lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 15 Apr 2020 12:07:26 -0500 From: Steve French <smfrench@...il.com> To: Jeff Layton <jlayton@...nel.org> Cc: David Howells <dhowells@...hat.com>, linux-nfs <linux-nfs@...r.kernel.org>, CIFS <linux-cifs@...r.kernel.org>, linux-afs@...ts.infradead.org, ceph-devel@...r.kernel.org, keyrings@...r.kernel.org, Network Development <netdev@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>, fweimer@...hat.com Subject: Re: What's a good default TTL for DNS keys in the kernel On Wed, Apr 15, 2020 at 8:22 AM Jeff Layton <jlayton@...nel.org> wrote: > > On Tue, 2020-04-14 at 15:20 +0100, David Howells wrote: > > Since key.dns_resolver isn't given a TTL for the address information obtained > > for getaddrinfo(), no expiry is set on dns_resolver keys in the kernel for > > NFS, CIFS or Ceph. AFS gets one if it looks up a cell SRV or AFSDB record > > because that is looked up in the DNS directly, but it doesn't look up A or > > AAAA records, so doesn't get an expiry for the addresses themselves. > > > > I've previously asked the libc folks if there's a way to get this information > > exposed in struct addrinfo, but I don't think that ended up going anywhere - > > and, in any case, would take a few years to work through the system. > > > > For the moment, I think I should put a default on any dns_resolver keys and > > have it applied either by the kernel (configurable with a /proc/sys/ setting) > > or by the key.dnf_resolver program (configurable with an /etc file). > > > > Any suggestion as to the preferred default TTL? 10 minutes? > > > > Typical DNS TTL values are on the order of a day but it can vary widely. > There's really no correct answer for this, since you have no way to tell > how long the entry has been sitting in the DNS server's cache before you > queried for it. > > So, you're probably down to just finding some value that doesn't hammer > the DNS server too much, but that allows you to get new entries in a > reasonable amount of time. > > 10 mins sounds like a reasonable default to me. I would lean toward slightly longer (20 minutes?) but aren't there usually different timeouts for 'static' vs. 'dynamic' DNS records (so static records would have longer timeouts)? -- Thanks, Steve
Powered by blists - more mailing lists