Expose TTLs on lookups

[hawkw]

This PR changes the trust-dns-resolver API to expose the TTLs of DNS
lookups, which is needed downstream in Conduit (linkerd/linkerd2#711).

Reviewers should note the following:

• In some cases, Lookups were constructed in places where the TTL is not
  known or there is no TTL (e.g. for localhost in lookup_state.rs).
  Therefore, I made the TTL field on Lookup optional, and added a new
  Lookup::new_with_ttl constructor, to avoid breaking existing code.
• When appending two Lookups, if both have known TTLs, the returned
  Lookup has the lower of the two TTLs. Thus, the appended Lookup
  should time out when the shorter-lived of either of its constituents
  does. This seemed like the correct behaviour to me, so that append
  doesn't become a way for short-lived Lookups to escape their TTLs,
  but I wasn't sure about this --- please let me know if this intuition
  is incorrect!
• I've added a simple unit test for the added TTL function in lookup.rs.

Signed-off-by: Eliza Weisman eliza@buoyant.io

[briansmith]

1. It seems better for Trust-DNS to expose an expiration time (a deadline, an Instant) instead of the TTL (a Duration). In the case where the response is not from the internal cache then the time from which it should be measured is the time the query was sent. In the case where the response is from the internal cache then the time from which it should be measured is the time of the original query. How is the application supposed to know which of those two times to use?

2. In the case the Trust-DNS cache is active, how would the caller use this API to guarantee that its next request's response isn't served from the cache?

[briansmith]

It seems like we need to compare the expiration times, not the TTLs, here.

[bluejekyll]

It depends on what you want to track here. The raw TTL, or the time in which the the record is no longer valid. The RFCs definitely recommend the latter.

[bluejekyll]

This all looks great. Thanks for the PR! I’ll merge this in once the tests pass.

---

Edit: I missed @briansmith comments. let's work that out.

[briansmith]

It would be good to have a test for CNAME, in particular where the CNAME expires earlier than the A records.

It would also be good to have a test for NXDOMAIN that shows how this works for NXDOMAIN. In particular, "The remaining of the current meanings, of being the TTL to be used for negative responses, is the new defined meaning of the SOA minimum field." from https://tools.ietf.org/html/rfc2308; see https://tools.ietf.org/html/rfc2308#section-5.

[bluejekyll]

There are some tests for TTLs as they relate to CNAME: https://github.com/bluejekyll/trust-dns/blob/master/resolver/src/lookup_state.rs#L946

We might have a gap on the NXDOMAIN/NoData responses, in regards to TTL.

[codecov]

Codecov Report

Merging #444 into master will increase coverage by 0.1%.
The diff coverage is 100%.

@@            Coverage Diff            @@
##           master     #444     +/-   ##
=========================================
+ Coverage   86.54%   86.64%   +0.1%     
=========================================
  Files         133      133             
  Lines       13391    13399      +8     
=========================================
+ Hits        11589    11610     +21     
+ Misses       1802     1789     -13

Impacted Files	Coverage Δ
resolver/src/lookup_ip.rs	90.37% <ø> (ø)	⬆️
resolver/src/hosts.rs	95.53% <100%> (ø)	⬆️
resolver/src/lookup.rs	68.71% <100%> (+2.23%)	⬆️
resolver/src/dns_lru.rs	100% <100%> (ø)	⬆️
resolver/src/resolver_future.rs	72.05% <100%> (ø)	⬆️
server/src/config.rs	83.33% <0%> (+1.05%)	⬆️
client/src/rr/dnssec/signer.rs	98.95% <0%> (+1.36%)	⬆️
resolver/src/name_server_pool.rs	86.92% <0%> (+1.93%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 97afd93...1dfc697. Read the comment docs.

[bluejekyll]

per @briansmith recommendation, it seems ttl_until is what is wanted here, no? I missed that before

[hawkw]

@briansmith

It seems better for Trust-DNS to expose an expiration time (a deadline, an Instant) instead of the TTL (a Duration). In the case where the response is not from the internal cache then the time from which it should be measured is the time the query was sent. In the case where the response is from the internal cache then the time from which it should be measured is the time of the original query. How is the application supposed to know which of those two times to use?

I agree, that seems much more correct. In 75cbbcd and ffc9cae, I've modified this PR so that the new field represents the expiration time for the lookup rather than the TTL.

