Re: squid3-ipv6 squid3/src cf.data.pre,1.68.2.40,1.68.2.41 dns_internal.cc,1.15.6.29,1.15.6.30 structs.h,1.66.2.32,1.66.2.33

From: Amos Jeffries <squid3@dont-contact.us>
Date: Wed, 09 Jan 2008 18:05:54 +1300

Henrik Nordström wrote:
> Hmm.. I guess we can delay the A lookup until connection timeout, which
> would both improve performance and compliance.
>

Nice in principle, the problem becomes how to do it cleanly. Given that
timeout is known only to client/server side, and the whole ipcache
stands between the resolver and the point of most desirable lookup.

AFAICS it would require a whole new function chain into both ipcache and
resolver stub to clear existing cached IP and lookup new ones of a
specific type from the client-streams side instead of leaving it hidden
nicely in the resolver stub internals.

Amos

> On Wed 2007-10-10 at 00:10 -0600, Adrian Chadd wrote:
>> Interesting! I'd suggest leaving it on by default though and logging statistics
>> showing the number of requests which had an ipv6 reply but couldn't be connected
>> to, but could be connected to via ipv4.
>>
>> You want IPv6 support to be as transparent and functional as possible out of
>> the box so people don't just disable IPv6 at the first sign of instability.
>>
>>
>>
>> Adrian
>>
>> On Wed, Oct 10, 2007, Amos Jeffries wrote:
>>> Update of cvs.devel.squid-cache.org:/cvsroot/squid/squid3/src
>>>
>>> Modified Files:
>>> Tag: squid3-ipv6
>>> cf.data.pre dns_internal.cc structs.h
>>> Log Message:
>>> Following DNS best-practice will cause squid to deny some possible requests
>>>
>>> Can be caused by two things:
>>> 1) The tunnel / IPv6 access is down.
>>> 2) The remote server is broken. Advertising web service on a domain
>>> that resolves to addresses which can't accept it.
>>>
>>> This adds a slightly nasty option "dns_v4_fallback" ("on" or "off") which
>>> will force squid to break the standards and do both A and AAAA requests.
>>>
>>> pro: it seamlessly recovers from some IPv6 breakages in the local network.
>>> or at least hides the error from clients and converts to IPv4.
>>>
>>> cons:
>>> doubles the DNS queries per request that squid does.
>>> will start using all IPv4 and IPv6 addresses as equal in its IP balancing.
>>> (standards behaviour is to prefer IPv6 when given, ignoring IPv4).
>>>
>>> Default for this is OFF by design and should stay that way.
>>> I leave it to individual admin to turn on if they judge their network
>>> fundamentally unfixable enough to warrant it.
>>>
>>>
>>> Index: structs.h
>>> ===================================================================
>>> RCS file: /cvsroot/squid/squid3/src/structs.h,v
>>> retrieving revision 1.66.2.32
>>> retrieving revision 1.66.2.33
>>> diff -C2 -d -r1.66.2.32 -r1.66.2.33
>>> *** structs.h 6 Oct 2007 15:17:07 -0000 1.66.2.32
>>> --- structs.h 10 Oct 2007 00:51:42 -0000 1.66.2.33
>>> ***************
>>> *** 547,550 ****
>>> --- 547,551 ----
>>> int httpd_suppress_version_string;
>>> int global_internal_static;
>>> + int dns_require_A;
>>> }
>>>
>>>
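Review bot: the new member `int dns_require_A;` is named differently from the directive it stores (`dns_v4_fallback` with `LOC: Config.onoff.dns_require_A` in cf.data.pre), which makes the option hard to trace from squid.conf to the code that reads it. Consider naming the member after the directive (e.g. `dns_v4_fallback`) and adding a one-line comment on what the flag forces, since the other members in this block give no hint of its purpose either.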
>>> Index: dns_internal.cc
>>> ===================================================================
>>> RCS file: /cvsroot/squid/squid3/src/dns_internal.cc,v
>>> retrieving revision 1.15.6.29
>>> retrieving revision 1.15.6.30
>>> diff -C2 -d -r1.15.6.29 -r1.15.6.30
>>> *** dns_internal.cc 7 Aug 2007 08:44:47 -0000 1.15.6.29
>>> --- dns_internal.cc 10 Oct 2007 00:51:41 -0000 1.15.6.30
>>> ***************
>>> *** 1001,1011 ****
>>>
>>> #if USE_IPV6
>>> ! if(n <= 0 && q->need_A)
>>> {
>>> /* ERROR or NO AAAA exist. Failover to A records. */
>>> if(n == 0)
>>> debugs(78, 3, "idnsGrokReply: " << q->name << " has no AAAA records. Looking up A record instead.");
>>> ! else
>>> debugs(78, 3, "idnsGrokReply: " << q->name << " AAAA query failed. Trying A now instead.");
>>>
>>> idnsDropMessage(message, q);
>>> --- 1001,1013 ----
>>>
>>> #if USE_IPV6
>>> ! if(q->need_A && (Config.onoff.dns_require_A == 1 || n <= 0 ) )
>>> {
>>> /* ERROR or NO AAAA exist. Failover to A records. */
>>> if(n == 0)
>>> debugs(78, 3, "idnsGrokReply: " << q->name << " has no AAAA records. Looking up A record instead.");
>>> ! else if(q->need_A)
>>> debugs(78, 3, "idnsGrokReply: " << q->name << " AAAA query failed. Trying A now instead.");
>>> + else // admin requested this.
>>> + debugs(78, 3, "idnsGrokReply: " << q->name << " AAAA query done. Configured to retrieve A now also.");
>>>
>>> idnsDropMessage(message, q);
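Review bot: the `else if(q->need_A)` branch is always taken, because the enclosing condition already requires `q->need_A`, so the final `else // admin requested this.` branch is unreachable and a successful AAAA reply (n > 0) with `dns_require_A == 1` is logged as "AAAA query failed". The middle test should be on the reply count instead, e.g. `else if(n < 0)`, so the three messages match the three cases (no records, failure, configured double lookup). It is also worth confirming that the AAAA addresses already unpacked from this reply are retained when n > 0 and the option is on, since the visible block sends that case down the same `idnsDropMessage(message, q);` path as the two failure cases; otherwise the directive replaces the AAAA result with the A result rather than supplementing it as the log message promises.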
>>> ***************
>>> *** 1448,1451 ****
>>> --- 1450,1454 ----
>>> }
>>>
>>> + /* PTR does not do inbound A/AAAA */
>>> q->need_A = false;
>>>
>>>
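Review bot: the comment `/* PTR does not do inbound A/AAAA */` is hard to parse; what the line enforces is that a PTR reply never triggers the A fallback added above, because that path is gated on `q->need_A`. Suggest wording it as that, e.g. `/* PTR lookups never fall back to an A/AAAA query */`, so the link to the new `dns_require_A` condition is clear.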
>>> Index: cf.data.pre
>>> ===================================================================
>>> RCS file: /cvsroot/squid/squid3/src/cf.data.pre,v
>>> retrieving revision 1.68.2.40
>>> retrieving revision 1.68.2.41
>>> diff -C2 -d -r1.68.2.40 -r1.68.2.41
>>> *** cf.data.pre 30 Sep 2007 16:13:29 -0000 1.68.2.40
>>> --- cf.data.pre 10 Oct 2007 00:51:41 -0000 1.68.2.41
>>> ***************
>>> *** 5035,5038 ****
>>> --- 5035,5058 ----
>>> DOC_END
>>>
>>> + NAME: dns_v4_fallback
>>> + TYPE: onoff
>>> + DEFAULT: off
>>> + LOC: Config.onoff.dns_require_A
>>> + DOC_START
>>> + Standard practice with DNS is to lookup either A or AAAA records
>>> + and use the results if it succeeds. Only looking up the other if
>>> + the first attempt fails or otherwise produces no results.
>>> + By default squid internal DNS follows that policy.
>>> +
>>> + That policy however will cause squid to produce error pages for some
>>> + servers that advertise AAAA but are unreachable over IPv6.
>>> +
>>> + Turning this ON will force squid to always lookup both AAAA and A.
>>> +
>>> + WARNING: There are some possibly unwanted side-effects with this on:
>>> + *) Doubles the load placed by squid on the DNS network.
>>> + *) May negatively impact connection delay times.
>>> + DOC_END
>>> +
>>> NAME: ipcache_size
>>> COMMENT: (number of entries)
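Review bot: the DOC_START text omits the side-effect the log message itself lists, that with this option on Squid treats all IPv4 and IPv6 addresses as equals in its IP balancing instead of preferring IPv6; an administrator reading only squid.conf would not learn that. Add it as a third `*)` item under the WARNING. The "connection delay" item could also say why: the A query is only issued from idnsGrokReply after the AAAA reply arrives, so every lookup pays two serialized DNS round trips rather than one. Minor: "to lookup" should be "to look up" (twice) in the first and fourth paragraphs.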

-- 
Please use Squid 2.6STABLE17 or 3.0STABLE1.
There are serious security advisories out on all earlier releases.
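The trade-off the commit message describes, as an added example in C++ that is not Squid's code and not part of this thread: a model of the standard policy (query AAAA, query A only when the AAAA lookup fails or returns no records) beside the dns_v4_fallback policy (always query both, keep every address as a connection candidate), run over a constructed zone and reachability table. The types and functions (Zone, resolve, tryConnect, demoConnect, demoQueries), the names under .example and the addresses from documentation ranges are all constructed for illustration.

```cpp
// Added example, not Squid code: a model of the two DNS lookup policies the
// commit message describes. "strict" queries AAAA first and queries A only
// when the AAAA lookup fails or returns no records; "v4Fallback" (the
// dns_v4_fallback directive turned on) always queries both and keeps every
// address as a connection candidate. The zone and reachability tables are
// constructed for illustration and use documentation address ranges.
#include <map>
#include <set>
#include <string>
#include <vector>

struct DnsAnswer {
    int rcode;                       // 0 = NOERROR; 2 = SERVFAIL; 3 = NXDOMAIN
    std::vector<std::string> addrs;  // empty with rcode 0 models NODATA
};

// Constructed stand-in for the resolver: one table per record type.
struct Zone {
    std::map<std::string, DnsAnswer> aaaa;
    std::map<std::string, DnsAnswer> a;
};

struct LookupResult {
    std::vector<std::string> candidates;  // addresses the connector may try
    int queries;                          // DNS queries sent for this name
};

static DnsAnswer query(const std::map<std::string, DnsAnswer>& table,
                       const std::string& name) {
    auto it = table.find(name);
    if (it == table.end()) return DnsAnswer{3, {}};  // unknown name: NXDOMAIN
    return it->second;
}

// Mirrors the patched condition in idnsGrokReply:
//   need_A && (dns_require_A == 1 || n <= 0)
// where n <= 0 means the AAAA lookup failed or produced no records.
LookupResult resolve(const Zone& zone, const std::string& name, bool v4Fallback) {
    LookupResult r{{}, 0};
    DnsAnswer aaaa = query(zone.aaaa, name);
    r.queries++;
    bool aaaaUnusable = aaaa.rcode != 0 || aaaa.addrs.empty();
    if (!aaaaUnusable) r.candidates = aaaa.addrs;
    if (v4Fallback || aaaaUnusable) {
        DnsAnswer a = query(zone.a, name);
        r.queries++;
        if (a.rcode == 0)
            r.candidates.insert(r.candidates.end(), a.addrs.begin(), a.addrs.end());
    }
    return r;
}

// Constructed stand-in for the network: the set of addresses that accept a
// connection. Returns the first candidate that connects, or "" if none does,
// which is the case where Squid would serve an error page.
std::string tryConnect(const std::vector<std::string>& candidates,
                       const std::set<std::string>& reachable) {
    for (const auto& addr : candidates)
        if (reachable.count(addr)) return addr;
    return "";
}

// Constructed scenario from the commit message: a server advertising AAAA that
// cannot be reached over IPv6 (tunnel down or misconfigured server), and a
// server with no AAAA records at all.
Zone demoZone() {
    Zone z;
    z.aaaa["broken.example"] = {0, {"2001:db8::1"}};
    z.a["broken.example"]    = {0, {"192.0.2.10"}};
    z.aaaa["v4only.example"] = {0, {}};               // NODATA: n == 0 in the patch
    z.a["v4only.example"]    = {0, {"192.0.2.20"}};
    return z;
}

std::set<std::string> demoReachable() {
    return {"192.0.2.10", "192.0.2.20"};  // 2001:db8::1 is advertised but dead
}

// Which address a client-side connect ends up on under each policy.
std::string demoConnect(const std::string& name, bool v4Fallback) {
    LookupResult r = resolve(demoZone(), name, v4Fallback);
    return tryConnect(r.candidates, demoReachable());
}

// How many DNS queries each policy costs for the name.
int demoQueries(const std::string& name, bool v4Fallback) {
    return resolve(demoZone(), name, v4Fallback).queries;
}
```

For broken.example the strict policy resolves to the dead IPv6 address only and the connect fails, while the fallback policy reaches 192.0.2.10 at the price of a second query; for v4only.example both policies cost two queries, because the empty AAAA answer already triggers the A lookup. The fallback candidate list here simply appends the A addresses after the AAAA ones; the commit message says Squid would instead balance across all of them as equals, which this model does not attempt to reproduce.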
Received on Tue Jan 08 2008 - 22:05:37 MST