resolver: err for dns-over-rustls w/o roots

If we find that we've constructed a Rustls root cert store that has no
trust anchors, return an early error. This makes the problem obvious
and avoids surfacing some other less specific error cause when we first
try to validate a peer certificate with an empty root store.

In order for our new early error to be surfaced correctly the
`name_server_pool.rs` `parallel_conn_loop` fn needs its error handling
adjusted. Previously it would always compare the new error produced by
trying to build the TLS config against the default error it starts its
loop with, `ProtoErrorKind::NoConnections`. Since the error being
returned is another `ProtoErrorKind`, and the error specificity
comparison considers two `ProtoErrorKinds` equivalent in the general
case, the default error was always returned and the new error thrown
away.
cpu authored and djc committed Apr 14, 2024
1 parent 2e84c11 commit 5aeb1d0
Showing 2 changed files with 16 additions and 0 deletions.
6 changes: 6 additions & 0 deletions crates/resolver/src/name_server/name_server_pool.rs
Expand Up @@ -382,6 +382,12 @@ where
_ if e.is_busy() => {
busy.push(conn);
}
// If our current error is the default err we start with, replace it with the
// new error under consideration. It was produced trying to make a connection
// and is more specific than the default.
_ if matches!(err.kind(), ProtoErrorKind::NoConnections) => {
err = e;
}
_ if err.cmp_specificity(&e) == Ordering::Less => {
err = e;
}
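Review bot: The new `_ if matches!(err.kind(), ProtoErrorKind::NoConnections)` arm fixes the lost error at this one call site only, while the cause described in the commit message (two `ProtoErrorKind` values comparing as equal in `cmp_specificity`) is left in place, so any other caller that starts from a `NoConnections` default would still discard the more specific error. Consider ranking `NoConnections` lowest inside `cmp_specificity` itself, or, if the local arm is preferred, add a regression test for `parallel_conn_loop` asserting that a connection-setup error is returned instead of `NoConnections`; none of the 16 added lines is a test. The arm's position after the `e.is_busy()` guard is right, since busy connections must still be pushed to `busy` and not overwrite `err`.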
10 changes: 10 additions & 0 deletions crates/resolver/src/tls/dns_over_rustls.rs
Expand Up @@ -59,6 +59,16 @@ pub(crate) static CLIENT_CONFIG: Lazy<Result<Arc<ClientConfig>, ProtoError>> = L
)
}));

// If by the time we reach this point the root store remains empty then
// our feature config hasn't resulted in a populated root store. Return an
// early error rather than trying to validate a peer certificate without any
// trust anchors.
if root_store.is_empty() {
return Err(ProtoError::from(
"no root certificates configured: you must enable the webpki-roots or native-certs feature".to_owned(),
));
}

let mut client_config = ClientConfig::builder()
.with_safe_default_cipher_suites()
.with_safe_default_kx_groups()
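Review bot: The early return at `if root_store.is_empty()` builds its error from a bare string, so callers can only recognise this misconfiguration by matching on message text; a dedicated `ProtoErrorKind` variant would let them handle it explicitly and would give `cmp_specificity` something concrete to rank. The message also asserts a single cause ("you must enable the webpki-roots or native-certs feature"): if the store can still be empty with one of those features enabled, the text would misdirect the operator, so wording such as "no root certificates available" followed by the feature hint would be safer. Because the check sits inside the `Lazy` initialiser of `CLIENT_CONFIG`, the `Err` is computed once and returned for the lifetime of the process; a short comment noting that would help readers.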