
Re: nscd: Was Re: long delays with LDAP nss/pam



G'day,

From: "Russell Coker" <russell@coker.com.au>
> On Fri, 29 Oct 2004 09:56, "Donovan Baarda" <abo@minkirri.apana.org.au> wrote:
> > I actually run pdnsd. I find it leaner and simpler than named. However, is
> > "run named on all hosts" really better than "run nscd on all hosts"?
>
> That's debatable.  Some people will say that DNS servers are too much of a
> security risk.  However another issue is that nscd uses different cache
> algorithms to DNS servers and is likely to either give worse performance or
> less accurate results than using a DNS server.

I'd say that sounds like a bug in nscd :-)

Seriously, does nscd really not correctly handle dns caching/expiry
properly? I thought the dns caching stuff was well thought out and
defined... not implementing it properly would be dumb.

> Try pinging smtp.sws.net.au (my mail server) and www.coker.com.au (my web
> server).  Note that the repeated reverse lookups only occur on
> www.coker.com.au, it seems that the repeated lookups only occur if forward
> and reverse DNS don't match (but I haven't checked the source code to verify
[...]

I don't think that it's that simple... I seem to be getting lookups for both
of those. Are you sure you didn't just have smtp.sws.net.au in your hosts
file?

> > This is when I first noticed this behaviour... ping was taking ~10secs
> > between each ping packet... it turns out waiting for nslookups to time out
> > before trying the second nameserver between each ping.
>
> I think that ping is buggy in this regard.  I think that it should just keep
> using the first DNS result that it gets, if the user wants ping to re-do the
> DNS lookups then they will press ^C and re-start it!  Would you like to file
> the bug report or shall I?

There may be reasons that it doesn't.... round robin DNS? Dynamic DNS
"flapping"? dunno.

> If there was a choice between running only nscd or only named then nscd might
> be a reasonable option.  But given that every serious network will need a
> caching DNS proxy (for which task it's unfortunate that there is nothing
> better than BIND) it doesn't seem to be a problem to me that you run it on
> several machines instead of just one.
>
> If you have only a single machine connected to an ISP then maybe nscd will be
> the best choice.  However that scenario is becoming increasingly rare.

I prefer to run a caching dns server on one machine, and nscd on all the
clients. In my case I'm using libnss-ldap on the clients so I kinda need to
run it anyway.

The other reason either a caching dns or nscd is a better idea than multiple
nameservers in resolv.conf is the timeout waits on every lookup when the
first nameserver is down.

----------------------------------------------------------------
Donovan Baarda                http://minkirri.apana.org.au/~abo/
----------------------------------------------------------------
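The resolv.conf timeout problem discussed in this thread can be quantified. The following is an added example written for this page, not code from the thread or from glibc; it models the glibc stub resolver's documented behaviour (resolv.conf(5): nameservers tried in list order, `timeout` seconds each, the whole list repeated `attempts` times, defaults timeout:5 attempts:2, `rotate` round-robins the starting server) as a simplified model that ignores network latency and the resolver's own per-process state. The nameserver addresses and both resolv.conf contents are constructed for the example.

```python
"""Per-lookup delay from a resolv.conf when the first nameserver is down.

Simplified model of the glibc stub resolver (resolv.conf(5)): every uncached
lookup walks the nameserver list in order, waits `timeout` seconds on each
server that does not answer, and repeats the whole walk `attempts` times.
A live server is assumed to answer instantly. The resolv.conf samples and
the 192.0.2.x addresses below are constructed for this example.
"""

import re

# glibc defaults and caps documented in resolv.conf(5)
DEFAULT_TIMEOUT = 5    # seconds per nameserver per attempt (RES_TIMEOUT)
DEFAULT_ATTEMPTS = 2   # passes over the nameserver list (RES_DFLRETRY)
MAX_TIMEOUT = 30
MAX_ATTEMPTS = 5

# Weak configuration: two remote servers, glibc defaults.  If 192.0.2.1 is
# down, every uncached lookup waits 5 s before 192.0.2.2 is even asked.
WEAK = """\
nameserver 192.0.2.1
nameserver 192.0.2.2
"""

# Hardened configuration: short timeout and round-robin start, so a dead
# first server costs at most 1 s and only on half of the lookups.
HARDENED = """\
nameserver 192.0.2.1
nameserver 192.0.2.2
options timeout:1 attempts:2 rotate
"""


def parse_resolv_conf(text):
    """Return (nameservers, options) from resolv.conf text.

    Keeps only what matters for timing: the nameserver list and the
    timeout/attempts/rotate options, with glibc's caps applied.  Comments
    (# or ;) and unknown keywords/options are ignored, as glibc ignores them.
    """
    nameservers = []
    opts = {"timeout": DEFAULT_TIMEOUT, "attempts": DEFAULT_ATTEMPTS,
            "rotate": False}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()
        if not line:
            continue
        keyword, *args = line.split()
        if keyword == "nameserver" and args:
            nameservers.append(args[0])
        elif keyword == "options":
            for opt in args:
                m = re.match(r"^(timeout|attempts):(\d+)$", opt)
                if m:
                    cap = MAX_TIMEOUT if m.group(1) == "timeout" else MAX_ATTEMPTS
                    opts[m.group(1)] = min(int(m.group(2)), cap)
                elif opt == "rotate":
                    opts["rotate"] = True
    return nameservers, opts


def lookup_delay(nameservers, opts, dead, start=0):
    """Seconds one uncached lookup waits before a live server answers.

    `dead` is the set of servers that never reply; `start` is the index the
    walk begins at (non-zero only under `rotate`).  Returns None when no live
    server is reached within `attempts` passes, i.e. the lookup fails after
    spending the whole timeout budget.
    """
    order = nameservers[start:] + nameservers[:start]
    waited = 0
    for _ in range(opts["attempts"]):
        for ns in order:
            if ns in dead:
                waited += opts["timeout"]
            else:
                return waited
    return None


def expected_delay(nameservers, opts, dead):
    """Average lookup delay; with `rotate` the start server cycles, so the
    delay is averaged over every possible starting index."""
    starts = range(len(nameservers)) if opts["rotate"] else [0]
    delays = [lookup_delay(nameservers, opts, dead, s) for s in starts]
    if any(d is None for d in delays):
        return None
    return sum(delays) / len(delays)


def failure_budget(nameservers, opts):
    """Seconds a lookup takes to fail outright when every server is dead."""
    return opts["timeout"] * opts["attempts"] * len(nameservers)


if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("hardened", HARDENED)):
        ns, o = parse_resolv_conf(conf)
        print(f"{label:9s} ns1 down: {expected_delay(ns, o, {ns[0]})}s per lookup,"
              f" all down: fails after {failure_budget(ns, o)}s")
```

The model shows why the thread's advice to front every lookup with a local cache (a caching DNS server on the host, or nscd for NSS lookups) beats listing several remote servers: a short `timeout` and `rotate` only shrink the per-lookup penalty, while a cache hit removes the remote lookup altogether, and the timeout is still paid on every cache miss.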


