| View previous topic :: View next topic |
| Author |
Message |
plate
Bodhisattva
Joined: 25 Jul 2002
Posts: 1663
Location: Berlin
|
 Posted: Tue Mar 11, 2003 1:31 am Post subject: |
 |
|
I can only suspect it's the provider who blocks TCP/53, I'm not doing it. And it's not even my access provider, the DNS I'm using is outside of their reach. I'm friendly with the DNS admin, but his say in what the network settings at the server location are is limited, too. Anyway, given the number of people who ran into this problem, can anyone think of a solution that doesn't involve searching for a more permissive DNS?
If somebody had said to me six months ago that I'd be worrying about UDP overspill one day...  |
|
| Back to top |
|
 |
aja
l33t
Joined: 26 Aug 2002
Posts: 705
Location: Edmonton, Canada
|
| Posted: Tue Mar 11, 2003 2:01 am Post subject: |
|
|
I've been doing a bit of reading. It seems that the practice of blocking TCP port 53 is done by some providers/routers/ISPs to block zone transfer attacks by script kiddies. This practice is consdered 'acceptable' by said organizations because most normal DNS queries are UDP. This is, as near as I can tell, considered the wrong thing because:
(1) The problem with fall-over to TCP for large DNS responses (what is biting us).
(2) TCP is used by DNS to handly lossy network conditions
(3) Some country domains require TCP/53 on name servers.
(4) It doesn't necessarily solve the zone transfers problem because there are protocols for UDP zone transfer.
And -- here's the big one -- RFC1035 (the DNS spec) specifically describes the fall-back to tcp for large DNS responses - so blocking TCP53 violates the DNS spec.
Looks to me like the TCP/53 blocking that is going on is a classic Microsoft-style response to a security problem - disable or cripple the service rather than resolve the issue.
That being said, I realize I'm being a bit of a purist (which is easy, because I'm not experiencing the problem). Do we want to put our standards hat on and tell people to take it to their ISPs or do we want to find a way to keep the DNS responses down at the UDP size to help our poor benighted brethren?
It seems to me that, with the amount of stuff that we are downloading to people during a typical emerge sync, we could feed them an updated server list and have some sort of client-side resolution of which rsync server to use (randomize? based on geography? based on current load downloaded from a central source?. The problem there is that we need to trust people (or at least most of them) not to spoof it to ensure that the load stays balanced.
Of course, that's just my opinion, I could be wrong...  |
|
| Back to top |
|
|
CJayNC
n00b
Joined: 09 Mar 2003
Posts: 11
Location: Lexington, SC
|
| Posted: Tue Mar 11, 2003 3:07 am Post subject: |
|
|
Hi,
Just wanted to say thanks to everyone for your explanations. I'm not blocking TCP/53 either, but I imagine my ISP is...
The reduction in the number of servers that klieber mentioned has allowed sync to work for me again, but now that I know of the "preferred", possibly long-term solution (use the country-code-/continent- based domains), I'll gladly use that.
Thanks again,
CJ |
|
| Back to top |
|
|
perry
Tux's lil' helper
Joined: 18 Nov 2002
Posts: 142
Location: Cornfields of Indiana
|
| Posted: Tue Mar 11, 2003 4:12 am Post subject: |
|
|
| CJayNC wrote: | | The reduction in the number of servers that klieber mentioned has allowed sync to work for me again, but now that I know of the "preferred", possibly long-term solution (use the country-code-/continent- based domains), I'll gladly use that. |
Is this going to be the "official" resolution when the servers are added back in? If so, I'll just add the country code and avoid any future problems.
I'm not behind a firewall of any sort locally (slaps myself on the hand), and I was having troubles last night. I guess reducing the number of mirrors did it for my ISP's (Comcast) nameserver. If I thought it would do any good, I'd complain to them, but I haven't had any luck asking them anything technical in the past. If I told them that blocking TCP/53 was stopping me from using Linux, their solution would be to use Windows...
