]> git.ipfire.org Git - thirdparty/systemd.git/commit
projects / thirdparty / systemd.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 0128561) | patch
resolved: don't request the SOA for every dns label
authorRonan Pigott <ronan@rjp.ie>
Mon, 18 Mar 2024 01:02:22 +0000 (18:02 -0700)
committerRonan Pigott <ronan@rjp.ie>
Mon, 18 Mar 2024 22:10:07 +0000 (15:10 -0700)
commit47690634f157150e7b69c832d1f2d64d18b3f124
tree891b0295d0bf39adb8508e77c6ae0afec55016f1tree | snapshot
parent01285611b0f9ed9e2a0fc3e9e43d9c06b7fa6781commit | diff
resolved: don't request the SOA for every dns label

When validating insecure delegations we don't actually need to request
the SOA for every single dns label. We need the DS records for the zone,
and we can seek them by querying for DS directly (in case we are at a
zone cut) and then following the SOA referrals or the parent name until
we have found a chain of trust.

Extra transactions and roundtrips, especially transactions for RRs that
aren't actually needed to validate and therefore aren't likely to be in
the recursive resolver's own cache are a big slowdown during validation.

Consequently, this change results in an enourmous speed up in validating
most names from our own cold-cache (10x or more), by eliminating a large
number of superfluous dnssec transactions.
src/resolve/resolved-dns-transaction.c diff | blob | blame | history
Unnamed repository; edit this file 'description' to name the repository.