Commit 201d9958 authored Feb 15, 2017 by Lennart Poettering

resolved: cache SERVFAIL responses for 30s

Some domains (such as us.ynuf.alipay.com) almost appear as if they actively
want to sabotage our DNSSEC work. Specifically, they unconditionally
return SERVFAIL on SOA lookups and always only after a 1s delay (at
least). This is pretty bad for our validation logic, as we use SOA
lookups to distuingish zones from non-terminal names. Moreover, SERVFAIL
is an error that is typically returned if we send requests a server
doesn't grok, and thus is reason for us to downgrade our protocol and
try again. In case of these zones this means we'll accept the SERVFAIL
response only after a full iterative downgrade to our lowest feature
level: TCP. In combination with the 1s delays this has the effect of
making us hit our transaction timeout way to easily.

As first attempt to improve the situation: let's start caching SERVFAIL
responses in our cache, after the full downgrade for a short period of
time.

Conceptually this is exposed as "weird rcode" caching, but for now we
only consider SERVFAIL a "weird rcode" worthy of caching. Later on we
might want to add more.

parent dc349f5f

Hide whitespace changes

Inline Side-by-side

mirror @mirror
mentioned in commit 9e5bf687
· Jan 27, 2021

mentioned in commit 9e5bf687

mentioned in commit 9e5bf68702a0d39eebd40e55fc2bdf847b0c49c7

Toggle commit list
mirror @mirror
mentioned in commit c4df6681
· Jan 27, 2021

mentioned in commit c4df6681

mentioned in commit c4df66816b6d0403c572a638c2cd393d7f0056d0

Toggle commit list

Please register or to comment