Networking/Archive/Necko/DNS/ResolverIntegration

From MozillaWiki
ARCHIVED
This page has been archived and its contents may be out of date.

Summary

We're planning to integrate a DNS resolver into Gecko. Our primary motivation is performance, but we're also interested in a number of new security features such as DNSSEC.

For performance in particular, we want better parallelism, access to TTL, and better ordering of IPv4 and IPv6 queries.

Primary engineers:

  • Steve Workman (Mozilla)
  • Josh Aas (Mozilla)
  • Wouter Wijngaards (NLnet Labs)

The current plan is to use NLnet Labs' libunbound along with Chromium's OS configuration detection code. We estimate (very roughly) that this will total 100-150k lines of code.

Chromium's code for reading OS configurations lives in their "src/net/dns" directory. We're primarily interested in the list of DNS servers we should be using.

The libunbound code is developed by NLnet Labs. The libunbound site is unbound.net.

Code Structure

  • netwerk/dns/* directories:
    • cache (code for caching results, likely using sqlite)
    • os-config (code from Chromium for OS configuration)
    • os-resolver (fallback code using operating system resolver)
    • resolver (libunbound)

Work Items

  1. [Josh] Bring in system integration code from Chromium.
  2. [Wouter] Add ability to configure libunbound to build only the library, not the daemon.
  3. [Wouter/Brian] Make libunbound work with NSS instead of OpenSSL. Do this by making a build-time option to compile with NSS. Brian Smith from Mozilla will help.
  4. [Josh] Configure libunbound to use a minimal number of threads, with a maximum of 256 queries per thread.
  5. [Josh] Detect errors using libunbound and fall back to using the OS resolver.
  6. [Josh] Optimize caching values within libunbound and add a subsystem to cache to disk.
  7. [?] Eliminate unnecessary code and dependencies, perhaps even the entirety of ldns.
  8. [?] Turn on DNSSEC.