Currently there is one timeout option we pass to c-ares. However, that option is per-nameserver. I guess that makes sense from a resolver library POV - as a resolver library you want to control how long you talk to each name server.

We have been mostly OK with this because in most situations the resolver can't connect the socket to the name server at all at times out immediatelly. Problems arise when the server is very slow to respond, drops packets.

To solve this in SSSD we need to have control over how long a name resolution takes regardless of the number of name servers and also regardless of the number of servers in failover.

The failover in SSSD has the concept of "services". LDAP is a service, Kerberos is a service etc. From back end you don't care and don't know how many servers there are in a service. From fail over we don't know and don't care how many name servers there are.

My proposal is to:

- change the current "dns_resolver_timeout" to be per-service, so the semantics would be "How long to wait until we get an LDAP server IP address" for example
- introduce a new option, something like "dns_resolver_server_timeout", that would control a per-server timeout. This option could maybe be undocumented, it seems quite low-level.
- hide the per-nameserver resolver timeout (only #define it). It is too low level.