From: Duncan Bellamy
To: Natanael Copa
Cc: Alpine development <~alpine/devel@lists.alpinelinux.org>
Subject: Re: DNS resolvers and root hints
Date: Thu, 26 Mar 2020 18:58:41 +0000
Message-Id: <8827C016-685C-4307-8339-45B5F12E5479@me.com>
In-Reply-To: <20200326124654.1352edb8@ncopa-desktop.copa.dup.pw>

Hi, I volunteer to be a maintainer for number 3 if that is chosen.

> On 26 Mar 2020, at 11:46,
> Natanael Copa wrote:
>
> Hi!
>
> We got a request[1] to remove the dns-root-hints package, which has been a
> source of controversy in the past.
>
> The problem is that a DNS resolver needs the root hints to resolve and
> this data is not static, it changes over time. To fetch the updated
> root.hints you need an old version of it (e.g. it is a bootstrap
> problem), so we ship a copy of root hints with our resolvers.
>
> [1]: https://gitlab.alpinelinux.org/alpine/aports/issues/11324
>
> There are two problems with this: The root.hints gets outdated and needs
> to be maintained. We have been rightfully criticised for not maintaining
> this well in the past. To solve this we provide a maintenance cron job
> that fetches it regularly. This leads to the second problem: the
> maintenance script requires gnupg to verify the signature, so it introduces
> a big dependency chain for the resolvers.
>
> As I see it we have the following options:
>
> 1) keep things as they currently are, provide a shared dns-root-hints with
>    update script/cronjob.
> Pros:
> - resolvers work out of the box, inclusive maintenance
> - relatively low maintenance for us. we only need to keep the version in
>   git master updated. (update one branch once every 6 months)
> Cons:
> - we have a gnupg dependency for all resolvers, which may not be needed
>   for everyone.
> - non trivial to remove gnupg if the update script is not needed/used
>
> 2) keep dns-root-hints as an optional package, but remove the hard dependency on it
> Pros:
> - relatively low maintenance for us. we only need to update git master
>   every six months.
> - gives flexibility to use your own solution or use the dns-root-hints
>   solution from the alpine repos.
> Cons:
> - resolvers may not work out of the box and users may need to
>   explicitly install the extra dns-root-hints package. This needs to
>   be documented.
> - we still need to maintain the optional dns-root-hints package.
> - DNS resolving may break for users when they upgrade
>
> 3) keep dns-root-hints but exclude the update script
> Pros:
> - resolvers will work out of the box
> - we get rid of the gnupg dependency
> - backwards compatible. upgrades will not break anything
> Cons:
> - more maintenance on us. we may need to update the package every 6
>   months for our 5 maintained git branches. (master + 4 x 3.*-stable)
>
> 4) remove dns-root-hints and let the user deal with it.
> Pros:
> - saves us lots of work
> Cons:
> - resolvers will probably not work out of the box (at least unbound
>   ships with an internal root.hints so I think unbound will work)
> - inconvenient for users who will have to write their own
> - DNS resolving may break for users when they upgrade
>
> Do we have other options?
>
> What do you think we should do?
>
> Are there any volunteers to do maintenance (for option 3)?
>
> -nc
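Whichever option is chosen, the failure mode the thread worries about is a root.hints file that is silently out of date or incomplete. The POSIX sh check below is an added example written for this page; it is not Alpine's update script and not code from either message. It assumes the InterNIC named.root layout (a header comment line `related version of root zone:   YYYYMMDDNN`, followed by `NS` records for `.` and `A`/`AAAA` glue for each server name) and flags a serial older than a caller-supplied cutoff date or an NS target with no IPv4 glue. The sample files it writes are constructed for the demo. A check like this complements, rather than replaces, signature verification of the downloaded file.

```shell
#!/bin/sh
# Added example, not Alpine's update script: sanity-check a root.hints file
# before a resolver trusts it. Assumes the InterNIC named.root layout, where
# a header comment carries "related version of root zone: YYYYMMDDNN" and
# records look like ".  3600000  NS  A.ROOT-SERVERS.NET." with A/AAAA glue.
# Usage: check_root_hints FILE MIN_DATE   (MIN_DATE is YYYYMMDD)
# Returns 0 when the file passes, 1 otherwise; problems go to stderr.
check_root_hints() {
    crh_file=$1
    crh_min_date=$2
    crh_rc=0

    # Pull the root zone serial out of the header comment.
    crh_serial=$(awk -F: '/related version of root zone/ { gsub(/[ \t]/, "", $2); print $2 }' "$crh_file")
    case $crh_serial in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "$crh_file: no root zone serial in header" >&2; return 1 ;;
    esac
    # Serial is YYYYMMDDNN; drop the two-digit revision to compare dates.
    if [ "${crh_serial%??}" -lt "$crh_min_date" ]; then
        echo "$crh_file: serial $crh_serial is older than cutoff $crh_min_date (stale hints)" >&2
        crh_rc=1
    fi

    # Every NS record for "." must have IPv4 glue, or the resolver cannot
    # reach that server without already knowing an address for it.
    crh_ns_count=0
    for crh_ns in $(awk '$1 == "." && $3 == "NS" { print $4 }' "$crh_file"); do
        crh_ns_count=$((crh_ns_count + 1))
        if ! awk -v n="$crh_ns" '$1 == n && $3 == "A" { found = 1 } END { exit !found }' "$crh_file"; then
            echo "$crh_file: no A glue for $crh_ns" >&2
            crh_rc=1
        fi
    done
    if [ "$crh_ns_count" -eq 0 ]; then
        echo "$crh_file: no NS records for the root" >&2
        crh_rc=1
    fi
    return "$crh_rc"
}

# Write a constructed sample file for the demo. $1 path, $2 serial,
# $3 "ok" (all glue present) or "noglue" (B root without an A record).
write_sample_hints() {
    {
        printf ';       constructed sample root.hints for this demo\n'
        printf ';       last update:     March 05, 2020\n'
        printf ';       related version of root zone:   %s\n' "$2"
        printf ';\n'
        printf '.                        3600000      NS    A.ROOT-SERVERS.NET.\n'
        printf '.                        3600000      NS    B.ROOT-SERVERS.NET.\n'
        printf 'A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4\n'
        printf 'A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30\n'
        if [ "$3" = ok ]; then
            printf 'B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201\n'
        fi
    } > "$1"
}

# Stand-alone demo: a current file passes, a stale one and one missing glue fail.
demo_dir=$(mktemp -d)
write_sample_hints "$demo_dir/current.hints" 2020030501 ok
write_sample_hints "$demo_dir/stale.hints" 2019060101 ok
write_sample_hints "$demo_dir/noglue.hints" 2020030501 noglue
for f in current stale noglue; do
    if check_root_hints "$demo_dir/$f.hints" 20200101; then
        echo "$f.hints: OK"
    else
        echo "$f.hints: FAILED"
    fi
done
rm -rf "$demo_dir"
```

The cutoff date is deliberately a caller argument: a package that ships the file could pass its own build date, while a cron job that refreshes the file could pass a date six months back, which matches the refresh cadence discussed above.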