I think telling us "tough luck, complain to your ISP" would be a Bad Thing... Seems like there are a number of people that have this problem, and it'd probably turn them off from using Gentoo if they couldn't sync. Telling new users to find a new ISP would certainly slow down the growth of Gentoo. |
|
| Back to top |
|
|
axxackall
l33t
Joined: 06 Nov 2002
Posts: 651
Location: Toronto, Ontario, 3rd Rock From Sun
|
| Posted: Tue Mar 11, 2003 4:41 am Post subject: |
|
|
Adding the country code to SYNC variable worked for me. Although I don't understand, why so much of fighting instead of extending the functionality of mirrorselct by handling the mirror setting also for rsync (in addition to setting of mirrors for downloading as mirrorselect is already doing today).
Of course I expect such patch for mirrorselect from rsync sysadmins, unless they still insist that the problem is on the client side and we users should do it ourself. |
|
| Back to top |
|
|
aja
l33t
Joined: 26 Aug 2002
Posts: 705
Location: Edmonton, Canada
|
| Posted: Tue Mar 11, 2003 7:23 am Post subject: |
|
|
| axxackall wrote: |
Of course I expect such patch for mirrorselect from rsync sysadmins, unless they still insist that the problem is on the client side and we users should do it ourself. |
(1) I should clarify (as one of those insisting that the problem is on the client side) that I am not in any way involved with or have responsibility for administration of said servers.
(2) The problem IS on the client-side. The gentoo servers are returning valid (according to RFC1035) DNS query responses. If they are being blocked by systems downstream, that is a client-side problem. Lambasting the site admins for stating what is the truth and implying they have incompetently configured their servers is, I think, counter-productive.
(3) That being said, I think the question is whether (given that this client-side problem seems common) alternative solutions should be considered. I expect that they will, given the history that gentoo, its developers and community have shown toward supporting one another. But this (if it happens) won't be fixing a mistake the admins made - this will be the admins finding a way to help people burdened with ISPs or firewall policies that block properly configured responses - and they should be appluaded. |
|
| Back to top |
|
|
batty-work
n00b
Joined: 19 Feb 2003
Posts: 5
Location: Northampton
|
| Posted: Tue Mar 11, 2003 8:17 am Post subject: |
|
|
I completely agree that the Sys Admins will be helping the rest of us out of a hole (ISP's blocking TCP/53).
Though I may be biased cos I'm a sys admin myself.
I hadn't realised the UDP DNS query spilled over into TCP. I will be having a word with my ISP shortly. I'll let people know if I have any luck.
I think a feature improvement to extend the use of mirrorselect would be a benefit.
_________________
Cheers!
Batty:)
Do not meddle in the affairs of sysadmins, for they are subtle and quick to anger. |
|
| Back to top |
|
|
klieber
Bodhisattva
Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA
|
| Posted: Tue Mar 11, 2003 10:13 am Post subject: |
|
|
| perry wrote: | | Is this going to be the "official" resolution when the servers are added back in? If so, I'll just add the country code and avoid any future problems. |
We don't know what the "official" solution is just yet, simply because we're still exploring options. However, we do plan to continue supporting and extending the country-code and continent-code feautures of the rsync.gentoo.org round robin system, so this isn't just a quick hack.
--kurt
_________________
The problem with political jokes is that they get elected |
|
| Back to top |
|
|
DaFire
n00b
Joined: 07 Nov 2002
Posts: 25
|
| Posted: Tue Mar 11, 2003 10:42 am Post subject: |
|
|
It was definitly not a firewall issue.
I had no problems resolving other host... just this rsync.gentoo.org could not get resolved.
why should changing the dns server in resolv.conf to an other dns server in the net fix an firewall issue ??
