resolver: err for dns-over-rustls w/o roots #2179
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
If we're setting up dns-over-rustls and find that we've constructed a Rustls root cert store that has no trust anchors, return an early error. This makes the problem obvious and avoids surfacing some other less specific error cause when we first try to validate a peer certificate with an empty root store.
In order for our new early error to be surfaced correctly the
name_sever_pool.rs
parallel_conn_loop
fn needs its error handling adjusted. Previously it would always compare the new error produced by trying to build the TLS config against the default error it starts its loop with,ProtoErrorKind::NoConnections
. Since the error being returned is anotherProtoErrorKind
that isn'tNoRecordsFound
,Io
, orTimeout
the error specificity comparison considers the two errors equivalent in the general case, and the default error was always returned and the new error thrown away.There is still a small mystery around why a more specific error from tokio-rustls isn't returned when peer validation inevitably fails. In my testing upstream we get a niceSee my comment here I think this is a side-effect of theio::Error
likeerr: Custom { kind: InvalidData, error: InvalidCertificate(UnknownIssuer) }
. I can't figure out where or why, but something in the Hickory DNS stack is reducing this down to just a simple io error with typeInvalidData
- no nested source error or message.Clone
impl onProtoErrorKind
.Updates #2066