[Dev] Mirror DNS load balancing

Michał Masłowski mtjm at mtjm.eu
Tue Mar 18 10:43:50 GMT 2014


Gaming4JC asked on #parabola for mirror efficiency improvement ideas,
since parabola.goodgnus.com.ar has much traffic.

My observations:

- first mirror in /etc/pacman.d/mirrorlist is preferred;
  parabola.goodgnus.com.ar is first
- IPv6-only mirrors lead to IPv4-only users getting mysterious errors
- mirrors break, so users cannot get newer mirrorlist to use working
  ones
- usually at least one of the Parabola servers works
- distrowatch.com once linked to an ISO on my server using nearly all
  of my monthly bandwidth (improved since)

Proposed solution:

- have only one default mirror:

# Parabola GNU/Linux-libre

Server = http://mirror.parabola.nu/$repo/os/$arch

- add mirror.parabola.nu NS records pointing to some slave servers,
  have master on a server running nsd
- generate the zone file in this way:
  - use a master list of mirrors with responsible and location data
  - test each mirror: get e.g. libre/os/x86_64/libre.db, check if
    it's not too old, if this works, add its IPv4 address to an A
    record, IPv6 to AAAA
- have small TTLs for these records and small slave refresh time
- post a news item on https://parabolagnulinux.org/, ask users to
  update to the new mirror list
- measure bandwidth use of mirrors, should be more uniform afterwards

Expected results:

- a random mirror is used by each user for some time
- systems use IPv6 mirrors if they have IPv6, IPv4-only otherwise
- broken mirrors won't be used after name servers update the zone

Problems:

- the master server needs IPv4 and IPv6, parabolagnulinux.org and
  repo.parabolagnulinux.org don't have IPv6; any plans to change this?
- one problem is intentionally missing from this list
- no HTTPS for mirrors; not needed for authenticity nor integrity:
  packages are signed; repo dbs should be signed too; is it needed for
  confidentiality?  i.e. do standard traffic analysis attacks on
  public static data published over HTTPS work on it?  do we need
  confidentiality for it?
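
The zone-generation step proposed in the message above, as an added example that is not part of the original post or Parabola's own tooling: each mirror's libre.db is probed and only fresh mirrors get A/AAAA records. The mirror hosts, addresses, the two-day age limit, the 300-second TTL and the use of the zone apex (`@`) are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.request import Request, urlopen

DB_PATH = "libre/os/x86_64/libre.db"  # file named in the message
MAX_AGE = timedelta(days=2)           # assumed limit for "too old"
TTL = 300                             # assumed "small TTL", seconds

# Constructed master list: hypothetical hosts, documentation-range addresses.
MIRRORS = [
    {"url": "http://mirror-a.example/parabola", "responsible": "alice",
     "location": "PL", "addrs": ["192.0.2.10", "2001:db8::10"]},
    {"url": "http://mirror-b.example/parabola", "responsible": "bob",
     "location": "AR", "addrs": ["198.51.100.20"]},
    {"url": "http://mirror-c.example/parabola", "responsible": "carol",
     "location": "DE", "addrs": ["2001:db8::30"]},
]

def http_probe(base_url, timeout=10):
    """Last-Modified time of the mirror's libre.db, or None if the fetch fails."""
    try:
        req = Request(f"{base_url}/{DB_PATH}", method="HEAD")
        with urlopen(req, timeout=timeout) as resp:
            ts = parsedate_to_datetime(resp.headers["Last-Modified"])
        return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)
    except Exception:
        return None

def build_records(mirrors, probe=http_probe, now=None):
    """Zone-file lines (apex A/AAAA records) for mirrors with a fresh db."""
    now = now or datetime.now(timezone.utc)
    lines = []
    for m in mirrors:
        stamp = probe(m["url"])
        if stamp is None or now - stamp > MAX_AGE:
            continue  # unreachable or stale mirror stays out of the zone
        lines.append(f"; {m['url']} ({m['responsible']}, {m['location']})")
        for addr in m["addrs"]:
            rtype = "AAAA" if ipaddress.ip_address(addr).version == 6 else "A"
            lines.append(f"@ {TTL} IN {rtype} {addr}")
    return lines

if __name__ == "__main__":
    # Constructed probe results so the example runs offline.
    now = datetime(2014, 3, 18, tzinfo=timezone.utc)
    seen = {MIRRORS[0]["url"]: now - timedelta(hours=6),
            MIRRORS[1]["url"]: now - timedelta(days=9),
            MIRRORS[2]["url"]: now - timedelta(hours=1)}
    print("\n".join(build_records(MIRRORS, seen.get, now)))
```

Last-Modified is reported by the mirror itself, so comparing the fetched file with the master copy is a stricter freshness test than the header alone.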