[dns-operations] Using IP_RECVERR/IPV6_RECVERR on resolver client sockets

Paul Vixie paul at redbarn.org
Tue Jan 8 15:49:10 UTC 2019

Florian Weimer wrote:
> Someone noticed that the Linux kernel only puts some networking-related
> errors on the socket error queue for connected UDP sockets:
>    <https://sourceware.org/bugzilla/show_bug.cgi?id=24047>
> The impact is that the UDP client doesn't notice that the network is
> unreachable even if there's an ICMP message (host-related ICMP messages
> are typically enqueued and cause a read error).  Instead, name servers
> are only switched after a timeout.
> ...

as explained again most recently by the QUIC people, pushing network 
stack details into the operating system kernel often makes them 
evolution-resistant, sometimes makes them perform poorly, usually adds 
more #ifdef's to network applications, makes kernels fragile, and 
increases the severity of any eventual bugs and vulnerabilities.

dns initiators should open the ICMP socket, read through all the dreck 
they find there, locate their own messages, parse those, and behave 
accordingly. i once went so far as to do UDP in user mode when freebsd 
on a 1.4GHz opteron gave me ~20K PPS whereas using libpcap was 10X that, 
and the "netmap" team has taken that idea radically further.

the above report is basically "somebody tried to do something smart and 
got it wrong and nobody noticed for a really long time" and foreshadows 
future similar results. every offered complexity should be weighed 
against its lifetime costs and risks. this one fails that test.

P Vixie

More information about the dns-operations mailing list