Comments (4)
> Do you get the behavior you want when you disable retry over TCP?
Not really because it's expected for us to support TCP fallback. My crate has retry over TCP enabled for everyone by default with an optional config option for someone to toggle it off.
SRV queries on Matrix can have large responses which only TCP fallback can provide, and if a user has exhausted UDP resources then retrying on TCP is not a bad default to have. We just don't want it to be amplifying unnecessary amounts of DNS queries by retrying on NXDOMAIN.
from trust-dns.
> it seems like this should really say
> `if e.is_no_connections() || (opts.try_tcp_on_error && e.is_io())`
I don't know all the cases where it makes sense to retry TCP on error except for too large DNS responses (e.g. SRV records), and UDP I/O error yeah, but on the surface this makes sense to me.
from trust-dns.
Do you get the behavior you want when you disable retry over TCP?
from trust-dns.
I do wonder if, after a few of these revisions, this config value isn’t actually doing what should be the expected behavior. That is, we retry TCP no matter what in certain cases right now.
It seems like this should really say `if e.is_no_connections() || (opts.try_tcp_on_error && e.is_io())`, as I think you’re right that DNS failures shouldn’t be retried. I’d have to look for past issues in this area to understand how we ended up here. It’s possible that there are some odd configurations in the wild where local DNS servers are improperly responding to queries, though that really shouldn’t be handled in this location.
from trust-dns.
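The retry condition discussed in this thread, as an added Rust example that is not trust-dns code and not part of any comment above. It counts TCP retries under a simplified retry-on-any-error baseline versus the suggested predicate; `UdpError`, `Opts`, the policy functions and the workload are hypothetical and constructed for illustration.

```rust
// Stand-alone model (assumption: UDP outcomes reduced to three error kinds).
#[derive(Clone, Copy, PartialEq, Debug)]
enum UdpError {
    NoConnections, // no connection was available for the query
    Io,            // socket-level failure
    NxDomain,      // the server answered: the name does not exist
}

impl UdpError {
    fn is_no_connections(self) -> bool { self == UdpError::NoConnections }
    fn is_io(self) -> bool { self == UdpError::Io }
}

struct Opts { try_tcp_on_error: bool }

/// Simplified baseline: every UDP error leads to a TCP retry.
fn retry_on_any_error(_opts: &Opts, _e: UdpError) -> bool { true }

/// The condition suggested in the thread.
fn retry_suggested(opts: &Opts, e: UdpError) -> bool {
    e.is_no_connections() || (opts.try_tcp_on_error && e.is_io())
}

/// Number of TCP retries a policy issues for a batch of UDP outcomes.
fn tcp_retries(
    outcomes: &[Result<(), UdpError>],
    opts: &Opts,
    policy: fn(&Opts, UdpError) -> bool,
) -> usize {
    outcomes.iter().filter(|o| matches!(o, Err(e) if policy(opts, *e))).count()
}

/// Constructed workload: 2 answers, 6 NXDOMAIN, 1 I/O error, 1 no-connection.
fn sample() -> Vec<Result<(), UdpError>> {
    let mut v = vec![Ok(()), Ok(())];
    v.extend(std::iter::repeat(Err(UdpError::NxDomain)).take(6));
    v.push(Err(UdpError::Io));
    v.push(Err(UdpError::NoConnections));
    v
}

fn main() {
    let on = Opts { try_tcp_on_error: true };
    let off = Opts { try_tcp_on_error: false };
    println!("any error:      {}", tcp_retries(&sample(), &on, retry_on_any_error));
    println!("suggested, on:  {}", tcp_retries(&sample(), &on, retry_suggested));
    println!("suggested, off: {}", tcp_retries(&sample(), &off, retry_suggested));
}
```

With the suggested condition, NXDOMAIN never triggers a second query, and turning `try_tcp_on_error` off leaves only the no-connection case retrying.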