[briansmith]

I suggest renaming things to be consistent. Your new API functions is called valid_until. I suggest renaming the ttl_util variable here the same thing. I also suggest renaming Lookup::new_with_ttl to Lookup::new_valid_until. Then it becomes easier to understand the code holistically.

[briansmith]

ttl should be renamed valid_until.

[briansmith]

It isn't clear that this logic is correct when mixing Some(ttl) and None. What's the rationale here? Is it even possible that this could happen for lookup_ip or is this something that could only happen for other kinds of queries?

OTOH maybe RFC 2308 means we should always have a TTL; if not from the record, then from the overall response? I'm not sure since I don't know all the DNS details.

Regardless, we should write down the reasoning, at least.

[hawkw]

As far as I can tell, the only time Lookup::append is called on a Lookup that doesn't have a TTL is here:
https://github.com/bluejekyll/trust-dns/blob/97afd93b007e0ba4140be4f09ba7245f821f1fa9/resolver/src/hosts.rs#L63-L76

In this case, it seems that the empty lookups are only created as placeholders and should be immediately overwritten with the new lookup, so in this case, the logic seems correct. Everywhere else where Lookup::append is called, the lookups are actual responses to a DNS query and should always have a TTL.

I'd be happy to add a comment explaining this in the method, if you like.

[bluejekyll]

hosts is an interesting case. It's driven by a file, as opposed to an actual lookup. I wonder if we could remove the optional, and just pick the max_ttl in this case. At the moment, we don't support live reloading of the hosts file. So if this is indeed the only case, then I say we get rid of it by giving it a better default.

[hawkw]

I believe the other main case whereLookups are constructed without a TTL are the loopbacks. Do you think it's okay for localhost to appear to have MAX_TTL?

[bluejekyll]

I just double checked the code, yes, I believe this is safe. My only concern was if this could have some effect on the LRU cache, but I think both of these code paths return before cache is either used. So we don't have to worry about what that would mean.

So yes, I think we can safely simplify this to default to MAX_TTL and thus get rid of the Option on TTL.

[hawkw]

@bluejekyll okay, sounds good! I'll make that change shortly.

[hawkw]

@bluejekyll: changed in 526b8d7

[briansmith]

I think we should switch every caller to use new_with_deadline and have them pass in valid_until. That way we don't accidentally default when we shouldn't. Is that practical or is there something that makes that awkward?

(NIT: Are we really going to do this trailing comma in arguments thing in rustfmt?)

[hawkw]

I think we should switch every caller to use new_with_deadline and have them pass in valid_until. That way we don't accidentally default when we shouldn't. Is that practical or is there something that makes that awkward?

I don't think there's anything that makes that particularly difficult. I originally chose to leave the new constructor as-is and make it default because I wanted to keep the diff small, but I'm happy to change this so the caller is responsible for defaulting if you think that's better.

[briansmith]

Is there an Instant::MAX or something like it that can be used instead?
Instant::now() is relatively expensive (potentially a syscall). MAX_TTL is for parsing/validating input on the wire.

If there's no Instant::MAX or equivalent then maybe we should use something like enum Validity { ValidUntil(Instant), Forever }, isomorphic to Option, with comparison semantics such that ValidUntil(x) < Forever for all x.

[hawkw]

@briansmith

If there's no Instant::MAX or equivalent then maybe we should use something like enum Validity { ValidUntil(Instant), Forever }, isomorphic to Option, with comparison semantics such that ValidUntil(x) < Forever for all x.

I like this approach (and you're correct that there's no Instant::MAX).

However, I would like to get @bluejekyll's opinion on whether we should do something like this rather than using MAX_TTL (which he suggested in https://github.com/bluejekyll/trust-dns/pull/444#discussion_r185392627) before I make more changes.

[bluejekyll]

Personally I’m fine with MAX_TTL. I understand the concern @briansmith has, but I don’t feel like we need to over complicate this. As long as we guarantee that the correct TTL is used on insert.

Forcing the caller to pick a good value, rather than a decent default, seems potentially error prone as well. We could change ‘new’ to ‘with_max_ttl’ to make it more explicit.

[hawkw]

@bluejekyll It looks to me like the test failures on the most recent build of this branch are unrelated to my changes, do you agree that seems to be the case?

[bluejekyll]

I just kicked them off again. There are a couple of tests that have some races between server startup and the test running. I need to track those down and fix them.

Not your issue.

[briansmith]

LGTM.

[bluejekyll]

Thanks for the great work and the contribution!

[hawkw]

@bluejekyll thank you (and @briansmith) for all your guidance and feedback! :)