[Dev] Mirror DNS load balancing
Nicolás Reynolds
fauno at kiwwwi.com.ar
Tue Mar 18 12:49:09 GMT 2014
Michał Masłowski <mtjm at mtjm.eu> writes:
> Gaming4JC asked on #parabola for mirror efficiency improvement ideas,
> since parabola.goodgnus.com.ar has much traffic.
>
> My observations:
>
> - first mirror in /etc/pacman.d/mirrorlist is preferred;
> parabola.goodgnus.com.ar is first
> - IPv6-only mirrors lead to IPv4-only users getting mysterious errors
> - mirrors break, so users cannot get newer mirrorlist to use working
> ones
> - usually at least one of the Parabola servers works
> - distrowatch.com once linked to an ISO on my server using nearly all
> of my monthly bandwidth (improved since)
>
> Proposed solution:
>
> - have only one default mirror:
>
> # Parabola GNU/Linux-libre
>
> Server = http://mirror.parabola.nu/$repo/os/$arch
>
> - add mirror.parabola.nu NS records pointing to some slave servers,
> have master on a server running nsd
> - generate the zone file in this way:
> - use a master list of mirrors with responsible and location data
> - test each mirror: get e.g. libre/os/x86_64/libre.db, check if
> it's not too old, if this work, add its IPv4 address to an A
> record, IPv6 to AAAA
> - have small TTLs for these records and small slave refresh time
> - post a news item on https://parabolagnulinux.org/, ask users to
> update to the new mirror list
> - measure bandwidth use of mirrors, should be more uniform afterwards
+1 i'm using owns[1] to manage my zones on nsd and it needs a little
love :)
[1]: https://github.com/fauno/owns
> Expected results:
>
> - a random mirror is used by each user for some time
> - systems use IPv6 mirrors if the have IPv6, IPv4-only otherwise
> - broken mirrors won't be used after name servers update the zone
>
> Problems:
>
> - the master server needs IPv4 and IPv6, parabolagnulinux.org and
> repo.parabolagnulinux.org don't have IPv6; any plans to change this?
parabolagnulinux.org has ipv6 through librevpn (which gateways through
my node...)
> - one problem is intentionally missing from this list
D:
> - no HTTPS for mirrors; not needed for authenticity nor integrity:
> packages are signed; repo dbs should be signed too; is it needed for
> confidentiality? i.e. do standard traffic analysis attacks on
> public static data published over HTTPS work on it? do we need
> confidentiality for it?
it'd be nice if an attacker wouldn't know the software you use?
how's pacman behaving with http redirects?
--
:D
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 619 bytes
Desc: not available
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20140318/9860acd5/attachment.sig>
More information about the Dev
mailing list