[24.0 backport] libnetwork: just forward the external DNS response #45573
Changes to the DNS resolver in #44664 fixed some bugs, including load-bearing bugs which masked other bugs. One bug not fixed by the aforementioned PR is that the resolver handles non-authoritative NXDOMAIN responses by failing over to the next external DNS server in the list. That behaviour does not make sense as authoritative responses only come from the authoritative name servers for a domain, and most of the time none of the servers in the list will be authoritative. What would make sense for handling a non-authoritative NXDOMAIN is to recursively resolve up to the authoritative name servers to get an authoritative answer to cache. But our DNS resolver is a stub resolver, not a recursive resolver, so there is no good reason for it to treat any NXDOMAIN response differently from a NOERROR response. (If you depended on this fail-over behaviour to successfully resolve domains because the first external DNS server in your list returns NXDOMAIN for the public internet, that DNS server is broken and needs to be fixed. If we can make a split-horizon DNS resolver which resolves public domain names by forwarding, so can you.)
Commit 9cf8c4f fixed a bug in the fail-over behaviour by replying SERVFAIL if none of the external name servers provided a successful response instead of falling through to forward the last non-successful response received. Unfortunately that was a load-bearing bug which masked the aforementioned NXDOMAIN issue.
- What I did
Our resolver is just a forwarder for external DNS—a stub resolver—so it should act like it. Unless it's a server failure or refusal, take the response at face value and forward it along to the client. RFC 8020 is only applicable to caching recursive name servers and our resolver is neither caching nor recursive.
- How I did it
Deleted code which had no business existing in a DNS stub resolver.
- How to verify it
v24.0.0:
This PR:
- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)
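As an added illustration (not libnetwork's code, and not part of this PR), the two forwarding policies the description contrasts can be modelled in a few lines of Go. The `UpstreamReply`, `forwardStub` and `forwardWithNXDomainFailover` names and the constructed replies are assumptions for this example; the RCODE values are the standard ones. `forwardStub` is the stub-resolver behaviour this PR asks for: try the external servers in order, fail over only on a server failure (no reply, SERVFAIL, REFUSED), forward everything else including NXDOMAIN, and answer SERVFAIL yourself only when every server failed. `forwardWithNXDomainFailover` is the prior behaviour, where a non-authoritative NXDOMAIN also triggers fail-over, so the client's answer depends on what later servers in the list say.

```go
package main

import "fmt"

// Standard DNS RCODE values (RFC 1035 section 4.1.1).
const (
	RcodeNoError  = 0
	RcodeServFail = 2
	RcodeNXDomain = 3
	RcodeRefused  = 5
)

// UpstreamReply models what one external DNS server returned for a query.
// A transport failure (timeout, unreachable) is represented by Err != nil.
// This is a constructed type for the example; a real resolver works on the
// wire message.
type UpstreamReply struct {
	Server string // which external server answered (constructed label)
	Rcode  int
	Err    error
}

// isServerFailure reports whether a reply justifies trying the next external
// server: no usable reply at all, SERVFAIL, or REFUSED. Nothing else does.
func isServerFailure(r UpstreamReply) bool {
	return r.Err != nil || r.Rcode == RcodeServFail || r.Rcode == RcodeRefused
}

// forwardStub is the behaviour described in the PR: forward the first reply
// that is not a server failure or refusal, NXDOMAIN included. If every
// server failed, reply SERVFAIL instead of echoing the last failure.
func forwardStub(replies []UpstreamReply) (UpstreamReply, string) {
	for _, r := range replies {
		if isServerFailure(r) {
			continue
		}
		return r, "forwarded"
	}
	return UpstreamReply{Server: "resolver", Rcode: RcodeServFail}, "all upstreams failed"
}

// forwardWithNXDomainFailover is the pre-PR behaviour kept here for contrast:
// a non-authoritative NXDOMAIN is also treated as a reason to ask the next
// server, which only makes sense for a recursive resolver.
func forwardWithNXDomainFailover(replies []UpstreamReply) (UpstreamReply, string) {
	for _, r := range replies {
		if isServerFailure(r) || r.Rcode == RcodeNXDomain {
			continue
		}
		return r, "forwarded"
	}
	return UpstreamReply{Server: "resolver", Rcode: RcodeServFail}, "all upstreams failed"
}

func main() {
	// Constructed scenario: the first external server says NXDOMAIN, the
	// second says NOERROR. A stub forwards the NXDOMAIN; the old policy
	// would silently hand the client the second server's answer instead.
	replies := []UpstreamReply{
		{Server: "ns1", Rcode: RcodeNXDomain},
		{Server: "ns2", Rcode: RcodeNoError},
	}
	r, why := forwardStub(replies)
	fmt.Printf("stub:     %s rcode=%d (%s)\n", r.Server, r.Rcode, why)
	r, why = forwardWithNXDomainFailover(replies)
	fmt.Printf("failover: %s rcode=%d (%s)\n", r.Server, r.Rcode, why)
}
```

The point of the contrast is that with NXDOMAIN fail-over, the answer a container receives for a non-existent name is not determined by the first working server but by whichever server down the list happens to say something other than NXDOMAIN, which is the behaviour the PR removes.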