On 11/04/11 21:29, Fabian Hugelshofer wrote:

Hi Squid developers,

Using Squid 3.1.9 with the internal resolver and IPv6 support enabled I
stumbled across a problem:

Squid sends AAAA DNS queries probably while checking the ACLs. There are
broken DNS servers that do not reply to AAAA queries. If this happens,
then Squid hangs for quite some time while waiting for a reply without
asking for an A record.

In our setup, there is a local DNS server that sends SERVFAIL after 30s
without a reply. In this case Squid hangs for 90s. Without the SERVFAIL,
Squid hangs for 3*dns_retransmit_interval + dns_timeout (45s with
default values). Using a parent proxy does not change this behaviour.

After waiting for a reply, Squid sends an A query that is answered
immediately and then everything works fine until the AAAA queries are
sent again after negative_dns_ttl.

There is a bug report in Debian that is probably related:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604566

Do you see a way and a need to improve this behaviour for sites with
broken DNS servers? Fixing the remote DNS servers, disabling IPv6
support or reducing the DNS timeouts help, but might not be feasible
solutions in every case.

There was a discussion about parallel AAAA/A queries last year. Are
there any plans in implementing this (especially for ACLs)?
Thread:
http://www.mail-archive.com/[email protected]/msg12801.html

A test URL is e.g. https://ibol18.ibb.ubs.com. The same problem persists
in 3.2.0.5. DNS or HTTP traces can be provided if requested.

Best regards,
Fabian Hugelshofer

PS: Please include my email address in replies as I am not member of the
list.

Thanks for the reminder Fabian,

We have a good idea of what needs to be done to implement parallel
lookups. Unfortunately none of us currently have the time to do the
alterations.

Life and other commitments appear to have taken away Henrik who was
going to do it earlier. It remains way down on my todo list after a long
list of other bugs.

Meanwhile this is helping to highlight the broken sites and aid in their
fixes. Fixing the global DNS connectivity is the highest priority. The
"ipocalypse" is already hitting networks on this side of the world even
though we have several weeks left before formally reaching the end of
IPv4 availability.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.12
Beta testers wanted for 3.2.0.6
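
The failure mode discussed in this thread (a resolver that answers A queries but never answers, or SERVFAILs, AAAA queries) can be confirmed from the proxy host with a small probe. This is an added example, not part of the original messages and not Squid code; the function names, the resolver address 192.0.2.53 and the name www.example.com are placeholders, and an IPv4 resolver address is assumed.

```python
import socket
import struct
import time

QTYPE = {"A": 1, "AAAA": 28}
RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_query(name, qtype, txid):
    """Encode a one-question DNS query (recursion desired, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE[qtype], 1)

def probe(server, name, qtype, timeout=5.0, port=53, txid=0x5153):
    """Send one UDP query; return (outcome, elapsed_seconds).
    outcome is an rcode name, or "TIMEOUT" if no matching reply arrived."""
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(build_query(name, qtype, txid), (server, port))
        while True:
            remaining = timeout - (time.monotonic() - start)
            if remaining <= 0:
                return "TIMEOUT", time.monotonic() - start
            sock.settimeout(remaining)
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                return "TIMEOUT", time.monotonic() - start
            if len(data) < 12:
                continue  # too short to be a DNS header
            rid, flags = struct.unpack("!HH", data[:4])
            if rid == txid and flags & 0x8000:  # our ID, QR (response) bit set
                code = flags & 0x000F
                return RCODE.get(code, "RCODE%d" % code), time.monotonic() - start

def classify(server, name, timeout=5.0, port=53):
    """Compare how one resolver handles A and AAAA for the same name."""
    a = probe(server, name, "A", timeout, port)
    aaaa = probe(server, name, "AAAA", timeout, port)
    if a[0] == "NOERROR" and aaaa[0] in ("TIMEOUT", "SERVFAIL"):
        verdict = "aaaa-unanswered"  # the case described in this thread
    elif a[0] == "NOERROR" and aaaa[0] == "NOERROR":
        verdict = "ok"
    else:
        verdict = "inconclusive"
    return {"A": a, "AAAA": aaaa, "verdict": verdict}

if __name__ == "__main__":
    # Placeholder resolver and name; substitute the ones Squid actually uses.
    print(classify("192.0.2.53", "www.example.com"))
```

For a setup like the one reported, where the local resolver returns SERVFAIL only after 30s, pass a `timeout` longer than that to see the SERVFAIL rather than a TIMEOUT.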