-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Handle UDP responses that overflow with TC bit with test case #6100
Conversation
Please just make a reference to the original PR instead of copy-pasting the original PR description. In the description, please make it clear that you are copying the code of from @phealy's PR, which appears to have stalled. Please also review all outstanding feedback on the original PR, and list the changes you have made to address that feedback. Thanks! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks for the PR
plugin/pkg/proxy/connect.go
Outdated
// Instead of returning an error, return an empty response with TC bit set. This will make the | ||
// client retry over TCP (if that's supported) or at least receive a clean | ||
// error. The connection is still good so we break before the close. | ||
if proto == "udp" && strings.Contains(err.Error(), "overflow") { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had a question regarding if we should create types for these errors, searching for the string "overflow" seems a bit dangerous to me: https://github.com/coredns/coredns/pull/6003/files#r1156333895
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have create an issue here - miekg/dns#1463 and will have to wait before I can update this code - if proto == "udp" && ((strings.Contains(err.Error(), "overflow")) || dnsErrBufOccured)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Created a PR for this - miekg/dns#1465
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! In that PR, maybe put a blank line between ErrTime
and ErrOverflowUnpackingA
, that way indentation doesn't change on existing set of errors, and the diff looks cleaner.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@chrisohaver , @gcs278 - While waiting for this PR miekg/dns#1465 to be reviewed, I wanted to check with you if I need to check for all the overflow errors exported here - https://github.com/miekg/dns/pull/1465/files. Because Overflow error due to 512 cache size can occur due to any of the reasons.
For example -
if errors.Is(err, dns.ErrOverflowHeaderSize)
if errors.Is(err, dns.ErrOverflowPackingUint8)
if errors.Is(err, dns.ErrBuf) .... so on
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@miekg - Any suggestions will be appreciated. I will look forward to hearing from you.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@chrisohaver - Do you have any suggestions here ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@chrisohaver @miekg - I kindly request your review and suggest on what we can do here to move forward on this change. We need to fix this to move forward with upcoming releases.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Miek is on indefinite sabbatical from the CoreDNS project, for about a year now.
Looks like miekg/dns#1465 was rejected.
Based on the comment, I would suggest re-submitting it with following changes:
Don't create new class variables for every possible overflow case.
Create a single public overflow error type that implements error, and raise this error for overflows.
You can make the error text different per overflow case, but the error type would be the same for all.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you @chrisohaver - I have submitted a PR with the changes here - miekg/dns#1475, waiting for it to be reviewed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for picking this up!
- In the description, please make it clear that you are copying the code of from @phealy's PR, and the reason (it appears to have stalled)
- Please also review all outstanding feedback on the original PR, and list the changes you have made to address that feedback. (e.g. I see that you added a unit test, but there was also other feedback that does not appear to be addressed)
Signed-off-by: Sri Harsha <sharsha@microsoft.com>
Signed-off-by: Sri Harsha <sharsha@microsoft.com>
Signed-off-by: Sri Harsha <sharsha@microsoft.com>
Signed-off-by: Sri Harsha <sharsha@microsoft.com>
Signed-off-by: Sri Harsha <sharsha@microsoft.com>
@@ -142,6 +143,10 @@ func (p *Proxy) Connect(ctx context.Context, state request.Request, opts Options | |||
|
|||
// Clear AD bit in case request had set the AD bit. The empty response is not authenticated. | |||
newRet.AuthenticatedData = false | |||
|
|||
// Clear AA bit in case request had set the AA bit. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do you clear the AA bit?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
that means that this request isn't an authoritative (i.e. that server owns the final answer) response. Since it's not a complete answer, it's good to keep it set to false. @chrisohaver - Please let me know if you see any concerns here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Cool, no concerns. Please add that description to the existing comment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it's good to keep it set to false
Actually, are you basing that on common sense, or an RFC requirement?
We may want to follow what is done for actual truncated responses.
If RFC says AA should be set to false when replying with a truncated response, then we should definitely do that here.
if not, then we need to discuss pros/cons. E.g. what's is the negative of leaving AA bit as it was.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I couldn't find any specific RFC that directly addresses the handling of the authorization bit (AA) in truncated DNS responses. There is no specific handling or interpretation defined for the authorization bit (AA) in truncated responses
RFC 1035 does not specifically cover the handling of the AA bit in truncated responses
https://tools.ietf.org/html/rfc1035
https://datatracker.ietf.org/doc/html/rfc1035#section-4.2.1
When a response is truncated, the focus is on addressing the truncation itself and ensuring the complete response is obtained. The authorization bit is not directly related to handling truncation but rather serves as an indicator of authority.
The authorization bit is considered meaningful only in non-truncated responses, where it signifies the authoritative nature of the responding server.
AFAIK - It is better to keep it set to false here.
1. Why is this pull request needed and what does it do?
Description in this PR - #6003
Code changes in plugin/pkg/proxy/connect.go file is copied from above PR - #6003
2. Which issues (if any) are related?
#5953
#5998
3. Which documentation changes (if any) need to be made?
Not sure. I didn't see any.
4. Does this introduce a backward incompatible change or deprecation?
No.