[Twisted-Python] New TLS Code *Could* Cause Problems

Phil Mayers p.mayers at imperial.ac.uk
Tue Jul 19 05:16:21 MDT 2011

On 07/19/2011 10:51 AM, Reza Lotun wrote:

> would be resolved, bombarding amazon's dns servers with requests. After
> diving in, I learned all Twisted connect* calls go through
> socket.gethostbyname, which apparently does not do any DNS caching (much
> to my surprise) unless something like nscd or a local caching nameserver
> is running (we ended up using BIND).

socket.gethostbyname is just a wrapper around the libc implementation, 
and you're correct that it does no caching unless the NSS layer does, or 
the DNS query you're talking to does.

> Now, since we never ran a local caching nameserver before I wondered

How did anything work then if you had no local DNS?

> what changed. Could it have been that using the _newtls code (with
> PyOpenSSL 0.12) removed some element of DNS caching that OpenSSL was
> performing behind the scene? Is this possible? If so, then I just wanted

A quick 10-line connectSSL script on my box running 10.1 does a DNS 
lookup per-connection. Are you sure this behaviour has changed?

> to make sure everyone was aware that if you make a lot of DNS calls in a
> Twisted server running this code, you too could experience problems if
> you're not running a local caching nameserver.

Well, TBH if you're not running a local caching nameserver, I am failing 
to see how anything works!
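A constructed illustration of the point being discussed (added here; not code from the thread, from Twisted or from PyOpenSSL): a TTL-bounded cache in front of a gethostbyname-style resolver, with a fake resolver standing in for socket.gethostbyname so it runs offline and deterministically. CachingResolver, simulate and the TEST-NET address are hypothetical names and values chosen for the example.

```python
import socket
import time
from typing import Callable, Dict, Tuple


class CachingResolver:
    """Hypothetical helper (not Twisted's): a positive, TTL-bounded cache in
    front of a gethostbyname-style resolver, so repeated connects to the same
    host do not each hit the DNS server."""

    def __init__(self, resolve: Callable[[str], str] = socket.gethostbyname,
                 ttl: float = 60.0, clock: Callable[[], float] = time.monotonic):
        self._resolve, self._ttl, self._clock = resolve, ttl, clock
        self._cache: Dict[str, Tuple[str, float]] = {}  # host -> (addr, expiry)
        self.upstream_lookups = 0  # how often we really asked the resolver

    def gethostbyname(self, host: str) -> str:
        now = self._clock()
        hit = self._cache.get(host)
        if hit is not None and hit[1] > now:
            return hit[0]  # fresh entry: no DNS traffic
        # Miss or expired: this is the call that reaches the nameserver.
        self.upstream_lookups += 1
        addr = self._resolve(host)
        self._cache[host] = (addr, now + self._ttl)
        return addr


def simulate(connections: int, ttl: float, advance: float = 0.0) -> int:
    """Constructed scenario: `connections` connects to one host, `advance`
    simulated seconds apart. Returns how many lookups reached the (fake)
    resolver; the uncached behaviour from the thread would be `connections`."""
    clock = [0.0]  # simulated time so the run is deterministic and offline

    def fake_resolve(host: str) -> str:
        # Constructed stand-in for socket.gethostbyname; never touches the network.
        return "192.0.2.10"  # placeholder address from TEST-NET-1

    resolver = CachingResolver(fake_resolve, ttl=ttl, clock=lambda: clock[0])
    for _ in range(connections):
        resolver.gethostbyname("example.invalid")  # one "connect" per iteration
        clock[0] += advance
    return resolver.upstream_lookups


if __name__ == "__main__":
    print("1000 connects, 60s TTL, back to back:", simulate(1000, 60.0))
    print("1000 connects, 60s TTL, 1s apart:   ", simulate(1000, 60.0, 1.0))
    print("TTL 0 (cache disabled):             ", simulate(5, 0.0))
```

Because gethostbyname returns no TTL, a cache like this cannot honour the record's real lifetime and may serve a stale address after a DNS change; a local caching nameserver such as the BIND instance mentioned above does honour it, which is why it is the better fix.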
