<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 19.02.19 16:45, Vincent Wiemann
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:ce051517-9325-824c-3299-ba08138e7912@ironai.com">
<pre class="moz-quote-pre" wrap="">A kernel VPN module should not depend
on a user space daemon for doing regular checks or a daemon running at
all.</pre>
</blockquote>
<p>It doesn't. You only need userspace when the external IP address
changes *and* the other side either doesn't initiate a link to us,
or can no longer reach us due to firewall or NAT issues. This is
already orders of magnitude better than OpenVPN.<br>
</p>
<p>DNS is a complex protocol that's nontrivial to implement
securely, DNSSEC even more so. You do not want that in the kernel.
I'd wager a large chunk of money that neither does Linus Torvalds.<br>
</p>
<blockquote>
<blockquote type="cite" style="color: #000000;">
<pre class="moz-quote-pre" wrap="">One could build up on
<a class="moz-txt-link-freetext" href="https://www.kernel.org/doc/Documentation/networking/dns_resolver.txt">https://www.kernel.org/doc/Documentation/networking/dns_resolver.txt</a> ,
but it's a lot of work and shouldn't be a goal before WireGuard becomes
an upstream kernel module.
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">I'm pretty sure that's the way to go long-term.
</pre>
</blockquote>
<p>Umm … you might want to read that. It specifies upcalling to
userspace. How is that better than running a WG daemon?</p>
<p>We'd also lose flexibility. I might want to teach that WG daemon
to get the new address from somewhere else, like a secure
connection to a VPN server (given that DNS timeouts might be too
long), or to use that netlink callback to trigger an alert or to
activate a fallback connection.<br>
</p>
<pre class="moz-signature" cols="72">--
-- Matthias Urlichs</pre>
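<p>A minimal userspace re-resolver of the kind the discussion above is about, added here as an illustration and not code from this post or from the WireGuard project. It polls DNS for a peer's endpoint and only calls <tt>wg set</tt> when the address actually changes; a resolution failure keeps the kernel's current endpoint. The interface name, peer key and hostname are placeholders, and <tt>resolver</tt>/<tt>run</tt> are injectable only so the logic can be exercised without a live interface.</p>

```python
"""Userspace helper: re-resolve a WireGuard peer's DNS endpoint and push
it into the kernel only on change. Added example, not WireGuard code."""
import socket
import subprocess
import time


def format_endpoint(ip, port):
    """Render ip:port the way `wg set ... endpoint` expects; v6 is bracketed."""
    return f"[{ip}]:{port}" if ":" in ip else f"{ip}:{port}"


def resolve_endpoint(hostname, port, resolver=socket.getaddrinfo):
    """Return 'ip:port' for hostname, or None if DNS resolution fails."""
    try:
        infos = resolver(hostname, port, proto=socket.IPPROTO_UDP)
    except OSError:
        return None
    for _family, _type, _proto, _canon, sockaddr in infos:
        return format_endpoint(sockaddr[0], port)
    return None


def wg_set_endpoint(iface, pubkey, endpoint, run=subprocess.run):
    """Update the peer's endpoint via the wg(8) tool; returns the argv used."""
    cmd = ["wg", "set", iface, "peer", pubkey, "endpoint", endpoint]
    run(cmd, check=True)
    return cmd


def check_once(state, hostname, port, iface, pubkey,
               resolver=socket.getaddrinfo, run=subprocess.run):
    """One poll. state['endpoint'] holds the last endpoint we configured.
    Returns True when the kernel was updated, False otherwise."""
    new = resolve_endpoint(hostname, port, resolver)
    if new is None or new == state.get("endpoint"):
        # DNS failure or unchanged address: leave the kernel's endpoint alone
        return False
    wg_set_endpoint(iface, pubkey, new, run)
    state["endpoint"] = new
    return True


def watch(hostname, port, iface, pubkey, interval=30):
    """Daemon loop: placeholders for iface/pubkey/hostname are up to the caller."""
    state = {}
    while True:
        check_once(state, hostname, port, iface, pubkey)
        time.sleep(interval)
```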
</body>
</html>