Henrik Nordström wrote:
Hmm.. I guess we can delay the A lookup until connection timeout, which
would both improve performance and compliance.


Nice in principle, the problem becomes how to do it cleanly. Given that timeout is known only to client/server side, and the whole ipcache stands between the resolver and the point of most desirable lookup.

AFAICS it would require a whole new function chain into both ipcache and resolver stub to clear existing cached IP and lookup new ones of a specific type from the client-streams side instead of leaving it hidden nicely in the resolver stub internals.

Amos

Wed 2007-10-10 at 00:10 -0600, Adrian Chadd wrote:
Interesting! I'd suggest leaving it on by default though and logging statistics
showing the number of requests which had an ipv6 reply but couldn't be connected
to, but could be connected to via ipv4.

You want IPv6 support to be as transparent and functional as possible out of
the box so people don't just disable IPv6 at the first sign of instability.



Adrian

On Wed, Oct 10, 2007, Amos Jeffries wrote:
Update of cvs.devel.squid-cache.org:/cvsroot/squid/squid3/src

Modified Files:
      Tag: squid3-ipv6
        cf.data.pre dns_internal.cc structs.h
Log Message:
Following DNS best-practice will cause squid to deny some possible requests

Can be caused by two things:
 1) The tunnel / IPv6 access is down.
 2) The remote server is broken. Advertising web service on a domain
    that resolves to addresses which can't accept it.

This adds a slightly nasty option "dns_v4_fallback" ("on" or "off") which
will force squid to break the standards and do both A and AAAA requests.

pro: it seamlessly recovers from some IPv6 breakages in the local network.
     or at least hides the error from clients and converts to IPv4.

cons:
 doubles the DNS queries per request that squid does.
 will start using all IPv4 and IPv6 addresses as equal in its IP balancing.
 (standards behaviour is to prefer IPv6 when given, ignoring IPv4).

Default for this is OFF by design and should stay that way.
I leave it to the individual admin to turn it on if they judge their network
fundamentally unfixable enough to warrant it.


Index: structs.h
===================================================================
RCS file: /cvsroot/squid/squid3/src/structs.h,v
retrieving revision 1.66.2.32
retrieving revision 1.66.2.33
diff -C2 -d -r1.66.2.32 -r1.66.2.33
*** structs.h   6 Oct 2007 15:17:07 -0000       1.66.2.32
--- structs.h   10 Oct 2007 00:51:42 -0000      1.66.2.33
***************
*** 547,550 ****
--- 547,551 ----
          int httpd_suppress_version_string;
          int global_internal_static;
+         int dns_require_A;
      }
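Review bot: the new member is named `dns_require_A` while the directive it stores (added in cf.data.pre as `dns_v4_fallback`) uses different wording; use one name for both the struct member and the LOC so a reader grepping for the directive finds its storage, e.g. `int dns_v4_fallback;`.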
Index: dns_internal.cc
===================================================================
RCS file: /cvsroot/squid/squid3/src/dns_internal.cc,v
retrieving revision 1.15.6.29
retrieving revision 1.15.6.30
diff -C2 -d -r1.15.6.29 -r1.15.6.30
*** dns_internal.cc     7 Aug 2007 08:44:47 -0000       1.15.6.29
--- dns_internal.cc     10 Oct 2007 00:51:41 -0000      1.15.6.30
***************
*** 1001,1011 ****
#if USE_IPV6
!     if(n <= 0 && q->need_A)
      {
          /* ERROR or NO AAAA exist. Failover to A records. */
          if(n == 0)
              debugs(78, 3, "idnsGrokReply: " << q->name << " has no AAAA records. 
Looking up A record instead.");
!         else
              debugs(78, 3, "idnsGrokReply: " << q->name << " AAAA query failed. 
Trying A now instead.");
idnsDropMessage(message, q);
--- 1001,1013 ----
#if USE_IPV6
!     if(q->need_A && (Config.onoff.dns_require_A == 1 || n <= 0 ) )
      {
          /* ERROR or NO AAAA exist. Failover to A records. */
          if(n == 0)
              debugs(78, 3, "idnsGrokReply: " << q->name << " has no AAAA records. 
Looking up A record instead.");
!         else if(q->need_A)
              debugs(78, 3, "idnsGrokReply: " << q->name << " AAAA query failed. 
Trying A now instead.");
+         else // admin requested this.
+             debugs(78, 3, "idnsGrokReply: " << q->name << " AAAA query done. 
Configured to retrieve A now also.");
idnsDropMessage(message, q);
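Review bot: the `else if(q->need_A)` guarding the second debug message is always true, because the enclosing `if` already requires `q->need_A`, so the added `else // admin requested this.` branch is unreachable and the "AAAA query done. Configured to retrieve A now also." message can never be logged; with `dns_require_A` on and a successful AAAA lookup (`n > 0`) the log will instead wrongly report "AAAA query failed". Branch on the reply count: `else if(n < 0)` for the failure case and a plain `else` for the configured-fallback case.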
***************
*** 1448,1451 ****
--- 1450,1454 ----
      }
+ /* PTR does not do inbound A/AAAA */
      q->need_A = false;
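Review bot: the added comment is ambiguous ("inbound" is not used elsewhere in this code for A/AAAA handling); state the intent directly so the `q->need_A = false;` line is self-explanatory, e.g. `/* PTR lookups never fall back to an A/AAAA query */`.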
Index: cf.data.pre
===================================================================
RCS file: /cvsroot/squid/squid3/src/cf.data.pre,v
retrieving revision 1.68.2.40
retrieving revision 1.68.2.41
diff -C2 -d -r1.68.2.40 -r1.68.2.41
*** cf.data.pre 30 Sep 2007 16:13:29 -0000      1.68.2.40
--- cf.data.pre 10 Oct 2007 00:51:41 -0000      1.68.2.41
***************
*** 5035,5038 ****
--- 5035,5058 ----
  DOC_END
+ NAME: dns_v4_fallback
+ TYPE: onoff
+ DEFAULT: off
+ LOC: Config.onoff.dns_require_A
+ DOC_START
+       Standard practice with DNS is to lookup either A or AAAA records
+       and use the results if it succeeds. Only looking up the other if
+       the first attempt fails or otherwise produces no results.
+       By default squid internal DNS follows that policy.
+ + That policy however will cause squid to produce error pages for some
+       servers that advertise AAAA but are unreachable over IPv6.
+ + Turning this ON will force squid to always lookup both AAAA and A. + + WARNING: There are some possibly unwanted side-effects with this on:
+               *) Doubles the load placed by squid on the DNS network.
+               *) May negatively impact connection delay times.
+ DOC_END
+ NAME: ipcache_size
  COMMENT: (number of entries)
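Review bot: the DOC_START text omits one consequence that the commit message lists: with this on, squid uses all returned IPv4 and IPv6 addresses as equals in its IP balancing instead of preferring IPv6 as standard behaviour does; add that as a third bullet under the WARNING so admins enabling it know the address selection changes too. Also `LOC: Config.onoff.dns_require_A` does not match the directive name `dns_v4_fallback`; align the two.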


--
Please use Squid 2.6STABLE17 or 3.0STABLE1.
There are serious security advisories out on all earlier releases.
