[Dnsmasq-discuss] DNSSEC and all-servers

tobias+dnsmasq at trds.de tobias+dnsmasq at trds.de
Fri Oct 8 06:40:52 UTC 2021


On 2021-10-07 23:01, Simon Kelley wrote:
> On 07/10/2021 10:59, Tobias via Dnsmasq-discuss wrote:
>> when "dnssec" and "all-servers" are set, according to the log it seems
>> queries are usually forwarded to all upstream servers as expected, but
>> the internal "dnssec-query"s are not, they are only sent to one, which
>> is unexpected with "all-servers". (They are also not balanced but more
>> like 16:1 sent to the first upstream server, which is usually the faster
>> one, I assume that's why?)
>> Another issue, probably not related to "all-servers", and maybe not even
>> DNSSEC: When there's an A query followed by an AAAA query, the log shows
>> two identical consecutive internal DS/DNSKEY queries (to the same
>> upstream, verified via upstream log), isn't that unnecessary/excessive?
> 
> What version are you running? Your second point was addressed in release
> 2.86, so I guess something earlier.

That's correct, I'm still at 2.85. (I see it's in the Changelog, should
have checked that, sorry.)

> The code for determining which server to use for DNSSEC queries was also
> touched in 2.86, but the principle remains the same. The code tries hard
> to use the same server as provided the answer being validated.  This may
> not be possible in some circumstances, and if that server doesn't
> respond, the strategy for picking another server changed in 2.86, but in
> general it's true.
> 
> That explains your observation. The original query gets sent to all the
> servers and whichever answers first has its answer used, and gets the
> subsidiary queries for DNSSEC. A single server may often be the fastest,
> or it might just be that the query is always sent to the servers in the
> same order, so the first one to receive it normally wins.

My reason for using "all-servers" is that I have two upstream servers,
one that is usually notably faster, but with occasional timeouts, and
one that is slower but also more stable. So if DNSSEC queries are sent
to the first upstream server only, they are much more likely to time
out, so I'd guess sending them to both upstreams should be preferred in
this case. Or am I using it wrongly?

On the other hand, what would be the rationale to treat DNSSEC queries
differently than other queries under "all-servers"? For which use case
would this be better? (If the current behavior is to be kept, I suggest
adjusting the documentation, in particular this part: "Setting this flag
forces dnsmasq to send all queries to all available servers." Thanks!)
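The observation above (ordinary queries forwarded to every upstream, the subsidiary DS/DNSKEY queries going to one of them, and duplicate DS/DNSKEY lookups after an A-then-AAAA pair) can be checked from dnsmasq's own query log rather than by eye. The script below is an added example, not code from the thread or from the dnsmasq project; the log lines are constructed and only modelled on the `log-queries` output format (`forwarded NAME to SERVER`, `dnssec-query[TYPE] NAME to SERVER`), the upstream addresses are placeholders, and the DS/DNSKEY names are simplified.

```python
import re
from collections import Counter

# Constructed sample of dnsmasq log lines with log-queries enabled. The hosts,
# names and counts are made up; the line shapes follow dnsmasq's log format
# as far as this example assumes it.
SAMPLE_LOG = """\
Oct  8 06:30:01 gw dnsmasq[1234]: query[A] example.com from 192.168.1.20
Oct  8 06:30:01 gw dnsmasq[1234]: forwarded example.com to 10.0.0.1
Oct  8 06:30:01 gw dnsmasq[1234]: forwarded example.com to 10.0.0.2
Oct  8 06:30:01 gw dnsmasq[1234]: dnssec-query[DS] example.com to 10.0.0.1
Oct  8 06:30:01 gw dnsmasq[1234]: dnssec-query[DNSKEY] example.com to 10.0.0.1
Oct  8 06:30:01 gw dnsmasq[1234]: query[AAAA] example.com from 192.168.1.20
Oct  8 06:30:01 gw dnsmasq[1234]: forwarded example.com to 10.0.0.1
Oct  8 06:30:01 gw dnsmasq[1234]: forwarded example.com to 10.0.0.2
Oct  8 06:30:01 gw dnsmasq[1234]: dnssec-query[DS] example.com to 10.0.0.1
Oct  8 06:30:01 gw dnsmasq[1234]: dnssec-query[DNSKEY] example.com to 10.0.0.1
Oct  8 06:30:02 gw dnsmasq[1234]: query[A] www.example.org from 192.168.1.21
Oct  8 06:30:02 gw dnsmasq[1234]: forwarded www.example.org to 10.0.0.1
Oct  8 06:30:02 gw dnsmasq[1234]: forwarded www.example.org to 10.0.0.2
Oct  8 06:30:02 gw dnsmasq[1234]: dnssec-query[DS] example.org to 10.0.0.2
"""

# "forwarded NAME to SERVER": an ordinary query sent upstream.
FORWARD_RE = re.compile(r"dnsmasq\[\d+\]: forwarded (\S+) to (\S+)$")
# "dnssec-query[TYPE] NAME to SERVER": a subsidiary DS/DNSKEY query.
DNSSEC_RE = re.compile(r"dnsmasq\[\d+\]: dnssec-query\[(\w+)\] (\S+) to (\S+)$")


def tally_upstreams(log_text):
    """Count, per upstream address, how many ordinary forwards and how many
    DNSSEC subsidiary queries were sent there. With all-servers the forward
    counts should be equal; the DNSSEC counts show whether the subsidiary
    queries are likewise spread or concentrated on one upstream."""
    forwarded = Counter()
    dnssec = Counter()
    for line in log_text.splitlines():
        m = FORWARD_RE.search(line)
        if m:
            forwarded[m.group(2)] += 1
            continue
        m = DNSSEC_RE.search(line)
        if m:
            dnssec[m.group(3)] += 1
    return forwarded, dnssec


def find_repeated_dnssec_queries(log_text):
    """Return {(qtype, name, upstream): count} for DNSSEC queries that were sent
    more than once, i.e. the duplicate DS/DNSKEY lookups seen when an A query
    is immediately followed by an AAAA query for the same name."""
    seen = Counter()
    for line in log_text.splitlines():
        m = DNSSEC_RE.search(line)
        if m:
            seen[m.groups()] += 1
    return {key: n for key, n in seen.items() if n > 1}


if __name__ == "__main__":
    fwd, ds = tally_upstreams(SAMPLE_LOG)
    for server in sorted(set(fwd) | set(ds)):
        print(f"{server}: forwarded={fwd[server]} dnssec-query={ds[server]}")
    for (qtype, name, server), n in find_repeated_dnssec_queries(SAMPLE_LOG).items():
        print(f"repeated {qtype} {name} to {server}: {n} times")
```

Run it against a real log from `dnsmasq --log-queries` instead of `SAMPLE_LOG` to see the forward/DNSSEC split per upstream; a skew like the 16:1 mentioned above shows up directly in the second column, and the repeated-query report identifies the duplicate DS/DNSKEY pairs on versions before the 2.86 fix.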
