Bug 4089 - Unbound should hold open TLS connections
Status: ASSIGNED
Product: unbound
Classification: Unclassified
Component: server
Version: 1.7.0
Hardware/OS: Other Linux
Importance: P5 enhancement
Assigned To: unbound team
Depends on:
Blocks:
Reported: 2018-04-16 04:45 CEST by Pascal
Modified: 2018-09-25 05:58 CEST

Description Pascal 2018-04-16 04:45:49 CEST
Currently unbound closes the connection immediately after it receives a response.

From RFC7858 (Specification for DNS over TLS):
   In order to amortize TCP and TLS connection setup costs, clients and
   servers SHOULD NOT immediately close a connection after each
   response.  Instead, clients and servers SHOULD reuse existing
   connections for subsequent queries as long as they have sufficient
   resources.  In some cases, this means that clients and servers may
   need to keep idle connections open for some amount of time.
https://tools.ietf.org/html/rfc7858

My config file includes:
ssl-upstream: yes
forward-zone:
 name: "."
 forward-addr: 1.1.1.1@853
 forward-addr: 1.0.0.1@853
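The RFC text quoted above asks clients to keep a DoT connection open and reuse it for later queries instead of doing a fresh TCP+TLS handshake per query. The following Python sketch is an added example (not unbound's code and not the reporter's) of what that client-side behaviour looks like: RFC 1035 two-byte length framing over the stream, matching responses to queries by message ID on a shared connection, and an idle timeout that decides when the connection is finally closed. The resolver is a constructed in-memory stand-in so the demo runs offline; `tls_connect` shows the real socket setup with a placeholder hostname and is not used by the demo.

```python
import random
import socket
import ssl
import struct
import time


def build_query(qname, qtype=1, msg_id=None):
    """Minimal DNS query: 12-byte header (RD set) plus one question section."""
    if msg_id is None:
        msg_id = random.randrange(0, 65536)
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)  # qtype, IN class


def frame(msg):
    """Over TCP/TLS every DNS message is prefixed with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def deframe(buf):
    """Split a stream buffer into complete messages; return (messages, leftover bytes)."""
    msgs = []
    while len(buf) >= 2:
        n = struct.unpack("!H", buf[:2])[0]
        if len(buf) < 2 + n:
            break  # partial message, wait for more data
        msgs.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return msgs, buf


def msg_id(msg):
    return struct.unpack("!H", msg[:2])[0]


def tls_connect(host="resolver.example", port=853):
    """Real DoT socket setup (placeholder host; the offline demo does not call this)."""
    ctx = ssl.create_default_context()  # verifies the resolver's certificate chain
    return ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)


class DotClient:
    """Reuses one connection for successive queries; closes it only after idle_timeout."""

    def __init__(self, connect, idle_timeout=10.0, clock=time.monotonic):
        self._connect, self._idle_timeout, self._clock = connect, idle_timeout, clock
        self._conn, self._buf, self._last_used = None, b"", 0.0
        self.connections_opened = 0

    def _get_connection(self):
        if self._conn is not None and self._clock() - self._last_used >= self._idle_timeout:
            self._conn.close()  # idle too long: drop it, next query opens a new one
            self._conn, self._buf = None, b""
        if self._conn is None:
            self._conn = self._connect()
            self.connections_opened += 1
            self._last_used = self._clock()
        return self._conn

    def query(self, qname, qtype=1):
        conn = self._get_connection()
        q = build_query(qname, qtype)
        conn.sendall(frame(q))
        while True:  # read until the response carrying our message ID arrives
            msgs, self._buf = deframe(self._buf)
            for m in msgs:
                if msg_id(m) == msg_id(q):
                    self._last_used = self._clock()
                    return m
            chunk = conn.recv(4096)
            if not chunk:
                raise ConnectionError("resolver closed the connection")
            self._buf += chunk


class FakeResolverWire:
    """Constructed stand-in for the TLS socket: echoes each query back with the QR bit set."""

    def __init__(self):
        self._out, self.closed = b"", False

    def sendall(self, data):
        msgs, _ = deframe(data)
        for m in msgs:
            self._out += frame(m[:2] + bytes([m[2] | 0x80]) + m[3:])

    def recv(self, n):
        chunk, self._out = self._out[:n], self._out[n:]
        return chunk

    def close(self):
        self.closed = True


class FakeClock:
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo(idle_timeout=10.0):
    """Two queries share one connection; a third after the idle timeout opens a second."""
    clock, wires = FakeClock(), []

    def connect():
        wires.append(FakeResolverWire())
        return wires[-1]

    client = DotClient(connect, idle_timeout, clock.now)
    r1 = client.query("example.com")          # opens connection 1
    r2 = client.query("example.net", 28)      # reuses connection 1 (AAAA)
    clock.advance(idle_timeout + 1)
    r3 = client.query("example.org")          # connection 1 idle-expired: opens connection 2
    return client.connections_opened, len(wires), [r1, r2, r3]


if __name__ == "__main__":
    print(demo())
```

The idle timeout is the knob the RFC leaves to "sufficient resources": a forwarder talking to a fixed upstream, as in the config above, can afford a long one, while a server holding thousands of inbound client connections needs a shorter one.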
Comment 1 Wouter Wijngaards 2018-04-18 07:19:21 CEST
Hi Pascal,

Yes, that is a good idea.  For the forwarding case, realistically.  Also for TCP.

Best regards, Wouter
Comment 2 Eric Luehrsen 2018-09-25 05:58:13 CEST
Hi Wouter,
Holding TLS connections open rather than always starting a new one could help with:  https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4149 or at least potentially improve diagnosing it. I know it would probably only delay the problem, and not fix it. Anything might be worth a try though.
Thanks
Eric