Merge pull request #253 from DNSCrypt/dependabot/cargo/sieve-cache-0.2.0

Bump sieve-cache from 0.1.4 to 0.2.0

.github/workflows/release.yml

@@ -7,18 +7,36 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-20.04, windows-latest]
+        include:
+          - os: ubuntu-20.04
+            target: x86_64-unknown-linux-gnu
+            target_alias: linux-x86_64
+            bin_suffix: ''
+            archive_suffix: '.tar.bz2'
+          - os: windows-latest
+            target: x86_64-pc-windows-msvc
+            target_alias: win-x86_64-msvc
+            bin_suffix: '.exe'
+            archive_suffix: '.zip'
+    defaults:
+      run:
+        shell: bash
+    env:
+      ARCHIVE_PATH: encrypted-dns_${{ github.ref_name }}_${{ matrix.target_alias }}${{ matrix.archive_suffix }}
 
     steps:
-      - name: Get the version
-        id: get_version
-        run: echo ::set-output name=VERSION::${GITHUB_REF#refs/tags/}
+      - uses: actions/checkout@v4
 
-      - uses: actions/checkout@master
+      - uses: goto-bus-stop/setup-zig@v2
 
-      - uses: hecrj/setup-rust-action@master
+      - uses: hecrj/setup-rust-action@v2
         with:
           rust-version: stable
+          targets: ${{ matrix.target }}
 
       - name: Check Cargo availability
         run: cargo --version
@@ -26,50 +44,54 @@ jobs:
       - name: Check Rustup default toolchain
         run: rustup default | grep stable
 
-      - name: Install cargo-deb
-        run: cargo install --debug cargo-deb
-
       - name: Build
         run: |
           echo 'lto = "fat"' >> Cargo.toml
-          env RUSTFLAGS="-C link-arg=-s" cargo build --release
+          env RUSTFLAGS="-C strip=symbols" cargo build --release
           mkdir encrypted-dns
-          mv target/release/encrypted-dns encrypted-dns/
+          cp target/release/encrypted-dns${{ matrix.bin_suffix }} encrypted-dns/
           cp README.md example-encrypted-dns.toml encrypted-dns/
-          tar cjpf encrypted-dns_${{ steps.get_version.outputs.VERSION }}_linux-x86_64.tar.bz2 encrypted-dns
-      - name: Debian package
+          if [ "${{ matrix.os }}" = "ubuntu-20.04" ]; then
+            tar cjpf ${ARCHIVE_PATH} encrypted-dns
+          elif [ "${{ matrix.os }}" = "windows-latest" ]; then
+            "/C/Program Files/7-Zip/7z" a ${ARCHIVE_PATH} encrypted-dns
+          fi
+
+      - name: Install cargo-deb and build Debian package
+        if: ${{ matrix.os == 'ubuntu-20.04' }}
         run: |
-          cargo deb
+          cargo install cargo-deb
+          cargo deb --output=encrypted-dns_${{ github.ref_name }}_amd64.deb --no-build
 
-      - name: Create release
-        id: create_release
-        uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - uses: actions/upload-artifact@v4
         with:
-          tag_name: ${{ github.ref }}
-          release_name: Release ${{ github.ref }}
-          draft: true
-          prerelease: false
+          name: encrypted-dns_${{ matrix.target_alias }}
+          path: ${{ env.ARCHIVE_PATH }}
 
-      - name: Upload Debian package
-        id: upload-release-asset-debian
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - uses: actions/upload-artifact@v4
+        if: ${{ matrix.os == 'ubuntu-20.04' }}
         with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_name: "encrypted-dns_${{ steps.get_version.outputs.VERSION }}_amd64.deb"
-          asset_path: "target/debian/encrypted-dns_${{ steps.get_version.outputs.VERSION }}_amd64.deb"
-          asset_content_type: application/x-debian-package
+          name: encrypted-dns_deb-amd64
+          path: encrypted-dns_${{ github.ref_name }}_amd64.deb
+
+  release:
+    if: startsWith(github.ref, 'refs/tags/')
+    needs:
+      - build
+    runs-on: ubuntu-20.04
+
+    steps:
+      - uses: actions/download-artifact@v4
 
