What are the measured DNS response times that you're seeing and are cloudflares and google's response times in accordance with the recommended times.
Any DNS query needs to allow at least a response time to the other side of the planet and then some. There are some recommended values in some RFC's using a metric based on the number of servers etc.
I don't think that Google and cloudflare honour these conventions which is unfortunate.
Kind Regards
-----Original Message-----
Subject: [Freeipa-users] Re: Dnssec rejected by Cloudflair, Google, accepted by Verizon, AT&T
Date: Mon, 1 Aug 2022 12:20:50 -0500
TL;Dr: Freeipa's DNS (especially with dnssec enabled) can appear to be
working well and pass accuracy tests, yet generate failures depending on
the client's dns provider's response timeout settings. You can tell
whether you're as 'online as you think you are' using this tool:
https://dnschecker.org/
Freeipa's dns response latency times are near the timeout/give-up bubble
of some of the world largest public / semi-public DNS resolvers. When
'over time', these large companies report the freeipa web sites &
related services do not exist. DNS resolvers in use by those 'near to'
the host generally have better timing generally and so give the
appearance of working.
Without DNSSEC enabled, the packet sizes and processing requirements are
less, so most services on the same continent as the host operate as
expected. Enabling DNSSec adds enough so that even the 'more local' dns
resolvers time out/report error -- and without notice to the freeipa
hosting organization. Cloudflare and Google in North America 'worked'
without dnssec in my case, but failed more often than it worked with
DNSSEC enabled.
I think the problem is the latency involved in the orchestration between
bind9 and dirsrv/ldap. Work arounds include "throwing faster computers
at it" and/or pointing internet NS records at slave resolvers that don't
depend on interprocess communications.
Hope this helps other folks.
Harry Coin
_______________________________________________
FreeIPA-users mailing list --
freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure