Anand Buddhdev
2016-Jan-04 14:59 UTC
[nsd-users] NSD doing 3 IXFR queries in rapid succession
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 04/01/16 14:09, W.C.A. Wijngaards wrote: Hi Wouter,> NSD wants to fetch an update for the zone. The server does not > provide one. NSD tries all masters several times to find the > update. This is where this server sees multiple requests.This is the part that does not make sense. When the SOA refresh timer expires, NSD should of course try and update the zone. However, I think *one* query against *one* master should be enough. I do not think that sending 3 queries in rapid succession to the same master is beneficial. If a master does not have a newer copy of the zone now, it is unlikely to have a newer copy just a few milliseconds later. If I have 4 masters configured for a zone, NSD is making 12 TCP connections in total, just to try and update *one* zone. Then, it moves on to the next zone. This is rather wasteful, don't you think? A slave that has a large number of zones is going to end up making far too many queries for refreshing these zones (well, at least 3 times as many). I think the correct behaviour should be that when the SOA refresh timer expires, NSD should try to refresh the zone from one of the configured masters, and if the serial number hasn't changed, then accept that, and move on to other tasks. In the case of a NOTIFY message, a slightly different behaviour is desirable. NSD should attempt to refresh the zone from the master that sent it the NOTIFY message (because it is almost certain to have a newer copy of the zone), and if that fails, then try the other masters, once each. Here, I define failure as one of: 1. Same serial number (instead of an expected newer serial) 2. REFUSED 3. SERVFAIL 4. Timeout> The reason for fetching it may be the SOA refresh timer or a > NOTIFY. > > Load balancers, and the server may be in the process of loading > the data, so the third query may return a different result. Also, > the code, currently, just retries in the face of no result, which > makes for simpler code.The case of multiple masters behind a load balancer is rare. I would even go as far as to say that it is not a good configuration, because it confuses the hell out of a client attempting to refresh zones from the master(s). Have you actually had any reports of people running master servers behind load balancers, and asking for slaves to try refresh 3 times? None of the alternative servers I know of (BIND, Knot, YADIFA) try to refresh a zone with multiple queries and connections. Regards, Anand -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJWiojbAAoJEBXgoyUMySoFYXwP/RJRjuK7w2RNDZeqOiVMOhwc uH0eco3mGqzRKeUV/ixX7uGml1IcNTHUm39xDUyI68JDM9iEN8Mq1CLEaNui9wv0 AjUozOtMHcDr5rX/11IMmSzcadn9q8Gz63u6zfaVIjNMAahsnSBtHdVfeexsSLed +RhqYczGIhM0XJlgt0ObJEReAgjFqVtJglO905WZ4fKZ7OtMTecz103VJ0rkdLpm XAgIxApoqCjXMDp0bfllRBwPi51BP+151dOmAKyHBk8X/4LZQ2J9xcfBOg3+4g7Y jUUFA6lvwzn1BVnkjV6LUZ5e7ZYEOEIZefLLONJ6BD4WLTucNdhtMxwF7gD/Og7O zRsyAguMqHhuyIb1PwSj06zG6gPFxwunCZFmBwjd8CvrJXxqGaF2c8v4zEvfvryb 4Jry73GA+DgZyGqCLvBO+3SVW/Ln5zMwElBA4U28AbFh/iuadazJysaNCLOjyH04 HMdZqz4NjHKHoCVwxAedPEbKuzSwPZ8Uk2G2R1SiEsBqydmPUB02hMvAtn3IVXuj kqJmZ0ScQwO4a/8GiqYx81zxKj6Qwih8iK+Pczb7kLAKbtYm7qxDNVa0U0EWXU7i c+cbW7fgdr1CYXLJsNyCK+SpdjmOpdFGyKD+97epAlVDz10kcpgwwW89YJ3B72ss k8PkxplCeWRYZQg5CRfc =JFae -----END PGP SIGNATURE-----
Anand Buddhdev
2016-Jan-15 15:24 UTC
[nsd-users] NSD doing 3 IXFR queries in rapid succession
