LLT-6364: Update trust-dns #1512
Conversation
mathiaspeters
temporarily deployed
to
Internal
GitHub Actions
Inactive
mathiaspeters
temporarily deployed
to
Internal
GitHub Actions
Inactive
mathiaspeters
force-pushed
the
LLT-6364_update_trust_dns
branch
from
bf05b37 to
c4011b6
Compare
mathiaspeters
temporarily deployed
to
Internal
GitHub Actions
Inactive
mathiaspeters
force-pushed
the
LLT-6364_update_trust_dns
branch
from
c4011b6 to
099641a
Compare
mathiaspeters
temporarily deployed
to
Internal
GitHub Actions
Inactive
mathiaspeters
temporarily deployed
to
Internal
GitHub Actions
Inactive
mathiaspeters
temporarily deployed
to
Internal
GitHub Actions
Inactive
mathiaspeters
force-pushed
the
LLT-6364_update_trust_dns
branch
from
788a084 to
6ea0d6b
Compare
mathiaspeters
temporarily deployed
to
Internal
GitHub Actions
Inactive
mathiaspeters
force-pushed
the
LLT-6364_update_trust_dns
branch
from
6ea0d6b to
d3f34a0
Compare
mathiaspeters
temporarily deployed
to
Internal
GitHub Actions
Inactive
crates/telio-dns/src/forward.rs
Outdated
| .map_err(|err| | ||
| match err.kind() { | ||
| ResolveErrorKind::Proto(proto) => { | ||
| match proto.kind() { | ||
| ProtoErrorKind::NoRecordsFound { | ||
| query: _, | ||
| soa: _, | ||
| ns: _, | ||
| negative_ttl: _, | ||
| response_code, | ||
| trusted: _, | ||
| authorities:_, | ||
| } => { | ||
| if *response_code == ResponseCode::NoError { | ||
| telio_log_debug!("Got an error response with NoError code for {name}, this should not happen so converting to ServFail"); | ||
| // Failed query with no error - convert that to a real error, | ||
| // otherwise the LookupError::from will panic in debug builds. | ||
| // If we use a number from the 'private use' range: | ||
| // https://datatracker.ietf.org/doc/html/rfc2929#section-2.3 like | ||
| // LookupError::from(ResponseCode::Unknown(3841)) | ||
| // the trust-dns will end up looping until the requests with some other error | ||
| // is returned. This will make the original dns request (eg. by nslookup or dig or some app) | ||
| // never complete. To avoid that, lets return ServFail which will produce | ||
| // an empty respones. | ||
| LookupError::from(ResponseCode::ServFail) | ||
| } else { | ||
| LookupError::from(*response_code) | ||
| } | ||
| } | ||
| // NOTE: this is probably incorrect, and should be at least 24, most likely | ||
| // in range 3841-4095 ('private use' range), instead of '0'. | ||
| _ => LookupError::from(ResponseCode::Unknown(0)), | ||
| } | ||
| } | ||
| } | ||
| // NOTE: this is probably incorrect, and should be at least 24, most likely | ||
| // in range 3841-4095 ('private use' range), instead of '0'. | ||
| _ => LookupError::from(ResponseCode::Unknown(0)), | ||
| }) | ||
| // NOTE: this is probably incorrect, and should be at least 24, most likely | ||
| // in range 3841-4095 ('private use' range), instead of '0'. | ||
| _ => LookupError::from(ResponseCode::Unknown(0)), | ||
| }); |
There was a problem hiding this comment.
Now that we have LookupControlFlow maybe we do not need this block with rather weird, and likely incorrect under some edge-cases, conversions and we can simply pass the result without map_err()'ing it?
There was a problem hiding this comment.
I looked into it and I think this will be staying, but I tried to clean it up at least a little bit
Basically, this is here to give us greater control over when we get an empty result and when the DNS request properly fails
There was a problem hiding this comment.
Could you elaborate a bit more? As this, looking at first glance, does not look correct error mapping 🤔
mathiaspeters
force-pushed
the
LLT-6364_update_trust_dns
branch
from
d3f34a0 to
19757ca
Compare
mathiaspeters
temporarily deployed
to
Internal
GitHub Actions
Inactive
mathiaspeters
force-pushed
the
LLT-6364_update_trust_dns
branch
from
19757ca to
a3609a7
Compare
mathiaspeters
temporarily deployed
to
Internal
GitHub Actions
Inactive
|
|
||
| // NOTE: this is probably incorrect, and should be at least 24, most likely | ||
| // in range 3841-4095 ('private use' range), instead of '0'. | ||
| LookupError::from(ResponseCode::Unknown(0)) |
There was a problem hiding this comment.
I think we are still converting any error other then err.kind() == ResolveErrorKind::Proto(...) to LookupError::ResponseCode which IMHO is incorrect.
IMHO we should convert to LookupError::ProtoError()`
There was a problem hiding this comment.
Generally I would agree with you, but this has a specific use case: https://github.com/NordSecurity/trust-dns/blob/release/0.25.2/crates/server/src/authority/catalog.rs#L837
The way this is handled in our fork of hickory is that we want to have certain errors actually result in an error and others resulting in an empty response. I believe this was initially set to Unknown so that we can have more control over when that happens, and this just copies that. We can change this to be one of the variants of ProtoError, but then I think it's more likely that the special handling of errors in our hickory fork might behave differently
There was a problem hiding this comment.
🤔 🤔 🤔
In the link you provided, in one of the cases - we are converting IO errors (hence DNS request was probably not even sent, or response not even received into empty response? As telio-dns is kind of transparent proxy - it means we should not respond as well 🤔. And definitely should not convert the response into empty, but successful response.
Additionally if we have unknown code (the other case) responded from upstream server - we should not convert it to successful response as well.
| name = "hickory-resolver" | ||
| version = "0.24.0" | ||
| source = "git+https://github.com/NordSecurity/trust-dns.git?tag=v3.0.1#88204024fd3ecdadccf4574eb7976167e7c52001" | ||
| version = "0.25.2" |
There was a problem hiding this comment.
Friendly reminder to close a dependabot issue after merging this PR since there's one for hickory-proto
Problem
Our trust-dns fork was much behind upstream
Solution
Update the fork from v0.24.0 to v0.25.2 and bump the reference in libtelio
The branch in trust-dns has 7 commits that can also be reviewed
☑️ Definition of Done checklist