Ævar Arnfjörð Bjarmason wrote:
On Mon, Feb 18, 2019 at 5:18 PM Howard Chu hyc@symas.com wrote:
avarab@gmail.com wrote:
Full_Name: Ævar Arnfjörð Bjarmason
Version: 2.4.44-21
OS: CentOS 7.6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (5.57.21.154)
On a setup where you have a blackholed DNS server:
$ grep ^name /etc/resolv.conf
nameserver 1.2.3.4
Running e.g.:
$ time ldapsearch -l 2 -o nettimeout=1 [...]
Will (on my system) eventually return:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
real    0m24.039s
user    0m0.004s
sys     0m0.007s
It'll take around 48 seconds if I have two DNS servers. Running strace(1) on it reveals that it's sitting in a socket/connect/poll loop trying to lookup the hostname of the LDAP server I'm trying to talk to.
Instead one of these options should limit time spent on DNS lookups, or there should be another option, so that you can run ldapsearch with a combination of these options and be sure that it'll run in at most the <timeout> you give it.
The current code in libldap uses gethostbyname() and this API doesn't offer any parameters for setting a timeout. You can configure a timeout in your system's /etc/resolv.conf or using RES_OPTIONS environment variable. Read your system's resolver(5) manpage.
If you know of any widely available resolver API that allows specifying a timeout on individual queries, you're welcome to submit a patch supporting this feature. The standard -lresolv doesn't provide such an interface.
That resolv.conf had "options timeout:2". That it didn't kick in is probably a bug somewhere else, but it would still be handy if ldapsearch had this itself, since the timeout you use for general resolutions might not be what you want for ldapsearch.
If all you need is a timeout in the ldapsearch command, wrap it in a script that sets the RES_OPTIONS environment variable.
But implementing that is a mess. This SO post has a summary: https://stackoverflow.com/questions/24403435/socket-hostname-lookup-timeout-how-to-implement-it
So e.g. there could be a probe for getaddrinfo_a() on GNU systems.
Closing this ITS.
Fair enough, but is that a "we don't want this ever" or "if someone submitted a patch for (possibly OS-specific) DNS timeout we'd be interested".
Generally not fond of features that aren't available cross-platform, particularly if that means it can only be tested on a particular OS. I guess for GNU extensions that are easily detected and widely supported it may be OK.
We already use getaddrinfo() if it's available, so adding getaddrinfo_a() may not be too messy.
-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
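The thread's underlying problem is that gethostbyname()/getaddrinfo() block for as long as the system resolver's retry budget allows, and nothing in the standard API lets the caller bound that. The sketch below is an added illustration, not libldap code and not a proposed OpenLDAP patch: it shows the portable shape such a bounded lookup would take on plain POSIX threads (the same idea getaddrinfo_a() implements internally on glibc), so it does not depend on a GNU-only probe. getaddrinfo() runs on a detached thread and the caller waits on a condition variable until a deadline. The caveat it handles is that a lookup stuck on a blackholed nameserver cannot be interrupted, so ownership of the request record is handed to the thread, which frees it when the late answer finally arrives. Function names (resolve_with_timeout, resolve_text) and the return codes are my own.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>

/* One in-flight lookup. Heap-allocated because a resolver call that never
 * returns would otherwise leave the worker thread pointing at a dead stack
 * frame of the caller that gave up on it. */
struct lookup {
    pthread_mutex_t lock;
    pthread_cond_t done;
    char *host;
    struct addrinfo *result;
    int gai_rc;      /* getaddrinfo() return code once finished */
    int finished;    /* set by the worker under lock */
    int abandoned;   /* set by the caller under lock after a timeout */
};

static void lookup_free(struct lookup *l)
{
    if (l->result)
        freeaddrinfo(l->result);
    free(l->host);
    pthread_mutex_destroy(&l->lock);
    pthread_cond_destroy(&l->done);
    free(l);
}

/* Worker: the only place the blocking resolver call is made. */
static void *lookup_worker(void *arg)
{
    struct lookup *l = arg;
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    int rc = getaddrinfo(l->host, NULL, &hints, &res); /* may block for a long time */

    pthread_mutex_lock(&l->lock);
    l->gai_rc = rc;
    l->result = rc == 0 ? res : NULL;
    l->finished = 1;
    int abandoned = l->abandoned;
    pthread_cond_signal(&l->done);
    pthread_mutex_unlock(&l->lock);
    if (abandoned)
        lookup_free(l); /* nobody is waiting any more; discard the late answer */
    return NULL;
}

/* Resolve host within timeout_ms. Returns 0 on success (first address written
 * to addrbuf as text when addrbuf is non-NULL), -1 on resolver failure,
 * -2 when the deadline passed first. Hypothetical API, not libldap's. */
int resolve_with_timeout(const char *host, int timeout_ms, char *addrbuf, size_t addrlen)
{
    struct lookup *l = calloc(1, sizeof *l);
    if (!l)
        return -1;
    l->host = strdup(host);
    if (!l->host) { free(l); return -1; }
    pthread_mutex_init(&l->lock, NULL);
    pthread_cond_init(&l->done, NULL);

    pthread_t tid;
    if (pthread_create(&tid, NULL, lookup_worker, l) != 0) { lookup_free(l); return -1; }
    pthread_detach(tid);

    /* Absolute deadline for pthread_cond_timedwait (CLOCK_REALTIME by default). */
    struct timespec deadline;
    clock_gettime(CLOCK_REALTIME, &deadline);
    deadline.tv_sec += timeout_ms / 1000;
    deadline.tv_nsec += (long)(timeout_ms % 1000) * 1000000L;
    if (deadline.tv_nsec >= 1000000000L) { deadline.tv_sec++; deadline.tv_nsec -= 1000000000L; }

    pthread_mutex_lock(&l->lock);
    int rc = 0;
    while (!l->finished && rc != ETIMEDOUT)
        rc = pthread_cond_timedwait(&l->done, &l->lock, &deadline);
    if (!l->finished) {
        l->abandoned = 1;          /* worker now owns the record and frees it */
        pthread_mutex_unlock(&l->lock);
        return -2;
    }
    pthread_mutex_unlock(&l->lock);

    int ret = -1;
    if (l->gai_rc == 0) {
        struct addrinfo *ai = l->result;
        const void *addr = ai->ai_family == AF_INET
            ? (const void *)&((struct sockaddr_in *)ai->ai_addr)->sin_addr
            : (const void *)&((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr;
        if (addrbuf == NULL || inet_ntop(ai->ai_family, addr, addrbuf, addrlen))
            ret = 0;
    }
    lookup_free(l);
    return ret;
}

/* Convenience wrapper: text form of the first address, or NULL on failure/timeout. */
const char *resolve_text(const char *host, int timeout_ms)
{
    static char buf[INET6_ADDRSTRLEN];
    return resolve_with_timeout(host, timeout_ms, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(int argc, char **argv)
{
    const char *host = argc > 1 ? argv[1] : "127.0.0.1";
    int ms = argc > 2 ? atoi(argv[2]) : 1000;
    char buf[INET6_ADDRSTRLEN];
    int rc = resolve_with_timeout(host, ms, buf, sizeof buf);
    if (rc == 0)       printf("%s\n", buf);
    else if (rc == -2) fprintf(stderr, "lookup of %s exceeded %d ms\n", host, ms);
    else               fprintf(stderr, "lookup of %s failed\n", host);
    return rc == 0 ? 0 : 1;
}
```

Build with `cc -pthread` (older glibc needs it for the link). Note what the bound does and does not buy: the caller gets its answer or a -2 within the deadline, which is exactly what `ldapsearch -l` needs, but the abandoned thread stays blocked until the resolver itself gives up (the 24 s per blackholed nameserver seen above), so in a long-running process repeated timeouts pile up threads until RES_OPTIONS or resolv.conf also lower the resolver's own timeout and attempts.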