-      - name: Upload tarball
-        id: upload-release-asset-tarball
-        uses: actions/upload-release-asset@v1
+      - name: Create release
+        uses: softprops/action-gh-release@v2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_name: "encrypted-dns_${{ steps.get_version.outputs.VERSION }}_linux-x86_64.tar.bz2"
-          asset_path: "encrypted-dns_${{ steps.get_version.outputs.VERSION }}_linux-x86_64.tar.bz2"
-          asset_content_type: application/x-tar
+          name: Release ${{ github.ref_name }}
+          draft: true
+          prerelease: false
+          files: |
+            encrypted-dns_deb-amd64/*.deb
+            encrypted-dns_linux-x86_64/*.tar.bz2
+            encrypted-dns_win-x86_64-msvc/*.zip

.github/workflows/test.yml

@@ -4,11 +4,14 @@ on: [push]
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest]
 
     steps:
-      - uses: actions/checkout@master
-      - uses: hecrj/setup-rust-action@master
+      - uses: actions/checkout@v4
+      - uses: hecrj/setup-rust-action@v2
         with:
           rust-version: nightly
       - name: Check Cargo availability

.gitignore

@@ -1,6 +1,7 @@
 **/*.rs.bk
 *~
 /target/
-Cargo.lock
 encrypted-dns.state
 encrypted-dns.toml
+a.rb
+sizes.txt

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "encrypted-dns"
-version = "0.9.7"
+version = "0.9.15"
 authors = ["Frank Denis <github@pureftpd.org>"]
 edition = "2018"
 description = "A modern encrypted DNS server (DNSCrypt v2, Anonymized DNSCrypt, DoH)"
@@ -12,59 +12,58 @@ categories = ["asynchronous", "network-programming", "command-line-utilities"]
 readme = "README.md"
 
 [dependencies]
-anyhow = "1.0.58"
-byteorder = "1.4.3"
-clap = { version = "3.2.8", default-features = false, features = [
+anyhow = "1.0.86"
+byteorder = "1.5.0"
+clap = { version = "3.2.25", default-features = false, features = [
   "std",
   "cargo",
   "wrap_help",
 ] }
-clockpro-cache = "0.1.10"
-coarsetime = "0.1.22"
+coarsetime = "0.1.34"
 daemonize-simple = "0.1.5"
 derivative = "2.2.0"
 dnsstamps = "0.1.9"
-env_logger = { version = "0.9.0", default-features = false, features = [
+env_logger = { version = "0.11.3", default-features = false, features = [
   "humantime",
 ] }
-futures = { version = "0.3.21", features = ["async-await"] }
-hyper = { version = "0.14.19", default_features = false, features = [
+futures = { version = "0.3.30", features = ["async-await"] }
+hyper = { version = "0.14.28", default-features = false, features = [
   "server",
   "http1",
 ], optional = true }
 ipext = "0.1.0"
-libsodium-sys-stable = "1.19.22"
-log = { version = "0.4.17", features = ["std", "release_max_level_debug"] }
-mimalloc = { version = "0.1.29", default-features = false }
-socket2 = "0.4.4"
-parking_lot = "0.12.1"
+libsodium-sys-stable = "1.20.8"
+log = { version = "0.4.21", features = ["std", "release_max_level_debug"] }
+mimalloc = { version = "0.1.42", default-features = false }
+socket2 = "0.5.7"
+parking_lot = "0.12.2"
 rand = "0.8.5"
-rlimit = "0.8.3"
+rlimit = "0.10.1"
 rustc-hash = "1.1.0"
-serde = "1.0.137"
-serde_derive = "1.0.137"
-serde-big-array = "0.4.1"
-siphasher = "0.3.10"
-slabigator = "0.1.4"
-tokio = { version = "1.19.2", features = [
+serde = "1.0.202"
+serde_derive = "1.0.202"
+serde-big-array = "0.5.1"
+sieve-cache = "0.2.0"
+siphasher = "1.0.1"
+slabigator = "0.9.2"
+tokio = { version = "1.37.0", features = [
   "net",
   "io-std",
   "io-util",
   "fs",
   "time",
-  "rt-multi-thread",
-  "parking_lot",
+  "rt-multi-thread"
 ] }
-toml = "0.5.9"
+toml = "0.8.13"
 
 [target.'cfg(target_family = "unix")'.dependencies]
-privdrop = "0.5.2"
+privdrop = "0.5.4"
 
 [dependencies.prometheus]
 optional = true
 package = "prometheus-32bitfix"
 version = "0.13.1"
-default_features = false
+default-features = false
 features = ["process"]
 
 [features]