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi Wouter (and any other users) Have you had a chance to think about my thoughts (repeated below) about NSD's refresh strategy? Anand On 04/01/16 15:59, Anand Buddhdev wrote:> On 04/01/16 14:09, W.C.A. Wijngaards wrote: > > Hi Wouter, > >> NSD wants to fetch an update for the zone. The server does not >> provide one. NSD tries all masters several times to find the >> update. This is where this server sees multiple requests. > > This is the part that does not make sense. When the SOA refresh > timer expires, NSD should of course try and update the zone. > However, I think *one* query against *one* master should be > enough. > > I do not think that sending 3 queries in rapid succession to the > same master is beneficial. If a master does not have a newer copy > of the zone now, it is unlikely to have a newer copy just a few > milliseconds later. If I have 4 masters configured for a zone, NSD > is making 12 TCP connections in total, just to try and update *one* > zone. Then, it moves on to the next zone. This is rather wasteful, > don't you think? A slave that has a large number of zones is going > to end up making far too many queries for refreshing these zones > (well, at least 3 times as many). > > I think the correct behaviour should be that when the SOA refresh > timer expires, NSD should try to refresh the zone from one of the > configured masters, and if the serial number hasn't changed, then > accept that, and move on to other tasks. > > In the case of a NOTIFY message, a slightly different behaviour is > desirable. NSD should attempt to refresh the zone from the master > that sent it the NOTIFY message (because it is almost certain to > have a newer copy of the zone), and if that fails, then try the > other masters, once each. Here, I define failure as one of: > > 1. Same serial number (instead of an expected newer serial) 2. > REFUSED 3. SERVFAIL 4. Timeout > >> The reason for fetching it may be the SOA refresh timer or a >> NOTIFY. > >> Load balancers, and the server may be in the process of loading >> the data, so the third query may return a different result. >> Also, the code, currently, just retries in the face of no result, >> which makes for simpler code. > > The case of multiple masters behind a load balancer is rare. I > would even go as far as to say that it is not a good configuration, > because it confuses the hell out of a client attempting to refresh > zones from the master(s). > > Have you actually had any reports of people running master servers > behind load balancers, and asking for slaves to try refresh 3 > times? > > None of the alternative servers I know of (BIND, Knot, YADIFA) try > to refresh a zone with multiple queries and connections. > > Regards, Anand _______________________________________________ > nsd-users mailing list nsd-users at NLnetLabs.nl > http://open.nlnetlabs.nl/mailman/listinfo/nsd-users >-----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJWmQ8SAAoJEBXgoyUMySoF4XUQALK+VXhRBheJfRGXqtbSoNV4 P1k7PMS+dcl4rPlY2GRC/xfKrSjEkfMZ3Y04+hO8rx+vaGb6mwLCmRhE0jGPWXpS cH3gjuQXI5dHdd7T6/bTVv3Vnc0eOgxna7ArF3N/3EXC/+CPwW7XMONqESUbDd4v 0bzg528nbMN3Rx0VmJFSR3VobffiLRwhWy/Ta8mAVrmnrSXEoUk++9EASOVHVEtZ kS7rXY0+q/mK7JsVtch+HsmNkMB2XAA/ROUPRClkiJ6mhsNRt7AADuJxwpv7DV0F UrzQ2Wjzay8B/s58uID9HAaI0MJluAxh6WjIjW16hmVULqSWM9DMxdh2PtCRGLVw nIchrzOTB+7VkYtjlVf9BItKzFvfbXqSk1XByjons3j/wjgGKUWbCYxVGiK9YLro R7x9UtR30TqbQ+zBTLd80dNq9TiYwNWiHyLrvyhvO1zttG+KTmZMbpb26tF2OqOx LS7o+ef62P3Z9shBOXAWE9g2k+M3bBKG2mzTl1zuc8YJ5nOBKqmnFEO+IJZRlS9W sMmtMqbb9XUr5BvjJ8Bl7EHLzWyLTjZuGm4habqcQ82uSmU+aY0DUTCxWCi5g1E5 05Ojx4Lz3ycP+QGBmsPusaBbc79wQSWMwCADgTrL+a6L63kADa2i9Oyk0wRxGNc9 d1dRFcoc5fQXQ+dsC8wK =2LjS -----END PGP SIGNATURE-----