Work in progress
Aim: Add a DNS hostname resolver that we can manage ourselves
Access to TTL
From Patrick: "Right now our ttl is generally too short at 3 minutes - leading to the potential performance problem of having to block on a lookup of an expired entry... We use the conservative number because some actual TTLs are smaller than that. Generally stuff associated with global load balancers. None of that is expected to work precisely, so I'm ok with 3 minutes but I'd want to think hard before making it a lot larger than that carte blanche. real TTLs mean we don't have to do it carte blanche."
Note: According to Microsoft, Windows XP considers TTL in its OS cache. The article suggests that the lesser of the real TTL or a max TTL value is used for the time to expiration in the OS's DNS cache. The max TTL value defaults to 1 day. Firefox makes use of this cache, so TTL may already be covered indirectly in the Windows XP case.
Note: bug 151929 Has a discussion on including TTL in our DNS cache.
Concurrency without multiple threads
- Potential performance regression risk by supporting DNSSEC.
- How to respond when DNSSEC rejects requests. Why the rejection and what information should be communicated to the UI?
- Check DNSSEC reliability
Support for SRV, MX, and TXT records
... (in that order of priority) in addition to A and AAAA which we have now.
- Must respect OS DNS configuration, e.g. changing wifi network config at OS level must be reflected in host resolver config.
- Must work on all platforms (check libunbound on Windows).
- Not restricted by OS cache size
- Flesh out desirable attributes in terms of rationale (i.e. desired benefits), work required in addition to adding/changing the host resolver and negative imapct as well as potential mitigations.
- Summarise available host resolvers in terms of how they meet desired criteria, or how they could be changed to meet criteria.
DNS Resolvers under consideration
- libresolv/libc/Bionic (already included in Android apk)
- SPARTA DNSSEC-enabled DNS resolver.
- From Brian: "Open-source patches already available, and they are willing to work with us on this. However, their motivation is DNSSEC support. I don't know how willing they would be to rip out or disable the DNSSEC support."