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2019-2022 Frank Denis
+Copyright (c) 2019-2024 Frank Denis
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,5 +1,5 @@
 # ![Encrypted DNS Server](logo.png)
-![Github CI status](https://img.shields.io/github/workflow/status/jedisct1/encrypted-dns-server/Rust)
+![Github CI status](https://img.shields.io/github/actions/workflow/status/jedisct1/encrypted-dns-server/test.yml?branch=master)
 [![Gitter chat](https://badges.gitter.im/gitter.svg)](https://gitter.im/dnscrypt-operators/Lobby)
 
 An easy to install, high-performance, zero maintenance proxy to run an encrypted DNS server.
@@ -18,9 +18,9 @@ All of these can be served simultaneously, on the same port (usually port 443).
 
 ## Installation
 
-### Option 1: precompiled binary for Linux
+### Option 1: precompiled x86_64 binary
 
-Precompiled tarballs and Debian packages for Linux/x86_64 [can be downloaded here](https://github.com/jedisct1/encrypted-dns-server/releases/latest).
+Debian packages, archives for Linux and Windows [can be downloaded here](https://github.com/jedisct1/encrypted-dns-server/releases/latest).
 
 Nothing else has to be installed. The server doesn't require any external dependencies.
 
@@ -97,7 +97,7 @@ Putting it in a directory that is only readable by the super-user is not a bad i
 
 ## Filtering
 
-Domains can be filtered directly by the proxy, see the `[filtering]` section of the configuration file.
+Domains can be filtered directly by the proxy, see the `[filtering]` section of the configuration file. Note: Filtering only works with the DNSCrypt protocol and does not apply to DNS-over-HTTP (DoH) forwarding.
 
 ## Access control
 

src/cache.rs

@@ -1,8 +1,8 @@
 use std::sync::Arc;
 
-use clockpro_cache::ClockProCache;
 use coarsetime::{Duration, Instant};
 use parking_lot::{Mutex, MutexGuard};
+use sieve_cache::SieveCache;
 
 use crate::dns;
 
@@ -55,7 +55,7 @@ impl CachedResponse {
 #[derivative(Debug)]
 pub struct Cache {
     #[derivative(Debug = "ignore")]
-    cache: Arc<Mutex<ClockProCache<u128, CachedResponse>>>,
+    cache: Arc<Mutex<SieveCache<u128, CachedResponse>>>,
     pub ttl_min: u32,
     pub ttl_max: u32,
     pub ttl_error: u32,
@@ -63,13 +63,13 @@ pub struct Cache {
 
 impl Cache {
     pub fn new(
-        clockpro_cache: ClockProCache<u128, CachedResponse>,
+        sieve_cache: SieveCache<u128, CachedResponse>,
         ttl_min: u32,
         ttl_max: u32,
         ttl_error: u32,
     ) -> Self {
         Cache {
-            cache: Arc::new(Mutex::new(clockpro_cache)),
+            cache: Arc::new(Mutex::new(sieve_cache)),
             ttl_min,
             ttl_max,
             ttl_error,
@@ -77,7 +77,7 @@ impl Cache {
     }
 
     #[inline]
-    pub fn lock(&self) -> MutexGuard<'_, ClockProCache<u128, CachedResponse>> {
+    pub fn lock(&self) -> MutexGuard<'_, SieveCache<u128, CachedResponse>> {
         self.cache.lock()
     }
 }

src/config.rs

@@ -131,8 +131,8 @@ impl State {
         let mut fpb = tokio::fs::OpenOptions::new();
         let fpb = fpb.create(true).write(true);
         let mut fp = fpb.open(&path_tmp).await?;
-        let state_bin = toml::to_vec(&self)?;
-        fp.write_all(&state_bin).await?;
+        let state_str = toml::to_string(&self)?;
+        fp.write_all(state_str.as_bytes()).await?;
         fp.sync_data().await?;
         mem::drop(fp);
         tokio::fs::rename(path_tmp, path).await?;
@@ -140,8 +140,8 @@ impl State {
     }
 
     pub fn from_file(path: impl AsRef<Path>, key_cache_capacity: usize) -> Result<Self, Error> {
-        let state_bin = fs::read(path)?;
-        let mut state: State = toml::from_slice(&state_bin)?;
+        let state_str = fs::read_to_string(path)?;
+        let mut state: State = toml::from_str(&state_str)?;
         for params_set in &mut state.dnscrypt_encryption_params_set {
             params_set.add_key_cache(key_cache_capacity);
         }

