[Dnssec-trigger] patch to fix the dnssec-trigger fallback issue
Tomas Hozza
thozza at redhat.com
Wed Aug 13 15:46:55 UTC 2014

Hi Wouter.

On Wed 13 Aug 2014 04:57:22 PM CEST, W.C.A. Wijngaards wrote:
> Hi Pavel,
>
> On 08/13/2014 04:31 PM, Pavel Simerda wrote:
>> Hi,
>
>> just found where the problem with not using the fallback
>> configuration was. All the details are in the Fedora bugzilla
>> ticket[1]. I didn't do any more extensive research but it
>> basically seems that after planning the direct probe we need to
>> also plan the tcpdns probe *before* the direct probe finishes and
>> prevents the tcpdns one from being planned.
>
> You seem to want dnssec-trigger to probe in a different sequence of
> fallback methods?
>
> At the design time the direct method was thought to be a better method
> than using a public-recursor fallback. The traffic on authority
> servers was not considered a problem.
>
> The bugzilla ticket is solving something which is not a bug but a
> feature. Designed in, as the order of the probes performed.
>
> The aim for the initial design was also to reduce load on that public
> resolver (hosted by us in the generic package).
>
> The direct (direct to authority servers) method works very often. And
> when it does it is very likely to produce DNSSEC support.
For some reason I thought that fall-back servers were used before the
root servers. However I can see that it is the other way around when
reading the dnssec-trigger project page.
We consider offloading root servers a good thing. I agree with you that
in this case it is more of a feature request. Maybe it could be made
configurable. We have own Fedora infrastructure, so we will not increase
the load on your servers.
The problem I see is the situation when you want to use DNS over SSL,
because full recursion is blocked. Then it would make sense to actually
try the fall-back configuration first.
However Pavel will know more, since he debugged the daemon to find the
cause in source.
> Your patch also seems to have a race condition, I think, since you
> spawn both the direct and the dnstcp probes at the same time.
>
> Best regards,
> Wouter
>
>> Pavel
>
>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1109292
>
>

Thanks.

Regards,
--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience
PGP: 1D9F3C2D
Red Hat Inc. http://cz.redhat.com