Review comments

Author: aarongable

bdns/dns.go

@@ -168,22 +168,23 @@ func (c *impl) exchangeOne(ctx context.Context, hostname string, qtype uint16) (
 	// present.
 	req.SetEdns0(4096, false)
 
-	var resp *dns.Msg
-
 	servers, err := c.servers.Addrs()
 	if err != nil {
 		return nil, "", fmt.Errorf("failed to list DNS servers: %w", err)
 	}
 
 	// Prepare to increment a latency metric no matter whether we succeed or fail.
-	// The deferred function closes over result, chosenServerIP, and tries, which
+	// The deferred function closes over resp, chosenServerIP, and tries, which
 	// are all modified in the loop below.
 	start := c.clk.Now()
 	qtypeStr := dns.TypeToString[qtype]
-	result := "failed"
-	chosenServerIP := ""
-	tries := 0
+	var (
+		resp           *dns.Msg
+		chosenServerIP string
+		tries          int
+	)
 	defer func() {
+		result := "failed"
 		if resp != nil {
 			result = dns.RcodeToString[resp.Rcode]
 		}
@@ -195,12 +196,6 @@ func (c *impl) exchangeOne(ctx context.Context, hostname string, qtype uint16) (
 		}).Observe(c.clk.Since(start).Seconds())
 	}()
 
-	type dnsRes struct {
-		resp *dns.Msg
-		err  error
-	}
-	ch := make(chan dnsRes, 1)
-
 	for i := range c.maxTries {
 		tries = i + 1
 		chosenServer := servers[i%len(servers)]
@@ -212,64 +207,61 @@ func (c *impl) exchangeOne(ctx context.Context, hostname string, qtype uint16) (
 		// and ensures that chosenServer can't be a bare port, e.g. ":1337"
 		chosenServerIP, _, err = net.SplitHostPort(chosenServer)
 		if err != nil {
-			return nil, "", err
+			return nil, chosenServer, err
 		}
 
-		go func() {
-			resp, rtt, err := c.exchanger.Exchange(req, chosenServer)
-			result := "failed"
-			if resp != nil {
-				result = dns.RcodeToString[resp.Rcode]
-			}
-			if err != nil {
-				c.log.Infof("logDNSError chosenServer=[%s] hostname=[%s] queryType=[%s] err=[%s]", chosenServer, hostname, qtypeStr, err)
-			}
-			c.queryTime.With(prometheus.Labels{
-				"qtype":    qtypeStr,
-				"result":   result,
-				"resolver": chosenServerIP,
-			}).Observe(rtt.Seconds())
-			ch <- dnsRes{resp: resp, err: err}
-		}()
-		select {
-		case <-ctx.Done():
-			switch ctx.Err() {
-			case context.DeadlineExceeded:
-				result = "deadline exceeded"
-			case context.Canceled:
-				result = "canceled"
-			default:
-				result = "unknown"
-			}
-			c.timeoutCounter.With(prometheus.Labels{
-				"qtype":    qtypeStr,
-				"result":   result,
-				"resolver": chosenServerIP,
-				"isTLD":    fmt.Sprintf("%t", !strings.Contains(hostname, ".")),
-			}).Inc()
-			return nil, "", ctx.Err()
-		case r := <-ch:
-			if r.err != nil {
-				// Check if the error is a timeout error, which we want to retry.
-				// Network errors that can timeout implement the net.Error interface.
-				var netErr net.Error
-				isRetryable := errors.As(r.err, &netErr) && netErr.Timeout()
-				hasRetriesLeft := tries < c.maxTries
-				if isRetryable && hasRetriesLeft {
-					continue
-				} else if isRetryable && !hasRetriesLeft {
-					c.timeoutCounter.With(prometheus.Labels{
-						"qtype":    qtypeStr,
-						"result":   "out of retries",
-						"resolver": chosenServerIP,
-						"isTLD":    fmt.Sprintf("%t", !strings.Contains(hostname, ".")),
-					}).Inc()
-				}
+		// Do a bare assignment (not :=) to populate the `resp` used by the defer above.
+		var rtt time.Duration
+		resp, rtt, err = c.exchanger.ExchangeContext(ctx, req, chosenServer)
+
+		// Do some metrics handling before we do error handling.
+		result := "failed"
+		if resp != nil {
+			result = dns.RcodeToString[resp.Rcode]
+		}
+		c.queryTime.With(prometheus.Labels{
+			"qtype":    qtypeStr,
+			"result":   result,
+			"resolver": chosenServerIP,
+		}).Observe(rtt.Seconds())
+
+		if err != nil {
+			c.log.Infof("logDNSError chosenServer=[%s] hostname=[%s] queryType=[%s] err=[%s]", chosenServer, hostname, qtypeStr, err)
+
+			// Check if the error is a timeout error, which we want to retry.
+			// Network errors that can timeout implement the net.Error interface.
+			var netErr net.Error
+			isRetryable := errors.As(err, &netErr) && netErr.Timeout() && !errors.Is(err, context.DeadlineExceeded)
+			hasRetriesLeft := tries < c.maxTries
+			if isRetryable && hasRetriesLeft {
+				continue
+			} else if isRetryable && !hasRetriesLeft {
+				c.timeoutCounter.With(prometheus.Labels{
+					"qtype":    qtypeStr,
+					"result":   "out of retries",
+					"resolver": chosenServerIP,
+					"isTLD":    fmt.Sprintf("%t", !strings.Contains(hostname, ".")),
+				}).Inc()
+			} else if errors.Is(err, context.DeadlineExceeded) {
+				c.timeoutCounter.With(prometheus.Labels{
+					"qtype":    qtypeStr,
+					"result":   "deadline exceeded",
+					"resolver": chosenServerIP,
+					"isTLD":    fmt.Sprintf("%t", !strings.Contains(hostname, ".")),
+				}).Inc()
+			} else if errors.Is(err, context.Canceled) {
+				c.timeoutCounter.With(prometheus.Labels{
+					"qtype":    qtypeStr,
+					"result":   "canceled",
+					"resolver": chosenServerIP,
+					"isTLD":    fmt.Sprintf("%t", !strings.Contains(hostname, ".")),
+				}).Inc()
 			}
 