src/dns.rs

@@ -294,7 +294,7 @@ fn skip_name(packet: &[u8], offset: usize) -> Result<usize, Error> {
                 break;
             }
             label_len => label_len,
-        } as usize;
+        };
         ensure!(label_len < 0x40, "Long label");
         ensure!(
             packet_len - offset - 1 > label_len,
@@ -423,7 +423,7 @@ fn add_edns_section(packet: &mut Vec<u8>, max_payload_size: u16) -> Result<(), E
         "Packet would be too large to add a new record"
     );
     arcount_inc(packet)?;
-    packet.extend(&opt_rr);
+    packet.extend(opt_rr);
     Ok(())
 }
 
@@ -483,7 +483,7 @@ pub fn serve_certificates<'t>(
     if !qname.eq_ignore_ascii_case(expected_qname) {
         return Ok(None);
     }
-    let mut packet = (&client_packet[..offset + 4]).to_vec();
+    let mut packet = client_packet[..offset + 4].to_vec();
     an_ns_ar_count_clear(&mut packet);
     authoritative_response(&mut packet);
     let dnscrypt_encryption_params = dnscrypt_encryption_params_set

src/dnscrypt.rs

@@ -46,7 +46,7 @@ pub const DNSCRYPT_TCP_RESPONSE_MAX_SIZE: usize =
 pub fn decrypt(
     wrapped_packet: &[u8],
     dnscrypt_encryption_params_set: &[Arc<DNSCryptEncryptionParams>],
-) -> Result<(SharedKey, [u8; DNSCRYPT_FULL_NONCE_SIZE as usize], Vec<u8>), Error> {
+) -> Result<(SharedKey, [u8; DNSCRYPT_FULL_NONCE_SIZE], Vec<u8>), Error> {
     ensure!(
         wrapped_packet.len()
             >= DNSCRYPT_QUERY_MAGIC_SIZE
@@ -67,7 +67,7 @@ pub fn decrypt(
         .find(|p| p.client_magic() == client_magic)
         .ok_or_else(|| anyhow!("Client magic not found"))?;
 
-    let mut nonce = [0u8; DNSCRYPT_FULL_NONCE_SIZE as usize];
+    let mut nonce = [0u8; DNSCRYPT_FULL_NONCE_SIZE];
     nonce[..DNSCRYPT_QUERY_NONCE_SIZE].copy_from_slice(client_nonce);
 
     let cached_shared_key = {
@@ -106,7 +106,7 @@ pub fn decrypt(
 pub fn encrypt(
     packet: Vec<u8>,
     shared_key: &SharedKey,
-    nonce: &[u8; DNSCRYPT_FULL_NONCE_SIZE as usize],
+    nonce: &[u8; DNSCRYPT_FULL_NONCE_SIZE],
     max_packet_size: usize,
 ) -> Result<Vec<u8>, Error> {
     let mut wrapped_packet = Vec::with_capacity(DNS_MAX_PACKET_SIZE);
@@ -126,3 +126,7 @@ pub fn encrypt(
     )?;
     Ok(wrapped_packet)
 }
+
+pub fn may_be_quic(packet: &[u8]) -> bool {
+    !packet.is_empty() && ((80..=127).contains(&packet[0]) || (192..=255).contains(&packet[0]))
+}

src/dnscrypt_certs.rs

@@ -4,10 +4,10 @@ use std::sync::Arc;
 use std::time::SystemTime;
 
 use byteorder::{BigEndian, ByteOrder};
-use clockpro_cache::ClockProCache;
 use parking_lot::Mutex;
 use rand::prelude::*;
 use serde_big_array::BigArray;
+use sieve_cache::SieveCache;
 
 use crate::anonymized_dns::*;
 use crate::config::*;
@@ -108,7 +108,7 @@ pub struct DNSCryptEncryptionParams {
     resolver_kp: CryptKeyPair,
     #[serde(skip)]
     #[derivative(Debug = "ignore")]
-    pub key_cache: Option<Arc<Mutex<ClockProCache<[u8; DNSCRYPT_QUERY_PK_SIZE], SharedKey>>>>,
+    pub key_cache: Option<Arc<Mutex<SieveCache<[u8; DNSCRYPT_QUERY_PK_SIZE], SharedKey>>>>,
 }
 
