Skip EDNS Cookies in the packet cache #8993
Conversation
|
|
||
| if (!skip) { | ||
| /* hash the option code, length and content */ | ||
| currentHash = burtle(reinterpret_cast<const unsigned char*>(&packet.at(pos)), 4 + optionLen, currentHash); |
There was a problem hiding this comment.
An option having the same opcode but different length does not hash the same.
If options are variable length, this would miss some cache hits. But I guess that's ok, since the equality test also does considers them inequal. Actually, do variable length options exist?
They do exist, e.g. subnet IPv4 vs ECS IPv6, but those should never compare equal. So this is all good.
There was a problem hiding this comment.
Yes, it was intended for options with the same opcode but different lengths to compare differently, as the content simply can't be the same. That might change, however, if/when we decide to skip EDNS padding in queries. I guess we would need to special case the EDNS padding option to skip the size of the content.
There was a problem hiding this comment.
I wonder if it would make sense to skip the length of all options right now. It would make sense for EDNS padding and would also mean that we would fully ignore the content of EDNS Client Subnet options, including the size of the source, which seems like a win when we really do want to ignore ECS.
There was a problem hiding this comment.
That might actually be an issue for ECS source zero 1, which is a way for the client to ask that no EDNS value be sent to authoritative servers. So we don't want to ignore that one, I guess..
rgacogne
force-pushed
the
packetcache-cookies
branch
from
b632bfb to
52f89b6
Compare
|
Pushed a few changes:
I had to rebase but the first two commits are unchanged (up to and excluding "Make conversion to uint16_t explicit, as suggested by Otto"). |
|
Hi, for the time being (and hopefully going forward), pdns master is running the check-spelling action. In order to avoid a ❌ when merged jsoref@03669c0#commitcomment-39229219, please see jsoref@03669c0#commitcomment-39229308 -- you'll need to rebase onto |
rgacogne
force-pushed
the
packetcache-cookies
branch
from
52f89b6 to
4ee81eb
Compare
|
Rebased to fix conflicts. |
rgacogne
force-pushed
the
packetcache-cookies
branch
from
4ee81eb to
4c0b1e2
Compare
|
Rebased to fix a conflict. |
|
I'll try to do more performance testing of this PR then the numbers look good I'd like to get it merged, since it might have a very nice impact on our packet cache hit ratio. |
|
I've done a fair number of tests, and for all products there does not seem to be any measurable slowdown when there is no EDNS options present (or no EDNS at all). As expected there is a small slowdown when EDNS options are present (it doesn't seem noticeable in the rec when only one option is present, since we were already looking for ECS), I measured around 7% when three EDNS options are present. On dnsdist this is completely eclipsed by the gains from #9420. |
Detected by OSS-Fuzz. Also make sure that we don't try to parse packets smaller than 12 bytes in the fuzzing target, those are usually dropped earlier.
rgacogne
force-pushed
the
packetcache-cookies
branch
from
4c0b1e2 to
3e35ea9
Compare
|
Thanks Otto! I guess I'll merge this PR once an "auth-4.4.x" branch has been created, then :-) |
I am fine with this for auth 4.4.0. I did not review the code, though. |
Short description
This PR changes how our packet caches operate with regard to EDNS Cookies:
cookieHashing=trueto thenewPacketCache()function. Doing so is needed if at least one of the backend return responses containing EDNS cookies. EDNS Client Subnet values are still hashed ;This PR could use a serious review (or several :)) and should not be merged lightly!
Fixes #5131.
Checklist
I have: