-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
irc.hashbang.sh geoDNS setup is unreliable #70
Comments
PS: That would be way easier if IRC had |
Could we respond with both irc servers sorted by geoDNS? Dunno if it's available or not. |
@mayli Not sure what you mean by “sorted” in that case. |
You don't "sort" DNS anything. You just respond with what is needed. With DNS it's easy, because the geo-part is built in. Servers from EU only respond with European servers, US DNS only responds with US servers, simple as that. Using Route53 I'm sure allows for this? What I mean is, why not just ask for irc.hashbang.sh, and let that entry be different depending on the geographical DNS locations. This way, a server from EU will respond faster in EU than a US server will in EU, hence only the EU entries are used by people located there. |
That is what we currently do; however, we've come up with a few issues because of this, as was pointed out above. If a TLS certificate is invalid, the server must be removed from the DNS |
@KellerFuchs by "sorted" I mean, entries in DNS respond has an sorted "answer field" eg. In the client side, it usually will try connect each entry by the order in the response. |
That was exactly what was in place. |
@mayli Except that ressource records are not ordered, or rather, quoting RFC 1034, 3.6, “the order of RRs in a set is not significant, and need not be preserved by name servers, resolvers, or other parts of the DNS”. In practice, many DNS resolvers randomize the order in a RRset, to prevent broken clients (cough Windows cough) from always hitting the “first” server. The correct way to implement that would be SRV records (RFC 2782), but of course that's not a thing for IRC... |
So, currently the best solution is:
|
This could also be relevant: https://gist.github.com/ahupowerdns/1e8bfbba95a277a4fac09cb3654eb2ac |
FYI, using PowerDNS for GeoDNS means that we point everyone at our own DNS server, which isn't great for latency or reliability. OTOH, AWS supports SSL healthchecks, which ought to be enough. |
But it also means relying on AWS. I figured we were hopefully going for something more "independent"? Testing such things on a local system would be harder without a builtin DNS setup. |
@RyanSquared In principle, I would love us to run our own DNS infra. As far as I can tell, we can pick 2 out of 3 from:
Frankly, I would be quite OK dropping GeoDNS in favor of the first two, esp. given how limited Route53's builtin healthchecks are, but that definitely would be a longer-term project. |
@KellerFuchs how freenode solve this problem? |
By not doing GeoDNS. |
@mayli Freenode, Esper, and many other servers just have a set of records that point to all their servers, independent of location. If users have an issue, it is recommended to instead set your client to a server (or to select from a list of servers) that works best for the user. Not all servers might be listed (at the same time, or even in general) on the public interface, though. However, for our setup, it should be fine to just list them all. Plus, nothing against Freenode, but until recently their network management has been a bit clunky. |
So, can we return all records as well? This seems the simple & stupid solution that works without too much effort. And we'd better use our bandwidth to focus on more important stuff, like userdb and other things. |
Yes. That is the "default" way most DNS servers return multiple results for one name. |
Yes, endless discussion about a thing that is currently a non-issue is indeed consuming bandwidth... |
In order to close this issue - is the DNS setup in general still an issue? If we add a server are we going to have GeoIP enabled for it? If so, how should we remove this configuration? |
We currently have an outage where
lon1.irc.hashbang.sh
fails all TLS handshakes.All users in Europe are only sent a record for
lon1
.The text was updated successfully, but these errors were encountered: