[dns-operations] Using IP_RECVERR/IPV6_RECVERR on resolver client sockets
Florian Weimer
fweimer at redhat.com
Tue Jan 8 16:08:54 UTC 2019
* Paul Vixie:
> Florian Weimer wrote:
>> Someone noticed that the Linux kernel only puts some networking-related
>> errors on the socket error queue for connected UDP sockets:
>>
>> <https://sourceware.org/bugzilla/show_bug.cgi?id=24047>
>>
>> The impact is that the UDP client doesn't notice that the network is
>> unreachable even if there's an ICMP message (host-related ICMP messages
>> are typically enqueued and cause a read error). Instead, name servers
>> are only switched after a timeout.
>> ...
>
> as explained again most recently by the QUIC people, pushing network
> stack details into the operating system kernel often makes them
> evolution-resistant, sometimes makes them perform poorly, usually adds
> more #ifdef's to network applications, makes kernels fragile, and
> increases the severity of any eventual bugs and vulnerabilities.
Well, the flip side is that we are talking about DNS. The protocol
doesn't provide a way to check the availability of a server because
there is no query you can send that is guaranteed to elicit a response,
so we have to resort hacks anyway.
> dns initiators should open the ICMP socket, read through all the dreck
> they find there, locate their own messages, parse those, and behave
> accordingly. i once went so far as to do UDP in user mode when freebsd
> on a 1.4GHz opteron gave me ~20K PPS whereas using libpcap was 10X
> that, and the "netmap" team has taken that idea radically further.
UDP is generally neglected in performance work.
But with a connected socket, the kernel already does the parsing work
for you. It's just that without IP_RECVERR/IPV6_RECVERR, the specs
require that some of the data is ignored. I was just wondering if we
should use that data going forward. I think the importance of using a
connected socket for error detection is generally recognized. But it
seems to me that the need to specify IP_RECVERR/IPV6_RECVERR has been
missed so far. And if not and I'm wrong about this, I would like to
know the reason why implementers do not use it.
Thanks,
Florian
More information about the dns-operations
mailing list