Refactor DNS to pass full messages up to the VA (#8513)

Change the exported methods of the bdns package to have consistent
arguments and return values. Specifically:
- Split LookupHost into two more specific methods, LookupA and
LookupAAAA.
- Since each method now returns the results of a single DNS query,
update all four Lookup methods to return only a single resolver, rather
than a slice of resolver addresses.
- Create a new generic "Result" type, which embeds the upstream
miekg/dns.Msg type, and also helpfully extracts all the answer records
of a specific type. This embedding is important for the future, since we
want to extract this result's Authenticated Data bit and all CNAME hops
for logging in the VA.
- Use this new type as the return type for all four Lookup methods,
removing the custom pre-processing (e.g. producing a dig-like string for
CAA lookups, or filtering out Restricted IP addresses) from each method.

This unification and simplification allows us to streamline the body of
bdns.exchangeOne, to reduce code duplication around incrementing metrics
and clarify the retry loop's exit condition. Importantly, bdns.Exchange
(which actually performs the DoH network calls) remains untouched.

As a result of the changes to LookupA and LookupAAAA, move most of
LookupHost's old logic into the VA's getAddrs function. We're still
doing the exact same merging and filtering of IP addresses, just within
the VA rather than within the DNS abstraction layer. This also moves
usage of the `allowRestrictedAddrs` boolean from bdns.Client to va.impl,
and allows us to remove bdns.NewTest.

These interface changes require extensive test changes to match. Strip
the bdns.MockClient down to almost nothing, because its guts had far too
much knowledge of the desires of specific tests in a wholly different
package (the VA). Instead, break the MockClient down into three much
smaller fakes, and move them into the VA test files that actually need
them. Have each test case explicitly specify which fake it is using,
encouraging the use of smaller and more test-specific fakes in the
future. Finally, use this opportunity to turn multiple linear tests into
table-driven tests.

Part of #2700

Author: aarongable

bdns/dns.go

@@ -3,159 +3,29 @@ package bdns
 import (
 	"context"
 	"errors"
-	"fmt"
-	"net"
-	"net/netip"
-	"os"
 
 	"github.com/miekg/dns"
-
-	blog "github.com/letsencrypt/boulder/log"
 )
 
 // MockClient is a mock
-type MockClient struct {
-	Log blog.Logger
-}
+type MockClient struct{}
 
 // LookupTXT is a mock
-func (mock *MockClient) LookupTXT(_ context.Context, hostname string) ([]string, ResolverAddrs, error) {
-	// Use the example account-specific label prefix derived from
-	// "https://example.com/acme/acct/ExampleAccount"
-	const accountLabelPrefix = "_ujmmovf2vn55tgye._acme-challenge"
-
-	if hostname == accountLabelPrefix+".servfail.com" {
-		// Mirror dns-01 servfail behaviour
-		return nil, ResolverAddrs{"MockClient"}, fmt.Errorf("SERVFAIL")
-	}
-	if hostname == accountLabelPrefix+".good-dns01.com" {
-		// Mirror dns-01 good record
-		// base64(sha256("LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0"
-		//               + "." + "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"))
-		return []string{"LPsIwTo7o8BoG0-vjCyGQGBWSVIPxI-i_X336eUOQZo"}, ResolverAddrs{"MockClient"}, nil
-	}
-	if hostname == accountLabelPrefix+".wrong-dns01.com" {
-		// Mirror dns-01 wrong record
-		return []string{"a"}, ResolverAddrs{"MockClient"}, nil
-	}
-	if hostname == accountLabelPrefix+".wrong-many-dns01.com" {
-		// Mirror dns-01 wrong-many record
-		return []string{"a", "b", "c", "d", "e"}, ResolverAddrs{"MockClient"}, nil
-	}
-	if hostname == accountLabelPrefix+".long-dns01.com" {
-		// Mirror dns-01 long record
-		return []string{"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}, ResolverAddrs{"MockClient"}, nil
-	}
-	if hostname == accountLabelPrefix+".no-authority-dns01.com" {
-		// Mirror dns-01 no-authority good record
-		// base64(sha256("LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0"
-		//               + "." + "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"))
-		return []string{"LPsIwTo7o8BoG0-vjCyGQGBWSVIPxI-i_X336eUOQZo"}, ResolverAddrs{"MockClient"}, nil
-	}
-	if hostname == accountLabelPrefix+".empty-txts.com" {
-		// Mirror dns-01 zero TXT records
-		return []string{}, ResolverAddrs{"MockClient"}, nil
-	}
-
-	if hostname == "_acme-challenge.servfail.com" {
-		return nil, ResolverAddrs{"MockClient"}, fmt.Errorf("SERVFAIL")
-	}
-	if hostname == "_acme-challenge.good-dns01.com" {
-		// base64(sha256("LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0"
-		//               + "." + "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"))
-		// expected token + test account jwk thumbprint
-		return []string{"LPsIwTo7o8BoG0-vjCyGQGBWSVIPxI-i_X336eUOQZo"}, ResolverAddrs{"MockClient"}, nil
-	}
-	if hostname == "_acme-challenge.wrong-dns01.com" {
-		return []string{"a"}, ResolverAddrs{"MockClient"}, nil
-	}
-	if hostname == "_acme-challenge.wrong-many-dns01.com" {
-		return []string{"a", "b", "c", "d", "e"}, ResolverAddrs{"MockClient"}, nil
-	}
-	if hostname == "_acme-challenge.long-dns01.com" {
-		return []string{"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}, ResolverAddrs{"MockClient"}, nil
-	}
-	if hostname == "_acme-challenge.no-authority-dns01.com" {
-		// base64(sha256("LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0"
-		//               + "." + "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"))
-		// expected token + test account jwk thumbprint
-		return []string{"LPsIwTo7o8BoG0-vjCyGQGBWSVIPxI-i_X336eUOQZo"}, ResolverAddrs{"MockClient"}, nil
-	}
-	// empty-txts.com always returns zero TXT records
-	if hostname == "_acme-challenge.empty-txts.com" {
-		return []string{}, ResolverAddrs{"MockClient"}, nil
-	}
-
-	// Default fallback
-	return []string{"hostname"}, ResolverAddrs{"MockClient"}, nil
+func (mock *MockClient) LookupTXT(_ context.Context, hostname string) (*Result[*dns.TXT], string, error) {
+	return nil, "MockClient", errors.New("unexpected LookupTXT call on test fake")
 }
 
