[dns-operations] Using IP_RECVERR/IPV6_RECVERR on resolver client sockets

Florian Weimer fweimer at redhat.com
Tue Jan 8 16:08:54 UTC 2019


* Paul Vixie:

> Florian Weimer wrote:
>> Someone noticed that the Linux kernel only puts some networking-related
>> errors on the socket error queue for connected UDP sockets:
>>
>>    <https://sourceware.org/bugzilla/show_bug.cgi?id=24047>
>>
>> The impact is that the UDP client doesn't notice that the network is
>> unreachable even if there's an ICMP message (host-related ICMP messages
>> are typically enqueued and cause a read error).  Instead, name servers
>> are only switched after a timeout.
>> ...
>
> as explained again most recently by the QUIC people, pushing network
> stack details into the operating system kernel often makes them
> evolution-resistant, sometimes makes them perform poorly, usually adds
> more #ifdef's to network applications, makes kernels fragile, and
> increases the severity of any eventual bugs and vulnerabilities.

Well, the flip side is that we are talking about DNS.  The protocol
doesn't provide a way to check the availability of a server because
there is no query you can send that is guaranteed to elicit a response,
so we have to resort hacks anyway.

> dns initiators should open the ICMP socket, read through all the dreck
> they find there, locate their own messages, parse those, and behave
> accordingly. i once went so far as to do UDP in user mode when freebsd
> on a 1.4GHz opteron gave me ~20K PPS whereas using libpcap was 10X
> that, and the "netmap" team has taken that idea radically further.

UDP is generally neglected in performance work.

But with a connected socket, the kernel already does the parsing work
for you.  It's just that without IP_RECVERR/IPV6_RECVERR, the specs
require that some of the data is ignored.  I was just wondering if we
should use that data going forward.  I think the importance of using a
connected socket for error detection is generally recognized.  But it
seems to me that the need to specify IP_RECVERR/IPV6_RECVERR has been
missed so far.  And if not and I'm wrong about this, I would like to
know the reason why implementers do not use it.

Thanks,
Florian



More information about the dns-operations mailing list