-			// This is either a success or a non-retryable error; return either way.
-			return r.resp, chosenServer, r.err
+			return nil, chosenServer, err
 		}
+
+		return resp, chosenServer, nil
 	}
 
 	// It's impossible to get past the bottom of the loop: on the last attempt
@@ -286,7 +278,7 @@ func (c *impl) LookupA(ctx context.Context, hostname string) (*Result[*dns.A], s
 		return nil, resolver, err
 	}
 
-	return resultFromMsg[*dns.A](resp), resolver, wrapErr(dns.TypeA, hostname, resp, err)
+	return resultFromMsg[*dns.A](resp), resolver, nil
 }
 
 // LookupAAAA sends a DNS query to find all AAAA records associated with the
@@ -339,7 +331,7 @@ func (c *impl) LookupTXT(ctx context.Context, hostname string) (*Result[*dns.TXT
 // exchanger represents an underlying DNS client. This interface exists solely
 // so that its implementation can be swapped out in unit tests.
 type exchanger interface {
-	Exchange(m *dns.Msg, a string) (*dns.Msg, time.Duration, error)
+	ExchangeContext(ctx context.Context, m *dns.Msg, a string) (*dns.Msg, time.Duration, error)
 }
 
 // dohExchanger implements the exchanger interface. It routes all of its DNS
@@ -351,16 +343,16 @@ type dohExchanger struct {
 	userAgent string
 }
 
-// Exchange sends a DoH query to the provided DoH server and returns the response.
-func (d *dohExchanger) Exchange(query *dns.Msg, server string) (*dns.Msg, time.Duration, error) {
+// ExchangeContext sends a DoH query to the provided DoH server and returns the response.
+func (d *dohExchanger) ExchangeContext(ctx context.Context, query *dns.Msg, server string) (*dns.Msg, time.Duration, error) {
 	q, err := query.Pack()
 	if err != nil {
 		return nil, 0, err
 	}
 
 	// The default Unbound URL template
 	url := fmt.Sprintf("https://%s/dns-query", server)
-	req, err := http.NewRequest("POST", url, strings.NewReader(string(q)))
+	req, err := http.NewRequestWithContext(ctx, "POST", url, strings.NewReader(string(q)))
 	if err != nil {
 		return nil, 0, err
 	}

bdns/dns_test.go

@@ -608,7 +608,7 @@ type testExchanger struct {
 
 var errTooManyRequests = errors.New("too many requests")
 
-func (te *testExchanger) Exchange(m *dns.Msg, a string) (*dns.Msg, time.Duration, error) {
+func (te *testExchanger) ExchangeContext(_ context.Context, m *dns.Msg, a string) (*dns.Msg, time.Duration, error) {
 	te.Lock()
 	defer te.Unlock()
 	msg := &dns.Msg{
@@ -785,16 +785,13 @@ func TestRetry(t *testing.T) {
 }
 
 func TestRetryMetrics(t *testing.T) {
-	isTimeoutErr := &url.Error{Op: "read", Err: testTimeoutError(true)}
 	staticProvider, err := NewStaticProvider([]string{dnsLoopbackAddr})
 	test.AssertNotError(t, err, "Got error creating StaticProvider")
 
