Opened 15 years ago
Last modified 9 years ago
#76 new defect
innd doesn't honor DNS TTLs
| Reported by: | eagle | Owned by: | eagle |
|---|---|---|---|
| Priority: | low | Milestone: | 2.7.0 |
| Component: | innd | Version: | |
| Severity: | normal | Keywords: | compliance |
| Cc: | | | |
Description
A long-standing problem with innd is that it stores the DNS lookup results for everything in incoming.conf when it starts up and then never rechecks DNS. Most sites periodically reload incoming.conf to work around this, but it still breaks the DNS requirement to honor TTL.
Unfortunately, there's no way to do asynchronous DNS lookups using the getaddrinfo() interface, which is required to support /etc/hosts and other non-DNS sources of IP information, and we can't do the blocking calls since they can block for a long time.
That leaves, as a solution, doing DNS resolution in a child process and then asynchronously filling in the results. This will require putting incoming connections to sleep until the DNS resolution finishes, and then waking them up to do permission checking.
Change History (3)
comment:1 Changed 15 years ago by
Keywords: compliance added
comment:2 Changed 12 years ago by
Milestone: → 2.6.0
Using libevent would allow asynchronous DNS queries.
comment:3 Changed 9 years ago by
Milestone: 2.6.0 → 2.7.0
RFC 3977 says:
innd caches DNS lookups when reading incoming.conf and doesn't refresh its knowledge of DNS except when incoming.conf is reloaded.
Impact: An explicit reload is required whenever the IP address of any peer changes, and in the presence of network renumbering innd is vulnerable to spoofing if DNS is the only authentication mechanism used.
Suggested fix: This is hard to fix without unacceptable performance impact. The only good fix is to either fork a separate helper process to do DNS lookups (since gethostbyname may block for essentially an arbitrarily long period) or to use the direct resolver library so that one can get access to a file descriptor and throw it into the select loop. Either way, this requires keeping a DNS file descriptor in the main select loop and updating knowledge of DNS periodically, which is a substantial amount of additional complexity.
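The following is an added illustration of the defect and the check the ticket asks for; it is not INN's code. It contrasts a startup-only peer cache (what the description and comment:3 say innd does today) with one that re-resolves once the record's TTL has elapsed, so a peer address that was renumbered after startup stops being accepted. The `resolve_fn` callback, `struct peer` and `fake_resolve` are constructed for the example; a real resolver exposing TTL would have to come from the resolver library, since getaddrinfo() does not report it.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Resolver callback: writes the peer's current address into addr and returns
 * the record's TTL in seconds. Constructed stand-in: getaddrinfo() reports no
 * TTL, so a real version needs the resolver library, as comment:3 says. */
typedef unsigned (*resolve_fn)(const char *host, char *addr, size_t len);

struct peer {
    const char *host;   /* peer name as listed in incoming.conf */
    char addr[64];      /* address the last lookup returned */
    time_t expires;     /* moment the cached answer stops being valid */
};

/* Resolve (or re-resolve) a peer and record when the answer expires. */
static void peer_refresh(struct peer *p, time_t now, resolve_fn resolve)
{
    p->expires = now + resolve(p->host, p->addr, sizeof p->addr);
}

/* Startup-only cache, as the ticket describes: trusted until the next reload. */
int peer_allowed_stale(const struct peer *p, const char *from)
{
    return strcmp(p->addr, from) == 0;
}

/* TTL-honouring cache: re-resolve once the cached answer has expired. */
int peer_allowed_ttl(struct peer *p, const char *from, time_t now, resolve_fn r)
{
    if (now >= p->expires)
        peer_refresh(p, now, r);
    return strcmp(p->addr, from) == 0;
}

/* Constructed fake DNS: peer.example renumbers from .10 to .20 once
 * fake_dns_changed is set; every answer carries a 300 second TTL. */
int fake_dns_changed = 0;
unsigned fake_resolve(const char *host, char *addr, size_t len)
{
    (void)host;
    snprintf(addr, len, "%s", fake_dns_changed ? "192.0.2.20" : "192.0.2.10");
    return 300;
}
int main(void)
{
    struct peer p = { "peer.example", "", 0 };
    peer_refresh(&p, 0, fake_resolve);
    fake_dns_changed = 1;   /* the peer renumbers after innd started */
    printf("stale cache admits 192.0.2.10: %d\n", peer_allowed_stale(&p, "192.0.2.10"));
    printf("TTL cache at t=400 admits it: %d\n", peer_allowed_ttl(&p, "192.0.2.10", 400, fake_resolve));
    return 0;
}
```

The stale check keeps answering 1 for the old address after renumbering, which is the spoofing exposure the compliance note describes when DNS is the only authentication; the TTL check answers 0 once the record has expired and been re-resolved.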