From: Natanael Copa
To: Alpine development <~alpine/devel@lists.alpinelinux.org>
Subject: DNS resolvers and root hints
Date: Thu, 26 Mar 2020 12:46:54 +0100
Message-ID: <20200326124654.1352edb8@ncopa-desktop.copa.dup.pw>

Hi!

We got a request[1] to remove the dns-root-hints package, which has been a source of controversy in the past.

The problem is that a DNS resolver needs the root hints to resolve, and this data is not static; it changes over time. To fetch the updated root.hints you need an old version of it (e.g. it is a bootstrap problem), so we ship a copy of root hints with our resolvers.

[1]: https://gitlab.alpinelinux.org/alpine/aports/issues/11324

There are two problems with this:

The root.hints gets outdated and needs to be maintained. We have been rightfully criticised for not maintaining this well in the past. To solve this we provide a maintenance cron job that fetches it regularly.

This leads to the second problem: the maintenance script requires gnupg to verify the signature, so it introduces a big dependency chain for the resolvers.

As I see it, we have the following options:

1) keep things as they currently are, provide a shared dns-root-hints with update script/cronjob.

Pros:
- resolvers work out of the box, including maintenance
- relatively low maintenance for us. we only need to keep the version in git master updated. (update one branch once every 6 months)

Cons:
- we have a gnupg dependency for all resolvers, which may not be needed for everyone.
- non-trivial to remove gnupg if the update script is not needed/used

2) keep dns-root-hints as an optional package, but remove the hard dependency on it

Pros:
- relatively low maintenance for us. we only need to update git master every six months.
- gives flexibility to use your own solution or use the dns-root-hints solution from the alpine repos.

Cons:
- resolvers may not work out of the box and users may need to explicitly install the extra dns-root-hints package. This needs to be documented.
- we still need to maintain the optional dns-root-hints package.
- DNS resolving may break for users when they upgrade

3) keep dns-root-hints but exclude the update script

Pros:
- resolvers will work out of the box
- we get rid of the gnupg dependency
- backwards compatible. upgrades will not break anything

Cons:
- more maintenance for us. we may need to update the package every 6 months for our 5 maintained git branches. (master + 4 x 3.*-stable)

4) remove dns-root-hints and let the user deal with it.

Pros:
- saves us lots of work

Cons:
- resolvers will probably not work out of the box (at least unbound ships with an internal root.hints so I think unbound will work)
- inconvenient for users who will have to write their own
- DNS resolving may break for users when they upgrade

Do we have other options? What do you think we should do?

Are there any volunteers to do maintenance (for option 3)?

-nc
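Whichever option is chosen, a freshly fetched root.hints should be sanity-checked before it replaces the copy a resolver is using: a truncated or mis-parsed file leaves the resolver with no root servers at all, and "the data changes over time" is exactly the case an update script needs to handle. The following script is an added example, not code from the original message or from Alpine's dns-root-hints package or its update script. It parses the named.root zone-file layout, checks that every root NS has A/AAAA glue, and reports which addresses changed between the shipped and the fetched file. The sample data is constructed to mimic that layout; the addresses are illustrative. This content check is a complement to, not a replacement for, verifying the file's signature (which is what the gnupg dependency in the update script is for).

```python
"""Content check for a root hints file (InterNIC named.root layout).

Added example, not part of Alpine's dns-root-hints package. Constructed
sample data below; addresses are illustrative, not an authoritative list.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class RootHints:
    ns: set[str] = field(default_factory=set)          # NS targets for "."
    a: dict[str, set[str]] = field(default_factory=dict)     # name -> IPv4 glue
    aaaa: dict[str, set[str]] = field(default_factory=dict)  # name -> IPv6 glue


def parse_root_hints(text: str) -> RootHints:
    """Parse 'owner ttl [IN] type rdata' lines; raise ValueError on anything odd."""
    hints = RootHints()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        if not line:
            continue
        fields = line.split()
        owner = fields[0].lower()
        rest = [f for f in fields[1:] if f.upper() != "IN"]  # class is optional
        if len(rest) != 3:
            raise ValueError(f"unparseable root hints line: {raw!r}")
        ttl, rtype, rdata = rest
        if not ttl.isdigit():
            raise ValueError(f"bad TTL in root hints line: {raw!r}")
        rtype = rtype.upper()
        if rtype == "NS":
            if owner != ".":
                raise ValueError(f"NS record for {owner}, expected the root zone")
            hints.ns.add(rdata.lower())
        elif rtype == "A":      # IPv4Address raises ValueError on garbage
            hints.a.setdefault(owner, set()).add(str(ipaddress.IPv4Address(rdata)))
        elif rtype == "AAAA":
            hints.aaaa.setdefault(owner, set()).add(str(ipaddress.IPv6Address(rdata)))
        else:
            raise ValueError(f"unexpected record type {rtype} in root hints")
    return hints


def validate(hints: RootHints, min_servers: int = 2) -> list[str]:
    """Return a list of problems; an empty list means the file is usable."""
    problems: list[str] = []
    if len(hints.ns) < min_servers:
        problems.append(f"only {len(hints.ns)} root NS records, expected >= {min_servers}")
    for name in sorted(hints.ns):
        if not hints.a.get(name) and not hints.aaaa.get(name):
            problems.append(f"{name} is listed as a root server but has no A/AAAA glue")
    for name in sorted(set(hints.a) | set(hints.aaaa)):
        if name not in hints.ns:
            problems.append(f"glue for {name} but it is not listed as a root NS")
    return problems


def diff_hints(old: RootHints, new: RootHints) -> dict[str, dict[str, list[str]]]:
    """Per server, which glue addresses were removed/added between two files."""
    changed: dict[str, dict[str, list[str]]] = {}
    for name in sorted(old.ns | new.ns):
        before = old.a.get(name, set()) | old.aaaa.get(name, set())
        after = new.a.get(name, set()) | new.aaaa.get(name, set())
        if before != after:
            changed[name] = {"removed": sorted(before - after), "added": sorted(after - before)}
    return changed


# Constructed samples in the named.root layout (illustrative addresses).
SHIPPED = """\
;  the copy shipped with the package
.                        3600000      NS    A.ROOT-SERVERS.NET.
.                        3600000      NS    B.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:84::b
"""

FETCHED = """\
;  a later download: B has been renumbered
.                        3600000      NS    A.ROOT-SERVERS.NET.
.                        3600000      NS    B.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
"""

# A download that lists a server without glue: must not be installed.
FETCHED_BAD = FETCHED + ".                        3600000      NS    C.ROOT-SERVERS.NET.\n"

if __name__ == "__main__":
    old, new = parse_root_hints(SHIPPED), parse_root_hints(FETCHED)
    print("problems in fetched file:", validate(new) or "none")
    print("changes vs shipped copy:", diff_hints(old, new))
    print("problems in bad file:", validate(parse_root_hints(FETCHED_BAD)))
```

In an update script, the intended order is: download the file and its detached signature, verify the signature, run a check like `validate()` on the content, and only then atomically rename it over the installed copy; if any step fails, the old (possibly stale but still working) root.hints stays in place.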