From: Tim Hockin <thockin@google.com>
To: musl@lists.openwall.com
Subject: Re: Re: Would love to see reconsideration for domain and search
Date: Thu, 22 Oct 2015 22:13:18 -0700 [thread overview]
Message-ID: <CAO_RewaUW85fGNd9VC6W1oFMm9wScshVhXKXCSzH07ketAuuMA@mail.gmail.com> (raw)
In-Reply-To: <20151023042720.GE8645@brightrain.aerifal.cx>
On Thu, Oct 22, 2015 at 9:27 PM, Rich Felker <dalias@libc.org> wrote:
> On Thu, Oct 22, 2015 at 04:37:18PM -0700, Tim Hockin wrote:
>> On Thu, Oct 22, 2015 at 4:00 PM, Josiah Worcester <josiahw@gmail.com> wrote:
>> > On Thu, Oct 22, 2015 at 3:37 PM Tim Hockin <thockin@google.com> wrote:
>> >>
>> >> On Thu, Oct 22, 2015 at 2:56 PM, Rich Felker <dalias@libc.org> wrote:
>> >> > On Thu, Oct 22, 2015 at 02:24:11PM -0700, Tim Hockin wrote:
>> >> >> Hi all,
>> >> >>
>> >> >> I saw this thread on the web archive but am not sure how to respond to
>> >> >> the thread directly as a new joinee of the ML. I hope this finds its
>> >> >> way...
>> >> >
>> >> > No problem; just starting a new thread like this and quoting the old
>> >> > one is fine.
>> >> >
>> >> >> I am one of the developers of Kubernetes and I own the DNS portion, in
>> >> >> particular. I desperately want to use Alpine Linux (based on musl)
>> >> >> but for now I have to warn people NOT to use it because of this issue.
>> >> >>
>> >> >> On Fri, Sep 04, 2015 at 02:04:29PM -0400, Rich Felker wrote:
>> >> >> > On Fri, Sep 04, 2015 at 12:11:36PM -0500, Andy Shinn wrote:
>> >> >> >> I'm writing the wonderful musl project today to open discussion
>> >> >> >> about the future possibility of DNS search and domain keyword
>> >> >> >> support. We've been using musl libc (by way of Alpine Linux) for
>> >> >> >> new development of applications as containers that discover each
>> >> >> >> other through DNS and other software defined networking.
>> >> >> >>
>> >> >> >> In particular, we are starting to use applications like SkyDNS,
>> >> >> >> Consul, and Kubernetes, all of which rely on local name
>> >> >> >> resolution in some way using search paths. Many users of the
>> >> >> >> Alpine Linux container image have also expressed their desire for
>> >> >> >> this feature at
>> >> >> >> https://github.com/gliderlabs/docker-alpine/issues/8.
>> >> >> >>
>> >> >> >> On the functional differences between glibc page, the domain and
>> >> >> >> search keyword "Support may be added in the future if there is
>> >> >> >> demand". So please consider this request an addition to whatever
>> >> >> >> demand for the feature already exists.
>> >> >> >>
>> >> >> >> Thank you for your time and great work on the musl libc project!
>> >> >> >
>> >> >> > I think this is a reasonable request. I'll look into it more.
>> >> >> >
>> >> >> > One property I do not want to break is deterministic results, so
>> >> >> > when a search is performed, if any step of the search ends with
>> >> >> > an error rather than a positive or negative result, the whole
>> >> >> > lookup needs to stop and report the error rather than falling
>> >> >> > back. Falling back is not safe and creates a situation where DoS
>> >> >> > can be used to control which results are returned.
>> >> >>
>> >> >> I understand your point, though the world at large tends to disagree.
>> >> >> Everyone has a primary and secondary `nameserver` record (or should).
>> >> >> If the first one times out, try the second. Most resolver libs seem
>> >> >> to accept a SERVFAIL response or a timeout as a signal to try the next
>> >> >> server, and I would encourage you to do the same.
>> >> >
>> >> > musl intentionally does not do this because it yields abysmal
>> >> > performance. If the first nameserver is overloaded or the packet is
>> >> > lost, you suffer several-second lookup latency.
>> >>
>> >> But at least it works eventually. You're faced with a choice. Wait 2
>> >> seconds for ns1 to timeout and then fail in a way that most apps don't
>> >> handle well or wait for 2 seconds and then (usually) get a fast
>> >> response from ns2.
>> >>
>> >> It seems better in every way to eventually succeed, though I agree
>> >> it's a bit less visible.