 	testClient := New(time.Second*10, staticProvider, metrics.NoopRegisterer, clock.NewFake(), 3, "", blog.UseMock(), tlsConfig)
 	dr := testClient.(*impl)
-	dr.exchanger = &testExchanger{errs: []error{isTimeoutErr, isTimeoutErr, nil}}
-	ctx, cancel := context.WithCancel(context.Background())
-	cancel()
-	_, _, err = dr.LookupTXT(ctx, "example.com")
+	dr.exchanger = &testExchanger{errs: []error{context.Canceled}}
+	_, _, err = dr.LookupTXT(t.Context(), "example.com")
 	if err == nil ||
 		err.Error() != "DNS problem: query timed out (and was canceled) looking up TXT for example.com" {
 		t.Errorf("expected %s, got %s", context.Canceled, err)
@@ -808,10 +805,8 @@ func TestRetryMetrics(t *testing.T) {
 
 	testClient = New(time.Second*10, staticProvider, metrics.NoopRegisterer, clock.NewFake(), 3, "", blog.UseMock(), tlsConfig)
 	dr = testClient.(*impl)
-	dr.exchanger = &testExchanger{errs: []error{isTimeoutErr, isTimeoutErr, nil}}
-	ctx, cancel = context.WithTimeout(context.Background(), -10*time.Hour)
-	defer cancel()
-	_, _, err = dr.LookupTXT(ctx, "example.com")
+	dr.exchanger = &testExchanger{errs: []error{context.DeadlineExceeded}}
+	_, _, err = dr.LookupTXT(t.Context(), "example.com")
 	if err == nil ||
 		err.Error() != "DNS problem: query timed out looking up TXT for example.com" {
 		t.Errorf("expected %s, got %s", context.DeadlineExceeded, err)
@@ -839,9 +834,9 @@ type rotateFailureExchanger struct {
 	brokenAddresses map[string]bool
 }
 
-// Exchange for rotateFailureExchanger tracks the `a` argument in `lookups` and
+// ExchangeContext for rotateFailureExchanger tracks the `a` argument in `lookups` and
 // if present in `brokenAddresses`, returns a timeout error.
-func (e *rotateFailureExchanger) Exchange(m *dns.Msg, a string) (*dns.Msg, time.Duration, error) {
+func (e *rotateFailureExchanger) ExchangeContext(_ context.Context, m *dns.Msg, a string) (*dns.Msg, time.Duration, error) {
 	e.Lock()
 	defer e.Unlock()
 
@@ -922,7 +917,7 @@ type dohAlwaysRetryExchanger struct {
 	err error
 }
 
-func (dohE *dohAlwaysRetryExchanger) Exchange(m *dns.Msg, a string) (*dns.Msg, time.Duration, error) {
+func (dohE *dohAlwaysRetryExchanger) ExchangeContext(_ context.Context, m *dns.Msg, a string) (*dns.Msg, time.Duration, error) {
 	dohE.Lock()
 	defer dohE.Unlock()
 

va/caa.go

@@ -274,12 +274,10 @@ func (va *ValidationAuthorityImpl) getCAA(ctx context.Context, hostname string)
 // validates them. If the identifier argument's value has a wildcard prefix then
 // the prefix is stripped and validation will be performed against the base
 // domain, honouring any issueWild CAA records encountered as appropriate.
-// checkCAARecords returns four values: the first is a string indicating at
+// checkCAARecords returns three values: the first is a string indicating at
 // which name (i.e. FQDN or parent thereof) CAA records were found, if any. The
-// second is a bool indicating whether issuance for the identifier is valid. The
-// unmodified *dns.CAA records that were processed/filtered are returned as the
-// third argument. Any errors encountered are returned as the fourth return
-// value (or nil).
+// second is a bool indicating whether issuance for the identifier is valid. Any
+// errors encountered are returned as the last return value (or nil).
 func (va *ValidationAuthorityImpl) checkCAARecords(
 	ctx context.Context,
 	ident identifier.ACMEIdentifier,

va/dns.go

@@ -21,11 +21,11 @@ import (
 	"github.com/letsencrypt/boulder/identifier"
 )
 
-// getAddr will query for all A/AAAA records associated with hostname and return
-// all valid addresses resolved. This is the same choice made by the Go internal
-// resolution library used by net/http. If there is an error resolving the
-// hostname, or if no usable IP addresses are available then a berrors.DNSError
-// instance is returned with a nil netip.Addr slice.
+// getAddr queries for all A/AAAA records associated with hostname, and returns
+// all valid addresses resolved and the addresses of all resolvers used. If
+// there is an error resolving the hostname, or if no usable IP addresses are
+// available then a berrors.DNSError instance is returned with a nil netip.Addr
+// slice.
 func (va ValidationAuthorityImpl) getAddrs(ctx context.Context, hostname string) ([]netip.Addr, []string, error) {
 	// Kick off both the A and AAAA lookups in parallel.
 	var wg sync.WaitGroup