[Dev] Mirror DNS load balancing

Nicolás Reynolds fauno at kiwwwi.com.ar
Tue Mar 18 12:49:09 GMT 2014


Michał Masłowski <mtjm at mtjm.eu> writes:

> Gaming4JC asked on #parabola for mirror efficiency improvement ideas,
> since parabola.goodgnus.com.ar has much traffic.
>
> My observations:
>
> - first mirror in /etc/pacman.d/mirrorlist is preferred;
>   parabola.goodgnus.com.ar is first
> - IPv6-only mirrors lead to IPv4-only users getting mysterious errors
> - mirrors break, so users cannot get newer mirrorlist to use working
>   ones
> - usually at least one of the Parabola servers works
> - distrowatch.com once linked to an ISO on my server using nearly all
>   of my monthly bandwidth (improved since)
>
> Proposed solution:
>
> - have only one default mirror:
>
> # Parabola GNU/Linux-libre
>
> Server = http://mirror.parabola.nu/$repo/os/$arch
>
> - add mirror.parabola.nu NS records pointing to some slave servers,
>   have master on a server running nsd
> - generate the zone file in this way:
>   - use a master list of mirrors with responsible and location data
>   - test each mirror: get e.g. libre/os/x86_64/libre.db, check if
>     it's not too old, if this works, add its IPv4 address to an A
>     record, IPv6 to AAAA
> - have small TTLs for these records and small slave refresh time
> - post a news item on https://parabolagnulinux.org/, ask users to
>   update to the new mirror list
> - measure bandwidth use of mirrors, should be more uniform afterwards

+1 I'm using owns[1] to manage my zones on nsd and it needs a little
love :)


[1]: https://github.com/fauno/owns

> Expected results:
>
> - a random mirror is used by each user for some time
> - systems use IPv6 mirrors if they have IPv6, IPv4-only otherwise
> - broken mirrors won't be used after name servers update the zone
>
> Problems:
>
> - the master server needs IPv4 and IPv6, parabolagnulinux.org and
>   repo.parabolagnulinux.org don't have IPv6; any plans to change this?

parabolagnulinux.org has IPv6 through librevpn (which gateways through
my node...)

> - one problem is intentionally missing from this list

D:

> - no HTTPS for mirrors; not needed for authenticity nor integrity:
>   packages are signed; repo dbs should be signed too; is it needed for
>   confidentiality?  i.e. do standard traffic analysis attacks on
>   public static data published over HTTPS work on it?  do we need
>   confidentiality for it?

it'd be nice if an attacker wouldn't know the software you use?

how's pacman behaving with http redirects?

-- 
:D
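The zone-generation step from the quoted proposal (probe each mirror's libre.db, drop stale or unreachable ones, emit short-TTL A/AAAA records for the slaves to pull), written out as an added example. This is not Parabola's tooling, not owns, and not an nsd feature; it assumes the mirror list below (constructed), that freshness is judged from the HTTP Last-Modified header of libre/os/x86_64/libre.db (the thread only says "check if it's not too old"), that mirror.parabola.nu is delegated as its own zone whose A/AAAA records sit at the apex, and hypothetical slave names ns1/ns2.parabola.nu. The network probe and resolver are injectable so the script also runs offline on the constructed sample.

```python
"""Probe mirrors and emit an nsd-style zone for mirror.parabola.nu.

Added example, not Parabola's or nsd's own code. Assumptions: the mirror
list below is constructed, freshness comes from Last-Modified, slave names
ns1/ns2.parabola.nu are hypothetical.
"""
import socket
import urllib.parse
import urllib.request
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Callable, List, Optional, Tuple

PROBE_PATH = "libre/os/x86_64/libre.db"  # file named in the proposal
TTL = 300                                 # small TTL: broken mirrors age out fast
REFRESH = 600                             # small slave refresh time (SOA)
MAX_AGE = timedelta(hours=12)             # assumed "not too old" threshold

@dataclass(frozen=True)
class Mirror:
    url: str          # base URL; the $repo/os/$arch path must match on every mirror
    responsible: str  # maintainer contact from the master list
    location: str

# Constructed sample master list (RFC 5737 / 3849 documentation addresses below).
MIRRORS = [
    Mirror("http://mirror-a.example/parabola/", "alice", "AR"),
    Mirror("http://mirror-b.example/parabola/", "bob", "DE"),
    Mirror("http://mirror-c.example/parabola/", "carol", "US"),
]

Probe = Callable[[str], Optional[datetime]]
Resolve = Callable[[str], Tuple[List[str], List[str]]]

def http_probe(base_url: str, timeout: float = 10.0) -> Optional[datetime]:
    """Real probe: HEAD the db and return its Last-Modified; None on any failure."""
    req = urllib.request.Request(base_url + PROBE_PATH, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            lm = resp.headers.get("Last-Modified")
            return parsedate_to_datetime(lm) if lm else None
    except (OSError, ValueError, TypeError):
        return None

def dns_resolve(host: str) -> Tuple[List[str], List[str]]:
    """Real resolver: (A addresses, AAAA addresses) for the mirror's hostname."""
    v4, v6 = set(), set()
    try:
        for fam, _, _, _, sa in socket.getaddrinfo(host, None):
            (v4 if fam == socket.AF_INET else v6 if fam == socket.AF_INET6 else set()).add(sa[0])
    except socket.gaierror:
        pass
    return sorted(v4), sorted(v6)

def healthy_mirrors(mirrors, probe: Probe, now: datetime, max_age=MAX_AGE):
    """Keep mirrors whose db was fetched and is newer than max_age."""
    good = []
    for m in mirrors:
        lm = probe(m.url)
        if lm is None:
            continue  # unreachable or no header: treat as broken
        if lm.tzinfo is None:
            lm = lm.replace(tzinfo=timezone.utc)
        if now - lm <= max_age:
            good.append(m)
    return good

def zone_records(mirrors, probe: Probe, resolve: Resolve, now: datetime, name="@", ttl=TTL):
    """A/AAAA lines for the healthy mirrors; IPv6-only mirrors yield only AAAA."""
    lines = []
    for m in healthy_mirrors(mirrors, probe, now):
        v4, v6 = resolve(urllib.parse.urlsplit(m.url).hostname)
        lines += [f"{name} {ttl} IN A {ip}" for ip in v4]
        lines += [f"{name} {ttl} IN AAAA {ip}" for ip in v6]
    return lines

def zone_file(records, now: datetime, origin="mirror.parabola.nu.",
              slaves=("ns1.parabola.nu.", "ns2.parabola.nu."), ttl=TTL):
    """Full zone text: SOA with the small refresh, NS for the slaves, then records."""
    serial = int(now.timestamp())  # monotonic serial so slaves notice every regeneration
    head = [f"$ORIGIN {origin}", f"$TTL {ttl}",
            f"@ IN SOA {slaves[0]} hostmaster.parabola.nu. ( {serial} {REFRESH} 300 604800 {ttl} )"]
    head += [f"@ IN NS {s}" for s in slaves]
    return "\n".join(head + records) + "\n"

# Constructed offline sample: a is fresh, b is three days stale, c is unreachable.
SAMPLE_NOW = datetime(2014, 3, 18, 12, 0, tzinfo=timezone.utc)
def fake_probe(url):
    return {"http://mirror-a.example/parabola/": SAMPLE_NOW - timedelta(hours=1),
            "http://mirror-b.example/parabola/": SAMPLE_NOW - timedelta(days=3)}.get(url)
def fake_resolve(host):
    return {"mirror-a.example": (["192.0.2.10"], ["2001:db8::10"]),
            "mirror-b.example": (["192.0.2.20"], [])}.get(host, ([], []))

if __name__ == "__main__":
    recs = zone_records(MIRRORS, fake_probe, fake_resolve, SAMPLE_NOW)
    print(zone_file(recs, SAMPLE_NOW))
```

Swap `fake_probe`/`fake_resolve` for `http_probe`/`dns_resolve` and run it from cron on the nsd master, then reload. Two points from the thread that the script depends on: every mirror behind one name must serve the same path layout, since clients only ever see `http://mirror.parabola.nu/$repo/os/$arch`; and the freshness probe says nothing about authenticity, which stays with pacman's package (and, once present, db) signature checks.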