Maintained by: NLnet Labs

Trusted upstream resolver

Woodworth, John R
Thu Oct 29 17:29:06 CET 2015


Hello,

I am involved in a scenario where a satellite link is being used to serve an office and latency is of great concern.

The problem at hand is CNAME resolution which is followed by validation of provided A records.  I understand that under normal conditions the A records provided with the initial CNAME response can lead to cache poisoning so they are validated from an authority.  However, this leads to doubling the lookup time which typically exceeds 1.5 seconds.  Although the difference may seem trivial the additional ~650ms becomes very noticeable by the end users.  I've provided a short example below.

0.001 [Client]->[Resolver]->A?www.example.com
0.002       [Resolver]->X[Auth]->A?www.example.com
0.758       [Auth]->X[Resolver]->CNAME:www2.example.com+1.2.3.4
0.761       [Resolver]->X[Auth]->A?www2.example.com
1.622       [Auth]->X[Resolver]->A:1.2.3.4
1.625 [Resolver]->[Client]->A:1.2.3.4

NOTE: X == Satellite Link


My thought is to use another nameserver at the other end of the link which can provide this validation feature but is "trusted" by the near-end nameserver server reducing the RTT for local clients.  As an aside, the far-end nameserver already exists for other purposes.  I've provided a short example of this idea below.

0.001 [Client]->[Resolver]->A?www.example.com
0.002       [Resolver]->X[Resolver2]->A?www.example.com
0.288             [Resolver2]->[Auth]->A?www.example.com
0.290             [Auth]->[Resolver2]->CNAME:www2.example.com+1.2.3.4
0.292             [Resolver2]->[Auth]->A?www2.example.com
0.301             [Auth]->[Resolver2]->A:1.2.3.4
0.655       [Resolver2]->X[Resolver]->A:1.2.3.4
0.659 [Resolver]->[Client]->A:1.2.3.4

NOTE: X == Satellite Link

Is there a configuration option I am overlooking to disable these A record validations (from Resolver to Resolver2)?


Thanks,
John
--
John Woodworth                          CenturyLink, Inc.
  Q. Can BULK DNS Handle 18 Quintillion PTR Records??
  A. BULK CAN            (18,446,744,073,709,551,616 +)
[ http://tools.ietf.org/html/draft-woodworth-bulk-rr-00 ]

This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20151029/a66e912d/attachment.html>