On Wed, Nov 04, 2020 at 03:07:22PM +0100, Emeric Brun wrote:
> Hi Dinko,
>
> > Sadly I haven't had Kube-DNS anywhere and I think that CoreDNS is supposed
> > to be the way to go from Kube-DNS. Hope this helps.
> It does.
>
> Really appreciate!
Actually this tends to confirm our preliminary thoughts, which are that if some people absolutely want to load-balance DNS on haproxy, they'll have to comply with some supported features, or look for something else. I think it's a reasonable tradeoff because those who insist on this are also those who want to use so-called "modern" tools (placing "modern" and DNS in the same sentence always leaves me a strange feeling that something 37 years old is still modern).

@Lukas, to respond to your concern, I don't like DNS either, but I hate much more strongly the noise that some people regularly make about "UDP support", which when you ask is for syslog and DNS (both being the wrong way to proceed, proving they don't even understand what they're asking for).

Now with 2.3, syslog is handled like a proxy should do, which is not by blindly forwarding datagrams and causing trouble on the server, but instead by passing the messages, possibly re-encoding them according to the desired RFC level and adapting udp/tcp/stdout/whatever in any sense.

The other one that remains now is DNS. I personally consider that it's stupid to want to LB inbound DNS with no added value; LVS will do it better and will scale better. In addition, if the reason is a matter of load, then one should really wonder if the LB will not reach limits before the server, having more than twice the work to do.

However there could be a few compelling cases where doing it correctly could add some value. By correctly I mean that we'd typically receive mostly UDP datagrams and aggregate them over TCP connections. In this case it could make sense as a protocol accelerator/offloader/translator like haproxy already does for HTTP or TLS. In addition it might be possible to implement some short time caching to save on the internal bandwidth. Maybe later some of the DNSSEC job could be offloaded by haproxy, I don't know.

So that's where I draw the frontier. Blind UDP, no, only morons want this in a userland proxy. Value-added UDP-based services, why not if it can be demonstrated that it does really bring some value and aligns well with what we already do around.

Cheers,
Willy
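The UDP-to-TCP aggregation Willy describes above comes down to RFC 1035 section 4.2.2 framing: each DNS message carried over TCP is prefixed with a two-octet big-endian length, so several UDP queries can share one TCP connection and the responses have to be split apart again, including when a length prefix or body arrives across two reads. The example below is added here to illustrate that mechanism; it is not haproxy code, and `build_query`, `frame_for_tcp` and `TcpDnsDeframer` are hypothetical names with a constructed sample query.

```python
import struct

def build_query(qname: str, txid: int) -> bytes:
    """Constructed minimal DNS query: 12-byte header + one A/IN question (RFC 1035 s4.1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD set; QDCOUNT=1
    labels = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)   # root label, QTYPE=A, QCLASS=IN

def frame_for_tcp(datagrams) -> bytes:
    """Aggregate UDP-sized DNS messages onto one TCP stream (RFC 1035 s4.2.2 length prefix)."""
    out = bytearray()
    for d in datagrams:
        if len(d) > 0xFFFF:
            raise ValueError("DNS message too large for the 16-bit TCP length prefix")
        out += struct.pack("!H", len(d)) + d
    return bytes(out)

class TcpDnsDeframer:
    """Incremental parser for the TCP side: feed arbitrary chunks, get back whole messages.
    A prefix or body split across reads is buffered until it is complete."""
    def __init__(self):
        self.buf = bytearray()

    def feed(self, chunk: bytes):
        self.buf += chunk
        msgs = []
        while len(self.buf) >= 2:
            (n,) = struct.unpack("!H", self.buf[:2])
            if n == 0:
                raise ValueError("zero-length DNS message on TCP stream")
            if len(self.buf) < 2 + n:
                break                                   # body not fully received yet
            msgs.append(bytes(self.buf[2:2 + n]))
            del self.buf[:2 + n]
        return msgs

def txid_of(msg: bytes) -> int:
    return struct.unpack("!H", msg[:2])[0]

def demo():
    """Two constructed queries multiplexed on one stream and recovered from a split read."""
    queries = [build_query("example.com", 0x1234), build_query("example.org", 0x5678)]
    stream = frame_for_tcp(queries)
    deframer = TcpDnsDeframer()
    got = deframer.feed(stream[:7]) + deframer.feed(stream[7:])   # first read cuts mid-message
    return [txid_of(m) for m in got]
```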