Received: from mx1.tetrasec.net (mx1.tetrasec.net [66.245.176.36])
	by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id 4E43D781AEB
	for <~alpine/devel@lists.alpinelinux.org>; Fri, 27 Mar 2020 15:13:42 +0000 (UTC)
Received: from mx1.tetrasec.net (mail.local [127.0.0.1])
	by mx1.tetrasec.net (Postfix) with ESMTP id 49BBC61CBD;
	Fri, 27 Mar 2020 15:13:41 +0000 (UTC)
Received: from ncopa-desktop.copa.dup.pw (67.63.200.37.customer.cdi.no [37.200.63.67])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	(Authenticated sender: alpine@tanael.org)
	by mx1.tetrasec.net (Postfix) with ESMTPSA id D14F961CBC;
	Fri, 27 Mar 2020 15:13:39 +0000 (UTC)
Date: Fri, 27 Mar 2020 16:13:29 +0100
From: Natanael Copa <ncopa@alpinelinux.org>
To: Duncan Bellamy <a.16bit.sysop@me.com>
Cc: Alpine develmopment <~alpine/devel@lists.alpinelinux.org>
Subject: Re: DNS resolvers and root hints
Message-ID: <20200327161329.6ff931bb@ncopa-desktop.copa.dup.pw>
In-Reply-To: <8827C016-685C-4307-8339-45B5F12E5479@me.com>
References: <20200326124654.1352edb8@ncopa-desktop.copa.dup.pw>
	<8827C016-685C-4307-8339-45B5F12E5479@me.com>
X-Mailer: Claws Mail 3.17.5 (GTK+ 2.24.32; x86_64-alpine-linux-musl)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Thu, 26 Mar 2020 18:58:41 +0000
Duncan Bellamy <a.16bit.sysop@me.com> wrote:

> Hi
> I volunteer to be a maintainer for number 3 if that is chosen. 

That is great. Personally I think option 3 would be the most convenient
for end users. It is not much work but it needs to be done every 6
months or so, and can be scripted. Could for example have a script to
create an MR or similar.

-nc

> 
> > On 26 Mar 2020, at 11:46, Natanael Copa <ncopa@alpinelinux.org>
> > wrote:
> > 
> > Hi!
> > 
> > We got a request[1] to remove dns-root-hints package, which has
> > been a source of controversy in the past.
> > 
> > The problem is that a DNS resolver needs the root hints to resolve
> > and this data is not static, it changes over time. To fetch the
> > updated root.hints you need an old version of it (eg it is a boot
> > strap problem), so we ship a copy of root hints with our resolvers.
> > 
> > [1]: https://gitlab.alpinelinux.org/alpine/aports/issues/11324
> > 
> > There are two problems with this: The root.hints gets outdated and
> > need to be maintained. We have been rightfully critizised for not
> > maintain this well in the past. To solve this we provide a
> > maintenance cron job that fetches it regularily. This leads to the
> > second problem: Maintenance script requires gnupg to verify
> > signature, so it introduces a big dependency chain for the
> > resolvers.
> > 
> > As I see we have the following options:
> > 
> > 1) keep things as it currently is, provide a shared dns-root-hints
> > with update script/cronjob.
> > Pros:
> >  - resolvers work out of the box, inclusive maintenance
> >  - relatively low maintance for us. we only need keep the version in
> >    git master updated. (update one branch once every 6 months)
> > Cons:
> >  - we have gnupg dependency for all resolvers, which may not be
> > needed for everyone.
> >  - non trivial to remove gnupg if update script is not needed/used
> > 
> > 
> > 
> > 2) keep dns-root-hints as optional package, but remove the hard
> > dependency of it Pros:
> >  - relatively low maintenance for us. we only need update git master
> >    every six months.
> >  - give flexibility to use own solution or use the dns-roots-hits
> >    solution from alpine repos.
> > Cons:
> >  - resolvers may not work out of the box and users may need to
> >    explicitly install the extra  dns-root-hints package. This needs
> > to be documented.
> >  - we still need to maintain the optional dns-root-hints package.
> >  - DNS resolving may break for users when they upgrade
> > 
> > 
> > 
> > 3) keep dns-root-hints but exclude the update script
> > Pros:
> >  - resolvers will work out of the box
> >  - we get rid of gnupg dependency
> >  - backwards compatible. upgrades will not break anything
> > Cons:
> >  - more maintenance on us. we may need update the package every 6
> >    months for our 5 maintained git branches. (master + 4 x
> > 3.*-stable)
> > 
> > 
> > 
> > 4) remove dns-root-hints and let user deal with it.
> > Pros:
> >  - saves us for lots of work
> > Cons:
> >  - resolvers will probably not work out of the box (at least unbound
> >    ships with an internal root.hints so I think unbound will work)
> >  - inconvenient for users who will have to write their own
> >  - DNS resolving may break for users when they upgrade
> > 
> > 
> > 
> > Do we have other options?
> > 
> > What do you think we should do?
> > 
> > Are there any volunteers to do maintenance (for option 3)?
> > 
> > 
> > -nc  
>