change response cache ttl (--enable-cache-ttl)


change response cache ttl (--enable-cache-ttl)

Sukmoon Lee
Hello Sirs,

I am Sukmoon Lee, a software developer and network engineer in South Korea.

Recently, most clients (smartphones) have a local DNS cache.
The TTL returned from the resolver's cache controls when the client's cache entry expires, so many clients expiring at the same moment cause a burst of DNS traffic.
To address this I made the following patches for ISC BIND 9.9.9-P2.

It was written so as to change the original code as little as possible.
The feature is enabled with the '--enable-cache-ttl' configure option.
When enabled, cached DNS responses are sent with the stored (original) cache TTL.

My question is whether this feature is wanted.
Please also check the code for problems.

Thank you.

Sukmoon Lee






diff -Nur bind-9.9.9-P2/bin/named/query.c bind-9.9.9-P2-ttl/bin/named/query.c
--- bind-9.9.9-P2/bin/named/query.c 2016-07-14 08:54:33.000000000 +0900
+++ bind-9.9.9-P2-ttl/bin/named/query.c 2016-07-27 11:05:46.414020726 +0900
@@ -2302,11 +2302,15 @@
  dns_rdatalist_init(dns64_rdatalist);
  dns64_rdatalist->rdclass = dns_rdataclass_in;
  dns64_rdatalist->type = dns_rdatatype_aaaa;
+#ifdef USE_CACHE_STORED_TTL
+ dns64_rdatalist->ttl = rdataset->base_ttl;
+#else
  if (client->query.dns64_ttl != ISC_UINT32_MAX)
  dns64_rdatalist->ttl = ISC_MIN(rdataset->ttl,
        client->query.dns64_ttl);
  else
  dns64_rdatalist->ttl = ISC_MIN(rdataset->ttl, 600);
+#endif
 
  if (RECURSIONOK(client))
  flags |= DNS_DNS64_RECURSIVE;
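Review bot: The `USE_CACHE_STORED_TTL` branch assigns `rdataset->base_ttl` unconditionally and drops the bound the `#else` branch keeps, so a synthesized AAAA can outlive both the negative answer that justified it (`client->query.dns64_ttl`) and the 600-second cap. As far as the patch shows, this also turns the assignments to `client->query.dns64_ttl` in the later hunks at `@@ -6984` and `@@ -7510` into stores that nothing reads under the define. Keeping the clamp, e.g. `dns64_rdatalist->ttl = ISC_MIN(rdataset->base_ttl, client->query.dns64_ttl != ISC_UINT32_MAX ? client->query.dns64_ttl : 600);`, preserves the existing limit while still using the stored TTL. The enclosing function starts before the hunk.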
@@ -2360,6 +2364,9 @@
  result = dns_rdatalist_tordataset(dns64_rdatalist, dns64_rdataset);
  if (result != ISC_R_SUCCESS)
  goto cleanup;
+#ifdef USE_CACHE_STORED_TTL
+ dns64_rdataset->base_ttl = rdataset->base_ttl;
+#endif
  client->query.attributes |= NS_QUERYATTR_NOADDITIONAL;
  dns64_rdataset->trust = rdataset->trust;
  query_addrdataset(client, mname, dns64_rdataset);
@@ -5456,7 +5463,11 @@
  dns_rdataset_current(&rdataset, &rdata);
  result = dns_rdata_tostruct(&rdata, &soa, NULL);
  RUNTIME_CHECK(result == ISC_R_SUCCESS);
+#ifdef USE_CACHE_STORED_TTL
+ ttl = ISC_MIN(rdataset.base_ttl, soa.minimum);
+#else
  ttl = ISC_MIN(rdataset.ttl, soa.minimum);
+#endif
 
 cleanup:
  if (dns_rdataset_isassociated(&rdataset))
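Review bot: Under the define `ttl` becomes `ISC_MIN(rdataset.base_ttl, soa.minimum)`, but as far as this patch shows `base_ttl` is assigned from a real TTL only in the resolver's cache-insertion path (`@@ -5119` in resolver.c) and by the `type == 0` special case in rbtdb.c, so an SOA served from an authoritative zone database keeps the 0 that `dns_rdataset_init` now stores and the negative-answer TTL collapses to 0. The same zero reaches the wire for every A/AAAA that did not come through the resolver, because the `dns_rdataset_towire` hunk in rdataset.c (`@@ -488`) emits `base_ttl` for those types without regard to where the rdataset came from. Unless a path outside the diff sets `base_ttl` for zone data, each consumer needs a guard such as `if (rdataset.base_ttl != 0)` before preferring it, or `base_ttl` must be seeded from `ttl` whenever a caller has not set it. The enclosing function starts before the hunk.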
@@ -6984,10 +6995,14 @@
  * decremented to zero or if there was no negative cache
  * ttl in the answer.
  */
+#ifdef USE_CACHE_STORED_TTL
+ client->query.dns64_ttl = rdataset->base_ttl;
+#else
  if (rdataset->ttl != 0)
  client->query.dns64_ttl = rdataset->ttl;
  else if (dns_rdataset_first(rdataset) == ISC_R_SUCCESS)
  client->query.dns64_ttl = 0;
+#endif
  query_releasename(client, &fname);
  dns_db_detachnode(db, &node);
  rdataset = NULL;
@@ -7510,7 +7525,11 @@
  */
  client->query.dns64_aaaa = rdataset;
  client->query.dns64_sigaaaa = sigrdataset;
+#ifdef USE_CACHE_STORED_TTL
+ client->query.dns64_ttl = rdataset->base_ttl;
+#else
  client->query.dns64_ttl = rdataset->ttl;
+#endif
  query_releasename(client, &fname);
  dns_db_detachnode(db, &node);
  rdataset = NULL;
diff -Nur bind-9.9.9-P2/config.h.in bind-9.9.9-P2-ttl/config.h.in
--- bind-9.9.9-P2/config.h.in 2016-07-14 08:54:33.000000000 +0900
+++ bind-9.9.9-P2-ttl/config.h.in 2016-07-27 08:35:55.669404673 +0900
@@ -159,6 +159,9 @@
 /* Define to enable the "filter-aaaa-on-v4" option. */
 #undef ALLOW_FILTER_AAAA_ON_V4
 
+/* Define to enable the "cache-ttl" option. */
+#undef USE_CACHE_STORED_TTL
+
 /* define if ATF unit tests are to be built. */
 #undef ATF_TEST
 
diff -Nur bind-9.9.9-P2/configure bind-9.9.9-P2-ttl/configure
--- bind-9.9.9-P2/configure 2016-07-14 08:54:33.000000000 +0900
+++ bind-9.9.9-P2-ttl/configure 2016-07-27 08:33:08.743618406 +0900
@@ -1024,6 +1024,7 @@
 with_dlz_stub
 with_make_clean
 enable_full_report
+enable_cache_ttl
 '
       ac_precious_vars='build_alias
 host_alias
@@ -1690,6 +1691,7 @@
   [default=no]
   --enable-querytrace     enable very verbose query trace logging [default=no]
   --enable-full-report  report values of all configure options
+  --enable-cache-ttl  use response a stored cache ttl [default=no]
 
 Optional Packages:
   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
@@ -11442,6 +11444,7 @@
  test "${enable_fetchlimit+set}" = set || enable_fetchlimit=yes
  test "${enable_warn_error+set}" = set || enable_warn_error=yes
  test "${enable_warn_shadow+set}" = set || enable_warn_shadow=yes
+ test "${enable_cache_ttl+set}" = set || enable_cache_ttl=yes
  ;;
 esac
 #
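Review bot: `enable_cache_ttl=yes` is forced here whenever the variable is unset, next to `enable_fetchlimit` and `enable_warn_error`, so whichever `case` arm this is (its label is above the hunk, presumably a developer build) silently turns the TTL rewrite on even though the help text at `@@ -1690` advertises `[default=no]`. A behaviour-changing option should stay opt-in everywhere; drop the added line, or state the developer-mode default in the help text.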
@@ -13211,6 +13214,26 @@
 
 
 #
+# check if we want Stored Cache TTL
+#
+# Check whether --enable-cache-ttl was given.
+if test "${enable_cache_ttl+set}" = set; then :
+  enableval=$enable_cache_ttl;
+fi
+
+case "$enable_cache_ttl" in
+yes)
+
+$as_echo "#define USE_CACHE_STORED_TTL 1" >>confdefs.h
+
+ ;;
+*)
+ ;;
+esac
+
+
+
+#
 # check if we have kqueue
 #
 # Check whether --enable-kqueue was given.
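Review bot: This hunk edits the generated `configure` script by hand; the same change has to be made in the autoconf input (an `AC_ARG_ENABLE` for `cache-ttl` plus the `AC_DEFINE`) or the next `autoconf` run discards it, and the `config.h.in` hunk likewise needs to come from `autoheader`. The `if test "${enable_cache_ttl+set}" = set; then : enableval=$enable_cache_ttl; fi` block has no effect as written, since the `case` below reads `$enable_cache_ttl` rather than `enableval`; that is what autoconf emits for an action-less `AC_ARG_ENABLE`, so it is harmless once generated rather than typed in.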
@@ -23531,6 +23554,8 @@
 test "$want_querytrace" = "yes" && \
     echo "    Very verbose query trace logging (--enable-querytrace)"
 test "$atf" = "no" || echo "    Automated Testing Framework (--with-atf)"
+test "$enable_cache_ttl" = "yes" && \
+    echo "    Stored cache TTL (--enable-cacht-ttl)"
 
 # these lines are only printed if run with --enable-full-report
 if test "$enable_full_report" = "yes"; then
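Review bot: The summary line spells the option `--enable-cacht-ttl`, and the full-report hunk that follows (`@@ -23590`) tests `$enable_cacht_ttl`, a variable nothing ever sets, so the "not built" report line is printed even when the feature is enabled. Both should read `cache`: `echo "    Stored cache TTL (--enable-cache-ttl)"` here and `test "$enable_cache_ttl" = "yes" || \` in the next hunk.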
@@ -23590,6 +23615,8 @@
     echo "    ECDSA algorithm support (--with-ecdsa)"
 test "X$PYTHON" = "X" && echo "    Python tools (--with-python)"
 test "X$libxml2_libs" = "X" && echo "    XML statistics (--with-libxml2)"
+test "$enable_cacht_ttl" = "yes" || \
+    echo "    Stored cache TTL (--enable-cache-ttl)"
 
 if test "X$ac_unrecognized_opts" != "X"; then
     echo
diff -Nur bind-9.9.9-P2/lib/dns/include/dns/rdataset.h bind-9.9.9-P2-ttl/lib/dns/include/dns/rdataset.h
--- bind-9.9.9-P2/lib/dns/include/dns/rdataset.h 2016-07-14 08:54:33.000000000 +0900
+++ bind-9.9.9-P2-ttl/lib/dns/include/dns/rdataset.h 2016-07-27 08:33:28.849073731 +0900
@@ -137,6 +137,9 @@
  dns_rdataclass_t rdclass;
  dns_rdatatype_t type;
  dns_ttl_t ttl;
+#ifdef USE_CACHE_STORED_TTL
+ dns_ttl_t base_ttl;
+#endif
  dns_trust_t trust;
  dns_rdatatype_t covers;
  /*
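Review bot: Making `base_ttl` a conditional member changes the layout of the public `dns_rdataset_t`, so every object that includes this header, including any out-of-tree module, must be compiled against the same `config.h` or it reads `trust` and everything after it at the wrong offset. Since `dns_ttl_t` is small, an unconditional member (left 0 and ignored when the option is off) avoids the two-ABI split; routing the choice through one accessor defined here, e.g. `#define DNS_RDATASET_WIRETTL(r) ((r)->base_ttl)` with a plain `ttl` fallback when the option is off, could also replace most of the `#ifdef` sites spread over query.c, rbtdb.c and rdataset.c.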
diff -Nur bind-9.9.9-P2/lib/dns/rbtdb.c bind-9.9.9-P2-ttl/lib/dns/rbtdb.c
--- bind-9.9.9-P2/lib/dns/rbtdb.c 2016-07-14 08:54:33.000000000 +0900
+++ bind-9.9.9-P2-ttl/lib/dns/rbtdb.c 2016-07-27 08:33:49.981554223 +0900
@@ -342,6 +342,9 @@
  */
  rbtdb_serial_t                  serial;
  dns_ttl_t                       rdh_ttl;
+#ifdef USE_CACHE_STORED_TTL
+ dns_ttl_t                       base_ttl;
+#endif
  rbtdb_rdatatype_t               type;
  isc_uint16_t                    attributes;
  dns_trust_t                     trust;
@@ -2948,6 +2951,9 @@
  rdataset->type = RBTDB_RDATATYPE_BASE(header->type);
  rdataset->covers = RBTDB_RDATATYPE_EXT(header->type);
  rdataset->ttl = header->rdh_ttl - now;
+#ifdef USE_CACHE_STORED_TTL
+ rdataset->base_ttl = header->base_ttl;
+#endif
  rdataset->trust = header->trust;
  if (NEGATIVE(header))
  rdataset->attributes |= DNS_RDATASETATTR_NEGATIVE;
@@ -6676,6 +6682,13 @@
  newheader = (rdatasetheader_t *)region.base;
  init_rdataset(rbtdb, newheader);
  set_ttl(rbtdb, newheader, rdataset->ttl + now);
+#ifdef USE_CACHE_STORED_TTL
+ if (rdataset->type==0) { // ncache for dns64
+ newheader->base_ttl = rdataset->ttl;
+ } else {
+ newheader->base_ttl = rdataset->base_ttl;
+ }
+#endif
  newheader->type = RBTDB_RDATATYPE_VALUE(rdataset->type,
  rdataset->covers);
  newheader->attributes = 0;
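Review bot: The `// ncache for dns64` block is copied verbatim into the next hunk (`@@ -6862`), uses `//` comments where the surrounding file uses `/* */`, and its comment undersells what it does: the `type == 0` test matches every negative-cache rdataset, not only the ones DNS64 consults, and as far as the patch shows it is the only place an rdataset that did not pass through the resolver gets a non-zero `base_ttl`. Hoisting the two copies into one `static inline` helper next to `init_rdataset`, with a comment such as `/* Negative-cache rdatasets never pass through the resolver's base_ttl assignment; use the insertion TTL. */`, keeps the call sites in step. The enclosing function starts before the hunk.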
@@ -6862,6 +6875,13 @@
  newheader = (rdatasetheader_t *)region.base;
  init_rdataset(rbtdb, newheader);
  set_ttl(rbtdb, newheader, rdataset->ttl);
+#ifdef USE_CACHE_STORED_TTL
+ if (rdataset->type==0) { // ncache for dns64
+ newheader->base_ttl = rdataset->ttl;
+ } else {
+ newheader->base_ttl = rdataset->base_ttl;
+ }
+#endif
  newheader->type = RBTDB_RDATATYPE_VALUE(rdataset->type,
  rdataset->covers);
  newheader->attributes = 0;
diff -Nur bind-9.9.9-P2/lib/dns/rdataset.c bind-9.9.9-P2-ttl/lib/dns/rdataset.c
--- bind-9.9.9-P2/lib/dns/rdataset.c 2016-07-14 08:54:33.000000000 +0900
+++ bind-9.9.9-P2-ttl/lib/dns/rdataset.c 2016-07-27 10:49:36.011035374 +0900
@@ -70,6 +70,9 @@
  rdataset->rdclass = 0;
  rdataset->type = 0;
  rdataset->ttl = 0;
+#ifdef USE_CACHE_STORED_TTL
+ rdataset->base_ttl = 0;
+#endif
  rdataset->trust = 0;
  rdataset->covers = 0;
  rdataset->attributes = 0;
@@ -99,6 +102,9 @@
  rdataset->rdclass = 0;
  rdataset->type = 0;
  rdataset->ttl = 0;
+#ifdef USE_CACHE_STORED_TTL
+ rdataset->base_ttl = 0;
+#endif
  rdataset->trust = 0;
  rdataset->covers = 0;
  rdataset->attributes = 0;
@@ -126,6 +132,9 @@
  rdataset->rdclass = 0;
  rdataset->type = 0;
  rdataset->ttl = 0;
+#ifdef USE_CACHE_STORED_TTL
+ rdataset->base_ttl = 0;
+#endif
  rdataset->trust = 0;
  rdataset->covers = 0;
  rdataset->attributes = 0;
@@ -488,7 +497,15 @@
  isc_buffer_putuint16(target, rdataset->type);
  isc_buffer_putuint16(target, rdataset->rdclass);
  if (!question) {
+#ifdef USE_CACHE_STORED_TTL
+ if (rdataset->type==dns_rdatatype_a || rdataset->type==dns_rdatatype_aaaa) {
+ isc_buffer_putuint32(target, rdataset->base_ttl);
+ } else {
+ isc_buffer_putuint32(target, rdataset->ttl);
+ }
+#else
  isc_buffer_putuint32(target, rdataset->ttl);
+#endif
 
  /*
  * Save space for rdlen.
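Review bot: Emitting `base_ttl` for A and AAAA only, while every other type in the same message (CNAME, NS, MX, the covering RRSIG) still carries the decremented `ttl`, produces responses whose TTLs disagree with each other, and because `base_ttl` never decrements it restarts the downstream cache's clock on every hit, so a client can keep an address for a full TTL after the resolver's own copy has expired — roughly doubling the window in which a retired address is still used. If the aim is to desynchronise downstream caches, a bounded adjustment applied uniformly to every rdataset in the message (or the prefetch approach discussed later in the thread) achieves that without the on-wire TTL exceeding the remaining cache lifetime. At minimum this branch should not prefer `base_ttl` when it is 0, which is the value any rdataset that never passed through the resolver's cache path carries.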
diff -Nur bind-9.9.9-P2/lib/dns/resolver.c bind-9.9.9-P2-ttl/lib/dns/resolver.c
--- bind-9.9.9-P2/lib/dns/resolver.c 2016-07-14 08:54:33.000000000 +0900
+++ bind-9.9.9-P2-ttl/lib/dns/resolver.c 2016-07-27 10:46:42.692031770 +0900
@@ -5119,6 +5119,13 @@
  if (rdataset->ttl > res->view->maxcachettl)
  rdataset->ttl = res->view->maxcachettl;
 
+#ifdef USE_CACHE_STORED_TTL
+ /*
+ * Save a stored cache TTL.
+ */
+ rdataset->base_ttl = rdataset->ttl;
+
+#endif
  /*
  * Find the SIG for this rdataset, if we have it.
  */
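Review bot: The comment `Save a stored cache TTL.` does not say what is saved or why it is taken after the `maxcachettl` clamp; `/* Remember the TTL as clamped at insertion: dns_rdataset_towire sends this, not the decremented cache TTL, for A/AAAA. */` would. This is the only assignment of `base_ttl` from a live TTL in the patch apart from the negative-cache case in rbtdb.c, so any other route by which this file hands rdatasets to `dns_db_addrdataset` would need the same line — whether such routes exist is not visible here, and the enclosing function starts before the hunk. The stray blank line before `#endif` can go.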

RE: change response cache ttl (--enable-cache-ttl)

Kevin Darcy
"many client have caused a burst DNS traffic" is not much of a problem statement, honestly.

What does this patch add, of value, that isn't already covered by "max-cache-ttl"?

If you're trying to allow the operators of intermediate resolvers to override the intentions of the data owner, by enforcing a *minimum* TTL, then I have to say that's a really bad idea. The data owner sets their TTL for a reason, and if it's low, it's probably because the infrastructure is very dynamic. Forcing data to be kept after the data owners' TTL, risks keeping "stale" data in the client, and this will likely have a negative impact on the user experience. It might even have security implications, because maybe that resource (e.g. IP address) isn't trusted any more. You don't want clients connecting to an untrusted resource, do you? Who would have legal or criminal liability, if that happened?

                                                - Kevin


-----Original Message-----
From: bind-users [mailto:[hidden email]] On Behalf Of SUKMOON LEE
Sent: Thursday, August 04, 2016 7:25 AM
To: [hidden email]
Subject: change response cache ttl (--enable-cache-ttl)

Hello Sirs,

I am Sukmoon Lee, a software developer and network engineer in South Korea.

Recently, most clients (smartphones) have a local DNS cache.
The TTL returned from the resolver's cache controls when the client's cache entry expires, so many clients expiring at the same moment cause a burst of DNS traffic.
To address this I made the following patches for ISC BIND 9.9.9-P2.

It was written so as to change the original code as little as possible.
The feature is enabled with the '--enable-cache-ttl' configure option.
When enabled, cached DNS responses are sent with the stored (original) cache TTL.

My question is whether this feature is wanted.
Please also check the code for problems.

Thank you.

Sukmoon Lee






diff -Nur bind-9.9.9-P2/bin/named/query.c bind-9.9.9-P2-ttl/bin/named/query.c
--- bind-9.9.9-P2/bin/named/query.c 2016-07-14 08:54:33.000000000 +0900
+++ bind-9.9.9-P2-ttl/bin/named/query.c 2016-07-27 11:05:46.414020726 +0900
@@ -2302,11 +2302,15 @@
  dns_rdatalist_init(dns64_rdatalist);
  dns64_rdatalist->rdclass = dns_rdataclass_in;
  dns64_rdatalist->type = dns_rdatatype_aaaa;
+#ifdef USE_CACHE_STORED_TTL
+ dns64_rdatalist->ttl = rdataset->base_ttl; #else
  if (client->query.dns64_ttl != ISC_UINT32_MAX)
  dns64_rdatalist->ttl = ISC_MIN(rdataset->ttl,
        client->query.dns64_ttl);
  else
  dns64_rdatalist->ttl = ISC_MIN(rdataset->ttl, 600);
+#endif
 
  if (RECURSIONOK(client))
  flags |= DNS_DNS64_RECURSIVE;
@@ -2360,6 +2364,9 @@
  result = dns_rdatalist_tordataset(dns64_rdatalist, dns64_rdataset);
  if (result != ISC_R_SUCCESS)
  goto cleanup;
+#ifdef USE_CACHE_STORED_TTL
+ dns64_rdataset->base_ttl = rdataset->base_ttl; #endif
  client->query.attributes |= NS_QUERYATTR_NOADDITIONAL;
  dns64_rdataset->trust = rdataset->trust;
 query_addrdataset(client, mname, dns64_rdataset);
@@ -5456,7 +5463,11 @@
  dns_rdataset_current(&rdataset, &rdata);
  result = dns_rdata_tostruct(&rdata, &soa, NULL);
  RUNTIME_CHECK(result == ISC_R_SUCCESS);
+#ifdef USE_CACHE_STORED_TTL
+ ttl = ISC_MIN(rdataset.base_ttl, soa.minimum); #else
  ttl = ISC_MIN(rdataset.ttl, soa.minimum);
+#endif
 
 cleanup:
  if (dns_rdataset_isassociated(&rdataset))
@@ -6984,10 +6995,14 @@
  * decremented to zero or if there was no negative cache
  * ttl in the answer.
  */
+#ifdef USE_CACHE_STORED_TTL
+ client->query.dns64_ttl = rdataset->base_ttl; #else
  if (rdataset->ttl != 0)
  client->query.dns64_ttl = rdataset->ttl;
  else if (dns_rdataset_first(rdataset) == ISC_R_SUCCESS)
  client->query.dns64_ttl = 0;
+#endif
  query_releasename(client, &fname);
  dns_db_detachnode(db, &node);
  rdataset = NULL;
@@ -7510,7 +7525,11 @@
  */
  client->query.dns64_aaaa = rdataset;
  client->query.dns64_sigaaaa = sigrdataset;
+#ifdef USE_CACHE_STORED_TTL
+ client->query.dns64_ttl = rdataset->base_ttl; #else
  client->query.dns64_ttl = rdataset->ttl;
+#endif
  query_releasename(client, &fname);
  dns_db_detachnode(db, &node);
  rdataset = NULL;
diff -Nur bind-9.9.9-P2/config.h.in bind-9.9.9-P2-ttl/config.h.in
--- bind-9.9.9-P2/config.h.in 2016-07-14 08:54:33.000000000 +0900
+++ bind-9.9.9-P2-ttl/config.h.in 2016-07-27 08:35:55.669404673 +0900
@@ -159,6 +159,9 @@
 /* Define to enable the "filter-aaaa-on-v4" option. */  #undef ALLOW_FILTER_AAAA_ON_V4
 
+/* Define to enable the "cache-ttl" option. */ #undef
+USE_CACHE_STORED_TTL
+
 /* define if ATF unit tests are to be built. */  #undef ATF_TEST
 
diff -Nur bind-9.9.9-P2/configure bind-9.9.9-P2-ttl/configure
--- bind-9.9.9-P2/configure 2016-07-14 08:54:33.000000000 +0900
+++ bind-9.9.9-P2-ttl/configure 2016-07-27 08:33:08.743618406 +0900
@@ -1024,6 +1024,7 @@
 with_dlz_stub
 with_make_clean
 enable_full_report
+enable_cache_ttl
 '
       ac_precious_vars='build_alias
 host_alias
@@ -1690,6 +1691,7 @@
   [default=no]
   --enable-querytrace     enable very verbose query trace logging [default=no]
   --enable-full-report  report values of all configure options
+  --enable-cache-ttl  use response a stored cache ttl [default=no]
 
 Optional Packages:
   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
@@ -11442,6 +11444,7 @@
  test "${enable_fetchlimit+set}" = set || enable_fetchlimit=yes
  test "${enable_warn_error+set}" = set || enable_warn_error=yes
  test "${enable_warn_shadow+set}" = set || enable_warn_shadow=yes
+ test "${enable_cache_ttl+set}" = set || enable_cache_ttl=yes
  ;;
 esac
 #
@@ -13211,6 +13214,26 @@
 
 
 #
+# check if we want Stored Cache TTL
+#
+# Check whether --enable-cache-ttl was given.
+if test "${enable_cache_ttl+set}" = set; then :
+  enableval=$enable_cache_ttl;
+fi
+
+case "$enable_cache_ttl" in
+yes)
+
+$as_echo "#define USE_CACHE_STORED_TTL 1" >>confdefs.h
+
+ ;;
+*)
+ ;;
+esac
+
+
+
+#
 # check if we have kqueue
 #
 # Check whether --enable-kqueue was given.
@@ -23531,6 +23554,8 @@
 test "$want_querytrace" = "yes" && \
     echo "    Very verbose query trace logging (--enable-querytrace)"
 test "$atf" = "no" || echo "    Automated Testing Framework (--with-atf)"
+test "$enable_cache_ttl" = "yes" && \
+    echo "    Stored cache TTL (--enable-cacht-ttl)"
 
 # these lines are only printed if run with --enable-full-report
 if test "$enable_full_report" = "yes"; then
@@ -23590,6 +23615,8 @@
     echo "    ECDSA algorithm support (--with-ecdsa)"
 test "X$PYTHON" = "X" && echo "    Python tools (--with-python)"
 test "X$libxml2_libs" = "X" && echo "    XML statistics (--with-libxml2)"
+test "$enable_cacht_ttl" = "yes" || \
+    echo "    Stored cache TTL (--enable-cache-ttl)"
 
 if test "X$ac_unrecognized_opts" != "X"; then
     echo
diff -Nur bind-9.9.9-P2/lib/dns/include/dns/rdataset.h bind-9.9.9-P2-ttl/lib/dns/include/dns/rdataset.h
--- bind-9.9.9-P2/lib/dns/include/dns/rdataset.h 2016-07-14 08:54:33.000000000 +0900
+++ bind-9.9.9-P2-ttl/lib/dns/include/dns/rdataset.h 2016-07-27 08:33:28.849073731 +0900
@@ -137,6 +137,9 @@
  dns_rdataclass_t rdclass;
  dns_rdatatype_t type;
  dns_ttl_t ttl;
+#ifdef USE_CACHE_STORED_TTL
+ dns_ttl_t base_ttl;
+#endif
  dns_trust_t trust;
  dns_rdatatype_t covers;
  /*
diff -Nur bind-9.9.9-P2/lib/dns/rbtdb.c bind-9.9.9-P2-ttl/lib/dns/rbtdb.c
--- bind-9.9.9-P2/lib/dns/rbtdb.c 2016-07-14 08:54:33.000000000 +0900
+++ bind-9.9.9-P2-ttl/lib/dns/rbtdb.c 2016-07-27 08:33:49.981554223 +0900
@@ -342,6 +342,9 @@
  */
  rbtdb_serial_t                  serial;
  dns_ttl_t                       rdh_ttl;
+#ifdef USE_CACHE_STORED_TTL
+ dns_ttl_t                       base_ttl;
+#endif
  rbtdb_rdatatype_t               type;
  isc_uint16_t                    attributes;
  dns_trust_t                     trust;
@@ -2948,6 +2951,9 @@
  rdataset->type = RBTDB_RDATATYPE_BASE(header->type);
  rdataset->covers = RBTDB_RDATATYPE_EXT(header->type);
  rdataset->ttl = header->rdh_ttl - now;
+#ifdef USE_CACHE_STORED_TTL
+ rdataset->base_ttl = header->base_ttl; #endif
  rdataset->trust = header->trust;
  if (NEGATIVE(header))
 rdataset->attributes |= DNS_RDATASETATTR_NEGATIVE;
@@ -6676,6 +6682,13 @@
  newheader = (rdatasetheader_t *)region.base;
  init_rdataset(rbtdb, newheader);
  set_ttl(rbtdb, newheader, rdataset->ttl + now);
+#ifdef USE_CACHE_STORED_TTL
+ if (rdataset->type==0) { // ncache for dns64
+ newheader->base_ttl = rdataset->ttl;
+ } else {
+ newheader->base_ttl = rdataset->base_ttl;
+ }
+#endif
  newheader->type = RBTDB_RDATATYPE_VALUE(rdataset->type,
  rdataset->covers);
  newheader->attributes = 0;
@@ -6862,6 +6875,13 @@
  newheader = (rdatasetheader_t *)region.base;
  init_rdataset(rbtdb, newheader);
  set_ttl(rbtdb, newheader, rdataset->ttl);
+#ifdef USE_CACHE_STORED_TTL
+ if (rdataset->type==0) { // ncache for dns64
+ newheader->base_ttl = rdataset->ttl;
+ } else {
+ newheader->base_ttl = rdataset->base_ttl;
+ }
+#endif
  newheader->type = RBTDB_RDATATYPE_VALUE(rdataset->type,
  rdataset->covers);
  newheader->attributes = 0;
diff -Nur bind-9.9.9-P2/lib/dns/rdataset.c bind-9.9.9-P2-ttl/lib/dns/rdataset.c
--- bind-9.9.9-P2/lib/dns/rdataset.c 2016-07-14 08:54:33.000000000 +0900
+++ bind-9.9.9-P2-ttl/lib/dns/rdataset.c 2016-07-27 10:49:36.011035374 +0900
@@ -70,6 +70,9 @@
  rdataset->rdclass = 0;
  rdataset->type = 0;
  rdataset->ttl = 0;
+#ifdef USE_CACHE_STORED_TTL
+ rdataset->base_ttl = 0;
+#endif
  rdataset->trust = 0;
  rdataset->covers = 0;
  rdataset->attributes = 0;
@@ -99,6 +102,9 @@
  rdataset->rdclass = 0;
  rdataset->type = 0;
  rdataset->ttl = 0;
+#ifdef USE_CACHE_STORED_TTL
+ rdataset->base_ttl = 0;
+#endif
  rdataset->trust = 0;
  rdataset->covers = 0;
  rdataset->attributes = 0;
@@ -126,6 +132,9 @@
  rdataset->rdclass = 0;
  rdataset->type = 0;
  rdataset->ttl = 0;
+#ifdef USE_CACHE_STORED_TTL
+ rdataset->base_ttl = 0;
+#endif
  rdataset->trust = 0;
  rdataset->covers = 0;
  rdataset->attributes = 0;
@@ -488,7 +497,15 @@
  isc_buffer_putuint16(target, rdataset->type);
  isc_buffer_putuint16(target, rdataset->rdclass);
  if (!question) {
+#ifdef USE_CACHE_STORED_TTL
+ if (rdataset->type==dns_rdatatype_a || rdataset->type==dns_rdatatype_aaaa) {
+ isc_buffer_putuint32(target, rdataset->base_ttl);
+ } else {
+ isc_buffer_putuint32(target, rdataset->ttl);
+ }
+#else
  isc_buffer_putuint32(target, rdataset->ttl);
+#endif
 
  /*
  * Save space for rdlen.
diff -Nur bind-9.9.9-P2/lib/dns/resolver.c bind-9.9.9-P2-ttl/lib/dns/resolver.c
--- bind-9.9.9-P2/lib/dns/resolver.c 2016-07-14 08:54:33.000000000 +0900
+++ bind-9.9.9-P2-ttl/lib/dns/resolver.c 2016-07-27 10:46:42.692031770 +0900
@@ -5119,6 +5119,13 @@
  if (rdataset->ttl > res->view->maxcachettl)
  rdataset->ttl = res->view->maxcachettl;
 
+#ifdef USE_CACHE_STORED_TTL
+ /*
+ * Save a stored cache TTL.
+ */
+ rdataset->base_ttl = rdataset->ttl;
+
+#endif
  /*
  * Find the SIG for this rdataset, if we have it.
  */

RE: change response cache ttl (--enable-cache-ttl)

Kevin Darcy
So, fix the TTLs on the RBLs, sheesh! Pathological use cases don't warrant deviation from standard.

                                                                        - Kevin


-----Original Message-----
From: Reindl Harald [mailto:[hidden email]]
Sent: Thursday, August 04, 2016 2:32 PM
To: Darcy Kevin (FCA); [hidden email]
Subject: Re: change response cache ttl (--enable-cache-ttl)



Am 04.08.2016 um 20:27 schrieb Darcy Kevin (FCA):
> "many client have caused a burst DNS traffic" is not much of a problem statement, honestly.
>
> What does this patch add, of value, that isn't already covered by "max-cache-ttl"?
>
> If you're trying to allow the operators of intermediate resolvers to override the intentions of the data owner, by enforcing a *minimum* TTL, then I have to say that's a really bad idea. The data owner sets their TTL for a reason, and if it's low, it's probably because the infrastructure is very dynamic. Forcing data to be kept after the data owners' TTL, risks keeping "stale" data in the client, and this will likely have a negative impact on the user experience. It might even have security implications, because maybe that resource (e.g. IP address) isn't trusted any more. You don't want clients connecting to an untrusted resource, do you? Who would have legal or criminal liability, if that happened?

no, it is not by definition, it depends as always on the use-case

on a public MX (inbound mail), for instance, most people are using unbound instead of named because it *has* such a setting to overcome the short TTL of 5 seconds from many RBLs; if your resolver has a specific use case on a specific workload it is clearly OK to set this to 60 seconds or so


Re: change response cache ttl (--enable-cache-ttl)

Mark Andrews

In message <[hidden email]>, "Darcy Kevin (FCA)" writes:

> "many client have caused a burst DNS traffic" is not much of a problem
> statement, honestly.
>
> What does this patch add, of value, that isn't already covered by
> "max-cache-ttl"?
>
> If you're trying to allow the operators of intermediate resolvers to
> override the intentions of the data owner, by enforcing a *minimum* TTL,
> then I have to say that's a really bad idea. The data owner sets their
> TTL for a reason, and if it's low, it's probably because the
> infrastructure is very dynamic. Forcing data to be kept after the data
> owners' TTL, risks keeping "stale" data in the client, and this will
> likely have a negative impact on the user experience. It might even have
> security implications, because maybe that resource (e.g. IP address)
> isn't trusted any more. You don't want clients connecting to an untrusted
> resource, do you? Who would have legal or criminal liability, if that
> happened?
>
> - Kevin

The problem is when you have a million clients each with a local
cache: they all expire the record simultaneously, and if it is a
popular address then you get a million DNS queries in the second
after the ttl has expired as all those local caches refresh.

This is an attempt to distribute the query load from those caches
uniformly rather than have a peak load every ttl seconds.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [hidden email]

RE: change response cache ttl (--enable-cache-ttl)

Kevin Darcy
That's only a problem if the clients are constantly looking up the name, right? If they're looking it up only _occasionally_, with some degree of entropy, then the query load gets spread out.

So, in those cases, implement something on the client side that pre-expires the cache entry with some degree of randomness factored in. Pre-expiring cache entries is entirely within the standards and the original concept of how DNS response caching works (since, after all, dumping one's cache can't be prevented if the client restarts or reboots). Sure, pre-expiration may result in an overall increase in query traffic, but it smooths out the spikes to the intermediate resolvers, which is what we're worried about here. In time, the data owners will catch on that their cache entries are being pre-expired; if they care about that, they'll bump up the TTLs to compensate, eventually we reach a point of equilibrium.

                                                                                                                - Kevin




-----Original Message-----
From: Mark Andrews [mailto:[hidden email]]
Sent: Thursday, August 04, 2016 7:47 PM
To: Darcy Kevin (FCA)
Cc: [hidden email]
Subject: Re: change response cache ttl (--enable-cache-ttl)


In message <[hidden email]>, "Darcy Kevin (FCA)" writes:

> "many client have caused a burst DNS traffic" is not much of a problem
> statement, honestly.
>
> What does this patch add, of value, that isn't already covered by
> "max-cache-ttl"?
>
> If you're trying to allow the operators of intermediate resolvers to
> override the intentions of the data owner, by enforcing a *minimum*
> TTL, then I have to say that's a really bad idea. The data owner sets
> their TTL for a reason, and if it's low, it's probably because the
> infrastructure is very dynamic. Forcing data to be kept after the data
> owners' TTL, risks keeping "stale" data in the client, and this will
> likely have a negative impact on the user experience. It might even
> have security implications, because maybe that resource (e.g. IP
> address) isn't trusted any more. You don't want clients connecting to
> an untrusted resource, do you? Who would have legal or criminal
> liability, if that happened?
>
> - Kevin

The problem is when you have a million clients each with a local cache: they all expire the record simultaneously, and if it is a popular address then you get a million DNS queries in the second after the ttl has expired as all those local caches refresh.

This is an attempt to distribute the query load from those caches uniformly rather than have a peak load every ttl seconds.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [hidden email]

Re: change response cache ttl (--enable-cache-ttl)

Mark Andrews

In message <[hidden email]>, "Darcy Kevin (FCA)"
 writes:
> That's only a problem if the clients are constantly looking up the name,
> right? If they're looking it up only _occasionally_, with some degree of
> entropy, then the query load gets spread out.

Provided there aren't multiple caches involved.

> So, in those cases, implement something on the client side that
> pre-expires the cache entry with some degree of randomness factored in.
> Pre-expiring cache entries is entirely within the standards and the
> original concept of how DNS response caching works (since, after all,
> dumping one's cache can't be prevented if the client restarts or
> reboots). Sure, pre-expiration may result in an overall increase in query
> traffic, but it smooths out the spikes to the intermediate resolvers,
> which is what we're worried about here. In time, the data owners will
> catch on that their cache entries are being pre-expired; if they care
> about that, they'll bump up the TTLs to compensate, eventually we reach a
> point of equilibrium.

Or named reduces the ttl returned so it randomly hits in the prefetch
interval.  Or add a counter to the rdataset and once so many queries
for the rdataset have been made just prefetch it.  This will cause
the ttl to be renewed and desynchronise downstream caches.  Or both.

> - Kevin
>
>
>
>
> -----Original Message-----
> From: Mark Andrews [mailto:[hidden email]]
> Sent: Thursday, August 04, 2016 7:47 PM
> To: Darcy Kevin (FCA)
> Cc: [hidden email]
> Subject: Re: change response cache ttl (--enable-cache-ttl)
>
>
> In message <[hidden email]>, "Darcy Kevin (FCA
> )" writes:
> > "many client have caused a burst DNS traffic" is not much of a problem
> > statement, honestly.
> >
> > What does this patch add, of value, that isn't already covered by
> > "max-cache-ttl"?
> >
> > If you're trying to allow the operators of intermediate resolvers to
> > override the intentions of the data owner, by enforcing a *minimum*
> > TTL, then I have to say that's a really bad idea. The data owner sets
> > their TTL for a reason, and if it's low, it's probably because the
> > infrastructure is very dynamic. Forcing data to be kept after the data
> > owners' TTL, risks keeping "stale" data in the client, and this will
> > likely have a negative impact on the user experience. It might even
> > have security implications, because maybe that resource (e.g. IP
> > address) isn't trusted any more. You don't want clients connecting to
> > an untrusted resource, do you? Who would have legal or criminal
> > liability, if that happened?
> >
> > - Kevin
>
> The problem is when you have a million clients each with a local cache: they all
> expire the record simultaneously, and if it is a popular address then you get a
> million DNS queries in the second after the ttl has expired as all those local
> caches refresh.
>
> This is an attempt to distribute the query load from those caches uniformly
> rather than have a peak load every ttl seconds.
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: [hidden email]
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from t
> his list
>
> bind-users mailing list
> [hidden email]
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [hidden email]
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

RE: change response cache ttl (--enable-cache-ttl)

Sukmoon Lee


>
> In message <[hidden email]>, "Darcy
> Kevin (FCA)"
>  writes:
> > That's only a problem if the clients are constantly looking up the
> > name, right? If they're looking it up only _occasionally_, with some
> > degree of entropy, then the query load gets spread out.
>
> Provided there isn't multiple caches involved.
>
> > So, in those cases, implement something on the client side that
> > pre-expires the cache entry with some degree of randomness factored in.
> > Pre-expiring cache entries is entirely within the standards and the
> > original concept of how DNS response caching works (since, after all,
> > dumping one's cache can't be prevented if the client restarts or
> > reboots). Sure, pre-expiration may result in an overall increase in
> > query traffic, but it smooths out the spikes to the intermediate
> > resolvers, which is what we're worried about here. In time, the data
> > owners will catch on that their cache entries are being pre-expired;
> > if they care about that, they'll bump up the TTLs to compensate,
> > eventually we reach a point of equilibrium.
>
> Or named reduces the ttl returned so it randomly hits in the prefetch
> interval.  Or add a counter to the rdataset and once so many queries for
> the rdataset have been made just prefetch it.  This will cause the ttl to
> be renewed and desynchronise downstream caches.  Or both.


Thanks for the answer.

I think that prefetching is a good idea.
A prefetch will update the cache TTL,
so the client queries get spread out.

But I only find the prefetch option in BIND 9.10 and later; BIND 9.9 does not have a prefetch option.
I will test it on BIND 9.10 (prefetch vs --enable-cache-ttl).

Sukmoon Lee

>
> > - Kevin
> >
> >
> >
> >
> > -----Original Message-----
> > From: Mark Andrews [mailto:[hidden email]]
> > Sent: Thursday, August 04, 2016 7:47 PM
> > To: Darcy Kevin (FCA)
> > Cc: [hidden email]
> > Subject: Re: change response cache ttl (--enable-cache-ttl)
> >
> >
> > In message <[hidden email]>,
> > "Darcy Kevin (FCA )" writes:
> > > "many client have caused a burst DNS traffic" is not much of a
> > > problem statement, honestly.
> > >
> > > What does this patch add, of value, that isn't already covered by
> > > "max-cache-ttl"?
> > >
> > > If you're trying to allow the operators of intermediate resolvers to
> > > override the intentions of the data owner, by enforcing a *minimum*
> > > TTL, then I have to say that's a really bad idea. The data owner
> > > sets their TTL for a reason, and if it's low, it's probably because
> > > the infrastructure is very dynamic. Forcing data to be kept after
> > > the data owners' TTL, risks keeping "stale" data in the client, and
> > > this will likely have a negative impact on the user experience. It
> > > might even have security implications, because maybe that resource
> > > (e.g. IP
> > > address) isn't trusted any more. You don't want clients connecting
> > > to an untrusted resource, do you? Who would have legal or criminal
> > > liability, if that happened?
> > >
> > > - Kevin
> >
> > The problem is when you have a million clients each with a local cache:
> > they all expire the record simultaneously, and if it is a popular
> > address then you get a million DNS queries in the second after the
> > ttl has expired as all those local caches refresh.
> >
> > This is an attempt to distribute the query load from those caches
> > uniformly rather than have a peak load every ttl seconds.
> >
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: [hidden email]
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> > unsubscribe from t his list
> >
> > bind-users mailing list
> > [hidden email]
> > https://lists.isc.org/mailman/listinfo/bind-users
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: [hidden email]
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> [hidden email]
> https://lists.isc.org/mailman/listinfo/bind-users
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users