What are the measured DNS response times that you're seeing, and are
Cloudflare's and Google's response times in accordance with the
recommended times?
Any DNS query needs to allow at least a response time to the other side
of the planet and then some. There are some recommended values in some
RFCs using a metric based on the number of servers etc.
I don't think that Google and Cloudflare honour these conventions, which
is unfortunate.
Kind Regards
-----Original Message-----
From: Harry G. Coin via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Reply-To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Harry G. Coin <hgcoin(a)gmail.com>
Subject: [Freeipa-users] Re: DNSSEC rejected by Cloudflare, Google,
accepted by Verizon, AT&T
Date: Mon, 1 Aug 2022 12:20:50 -0500
TL;DR: FreeIPA's DNS (especially with DNSSEC enabled) can appear to be
working well and pass accuracy tests, yet generate failures depending
on the client's DNS provider's response timeout settings. You can tell
whether you're as 'online as you think you are' using this tool:
https://dnschecker.org/
FreeIPA's DNS response latency times are near the timeout/give-up
bubble of some of the world's largest public / semi-public DNS
resolvers. When 'over time', these large companies report that the FreeIPA
web sites & related services do not exist. DNS resolvers in use by
those 'near to' the host generally have better timing and so
give the appearance of working.
Without DNSSEC enabled, the packet sizes and processing requirements
are less, so most services on the same continent as the host operate as
expected. Enabling DNSSEC adds enough so that even the 'more local'
DNS resolvers time out/report error -- and without notice to the
FreeIPA hosting organization. Cloudflare and Google in North America
'worked' without DNSSEC in my case, but failed more often than they
worked with DNSSEC enabled.
I think the problem is the latency involved in the orchestration
between bind9 and dirsrv/ldap. Workarounds include "throwing faster
computers at it" and/or pointing internet NS records at slave resolvers
that don't depend on interprocess communications.
Hope this helps other folks.
Harry Coin
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
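The reply asks what response times are actually being measured, and the original message argues that DNSSEC pushes FreeIPA's answers toward the give-up point of large public resolvers. The following is an added example, not code from either message or from the FreeIPA project, of how an operator can measure that for their own authoritative server: it builds a raw UDP query with or without the EDNS0 DO bit, times the round trip against a chosen budget, and parses the reply to count RRSIGs and the wire size, so the DNSSEC overhead is visible directly. EXAMPLE_NAME, TIMEOUT_BUDGET_S and the constructed response bytes are assumptions for illustration; public resolvers do not publish a single timeout value, so set the budget from your own observations.

```python
import socket
import struct
import time

# Assumed values (not from the thread): substitute your own zone name and
# a budget derived from the resolvers your users actually go through.
EXAMPLE_NAME = "ipa.example.test"
TIMEOUT_BUDGET_S = 2.0


def _encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def build_query(name, qtype=1, txn_id=0x1234, dnssec_ok=True):
    """Build a UDP query; with dnssec_ok add an EDNS0 OPT RR carrying the DO bit."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    question = _encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if dnssec_ok:
        # OPT RR: root name, TYPE 41, UDP payload size 1232, ext-rcode 0,
        # EDNS version 0, flags with DO (bit 15) set, RDLEN 0
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_response(msg):
    """Summarise a response: rcode, TC flag, answer count, RRSIG count, size."""
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    types = []
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return {
        "id": txn_id,
        "rcode": flags & 0x000F,
        "truncated": bool(flags & 0x0200),
        "answers": an,
        "rrsigs": types.count(46),               # RRSIG = type 46
        "wire_bytes": len(msg),
    }


def classify(rtt, budget=TIMEOUT_BUDGET_S, margin=0.5):
    """Label a round-trip time against a resolver's assumed timeout budget."""
    if rtt is None or rtt >= budget:
        return "timeout"
    if rtt >= budget * margin:
        return "near-timeout"
    return "ok"


def measure(server, name, dnssec_ok=True, timeout=TIMEOUT_BUDGET_S):
    """Send one query to an authoritative server; return (rtt_seconds, summary)."""
    query = build_query(name, dnssec_ok=dnssec_ok)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t0 = time.monotonic()
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None, None
        return time.monotonic() - t0, parse_response(data)


def constructed_response(name=EXAMPLE_NAME):
    """Constructed (not captured) signed reply: one A RR, one RRSIG, one OPT RR."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 2, 0, 1)   # QR + AA
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    ptr = b"\xc0\x0c"                                               # points at QNAME
    a_rr = ptr + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    rrsig_rdata = (struct.pack("!HBBIIIH", 1, 8, 3, 300, 1700000000, 1690000000, 12345)
                   + _encode_name("example.test") + b"\x00" * 64)  # dummy signature
    rrsig_rr = ptr + struct.pack("!HHIH", 46, 1, 300, len(rrsig_rdata)) + rrsig_rdata
    opt_rr = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + a_rr + rrsig_rr + opt_rr


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # python dnsrtt.py <server-ip>
        for do in (False, True):
            rtt, info = measure(sys.argv[1], EXAMPLE_NAME, dnssec_ok=do)
            print("DO=%s rtt=%s %s %s" % (do, rtt, classify(rtt), info))
    else:
        print(parse_response(constructed_response()))
```

Run it twice against the same server, once with DO clear and once set, and compare both the RTT label and wire_bytes; a reply that is much larger or slower with DO set, or that comes back truncated, is the condition the original message describes, and an "ok" from a nearby resolver does not contradict a "near-timeout" seen from a distant one.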