[systemd-devel] resolved: does DNSSEC=allow-downgrade affect caching?
Ran Benita
ran234 at gmail.com
Wed Apr 13 11:05:45 UTC 2016
Hey,
I read in the v229 NEWS that it is now possible to specify
DNSSEC=allow-downgrade and decided to try it. Note that I use my local
home router's DNS server which certainly does not support DNSSEC. I
configured the system to use resolved by changing "dns" to "resolve" in
nsswitch.conf. I use systemd v229.
I use the following simple Python to test the DNS response time:

    import time, socket
    before = time.time()
    socket.gethostbyname('google.com')
    after = time.time()
    print((after - before) * 1000)  # milliseconds

With resolved stopped entirely (systemctl stop), I get around ~22ms for
all queries.
With resolved started, and setting DNSSEC=no, I get ~22ms first time,
and ~2ms in subsequent queries.
With resolved started, and setting DNSSEC=allow-downgrade, I get ~22ms
consistently after a few times.
So it seems like with allow-downgrade, local caching isn't performed? Is
this expected behavior for this option? Or maybe I did something wrong?
(I am lazy and didn't try to investigate with wireshark and/or the
code).
Ran
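
An added example, not part of the original post: a repeatable version of the timing test above that takes several samples and compares the first (cold) lookup with the median of the repeats. The function names and the 3x speedup threshold are assumptions made for this illustration.

```python
import socket
import statistics
import time


def sample_lookups(name, count=10, resolve=socket.gethostbyname,
                   clock=time.perf_counter):
    """Resolve `name` `count` times; return each latency in milliseconds."""
    latencies = []
    for _ in range(count):
        start = clock()
        resolve(name)
        latencies.append((clock() - start) * 1000.0)
    return latencies


def summarize(latencies, speedup=3.0):
    """Compare the first (cold) lookup with the median of the repeats.

    `speedup` is an assumed threshold: repeats must be at least this many
    times faster than the first lookup to count as answered from a cache.
    """
    if len(latencies) < 2:
        raise ValueError("need at least two lookups to compare")
    first = latencies[0]
    repeat_median = statistics.median(latencies[1:])
    return {
        "first_ms": first,
        "repeat_median_ms": repeat_median,
        "cache_effect": repeat_median * speedup <= first,
    }


if __name__ == "__main__":
    # Run once per resolved setting (DNSSEC=no, DNSSEC=allow-downgrade),
    # restarting systemd-resolved in between so each run starts cold.
    # If the name is already cached, the first lookup is fast as well and
    # cache_effect reads False even though caching works.
    result = summarize(sample_lookups("google.com"))
    print("first: {first_ms:.1f} ms, repeats (median): "
          "{repeat_median_ms:.1f} ms, cache effect: {cache_effect}"
          .format(**result))
```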