On Wed, Mar 23, 2022 at 10:42 PM Shyam Prasad N <nspmangalore@xxxxxxxxx> wrote:
>
> Hi David,
>
> I was recently working on validating the recent fixes in cifs.ko and
> key.dns_resolver.
> However, I've stumbled on a different issue now.
>
> The call to dns_query from cifs initially upcalls into userspace and
> key.dns_resolver seems to resolve the name to IPv4 address. This comes
> back with an expiry value of 5 sec; so the key is set a timeout of 5s.
>
> However, at some later point, the IPv4 address changes for this DNS
> name. The resolution in userspace happens just fine, and I get the new
> IP address. However, I can see that the dns_query call from cifs is
> not upcalling to userspace anymore. And the dns_query calls are
> returning -127 (EKEYEXPIRED).
>
> I also tried to "keyctl describe KEY", and it also says "Key has expired".
>
> 1. How can I debug this further?
> 2. Is this a known issue? If so, what's the issue?
> 3. I see that afs.ko calls dns_query with invalidate passed in as
> true. What was the reason for not using the dns cache in the kernel
> keyring? Was it once used and later changed? If so, can you please
> explain why? cifs.ko does not set invalidate=true during dns_query
> calls today. I'd like to understand if there are any risks associated
> with this?
>
> --
> Regards,
> Shyam

Did some more digging into this.
It looks like cifs.ko may sometimes end up doing very frequent dns_query calls.

David: Do you know if making frequent calls to dns_query can possibly
prevent expired keys from being cleaned up?

--
Regards,
Shyam