Re: DNS name resolution should not be done during configuration parsing.

From: David Kerr <david@kerr.net>
To: wireguard@lists.zx2c4.com
Subject: Re: DNS name resolution should not be done during configuration parsing.
Date: Tue, 19 Feb 2019 09:58:16 -0500	[thread overview]
Message-ID: <CAJJxGdGLeg+O2Z3CjfHxKjbJdudMzGRFHF2pnoA89UiOQLEGbQ@mail.gmail.com> (raw)
In-Reply-To: <8f46738a-35bd-8d48-ab0a-aa0c9ed40e8d@trustiosity.com>

[-- Attachment #1.1: Type: text/plain, Size: 3055 bytes --]

I agree.  Wireguard should never terminate because of DNS failure, and
should continue to parse config files for links that may be able to get
established in absence of DNS.  Wireguard also has a significant startup
delay when DNS fails, several seconds while DNS times out, which should be
avoided.

David

On Tue, Feb 19, 2019 at 12:04 AM zrm <zrm@trustiosity.com> wrote:

> On 2/16/19 23:08, Jeffrey Walton wrote:
> > On Sat, Feb 16, 2019 at 10:35 PM David Kerr <david@kerr.net> wrote:
> >>
> >> Erik, see here for a proposed fix.  No response from the WireGuard team
> yet.
> >>
> >> https://lists.zx2c4.com/pipermail/wireguard/2019-January/003842.html
> >>
> >> Recently I had a power outage and both my gateway and cable modem went
> offline. On power recovery both devices start up, but the gateway completes
> startup before the cable modem completes its protocol negotiations, so
> initially the external network (eth0) is not functional.  That comes online
> say one minute later and all is well.
> >>
> >> Except that all is not well.  Wireguard failed to start up because I
> have Endpoint=<a URL> instead of a IP address.  And because external
> interface is not live yet, DNS lookup fails and Wireguard does not
> gracefully handle it.  This is really important because Wireguard may be my
> only way into my local network.
> >>
> >> As work-around I replaced the URL with the IP address... but that is
> not a long term solution if the endpoint is not a static IP address.
> >>
> >> Wireguard needs to handle the situation where external network may not
> have stabilized at the time it starts up.  The above link proposed a fix.
> >
> > Forgive my ignorance... Should init just retry the service start?
> > Something like this (from Systemd):
> >
> >      [Unit]
> >      StartLimitInterval=360
> >      StartLimitBurst=5
> >
> > The statements above say to retry 5 times within 360 seconds.
> >
> > Jeff
>
> The issue is that the service shouldn't terminate over failure to
> resolve an individual endpoint.
>
> Suppose name resolution fails because of a DNS failure rather than a
> network failure. If there are other endpoints configured by address that
> are still reachable, should we give up entirely and not even connect the
> ones that we can? What if one of the endpoints configured by IP address
> is the DNS server?
>
> Pushing this onto init would imply something like separate unit files
> per endpoint, which may complicate things more than simplify them.
>
> It seems like the conflict is that on the one hand, we want to resolve
> the name at connection time rather than configuration time, but on the
> other hand we don't want a DNS resolver in the kernel. How hard would it
> be to call out to a trivial userspace DNS client? This shouldn't be very
> performance sensitive, the results could be cached for the TTL which is
> typically hours or at least minutes.
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
>

[-- Attachment #1.2: Type: text/html, Size: 4190 bytes --]

[-- Attachment #2: Type: text/plain, Size: 148 bytes --]

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard