policy.TLS_FORWARD: better avoid dead addresses

2cc181ed · Vladimír Čunát · 76532284 · 2cc181ed · 2cc181ed · 2cc181ed
Verified Commit 2cc181ed authored 4 years ago by Vladimír Čunát
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,7 @@ Bugfixes
 --------
 - dnstap module: don't break request resolution on dnstap errors (!1147)
 - cache garbage collector: fix crashes introduced in 5.3.0 (!1153)
+- policy.TLS_FORWARD: better avoid dead addresses (#671, !1156)


 Knot Resolver 5.3.0 (2021-02-25)

--- a/lib/selection.c
+++ b/lib/selection.c
@@ -596,6 +596,14 @@ void error(struct kr_query *qry, struct address_state *addr_state,
 	switch (sel_error) {
 	case KR_SELECTION_OK:
 		return;
+	case KR_SELECTION_TCP_CONNECT_FAILED:
+	case KR_SELECTION_TCP_CONNECT_TIMEOUT:
+		qry->server_selection.local_state->force_udp = true;
+		qry->flags.NO_0X20 = false;
+		/* Connection and handshake failures have properties similar
+		 * to UDP timeouts, so we handle them (almost) the same way. */
+		/* fall-through */
+	case KR_SELECTION_TLS_HANDSHAKE_FAILED:
 	case KR_SELECTION_QUERY_TIMEOUT:
 		qry->server_selection.local_state->timeouts++;
 		/* Make sure that the query was chosen by this query and timeout wasn't capped
@@ -654,11 +662,6 @@ void error(struct kr_query *qry, struct address_state *addr_state,
 			qry->flags.NO_MINIMIZE = true;
 		}
 		break;
-	case KR_SELECTION_TCP_CONNECT_FAILED:
-	case KR_SELECTION_TCP_CONNECT_TIMEOUT:
-		qry->server_selection.local_state->force_udp = true;
-		qry->flags.NO_0X20 = false;
-		break;
 	case KR_SELECTION_NOTIMPL:
 	case KR_SELECTION_OTHER_RCODE:
 	case KR_SELECTION_DNSSEC_ERROR:
@@ -667,9 +670,6 @@ void error(struct kr_query *qry, struct address_state *addr_state,
 		/* These errors are fatal, no point in trying this server again. */
 		addr_state->broken = true;
 		break;
-	case KR_SELECTION_TLS_HANDSHAKE_FAILED:
-		/* These might get resolved by retrying. */
-		break;
 	default:
 		assert(0);
 		break;

--- a/lib/selection.h
+++ b/lib/selection.h
@@ -150,6 +150,7 @@ int kr_forward_add_target(struct kr_request *req, const struct sockaddr *sock);
 struct rtt_state {
 	int32_t srtt; /**< Smoothed RTT, i.e. an estimate of round-trip time. */
 	int32_t variance; /**< An estimate of RTT's standard derivation (not variance). */
+	/** Note: some TCP and TLS failures are also considered as timeouts. */
 	int32_t consecutive_timeouts;
 	/** Timestamp of pronouncing this IP bad based on KR_NS_TIMEOUT_ROW_DEAD */
 	uint64_t dead_since;