I guess it was a server problem since about 6 or 7 ebuild scripts i got during the upade were corruped ( missing brackets in the last line etc.) |
|
| Back to top |
|
|
klieber
Bodhisattva
Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA
|
| Posted: Tue Mar 11, 2003 1:24 pm Post subject: |
|
|
| DaFire wrote: | | I had no problems resolving other host... just this rsync.gentoo.org could not get resolved. |
And I'm willing to bet that all other *.gentoo.org domain names also resolved just fine, too?
| DaFire wrote: | | why should changing the dns server in resolv.conf to an other dns server in the net fix an firewall issue ?? |
Because something between you and the original DNS server was blocking TCP/53 packets from reaching your computer.
| DaFire wrote: | | I guess it was a server problem since about 6 or 7 ebuild scripts i got during the upade were corruped ( missing brackets in the last line etc.) |
Guys, it really isn't a question of what caused the problem. We know what caused the problem. Ever since I reduced the number of servers in the rotation to get it under the 512 byte max UDP packet size, the problem has disappeared. If I add them back in, the problem will reappear.
Folks -- if you want to continue speculating on what's already happened, then go ahead. However, what would be (much) more beneficial to *everyone* is if we can instead focus our efforts on finding a scalable solution.
--kurt
_________________
The problem with political jokes is that they get elected |
|
| Back to top |
|
|
klieber
Bodhisattva
Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA
|
| Posted: Tue Mar 11, 2003 1:42 pm Post subject: |
|
|
OK, I've been doing some testing related to various solutions. In an effort to put this whole "what caused the problem???" issue to rest, I invite people who were experiencing the problem before to try the following: (note: you need the bind-tools package emerged on your system in order for 'host' to work)
| Code: | | host rsync.gentoo.org |
I'm willing to bet this will work just fine for everyone out there.
Now, try:
| Code: | | host toobig.testing.gentoo.org |
I'm willing to bet that anyone who noticed the problem before with rsync.gentoo.org will now notice the same problem with this name. (obviously, make sure you're using the same DNS server, firewall settings, etc. as you were when you had the problem with rsync.gentoo.org
Can we put this issue to rest now and focus on the solution?
--kurt
_________________
The problem with political jokes is that they get elected |
|
| Back to top |
|
|
perry
Tux's lil' helper
Joined: 18 Nov 2002
Posts: 142
Location: Cornfields of Indiana
|
| Posted: Tue Mar 11, 2003 11:56 pm Post subject: |
|
|
| klieber wrote: | | I'm willing to bet that anyone who noticed the problem before with rsync.gentoo.org will now notice the same problem with this name. (obviously, make sure you're using the same DNS server, firewall settings, etc. as you were when you had the problem with rsync.gentoo.org |
You're right. rsync.gentoo.org works just fine, toobig fails w/ the same error that I was getting before.
| Code: | perry@localhost perry $ host toobig.testing.gentoo.org
;; Truncated, retrying in TCP mode.
;; connection timed out; no servers could be reached
|
|
|
| Back to top |
|
|
plate
Bodhisattva
Joined: 25 Jul 2002
Posts: 1663
Location: Berlin
|
| Posted: Wed Mar 12, 2003 1:05 am Post subject: |
|
|
Yes. He knew that. 
Possible solution, but be very aware that I'm completely in the dark about how to implement this: Couldn't you create a cascading resolution scheme? rsync.gentoo.org points to rsync[1-5].gentoo.org or rsync.[continent].gentoo.org, which in turn point to a list of selected actual mirrors? The round-robin would still get to see them all, but doesn't blow out of proportion on the first resolution attempt. |
|
| Back to top |
|
|
klieber
Bodhisattva
Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA
|
| Posted: Wed Mar 12, 2003 1:39 am Post subject: |
|
|
| plate wrote: | | Possible solution, but be very aware that I'm completely in the dark about how to implement this: Couldn't you create a cascading resolution scheme? rsync.gentoo.org points to rsync[1-5].gentoo.org or rsync.[continent].gentoo.org, which in turn point to a list of selected actual mirrors? The round-robin would still get to see them all, but doesn't blow out of proportion on the first resolution attempt. |
That would be the ideal solution, but it won't work because you can't cascade CNAMES like that -- only A records. (a CNAME is simply a pointer to another domain name. An A record points to an actual IP address)
--kurt
_________________
The problem with political jokes is that they get elected |
|
| Back to top |
|
|
plate
Bodhisattva
Joined: 25 Jul 2002
Posts: 1663
Location: Berlin
|
| Posted: Wed Mar 12, 2003 2:15 am Post subject: |
|
|
Well, nice try, I guess. Hope you're having more promising strokes of genius than me... |
|
| Back to top |
|
|
klieber
Bodhisattva
Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA
|
| Posted: Wed Mar 12, 2003 2:18 am Post subject: |
|
|
| plate wrote: | | Well, nice try, I guess. Hope you're having more promising strokes of genius than me... |
It was a great idea and one that I've been frantically trying to find a way to make it work. unfortunately, I haven't had any luck so far...
