From: George Lambert
To: Dave Taht
Cc: Evan Hunt, cerowrt-devel@lists.bufferbloat.net
Date: Mon, 20 Aug 2012 14:43:19 -0400
Subject: Re: [Cerowrt-devel] thoughts toward improving cerowrt's DNS and DNSSEC in the next release

We have been working on DNS stuff and I will make some DNS recommendations within the next couple of days - if that would help.

Bind is an unnecessary waste of memory.

UnBound is too slow.

We are making custom modifications to MaraDNS to make it have the right low memory footprint and optimizations for a router.

George.

On Mon, Aug 20, 2012 at 2:25 PM, Dave Taht wrote:
> The ongoing DNS issues bug me. For most uses these days I disable bind
> entirely, as the 12-20MB it uses up are better used for packets. I do
> use it on 3800s but not on 3700v2s.
>
> 0) the circular time issue (bug #113) remains a PITA. I was really
> scarred by trying to fix that one last year and keep hoping someone
> else will fix it...
>
> 1) The luci gui has hooks for dnsmasq's "use dns servers advertised by
> peer" and "use custom dns servers", which are not tied into the bind
> configuration.
>
> This is confusing users. The way to do that manually is to get the
> advertisement once, validate that those servers do NXDOMAIN and
> DNSSEC, and toss them into forwarders.conf and enable forwarders.conf
>
> 2) Going to the DNS roots with bind is OK, but it is always faster,
> and more reliable to use the ISP provided DNS servers, if they can be
> trusted to send DNSSEC information. Comcast's (if you are on comcast)
> are fast as heck. I also recently discovered that google DNS does
> indeed do dnssec, and although much further away than comcast on the
> networks I have access to, they are universally available.
>
> So I am thinking of enabling forwarding by default to google DNS. This
> reduces enabling forwarding to another set of servers provided by the
> ISP, if usable....
>
> I would like a test of some sort that would prove a delegated ISP's
> DNS server was "worthy", this test would include NXDOMAIN, DNSSEC, and
> whatever else would be required to validate it as a potential
> forwarder to overwrite the forwarders.conf file with that information.
>
> I wouldn't mind establishing a global white/blacklist of DNS servers
> that did NXDOMAIN/DNSSEC right/wrong somewhere, either...
>
> dnsmasq may gain DNSSEC by the winter, btw....
>
> 3) A related problem is that when behind many walled gardens (a hotel,
> for example), going to the DNS roots via bind doesn't work at all,
> neither do things like google dns, and usually the forwarder is pretty
> crappy in the first place. dnsmasq works in this scenario just fine...
>
> 4) A final alternative is to drop bind by default and install it
> optionally. While this would lose DNSSEC, and split views and local
> delegations, it would buy the integration with dnsmasq, which includes
> things like AAAA naming, etc., and get some memory back. (I note that
> the OOM issues we're encountering are USEFUL to encounter in that
> optimizing for memory use throughout the system is very important, and
> I have similar issues on 32MB routers like the picostation/nanostation
> even without bind)
>
> Given the amount of time, energy, and money (all 0) I personally have
> to deal with these issues, I'm mostly tempted to save on hair by
> making dnsmasq the default going forward, and write off bind for now.
> Certainly continue to make it available for advanced users, but
> install it optionally.
>
> The advantages of having something closer to full blown dns in the
> home are not apparent without tighter integration with dhcp, dhcpv6,
> ahcp, etc, than presently exists anywhere.
>
> --
> Dave Täht
> http://www.bufferbloat.net/projects/cerowrt/wiki - "3.3.8-17 is out
> with fq_codel!"
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
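Dave asks for a test that proves a candidate forwarder is "worthy" on NXDOMAIN and DNSSEC. The following is an added example, not code from the thread or from CeroWrt: it builds the DO-flagged query such a probe would send and implements the pass/fail logic over raw DNS response headers. The sample responses at the bottom are constructed inline so the checks run offline; in real use the replies would come from sending `build_query` over UDP/53 to the candidate server for a nonexistent name, a correctly signed name and a deliberately badly signed name.

```python
import struct
QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020   # header flag bits (RFC 1035; AD from RFC 4035)
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3

def parse_header(pkt):
    """Return (flags, rcode, ancount) from the 12-byte DNS message header."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS message")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", pkt[:12])
    return flags, flags & 0x000F, ancount

def check_nxdomain(pkt):
    """A nonexistent name must come back NXDOMAIN with no answers; NOERROR plus
    answer records means the resolver synthesises (hijacks) NXDOMAIN."""
    _flags, rcode, ancount = parse_header(pkt)
    return rcode == NXDOMAIN and ancount == 0

def check_dnssec(signed_pkt, bogus_pkt):
    """A validating resolver sets AD on a correctly signed answer and returns
    SERVFAIL, not data, for a name whose signature is deliberately broken."""
    flags, rcode, _ = parse_header(signed_pkt)
    _bflags, brcode, _bancount = parse_header(bogus_pkt)
    return rcode == NOERROR and bool(flags & AD) and brcode == SERVFAIL

def forwarder_worthy(nx_pkt, signed_pkt, bogus_pkt):
    """Combined verdict: the candidate passes both the NXDOMAIN and DNSSEC probes."""
    return check_nxdomain(nx_pkt) and check_dnssec(signed_pkt, bogus_pkt)

def build_query(name, qtype=1, txid=0x1234):
    """Wire-format query with an EDNS0 OPT record carrying the DO bit, so the
    resolver includes RRSIGs and sets AD when it validated (RFC 4035 s3.2.1)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    header = struct.pack("!6H", txid, RD, 1, 0, 0, 1)  # RD set; 1 question, 1 additional (OPT)
    question = qname + struct.pack("!HH", qtype, 1)    # qtype, class IN
    # OPT RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0, flags DO=0x8000, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def make_header(flags, rcode, ancount):
    """Constructed 12-byte response header for offline testing, not a real capture."""
    return struct.pack("!6H", 0x1234, flags | rcode, 1, ancount, 0, 0)

# Constructed sample replies, as three hypothetical forwarders might send them.
HONEST_NX = make_header(QR | RD | RA, NXDOMAIN, 0)       # correct: name does not exist
HIJACKED_NX = make_header(QR | RD | RA, NOERROR, 1)      # wrong: NXDOMAIN replaced by an A record
VALIDATED = make_header(QR | RD | RA | AD, NOERROR, 1)   # signed name, resolver validated it
NO_AD = make_header(QR | RD | RA, NOERROR, 1)            # signed name, no validation performed
BOGUS_SERVFAIL = make_header(QR | RD | RA, SERVFAIL, 0)  # broken signature correctly rejected
BOGUS_ANSWERED = make_header(QR | RD | RA, NOERROR, 1)   # broken signature passed through
```

A forwarder that passes `forwarder_worthy` is the kind of server the thread proposes writing into forwarders.conf; one that fails `check_nxdomain` is rewriting negative answers and one that fails `check_dnssec` either does not validate or hands back data it should have rejected.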