 impl DNSCryptEncryptionParams {
@@ -140,7 +140,7 @@ impl DNSCryptEncryptionParams {
             }
             if now >= ts_start {
                 let dnscrypt_cert = DNSCryptCert::new(provider_kp, &resolver_kp, ts_start);
-                let cache = ClockProCache::new(key_cache_capacity).unwrap();
+                let cache = SieveCache::new(key_cache_capacity).unwrap();
                 active_params.push(DNSCryptEncryptionParams {
                     dnscrypt_cert,
                     resolver_kp,
@@ -154,7 +154,7 @@ impl DNSCryptEncryptionParams {
             let ts_start = now - (now % DNSCRYPT_CERTS_RENEWAL);
             let resolver_kp = CryptKeyPair::from_seed(seed);
             let dnscrypt_cert = DNSCryptCert::new(provider_kp, &resolver_kp, ts_start);
-            let cache = ClockProCache::new(key_cache_capacity).unwrap();
+            let cache = SieveCache::new(key_cache_capacity).unwrap();
             active_params.push(DNSCryptEncryptionParams {
                 dnscrypt_cert,
                 resolver_kp,
@@ -165,7 +165,7 @@ impl DNSCryptEncryptionParams {
     }
 
     pub fn add_key_cache(&mut self, cache_capacity: usize) {
-        let cache = ClockProCache::new(cache_capacity).unwrap();
+        let cache = SieveCache::new(cache_capacity).unwrap();
         self.key_cache = Some(Arc::new(Mutex::new(cache)));
     }
 

src/main.rs

@@ -49,7 +49,6 @@ use blacklist::*;
 use byteorder::{BigEndian, ByteOrder};
 use cache::*;
 use clap::Arg;
-use clockpro_cache::ClockProCache;
 use config::*;
 use crypto::*;
 use dns::*;
@@ -57,6 +56,7 @@ use dnscrypt::*;
 use dnscrypt_certs::*;
 use dnsstamps::{InformalProperty, WithInformalProperty};
 use errors::*;
+use future::Either;
 use futures::join;
 use futures::prelude::*;
 use globals::*;
@@ -65,6 +65,7 @@ use parking_lot::RwLock;
 #[cfg(target_family = "unix")]
 use privdrop::PrivDrop;
 use rand::prelude::*;
+use sieve_cache::SieveCache;
 use siphasher::sip128::SipHasher13;
 use slabigator::Slab;
 use tokio::io::{AsyncReadExt, AsyncWriteExt};
@@ -195,23 +196,31 @@ async fn handle_client_query(
             Ok(x) => x,
             Err(_) => {
                 let packet = encrypted_packet;
-                if let Some(synth_packet) = serve_certificates(
+                match serve_certificates(
                     &packet,
                     &globals.provider_name,
                     &dnscrypt_encryption_params_set,
-                )? {
-                    return encrypt_and_respond_to_query(
-                        globals,
-                        client_ctx,
-                        packet,
-                        synth_packet,
-                        original_packet_size,
-                        None,
-                        None,
-                    )
-                    .await;
-                }
-                bail!("Unencrypted query");
+                ) {
+                    Ok(Some(synth_packet)) => {
+                        return encrypt_and_respond_to_query(
+                            globals,
+                            client_ctx,
+                            packet,
+                            synth_packet,
+                            original_packet_size,
+                            None,
+                            None,
+                        )
+                        .await
+                    }
+                    Ok(None) => return Ok(()),
+                    Err(_) => {
+                        if may_be_quic(&packet) {
+                            bail!("Likely a QUIC packet") // RFC 9443
+                        }
+                        bail!("Unencrypted query or different protocol")
+                    }
+                };
             }
         };
     ensure!(packet.len() >= DNS_HEADER_SIZE, "Short packet");
@@ -339,12 +348,22 @@ async fn tcp_acceptor(globals: Arc<Globals>, tcp_listener: TcpListener) -> Resul
         };
         let fut_abort = rx;
         let fut_all = tokio::time::timeout(timeout, future::select(fut.boxed(), fut_abort));
-        runtime_handle.spawn(fut_all.map(move |_| {
+        runtime_handle.spawn(fut_all.map(move |either| {
             let _count = concurrent_connections.fetch_sub(1, Ordering::Relaxed);
             #[cfg(feature = "metrics")]
             varz.inflight_tcp_queries.set(_count.saturating_sub(1) as _);
-            let mut active_connections = active_connections.lock();
-            _ = active_connections.remove(tx_channel_index);
+
+            if let Ok(Either::Right(e)) = either {
+                // Removing the active connection was already done during
+                // cancellation.
+                debug!("TCP query canceled: {:?}", e.0)
+            } else {
+                let mut active_connections = active_connections.lock();
+                _ = active_connections.remove(tx_channel_index);
+                if let Ok(Either::Left(e)) = either {
+                    debug!("TCP query error: {:?}", e.0)
+                }
+            }
         }));
     }
 }
@@ -394,12 +413,22 @@ async fn udp_acceptor(
         let fut = handle_client_query(globals, client_ctx, packet);
         let fut_abort = rx;
         let fut_all = tokio::time::timeout(timeout, future::select(fut.boxed(), fut_abort));
-        runtime_handle.spawn(fut_all.map(move |_| {
+        runtime_handle.spawn(fut_all.map(move |either| {
             let _count = concurrent_connections.fetch_sub(1, Ordering::Relaxed);
             #[cfg(feature = "metrics")]
             varz.inflight_udp_queries.set(_count.saturating_sub(1) as _);
-            let mut active_connections = active_connections.lock();
-            _ = active_connections.remove(tx_channel_index);
+
+            if let Ok(Either::Right(e)) = either {
+                // Removing the active connection was already done during
+                // cancellation.
+                debug!("UDP query canceled: {:?}", e.0)
+            } else {
+                let mut active_connections = active_connections.lock();
+                _ = active_connections.remove(tx_channel_index);
+                if let Ok(Either::Left(e)) = either {
+                    debug!("UDP query error: {:?}", e.0)
+                }
+            }
         }));
     }
 }
@@ -544,16 +573,6 @@ fn set_limits(config: &Config) -> Result<(), Error> {
 }
 
