[dns-operations] Using IP_RECVERR/IPV6_RECVERR on resolver client sockets
paul at redbarn.org
Tue Jan 8 15:49:10 UTC 2019
Florian Weimer wrote:
> Someone noticed that the Linux kernel only puts some networking-related
> errors on the socket error queue for connected UDP sockets:
> The impact is that the UDP client doesn't notice that the network is
> unreachable even if there's an ICMP message (host-related ICMP messages
> are typically enqueued and cause a read error). Instead, name servers
> are only switched after a timeout.
as explained again most recently by the QUIC people, pushing network
stack details into the operating system kernel often makes them
evolution-resistant, sometimes makes them perform poorly, usually adds
more #ifdef's to network applications, makes kernels fragile, and
increases the severity of any eventual bugs and vulnerabilities.
dns initiators should open the ICMP socket, read through all the dreck
they find there, locate their own messages, parse those, and behave
accordingly. i once went so far as to do UDP in user mode when freebsd
on a 1.4GHz opteron gave me ~20K PPS whereas using libpcap was 10X that,
and the "netmap" team has taken that idea radically further.
the above report is basically "somebody tried to do something smart and
got it wrong and nobody noticed for a really long time" and foreshadows
future similar results. every offered complexity should be weighed
against its lifetime costs and risks. this one fails that test.
More information about the dns-operations