sock_dodtls: Initial import of a DNS over DTLS client

[miri64]

Contribution description

This introduces DNS over DTLS for RIOT, utilizing the sock API. It is still in an experimental stage, as some fallback features are not supported yet (and might never be):

1. EDNS(0) is required for Path-MTU negotiation, but our packets usually do not get that big, so that's why I left it out for now.
2. The RFC requires servers and clients to implement both DNS over DTLS and DNS over TLS to have a secure fallback if a satisfying Path-MTU cannot be found. Apart from my reasoning for omitting 1. also applying here, I don't think this is a realistic fallback for RIOT. Rather, if for whatever reason DNS over DTLS is not possible due to Path MTU issues, we should recommend the user to use DoC (gcoap_dns: initial import of a DNS over CoAP (DoC) client #16705) instead, once that is in a stable enough state.

Testing procedure

There is a test application, but there is no automation yet (given that scapy does not support DTLS yet, it is also not as easy as with the DNS counter-part). I tested it with my own DNS over DTLS proxy, but there are also other proxies and servers (e.g. https://github.com/folbricht/routedns) that should work with this client. For my proxy, install aiodnsprox and run it with a DTLS frontend:

pip install git+https://github.com/anr-bmbf-pivot/aiodnsprox/
echo "dtls_credentials:
  client_identity: Client_identity
  psk: secretPSK
upstream_dns:
  host: 9.9.9.9" > config.yaml
sudo ip addr add 2001:db8::1 dev tapbr0
sudo ip route add 2001:db8::/64 via fe80::e0bc:7dff:fecb:f550 dev tapbr0
sudo aiodns-prox -C config.yaml -d 2001:db8::1

Just establish a session with the server and try to resolve a name e.g. on native with

> ifconfig 5 add 2001:db8::2
ifconfig 5 add 2001:db8::2
success: added 2001:db8::2/64 to interface 5
> ifconfig
ifconfig
Iface  5  HWaddr: E2:BC:7D:CB:F5:50 
          L2-PDU:1500  MTU:1500  HL:64  Source address length: 6
          Link type: wired
          inet6 addr: fe80::e0bc:7dff:fecb:f550  scope: link  VAL
          inet6 addr: 2001:db8::2  scope: global  VAL
          inet6 group: ff02::1
          inet6 group: ff02::1:ffcb:f550
          inet6 group: ff02::1:ff00:2

> nib route add 5 default fe80::dc1a:a8ff:fe09:45b3
nib route add 5 default fe80::dc1a:a8ff:fe09:45b3
> dodtls server [2001:db8::1] 5853 Client_identity secretPSK
dodtls server [2001:db8::1] 5853 Client_identity secretPSK
DNS server: [2001:db8::1%5]:853
> dodtls request riot-os.org inet6
dodtls request riot-os.org inet6
riot-os.org resolves to 2001:67c:254:b0b0::1

Issues/PRs references

Companion to #16705 but can be merged independently.

[miri64]

Arghs, that was supposed to be a draft PR... Oh well, I did set the WIP label :-)

[chrysn]

Arghs, that was supposed to be a draft PR... Oh well, I _did_ set the WIP label :-)

That button *is* incredibly easy to overlook; took me serious time until I realized how to submit things as a draft in the first place rather than switching over later. Anyway, happy to be subscribed to the issue, although I probably won't get around to a serious look in the next few days.

…

-- To use raw power is to make yourself infinitely vulnerable to greater powers. -- Bene Gesserit axiom

[miri64]

Rebased and adopted for current master. No longer WIP, this was well tested for the experimental evaluation in https://arxiv.org/abs/2207.07486 and I adapted the testing procedures to provide the setup steps for aiodnsprox.

[miri64]

May I squash? Are all comments sufficiently addressed?

[benpicco]

Looks good to me

[miri64]

Squashed