On Fri, Feb 5, 2021, at 2:42 AM Hal Murray via devel <devel@ntpsec.org> wrote:
> > devel@ntpsec.org said: > > 1208. I stripped out all handling of the netlink socket and fixed around > the > > breaks I found. This would reduce NTPsec w/ NTS and IPv4/6 to 5 sockets. > They > > are UDP4, UPD6, TCP4, TCP6, and netlink which only spuriously trigger DNS > > retries. > > I scanned the patch file and didn't see what I was looking for. But it's > 3K > lines so I could easily have missed it. > What were you looking for in the branch? > How much testing have you done? I expect the easy cases will work. Did > you > test anything complicated? > > It takes more than one interface to generate the complicated cases. The > server side needs to use the dest address from the request as the source > address on the reply. The client side needs to check that the packet came > to > the correct dest address. That's the code I didn't see. The old code > with a > socket per interface let the kernel do that work. With only one > interface, > you can't get it wrong. > > To test that, you have to do something to make the packet arrive on the > wrong > interface. > I tested it using ntpdig on a couple of machines running Kubuntu 20.04 and one w/ macOS High Sierra. Nothing complicated though, I can't be bothered to think of and set up cases. > At least on some OSes, you can get one socket that covers both IPv4 and > IPv6. > Maybe that's only for TCP. Mumble. I had to set some magic flag in order > to > get both NTS listeners to work. The second listener on a second thread > seemed > like a simple way to get some multi-threading. > Ah, I wondered about that a little. I could get a single UDP6 to work in a robot dog but not in NTPsec. Going with separate sockets for IP4 and IP6 also allows me to skip writing/finding helpers to convert from IP6 namespace to IP4 namespace for file I/O. I'm sure that if IP4 addresses were banned tomorrow, everyone would gripe. > Your "spuriously trigger DNS retries" path is important. It handles the > case > where ntpd gets started before the link to the outside world is up and all > the > DNS lookups fail. It doesn't catch all the cases, but it got at least > one. > It won't recover from something like a home router being slow to start > after a > power fail, maybe because the owner didn't poke the power button until > late in > the recovery game. I think the case it did catch involved WiFi. > When combined with some other code in the DNS path it is wrong-headed. "let's retry DNS every 5 minutes or whenever someone acts on the netlink socket, and pack on extra pool servers until we have twenty." It will probably come back in a diminished form later. If you absolutely must dns_try_again periodically it a couple of single line fixes to ntp_io:837 and ntp_io:325, switching to true and maybe a new period respectively.
_______________________________________________ devel mailing list devel@ntpsec.org http://lists.ntpsec.org/mailman/listinfo/devel
