Remove deprecated Temporary() usage in DNS retry logic

[sheurich]

Summary

Replace deprecated Temporary() with Timeout() in DNS retry logic per golang/go#45729.

Change

• Check net.Error.Timeout() instead of deprecated Temporary()
• Only retry timeout errors, not all transient network errors

[beautifulentropy]

Some context we should review when reviewing this PR, courtesy of @pgporada:

• proposal: net: add ErrRetryableAcceptError golang/go#66252
• net/url: (*Error).Timeout and (*Error).Temporary methods should use errors.As instead of type assertion golang/go#60578
• Remove use of deprecated net.Error.Temporary miekg/dns#1589
  • and the reversion in Revert "Remove use of deprecated net.Error.Temporary (#1589)" miekg/dns#1594

[aarongable]

Without commenting on whether we should retry all errors (I'm still contemplating), I think that if we do go this direction, we should take this minor simplification a step further: I'd remove the isRetryable boolean altogether and simplify the conditionals on lines 276 and 283.

[jsha]

Hi @sheurich! Thanks for the contribution. I'm glad to be getting rid of the deprecated call to .Temporary().

As a side note, can I ask if you are using AI to generate your PR descriptions? If so, could you provide the prompt you used, or how you generated it (i.e. what are the inputs)? In particular I'd love to discuss the Rationale but I first want to make sure those are your words and not an AI's.

My takeaway from golang/go#45729 is that Temporary is a superset of Timeout, and:

The cases where Temporary does not imply Timeout are surprising and not particularly useful.

So a smaller change here would be to simply replace Temporary with Timeout, which is not deprecated. I'd prefer that change, in part because it avoids masking surprising behavior behind retries.

As an example: in Unbound 1.20, a few new options were introduced, including discard-timeout (defaults to 1900 ms): https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-discard-timeout. From experimentation, I believe the default discard-timeout results in unexpected EOF errors from our DoH client when a resolution takes more than 1.9 seconds. We'll be disabling that, at least for now (discard-timeout: 0).

That unexpected EOF is not a Boulder-side timeout, but arguably should be retried in this scenario since we know it represents an Unbound-side timeout. But I'd rather implement that specifically within our dohExchanger instead of retying all errors unconditionally.

As an example of a non-retryable error: a certificate validation failure for one out of a pool of DoH servers. If we retry all errors, we might never notice that one server has a broken config, because we would automatically retry on a different server¹. Yes, this would be more resilient, but it would also be masking brokenness, possibly until the brokenness gets worse.

So, overall, I'm in favor of switching this to use .Timeout(), and possibly, as a separate PR, handling unexpected EOF (net.ErrUnexpectedEOF) in dohExchanger and turning into something that implements .Timeout() { return true }.

Footnotes

1. Note that we might switch to a 1:1 VA<->Unbound relationship, which would change this example, but the spirit holds. ↩

[sheurich]

Hi @sheurich! Thanks for the contribution. I'm glad to be getting rid of the deprecated call to .Temporary().

As a side note, can I ask if you are using AI to generate your PR descriptions? If so, could you provide the prompt you used, or how you generated it (i.e. what are the inputs)? In particular I'd love to discuss the Rationale but I first want to make sure those are your words and not an AI's.

The description was generated from the results of investigation into DoH errors that were not classified as retryable based on Temporary() output. Discovery of the go 1.18 Temporary() deprecation came out of this work.

I use Claude Code (and to a small extent Roo Code) as a coding assistant. For this PR, there wasn't a traditional "prompt". My workflow was:

1. I made the code change to address the deprecated Temporary() call
2. Asked Claude to generate a PR description from the diff
3. Claude expanded on the rationale based on the deprecation notices

• these are not valid rationale for this change

My takeaway from golang/go#45729 is that Temporary is a superset of Timeout, and:

The cases where Temporary does not imply Timeout are surprising and not particularly useful.

So a smaller change here would be to simply replace Temporary with Timeout, which is not deprecated. I'd prefer that change, in part because it avoids masking surprising behavior behind retries.

As an example: in Unbound 1.20, a few new options were introduced, including discard-timeout (defaults to 1900 ms): unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-discard-timeout. From experimentation, I believe the default discard-timeout results in unexpected EOF errors from our DoH client when a resolution takes more than 1.9 seconds. We'll be disabling that, at least for now (discard-timeout: 0).

We were seeing 'unexpected EOF' errors in VA DoH requests. Your comment about Unbound’s discard-timeout was incredibly helpful and led us to discover that our pre-1.20 Unbound package has this feature backported for the DNSBomb CVE and enabled by default. Disabling the discard-timeout eliminated these errors. Thank you!

That unexpected EOF is not a Boulder-side timeout, but arguably should be retried in this scenario since we know it represents an Unbound-side timeout. But I'd rather implement that specifically within our dohExchanger instead of retying all errors unconditionally.

This makes sense. I have an alternate proposal that trades some additional configuration complexity to allow for fine-grained operator control of DNS retry behavior: #8443

I agree that replacing Temporary() with Timeout() is the correct minimal fix. The deprecation of Temporary() indicates we need better visibility into what's retryable, but your point about not masking errors like cert validation failures is good. Retry-all could hide critical failures (although the logging should still note this).

As an example of a non-retryable error: a certificate validation failure for one out of a pool of DoH servers. If we retry all errors, we might never notice that one server has a broken config, because we would automatically retry on a different server1. Yes, this would be more resilient, but it would also be masking brokenness, possibly until the brokenness gets worse.

So, overall, I'm in favor of switching this to use .Timeout(), and possibly, as a separate PR, handling unexpected EOF (net.ErrUnexpectedEOF) in dohExchanger and turning into something that implements .Timeout() { return true }.

I can change this right away and then either move forward with something like #8443 if that makes sense or more like your suggestion.

I'll update this PR to the simple Temporary() → Timeout() replacement as you suggested.

Thanks!

[sheurich]

@jsha I appreciate the visibility vs. resilience trade-off discussion. While I agree with moving forward with Timeout() as the minimal fix, I wanted to share my operational perspective:

Even mature deployment practices can't eliminate all transient connection errors. Network path transitions and process/container orchestration events routinely cause brief connection-refused/reset errors that are genuinely transient and not misconfigurations. In production CA operations, failing customer certificate issuance for these routine events feels like the wrong trade-off.

I think retry-all (or at least retry-connection-errors) with proper logging/alerting provides the best of both worlds: resilience for customers and visibility for operators. That said, I respect the fail-fast philosophy and understand the operational debt concerns. I'm happy to stick with the Timeout() change as implemented here and we can revisit retry strategy in future PRs if operational experience suggests it's needed.

[jsha]

You make good points about transient errors in the connection between VA and Unbound. Can you add some detail about what your setup is like, what specific errors you're getting, and how often?

[jsha]

Can you explain why this became a net.Error? *url.Error also offers .Timeout().

[sheurich]

They are functionally identical; http.Client.Do() returns *url.Error, which implements net.Error. Both errors.As checks match the same object and call the same .Timeout() method.

I changed to net.Error because we only need the .Timeout() method, not *url.Error-specific fields like .Op or .URL.

[sheurich]

Can you add some detail about what your setup is like, what specific errors you're getting, and how often?

Unbound and boulder-va run in separate containers, communicating over Docker networking.

Current error rates (% of validations):

• "Client.Timeout exceeded": 0-1%
• "connect: connection refused": 1%
• "unexpected EOF": ~0.1% (5-30% before the Unbound fix)