lists.openwall.net: Open Source and information security mailing list archives
Date:   Tue, 14 Apr 2020 16:16:05 -0400
From:   Jeff Layton <jlayton@...nel.org>
To:     David Howells <dhowells@...hat.com>, linux-nfs@...r.kernel.org,
        linux-cifs@...r.kernel.org, linux-afs@...ts.infradead.org,
        ceph-devel@...r.kernel.org
Cc:     keyrings@...r.kernel.org, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org, fweimer@...hat.com
Subject: Re: What's a good default TTL for DNS keys in the kernel

On Tue, 2020-04-14 at 15:20 +0100, David Howells wrote:
> Since key.dns_resolver isn't given a TTL for the address information obtained
> for getaddrinfo(), no expiry is set on dns_resolver keys in the kernel for
> NFS, CIFS or Ceph.  AFS gets one if it looks up a cell SRV or AFSDB record
> because that is looked up in the DNS directly, but it doesn't look up A or
> AAAA records, so doesn't get an expiry for the addresses themselves.
> 
> I've previously asked the libc folks if there's a way to get this information
> exposed in struct addrinfo, but I don't think that ended up going anywhere -
> and, in any case, would take a few years to work through the system.
> 
> For the moment, I think I should put a default on any dns_resolver keys and
> have it applied either by the kernel (configurable with a /proc/sys/ setting)
> or by the key.dns_resolver program (configurable with an /etc file).
> 
> Any suggestion as to the preferred default TTL?  10 minutes?
> 

Typical DNS TTL values are on the order of a day, but they can vary widely.
There's really no correct answer for this, since you have no way to tell
how long the entry has been sitting in the DNS server's cache before you
queried for it.

So, you're probably down to just finding some value that doesn't hammer
the DNS server too much, but that allows you to get new entries in a
reasonable amount of time.

10 mins sounds like a reasonable default to me.
-- 
Jeff Layton <jlayton@...nel.org>
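
The trade-off Jeff describes (a short default expiry costs DNS queries, a long one or none at all keeps a stale address in use after a host is renumbered) is easy to see with a small model. The following is an added example written for this archive page; it is not code from the thread, from key.dns_resolver or from the kernel. The hostname, the addresses from the 192.0.2.0/24 documentation range, the renumbering at t=300s and the one-lookup-per-minute client are all constructed for the scenario; the getaddrinfo() stand-in deliberately returns no TTL, as the thread says the real one does not.

```python
"""Model of a dns_resolver-style key cache with a configurable default TTL.
Constructed example for illustration, not kernel or key.dns_resolver code."""


def upstream_answer(hostname, now):
    """Stand-in for the DNS server's current answer.  Constructed scenario: the
    host is renumbered at t=300s (say, an NFS server moved to a new address).
    Like getaddrinfo(), this hands back only the address, never the record's
    TTL, so the caller has nothing better than a default to expire on.
    `hostname` is accepted for signature realism; only one name exists here."""
    return "192.0.2.10" if now < 300 else "192.0.2.20"


class DnsKeyCache:
    """Mimics dns_resolver keys: a cached answer is reused until its expiry.
    A key with no expiry is never refreshed, which is the situation the
    thread describes for NFS, CIFS and Ceph today."""

    def __init__(self, default_ttl, lookup):
        self.default_ttl = default_ttl      # seconds, or None for "no expiry"
        self.lookup = lookup                # the getaddrinfo() stand-in
        self.upstream_queries = 0           # load placed on the DNS server
        self._keys = {}                     # hostname -> (address, expiry time)

    def resolve(self, hostname, now):
        entry = self._keys.get(hostname)
        if entry is not None:
            address, expiry = entry
            if expiry is None or now < expiry:
                return address              # still valid: served from the key
        # Expired or missing: go upstream and (re)instantiate the key.
        address = self.lookup(hostname, now)
        self.upstream_queries += 1
        expiry = None if self.default_ttl is None else now + self.default_ttl
        self._keys[hostname] = (address, expiry)
        return address


def simulate(default_ttl, horizon=3600, interval=60):
    """Run one hour of a client that needs the address every `interval`
    seconds.  Returns (upstream queries issued, seconds spent using a stale
    address), the two costs the reply weighs against each other."""
    cache = DnsKeyCache(default_ttl, upstream_answer)
    stale_seconds = 0
    for now in range(0, horizon, interval):
        answer = cache.resolve("nfs.example.test", now)
        if answer != upstream_answer("nfs.example.test", now):
            stale_seconds += interval       # client still talks to the old address
    return cache.upstream_queries, stale_seconds


if __name__ == "__main__":
    print(f"{'default TTL':>12}  {'DNS queries':>11}  {'stale seconds':>13}")
    for ttl in (None, 600, 60):
        queries, stale = simulate(ttl)
        label = "none" if ttl is None else f"{ttl}s"
        print(f"{label:>12}  {queries:>11}  {stale:>13}")
```

Running it prints one row per policy: with no expiry the client issues a single query and then uses the old address for the remaining 55 minutes; with a 10-minute default it issues six queries an hour and is stale for at most 5 minutes here; with a 1-minute default it is never stale but hits the server every minute. The model ignores what the thread also notes, that the answer may already have aged in the resolver's own cache before the key was instantiated, so the staleness figures are a lower bound.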