Anyway, I do appreciate the ideas and suggestions --- that's what I'm hoping to get from this thread.
--kurt
_________________
The problem with political jokes is that they get elected |
|
| Back to top |
|
|
aja
l33t
Joined: 26 Aug 2002
Posts: 705
Location: Edmonton, Canada
|
| Posted: Thu Mar 13, 2003 3:39 pm Post subject: |
|
|
Is there a potential client-side solution?
What about the upthread suggestion to modify mirrorselect (axxackall, I think)?
Is there a way to use individual computer's localization settings (timezone?) to set a server (that might then round-robin a subset of the servers)?
Is my ignorance showing? |
|
| Back to top |
|
|
vericgar
Retired Dev
Joined: 13 Dec 2002
Posts: 79
Location: Spokane, WA
|
| Posted: Thu Mar 13, 2003 4:40 pm Post subject: |
|
|
ok, I hate to start this flame war, but what about migrating the rsync.gentoo.org nameservers to djbdns? when using a large round robin DNS it randomly chooses 8 of the servers and returns them in the UDP response. the next request will be another randomly generated 8 of the servers.
_________________
+~+ Sometimes a good ole loving kick is all it needs +~+ |
|
| Back to top |
|
|
klieber
Bodhisattva
Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA
|
| Posted: Thu Mar 13, 2003 4:51 pm Post subject: |
|
|
| aja wrote: | | What about the upthread suggestion to modify mirrorselect (axxackall, I think)? |
Well, mirrorselect still has to get the information from somewhere. We could have it retrieve the info via http (like it does now for distfile mirrors) but then we have to come up with an http distribution system that is as robust and scalable as DNS is. Currently, we don't have one.
| aja wrote: | | Is there a way to use individual computer's localization settings (timezone?) to set a server (that might then round-robin a subset of the servers)? |
Yes -- that's one of the proposed solutions. It would solve the issue entirely, but it would mitigate it to some extent.
It's important to note that much of the data surrounding the rsync mirrors *has* to be controlled server-side. Otherwise, we'd just drop a text file in the portage tree and have portage use that to randomly select from. However, when an rsync mirror goes bad (now there's a book title for you), we have to have a quick way to pull it out of the rotation. Right now, we can control that via a low TTL on the rsync.gentoo.org rrset. If the data were to reside client-side, we would have no easy way to yank mirrors out as needed. The net result would be our users would see far more rsync-related problems than they do now.
--kurt
_________________
The problem with political jokes is that they get elected |
|
| Back to top |
|
|
klieber
Bodhisattva
Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA
|
| Posted: Thu Mar 13, 2003 4:53 pm Post subject: |
|
|
| vericgar wrote: | | ok, I hate to start this flame war, but what about migrating the rsync.gentoo.org nameservers to djbdns? when using a large round robin DNS it randomly chooses 8 of the servers and returns them in the UDP response. the next request will be another randomly generated 8 of the servers. |
This is also one of the proposed solutions and it's what we'll do if we can't find another, better solution. The main disadvantage of this solution is that it locks us into one name server and *all* our secondaries must be running it as well. Right now, that's not the case and, since we don't control all of our own secondaries, it would be a bit of a headache to implement.
