Bug#318464: [Resolvconf-devel] Bug#318464: resolvconf: Cascaded dnscache incompatibility

Tobias Reckhard tobias.reckhard at secunet.com
Tue Feb 6 09:30:27 CET 2007

Hi Daniel

First of all, thanks a lot for the quick response.

Daniel Kahn Gillmor wrote the following on 05.02.2007 20:32:
> At 2007-02-05 09:12, tobias.reckhard at secunet.com said:
>>> The advantage of this setup over one with only one dnscache is that
>>> you can make changes to the dnscache redirection configuration,
>>> which requires a restart of dnscache to take effect, without losing
>>> your cache of DNS data, because the dnscache instance with the large
>>> cache needn't be restarted.
> interesting.  i'd never thought of using dnscache cascaded like this.

It's been talked about on the djbdns mailing list, however that was a
while ago.

> You're adding a layer of indirection (and caching most requests twice
> on your machine), but i can see how there's an advantage in what you
> describe, if you want to retain your dnscache between restarts.

This is especially the case if the contents of the root/servers
directory are rather fluctuative. In this specific case, some NAT idiocy
(IMHO) forces us to short-circuit many DNS paths using entries in the
root/servers directory. Any change to the latter previously lost us the
entire cache.

>>> The dnscache script in the resolvconf package breaks this setup by
>>> overwriting the root/servers/@ file of the forward-only-dnscache
>>> with its own address, leading to a forwarding loop. This effectively
>>> breaks all DNS reolution on the system.
> yuck.  That's no good at all.

Yep, you've said it.

>  How is your dnscache instance's IP
> address getting added to the nameserver list?

The forward-only dnscache's IP address ( in my example) is
defined as the nameserver in /etc/resolv.conf. If I understood it right,
the dnscache script in the resolvconf package looks for forward-only
dnscaches and overwrites their root/servers/@ with the nameserver
entries in /etc/resolv.conf.

>>> If resolvconf is to continue to manage the root/servers/@ file of
>>> all forward-only dnscache instances on a host, it would make sense
>>> to modify only those which do not point to the host itself, i.e. to
>>> an address within 127/8 or to one of the host's own IP addresses,
>>> such as in the example above.
> Can you try the following patch to /etc/resolvconf/update.d/dnscache
> and see if it works for you?  The logic is (or should be):
>    if the IP address this dnscache instance binds to is listed in the
>    set of nameservers, do not repoint its "@" reference.
> Does that sound right to you?

Yes, that's an alternative to the approach I outline. In fact, I came up
with the same idea later yesterday and had thought about telling you
about it. No need to do that anymore. :-)

I'll try the patch on another machine that's not in production use yet
but is otherwise almost identical.

> Thanks for your report,

Don't mention it. Thanks for your Quick help.


More information about the Resolvconf-devel mailing list