on REFUSED response, fall back to other nameservers #1513
LGTM, I think it makes sense for us to apply this change. Thanks for upstreaming the patch!
Yes, I think this is reasonable. (We may in fact want to become even more lax about this)
Yes, I think it would be great to add a mocked test there, as we won't want to accidentally remove this in the future.
Codecov Report
@@           Coverage Diff           @@
##             main    #1513   +/-   ##
=======================================
  Coverage   84.43%   84.43%
=======================================
  Files         171      171
  Lines       16888    16876   -12
=======================================
- Hits        14259    14249   -10
+ Misses       2629     2627    -2
@peterthejohnston, do you think you'll have time to add the testcase you mentioned?
Definitely, sorry for the delay—I got caught up in other things but will be back at work Tuesday 6/29 and will update this PR then if that works.
No pressure at all, I just wanted to make sure we were both on the same page. Thanks again for these changes.
I'd like to make this Edit: I've also added an integration test.
These changes all look good to me. Thanks for adding the test and cleaning up the match cases.
Sorry for the delay on the review. These changes all look good, assuming tests pass, I'll merge in.
The beta test failure appears to be unrelated to this change. Merging. Thanks for this PR!
In using trust-dns-resolver as the DNS resolver for Fuchsia, we noticed that there are some authoritative DNS name servers that respond with a REFUSED response when they don't know the domain (e.g., it wasn't on an allowlist of hosts it'd respond to queries about).
We have a mitigation for this to our current version of trust-dns-resolver (0.19.2): https://fuchsia-review.googlesource.com/c/fuchsia/+/545423/17/third_party/rust_crates/vendor/trust-dns-resolver/src/name_server/name_server.rs
I'd like to contribute a similar fix here, if you think it makes sense. The intention of this patch is essentially to add REFUSED to the list of "retryable" errors—errors that should not lead to a terminal query failure. I looked into the precedent for this and found this issue where SERVFAIL being a terminal error led to failed queries where the resolver should have continued on to other name servers. I also saw this TODO which suggests it might be appropriate to consider continuing a query after a REFUSED response.
I have a couple of questions:
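A simplified model of the fallback behaviour described in the PR description above, added here as an example; it is not code from trust-dns-resolver or from this PR. The `Rcode`, `Outcome` and `resolve` names, the `BEFORE`/`AFTER` policies, the choice to keep NXDOMAIN terminal, and the `ns1.example`/`ns2.example` servers are assumptions made for the illustration.

```rust
// Added illustration; not trust-dns-resolver code. All names are hypothetical.
#[derive(Clone, Copy, Debug, PartialEq)]
enum Rcode { NoError, ServFail, NxDomain, Refused }

#[derive(Debug, PartialEq)]
enum Outcome {
    Answer { server: &'static str },
    // A non-retryable response ended the query at this server.
    Terminal { server: &'static str, rcode: Rcode },
    // Every server returned a retryable error; the last one is surfaced.
    Exhausted { last: Rcode },
    NoServers,
}

// Retry policy as the PR description frames it: SERVFAIL alone before the
// change, SERVFAIL and REFUSED after it. NXDOMAIN stays terminal (assumption).
const BEFORE: &[Rcode] = &[Rcode::ServFail];
const AFTER: &[Rcode] = &[Rcode::ServFail, Rcode::Refused];

/// Walk the name servers in order. `responses` is constructed sample data
/// standing in for one query/response exchange per server.
fn resolve(responses: &[(&'static str, Rcode)], retryable: &[Rcode]) -> Outcome {
    let mut last = None;
    for &(server, rcode) in responses {
        if rcode == Rcode::NoError {
            return Outcome::Answer { server };
        }
        if !retryable.contains(&rcode) {
            return Outcome::Terminal { server, rcode };
        }
        last = Some(rcode); // retryable: remember it and try the next server
    }
    match last {
        Some(rcode) => Outcome::Exhausted { last: rcode },
        None => Outcome::NoServers,
    }
}

fn main() {
    // Constructed scenario: ns1 only answers for names on its allowlist.
    let servers = [("ns1.example", Rcode::Refused), ("ns2.example", Rcode::NoError)];
    println!("before: {:?}", resolve(&servers, BEFORE));
    println!("after:  {:?}", resolve(&servers, AFTER));
}
```

When every server returns a retryable code, the model still reports the last error rather than an empty success, so a caller can tell "all name servers refused" apart from a valid answer.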