Re: Improvements in name resolution, DNS and HTTPS RR and SVCB future usage

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Is there any API description of the Varlink API, which you are referring to?

I have found:

- https://systemd.io/WRITING_RESOLVER_CLIENTS/
- https://www.freedesktop.org/software/systemd/man/latest/org.freedesktop.resolve1.html
- https://systemd.io/USER_GROUP_API/

None of that mentions the raw mode you have mentioned, related to hostname resolution.

On 18. 10. 24 9:50, Lennart Poettering wrote:
On Do, 17.10.24 18:11, Petr Menšík (pemensik@xxxxxxxxxx) wrote:

I certainly have answered the questions you raised for *myself*,
though I am pretty sure you are not going to like my answer: I think
the Varlink IPC APIs that systemd-resolved implements are the way to
go. There's work going on to add ALPN and stuff hooked into
systemd-resolved already. It provides simple SRV resolution APIs
already, asynchronously.

Lennart

--
Lennart Poettering, Berlin
There is not anything wrong with Varlink IPC itself. There needs to be a
decent encoding of every information shared back into the application. If
DNS protocol should not be used for that, then there needs to be some other
protocol to encode and decode that information. I want received information
complex, at least (simple) possibility of it. That means the information
transferred would not be simple anyway. It might need to be structured,
possibly quite complex.As is HTTPS and SVCB record. Sure, SRV is relatively
trivial in comparison. New records have arbitrary key-value parameters,
which are future extensible.
resolved offers you "cooked" and "raw" interfaces. If you opt for the
"raw" interface you will get the data in DNS serialization (minus
label compression and such), in the IPC replies.

Is this described somewhere? I haven't found it.

Does User/group


I think the problem is Varlink needs a new protocol for the name resolution.
I have seen only DBus API for systemd-resolved. It is fine for some things,
not working for others. But Varlink is the new API, which you say is not
necessary anymore. Network BSD sockets are still handled by applications
themselves, often made easier with some toolkits on top. If people still
need socket handles, then they need something like struct sockaddr address
for it. Ideally with a way to get additional information with it. Like TTL,
servername, priority or weight.
I cannot parse what you are writing here. Let me just say that D-Bus
is problematic for doing DNS resolution with because DNS is really
basic stuff that should work during earliest boot already. D-Bus is a
late boot concept and in fact assumes that certain other OS
functionality already works, such as user database resolution and
logging services, both of which in turn might require host name
resolution to already work. That makes D-Bus a poor choice as IPC for
doing host name resolution. Varlink being much simpler and not
requiring a broker always works, hence that's what we do.

Applications calling connect(2) call need struct sockaddr, obtained by getaddrinfo(3). They may use varlink to get that data, but still need some way to obtain that. That means some API to client applications.

But yes, we have realized we may need encrypted resolution already in Anaconda, which makes D-Bus activation quite early. Network Manager needs it. On the other hand, until you have working some network connectivity, the only data ready at that time can be provided by nss-files or nss-myhostname plugin. Other services do not have a way, how to fetch other usable information at that time. If they can use some plugins without specialized service, then that service needs to be up only when network is ready at least partially.


      
I think we could still use unix domain socket in some standard path and send
queries from applications to local daemons over it. DNS protocol is
compressed enough and binary already. I am not sure if translating DNS
message into varlink structures will make it actually simpler to parse. It
would require completely new code on side of applications. I would use
simplified DNS protocol on local pipe for IPC. That is close enough to what
some applications already implemented or have libraries for. Though we need
to pass AF_UNSPEC address request in single query, not like separate A+AAAA
requests arriving to cache service.
First of all, as mentioned "raw" RR lookups done via the Varlink IPC
interface encode the RR data in DNS serialization.

I think using the DNS protocol itself is highly problematic however,
because the protocol is just so complex these days with multiple
transports, and time-out/repeat behaviour that is just a complete mess
when applied to local IPC.
It depends. Of course handling timeouts and retransmissions is a pain. However, you can just rely on the service doing that. Except dnsmasq all other services should emit SERVFAIL, if it takes too long. The client should handle just simple pipe, stream or datagram, to a service. Ideally it should have simple way of obtaining minimal functionality provided from the service.
Dunno. Varlink is a trivial IPC. In systemd-resolved we support it
side-by-side with D-Bus. I have zero interest in adding a 3rd IPC
interface, hence whatever you come up with, expect us to be very cool
on the idea on adding more.

That sounds like Vendor Lock-in approach. Either you use our protocol or you are screwed. There are already multiple implementations doing DNS service. I think we need common interface for them to be interoperable, without forcing clients to support multiple interfaces for each. That is why I want to discuss it with wider audience. I can design my own API, but if it would be just one of many alternatives, it won't help. It would not improve overall experience, but just fragment implemented/able solutions.

I am looking for a generic interface, which could be served by multiple implementations. Even systemd-resolved. But at least DBus API does not make switching between different services simple. We have to mask systemd-resolved.service to be able to take its DBus name from dnsconfd. That is definitely not a best practice to recommend. Can you describe API, which can offer both systemd-resolved and also other service? Where the user can freely choose, which service suits him/her the best? To ensure client applications do not need modification or rebuild, when such service is changed?

The most important problem of existing system interface are blocking only
calls. Every more complex program runs some kind of event loop, capable of
handling multiple sockets and timeouts in a single thread. But that is not
possible with API systems provide today. Modern programs are asynchronous
for a good reason. I think providing them low-level building blocks still
makes sense. They may be used inside higher level languages. I don't think
DBus should be used, just because it has already existing integration to
toolkits. It does not seem to be high-speed enough.
D-Bus might not be great for "high-speed", but uh, it's still a
a lot faster than a DNS lookup would require it. So, what can I
say. There are good reasons to avoid D-Bus for this (see above), but
"performance" really isn't it.

Lennart

--
Lennart Poettering, Berlin

DBus is common building blocks of GUI applications written in GTK or Qt. But I haven't seen many server implementations with decent DBus support. If you would like to observe busy (multi)gigabit link with tcpdump, there might be a lot of queries coming, per second. DNS itself is a quite efficient binary protocol, often already implemented in clients relying on it. I trust you know about D-Bus much more than me and that it can pass binary encoded and structured information too. But I am not sure whether complete name resolution history on machine should pass via DBus. In whatever form.

The problem I see with DBus is that none of a good open source dns servers have DBus interface implemented in it. Yet they are done by masters of the DNS protocols, who often wrote RFC defining how they should behave. Using DNS compatible messages would allow to reuse their expertise. Translating DNS message responses to Varlink interpretation might lose important information and create not necessary translation layers. I think ideally each client should be able to select, how complex information it understands or wants. getaddrinfo(3) is a good thing for basic things, but should be expanded and modernized a bit. For more detailed answers something DNS-like should work.

-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
-- 
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux