-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Wouter.
On Wed 13 Aug 2014 04:57:22 PM CEST, W.C.A. Wijngaards wrote: > Hi Pavel, > > On 08/13/2014 04:31 PM, Pavel Simerda wrote: >> Hi, > >> just found where the problem with not using the fallback >> configuration was. All the details are in the Fedora bugzilla >> ticket[1]. I didn't do any more extensive research but it >> basically seems that after planning the direct probe we need to >> also plan the tcpdns probe *before* the direct probe finishes and >> prevents the tcpdns one from being planned. > > You seem to want dnssec-trigger to probe in a different sequence of > fallback methods? > > At the design time the direct method was thought to be a better method > than using a public-recursor fallback. The traffic on authority > servers was not considered a problem. > > The bugzilla ticket is solving something which is not a bug but a > feature. Designed in, as the order of the probes performed. > > The aim for the initial design was also to reduce load on that public > resolver (hosted by us in the generic package). > > The direct (direct to authority servers) method works very often. And > when it does it is very likely to produce DNSSEC support. For some reason I thought that fall-back servers were used before the root servers. However I can see that it is the other way around when reading the dnssec-trigger project page. We consider offloading root servers a good thing. I agree with you that in this case it is more of a feature request. Maybe it could be made configurable. We have own Fedora infrastructure, so we will not increase the load on your servers. The problem I see is the situation when you want to use DNS over SSL, because full recursion is blocked. Then it would make sense to actually try the fall-back configuration first. However Pavel will know more, since he debugged the daemon to find the cause in source. > Your patch also seems to have a race condition, I think, since you > spawn both the direct and the dnstcp probes at the same time. > > Best regards, > Wouter > >> Pavel > >> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1109292 > > Thanks. Regards, - -- Tomas Hozza Software Engineer - EMEA ENG Developer Experience PGP: 1D9F3C2D Red Hat Inc. http://cz.redhat.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJT64hvAAoJEMWIetUdnzwtCeUH/iLA5ZiXght/q/h9jYnguuIi iddIrQkwyg1jbAua9okfvGQlHpUJI05TQVjEmoT/30HWpA4v5UYJUe2XFr7cKz/3 GyCbjYK3ZZn3Jf3UR1gofCRAtRLr1XM+Fp5Qa2IJgkpLuoA595S1ss/2dyJeyGNi PTr7e1MLLOxBl9JvM/BIlvsiiy+A+sjb9EKLnc0vRgiel7wJkXOn294Bcx1W3S6R xjzGmRGStAPFKmCiuQfthgLB5Bk6McROWqXzPR8RGGUGDfWSBErfq43ymUuoA5CV 1izvkEm7K02F9ljG9/jOORs7pLhQJs+TS7hGEWUWbCMdqx28WSDNptEFGwBqjVI= =5P1U -----END PGP SIGNATURE----- _______________________________________________ dnssec-trigger mailing list dnssec-trigger@NLnetLabs.nl http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger