>>> Barry Scott <barry@xxxxxxxxxxxxxxxx> wrote on 15.02.2023 at 15:29 in message
<9CE7D348-327C-4C22-9A54-C57FEF4DFAFD@xxxxxxxxxxxxxxxx>:
>
>> On 15 Feb 2023, at 10:31, Aditya Sharma <aditya.sharma1128@xxxxxxxxx> wrote:
>>
>> Hi Kevin,
>>
>> When the TTLs expire, those records in the cache become 'stale', and are
>> normally purged. Your request is to have an option in systemd-resolved to
>> *not* purge those records, but to continue serving them in case it is unable
>> to communicate with the configured recursive resolver(s).
>>
>> Sorry for the ambiguity.
>> What I meant was to keep serving the record after the resolvers are not
>> operational or during some outage.
>> We were thinking of an approach where we keep on serving the last known good
>> FQDNs even after the TTL has expired (only when we are unable to communicate
>> with the resolvers). For that, we need to intercept the DNS calls and
>> maintain some kind of local cache. So, wanted to understand how we can extend
>> systemd-resolved service to serve the purpose.
>
> I would be worried that breaking the TTL caching rules will create more
> problems than it solves.
> Isn't the underlying issue that you have unreliable DNS servers that are
> important to your application?

I also thought it might be an "x y problem"; so what problem are you actually trying to fix?

>
> Barry
>
>
>>
>> Thanks
>> Aditya
>>
>>
>> On Tue, 14 Feb 2023 at 16:46, Kevin P. Fleming
>> <lists.systemd-devel@xxxxxxxxxxxxx <mailto:lists.systemd-devel@xxxxxxxxxxxxx>>
>> wrote:
>>> On Tue, Feb 14, 2023, at 04:04, Aditya Sharma wrote:
>>>> Hi Kevin,
>>>>
>>>> If what you mean is that you want to serve 'stale' records from a cache when
>>>> their TTLs have expired and the authoritative servers which provided them are
>>>> not reachable, that's something that a number of existing recursive resolvers
>>>> are able to do and it could be logical for systemd-resolved to offer it too.
>>>> We are looking to prepare a solution similar to this, to serve back records
>>>> for FQDNs in case of timeout from the DNS server.
>>>> We want to understand how we can extend systemd-resolved to override
>>>> response from DNS server in case of timeouts/failures.
>>>
>>> Again, you need to be very specific in your request.
>>>
>>> systemd-resolved communicates with one or more recursive resolvers (what you
>>> are calling "DNS server", but that term is ambiguous). If those resolvers are
>>> not operational, systemd-resolved will continue serving records from its
>>> cache (if the cache is enabled), until their TTLs expire.
>>>
>>> When the TTLs expire, those records in the cache become 'stale', and are
>>> normally purged. Your request is to have an option in systemd-resolved to
>>> *not* purge those records, but to continue serving them in case it is unable
>>> to communicate with the configured recursive resolver(s).
>>>
>>> In your original message you referred to a 'negative response' from the "DNS
>>> server", but that's a completely different situation.
>>>
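
The distinction drawn in the thread (serve an expired record only when the recursive resolvers cannot be reached, never in place of a negative response) can be shown with a small cache model. This is an added example, not code from the thread or from systemd-resolved; the class names, the `max_stale` cap and the sample name and address are assumptions made for illustration.

```python
import time

class UpstreamTimeout(Exception):
    """No configured recursive resolver answered."""
class NegativeResponse(Exception):
    """A resolver answered, but with NXDOMAIN or NODATA."""

class StaleCache:
    """Hypothetical serve-stale cache (not systemd-resolved code); resolve() returns (address, state)."""
    def __init__(self, upstream, max_stale=3600, clock=time.monotonic):
        self.upstream = upstream    # callable: name -> (address, ttl_seconds)
        self.max_stale = max_stale  # seconds past expiry a record may still be served
        self.clock = clock
        self.records = {}           # name -> (address, expires_at)

    def resolve(self, name):
        now = self.clock()
        cached = self.records.get(name)
        if cached and now < cached[1]:
            return cached[0], "fresh"         # TTL still valid: ordinary cache hit
        try:
            address, ttl = self.upstream(name)
        except NegativeResponse:
            self.records.pop(name, None)      # a real answer: do not mask it with stale data
            raise
        except UpstreamTimeout:
            if cached and now - cached[1] <= self.max_stale:
                return cached[0], "stale"     # outage: serve the last known good record
            self.records.pop(name, None)      # beyond the cap: purge as usual
            raise
        self.records[name] = (address, now + ttl)
        return address, "refreshed"

def demo():
    """Constructed scenario: resolver healthy, then timing out, then answering NXDOMAIN."""
    now, failure = [0.0], [None]
    def upstream(name):
        if failure[0]:
            raise failure[0](name)
        return "192.0.2.10", 60               # constructed address (TEST-NET-1) and TTL
    cache = StaleCache(upstream, max_stale=300, clock=lambda: now[0])
    states = []
    for t, f in [(0, None), (30, None), (120, UpstreamTimeout), (130, NegativeResponse), (140, UpstreamTimeout)]:
        now[0], failure[0] = t, f
        try:
            states.append(cache.resolve("app.example.test")[1])
        except (UpstreamTimeout, NegativeResponse) as exc:
            states.append(type(exc).__name__)
    return states
```

The cap on stale age bounds how long a record whose address may since have been reassigned keeps being handed out, which is the concern raised about breaking TTL rules.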