RFE #408: Retry fetching of TA after backoff time

2018-12-03 12:27:31 +01:00 · 2018-12-03 12:27:31 +01:00 · a1692359f3
parent 1e7da76901
commit a1692359f3
10 changed files with 109 additions and 12 deletions
--- a/6
+++ b/6
@ -1,7 +1,11 @@
 * 2018-??-??: Version 1.4.3
+  * RFE #408: Fetching of trust anchors will be retried
+    after failure, after a certain backoff time. The time
+    can be configured with
+    getdns_context_set_trust_anchors_backoff_time().
  * RFE #408: A "dnssec" extension that requires DNSSEC
    verification.  When this extension is set, Indeterminate
-    DNSSEC status will noging be returned.
+    DNSSEC status will not be returned.
  * Issue #410: Unspecified ownership of get_api_information()
  * Fix for DNSSEC bug in finding most specific key when
    trust anchor proves non-existance of one of the labels
--- a/src/anchor.c
+++ b/src/anchor.c
@ -923,6 +923,8 @@ static void tas_fail(getdns_context *context, tas_connection *a)
 		DEBUG_ANCHOR("Fatal error fetching trust anchor: "
 		             "%s connection failed too\n", rt_str(rt));
 		context->trust_anchors_source = GETDNS_TASRC_FAILED;
+		context->trust_anchors_backoff_expiry = 
+		    _getdns_get_now_ms() + context->trust_anchors_backoff_time;
 		_getdns_ta_notify_dnsreqs(context);
 	} else
 		DEBUG_ANCHOR("%s connection failed, waiting for %s\n"
@ -1510,7 +1512,8 @@ static void _tas_hostname_lookup_cb(getdns_dns_req *dnsreq)
 	tas_fail(context, a);
 }

-void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop)
+void _getdns_start_fetching_ta(
+    getdns_context *context, getdns_eventloop *loop, uint64_t *now_ms)
 {
 	getdns_return_t r;
 	size_t scheduled;
@ -1587,6 +1590,13 @@ void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop)
 		             "schedule address requests for %s\n"
 		            , tas_hostname);
 		context->trust_anchors_source = GETDNS_TASRC_FAILED;
+		if (now_ms) {
+			if (*now_ms == 0) *now_ms = _getdns_get_now_ms();
+			context->trust_anchors_backoff_expiry = 
+			    *now_ms + context->trust_anchors_backoff_time;
+		} else
+			context->trust_anchors_backoff_expiry = 
+			    _getdns_get_now_ms() + context->trust_anchors_backoff_time;
 		_getdns_ta_notify_dnsreqs(context);
 	} else
 		context->trust_anchors_source = GETDNS_TASRC_FETCHING;
--- a/src/anchor.h
+++ b/src/anchor.h
@ -41,7 +41,8 @@

 void _getdns_context_equip_with_anchor(getdns_context *context, uint64_t *now_ms);

-void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop);
+void _getdns_start_fetching_ta(
+    getdns_context *context, getdns_eventloop *loop, uint64_t *now_ms);

 #define MAX_KSKS        16
 #define RRSIG_RDATA_LEN 16
--- a/src/const-info.c
+++ b/src/const-info.c
@ -96,6 +96,7 @@ static struct const_info consts_info[] = {
 	{     635, "GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES", GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES_TEXT },
 	{     636, "GETDNS_CONTEXT_CODE_TLS_MIN_VERSION", GETDNS_CONTEXT_CODE_TLS_MIN_VERSION_TEXT },
 	{     637, "GETDNS_CONTEXT_CODE_TLS_MAX_VERSION", GETDNS_CONTEXT_CODE_TLS_MAX_VERSION_TEXT },
+	{     638, "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_BACKOFF_TIME", GETDNS_CONTEXT_CODE_TRUST_ANCHORS_BACKOFF_TIME_TEXT },
 	{     699, "GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE", GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE_TEXT },
 	{     700, "GETDNS_CALLBACK_COMPLETE", GETDNS_CALLBACK_COMPLETE_TEXT },
 	{     701, "GETDNS_CALLBACK_CANCEL", GETDNS_CALLBACK_CANCEL_TEXT },
@ -205,6 +206,7 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_CONTEXT_CODE_TLS_MAX_VERSION", 637 },
 	{ "GETDNS_CONTEXT_CODE_TLS_MIN_VERSION", 636 },
 	{ "GETDNS_CONTEXT_CODE_TLS_QUERY_PADDING_BLOCKSIZE", 620 },
+	{ "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_BACKOFF_TIME", 638 },
 	{ "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_URL", 625 },
 	{ "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_VERIFY_CA", 626 },
 	{ "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_VERIFY_EMAIL", 627 },
--- a/src/context.c
+++ b/src/context.c
@ -1593,6 +1593,7 @@ getdns_context_create_with_extended_memory_functions(
 	result->trust_anchors_url = NULL;
 	result->trust_anchors_verify_email = NULL;
 	result->trust_anchors_verify_CA = NULL;
+	result->trust_anchors_backoff_time = 2500;
 	result->appdata_dir = NULL;
 	result->tls_ca_path = NULL;
 	result->tls_ca_file = NULL;
@ -4026,6 +4027,8 @@ _get_context_settings(getdns_context* context)
 	                           context->tls_query_padding_blocksize)
 	    || getdns_dict_set_int(result, "resolution_type",
 	                           context->resolution_type)
+	    || getdns_dict_set_int(result, "trust_anchors_backoff_time",
+	                           context->trust_anchors_backoff_time)
 	    )
 		goto error;
 	
@ -4960,6 +4963,7 @@ _getdns_context_config_setting(getdns_context *context,
 	CONTEXT_SETTING_STRING(trust_anchors_url)
 	CONTEXT_SETTING_STRING(trust_anchors_verify_CA)
 	CONTEXT_SETTING_STRING(trust_anchors_verify_email)
+	CONTEXT_SETTING_INT(trust_anchors_backoff_time)
 	CONTEXT_SETTING_STRING(appdata_dir)
 #ifndef USE_WINSOCK
 	CONTEXT_SETTING_STRING(resolvconf)
@ -5430,6 +5434,32 @@ getdns_context_get_trust_anchors_verify_email(
 	return GETDNS_RETURN_GOOD;
 }

+getdns_return_t
+getdns_context_set_trust_anchors_backoff_time(
+    getdns_context *context, uint64_t backoff_time)
+{
+	if (!context)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	context->trust_anchors_backoff_time = backoff_time;
+	if (context->trust_anchors_source == GETDNS_TASRC_FAILED)
+		context->trust_anchors_source = GETDNS_TASRC_NONE;
+	dispatch_updated( context
+	                , GETDNS_CONTEXT_CODE_TRUST_ANCHORS_BACKOFF_TIME);
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t
+getdns_context_get_trust_anchors_backoff_time(
+    getdns_context *context, uint64_t *backoff_time)
+{
+	if (!backoff_time)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	*backoff_time = context->trust_anchors_backoff_time;
+	return GETDNS_RETURN_GOOD;
+}
+
 getdns_return_t
 getdns_context_set_appdata_dir(
    getdns_context *context, const char *appdata_dir)
--- a/src/context.h
+++ b/src/context.h
@ -269,7 +269,7 @@ typedef struct getdns_upstreams {
 	size_t count;
 	size_t current_udp;
 	size_t current_stateful;
-    uint16_t max_backoff_value;
+	uint16_t max_backoff_value;
 	uint16_t tls_backoff_time;
 	uint16_t tls_connection_retries;
 	getdns_log_config log;
@ -347,6 +347,8 @@ struct getdns_context {
 	char                 *trust_anchors_url;
 	char                 *trust_anchors_verify_CA;
 	char                 *trust_anchors_verify_email;
+	uint64_t              trust_anchors_backoff_time;
+	uint64_t              trust_anchors_backoff_expiry;

 	_getdns_ksks          root_ksk;

--- a/src/dnssec.c
+++ b/src/dnssec.c
@ -3302,11 +3302,11 @@ static void check_chain_complete(chain_head *chain)

 			DEBUG_ANCHOR("root DNSKEY set was bogus!\n");
 			if (!dnsreq->waiting_for_ta) {
-				uint64_t now = 0;
+				uint64_t now_ms = 0;

 				dnsreq->waiting_for_ta = 1;
 				_getdns_context_equip_with_anchor(
-				    context, &now);
+				    context, &now_ms);

 				if (context->trust_anchors_source
 				    == GETDNS_TASRC_XML) {
@ -3314,9 +3314,19 @@ static void check_chain_complete(chain_head *chain)
 					check_chain_complete(chain);
 					return;
 				}
-				_getdns_start_fetching_ta(
-				    context,  dnsreq->loop);
-
+				if (context->trust_anchors_source ==
+						GETDNS_TASRC_FAILED
+				&& 0 == _getdns_ms_until_expiry2(
+				    context->trust_anchors_backoff_expiry,
+				    &now_ms)) {
+					context->trust_anchors_source =
+					    GETDNS_TASRC_NONE;
+				}
+				if (context->trust_anchors_source
+				!=  GETDNS_TASRC_FAILED) {
+					_getdns_start_fetching_ta(
+					    context,  dnsreq->loop, &now_ms);
+				}
 				if (dnsreq->waiting_for_ta &&
 				    context->trust_anchors_source
 				    == GETDNS_TASRC_FETCHING) {
--- a/src/general.c
+++ b/src/general.c
@ -595,13 +595,18 @@ getdns_general_ns(getdns_context *context, getdns_eventloop *loop,
 	_getdns_context_track_outbound_request(req);

 	if (req->dnssec_extension_set) {
+		if (context->trust_anchors_source == GETDNS_TASRC_FAILED
+		&&  _getdns_ms_until_expiry2(
+		    context->trust_anchors_backoff_expiry, &now_ms) == 0) {
+			context->trust_anchors_source = GETDNS_TASRC_NONE;
+		}
 		if (context->trust_anchors_source == GETDNS_TASRC_XML_UPDATE)
-			_getdns_start_fetching_ta(context, loop);
+			_getdns_start_fetching_ta(context, loop, &now_ms);

 		else if (context->trust_anchors_source == GETDNS_TASRC_NONE) {
 			_getdns_context_equip_with_anchor(context, &now_ms);
 			if (context->trust_anchors_source == GETDNS_TASRC_NONE) {
-				_getdns_start_fetching_ta(context, loop);
+				_getdns_start_fetching_ta(context, loop, &now_ms);
 			}
 		}
 	}
--- a/src/getdns/getdns_extra.h.in
+++ b/src/getdns/getdns_extra.h.in
@ -108,7 +108,8 @@ extern "C" {
 #define GETDNS_CONTEXT_CODE_TLS_MIN_VERSION_TEXT "Change related to getdns_context_set_tls_min_version"
 #define GETDNS_CONTEXT_CODE_TLS_MAX_VERSION 637
 #define GETDNS_CONTEXT_CODE_TLS_MAX_VERSION_TEXT "Change related to getdns_context_set_tls_max_version"
-
+#define GETDNS_CONTEXT_CODE_TRUST_ANCHORS_BACKOFF_TIME 638
+#define GETDNS_CONTEXT_CODE_TRUST_ANCHORS_BACKOFF_TIME_TEXT "Change related to getdns_context_set_trust_anchors_backoff_time"


 /** @}
@ -702,6 +703,22 @@ getdns_return_t
 getdns_context_set_trust_anchors_verify_email(
    getdns_context *context, const char *verify_email);

+/**
+ * Configure the amount of milliseconds the trust anchors should not be tried
+ * to be fetched after failure.  Default is 2500 which is two and a half seconds.
+ * Setting the trust anchors backoff time will cause fetching to be retried
+ * immediatly.
+ * @see getdns_context_get_trust_anchors_backoff_time
+ * @param context The context to configure
+ * @param value Number of milliseconds before fetch trust anchors
+ *              will be retried.
+ * @return GETDNS_RETURN_GOOD on success
+ * @return GETDNS_RETURN_INVALID_PARAMETER if context is null.
+ */
+getdns_return_t
+getdns_context_set_trust_anchors_backoff_time(
+    getdns_context *context, uint64_t value);
+
 /**
 * Initialized the context's upstream recursive servers and suffixes
 * with the values from the given resolv.conf file.
@ -1316,6 +1333,20 @@ getdns_return_t
 getdns_context_get_trust_anchors_verify_email(
    getdns_context *context, const char **verify_email);

+/**
+ * Get the amount of milliseconds the trust anchors will not be tried to be
+ * fetched after failure.
+ * @see getdns_context_set_trust_anchors_backoff_time
+ * @param context The context to configure
+ * @param value Number of milliseconds before fetch trust anchors
+ *              will be retried.
+ * @return GETDNS_RETURN_GOOD on success
+ * @return GETDNS_RETURN_INVALID_PARAMETER if context is null.
+ */
+getdns_return_t
+getdns_context_get_trust_anchors_backoff_time(
+    getdns_context *context, uint64_t *value);
+
 /**
 * Get the value with which the context's upstream recursive servers
 * and suffixes were initialized.
--- a/src/libgetdns.symbols
+++ b/src/libgetdns.symbols
@ -43,6 +43,7 @@ getdns_context_get_tls_curves_list
 getdns_context_get_tls_max_version
 getdns_context_get_tls_min_version
 getdns_context_get_tls_query_padding_blocksize
+getdns_context_get_trust_anchors_backoff_time
 getdns_context_get_trust_anchors_url
 getdns_context_get_trust_anchors_verify_CA
 getdns_context_get_trust_anchors_verify_email
@ -90,6 +91,7 @@ getdns_context_set_tls_curves_list
 getdns_context_set_tls_max_version
 getdns_context_set_tls_min_version
 getdns_context_set_tls_query_padding_blocksize
+getdns_context_set_trust_anchors_backoff_time
 getdns_context_set_trust_anchors_url
 getdns_context_set_trust_anchors_verify_CA
 getdns_context_set_trust_anchors_verify_email