Re: Patch for fixing the slow DNS lookup issue

2014-07-25 Thread Jakub Hrozek
On Fri, Jul 25, 2014 at 12:03:27PM +0200, Nikos Mavrogiannopoulos wrote:
> On Fri, 2014-07-25 at 11:13 +0200, Jakub Hrozek wrote:
> 
> > >   https://github.com/bagder/c-ares/pulls
> > 
> > https://github.com/bagder/c-ares/pull/16 - I will ask my RH colleagues
> > about this. There is an effort around DNSSEC in Red Hat development now,
> > but I admit my DNSSEC knowledge is very limited, so I don't feel
> > qualified for a review. As a general note, this should be discussed with
> > the libc folks at the libc-alpha list.
> 
> The co-ordination with the glibc folks would be nice to occur in order
> to have a consistent way to read the trusted nameservers for dnssec.
> These servers need to be marked separately in order to allow the system
> administrator to trust the local verifying unbound server, and not the
> dns server of the hotel he just got DHCP, for dnssec verification. This
> is important as the patch adds non-validating dnssec support and relies
> on the upstream server to do validation; the advantage is that it avoids
> any crypto dependencies.
> 
> Unfortunately the (months-long) discussion on libc-alpha didn't end in
> anything productive, hence I implemented what I thought best, i.e., a
> separate resolv-sec.conf file. That part is separated from the rest of
> the functionality (the last patch in pull request), and I'd be happy to
> update it if you have a better idea.
> 
> If you have better communication skills than me you may want to resume
> the discussion in libc-alpha (or some other libc people like the
> freebsd).

I will first try to talk to Petr Spacek, who is the DNS guy on our team,
before talking to the glibc people..

> Nevertheless, in glibc my understanding is that they don't
> plan to implement anything dnssec related anytime soon, so even if an
> agreement is made that may not be binding to them. Overall, I think it
> would be nice for c-ares to have that functionality even if glibc
> doesn't.

Right, last time I heard, even systemd folks were dabbling with the
idea.

I personally don't have a problem with out-of-glibc implementation,
after all, c-ares is a parallel DNS stack as well. What I would like to
avoid is a scenario where you would configure DNSSEC by following steps
A,B,C for c-ares and steps X,Y,Z for systemd/glibc/whatever.


Re: Patch for fixing the slow DNS lookup issue

2014-07-25 Thread Nikos Mavrogiannopoulos
On Fri, 2014-07-25 at 11:13 +0200, Jakub Hrozek wrote:

> >   https://github.com/bagder/c-ares/pulls
> 
> https://github.com/bagder/c-ares/pull/16 - I will ask my RH colleagues
> about this. There is an effort around DNSSEC in Red Hat development now,
> but I admit my DNSSEC knowledge is very limited, so I don't feel
> qualified for a review. As a general note, this should be discussed with
> the libc folks at the libc-alpha list.

The co-ordination with the glibc folks would be nice to occur in order
to have a consistent way to read the trusted nameservers for dnssec.
These servers need to be marked separately in order to allow the system
administrator to trust the local verifying unbound server, and not the
dns server of the hotel he just got DHCP, for dnssec verification. This
is important as the patch adds non-validating dnssec support and relies
on the upstream server to do validation; the advantage is that it avoids
any crypto dependencies.

Unfortunately the (months-long) discussion on libc-alpha didn't end in
anything productive, hence I implemented what I thought best, i.e., a
separate resolv-sec.conf file. That part is separated from the rest of
the functionality (the last patch in pull request), and I'd be happy to
update it if you have a better idea.

If you have better communication skills than me you may want to resume
the discussion in libc-alpha (or some other libc people like the
freebsd). Nevertheless, in glibc my understanding is that they don't
plan to implement anything dnssec related anytime soon, so even if an
agreement is made that may not be binding to them. Overall, I think it
would be nice for c-ares to have that functionality even if glibc
doesn't.

regards,
Nikos




Re: Patch for fixing the slow DNS lookup issue

2014-07-25 Thread Jakub Hrozek
On Fri, Jul 25, 2014 at 10:50:47AM +0200, Daniel Stenberg wrote:
> On Fri, 25 Jul 2014, David Drysdale wrote:
> 
> >Pushed.  Hopefully it might help a bit.
> 
> Speaking of that, we have three old pull requests pending:
> 
>   https://github.com/bagder/c-ares/pulls

https://github.com/bagder/c-ares/pull/16 - I will ask my RH colleagues
about this. There is an effort around DNSSEC in Red Hat development now,
but I admit my DNSSEC knowledge is very limited, so I don't feel
qualified for a review. As a general note, this should be discussed with
the libc folks at the libc-alpha list.

https://github.com/bagder/c-ares/pull/17 - This one requires Windows..

https://github.com/bagder/c-ares/pull/18 - I don't like this one tbh,
there are platforms that don't have socklen_t (old Solaris, old HP-UX).
Because I don't have access to either of these, I can't test the patch,
but the text at the bottom of "man 2 accept" seems to suggest we might
break these old platforms..


Re: Patch for fixing the slow DNS lookup issue

2014-07-25 Thread Daniel Stenberg

On Fri, 25 Jul 2014, David Drysdale wrote:

> Pushed.  Hopefully it might help a bit.

Speaking of that, we have three old pull requests pending:

  https://github.com/bagder/c-ares/pulls

--

 / daniel.haxx.se


Re: Patch for fixing the slow DNS lookup issue

2014-07-25 Thread Jakub Hrozek
On Fri, Jul 25, 2014 at 09:34:23AM +0100, David Drysdale wrote:
> How about the attached?
> 

> From ede0f84b8e9cfe4eeaafb1c90e5fea006e19fe5e Mon Sep 17 00:00:00 2001
> From: David Drysdale 
> Date: Fri, 25 Jul 2014 09:28:46 +0100
> Subject: [PATCH] CONTRIBUTING: add file to indicate mailing list is preferred

Looks good to me! (Although I'm not a native speaker)

> 
> ---
>  CONTRIBUTING | 11 +++
>  1 file changed, 11 insertions(+)
>  create mode 100644 CONTRIBUTING
> 
> diff --git a/CONTRIBUTING b/CONTRIBUTING
> new file mode 100644
> index ..c7dda05db014
> --- /dev/null
> +++ b/CONTRIBUTING
> @@ -0,0 +1,11 @@
> +Contributing to c-ares
> +==
> +
> +The c-ares developers prefer patches to be sent to the c-ares mailing list
> +rather than receiving pull requests via GitHub.  So for suggested changes
> +please:
> +
> + - Subscribe to the mailing list at:
> + http://cool.haxx.se/mailman/listinfo/c-ares
> + - Use 'git format-patch' to generate patch files.
> + - Send the patches to the mailing list at c-ares@cool.haxx.se
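
Review bot: the three-step list at the end of the new file sends every change to the public list at c-ares@cool.haxx.se and names no separate channel for security-sensitive fixes, so a patch for an undisclosed vulnerability would be published as soon as it is posted; consider adding a line that says where such reports should go instead. The sentence "prefer patches to be sent to the c-ares mailing list rather than receiving pull requests via GitHub" also leaves open what happens to a pull request that arrives anyway, and a short statement of that (for example, that it will be redirected to the list) would make the file easier to act on.
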
> -- 
> 2.0.0.526.g5318336
>