[Dev] Mirror DNS load balancing
Michał Masłowski
mtjm at mtjm.eu
Tue Mar 18 10:43:50 GMT 2014
Gaming4JC asked on #parabola for mirror efficiency improvement ideas,
since parabola.goodgnus.com.ar has much traffic.
My observations:
- first mirror in /etc/pacman.d/mirrorlist is preferred;
parabola.goodgnus.com.ar is first
- IPv6-only mirrors lead to IPv4-only users getting mysterious errors
- mirrors break, so users cannot get newer mirrorlist to use working
ones
- usually at least one of the Parabola servers works
- distrowatch.com once linked to an ISO on my server using nearly all
of my monthly bandwidth (improved since)
Proposed solution:
- have only one default mirror:
# Parabola GNU/Linux-libre
Server = http://mirror.parabola.nu/$repo/os/$arch
- add mirror.parabola.nu NS records pointing to some slave servers,
have master on a server running nsd
- generate the zone file in this way:
- use a master list of mirrors with responsible and location data
- test each mirror: get e.g. libre/os/x86_64/libre.db, check if
it's not too old, if this work, add its IPv4 address to an A
record, IPv6 to AAAA
- have small TTLs for these records and small slave refresh time
- post a news item on https://parabolagnulinux.org/, ask users to
update to the new mirror list
- measure bandwidth use of mirrors, should be more uniform afterwards
Expected results:
- a random mirror is used by each user for some time
- systems use IPv6 mirrors if the have IPv6, IPv4-only otherwise
- broken mirrors won't be used after name servers update the zone
Problems:
- the master server needs IPv4 and IPv6, parabolagnulinux.org and
repo.parabolagnulinux.org don't have IPv6; any plans to change this?
- one problem is intentionally missing from this list
- no HTTPS for mirrors; not needed for authenticity nor integrity:
packages are signed; repo dbs should be signed too; is it needed for
confidentiality? i.e. do standard traffic analysis attacks on
public static data published over HTTPS work on it? do we need
confidentiality for it?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 818 bytes
Desc: not available
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20140318/2bb3a3cc/attachment.sig>
More information about the Dev
mailing list