apexLookupRule mapped every findApex failure to Crit, including transport and resolver faults like "lookup nemunai.re on 127.0.0.11:53: server misbehaving" — a flaky recursive resolver, not a broken delegation. That made the check flap into Crit whenever the resolver hiccuped, the same class of false negative the chain path already fixed. Mark apex-lookup failures that stem from a transport/resolver fault (resolveZoneNSAddrs net errors, recursiveExchange transport errors, and SERVFAIL/REFUSED seen during the SOA walk) as transient via a typed error, surface it as ApexLookupTransient, and have apexLookupRule report Unknown for those. Definitive failures (NXDOMAIN-only walk, no resolvable NS) still drive Crit. |
||
|---|---|---|
| .. | ||
| collect.go | ||
| definition.go | ||
| dns.go | ||
| dns_test.go | ||
| interactive.go | ||
| provider.go | ||
| report.go | ||
| rules_apex.go | ||
| rules_chain.go | ||
| rules_coexistence.go | ||
| rules_common.go | ||
| rules_dnssec.go | ||
| rules_test.go | ||
| types.go | ||