checker: report transient mid-chain and final rcodes as Unknown, not Crit/Warn
All checks were successful
continuous-integration/drone/tag Build is passing
continuous-integration/drone/push Build is passing

SERVFAIL/REFUSED from every auth server means the record could not be
observed, not that the zone published a negative answer. Mark such rcodes
transient on TermRcode terminations and final A/AAAA lookups so chainRcodeRule
reports Unknown instead of flapping the check into Crit/Warn; definitive
NXDOMAIN answers still drive Crit (mid-chain) and Warn (final).
This commit is contained in:
nemunaire 2026-06-18 11:22:00 +09:00
commit 65687ce375
4 changed files with 65 additions and 16 deletions

View file

@ -162,14 +162,32 @@ func TestChainRcodeRule(t *testing.T) {
d.ChainTerminated = ChainTermination{Reason: TermRcode, Subject: "gone.example.com.", Rcode: "NXDOMAIN"}
assertSingle(t, run(chainRcodeRule{}, d, nil), sdk.StatusCrit)
})
t.Run("final rcode", func(t *testing.T) {
t.Run("mid-chain transient SERVFAIL", func(t *testing.T) {
// SERVFAIL from every auth server could not be observed: Unknown, not Crit.
d := apexKnownData()
d.ChainTerminated = ChainTermination{Reason: TermRcode, Subject: "flaky.example.com.", Rcode: "SERVFAIL", Transient: true}
assertSingle(t, run(chainRcodeRule{}, d, nil), sdk.StatusUnknown)
})
t.Run("final definitive rcode", func(t *testing.T) {
d := apexKnownData()
d.ChainTerminated.Reason = TermOK
d.FinalTarget = "target.example."
d.FinalRcode = "NXDOMAIN"
states := run(chainRcodeRule{}, d, nil)
if len(states) != 1 || states[0].Status != sdk.StatusWarn {
t.Fatalf("want single WARN, got %+v", states)
}
})
t.Run("final transient rcode", func(t *testing.T) {
// SERVFAIL on the final lookup could not be observed: Unknown, not Warn.
d := apexKnownData()
d.ChainTerminated.Reason = TermOK
d.FinalTarget = "target.example."
d.FinalRcode = "SERVFAIL"
d.FinalRcodeTransient = true
states := run(chainRcodeRule{}, d, nil)
if len(states) != 1 || states[0].Status != sdk.StatusWarn {
t.Fatalf("want single WARN, got %+v", states)
if len(states) != 1 || states[0].Status != sdk.StatusUnknown {
t.Fatalf("want single UNKNOWN, got %+v", states)
}
})
}