[bind10-dev] recursor cache requirements - input required
Jerry Scharf
scharf at isc.org
Wed Dec 8 19:31:06 UTC 2010
Likun,
I like Shane's idea of one class per cache. Since the cache in not a
once per server entity (each view requires its own cache), if someone
wants hesiod queries (the only other class I know of) build a separate
cache for that. It will decrease the size and increase the speed of each
class in this case.
I do not think you should keep any message in the cache. I have been
involved in more than one recursive server and have never seen the
response message from the upstream cache fill or the answer created for
the client kept. You always have to regenerate the answer from the
validated data in the cache to prevent cache poisoning attacks, so
keeping the upstream message is a bad idea. You also have situations
where the answer from before is no longer correct. (a classic example of
this is that the first answer used the glue NS rrset for the authority
data and that rrset was later replaced by the authoritative zone NS
rrset or a new query within the zone included a new NS rrset in its
authority section.) You need to build everything you need from the
current cache information.
Getting the answer rrset or an error from cache is simple. You just walk
down the logical namespace hierarchy until you find the cache entry.
Building the authority section is not too hard either. You want to flag
any node that is a zone cut (apex) in the cache. As you walk down, you
remember the last zone cut you saw. When you get to the answer, you go
back to the nearest zone cut and get the NS rrset. There are some
differences on whether to put an optimization for finding/keeping the
associated A/AAAA records for the NS RRs for the additional section.
I've seen fast servers that did not have that and others that did.
jerry
More information about the bind10-dev
mailing list