use case, to be frank, since backend servers are not expected to use things like ECH.

That said, I do have some use cases at the moment where I actively make use of SRV records on the backends internally, for which losing support would be a little annoying, so I can appreciate the will to keep them.

> Should this be handled by dpapi and configured via the socket API or any upcoming API in HAProxy?

If dpapi is to become necessary for very dynamic configurations, I just hope it follows a standard rather than expecting users to write adapters around it, since it's unlikely that anything but xDS (or similar) will have significant adoption in the near future, due to the rather high cost for various projects of supporting third-party APIs like those.

Somewhat for the same reason why, while the socket API is cool and useful, it doesn't really work out as nicely as it could when it comes to integrating it with other software.

Tristan
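As an added example (not part of the thread and not HAProxy project code): a Python encoder/decoder for the RDATA of HTTPS/SVCB records as specified in RFC 9460, to make concrete what "baked into your public DNS zone" means, namely the alpn, port, ipv4hint/ipv6hint and ech SvcParams a client reads before it ever connects. It also performs the two validity checks a consumer must make: SvcParamKeys have to appear in strictly increasing order, and every key listed under `mandatory` must be present and understood, otherwise the record is unusable. The sample record, the target name `svc.example.` and the ECHConfigList bytes are constructed placeholders, not data from any real zone.

```python
import ipaddress
import struct

# SvcParamKey registry values from RFC 9460, section 14.3.
KEY_MANDATORY, KEY_ALPN, KEY_NO_DEFAULT_ALPN, KEY_PORT = 0, 1, 2, 3
KEY_IPV4HINT, KEY_ECH, KEY_IPV6HINT = 4, 5, 6
KEY_NAMES = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
             4: "ipv4hint", 5: "ech", 6: "ipv6hint"}
NAME_KEYS = {v: k for k, v in KEY_NAMES.items()}


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format domain name; '.' is the root name."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data: bytes, off: int):
    labels = []
    while True:
        if off >= len(data):
            raise ValueError("truncated TargetName")
        n = data[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:  # RDATA of SVCB/HTTPS must not use name compression
            raise ValueError("compression pointer in TargetName")
        labels.append(data[off:off + n].decode("ascii"))
        off += n
    return (".".join(labels) + "." if labels else "."), off


def encode_param(key: int, value) -> bytes:
    """Encode one SvcParam as key (2 bytes), length (2 bytes), value."""
    if key == KEY_MANDATORY:  # list of key numbers, ascending
        body = b"".join(struct.pack("!H", NAME_KEYS[v])
                        for v in sorted(value, key=NAME_KEYS.get))
    elif key == KEY_ALPN:  # sequence of 1-byte length-prefixed alpn-ids
        body = b"".join(bytes([len(a)]) + a.encode("ascii") for a in value)
    elif key == KEY_NO_DEFAULT_ALPN:
        body = b""
    elif key == KEY_PORT:
        body = struct.pack("!H", value)
    elif key == KEY_IPV4HINT:
        body = b"".join(ipaddress.IPv4Address(a).packed for a in value)
    elif key == KEY_IPV6HINT:
        body = b"".join(ipaddress.IPv6Address(a).packed for a in value)
    else:  # ech (opaque ECHConfigList) and unknown keys are raw bytes
        body = bytes(value)
    return struct.pack("!HH", key, len(body)) + body


def build_https_rdata(priority: int, target: str, params: dict) -> bytes:
    rdata = struct.pack("!H", priority) + encode_name(target)
    for name in sorted(params, key=NAME_KEYS.__getitem__):  # ascending on the wire
        rdata += encode_param(NAME_KEYS[name], params[name])
    return rdata


def decode_param(key: int, body: bytes):
    if key == KEY_MANDATORY:
        if len(body) % 2:
            raise ValueError("mandatory: odd length")
        keys = struct.unpack("!%dH" % (len(body) // 2), body)
        return [KEY_NAMES.get(k, "key%d" % k) for k in keys]
    if key == KEY_ALPN:
        ids, off = [], 0
        while off < len(body):
            n = body[off]
            off += 1
            if n == 0 or off + n > len(body):
                raise ValueError("alpn: malformed alpn-id")
            ids.append(body[off:off + n].decode("ascii"))
            off += n
        return ids
    if key == KEY_NO_DEFAULT_ALPN:
        if body:
            raise ValueError("no-default-alpn: value must be empty")
        return True
    if key == KEY_PORT:
        if len(body) != 2:
            raise ValueError("port: bad length")
        return struct.unpack("!H", body)[0]
    if key == KEY_IPV4HINT:
        if not body or len(body) % 4:
            raise ValueError("ipv4hint: bad length")
        return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, len(body), 4)]
    if key == KEY_IPV6HINT:
        if not body or len(body) % 16:
            raise ValueError("ipv6hint: bad length")
        return [str(ipaddress.IPv6Address(body[i:i + 16])) for i in range(0, len(body), 16)]
    return body


def parse_https_rdata(rdata: bytes) -> dict:
    """Parse SvcPriority, TargetName and SvcParams; priority 0 is AliasMode."""
    if len(rdata) < 3:
        raise ValueError("rdata too short")
    priority = struct.unpack_from("!H", rdata, 0)[0]
    target, off = decode_name(rdata, 2)
    params, last_key = {}, -1
    while off < len(rdata):
        if off + 4 > len(rdata):
            raise ValueError("truncated SvcParam header")
        key, length = struct.unpack_from("!HH", rdata, off)
        off += 4
        body = rdata[off:off + length]
        off += length
        if len(body) != length:
            raise ValueError("truncated SvcParam value")
        if key <= last_key:  # RFC 9460 s2.2: strictly increasing, so no duplicates
            raise ValueError("SvcParamKeys not strictly increasing")
        last_key = key
        params[KEY_NAMES.get(key, "key%d" % key)] = decode_param(key, body)
    # Every key named in "mandatory" must be present and understood; the key
    # itself must not be listed. Otherwise the whole record is unusable.
    for name in params.get("mandatory", []):
        if name == "mandatory" or name not in params or name not in NAME_KEYS:
            raise ValueError("unusable record: mandatory key %s" % name)
    return {"priority": priority, "target": target, "params": params}


# Constructed sample record (placeholder ECHConfigList bytes, not a real config).
SAMPLE_PARAMS = {
    "mandatory": ["alpn", "ech"],
    "alpn": ["h2", "http/1.1"],
    "port": 8443,
    "ipv4hint": ["192.0.2.10"],
    "ech": b"\x00\x04AAAA",
    "ipv6hint": ["2001:db8::10"],
}
SAMPLE_RDATA = build_https_rdata(1, "svc.example.", SAMPLE_PARAMS)

if __name__ == "__main__":
    print(parse_https_rdata(SAMPLE_RDATA))
```

The decoder deliberately rejects out-of-order or duplicate keys and records whose `mandatory` list names something absent or unknown, which is the behaviour RFC 9460 asks of a client; a resolver-side component in HAProxy would only need any of this if it were acting as the HTTPS client of its backends, which is the point made above.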