 fn main() -> Result<(), Error> {
-    env_logger::Builder::from_default_env()
-        .write_style(env_logger::WriteStyle::Never)
-        .format_module_path(false)
-        .format_timestamp(None)
-        .filter_level(log::LevelFilter::Info)
-        .target(env_logger::Target::Stdout)
-        .init();
-
-    crypto::init()?;
-    let time_updater = coarsetime::Updater::new(1000).start()?;
     let matches = clap::command!()
         .arg(
             Arg::new("config")
@@ -577,8 +596,31 @@ fn main() -> Result<(), Error> {
                 .takes_value(false)
                 .help("Only print the connection information and quit"),
         )
+        .arg(
+            Arg::new("debug")
+                .long("debug")
+                .takes_value(false)
+                .help("Enable debug logs"),
+        )
         .get_matches();
 
+    let log_level = if matches.is_present("debug") {
+        log::LevelFilter::Debug
+    } else {
+        log::LevelFilter::Info
+    };
+
+    env_logger::Builder::from_default_env()
+        .write_style(env_logger::WriteStyle::Never)
+        .format_module_path(false)
+        .format_timestamp(None)
+        .filter_level(log_level)
+        .target(env_logger::Target::Stdout)
+        .init();
+
+    crypto::init()?;
+    let time_updater = coarsetime::Updater::new(1000).start()?;
+
     let config_path = matches.value_of("config").unwrap();
     let config = Config::from_path(config_path)?;
     if let Err(e) = set_limits(&config) {
@@ -693,14 +735,14 @@ fn main() -> Result<(), Error> {
     let hasher = SipHasher13::new_with_keys(sh_k0, sh_k1);
 
     let cache = Cache::new(
-        ClockProCache::new(cache_capacity)
+        SieveCache::new(cache_capacity)
             .map_err(|e| anyhow!("Unable to create the DNS cache: [{}]", e))?,
         config.cache_ttl_min,
         config.cache_ttl_max,
         config.cache_ttl_error,
     );
     let cert_cache = Cache::new(
-        ClockProCache::new(RELAYED_CERT_CACHE_SIZE)
+        SieveCache::new(RELAYED_CERT_CACHE_SIZE)
             .map_err(|e| anyhow!("Unable to create the relay cert cache: [{}]", e))?,
         RELAYED_CERT_CACHE_TTL,
         RELAYED_CERT_CACHE_TTL,

undelegated.txt

@@ -111,6 +111,7 @@ domain
 envoy
 example
 f.f.ip6.arpa
+fritz.box
 grp
 gw==
 home
@@ -128,6 +129,7 @@ local
 localdomain
 localhost
 localnet
+mail
 modem
 mynet
 myrouter