[Dnssec-trigger] patch to fix the dnssec-trigger fallback issue
thozza at redhat.com
Wed Aug 13 15:46:55 UTC 2014
On Wed 13 Aug 2014 04:57:22 PM CEST, W.C.A. Wijngaards wrote:
> Hi Pavel,
> On 08/13/2014 04:31 PM, Pavel Simerda wrote:
>> just found where the problem with not using the fallback
>> configuration was. All the details are in the Fedora bugzilla
>> ticket. I didn't do any more extensive research but it
>> basically seems that after planning the direct probe we need to
>> also plan the tcpdns probe *before* the direct probe finishes and
>> prevents the tcpdns one from being planned.
> You seem to want dnssec-trigger to probe in a different sequence of
> fallback methods?
> At the design time the direct method was thought to be a better method
> than using a public-recursor fallback. The traffic on authority
> servers was not considered a problem.
> The bugzilla ticket is solving something which is not a bug but a
> feature. Designed in, as the order of the probes performed.
> The aim for the initial design was also to reduce load on that public
> resolver (hosted by us in the generic package).
> The direct (direct to authority servers) method works very often. And
> when it does it is very likely to produce DNSSEC support.
For some reason I thought that fall-back servers were used before the
root servers. However I can see that it is the other way around when
reading the dnssec-trigger project page.
We consider offloading root servers a good thing. I agree with you that
in this case it is more of a feature request. Maybe it could be made
configurable. We have our own Fedora infrastructure, so we will not increase
the load on your servers.
The problem I see is the situation when you want to use DNS over SSL,
because full recursion is blocked. Then it would make sense to actually
try the fall-back configuration first.
However Pavel will know more, since he debugged the daemon to find the
cause in the source.
> Your patch also seems to have a race condition, I think, since you
> spawn both the direct and the dnstcp probes at the same time.
> Best regards,
>>  https://bugzilla.redhat.com/show_bug.cgi?id=1109292
Software Engineer - EMEA ENG Developer Experience
Red Hat Inc. http://cz.redhat.com