Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added SOA configuration for DNS settings. #4714

Merged
merged 8 commits into from
Oct 10, 2018

Conversation

pierresouchay
Copy link
Contributor

@pierresouchay pierresouchay commented Sep 26, 2018

This will allow to fine TUNE SOA settings sent by Consul in DNS responses,
for instance to be able to control negative ttl.

Will fix: #4713

Example

Override all settings:

  • min_ttl: 0 => 60s
  • retry: 600 (10m) => 300s (5 minutes),
  • expire: 86400 (24h) => 43200 (12h)
  • refresh: 3600 (1h) => 1800 (30 minutes)
consul agent -dev -hcl 'dns_config={soa={min_ttl=60,retry=300,expire=43200,refresh=1800}}'

Result:

dig +multiline @localhost -p 8600 service.consul

; <<>> DiG 9.12.1 <<>> +multiline @localhost -p 8600 service.consul
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36557
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;service.consul.		IN A

;; AUTHORITY SECTION:
consul.			0 IN SOA ns.consul. hostmaster.consul. (
				1537959133 ; serial
				1800       ; refresh (30 minutes)
				300        ; retry (5 minutes)
				43200      ; expire (12 hours)
				60         ; minimum (1 minute)
				)

;; Query time: 4 msec
;; SERVER: 127.0.0.1#8600(127.0.0.1)
;; WHEN: Wed Sep 26 12:52:13 CEST 2018
;; MSG SIZE  rcvd: 93

This will allow to fine TUNE SOA settings sent by Consul in DNS responses,
for instance to be able to control negative ttl.
@wdauchy
Copy link

wdauchy commented Sep 28, 2018

👍 being able to control negative TTL is super crucial when it comes to a user requesting over and over the same bad entry. It would help to protect our consul servers against that kind of behavior.

@pierresouchay
Copy link
Contributor Author

@mkeeler that would really improve our situation to allow controlling this, and this is not very intrusive, we currently have a real situation in one of our clusters and this would really help

@mkeeler mkeeler requested a review from a team October 5, 2018 18:20
Copy link
Member

@mkeeler mkeeler left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pierresouchay Looks great. Just the two minor updates to the documentation but when those are in I can go ahead and merge this.

website/source/docs/agent/options.html.md Outdated Show resolved Hide resolved
website/source/docs/guides/dns-cache.html.md Outdated Show resolved Hide resolved
@pierresouchay
Copy link
Contributor Author

@mkeeler all DONE

@mkeeler
Copy link
Member

mkeeler commented Oct 5, 2018

@pierresouchay Just trying to see some travis tests passing before merging this. Hopefully restarting the job will fix it.

@pierresouchay
Copy link
Contributor Author

@mkeeler That's also why I fixed this unit test: 8a16dce -> in order to have passing tests :-) (I cannot retrigger tests myself, hence my new commit)

@pierresouchay
Copy link
Contributor Author

@mkeeler If you are in the mood for DNS, there is also this one: #4605 :-)

@pierresouchay
Copy link
Contributor Author

@mkeeler We are good now, Bonus: Yet Another Unstable Unit Test Fixed :-)

On DNS recursors, the min-ttl is gonna be invalidated if SOA is invalided.
Thus, we have to ensure the SOA TTL is the same as the minimum TTL,
otherwise the SOA is purged after 0 seconds and also the negative TTL.

This change does not change anything to default Consul settings and
will apply ONLY to SOA TTL.
@pierresouchay
Copy link
Contributor Author

pierresouchay commented Oct 9, 2018

@wdauchy @pearkes @mkeeler Impact of the patch on our preprod cluster (mainly non-existing AAAA records are not constantly queried) on a given service (those are RPC per second on servers) with a min_ttl = 30s:

screen shot 2018-10-09 at 14 13 32

And here is the impact on bandwidth of DNS recursor following queries on Consul (just as a reminer, this is a "small" cluster of preprod, only with less than 1k nodes:

screen shot 2018-10-09 at 14 24 49

@mkeeler mkeeler added this to the 1.3.0 milestone Oct 9, 2018
Copy link
Member

@banks banks left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

Will merge this soon once f-envoy feature branch is merged assuming it's all clean.

@mkeeler mkeeler merged commit 251156e into hashicorp:master Oct 10, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[DNS] Allow DNS SOA settings in Consul
4 participants