>> >
>> >
>> > With musl's current design, you get a request to ns1 and ns2, and the first
>> > authoritative response wins. So, if ns1 fails then all is well and
>> > performance isn't even notably impacted. What you are describing appears to
>> > be how you would *have* to implement it if you decide against considering
>> > all servers equal, but instead try and serve the union of their responses
>> > (that is, wait for timeout and then fail).
>>
>> The authoritative-ness is a dimension I had not considered. I could
>> believe that the first authoritative answer wins, but what if you only
>> get a non-authoritative answer? from ns1 and ns2 never responds?
>
> I don't think Josiah's use of "authoritative" here is consistent with
> what musl actually does, and it's likely not a useful dimension. A
> stub resolver is generally not intended to communicate with
> authoritative nameservers. The current behavior is that a positive or
> negative (nxdomain) result is treated as concluding the query, and
> other results (servfail, refused, etc.) are treated as inconclusive
> and allow the query to continue until it times out. (Also, servfail
> results in a limited number of immediate retries; this behavior was
> arrived at based on the behavior of nameservers that fail with
> servfail.)
>
>> > Consider what would happen if ns1 and ns2 have different responses, but ns1
>> > for whatever reason times out (potentially an attacker). Then you get the
>> > results for ns2, even though ns1 is intended to override it.
>>
>> I agree in theory. And yet this is how most resolvers work today.
>> Are they all broken?
>
> No, the resolvers are not broken. The configuration is, at least the
> way I see it. The intent of the resolvers is that they're
> communicating with redundant servers, not a sequence of overlaid
> hostname databases. If that assumption is satisfied, there's no
> problem.
The way you see it is not how everyone sees it, obviously. And
there's not a standard or spec here that I know of. That said, as
before, We can probably live with this assumption.
> BTW I think there are other strong reasons to move to a model based on
> a local nameserver that does the unioning, not just performance. The
> most compelling is DNSSEC, which requires a trusted channel between
> the nameserver and the stub resolver in order for results to be
> meaningful/trusted. In the future everybody should be running a
> nameserver on localhost to do DNSSEC signature validation. In that
> scheme, resolv.conf would just contain 127.0.0.1 (or could be omitted
> entirely since that's the default, at least on musl).
I can see a local nameserver doing resolution, but doing search
expansion seems like a stretch (and superfluous since it is local).
next prev parent reply other threads:[~2015-10-23 5:13 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-22 21:24 Tim Hockin
2015-10-22 21:56 ` Rich Felker
2015-10-22 22:36 ` Tim Hockin
2015-10-22 23:00 ` Josiah Worcester
2015-10-22 23:37 ` Tim Hockin
2015-10-23 4:27 ` Rich Felker
2015-10-23 5:13 ` Tim Hockin [this message]
2015-10-23 5:31 ` Rich Felker
2015-10-23 5:37 ` Tim Hockin
2015-10-23 6:00 ` Rich Felker
2015-10-23 6:04 ` Tim Hockin
2016-01-29 0:57 ` Rich Felker
2015-10-27 0:30 ` Rich Felker
2015-10-27 0:37 ` Tim Hockin
2015-10-27 0:45 ` Rich Felker
2015-10-27 8:11 ` u-uy74
2015-11-28 22:48 ` Jan Broer
2015-11-28 23:20 ` Rich Felker
2015-11-29 3:06 ` Jan Broer
2016-01-29 0:58 ` Rich Felker
2015-10-26 2:14 ` Re: Would not " John Levine
2015-10-26 5:14 ` Tim Hockin
2015-10-26 16:16 ` Rich Felker
2015-10-26 17:41 ` John Levine
2015-10-26 18:08 ` Rich Felker
2015-10-23 8:12 ` Re: Would " u-uy74
2015-10-23 9:35 ` Laurent Bercot
2015-10-23 12:23 ` Laurent Bercot
2015-10-23 15:57 ` Tim Hockin
2015-10-23 5:26 ` Kurt H Maier
2015-10-24 21:33 ` Tim Hockin
2015-10-24 21:57 ` Kurt H Maier
2015-10-24 23:31 ` Rich Felker
2015-10-24 22:02 ` Rich Felker
2015-10-24 22:32 ` Tim Hockin
2015-10-25 8:20 ` u-uy74
2015-10-25 13:06 ` Jan Broer
2015-10-25 13:19 ` u-uy74
2015-10-25 13:39 ` Jan Broer
2015-10-25 14:08 ` u-uy74
2015-10-25 19:08 ` Rich Felker
2015-10-26 1:26 ` Isaac Dunham
2015-10-26 15:35 ` Rich Felker
2015-10-23 15:30 Jan Broer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAO_RewaUW85fGNd9VC6W1oFMm9wScshVhXKXCSzH07ketAuuMA@mail.gmail.com \
--to=thockin@google.com \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).