-// makeTimeoutError returns a a net.OpError for which Timeout() returns true.
-func makeTimeoutError() *net.OpError {
-	return &net.OpError{
-		Err: os.NewSyscallError("ugh timeout", timeoutError{}),
-	}
-}
-
-type timeoutError struct{}
-
-func (t timeoutError) Error() string {
-	return "so sloooow"
-}
-func (t timeoutError) Timeout() bool {
-	return true
+// LookupA is a fake
+func (mock *MockClient) LookupA(_ context.Context, hostname string) (*Result[*dns.A], string, error) {
+	return nil, "MockClient", errors.New("unexpected LookupA call on test fake")
 }
 
-// LookupHost is a mock
-func (mock *MockClient) LookupHost(_ context.Context, hostname string) ([]netip.Addr, ResolverAddrs, error) {
-	if hostname == "always.invalid" ||
-		hostname == "invalid.invalid" {
-		return []netip.Addr{}, ResolverAddrs{"MockClient"}, nil
-	}
-	if hostname == "always.timeout" {
-		return []netip.Addr{}, ResolverAddrs{"MockClient"}, &Error{dns.TypeA, "always.timeout", makeTimeoutError(), -1, nil}
-	}
-	if hostname == "always.error" {
-		err := &net.OpError{
-			Op:  "read",
-			Net: "udp",
-			Err: errors.New("some net error"),
-		}
-		m := new(dns.Msg)
-		m.SetQuestion(dns.Fqdn(hostname), dns.TypeA)
-		m.AuthenticatedData = true
-		m.SetEdns0(4096, false)
-		return []netip.Addr{}, ResolverAddrs{"MockClient"}, &Error{dns.TypeA, hostname, err, -1, nil}
-	}
-	if hostname == "id.mismatch" {
-		err := dns.ErrId
-		m := new(dns.Msg)
-		m.SetQuestion(dns.Fqdn(hostname), dns.TypeA)
-		m.AuthenticatedData = true
-		m.SetEdns0(4096, false)
-		r := new(dns.Msg)
-		record := new(dns.A)
-		record.Hdr = dns.RR_Header{Name: dns.Fqdn(hostname), Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 0}
-		record.A = net.ParseIP("127.0.0.1")
-		r.Answer = append(r.Answer, record)
-		return []netip.Addr{}, ResolverAddrs{"MockClient"}, &Error{dns.TypeA, hostname, err, -1, nil}
-	}
-	// dual-homed host with an IPv6 and an IPv4 address
-	if hostname == "ipv4.and.ipv6.localhost" {
-		return []netip.Addr{
-			netip.MustParseAddr("::1"),
-			netip.MustParseAddr("127.0.0.1"),
-		}, ResolverAddrs{"MockClient"}, nil
-	}
-	if hostname == "ipv6.localhost" {
-		return []netip.Addr{
-			netip.MustParseAddr("::1"),
-		}, ResolverAddrs{"MockClient"}, nil
-	}
-	return []netip.Addr{netip.MustParseAddr("127.0.0.1")}, ResolverAddrs{"MockClient"}, nil
+// LookupAAAA is a fake
+func (mock *MockClient) LookupAAAA(_ context.Context, hostname string) (*Result[*dns.AAAA], string, error) {
+	return nil, "MockClient", errors.New("unexpected LookupAAAA call on test fake")
 }
 
-// LookupCAA returns mock records for use in tests.
-func (mock *MockClient) LookupCAA(_ context.Context, domain string) ([]*dns.CAA, string, ResolverAddrs, error) {
-	return nil, "", ResolverAddrs{"MockClient"}, nil
+// LookupCAA is a fake
+func (mock *MockClient) LookupCAA(_ context.Context, domain string) (*Result[*dns.CAA], string, error) {
+	return nil, "MockClient", errors.New("unexpected LookupCAA call on test fake")
 }

bdns/dns_test.go

@@ -7,8 +7,9 @@ import (
 	"net/url"
 	"testing"
 
