* Petr Menšík: >> Fedora made the decision to promote systemd-resolved as a local DNS >> cache. To me, that means that we can gradually remove other DNS caches >> from the distribution.
> I maintain also dnsmasq and I doubt there is reason to remove it from > the distribution. I would oppose if anyone intented to do it. dnsmasq has other uses in the distribution, see e.g. libvirt. We don't quite see that for nscd anymore. >> There seem to be a lot of misconceptions about what nscd does and which >> benefits it brings (see the claim about increased privacy). So I think >> it's important to be precise here. > I expect it would only cache simple name:ip pairs, nothing more. No, I > doubt nscd can bring any additional privacy. Ahem. Name/sets of addresses, which covers negative caching as well. >> >> From my point of view, nscd is not a very satisfactory solution for DNS >> caching because it can't do DNSSEC, it can't do recursion, it can't do >> prefetching, it doesn't have a good way to detect dead servers, it can't >> inject local stub zones, and so on. > We can argue whether people need DNSSEC. Systemd-resolved cannot work > with it correctly and it actively BREAKS its usage. Just like dnsmasq, > nscd just caches and no more. It usually does not break anything. I > think it preserves most features of libnss_dns.so behaviour. No > recursion, dead servers detection or injecting local zones is required. > It is not done without the cache anyway. Dead servers detection could be > improved I think. Dead server detection is what people expect that have migrated from other systems. dnsmasq has a rudimentary form of it: /* In strict_order mode, always try servers in the order specified in resolv.conf, if a domain is given always try all the available servers, otherwise, use the one last known to work. */ I think that probably covers 80% of the use cases. (This really needs a separate daemon that centralizes the state, so that processes that just do one DNS query and exit can pick the right upstream server for the query.) >> I also think that not changing /etc/resolv.conf isn't a feasible goal >> because that's the file applications use to locate the system DNS >> resolver if they can't use the glibc interfaces for some reason. > Sure. If they can't use glibc interface, they would not use nscd. That > clearly its advantage! Typically, they still want a reliable DNS service, and in some deployment scenarios, that basically needs a local caching stub that does some rudimentary form of dead-server detection. > It does not have to implement dnssec or edns0, because getaddrinfo api > does not include such flags. If clients needs advanced usage, unlike > systemd-resolved, it does not stand in the way. I think this is the > greatest advantage. Advanced uses can work around only a simple > service without problem. They don't collide. They still suffer from the lack of local cache. I think the local cache is highly beneficially and important to Fedora, so I'm excited that we finally got one by default in Fedora 33. >> The big one is the general cache instability: >> >> nscd: Concurrency issues with cache. >> <https://sourceware.org/bugzilla/show_bug.cgi?id=25888> >> >> (Internal bug #1172792.) > This bug reminds me bug #1740511 [1], which was very hard for me. Later, > mlichvar discovered real reason for it. Atomic operations required > different flags to atomic operations. ppc64le platform has different > memory ordering than x86_64, where it worked flawlessly. It crashed > often just on ppc64le. Our fix was to switch to memory_order_acquire, > where integrity was enforced properly. I have seen relaxed in bug > attached patches, would recommend checking it out. > > https://bugzilla.redhat.com/show_bug.cgi?id=1740511 > https://en.cppreference.com/w/c/atomic/memory_order We had someone look at this who literally has a PhD in this area (software transactional memory). And yet here were are. 8-( >> Related to DNS data, there are bunch of issues that need investigating >> or fixing: >> >> getaddrinfo drops ipv6 V4MAPPED addresses from ncsd results >> <https://sourceware.org/bugzilla/show_bug.cgi?id=26630> >> >> Problems with nscd and systemd-resolved interactions on IPv6 network. >> <https://sourceware.org/bugzilla/show_bug.cgi?id=23546> >> >> nscd doesn't cache record containing more than one IP address. >> <https://sourceware.org/bugzilla/show_bug.cgi?id=15862> >> >> Reload nscd cache entry even if its timeout is equal to the current time >> <https://sourceware.org/bugzilla/show_bug.cgi?id=13931> >> >> hosts caching does not respect TTL, and caches old IP's >> <https://sourceware.org/bugzilla/show_bug.cgi?id=4428> > Is there any design document about nscd? Not really, it's necessary to reconstruct this from the implementation. > How are interfaces to cache implemented from glibc? Is connection to > nscd hardocoded in gethostbyname and getaddrinfo functions? It's code under USE_NSCD conditionals. The NSS functions in glibc are mostly generated through template files put through the C preprocessor (nss/getXXbyYY_r.c). It's certainly non-trivial to fix all this. And Fedora still defaults to systemd-resolved even if we continue to ship a fixed nscd. As I said before, the hosts cache is the weakest part of nscd, and where many alternatives exist, so if you approach nscd from this angle, I'm not sure if this is a good way to spend your resources. Thanks, Florian -- Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org