graygnuorg / pound

Light-weight reverse proxy, load balancer and HTTPS front-end for Web servers.
GNU General Public License v3.0

[Q] backend with dynamic address #37

Closed beelze closed 1 day ago

beelze commented 3 weeks ago

One of my configurations includes a backend server that may sometimes change its IP address. It is relatively rare (a couple of times a week) but I need to restart pound every time it happens.

I understand that resolving a symbolic server name every time is expensive and in most cases not even needed, but sometimes it may be convenient (low load, "cheap" local resolve). Is there any possibility of marking a backend address as "dynamic"? Or maybe adding an appropriate config directive?

graygnuorg commented 3 weeks ago

That could be done, of course, but it would take some time to be implemented. I'll let you know when I have something tangible to test. In the meantime, you can try the following watchdog. It restarts pound when the host name given as argument changes its IP. The script uses at to schedule its next startup time and rounds it up to the nearest minute, which should be enough for most real-time TTLs. However, it should be easy to modify it to run with second precision as well. It uses systemctl to restart pound; edit it if you use some other command:

```sh
#!/bin/sh
# Usage: watchdog.sh HOST [PREV_IP]
# Re-resolves HOST, restarts pound if its address changed, and re-schedules
# itself with at(1) once the record's TTL (rounded up to a minute) has passed.

host=${1:?usage: $0 HOST [PREV_IP]}
prev=$2

# dig answer lines are: NAME TTL CLASS TYPE DATA; keep the first A or AAAA
# record (for a CNAME, the A/AAAA it points to follows in the same answer).
set -- $(dig +noall +answer "$host" | awk '$4 == "A" || $4 == "AAAA" {print $2 " " $5}' | head -1)
if [ $# -ne 2 ]; then
    echo >&2 "$0: failed to resolve $host"
    exit 1
fi
ttl=$1
addr=$2

# On the very first run $prev is empty: only record the address, no restart.
if [ -n "$prev" ] && [ "$prev" != "$addr" ]; then
    echo >&2 "$0: $host changed IP from $prev to $addr"
    systemctl restart pound
fi
prev=$addr

# Round the TTL up to whole minutes (at(1) has minute granularity); never 0.
n=$(( (ttl + 59) / 60 ))
[ "$n" -gt 0 ] || n=1
echo "$0 $host $prev" | at now + $n minute 2>&1 | \
    sed -e '/^warning: commands will be executed using/d' \
        -e '/^job [0-9][0-9]* at/d'
```

beelze commented 3 weeks ago

Thanks in advance!

graygnuorg commented 2 weeks ago

Please clone and compile the resolver branch. See the file NEWS for detailed instructions on how to compile and use it (so far it is the only documentation on the new features).

Any feedback will be much appreciated.

beelze commented 2 weeks ago

@graygnuorg, undoubtedly you did a lot of brilliant work regarding this issue! I'll test it in a day or two.

One question:

> Dynamic backends will be updated periodically, when the TTL of the corresponding DNS records expires.

What exactly is the corresponding record when a CNAME is involved? I believe A/AAAA?

graygnuorg commented 2 weeks ago

> What exactly is the corresponding record when a CNAME is involved? I believe A/AAAA?

Yes, the A or AAAA it points to.

beelze commented 2 weeks ago

Finally I did some tests. In particular, having Resolve first and

```
pound   IN  CNAME  pound1
pound1  30  IN     A       $addr1
pound2  30  IN     A       $addr2
pound3  30  IN     A       $addr3
```

... and changing pound between poundN. All went fine.

Secondly, having Resolve all and multiple addresses for the pound A record, balancing was OK.

During the tests I discovered that some DNS caches/forwarders can change the TTL. In particular, unbound has a default setting of serve-original-ttl: no, which resulted in it always returning a 2m TTL instead of 30s, and in corresponding delays in the first test. Though using Resolver/ConfigFile with nameserver $authoritative_server_address fixed this, it made me think of use cases where the user is not allowed to change the TTL; maybe having something like a TTLOverride option may help in these cases?

Also, it would be nice to see the actual TTL value with poundctl list, I believe. And again, thanks for your work!
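The two workarounds described above, written out as configuration. This is an added example, not part of this thread or of pound's own documentation: the unbound option is the real serve-original-ttl setting; the pound Resolver/Backend syntax follows the directives named in this thread (ConfigFile, Resolve first) but is otherwise assumed, and every name and address is a constructed placeholder.

```conf
# --- Option A: stop the cache from rewriting TTLs (unbound.conf) ---
# With the default "no" the thread observed a 2m TTL for a 30s record,
# so pound re-resolved four times less often than the zone intended.
server:
    serve-original-ttl: yes

# --- Option B: have pound query the authoritative server directly ---
# /etc/pound/resolv-auth.conf (resolv.conf syntax; placeholder address)
nameserver 192.0.2.53

# pound.cfg (Resolver section syntax assumed; check the NEWS file of the
# resolver branch for the authoritative description)
Resolver
    ConfigFile "/etc/pound/resolv-auth.conf"
End

Service
    Backend
        Address "pound.example.net"   # CNAME -> poundN, A records with TTL 30
        Port 8080
        Resolve first                 # follow the CNAME, use the first A/AAAA
    End
End
```

To confirm which TTL pound will actually see, compare `dig +noall +answer pound.example.net` against the same query sent with `@192.0.2.53`; the TTL column should match the zone (30) in the second case.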

graygnuorg commented 2 weeks ago

Thanks for the feedback!

> But it made me think of use cases where the user is not allowed to change the TTL -- maybe having something like a TTLOverride option may help in these cases?

Yes, that makes sense.

> Also, it would be nice to see the actual TTL value with poundctl list, I believe. And again, thanks for your work!

Ah, I thought about that. The patch will be available soon. I'm currently working on the implementation of SRV-based backends, so perhaps the two will be combined. As usual, I'll let you know when it is available.

graygnuorg commented 1 week ago

Hi. I have finished the SRV implementation and added an expiration timestamp to the poundctl output (TTLOverride is not implemented yet). Please pull and give it a try.

graygnuorg commented 1 day ago

I merged the changes to master.