Re: [Dnsmasq-discuss] DNSSEC and all-servers
On 2021-10-07 23:01, Simon Kelley wrote:
> On 07/10/2021 10:59, Tobias via Dnsmasq-discuss wrote:
>> when "dnssec" and "all-servers" are set, according to the log it seems
>> queries are usually forwarded to all upstream servers as expected, but
>> the internal "dnssec-query"s are not, they are only sent to one, which
>> is unexpected with "all-servers". (They are also not balanced but more
>> like 16:1 sent to the first upstream server, which is usually the faster
>> one, I assume that's why?)
>
>> Another issue, probably not related to "all-servers", and maybe not even
>> DNSSEC: When there's an A query followed by an query, the log shows
>> two identical consecutive internal DS/DNSKEY queries (to the same
>> upstream, verified via upstream log), isn't that unnecessary/excessive?
>
> What version are you running? Your second point was addressed in release
> 2.86, so I guess something earlier.

That's correct, I'm still at 2.85. (I see it's in the Changelog, should have checked that, sorry.)

> The code for determining which server to use for DNSSEC queries was also
> touched in 2.86, but the principle remains the same. The code tries hard
> to use the same server as provided the answer being validated. This may
> not be possible in some circumstances, and if that server doesn't
> respond, the strategy for picking another server changed in 2.86, but in
> general it's true.
>
> That explains your observation. The original query gets sent to all the
> servers and whichever answers first has its answer used, and gets the
> subsidiary queries for DNSSEC. A single server may often be the fastest,
> or it might just be that the query is always sent to the servers in the
> same order, so the first one to receive it normally wins.

My reason for using "all-servers" is that I have two upstream servers, one that is usually notably faster, but with occasional timeouts, and one that is slower but also more stable.

So if DNSSEC queries are sent to the first upstream server only, they are much more likely to time out, so I'd guess sending them to both upstreams should be preferred in this case. Or am I using it wrongly?

On the other hand, what would be the rationale to treat DNSSEC queries differently than other queries under "all-servers"? For which use case would this be better?

(If the current behavior is to be kept, I suggest adjusting the documentation, in particular this part: "Setting this flag forces dnsmasq to send all queries to all available servers." Thanks!)

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] DNSSEC and all-servers
On 07/10/2021 10:59, Tobias via Dnsmasq-discuss wrote:
> Hi,
>
> when "dnssec" and "all-servers" are set, according to the log it seems
> queries are usually forwarded to all upstream servers as expected, but
> the internal "dnssec-query"s are not, they are only sent to one, which
> is unexpected with "all-servers". (They are also not balanced but more
> like 16:1 sent to the first upstream server, which is usually the faster
> one, I assume that's why?)
>
> Another issue, probably not related to "all-servers", and maybe not even
> DNSSEC: When there's an A query followed by an query, the log shows
> two identical consecutive internal DS/DNSKEY queries (to the same
> upstream, verified via upstream log), isn't that unnecessary/excessive?
>

What version are you running? Your second point was addressed in release 2.86, so I guess something earlier.

The code for determining which server to use for DNSSEC queries was also touched in 2.86, but the principle remains the same. The code tries hard to use the same server as provided the answer being validated. This may not be possible in some circumstances, and if that server doesn't respond, the strategy for picking another server changed in 2.86, but in general it's true.

That explains your observation. The original query gets sent to all the servers and whichever answers first has its answer used, and gets the subsidiary queries for DNSSEC. A single server may often be the fastest, or it might just be that the query is always sent to the servers in the same order, so the first one to receive it normally wins.

Simon.
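To check the behaviour Simon describes against your own dnsmasq log (how the forwarded queries and the subsidiary dnssec-queries are split across upstreams, and whether the same DS/DNSKEY query is repeated back to back after an A/AAAA pair), here is a small log analyser. It is an added example, not code from dnsmasq or from anyone in this thread; the sample log lines are constructed, and the exact line shapes and the 192.0.2.x addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sample of dnsmasq log-queries output (not taken from the thread).
# Line shapes "forwarded <name> to <server>" and "dnssec-query[<type>] <name>
# to <server>" are assumed; adjust the regexes if your dnsmasq logs differently.
SAMPLE_LOG = """\
dnsmasq[1]: query[A] example.com from 192.0.2.10
dnsmasq[1]: forwarded example.com to 192.0.2.1
dnsmasq[1]: forwarded example.com to 192.0.2.2
dnsmasq[1]: dnssec-query[DS] example.com to 192.0.2.1
dnsmasq[1]: dnssec-query[DNSKEY] com to 192.0.2.1
dnsmasq[1]: query[AAAA] example.com from 192.0.2.10
dnsmasq[1]: forwarded example.com to 192.0.2.1
dnsmasq[1]: forwarded example.com to 192.0.2.2
dnsmasq[1]: dnssec-query[DS] example.com to 192.0.2.1
dnsmasq[1]: dnssec-query[DNSKEY] com to 192.0.2.1
dnsmasq[1]: query[A] example.org from 192.0.2.10
dnsmasq[1]: forwarded example.org to 192.0.2.1
dnsmasq[1]: forwarded example.org to 192.0.2.2
dnsmasq[1]: dnssec-query[DS] example.org to 192.0.2.2
"""
FORWARD_RE = re.compile(r"forwarded (\S+) to (\S+)$")
DNSSEC_RE = re.compile(r"dnssec-query\[(\w+)\] (\S+) to (\S+)$")
WINDOW = 10  # the same dnssec-query repeated within this many lines is flagged

def analyse(log_text):
    """Per-upstream counts of forwarded and dnssec-query lines, plus a list of
    dnssec-queries (type, name, server) repeated within WINDOW log lines."""
    forwarded, dnssec = Counter(), Counter()
    last_seen, duplicates = {}, []
    for lineno, line in enumerate(log_text.splitlines()):
        m = FORWARD_RE.search(line)
        if m:
            forwarded[m.group(2)] += 1
            continue
        m = DNSSEC_RE.search(line)
        if m:
            qtype, name, server = m.groups()
            dnssec[server] += 1
            key = (qtype, name, server)
            if key in last_seen and lineno - last_seen[key] <= WINDOW:
                duplicates.append(key)
            last_seen[key] = lineno
    return forwarded, dnssec, duplicates

if __name__ == "__main__":
    fwd, sec, dups = analyse(SAMPLE_LOG)
    for s in sorted(set(fwd) | set(sec)):
        print(f"{s}: forwarded={fwd[s]} dnssec-query={sec[s]}")
    print("repeated:", dups)
```

On a real log, feed the output of `journalctl -u dnsmasq` (or the configured log file) into `analyse` instead of `SAMPLE_LOG`; a strongly skewed dnssec-query count with evenly split forwards is the pattern the thread describes.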
[Dnsmasq-discuss] DNSSEC and all-servers
Hi,

when "dnssec" and "all-servers" are set, according to the log it seems queries are usually forwarded to all upstream servers as expected, but the internal "dnssec-query"s are not, they are only sent to one, which is unexpected with "all-servers". (They are also not balanced but more like 16:1 sent to the first upstream server, which is usually the faster one, I assume that's why?)

Another issue, probably not related to "all-servers", and maybe not even DNSSEC: When there's an A query followed by an query, the log shows two identical consecutive internal DS/DNSKEY queries (to the same upstream, verified via upstream log), isn't that unnecessary/excessive?

Thanks!
Tobias