* Petr Menšík:

>> Fedora made the decision to promote systemd-resolved as a local DNS
>> cache.  To me, that means that we can gradually remove other DNS caches
>> from the distribution.

> I maintain also dnsmasq and I doubt there is reason to remove it from
> the distribution. I would oppose if anyone intented to do it.

dnsmasq has other uses in the distribution, see e.g. libvirt.  We don't
quite see that for nscd anymore.

>> There seem to be a lot of misconceptions about what nscd does and which
>> benefits it brings (see the claim about increased privacy).  So I think
>> it's important to be precise here.

> I expect it would only cache simple name:ip pairs, nothing more. No, I
> doubt nscd can bring any additional privacy.

Ahem.  Name/sets of addresses, which covers negative caching as well.

>> 
>> From my point of view, nscd is not a very satisfactory solution for DNS
>> caching because it can't do DNSSEC, it can't do recursion, it can't do
>> prefetching, it doesn't have a good way to detect dead servers, it can't
>> inject local stub zones, and so on.

> We can argue whether people need DNSSEC. Systemd-resolved cannot work
> with it correctly and it actively BREAKS its usage. Just like dnsmasq,
> nscd just caches and no more. It usually does not break anything. I
> think it preserves most features of libnss_dns.so behaviour. No
> recursion, dead servers detection or injecting local zones is required.
> It is not done without the cache anyway. Dead servers detection could be
> improved I think.

Dead server detection is what people expect that have migrated from
other systems.  dnsmasq has a rudimentary form of it:

          /* In strict_order mode, always try servers in the order 
             specified in resolv.conf, if a domain is given 
             always try all the available servers,
             otherwise, use the one last known to work. */

I think that probably covers 80% of the use cases.

(This really needs a separate daemon that centralizes the state, so that
processes that just do one DNS query and exit can pick the right
upstream server for the query.)

>> I also think that not changing /etc/resolv.conf isn't a feasible goal
>> because that's the file applications use to locate the system DNS
>> resolver if they can't use the glibc interfaces for some reason.

> Sure. If they can't use glibc interface, they would not use nscd. That
> clearly its advantage!

Typically, they still want a reliable DNS service, and in some
deployment scenarios, that basically needs a local caching stub that
does some rudimentary form of dead-server detection.

> It does not have to implement dnssec or edns0, because getaddrinfo api
> does not include such flags. If clients needs advanced usage, unlike
> systemd-resolved, it does not stand in the way. I think this is the
> greatest advantage. Advanced uses can work around only a simple
> service without problem. They don't collide.

They still suffer from the lack of local cache.  I think the local cache
is highly beneficially and important to Fedora, so I'm excited that we
finally got one by default in Fedora 33.

>> The big one is the general cache instability:
>> 
>>   nscd: Concurrency issues with cache.
>>   <https://sourceware.org/bugzilla/show_bug.cgi?id=25888>
>> 
>> (Internal bug #1172792.)
> This bug reminds me bug #1740511 [1], which was very hard for me. Later,
> mlichvar discovered real reason for it. Atomic operations required
> different flags to atomic operations. ppc64le platform has different
> memory ordering than x86_64, where it worked flawlessly. It crashed
> often just on ppc64le. Our fix was to switch to memory_order_acquire,
> where integrity was enforced properly. I have seen relaxed in bug
> attached patches, would recommend checking it out.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1740511
> https://en.cppreference.com/w/c/atomic/memory_order

We had someone look at this who literally has a PhD in this area
(software transactional memory).  And yet here were are. 8-(

>> Related to DNS data, there are bunch of issues that need investigating
>> or fixing:
>> 
>>   getaddrinfo drops ipv6 V4MAPPED addresses from ncsd results
>>   <https://sourceware.org/bugzilla/show_bug.cgi?id=26630>
>> 
>>   Problems with nscd and systemd-resolved interactions on IPv6 network.
>>   <https://sourceware.org/bugzilla/show_bug.cgi?id=23546>
>> 
>>   nscd doesn't cache record containing more than one IP address.
>>   <https://sourceware.org/bugzilla/show_bug.cgi?id=15862>
>> 
>>   Reload nscd cache entry even if its timeout is equal to the current time
>>   <https://sourceware.org/bugzilla/show_bug.cgi?id=13931>
>> 
>>   hosts caching does not respect TTL, and caches old IP's
>>   <https://sourceware.org/bugzilla/show_bug.cgi?id=4428>

> Is there any design document about nscd?

Not really, it's necessary to reconstruct this from the implementation.

> How are interfaces to cache implemented from glibc? Is connection to
> nscd hardocoded in gethostbyname and getaddrinfo functions?

It's code under USE_NSCD conditionals.  The NSS functions in glibc are
mostly generated through template files put through the C preprocessor
(nss/getXXbyYY_r.c).

It's certainly non-trivial to fix all this.  And Fedora still defaults
to systemd-resolved even if we continue to ship a fixed nscd.  As I said
before, the hosts cache is the weakest part of nscd, and where many
alternatives exist, so if you approach nscd from this angle, I'm not
sure if this is a good way to spend your resources.

Thanks,
Florian
-- 
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org

Reply via email to