[reSIProcate] DNS greylisting
Byron Campen
bcampen at estacado.net
Tue Feb 20 11:20:50 CST 2007
There has been some discussion in the past about what the stack
should do if a request times out, or gets a 503 without a Retry-
After. I have argued that it is not appropriate to blacklist in these
cases, but it is generally agreed that DNS results that have been
found non-responsive should be prioritized lower than other DNS
results. I proposed the idea of "greylisting", where a DNS result
would be de-prioritized, but not removed from the candidate set.
Greylisted targets would only be tried if there were no non-
greylisted targets left to try. (see [reSIProcate] DNS not returning
entries after 408?)
I have looked at the code that presently handles whitelisting, and
it looks pretty easy to add the responsibility for greylisting. For
those who aren't familiar with the code, to accomplish the
whitelisting effect, DnsStub keeps an instance of class RRVip (RRVip
derives from DnsStub::ResultTransform, a functor responsible for
transforming incoming DNS result-sets in an arbitrary fashion). RRVip
holds onto a map of functors (RRVip::Transform) that are keyed by
resource-record type(A, AAAA, SRV, NAPTR), and resource name. Right
now the only thing RRVip::Transform and its subclasses do is sort.
Each time a result is whitelisted, we create an instance of
RRVip::Transform (or an appropriate subclass, depending on what
resource type we're talking about; A, SRV, etc), and place it in the
map maintained by RRVip. When RRVip is asked to process a result-set,
it finds the appropriate functor in the map, this functor will look
through the result-set for the whitelisted result, and place this
result at the beginning of the result-set. (If we do not find the
whitelisted result, RRVip removes this functor from the map).
So, to implement greylisting, we have a couple of obvious choices:
1) Build greylisting into RRVip, leave everything else as-is.
2) Write another subclass of DnsStub::ResultTransform (say,
RRGreylist) and a simple functor-composition class (say,
DnsStub::ResultTransformComposition), and compose an RRVip and an
RRGreylist into a single functor.
The first choice is quicker, easier, but less modular. Is modularity
important enough in this particular case (DNS result transformations)
to warrant the extra effort?
Best regards,
Byron Campen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://list.resiprocate.org/pipermail/resiprocate-devel/attachments/20070220/846a295b/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2423 bytes
Desc: not available
URL: <http://list.resiprocate.org/pipermail/resiprocate-devel/attachments/20070220/846a295b/attachment.bin>
More information about the resiprocate-devel
mailing list