Simon in #18:
> Once we see different data from different nameservers,
> we can go to --strict-order mode, but the opposite is not
> true: the same answer for a particular query doesn't
> guarantee that the answers to future queries will always agree.
> There's no way to be sure that the nameservers are equivalent
> based on the history of returned queries. Unless we can assume
> that, we always need to wait for the first nameserver to reply
> (or a timeout) and have to stay in --strict-order mode forever.
Yes, but it's not so bad to stay in strict-order mode forever^Wuntil the list of nameserver addresses changes. The admin can take action to prevent dnsmasq from entering that mode, e.g., by configuring dnsmasq to direct certain lookups (e.g., of *.internal) to the appropriate nameservers.
> There is one possibility, which is to assume that nameservers
> are equivalent, but switch to --strict-order mode if conflicting
> replies are seen. When a query is forwarded to all available
> servers, and the first reply sent back to the original requestor,
> keep the record of the reply (at least, a bit indicating
> NODATA/NXDOMAIN or a valid reply). If another reply comes
> in later from another nameserver which conflicts, then switch
> to --strict-order mode.
Simon, your suggestion (call it "#18") differs from the suggestion in #17 in two ways. First, #18 sends the first-received reply back to the client without waiting for the results of comparison with other results whereas #17 does wait. Second, #18 switches to strict-order mode when *any* difference is found, whereas #17 proposed only looking for a particular pattern, that being: a NODATA/NXDOMAIN is received from a nameserver that is not listed first and an earlier-listed nameserver does return an address within the standard libc timeout period. In #17's defence... in #17 the client only has to wait for a reply in the case of a NODATA/NXDOMAIN from a non-first nameserver; the client does get the desired address from the earlier-listed nameserver if there is one --- even the first time; and dnsmasq only drops into strict-order mode under the circumstances when it is necessary for it to do so such that clients get needed addresses. There is no point, for example, in dropping into strict-order mode if it's the first nameserver returning NXDOMAIN and a later-listed nameserver returning an address!
What do you think about the possibility of implementing such ideas?
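As an added example, not code from this thread or from dnsmasq itself, the following Python model plays the two heuristics (#17 and #18, as described above) against the same sets of constructed upstream replies and reports what the client receives and whether the forwarder drops into strict-order mode. The names `Forwarder`, `Reply`, `Kind` and `run`, and the way the hold timeout is modelled, are assumptions made here; the sample replies are constructed, with server 0 standing in for an internal resolver that knows `*.internal` names and server 1 for a public resolver that does not.

```python
# Added model of the two fallback heuristics discussed in the thread (#17 and #18).
# Illustrative code written for this page, not dnsmasq source; the names
# Forwarder, Reply, Kind, run and the sample reply sets are all constructed here.
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Kind(Enum):
    ANSWER = "answer"      # reply carries address records
    NEGATIVE = "negative"  # NODATA or NXDOMAIN


@dataclass(frozen=True)
class Reply:
    server: int      # index in the configured nameserver list (0 = listed first)
    kind: Kind
    at: float        # seconds after the query was forwarded that this reply arrived
    rdata: str = ""  # address text when kind is ANSWER (constructed sample values)


class Forwarder:
    """Per-query behaviour of a forwarder that starts out treating all nameservers
    as equivalent and may drop into --strict-order mode. The replies handed to a
    resolve_* method are the upstream replies that actually arrive for one query,
    in any order; servers absent from the list never answered."""

    def __init__(self, nservers: int, timeout: float = 5.0):
        self.nservers = nservers
        self.timeout = timeout  # assumed: how long #17 holds a negative reply
        self.strict_order = False

    def _strict(self, replies: List[Reply]) -> Optional[Reply]:
        # --strict-order: the answer comes from the earliest-listed server that
        # replied at all; later servers are consulted only if it stayed silent.
        by_server = {r.server: r for r in replies}
        for i in range(self.nservers):
            if i in by_server:
                return by_server[i]
        return None  # every server timed out

    def resolve_18(self, replies: List[Reply]) -> Optional[Reply]:
        """Simon's variant: send the first reply at once, remember only its
        NODATA/NXDOMAIN-or-answer bit, and switch modes if a later reply from
        another server disagrees with that bit."""
        if self.strict_order:
            return self._strict(replies)
        ordered = sorted(replies, key=lambda r: r.at)
        if not ordered:
            return None
        first = ordered[0]  # already on its way to the client
        if any(r.kind is not first.kind for r in ordered[1:]):
            self.strict_order = True  # conflict seen; affects later queries only
        return first

    def resolve_17(self, replies: List[Reply]) -> Optional[Reply]:
        """#17 variant: an answer is forwarded immediately, and so is a negative
        from the first-listed server; only a negative from a later-listed server
        is held, waiting up to `timeout` for an earlier-listed server to supply
        an address. If one does, that address goes to the client and the
        forwarder drops into --strict-order mode."""
        if self.strict_order:
            return self._strict(replies)
        held: Optional[Reply] = None
        for r in sorted(replies, key=lambda r: r.at):
            if held is not None and r.at - held.at > self.timeout:
                return held  # hold expired before this reply; the negative already went out
            if r.kind is Kind.ANSWER:
                if held is not None and r.server < held.server:
                    self.strict_order = True  # exactly the pattern #17 looks for
                return r
            if held is None:
                if r.server == 0:
                    return r  # negative from the first-listed server: nothing to wait for
                held = r
        return held  # earlier-listed servers stayed silent or were negative too


# Constructed sample replies: server 0 = internal resolver, server 1 = public resolver.
SPLIT_HORIZON = [Reply(1, Kind.NEGATIVE, at=0.01),
                 Reply(0, Kind.ANSWER, at=0.02, rdata="10.0.0.5")]
FIRST_NEGATIVE = [Reply(0, Kind.NEGATIVE, at=0.01),
                  Reply(1, Kind.ANSWER, at=0.02, rdata="203.0.113.7")]
AGREEING = [Reply(1, Kind.ANSWER, at=0.01, rdata="203.0.113.7"),
            Reply(0, Kind.ANSWER, at=0.03, rdata="203.0.113.7")]


def run(heuristic: str, scenario: List[Reply], timeout: float = 2.0):
    """Return (kind sent to the client, replying server, strict-order afterwards)."""
    f = Forwarder(nservers=2, timeout=timeout)
    r = getattr(f, "resolve_" + heuristic)(scenario)
    return (r.kind, r.server, f.strict_order)


if __name__ == "__main__":
    for name, scenario in [("split horizon", SPLIT_HORIZON),
                           ("first-listed negative", FIRST_NEGATIVE),
                           ("agreeing", AGREEING)]:
        print(name, "#17:", run("17", scenario), "#18:", run("18", scenario))
```

In the split-horizon case the difference between the two is visible on the very first query: #17 holds the public server's NXDOMAIN, delivers the internal server's address and switches modes, whereas #18 has already sent the NXDOMAIN to the client by the time the conflicting answer arrives. When it is the first-listed server that answers negatively, #17 forwards that reply at once and stays in non-strict mode, while #18 still switches because the later address reply disagrees with the recorded bit.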