Historic archive of defunct list bloat-devel@lists.bufferbloat.net
From: Dave Taht <dave.taht@gmail.com>
To: Dave Hart <davehart_gmail_exchange_tee@davehart.net>
Cc: bismark-bootcamp@projectbismark.net,
	bloat-devel <bloat-devel@lists.bufferbloat.net>,
	Evan Hunt <ethanol@gmail.com>,
	bismark-devel@projectbismark.net
Subject: Re: smoketest #6 of cerowrt is go for testing
Date: Sun, 17 Jul 2011 06:34:33 -0600
Message-ID: <CAA93jw7AhfsDUCWJ1rpEz-w8PD_tUx17-gx6oreZaNPm4ETvww@mail.gmail.com>
In-Reply-To: <CAMbSiYBFNteUdRhBH2CgPL-SOEA2_DPgymK9VPHM_gAPYH=TVA@mail.gmail.com>


On Sat, Jul 16, 2011 at 10:35 PM, Dave Hart <davehart_gmail_exchange_tee@davehart.net> wrote:

> On Sun, Jul 17, 2011 at 00:02 UTC, Rick Jones <rick.jones2@hp.com> wrote:
> > If you configure ntpd with bare IP addresses rather than names, will the
> > getaddrinfo() return without attempting any DNS in the first place?
>
> Yes, basically.  ntpd might not even call getaddrinfo() in that case
> (it may use inet_pton() or similar to convert the IP address to binary
> representation).  At any rate, using only numeric IPv4 or IPv6
> addresses will avoid any DNS lookups.
>

While there is one group that is finally providing ntp time via anycast -
which is a good solution to a large extent! - there is only the one (small)
group doing so, rather than the needed '3'.

http://news.ntppool.org/2011/03/expanding-the-anycast-dns-serv.html

And I'm reluctant, given the sordid history of hard coding ntp IP addresses,

http://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse

to hard code *any* until far more anycast servers are online.

To take a step backwards on this, there are extensive notes on the circular
dependencies between time and dnssec logged here.

http://www.bufferbloat.net/issues/205

I'd implemented a hack to try to address these circular dependencies last
week in the named-latest package repo, while also coping with

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2464

I think I addressed the latter issue, but *good*. :) The 'fix' for the
ntp/dnssec/bind/network dependencies seems to have some problems, however,
notably really slow startup in general.


To step further back on this:

I had implemented ntp (with 7 contacted servers in the conf file!) in the
first place due to the "cosmic background bufferbloat detector" idea
extensively discussed on the comp.protocols.ntp newsgroup, and because I
wanted to be able to compare large sample data sets against known-to-be
accurate time, with a large deployment of client routers that had a
configuration I could trust to be accurate, talking to a yet-to-be-deployed
string of ntp servers (via hopefully a helpful operator) that could work on
this with us.


We had implemented dnssec in the first place because we wanted more people
to be using it, and ironing out problems (among other things, I planned to
use it to ensure valid updates to the routers), and because of nonsense
about DNS censorship happening all over the world, such as the recent
shenanigans in Australia.

Once all these circular dependencies are resolved on boot, which doesn't
always happen and seems to take minutes, regardless, dnssec works pretty
darn good. Seeing it actually work at all after a decade of discussion makes
me really, really happy, but making it work *well*, somehow, would be best.

It's also my hope to implement this fix to bind, in the next rc release of
cerowrt.

http://www.isc.org/community/blog/201107/major-improvement-bind-9-startup-performance


> Cheers,
> Dave Hart
>



-- 
Dave Täht
SKYPE: davetaht
US Tel: 1-239-829-5608
http://the-edge.blogspot.com
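The boot-time deadlock the message describes (DNSSEC validation needs a correct clock, and NTP needs DNS to find its servers) can be made concrete with a small model. This is an added illustration, not code from the thread, from CeroWrt, or from bind/ntpd; the server name, the TEST-NET address, the signature window and the dead-RTC boot clock are all constructed for the example.

```python
# Added illustration of the NTP/DNSSEC circular dependency at boot.
# Constructed values: signature window, server name/address, boot clock.
from dataclasses import dataclass

EPOCH_BOOT = 0                 # no battery-backed RTC: router boots at 1970
TRUE_TIME = 1_310_904_000      # constructed "real" time for the example


@dataclass(frozen=True)
class Rrsig:
    inception: int
    expiration: int


# Constructed signed zone: name -> (address, RRSIG covering the answer).
# 192.0.2.10 is a TEST-NET-1 documentation address, not a real server.
ZONE = {
    "ntp.example.net": ("192.0.2.10",
                        Rrsig(TRUE_TIME - 86400, TRUE_TIME + 86400)),
}


def rrsig_time_valid(sig: Rrsig, now: int) -> bool:
    """A validator rejects an RRSIG outside its inception..expiration window."""
    return sig.inception <= now <= sig.expiration


def resolve(name: str, now: int, validate: bool):
    """Return the address, or None when validation marks the answer bogus."""
    addr, sig = ZONE[name]
    if validate and not rrsig_time_valid(sig, now):
        return None
    return addr


def ntp_sync(server_addr: str) -> int:
    """Stand-in for an NTP exchange: any reachable server yields TRUE_TIME."""
    return TRUE_TIME


def boot(server: str, validate_during_bootstrap: bool) -> dict:
    """Cold boot; `server` is either a DNS name or a bare IP literal."""
    clock = EPOCH_BOOT
    if server in ZONE:
        addr = resolve(server, clock, validate_during_bootstrap)
    else:
        addr = server  # numeric address: no DNS lookup happens at all
    if addr is None:   # bogus answer at 1970: ntpd never learns a server
        return {"synced": False, "clock": clock, "dnssec_ok": False}
    clock = ntp_sync(addr)
    # With the clock corrected, fully validated lookups now succeed.
    dnssec_ok = resolve("ntp.example.net", clock, True) is not None
    return {"synced": True, "clock": clock, "dnssec_ok": dnssec_ok}
```

The three calls worth trying are a name with validation on (deadlock), a bare address as Dave Hart suggests (no lookup, so it syncs), and a name resolved without validation only for the bootstrap step (syncs, then validates normally).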

