smoketest #6 of cerowrt is go for testing

Dave Taht dave.taht at gmail.com
Sun Jul 17 08:34:33 EDT 2011


On Sat, Jul 16, 2011 at 10:35 PM, Dave Hart <davehart_gmail_exchange_tee at davehart.net> wrote:

> On Sun, Jul 17, 2011 at 00:02 UTC, Rick Jones <rick.jones2 at hp.com> wrote:
> > If you configure ntpd with bare IP addresses rather than names, will the
> > getaddrinfo() return without attempting any DNS in the first place?
>
> Yes, basically.  ntpd might not even call getaddrinfo() in that case
> (it may use inet_pton() or similar to convert the IP address to binary
> representation).  At any rate, using only numeric IPv4 or IPv6
> addresses will avoid any DNS lookups.
>

While there is one group that is finally providing ntp time via anycast -
which is a good solution to a large extent! - there is only the one (small)
group doing so, rather than the needed '3'.

http://news.ntppool.org/2011/03/expanding-the-anycast-dns-serv.html

And I'm reluctant, given the sordid history of hard coding ntp IP addresses,


http://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse

to hard code *any* until far more anycast servers are online.

To take a step backwards on this, there are extensive notes on the circular
dependencies between time and dnssec logged here.

http://www.bufferbloat.net/issues/205

I'd implemented a hack to try to address these circular dependencies last
week in the named-latest package repo, while also coping with

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2464

I think I addressed the latter issue, but *good*. :) The 'fix' for the
ntp/dnssec/bind/network dependencies seems to have some problems, however,
notably really slow startup in general.


To step further back on this:

I had implemented ntp (with 7 contacted servers in the conf file!) in the
first place due to the "cosmic background bufferbloat detector" idea
extensively discussed on the comp.protocols.ntp newsgroup, and because I
wanted to be able to compare large sample data sets against known-to-be
accurate time, with a large deployment of client routers that had a
configuration I could trust to be accurate, talking to a yet-to-be-deployed
string of ntp servers (via hopefully a helpful operator) that could work on
this with us.


We had implemented dnssec in the first place because we wanted more people
to be using it, and ironing out problems (among other things, I planned to
use it to ensure valid updates to the routers), and because of nonsense
about DNS censorship happening all over the world, such as the recent
shenanigans in Australia.

Once all these circular dependencies are resolved on boot, which doesn't
always happen and seems to take minutes, regardless, dnssec works pretty
darn good. Seeing it actually work at all after a decade of discussion makes
me really, really happy, but making it work *well*, somehow, would be best.

It's also my hope to implement this fix to bind, in the next rc release of
cerowrt.

http://www.isc.org/community/blog/201107/major-improvement-bind-9-startup-performance


> Cheers,
> Dave Hart
>



-- 
Dave Täht
SKYPE: davetaht
US Tel: 1-239-829-5608
http://the-edge.blogspot.com
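The time/DNSSEC circularity the message refers to, as an added example that is not code from the original post, from CeroWrt or from BIND: a router with no battery-backed clock boots with its clock at the epoch, so every RRSIG it sees is "not yet valid" and a validating resolver refuses to hand back the addresses of the NTP pool it needs to fix the clock. The zone data, signature validity windows and addresses below are constructed for illustration, and the NTP sync is a stand-in that simply adopts a made-up server time.

```python
"""Simulated boot of a DNSSEC-validating router without an RTC.

Shows the RFC 4034 RRSIG validity-window check, the deadlock it causes
when the clock is wrong, and one bootstrap order that breaks the loop:
resolve the NTP pool with validation off (the equivalent of 'dig +cd'),
sync time, then validate everything else.
"""
from datetime import datetime, timezone

# Constructed sample zone: name -> (A records, (RRSIG inception, expiration)).
# Inception/expiration use the on-the-wire form YYYYMMDDHHMMSS in UTC.
SAMPLE_ZONE = {
    "0.pool.example.": (["192.0.2.10", "192.0.2.11"],
                        ("20110710000000", "20110724000000")),
    "updates.example.": (["198.51.100.5"],
                         ("20110712000000", "20110726000000")),
}

# Hypothetical time an NTP server would hand back; within both windows above.
NTP_SERVER_TIME = datetime(2011, 7, 17, 12, 0, 0, tzinfo=timezone.utc)

# What a router with no RTC thinks the time is right after power-on.
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_rrsig_time(s):
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rrsig_window_ok(window, now):
    """RFC 4034 section 3.1.5: signature is usable only if
    inception <= now <= expiration according to the validator's clock."""
    inception, expiration = (parse_rrsig_time(t) for t in window)
    return inception <= now <= expiration


class ValidationError(Exception):
    pass


class Router:
    def __init__(self, clock):
        self.clock = clock  # wrong at boot on a box without an RTC

    def resolve(self, name, validate=True):
        """Toy stub for a validating resolver: only the time check is modelled,
        the crypto and chain of trust are assumed good."""
        addrs, window = SAMPLE_ZONE[name]
        if validate and not rrsig_window_ok(window, self.clock):
            raise ValidationError(
                f"RRSIG for {name} outside validity window at {self.clock:%Y-%m-%d}")
        return addrs

    def ntp_sync(self, server_addrs):
        """Stand-in for an NTP exchange with one of server_addrs: adopt its time."""
        assert server_addrs, "no NTP servers to talk to"
        self.clock = NTP_SERVER_TIME


def boot_naive(router):
    """Validate from the very first query: deadlocks while the clock is at the epoch."""
    try:
        router.resolve("0.pool.example.")
        return "synced"
    except ValidationError as e:
        return f"stuck: {e}"


def boot_bootstrapped(router):
    """Break the loop: one unvalidated lookup for the NTP pool, sync, then validate."""
    servers = router.resolve("0.pool.example.", validate=False)
    router.ntp_sync(servers)
    # Clock is now sane; validation works for everything else, e.g. update host.
    return router.resolve("updates.example.")


if __name__ == "__main__":
    print(boot_naive(Router(EPOCH)))
    print(boot_bootstrapped(Router(EPOCH)))
```

The bootstrap order trades one unvalidated DNS answer (the pool names) for getting the clock set at all; an attacker who controls that single answer can point the router at a rogue NTP server, which is the same trust problem the thread is weighing against hard-coding pool addresses. In real BIND the unvalidated lookup corresponds to a query with the CD bit set; the toy resolver above models only the time check, not signature verification or the chain of trust.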