bin/62139: User cannot login through telnet or ssh because of reverse resolving delay
Yar Tikhiy
yar at FreeBSD.org
Thu Sep 30 03:00:49 PDT 2004
The following reply was made to PR bin/62139; it has been noted by GNATS.
From: Yar Tikhiy <yar at FreeBSD.org>
To: Rostislav Krasny <rosti_bsd at yahoo.com>
Cc: freebsd-gnats-submit at FreeBSD.org
Subject: Re: bin/62139: User cannot login through telnet or ssh because of reverse resolving delay
Date: Thu, 30 Sep 2004 13:50:37 +0400
On Thu, Sep 16, 2004 at 01:51:56PM -0700, Rostislav Krasny wrote:
>
> > > Finally I add a custom "options" settings line in /etc/resolv.conf
> > > file:
> > >
> > > options attempts:1
> > >
> > > With this option my box is sending 2 "A? yahoo.com" requests. With
> > > 'attempts:2' it sends 4 requests, with 'attempts:3' it sends 6
> > > requests, with 'attempts:5' it sends 10 requests... and so on. Why
> > > are the numbers of actual requests double the defined numbers?
> >
> > It means that ping seems to call the resolver twice each time.
>
> In my test program a gethostbyname(3) function is called only once.
I suspect that gethostbyname(3) may call the resolver more than once.
gethostbyname(3) is a "multiplexor" for many name resolution
interfaces, e.g., DNS, hosts(5), NIS, etc. When it does its job
it has to canonicalize the name etc. This may lead to more than one call
to the underlying mechanisms, e.g., the DNS resolver library.
> > > What is the default value of the 'attempts' option? The resolver(5)
> > > man page states that the default value is defined by RES_DFLRETRY in
> > > <resolv.h>. But there is no RES_DFLRETRY in the /usr/include/resolv.h
> > > file. In other systems RES_DFLRETRY is defined as 2.
> >
> > RES_MAXRETRY. 5. The man page seems to give a wrong name there.
> > I'll fix it later.
>
> Thank you for fixing it. I've seen your commits:
>
> http://docs.freebsd.org/cgi/mid.cgi?200409091739.i89HdlwM019548
> http://docs.freebsd.org/cgi/mid.cgi?200409091742.i89HgIan019681
> http://docs.freebsd.org/cgi/mid.cgi?200409091719.i89HJRGu019026
>
> According to them the default value of the 'attempts' option was and
> still is 4, and RES_DFLRETRY is the right name. But most of the UNIX and
> UNIX-like operating systems that I checked have RES_DFLRETRY defined as
> 2, not as 4. They are: Solaris, AIX, Linux and even NetBSD. Only
> OpenBSD has it hardcoded as 4.
>
> > > IMHO the default value of the 'attempts' option should be 2 and it
> > > must not be doubled. With the default value of the 'timeout' option
> > > (5 seconds) it should take no more than 10 seconds to decide whether
> > > one DNS server is unreachable or not.
> >
> > You are misinterpreting the `timeout' option. See RFC 1536 or the
> > code. And `attempts' is not doubled, that is a consequence of the
> > application behaviour.
>
> Maybe I was wrong with the `timeout' option but I think I was right
> with the `attempts' one.
>
> > I feel that losing all DNS servers is just slightly better
> > than losing the network connection altogether. Therefore console
> > access to such a machine is the answer. Trying to overcome that
> > in software is too risky, at least for the default configuration.
> > I'd rather close this PR.
>
> The point is that the default configuration of resolver(5) in FreeBSD
> is different from that of most other Unices and even NetBSD. Why is it
> different? Also the doubled number of DNS requests is not clear to me yet.
If you believe the default configuration should be adjusted,
please feel free to conduct a discussion on a FreeBSD mailing
list, e.g., freebsd-net or freebsd-hackers. Personally I don't
feel like touching the default configuration, but even if I did,
our two votes wouldn't be enough.
--
Yar
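The disagreement above is about what `options timeout:N attempts:M` in resolv.conf actually cost when every nameserver is unreachable. The script below is an added illustration, not code from the PR or from FreeBSD's libc: it models the retransmission schedule of the BIND-derived res_send() that the FreeBSD libc resolver of that era inherits (RFC 1536, section 2), in which the per-round timeout doubles on every attempt and, from the second round on, is divided among the configured servers. The per-round formula, the RES_MAXRETRANS/RES_MAXRETRY caps, and the MAXNS limit are my reading of that resolver code and should be checked against the resolver on your own system; the defaults (timeout 5, attempts 4 on FreeBSD, 2 on the systems the reporter lists) are the ones stated in the thread. The resolv.conf text is constructed for the example.

```python
"""Model of the libresolv retry schedule behind `options timeout:/attempts:`.

Added example for PR bin/62139; not part of the PR or of FreeBSD's libc.
The schedule follows BIND-derived res_send(): round r waits
(retrans << r) seconds per server, divided by the number of servers for
r > 0 (an assumption about the resolver code, not a statement from the PR).
"""
from dataclasses import dataclass, field

RES_TIMEOUT = 5            # default `timeout`, seconds (as discussed in the thread)
RES_DFLRETRY_FREEBSD = 4   # FreeBSD default `attempts` per the thread
RES_DFLRETRY_BIND = 2      # what Solaris/AIX/Linux/NetBSD ship, per the reporter
RES_MAXRETRANS = 30        # cap applied to `timeout:` (assumed from BIND res_init.c)
RES_MAXRETRY = 5           # cap applied to `attempts:` (assumed from BIND res_init.c)
MAXNS = 3                  # only the first three nameserver lines are honoured (assumed)

# Constructed sample; 192.0.2.0/24 is the RFC 5737 documentation range.
SAMPLE_RESOLV_CONF = """\
# constructed example resolv.conf
domain example.com
nameserver 192.0.2.1
nameserver 192.0.2.2
options attempts:1
"""


@dataclass
class ResolverConfig:
    nameservers: list = field(default_factory=list)
    retrans: int = RES_TIMEOUT              # `timeout:` value
    retry: int = RES_DFLRETRY_FREEBSD       # `attempts:` value


def parse_resolv_conf(text, default_retry=RES_DFLRETRY_FREEBSD):
    """Parse just the resolv.conf keywords that influence retry timing."""
    cfg = ResolverConfig(retry=default_retry)
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == 'nameserver' and len(words) >= 2:
            if len(cfg.nameservers) < MAXNS:
                cfg.nameservers.append(words[1])
        elif words[0] == 'options':
            for opt in words[1:]:
                if opt.startswith('timeout:'):
                    cfg.retrans = min(int(opt[len('timeout:'):]), RES_MAXRETRANS)
                elif opt.startswith('attempts:'):
                    cfg.retry = min(int(opt[len('attempts:'):]), RES_MAXRETRY)
    return cfg


def backoff_schedule(cfg):
    """Return [(round, nameserver, seconds), ...] in the order res_send tries them."""
    nscount = len(cfg.nameservers)
    schedule = []
    for attempt in range(cfg.retry):
        seconds = cfg.retrans << attempt     # exponential backoff per round
        if attempt > 0:
            seconds //= nscount              # later rounds share the budget
        seconds = max(seconds, 1)
        for ns in cfg.nameservers:
            schedule.append((attempt, ns, seconds))
    return schedule


def worst_case_wait(cfg):
    """Seconds until the resolver gives up when no server ever answers."""
    return sum(seconds for _, _, seconds in backoff_schedule(cfg))


if __name__ == '__main__':
    cfg = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    for attempt, ns, seconds in backoff_schedule(cfg):
        print(f"round {attempt}: {ns} wait {seconds}s")
    print(f"worst case for one lookup: {worst_case_wait(cfg)}s")
```

With the FreeBSD default of four attempts and a single unreachable server the rounds are 5, 10, 20 and 40 seconds, 75 seconds in all; with the reporter's preferred two attempts it is still 15 seconds, not the 10 seconds a flat "attempts x timeout" reading would predict, which is the point behind the reference to RFC 1536. Any application that drives the resolver twice per name, as the reporter observed, pays that wait twice.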