[Nix-dev] bind root hints

Tim Barbour trb at categorical.net
Sat Oct 19 08:10:52 CEST 2013


Peter Simons writes:
 > personally, I think it's okay to use fetchurl because it guarantees that
 > we notice updates in the cache file.

How will we notice ? When bind fails to install ?

 > The named.cache file does contain a
 > version number (i.e. a date stamp), so we can reliably detect that a
 > checksum change was caused by an upstream update.

You are right, it does. But I was wishing for a version number in the
filename, which would allow us to fetch the file in a referentially
transparent way (as with version numbers in the names of source tarballs).

According to my understanding, once the named.root file is in the store,
fetchurl will get it from there (the store acting as a cache), and will not
check the source; thus even when the source file changes, it will not notice.

I think the change will only be apparent when trying to install bind where the
store does not already contain a *matching* copy of the named.root file. This
will happen if the checksum in the source is not updated, or much worse, when
someone tries to install from an old (e.g. stable) version of the
source. The latter amounts to gratuitous bitrot, and it is the reason why I
think this is the wrong approach. I do not think it can be acceptable for a
package that used to install correctly to stop doing so, just because of a
change in the named.root file.

It would be easy enough to use wget to fetch the file every time preStart
runs, but that would put unnecessary load on the internic.net
server. Furthermore, it would not guarantee changes would be noticed (consider
a stable bind installation that is not restarted for months or years).

The DNS HOWTO (http://www.tldp.org/HOWTO/DNS-HOWTO-8.html) recommends using
dig to get the root hints. Since dig is included with bind, it should be
available by the time preStart runs, so I think we could use dig in preStart
to fetch the root hints each time preStart runs. Unfortunately, that approach
does not provide the version number information (being in a comment, which dig
will not return), but it should still work.

The DNS HOWTO also recommends using a monthly cron job to update the root
hints. I suppose we could arrange for nixos to install such a cron job
automatically whenever bind is installed with rootHints true, but I am not
sure of the right way to do this.

 > Yes, the file should probably be used by default. I don't see much a
 > downside.

Okay, I will make the option default to true. The only downside I can see is
when someone wants a DNS with roots different to the Internet ones. In that
(rare) case, they need to explicitly set the option false.

Tim
---
GPG public key available at: 
	 http://phasechangeit.com/~trb/gpg-key  or 
	 http://subkeys.pgp.net:11371
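The dig-in-preStart idea above, as an added example that is not part of the thread or of the nixpkgs bind expression. It fetches the hints with the dig invocation documented in the BIND ARM, but only replaces the installed named.root after checking that the new file actually names root servers and carries glue for each of them, so a failed or truncated fetch leaves a previously working file in place rather than breaking named at start-up. It also pulls the "related version of root zone" stamp out of an internic-style named.root, which is the version information dig output lacks. The ROOT_HINTS_DEST variable, the temp-file handling and the sample file layouts in the comments are assumptions; the helper functions work offline on any hints file.

```shell
#!/bin/sh
# Added example, not the thread's or nixpkgs' own code. Refresh BIND root hints
# with dig, but never replace a usable hints file with a broken one.
# ROOT_HINTS_DEST (where preStart or a cron job wants the file) is an assumption.
set -eu

# Count NS records for the root zone, ignoring ';' comments and blank lines.
# Accepts both the internic named.root layout (no class column) and dig's
# answer lines (with an IN column) by dropping the class field first.
count_root_ns() {
    awk '/^[ \t]*;/ || NF == 0 { next }
         { sub(/[ \t]+IN[ \t]+/, " ") }
         $1 == "." && $3 == "NS" { n++ }
         END { print n + 0 }' "$1"
}

# A usable hints file has at least one root NS record, and every server it
# names must have an A or AAAA record in the same file; otherwise named
# would be handed hints it cannot reach. Returns 0 when usable, 1 otherwise.
validate_root_hints() {
    awk '/^[ \t]*;/ || NF == 0 { next }
         { sub(/[ \t]+IN[ \t]+/, " ") }
         $1 == "." && $3 == "NS" { want[toupper($4)] = 1; ns++ }
         $3 == "A" || $3 == "AAAA" { have[toupper($1)] = 1 }
         END {
             if (ns == 0) exit 1
             for (n in want) if (!(n in have)) exit 1
             exit 0
         }' "$1"
}

# The internic named.root carries its version in a comment such as
# ";  related version of root zone:  2023081701"; dig output has no such
# line, so this prints the stamp when present and nothing otherwise.
hints_version() {
    sed -n 's/^;[[:space:]]*related version of root zone:[[:space:]]*//p' "$1" | head -n 1
}

# Network step: ask a root server directly (+norec) for the root NS set;
# +bufsize lets the AAAA glue fit in one UDP reply. Needs the dig from bind.
fetch_root_hints() {
    dig +bufsize=1200 +norec NS . @a.root-servers.net > "$1"
}

# Move candidate $1 over installed file $2 only if it validates; a rejected
# candidate is deleted and the old file stays, so named still starts.
install_root_hints() {
    if validate_root_hints "$1"; then
        mv "$1" "$2"
        return 0
    fi
    rm -f "$1"
    return 1
}

# Only touch the network when a destination is given, e.g. from preStart:
#   ROOT_HINTS_DEST=/var/lib/bind/named.root sh update-root-hints.sh
if [ -n "${ROOT_HINTS_DEST:-}" ]; then
    tmp=$(mktemp "${ROOT_HINTS_DEST}.XXXXXX")
    fetch_root_hints "$tmp" || { rm -f "$tmp"; exit 1; }
    install_root_hints "$tmp" "$ROOT_HINTS_DEST"
fi
```

Running the same script from a monthly cron job, as the DNS HOWTO suggests, gives the periodic refresh for long-running installations without putting a fetch on every restart; because the replacement is conditional, a transient failure at the root servers degrades to "keep the old hints" instead of "bind fails to start".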

