Tuesday 31 May 2016

Re: ANN: DNS resolver changes in yakkety

On Tue, May 31, 2016 at 09:38:51PM +0200, Martin Pitt wrote:
> > In the past, resolved would use a single shared cache for the whole
> > system, which would allow for local cache poisoning by unprivileged
> > users on the system. That's the reason why the dnsmasq instance we spawn
> > with Network Manager doesn't have caching enabled and that becomes even
> > more critical when we're talking about doing the same change on servers.

> Indeed Tony mentioned this in today's meeting with Mathieu and me --
> this renders most of the efficiency gain of having a local DNS
> resolver moot.

However, reducing the number of DNS queries with caching is not a
requirement. The request was for the local resolver to cache information
about upstream resolvers being *available*, so that each process would not
have to find out for itself that the primary DNS server is offline and fail
over (with annoying timeouts).

Running a cache with the local resolver causes problems that we don't have
solutions for. Correct is more important than fast; we should run without
caching.

--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                   vorlon@debian.org
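The distinction drawn in this message, a local forwarder that remembers which upstream servers are down but caches no answers, as an added Python example that is not part of the thread and not code from systemd-resolved, dnsmasq or Network Manager. The `Upstream` and `AvailabilityCachingResolver` names, the fake clock and the stand-in upstream functions are all constructed for the illustration; a real forwarder would send DNS over UDP/TCP where the stand-ins return or raise. It models the behaviour being asked for: the first client pays the primary's timeout once, later clients skip straight to the secondary for the hold-down period, and every query still goes upstream, so there is no shared local record cache for an unprivileged user to poison and a changed upstream answer is visible immediately.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


class UpstreamTimeout(Exception):
    """Raised by a stand-in upstream to model an unanswered query."""


@dataclass
class Upstream:
    name: str
    resolve: Callable[[str], str]  # constructed stand-in; a real forwarder would send UDP/TCP DNS
    queries: int = 0               # how many times we actually asked this server


class AvailabilityCachingResolver:
    """Forwarder that remembers which upstreams are *down*, never what they answered.

    Every query still goes to an upstream, so no locally cached record can be
    poisoned or go stale; only the "this server timed out" fact is remembered,
    for down_ttl seconds, so later clients skip the failing primary at once.
    """

    def __init__(self, upstreams: List[Upstream], down_ttl: float = 30.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.upstreams = list(upstreams)
        self.down_ttl = down_ttl
        self.clock = clock
        self.down_until: Dict[str, float] = {}  # upstream name -> when to retry it

    def _is_down(self, up: Upstream) -> bool:
        until = self.down_until.get(up.name)
        if until is None:
            return False
        if self.clock() >= until:      # the hold-down expired: probe it again
            del self.down_until[up.name]
            return False
        return True

    def query(self, qname: str) -> Tuple[str, str]:
        """Return (answer, upstream_name); try upstreams in order, skipping known-down ones."""
        last_err: Exception = RuntimeError("no upstreams configured")
        for up in self.upstreams:
            if self._is_down(up):
                continue
            up.queries += 1
            try:
                return up.resolve(qname), up.name
            except UpstreamTimeout as err:
                self.down_until[up.name] = self.clock() + self.down_ttl
                last_err = err
        raise RuntimeError("all upstreams unavailable") from last_err


def demo() -> dict:
    """Constructed scenario: the primary is offline, the secondary answers."""
    now = [0.0]                                 # fake monotonic clock, advanced by hand
    answers = {"example.test.": "192.0.2.10"}   # constructed zone data

    def primary(qname: str) -> str:
        now[0] += 5.0                   # model the 5 s a real timeout would cost
        raise UpstreamTimeout(qname)

    def secondary(qname: str) -> str:
        return answers[qname]

    ups = [Upstream("primary", primary), Upstream("secondary", secondary)]
    r = AvailabilityCachingResolver(ups, down_ttl=30.0, clock=lambda: now[0])

    first = r.query("example.test.")    # pays the primary's timeout once
    t_first = now[0]
    second = r.query("example.test.")   # primary held down: no timeout this time
    t_second = now[0]

    answers["example.test."] = "192.0.2.20"   # upstream data changes...
    third = r.query("example.test.")          # ...and we see it at once: nothing was cached

    now[0] = t_second + 31.0            # hold-down expires: the primary is probed again
    fourth = r.query("example.test.")

    return {
        "first": first, "second": second, "third": third, "fourth": fourth,
        "timeout_cost_first": t_first, "timeout_cost_second": t_second - t_first,
        "primary_queries": ups[0].queries, "secondary_queries": ups[1].queries,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints the four answers and the counters; the second query costs no time at all, and the secondary's counter climbs with every query because nothing is ever served from local memory. The hold-down TTL is the one tunable: too short and every client keeps paying the timeout, too long and a recovered primary stays unused.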