[Resolvconf-devel] Bug#318464: resolvconf: Cascaded dnscache incompatibility

Tobias Reckhard tobias.reckhard at secunet.com
Mon Feb 5 09:12:57 CET 2007

Package: resolvconf
Version: 1.37
Followup-For: Bug #318464


The behaviour of the dnscache script in the resolvconf package is
incompatible with systems using two (or more) cascaded dnscaches. Here
is a brief explanation of the setup:

  * A system has a dnscache with a small cache on its externally
    reachable IP address. This dnscache is configured as a FORWARDONLY
    cache by means of the env/FORWARDONLY file, instructing it to
    forward all of the requests it can't answer from its cache to the
    parent server(s) listed in the file root/servers/@. However, it
    still obeys locally configured redirections in the directory
    root/servers, meaning that it will e.g. query the DNS server at for DNS info regarding www.example.com if there is a file
    root/servers/example.com containing "" (minus the quotes).

    In this case, the @ file contains the IP address of the second
    dnscache instance (see below), in my case

  * The system has a second dnscache instance on another IP address, in
    my case, with a large cache. It is an iterative resolver,
    meaning that env/FORWARDONLY does not exist and it's got the list of
    root servers in the file root/servers/@.

  * /etc/resolv.conf contains the address of the forward-only-cache,
    i.e. a line containing "nameserver" in this example.

The advantage of this setup over one with only one dnscache is that you
can make changes to the dnscache redirection configuration, which
requires a restart of dnscache to take effect, without losing your cache
of DNS data, because the dnscache instance with the large cache needn't
be restarted.

The dnscache script in the resolvconf package breaks this setup by
overwriting the root/servers/@ file of the forward-only-dnscache with
its own address, leading to a forwarding loop. This effectively breaks
all DNS resolution on the system.

If resolvconf is to continue to manage the root/servers/@ file of all
forward-only dnscache instances on a host, it would make sense to modify
only those which do not point to the host itself, i.e. to an address
within 127/8 or to one of the host's own IP addresses, such as
in the example above.

Could you please consider this option?

Best regards,
Tobias Reckhard

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-2-386
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages resolvconf depends on:
ii  coreutils                     5.97-5     The GNU core utilities
ii  debconf [debconf-2.0]         1.5.8      Debian configuration management sy
ii  lsb-base                      3.1-22     Linux Standard Base 3.1 init scrip

resolvconf recommends no packages.

-- debconf information:
  resolvconf/linkify-resolvconf: true
  resolvconf/disable-bad-hooks: true
* resolvconf/downup-interfaces:
  resolvconf/link-tail-to-original: false
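The check proposed in the report (leave a forward-only dnscache's root/servers/@ alone when it already points at the host itself, i.e. into 127/8 or at one of the host's own addresses) can be expressed as a small set of shell functions. This is an added example written for this page, not the resolvconf package's dnscache hook; the instance directories, the addresses 10.0.0.1, 10.0.0.2 and 192.0.2.1, and the `ip -4 -o addr` helper are all constructed or assumed for illustration.

```shell
#!/bin/sh
# Added example: decide whether a resolvconf-style hook may rewrite a
# dnscache instance's root/servers/@ file. An @ file that forwards to the
# host itself belongs to a cascaded setup and must be left untouched,
# otherwise the hook creates the forwarding loop described in the report.

# is_loopback ADDR: true if ADDR lies within 127/8
is_loopback() {
    case "$1" in
        127.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# is_own_address ADDR LOCAL...: true if ADDR equals one of the host
# addresses passed as the remaining arguments
is_own_address() {
    addr=$1
    shift
    for a in "$@"; do
        [ "$a" = "$addr" ] && return 0
    done
    return 1
}

# local_interface_addresses: assumed helper that lists the host's own IPv4
# addresses, one per line, using iproute2 (not used by the demo below so
# that the example runs on constructed data only)
local_interface_addresses() {
    ip -4 -o addr show | awk '{print $4}' | cut -d/ -f1
}

# points_at_self FILE LOCAL...: true if any upstream listed in FILE
# (one address per line, as in dnscache's root/servers/@) is the host itself
points_at_self() {
    file=$1
    shift
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;   # skip blank lines and comments
        esac
        if is_loopback "$line" || is_own_address "$line" "$@"; then
            return 0
        fi
    done < "$file"
    return 1
}

# should_manage FILE LOCAL...: true only if the hook may safely rewrite FILE
should_manage() {
    if points_at_self "$@"; then
        return 1
    fi
    return 0
}

# Demonstration on a constructed directory tree (not a real /etc/dnscache):
# "ext" is the small forward-only cache pointing at the large local cache,
# "int" is the large iterative cache pointing at an (invented) upstream.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/ext/root/servers" "$demo_root/int/root/servers"
printf '%s\n' 10.0.0.2  > "$demo_root/ext/root/servers/@"
printf '%s\n' 192.0.2.1 > "$demo_root/int/root/servers/@"
for inst in ext int; do
    f="$demo_root/$inst/root/servers/@"
    if should_manage "$f" 10.0.0.1 10.0.0.2; then
        echo "$inst: @ file may be rewritten by the hook"
    else
        echo "$inst: @ file points at this host; leave it alone"
    fi
done
rm -rf "$demo_root"
```

In a real hook the host's own addresses would come from `local_interface_addresses` rather than a literal list, and the @ file would be rewritten only when `should_manage` succeeds.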