--kurt
_________________
The problem with political jokes is that they get elected |
|
| Back to top |
|
|
aja
l33t
Joined: 26 Aug 2002
Posts: 705
Location: Edmonton, Canada
|
| Posted: Thu Mar 13, 2003 5:29 pm Post subject: |
|
|
| klieber wrote: |
It's important to note that much of the data surrounding the rsync mirrors *has* to be controlled server-side. Otherwise, we'd just drop a text file in the portage tree and have portage use that to randomly select from. However, when an rsync mirror goes bad (now there's a book title for you), we have to have a quick way to pull it out of the rotation. Right now, we can control that via a low TTL on the rsync.gentoo.org rrset. If the data were to reside client-side, we would have no easy way to yank mirrors out as needed. The net result would be our users would see far more rsync-related problems than they do now.
|
Very good point, and one I hadn't fully considered.
Does anyone know of other organizations employing a large number of mirror servers on one Domain Name? Have they implemented solutions to this problem that we should consider? (I'm thinking along the lines of a load-balancing or virtual server package).
PS: How about "Bad rsync servers and the sysadmins who love them...." |
|
| Back to top |
|
|
FarcePest
n00b
Joined: 27 Jan 2003
Posts: 10
Location: Georgia, US
|
| Posted: Mon Mar 17, 2003 7:00 pm Post subject: |
|
|
| klieber wrote: | | vericgar wrote: | | ok, I hate to start this flame war, but what about migrating the rsync.gentoo.org nameservers to djbdns? when using a large round robin DNS it randomly chooses 8 of the servers and returns them in the UDP response. the next request will be another randomly generated 8 of the servers. |
This is also one of the proposed solutions and it's what we'll do if we can't find another, better solution. The main disadvantage of this solution is that it locks us into one name server and *all* our secondaries must be running it as well. Right now, that's not the case and, since we don't control all of our own secondaries, it would be a bit of a headache to implement.
--kurt |
You can delegate rsync.gentoo.org to a different set of servers if you don't want to migrate the entire gentoo.org domain to tinydns (from djbdns). I.e. add some NS records for rsync.gentoo.org that point to another set of servers. tinydns uses about 1.5 MB virtual and 300 KB resident, so the mirrors themselves could double as nameservers. And then you *could* have the zone information in the portage tree, and the mirrors themselves would use it in their DNS server. Or they could pull it by HTTP. It's not particularly sensitive information, so there's no need to have access restrictions. |
|
| Back to top |
|
|
tore-
n00b
Joined: 30 Sep 2002
Posts: 32
|
| Posted: Thu Mar 20, 2003 2:56 pm Post subject: |
|
|
I've got some problems with this to, i think.
At the boostrap process i get an error with the gcc-3.2.2(?) pack.
Im using 1.3_rc3 stage1, i have'nt access to a full error msg right now but is this error related to this problem? |
|
| Back to top |
|
|
klieber
Bodhisattva
Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA
|
| Posted: Thu Mar 20, 2003 3:01 pm Post subject: |
|
|
| tore- wrote: | I've got some problems with this to, i think.
At the boostrap process i get an error with the gcc-3.2.2(?) pack.
Im using 1.3_rc3 stage1, i have'nt access to a full error msg right now but is this error related to this problem? |
Well, you didn't post the error, so it's impossible to say for sure. However, the rsync issue is resolved at the moment, so I doubt very much it's causing the problem you're seeing.
--kurt
_________________
The problem with political jokes is that they get elected |
|
| Back to top |
|
|
co-D
n00b
Joined: 19 Mar 2003
Posts: 16
|
| Posted: Tue Apr 22, 2003 11:19 am Post subject: My same problem solved |
|
|
..after installing iptables, emerge sync would hang on the first line longer than i cared to find out,,, and i noticed it worked fine when i turned the firewall off.
after it not working today, i tried dmesg and i noticed DPT=873 blocked, opening that TCP port and trying emerge sync once again worked for me. |
|
| Back to top |
|
|
|
Portage & Programming
