diff options
| author | Lennart Poettering <lennart@poettering.net> | 2017-02-15 18:28:23 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2017-02-17 10:25:15 +0100 |
| commit | 201d99584ed7af8078bb243ce2587e5455074713 (patch) | |
| tree | 499106637de75c4b1f6d2838cee7ad20b27d86d9 /src/resolve/resolved-dns-transaction.c | |
| parent | dc349f5f7a833233aebd08e30e662d6298f854e3 (diff) | |
resolved: cache SERVFAIL responses for 30s
Some domains (such as us.ynuf.alipay.com) almost appear as if they actively
want to sabotage our DNSSEC work. Specifically, they unconditionally
return SERVFAIL on SOA lookups and always only after a 1s delay (at
least). This is pretty bad for our validation logic, as we use SOA
lookups to distuingish zones from non-terminal names. Moreover, SERVFAIL
is an error that is typically returned if we send requests a server
doesn't grok, and thus is reason for us to downgrade our protocol and
try again. In case of these zones this means we'll accept the SERVFAIL
response only after a full iterative downgrade to our lowest feature
level: TCP. In combination with the 1s delays this has the effect of
making us hit our transaction timeout way to easily.
As first attempt to improve the situation: let's start caching SERVFAIL
responses in our cache, after the full downgrade for a short period of
time.
Conceptually this is exposed as "weird rcode" caching, but for now we
only consider SERVFAIL a "weird rcode" worthy of caching. Later on we
might want to add more.
Diffstat (limited to 'src/resolve/resolved-dns-transaction.c')
0 files changed, 0 insertions, 0 deletions