Fix custom resolver implementation for Windows #255
Conversation
@adferrand Thanks for the detailed summary of the problem and a proposed PR 👍 It's a shame that the language differs in behaviour across platforms in this way.
In the past I resisted adding this dependency to Pebble. Not because of any concerns about quality (we use this dependency in both Boulder and the That said, it's already there transitively by way of
Thanks for the PR @adferrand 👍
Also note that as soon as a new version of Go allows using the native pure Go resolver, I am willing to make a new PR to revert this one.
Co-Authored-By: Bot from GolangCI <42910462+golangcibot@users.noreply.github.com>
Co-Authored-By: Jacob Hoffman-Andrews <github@hoffman-andrews.com>
OK @jsha, I improved the error handling thanks to your comments. It is true that for a newcomer to Go, the error handling in this language is quite disturbing at the beginning ^^
Thanks @adferrand
Thanks for the PR, and for the excellent and thorough description of the problem and the solution!
Pebble accepts a `--dnsserver` flag that allows selecting a custom DNS resolver to use when validating the ACME challenges. This option is critical in particular to make the certbot integration tests work.

The current implementation sets `net.DefaultResolver` to a new `net.Resolver` instance with a custom `Dial` property that consumes the value from `--dnsserver`. This allows any host to be resolved transparently through this custom DNS resolver, using a pure Go implementation of the DNS resolution API.

Sadly this approach does not work on Windows: the `--dnsserver` flag has no effect on how resolution is done, and it is always the OS mechanism that is used. One can reveal this behavior by running the following piece of code on Linux and on Windows:

This piece of code tries to resolve a non-existent domain on a non-existent DNS server at IP `4.3.2.1:404`. On Linux, you will get the following error:

That indicates that the system tried to reach the non-existent DNS server and got back a timeout exception on it.

However on Windows you will get:

This indicates that the system ignored the dummy DNS server address and contacted the OS DNS resolver, which responded that the DNS name does not exist.

One can also see the reason for this behavior on Windows in the `net` godoc, https://godoc.org/net, in particular this line in the module introduction:

In fact, the pure Go DNS resolver is not applicable on Windows: the OS DNS resolver will be used, ignoring any customization.

Several relevant discussions, in particular a proposal (not developed yet) to make the pure Go DNS resolver available on Windows:

To fix this, this PR makes Pebble switch to a different logic:

- If `--dnsserver` is not set, use the default API to resolve the names.
- If `--dnsserver` is set, use a dedicated DNS client, to avoid using the OS one both on Linux and Windows.

The DNS client is https://github.com/miekg/dns, a highly used and supported DNS library.

With these modifications, integration tests on Certbot are running correctly both on Linux and Windows.
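As an added example, not code from the PR or from Pebble itself, the probe below reproduces the check described above without network access: it builds a `net.Resolver` whose `Dial` is pointed at the `--dnsserver` address (the pre-PR approach) and records whether that `Dial` is ever consulted. The `newResolver` and `probe` helpers, the sentinel error and the host name are assumptions; instead of opening a socket the dial counts the call and fails, so on a platform where the Go resolver honours `Dial` the lookup fails with the sentinel, while a platform that silently uses the OS resolver never calls it and the flag is provably ignored.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"sync/atomic"
	"time"
)

// Sentinel returned by the custom Dial: seeing it in the lookup error proves
// the Go resolver consulted Dial instead of the OS resolver (constructed).
var errDialReached = errors.New("custom Dial reached for --dnsserver")

// newResolver mirrors the pre-PR logic: no --dnsserver means the default
// resolver; otherwise a net.Resolver whose Dial targets dnsServer. The dial
// here only counts the call and fails, so the example runs offline.
func newResolver(dnsServer string, dials *int32) *net.Resolver {
	if dnsServer == "" {
		return net.DefaultResolver
	}
	return &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			atomic.AddInt32(dials, 1)
			// A real implementation would dial dnsServer here:
			//   return (&net.Dialer{}).DialContext(ctx, network, dnsServer)
			return nil, errDialReached
		},
	}
}

// probe looks up host through a resolver pointed at dnsServer and reports
// whether the custom Dial was consulted (true: the flag is in effect;
// false: the OS resolver answered and the flag was silently ignored).
func probe(dnsServer, host string) (dialed bool, err error) {
	var dials int32
	r := newResolver(dnsServer, &dials)
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	_, err = r.LookupHost(ctx, host)
	return atomic.LoadInt32(&dials) > 0, err
}

func main() {
	// Same shape as the PR's reproduction: a dummy server and a bogus name.
	dialed, err := probe("4.3.2.1:404", "does-not-exist.example.invalid")
	fmt.Printf("custom Dial consulted: %v\nlookup error: %v\n", dialed, err)
}
```

Run it on each platform you deploy to: `custom Dial consulted: false` is the symptom the PR describes, and the same probe can sit in CI so a Go upgrade that changes resolver behaviour is noticed rather than silently altering which server answers ACME validation queries.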