checker: report chain transport errors as Unknown, not Warn

A transport-level query failure (connection refused, timeout, network
unreachable) means the alias state could not be observed, not that the
alias is misconfigured. Mapping it to Warn made the check flap whenever a
flaky auth server alternated between refusing connections (Warn) and
answering SERVFAIL (Crit). Report TermQueryErr as Unknown so only
definitive DNS evidence drives Warn/Crit.
nemunaire 2026-06-18 09:30:01 +09:00
commit 680a7735f0
2 changed files with 8 additions and 4 deletions

@ -125,7 +125,7 @@ func TestChainQueryErrorRule(t *testing.T) {
t.Run("query err", func(t *testing.T) {
d := apexKnownData()
d.ChainTerminated = ChainTermination{Reason: TermQueryErr, Subject: "broken.example.com.", Detail: "timeout"}
assertSingle(t, run(chainQueryErrorRule{}, d, nil), sdk.StatusWarn)
assertSingle(t, run(chainQueryErrorRule{}, d, nil), sdk.StatusUnknown)
})
}
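
Review bot: The "query err" subtest pins the new sdk.StatusUnknown result only for Detail: "timeout", while the commit message names connection refused and network unreachable as transport failures that must be reported the same way. Consider making this subtest table-driven over those Detail values with the same TermQueryErr reason, so that a later change which branches on the detail string cannot quietly bring back Warn for one of them. If assertSingle does not already check it, it would also be worth asserting that the Subject ("broken.example.com.") still appears in the reported state, since an Unknown result with no subject gives an operator little to act on.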