NetworkManager & caching-nameserver/bind problem and solution



Hi,

So, there are a couple reasons Colina and I switched to using the bind
+caching-nameserver situation, even though it's definitely not a great
option due to the security history of bind.  First, a simple 'nscd -i
hosts' doesn't cover all the cases of reloading nameserver information
and doesn't work sometimes, albeit I haven't been able to debug when it
simply fails to reload.  In any case, nscd -i hosts doesn't interrupt
in-progress calls for name resolution, which means that every app on
your system will time out and pop up a warning dialog if they were in
the middle of a resolver call when you switched networks.  This happens
more often than you may think; wireless networks are finicky, and if
you're at the edge of the network it's a toss-up how much traffic gets
through, let alone DNS.  glibc guys are aware of this issue and are
thinking about how to fix it.

The second _large_ problem with nscd is that it's not smart about name
resolution.  When, a bit later this year, we integrate VPN clients with
NetworkManager, we'll need to resolve only *.redhat.com addresses, for
example, through the nameservers that the Red Hat VPN concentrators
report to us, but all other addresses through the local nameserver.
'nscd' simply cannot do this, bind+caching-nameserver can.  glibc guys
strongly disagree that making 'nscd' itself smarter is the way to fix
this.  Instead, we're going to add another card to the house:

Since nobody really _wants_ to run bind on their desktop, a quick
conference with the glibc guys (roland, jakub, uli, etc) came up with
the following solution:  use the 'lwresd' program from the bind
packages, and the 'nss_lwres' module from glibc to do a light-weight
caching nameserver that does NOT use bind code.  However, changes &
updates need to be made to both these programs, first so that nss_lwres
respects DNS TTL times, and second so that lwresd can actually do what
we want here.  When these changes are done, we'll switch over to using
lwresd rather than bind itself.  This is expected to take at least a
month of on-and-off work.

For the moment, you do NOT need to use bind if you don't want to, simply
leave off the "--with-named" argument to configure.  This works as
expected, and is what is being done in the current Fedora Core 3 Updates
packages.  Fedora Core Rawhide will continue to use caching-nameserver
+bind until we get lwresd up to speed.

Hope this explains some things.

Cheers,
Dan
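As an added illustration (not part of Dan's mail or the NetworkManager project's own configuration), this is how the split resolution described above can be expressed in a bind named.conf: a forward zone sends only redhat.com queries to the VPN-provided nameservers, while everything else goes to the local nameserver. The addresses 192.0.2.53 (local nameserver) and 10.0.0.53 (VPN-provided nameserver) are placeholders, not values from the mail.

```conf
// Constructed example named.conf for a desktop caching nameserver.
options {
    directory "/var/named";
    // Listen only on the loopback address: the cache serves this host,
    // nothing else, which limits exposure given bind's security history.
    listen-on { 127.0.0.1; };
    allow-query { localhost; };
    allow-recursion { localhost; };
    recursion yes;
    // Default path: everything not matched by a more specific zone goes to
    // the nameserver learned from the local network (placeholder address).
    forwarders { 192.0.2.53; };
    forward only;
};

// Split resolution: only names under redhat.com are sent to the nameserver
// the VPN reported (placeholder address); all other queries still use the
// local nameserver from the options block above.
zone "redhat.com" IN {
    type forward;
    forward only;
    forwarders { 10.0.0.53; };
};
```

When the VPN goes down, the redhat.com forward zone would need to be removed or its forwarders replaced, which is the kind of dynamic rewrite NetworkManager has to drive on each network change.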