* DNS resolver cache does not expire
@ 2011-06-23 14:19 Grazvydas Ignotas
       [not found] ` <BANLkTim+Phg+cY6_KAhxhfSeDj1td_GALw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
  0 siblings, 1 reply; 9+ messages in thread
From: Grazvydas Ignotas @ 2011-06-23 14:19 UTC (permalink / raw)
  To: linux-cifs-u79uwXL29TY76Z2rM5mHXA

Hello,

one of our slave servers has changed its address, and I can no
longer access its shares that are forwarded to by the main server
using DFS redirection. The slave server resolves correctly when trying
to access it directly, but when trying to access through a mount on
the main server, cifsFYI shows dns_resolve_server_name_to_ip returns
the old address. I've verified slave server names match and Windows
clients can access those DFS shares correctly. It has been several
days since server address change. I'm running 2.6.38.2 kernel on
Ubuntu 10.04.

Any way to clear that dns_resolver cache? I have no desire to reboot
the machine.

-- 
Gražvydas


* Re: DNS resolver cache does not expire
       [not found] ` <BANLkTim+Phg+cY6_KAhxhfSeDj1td_GALw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
@ 2011-06-23 19:15   ` Pavel Shilovsky
       [not found]     ` <BANLkTikbk1yvwWCvhmqdH1DHZN1PPEz+hw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
  0 siblings, 1 reply; 9+ messages in thread
From: Pavel Shilovsky @ 2011-06-23 19:15 UTC (permalink / raw)
  To: Grazvydas Ignotas
  Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA, David Howells, Steve French

2011/6/23 Grazvydas Ignotas <notasas-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>:
> Hello,
>
> one of our slave servers has changed its address, and I can no
> longer access its shares that are forwarded to by the main server
> using DFS redirection. The slave server resolves correctly when trying
> to access it directly, but when trying to access through a mount on
> the main server, cifsFYI shows dns_resolve_server_name_to_ip returns
> the old address. I've verified slave server names match and Windows
> clients can access those DFS shares correctly. It has been several
> days since server address change. I'm running 2.6.38.2 kernel on
> Ubuntu 10.04.
>
> Any way to clear that dns_resolver cache? I have no desire to reboot
> the machine.
>

It seems that dns_resolver sets expiry timeout to zero here
(http://lxr.free-electrons.com/source/security/keys/key.c#L310) and
doesn't change it - so, it always returns cached value.

David, can you comment on this problem, please?

-- 
Best regards,
Pavel Shilovsky.


* Re: DNS resolver cache does not expire
       [not found]     ` <BANLkTikbk1yvwWCvhmqdH1DHZN1PPEz+hw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
@ 2011-06-23 19:48       ` Steve French
  2011-06-23 20:14       ` Jeff Layton
  2011-06-27 12:34       ` David Howells
  2 siblings, 0 replies; 9+ messages in thread
From: Steve French @ 2011-06-23 19:48 UTC (permalink / raw)
  To: Pavel Shilovsky
  Cc: Grazvydas Ignotas, linux-cifs-u79uwXL29TY76Z2rM5mHXA,
	David Howells

Ideally we would want to toss a cached mapping of an IP address to hostname if
we get an EHOSTDOWN or equivalent on the socket connection request
(although in some cases NFS server may be exporting on one port, but not Samba
or vice versa - still better to remove a cached mapping).

On Thu, Jun 23, 2011 at 2:15 PM, Pavel Shilovsky <piastryyy-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> 2011/6/23 Grazvydas Ignotas <notasas-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>:
>> Hello,
>>
>> one of our slave servers has changed its address, and I can no
>> longer access its shares that are forwarded to by the main server
>> using DFS redirection. The slave server resolves correctly when trying
>> to access it directly, but when trying to access through a mount on
>> the main server, cifsFYI shows dns_resolve_server_name_to_ip returns
>> the old address. I've verified slave server names match and Windows
>> clients can access those DFS shares correctly. It has been several
>> days since server address change. I'm running 2.6.38.2 kernel on
>> Ubuntu 10.04.
>>
>> Any way to clear that dns_resolver cache? I have no desire to reboot
>> the machine.
>>
>
> It seems that dns_resolver sets expiry timeout to zero here
> (http://lxr.free-electrons.com/source/security/keys/key.c#L310) and
> doesn't change it - so, it always returns cached value.
>
> David, can you comment on this problem, please?
>
> --
> Best regards,
> Pavel Shilovsky.
>



-- 
Thanks,

Steve


* Re: DNS resolver cache does not expire
       [not found]     ` <BANLkTikbk1yvwWCvhmqdH1DHZN1PPEz+hw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
  2011-06-23 19:48       ` Steve French
@ 2011-06-23 20:14       ` Jeff Layton
  2011-06-27 12:34       ` David Howells
  2 siblings, 0 replies; 9+ messages in thread
From: Jeff Layton @ 2011-06-23 20:14 UTC (permalink / raw)
  To: Pavel Shilovsky
  Cc: Grazvydas Ignotas, linux-cifs-u79uwXL29TY76Z2rM5mHXA,
	David Howells, Steve French

On Thu, 23 Jun 2011 23:15:29 +0400
Pavel Shilovsky <piastryyy-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> 2011/6/23 Grazvydas Ignotas <notasas-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>:
> > Hello,
> >
> > one of our slave servers has changed its address, and I can no
> > longer access its shares that are forwarded to by the main server
> > using DFS redirection. The slave server resolves correctly when trying
> > to access it directly, but when trying to access through a mount on
> > the main server, cifsFYI shows dns_resolve_server_name_to_ip returns
> > the old address. I've verified slave server names match and Windows
> > clients can access those DFS shares correctly. It has been several
> > days since server address change. I'm running 2.6.38.2 kernel on
> > Ubuntu 10.04.
> >
> > Any way to clear that dns_resolver cache? I have no desire to reboot
> > the machine.
> >
> 
> It seems that dns_resolver sets expiry timeout to zero here
> (http://lxr.free-electrons.com/source/security/keys/key.c#L310) and
> doesn't change it - so, it always returns cached value.
> 
> David, can you comment on this problem, please?
> 

I think the right thing to do here is probably to tie the lifetime of
the key to the record's TTL. Getting that info may be a little tricky
though since it's not generally available via getaddrinfo and such.

Also, for name records that come from /etc/hosts or yp, or some other
mechanism you'll need to pick a default TTL since those mechanisms
don't provide one.

-- 
Jeff Layton <jlayton-vpEMnDpepFuMZCB2o+C8xQ@public.gmane.org>


* Re: DNS resolver cache does not expire
       [not found]     ` <BANLkTikbk1yvwWCvhmqdH1DHZN1PPEz+hw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
  2011-06-23 19:48       ` Steve French
  2011-06-23 20:14       ` Jeff Layton
@ 2011-06-27 12:34       ` David Howells
       [not found]         ` <21187.1309178053-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
       [not found]         ` <BANLkTikOq_dT1SF9aZ=0DNdoVOngvygfZw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
  2 siblings, 2 replies; 9+ messages in thread
From: David Howells @ 2011-06-27 12:34 UTC (permalink / raw)
  To: Pavel Shilovsky
  Cc: dhowells-H+wXaHxf7aLQT0dZR+AlfA, Grazvydas Ignotas,
	linux-cifs-u79uwXL29TY76Z2rM5mHXA, Steve French

Pavel Shilovsky <piastryyy-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> It seems that dns_resolver sets expiry timeout to zero here
> (http://lxr.free-electrons.com/source/security/keys/key.c#L310) and
> doesn't change it - so, it always returns cached value.

That's not the DNS resolver you've provided a pointer to - that's where the
key allocator initialises a new key.

> David, can you comment on this problem, please?

It's not much of a problem.  Userspace needs to set the key timeout before
instantiating the key:

http://git.kernel.org/?p=linux/kernel/git/dhowells/keyutils.git;a=blob;f=key.dns_resolver.c;h=ab9b87875bcd94dae3083b2711207f87ceea7df1;hb=faabd7c8464502becd01972b1a76ab1dfa1906cc#l502

David


* Re: DNS resolver cache does not expire
       [not found]         ` <21187.1309178053-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
@ 2011-06-27 17:27           ` Pavel Shilovsky
  0 siblings, 0 replies; 9+ messages in thread
From: Pavel Shilovsky @ 2011-06-27 17:27 UTC (permalink / raw)
  To: David Howells
  Cc: Grazvydas Ignotas, linux-cifs-u79uwXL29TY76Z2rM5mHXA,
	Steve French

2011/6/27 David Howells <dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>:
> Pavel Shilovsky <piastryyy-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
>> It seems that dns_resolver sets expiry timeout to zero here
>> (http://lxr.free-electrons.com/source/security/keys/key.c#L310) and
>> doesn't change it - so, it always returns cached value.
>
> That's not the DNS resolver you've provided a pointer to - that's where the
> key allocator initialises a new key.

Yes, I meant that dns_query calls request_key -> request_key_and_link
-> construct_key_and_link -> construct_alloc_key -> key_alloc, and
there the expiry timeout is set to zero. I didn't notice any other places
where this value changes while request_key is being processed. If I
missed something, please point it out!

>
>> David, can you comment on this problem, please?
>
> It's not much of a problem.  Userspace needs to set the key timeout before
> instantiating the key:
>
> http://git.kernel.org/?p=linux/kernel/git/dhowells/keyutils.git;a=blob;f=key.dns_resolver.c;h=ab9b87875bcd94dae3083b2711207f87ceea7df1;hb=faabd7c8464502becd01972b1a76ab1dfa1906cc#l502
>
> David
>

That makes the problem with setting expiry time to zero clear. Thanks!

-- 
Best regards,
Pavel Shilovsky.


* Re: DNS resolver cache does not expire
       [not found]         ` <BANLkTikOq_dT1SF9aZ=0DNdoVOngvygfZw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
@ 2011-06-27 19:42           ` David Howells
       [not found]             ` <28505.1309203730-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
       [not found]             ` <BANLkTinN0pXZsPADfzvO8p+Jf0i3tWtKpw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
  0 siblings, 2 replies; 9+ messages in thread
From: David Howells @ 2011-06-27 19:42 UTC (permalink / raw)
  To: Pavel Shilovsky
  Cc: dhowells-H+wXaHxf7aLQT0dZR+AlfA, Grazvydas Ignotas,
	linux-cifs-u79uwXL29TY76Z2rM5mHXA, Steve French

Pavel Shilovsky <piastryyy-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> Yes, I meant that dns_query calls request_key -> request_key_and_link
> -> construct_key_and_link -> construct_alloc_key -> key_alloc, and
> there the expiry timeout is set to zero. I didn't notice any other places
> where this value changes while request_key is being processed. If I
> missed something, please point it out!

request_key() upcalls to userspace.  The userspace application should call
keyctl_set_timeout() before calling keyctl_instantiate().

David


* Re: DNS resolver cache does not expire
       [not found]             ` <28505.1309203730-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
@ 2011-06-28  9:47               ` Grazvydas Ignotas
  0 siblings, 0 replies; 9+ messages in thread
From: Grazvydas Ignotas @ 2011-06-28  9:47 UTC (permalink / raw)
  To: David Howells
  Cc: Pavel Shilovsky, linux-cifs-u79uwXL29TY76Z2rM5mHXA, Steve French,
	Jeff Layton

On Mon, Jun 27, 2011 at 10:42 PM, David Howells <dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> wrote:
> Pavel Shilovsky <piastryyy-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
>> Yes, I meant that dns_query calls request_key -> request_key_and_link
>> -> construct_key_and_link -> construct_alloc_key -> key_alloc, and
>> there the expiry timeout is set to zero. I didn't notice any other places
>> where this value changes while request_key is being processed. If I
>> missed something, please point it out!
>
> request_key() upcalls to userspace.  The userspace application should call
> keyctl_set_timeout() before calling keyctl_instantiate().

So in my case it's cifs.upcall that doesn't set the timeout I guess,
as contents of my /etc/request-key.conf are:
create	cifs.spnego	*	*		/usr/sbin/cifs.upcall -c %k
create	dns_resolver	*	*		/usr/sbin/cifs.upcall %k


* Re: DNS resolver cache does not expire
       [not found]             ` <BANLkTinN0pXZsPADfzvO8p+Jf0i3tWtKpw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
@ 2011-06-28 10:10               ` David Howells
  0 siblings, 0 replies; 9+ messages in thread
From: David Howells @ 2011-06-28 10:10 UTC (permalink / raw)
  To: Grazvydas Ignotas
  Cc: dhowells-H+wXaHxf7aLQT0dZR+AlfA, Pavel Shilovsky,
	linux-cifs-u79uwXL29TY76Z2rM5mHXA, Steve French, Jeff Layton

Grazvydas Ignotas <notasas-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> So in my case it's cifs.upcall that doesn't set the timeout I guess,
> as contents of my /etc/request-key.conf are:

Indeed.  In any case, the kernel doesn't know about the TTL userspace
received from the DNS server, so userspace has to tell the kernel somehow.

David
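
The call ordering discussed in this thread (set the key timeout from the DNS TTL, then instantiate), written out as an added example; it is not code from cifs.upcall, keyutils or any poster here. The `key_ops` backends, `DEFAULT_TTL`, the dry-run trace and the sample key id and address are assumptions made for the illustration; the kernel backend issues the raw keyctl(2) operations that keyctl_set_timeout() and keyctl_instantiate() wrap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/keyctl.h>

#define DEFAULT_TTL 600u /* assumed fallback for /etc/hosts, yp: no TTL */
struct key_ops { /* hypothetical backend: kernel keyrings or dry run */
    long (*set_timeout)(int key, unsigned secs);
    long (*instantiate)(int key, const char *data, size_t len);
};
/* Raw keyctl(2) operations behind keyctl_set_timeout()/keyctl_instantiate(). */
static long k_timeout(int key, unsigned secs) {
    return syscall(SYS_keyctl, (long)KEYCTL_SET_TIMEOUT, (long)key, (long)secs);
}
static long k_inst(int key, const char *d, size_t n) { /* 0: no extra keyring */
    return syscall(SYS_keyctl, (long)KEYCTL_INSTANTIATE, (long)key, d, n, 0L);
}
static const struct key_ops kernel_ops = { k_timeout, k_inst };

static char trace[128]; /* dry run: record the call sequence only */
static long d_timeout(int key, unsigned secs) {
    size_t n = strlen(trace);
    return snprintf(trace + n, sizeof trace - n, "timeout(%d,%u);", key, secs) < 0 ? -1 : 0;
}
static long d_inst(int key, const char *d, size_t len) {
    size_t n = strlen(trace);
    return snprintf(trace + n, sizeof trace - n, "instantiate(%d,%.*s);", key, (int)len, d) < 0 ? -1 : 0;
}
static const struct key_ops dry_ops = { d_timeout, d_inst };

/* ttl < 0: source gave none. A timeout of 0 would clear the expiry, so clamp. */
static unsigned effective_ttl(long ttl) {
    if (ttl < 0) return DEFAULT_TTL;
    return ttl == 0 ? 1u : (unsigned)ttl;
}

/* Expiry first, then payload; never instantiate a key that cannot expire. */
static int instantiate_dns_key(const struct key_ops *ops, int key, const char *addr, long ttl) {
    if (ops->set_timeout(key, effective_ttl(ttl)) < 0) return -1;
    return ops->instantiate(key, addr, strlen(addr)) < 0 ? -1 : 0;
}

int main(int argc, char **argv) { /* args: <key-id> <address> <ttl> */
    if (argc == 4)
        return instantiate_dns_key(&kernel_ops, atoi(argv[1]), argv[2], atol(argv[3])) ? 1 : 0;
    instantiate_dns_key(&dry_ops, 1234, "192.0.2.10", 300); /* constructed sample */
    puts(trace);
    return 0;
}
```

Run without arguments it prints the dry-run call sequence; the three-argument form only succeeds when invoked by request-key for a key that is still under construction.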
