[Dnssec-trigger] patch to fix the dnssec-trigger fallback issue

Tomas Hozza thozza at redhat.com
Wed Aug 13 15:46:55 UTC 2014

Hi Wouter.

On Wed 13 Aug 2014 04:57:22 PM CEST, W.C.A. Wijngaards wrote:
> Hi Pavel,
> On 08/13/2014 04:31 PM, Pavel Simerda wrote:
>> Hi,
>> just found where the problem with not using the fallback
>> configuration was. All the details are in the Fedora bugzilla
>> ticket[1]. I didn't do any more extensive research but it
>> basically seems that after planning the direct probe we need to
>> also plan the tcpdns probe *before* the direct probe finishes and
>> prevents the tcpdns one from being planned.
> You seem to want dnssec-trigger to probe in a different sequence of
> fallback methods?
> At the design time the direct method was thought to be a better method
> than using a public-recursor fallback.  The traffic on authority
> servers was not considered a problem.
> The bugzilla ticket is solving something which is not a bug but a
> feature.  Designed in, as the order of the probes performed.
> The aim for the initial design was also to reduce load on that public
> resolver (hosted by us in the generic package).
> The direct (direct to authority servers) method works very often.  And
> when it does it is very likely to produce DNSSEC support.

For some reason I thought that fall-back servers were used before the
root servers. However I can see that it is the other way around when
reading the dnssec-trigger project page.

We consider offloading root servers a good thing. I agree with you that
in this case it is more of a feature request. Maybe it could be made
configurable. We have our own Fedora infrastructure, so we will not
increase the load on your servers.

The problem I see is the situation when you want to use DNS over SSL,
because full recursion is blocked. Then it would make sense to actually
try the fall-back configuration first.

However Pavel will know more, since he debugged the daemon to find the
cause in source.

> Your patch also seems to have a race condition, I think, since you
> spawn both the direct and the dnstcp probes at the same time.
> Best regards,
>    Wouter
>> Pavel
>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1109292


-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

Red Hat Inc.                               http://cz.redhat.com