From: Jan Broer
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: Re: Would love to see reconsideration for domain and search
Date: Fri, 23 Oct 2015 17:30:32 +0200
Reply-To: musl@lists.openwall.com
To: musl@lists.openwall.com
Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm
Archived-At: nntp://news.gmane.org/gmane.linux.lib.musl.general/8744

A very interesting discussion going on here.

> You can't query all nameservers and just take
> the first NXDOMAIN to respond. You can only accept NXDOMAIN if all of
> the higher-priority (listed first in resolv.conf) nameservers have
> timed out or SERVFAIL'ed. You can issue queries in parallel, but you
> must process responses in order, which is what you describe below.

GNU libc resolver gives priority to the primary nameserver because it assumes that this is the one with the lowest RTT / highest availability. This prioritization was never understood as meaning that the primary server's records are more "authoritative" than those of secondary nameservers.

> My view has always been that multiple
> nameservers in resolv.conf are for redundancy, not for serving
> conflicting records.

I agree.

> I have to disagree. Some non-forwarding DNS servers use SERVFAIL to
> indicate "I am not serving for that domain" specifically to make the
> client move to their next nameserver. If ns1 returns SERVFAIL, try
> ns2. If ns1 times out, try ns2. Otherwise what good is ns2?

This kind of result unioning you want from musl-libc isn't even supported by the GNU libc resolver. Yes, it works for you, but this is because your DNS server is breaking the DNS RFC specs: SERVFAIL is not a technically legal response for "I am not serving for that domain". It's just WRONG. When an authoritative server (which the Kubernetes DNS server is) doesn't serve a specific zone it has to respond with NXDOMAIN. Of course, if your server followed the rules, then that type of result unioning wouldn't work, because the GNU libc resolver does not fail over to secondary servers when the response is NXDOMAIN.

It's just a weak argument to essentially say: "The GNU libc resolver does exactly what I want when I point it to my broken DNS server, why can't musl-libc?".

The bottom line:

Leave nameserver querying logic as it is: Check!
Implement search paths: Check!
Consider ndots option in resolv.conf: Check!

query name <= ndots: search first
query name > ndots : never search

LGTM!

Jan
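The two resolver rules the message settles on, as an added example that is not part of the original post and not code from musl or glibc: replies from the nameservers are processed in resolv.conf order, so an NXDOMAIN (or answer) from a higher-priority server is final and lower-priority servers are only consulted when the ones before them timed out or returned SERVFAIL; and the search list is applied only to names with at most ndots dots, exactly as the message states the rule (glibc's own threshold differs slightly, so the `<=` here follows the message, not glibc). The nameservers, zone data and addresses are constructed for the simulation; `FakeServer`, `ResolvConf`, `query_candidates`, `resolve_one` and `lookup` are names chosen here. The scenario also reproduces the thread's point: a "not my zone" SERVFAIL from the first server makes the second server's records visible, while the RFC-conformant NXDOMAIN does not.

```python
"""Simulation of resolv.conf nameserver ordering and search/ndots handling.
Added example; not musl or glibc code. All servers and records are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Reply = Optional[Tuple[str, Optional[str]]]  # None models a timeout


@dataclass
class ResolvConf:
    """The resolv.conf options the thread discusses (nameservers are passed separately, in order)."""
    search: List[str] = field(default_factory=list)
    ndots: int = 1


class FakeServer:
    """A constructed nameserver. `miss` is what it says about names outside its zones:
    'NXDOMAIN' (RFC-conformant authoritative behaviour) or 'SERVFAIL' (the non-conformant
    'go ask the next server' hack the thread criticises). `down=True` models a timeout."""

    def __init__(self, records: Dict[str, str], miss: str = "NXDOMAIN", down: bool = False):
        self.records, self.miss, self.down = records, miss, down

    def query(self, fqdn: str) -> Reply:
        if self.down:
            return None
        if fqdn in self.records:
            return ("ANSWER", self.records[fqdn])
        return (self.miss, None)


def query_candidates(name: str, conf: ResolvConf) -> List[str]:
    """Names to try, in order, following the rule as the message states it:
    dots <= ndots -> search domains first, then the bare name; dots > ndots -> never search.
    A trailing dot marks an absolute name, which is never searched either."""
    if name.endswith("."):
        return [name]
    if name.count(".") <= conf.ndots:
        return [f"{name}.{domain}." for domain in conf.search] + [name + "."]
    return [name + "."]


def resolve_one(fqdn: str, servers: List[FakeServer]) -> Tuple[str, Optional[str]]:
    """Send the query to every server (a real resolver may do this in parallel) and process
    the replies strictly in resolv.conf order: the first server that neither timed out nor
    returned SERVFAIL decides the outcome, whether that is an answer or NXDOMAIN."""
    replies = [server.query(fqdn) for server in servers]
    for reply in replies:
        if reply is None or reply[0] == "SERVFAIL":
            continue  # this server failed; only now may a lower-priority one be heard
        return reply
    return ("TEMPFAIL", None)  # every server failed


def lookup(name: str, conf: ResolvConf, servers: List[FakeServer]) -> Tuple[str, Optional[str]]:
    """Search-list driver: NXDOMAIN for one candidate moves on to the next; an answer or a
    temporary failure ends the lookup."""
    outcome: Tuple[str, Optional[str]] = ("NXDOMAIN", None)
    for fqdn in query_candidates(name, conf):
        outcome = resolve_one(fqdn, servers)
        if outcome[0] != "NXDOMAIN":
            break
    return outcome


# Constructed scenario: a cluster DNS server listed first, a corporate resolver second.
CONF = ResolvConf(search=["default.svc.cluster.local", "svc.cluster.local"], ndots=1)
KUBE = FakeServer({"web.default.svc.cluster.local.": "10.0.0.5"})          # conformant
KUBE_SERVFAIL = FakeServer(KUBE.records, miss="SERVFAIL")                    # the hack
KUBE_DOWN = FakeServer(KUBE.records, down=True)                              # timing out
CORP = FakeServer({"intranet.example.com.": "192.0.2.10"})

if __name__ == "__main__":
    print("web            ->", lookup("web", CONF, [KUBE, CORP]))
    print("intranet (ok)  ->", lookup("intranet.example.com", CONF, [KUBE, CORP]))
    print("intranet (hack)->", lookup("intranet.example.com", CONF, [KUBE_SERVFAIL, CORP]))
    print("intranet (down)->", lookup("intranet.example.com", CONF, [KUBE_DOWN, CORP]))
```

Run stand-alone, the script shows that the short name `web` is found through the search list, that `intranet.example.com` (two dots, above ndots) is never searched and ends in NXDOMAIN because the conformant first server says so, and that the second server's record only surfaces when the first server SERVFAILs or times out, which is the behaviour the message describes for the GNU libc resolver.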