-	"github.com/letsencrypt/boulder/test"
 	"github.com/miekg/dns"
+
+	"github.com/letsencrypt/boulder/test"
 )
 
 func TestError(t *testing.T) {
@@ -17,9 +18,6 @@ func TestError(t *testing.T) {
 		expected string
 	}{
 		{
-			&Error{dns.TypeA, "hostname", makeTimeoutError(), -1, nil},
-			"DNS problem: query timed out looking up A for hostname",
-		}, {
 			&Error{dns.TypeMX, "hostname", &net.OpError{Err: errors.New("some net error")}, -1, nil},
 			"DNS problem: networking error looking up MX for hostname",
 		}, {

bdns/mocks.go

@@ -100,28 +100,16 @@ func main() {
 	tlsConfig, err := c.VA.TLS.Load(scope)
 	cmd.FailOnError(err, "tlsConfig config")
 
-	var resolver bdns.Client
-	if !c.VA.DNSAllowLoopbackAddresses {
-		resolver = bdns.New(
-			c.VA.DNSTimeout.Duration,
-			servers,
-			scope,
-			clk,
-			c.VA.DNSTries,
-			c.VA.UserAgent,
-			logger,
-			tlsConfig)
-	} else {
-		resolver = bdns.NewTest(
-			c.VA.DNSTimeout.Duration,
-			servers,
-			scope,
-			clk,
-			c.VA.DNSTries,
-			c.VA.UserAgent,
-			logger,
-			tlsConfig)
-	}
+	resolver := bdns.New(
+		c.VA.DNSTimeout.Duration,
+		servers,
+		scope,
+		clk,
+		c.VA.DNSTries,
+		c.VA.UserAgent,
+		logger,
+		tlsConfig)
+
 	var remotes []va.RemoteVA
 	if len(c.VA.RemoteVAs) > 0 {
 		for _, rva := range c.VA.RemoteVAs {
@@ -155,6 +143,7 @@ func main() {
 		"",
 		iana.IsReservedAddr,
 		c.VA.SlowRemoteTimeout.Duration,
+		c.VA.DNSAllowLoopbackAddresses,
 	)
 	cmd.FailOnError(err, "Unable to create VA server")
 

bdns/problem_test.go

@@ -106,28 +106,15 @@ func main() {
 		tlsConfig.ClientAuth = tls.VerifyClientCertIfGiven
 	}
 
-	var resolver bdns.Client
-	if !c.RVA.DNSAllowLoopbackAddresses {
-		resolver = bdns.New(
-			c.RVA.DNSTimeout.Duration,
-			servers,
-			scope,
-			clk,
-			c.RVA.DNSTries,
-			c.RVA.UserAgent,
-			logger,
-			tlsConfig)
-	} else {
-		resolver = bdns.NewTest(
-			c.RVA.DNSTimeout.Duration,
-			servers,
-			scope,
-			clk,
-			c.RVA.DNSTries,
-			c.RVA.UserAgent,
-			logger,
-			tlsConfig)
-	}
+	resolver := bdns.New(
+		c.RVA.DNSTimeout.Duration,
+		servers,
+		scope,
+		clk,
+		c.RVA.DNSTries,
+		c.RVA.UserAgent,
+		logger,
+		tlsConfig)
 
 	vai, err := va.NewValidationAuthorityImpl(
 		resolver,
@@ -142,6 +129,7 @@ func main() {
 		c.RVA.RIR,
 		iana.IsReservedAddr,
 		0,
+		c.RVA.DNSAllowLoopbackAddresses,
 	)
 	cmd.FailOnError(err, "Unable to create Remote-VA server")
 

cmd/boulder-va/main.go

@@ -154,7 +154,7 @@ type caaResult struct {
 	issuewild       []*dns.CAA
 	criticalUnknown bool
 	dig             string
-	resolvers       bdns.ResolverAddrs
+	resolver        string
 	err             error
 }
 
@@ -213,14 +213,18 @@ func (va *ValidationAuthorityImpl) parallelCAALookup(ctx context.Context, name s
 		// Start the concurrent DNS lookup.
 		wg.Add(1)
 		go func(name string, r *caaResult) {
+			defer wg.Done()
 			r.name = name
-			var records []*dns.CAA
-			records, r.dig, r.resolvers, r.err = va.dnsClient.LookupCAA(ctx, name)
-			if len(records) > 0 {
+			var records *bdns.Result[*dns.CAA]
+			records, r.resolver, r.err = va.dnsClient.LookupCAA(ctx, name)
+			if r.err != nil {
+				return
+			}
+			r.dig = records.String()
+			if len(records.Final) > 0 {
 				r.present = true
 			}
-			r.issue, r.issuewild, r.criticalUnknown = filterCAA(records)
-			wg.Done()
+			r.issue, r.issuewild, r.criticalUnknown = filterCAA(records.Final)
 		}(strings.Join(labels[i:], "."), &results[i])
 	}