Re: Improvements in name resolution, DNS and HTTPS RR and SVCB future usage

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 21/10/2024 14:51, Lennart Poettering wrote:
On Mo, 21.10.24 12:38, Petr Menšík (pemensik@xxxxxxxxxx) wrote:

Okay. It might be better than D-Bus, but having to make separate connections
for every single resolution is still a bit wasteful.
Uh. I mean, if you want, kep the connections around aftre each
resolution and reuse them. But frankly, you are focussing on the wrong
things. Roundtrips are wasteful, and D-Bus is rife of them. A singular
bottleneck that the broker is is wasteful. But local AF_UNIX sockets
are not in comparison, not even remotely.
We have an agreement here. Passing complete resolution on general purpose broker like DBus is not a good idea. Having a separate socket is a better idea. I just think it does not have to implement generic IPC protocol, if we want it used for name resolution only. Which has already lightweight DNS protocol, which can be reused.
If we can keep some context between two resolutions, just a single
stream connection would be enough. If raw stream/TCP DNS is used, it
can deliver random ordered responses over single connection. That
seems even better option. Just use an unix socket for raw DNS. Of
course additional resolution via Varlink would be still possible,
but I would not propose them as a primary way.
Sure, reinvent IPC another time. Have fun!

Already said. I do not want to reinvent general purpose IPC. Although we have examples in bind9, unbound and countless of other server software, that specialized sockets for runtime configuration and monitoring are used.

I would propose something like /run/resolver.socket, which primary system cache would listen on. It would use the same protocol as we have on 127.0.0.53, port 53. Just unix domain socket and few advantages of it.

Reconfiguration can be done via DBus or Varlink, why not. But not common resolution queries.

I know you don't like systemd-resolved, but maybe you can at least
acknowledge that is does exist.
I never pretended systemd-resolved does not exist. It does. I just don't think it is the best implementation we could find. It has many advantages, but not only them.
Good luck with yet another C API.
Thank you!
Most of DNS RRsets are tiny. DNS can contain OPENPGPKEY records, which are
not so tiny. It can contain also DNSKEYs. Especially those of a post quantum
cryptography are rather large. Not something today's application is unable
to process, but not tiny. Large DNS responses might be up to 64 kB, but
sure, most of them are smaller than 1.2 kB.But mandatory base64 encoding and
decoding can be avoided. If it can be avoided, then I think it should be.
Sorry, but marhsalling is not where the cost is for local IPC. In
current Linux systems it's roundtrips, roundtrips, roundtrips. Forget
everything else.

Lennart

--
Lennart Poettering, Berlin

Marshalling is not free, but you are correct it is not a primary blocker. It depends what you mean by roundtrips. For example traffic monitoring tools like iptraf or tcpdump are likely to resolve often the same address.

I think in-application context would allow small cache inside the application. That would allow reusing recent response and do not bombard local cache service with repeated queries. But at the same time it needs to get information, how long it is allowed to cache records. It may set upper limit to TTL received, for example keeping a record max for 10s. Even if response contained 1 day. The rest would keep the cache service, which we can flush when needed.

But current APIs do not offer keeping context between resolutions. Nor expose TTL of received answer.

At least we have agreement it needs a separate socket service. Not so much what to use on such socket.

I would like to avoid information lost in translation. The less translation we need to make, the better for result correctness.

-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
-- 
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux