[Dnssec-trigger] patch to fix the dnssec-trigger fallback issue

W.C.A. Wijngaards wouter at nlnetlabs.nl
Wed Aug 13 14:57:22 UTC 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Pavel,

On 08/13/2014 04:31 PM, Pavel Simerda wrote:
> Hi,
> 
> just found where the problem with not using the fallback 
> configuration was. All the details are in the Fedora bugzilla 
> ticket[1]. I didn't do any more extensive research but it
> basically seems that after planning the direct probe we need to
> also plan the tcpdns probe *before* the direct probe finishes and
> prevents the tcpdns one from being planned.

You seem to want dnssec-trigger to probe in a different sequence of
fallback methods?

At the design time the direct method was thought to be a better method
than using a public-recursor fallback.  The traffic on authority
servers was not considered a problem.

The bugzilla ticket is solving something which is not a bug but a
feature.  Designed in, as the order of the probes performed.

The aim for the initial design was also to reduce load on that public
resolver (hosted by us in the generic package).

The direct (direct to authority servers) method works very often.  And
when it does it is very likely to produce DNSSEC support.

Your patch also seems to have a race condition, I think, since you
spawn both the direct and the dnstcp probes at the same time.

Best regards,
   Wouter

> Pavel
> 
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1109292
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJT63zSAAoJEJ9vHC1+BF+NLI0P/1/x29/8kZv5H9hdI6VQJBvp
HjIVUZa5S/ajqLjwtPxXPoVTelwi5uLUSah+1kKc6tJA5oSMnPRuwy3xfVq1FD8J
hP136PzTs8pt/1n9gcU+LPFExWshHQUjC7CHBHgDBt8WSYVqth12aAxAJPgmjsY4
Jr+NmU4jRct/aoVn73fXNqEsJJ6lG0ByvmYETpobRhQncTX868fe0fxLMD5OjZjy
B+uWDokS4Glh2PP5V9/3SuZZBSSFf55HpsnWup5vC+Zt0xuUDpTd4J6Xl4plrJQF
dHaNUgyuiZfZd/osgnDK6PBTXlCH2mpxNo+w8qQx2+tiShmtaGXpq+Y2xQFs815I
z9ZLr6CUfTXvxjyqQKdmyPyGh3858+pLqts98pGq/02R7BbId7BndfxttWg3VnJY
O6a5HgXfbA5ogooQLY8AWgOvrp7maEYDYOfx1v7j1gSkEP4AMTga5IAC/HbBZu+O
nH2sAuuedZqYPsTT5bkApn2epedepji28M67BjYGv3YjgWza4FtrMkgwPlOG63TW
NjhpeLf6qE4MPrOW+PnJE1/mbVGIulhese5fTldjVI0ia4E3ZX0NpIRbJUpoi89s
HF66Cgv7mVogXvT4Nfnh3NHOMNRTMVSk2r2SDafesdqJqy2A48e/VgewR5jNkMgU
BNbOIR02lnHHduNGMKjB
=h46h
-----END PGP SIGNATURE-----

More information about the dnssec-trigger mailing list