Remove CAA SERVFAIL exceptions code (letsencrypt#3262)

Roland Bracewell Shoemaker · jsha · commit bdea281ae07b · 2017-12-05T14:39:37.000-08:00
Fixes letsencrypt#3080.
diff --git a/bdns/dns.go b/bdns/dns.go
@@ -2,7 +2,6 @@ package bdns
 
 import (
 	"fmt"
-	"io/ioutil"
 	"math/rand"
 	"net"
 	"strings"
@@ -157,11 +156,8 @@ type DNSClientImpl struct {
 	dnsClient                exchanger
 	servers                  []string
 	allowRestrictedAddresses bool
-	// If non-nil, these are already-issued names whose registrar returns SERVFAIL
-	// for CAA queries that get a temporary pass during a notification period.
-	caaSERVFAILExceptions map[string]bool
-	maxTries              int
-	clk                   clock.Clock
+	maxTries                 int
+	clk                      clock.Clock
 
 	queryTime             *prometheus.HistogramVec
 	totalLookupTime       *prometheus.HistogramVec
@@ -180,7 +176,6 @@ type exchanger interface {
 func NewDNSClientImpl(
 	readTimeout time.Duration,
 	servers []string,
-	caaSERVFAILExceptions map[string]bool,
 	stats metrics.Scope,
 	clk clock.Clock,
 	maxTries int,
@@ -230,7 +225,6 @@ func NewDNSClientImpl(
 		dnsClient:                dnsClient,
 		servers:                  servers,
 		allowRestrictedAddresses: false,
-		caaSERVFAILExceptions:    caaSERVFAILExceptions,
 		maxTries:                 maxTries,
 		clk:                      clk,
 		queryTime:                queryTime,
@@ -244,7 +238,7 @@ func NewDNSClientImpl(
 // provided list of DNS servers for resolution and will allow loopback addresses.
 // This constructor should *only* be called from tests (unit or integration).
 func NewTestDNSClientImpl(readTimeout time.Duration, servers []string, stats metrics.Scope, clk clock.Clock, maxTries int) *DNSClientImpl {
-	resolver := NewDNSClientImpl(readTimeout, servers, nil, stats, clk, maxTries)
+	resolver := NewDNSClientImpl(readTimeout, servers, stats, clk, maxTries)
 	resolver.allowRestrictedAddresses = true
 	return resolver
 }
@@ -450,19 +444,8 @@ func (dnsClient *DNSClientImpl) LookupCAA(ctx context.Context, hostname string)
 		return nil, &DNSError{dnsType, hostname, err, -1}
 	}
 
-	// If the resolver returns SERVFAIL for a certain list of FQDNs, return an
-	// empty set and no error. We originally granted a pass on SERVFAIL because
-	// Cloudflare's DNS, which is behind a lot of hostnames, returned that code.
-	// That is since fixed, but we have a handful of other domains that still return
-	// SERVFAIL, but will need certificate renewals. After a suitable notice
-	// period we will remove these exceptions.
 	if r.Rcode == dns.RcodeServerFailure {
-		if dnsClient.caaSERVFAILExceptions == nil ||
-			dnsClient.caaSERVFAILExceptions[hostname] {
-			return nil, nil
-		} else {
-			return nil, &DNSError{dnsType, hostname, nil, r.Rcode}
-		}
+		return nil, &DNSError{dnsType, hostname, nil, r.Rcode}
 	}
 
 	var CAAs []*dns.CAA
@@ -495,22 +478,3 @@ func (dnsClient *DNSClientImpl) LookupMX(ctx context.Context, hostname string) (
 
 	return results, nil
 }
-
-// ReadHostList reads in a newline-separated file and returns a map containing
-// each entry. If the filename is empty, returns a nil map and no error.
-func ReadHostList(filename string) (map[string]bool, error) {
-	if filename == "" {
-		return nil, nil
-	}
-	body, err := ioutil.ReadFile(filename)
-	if err != nil {
-		return nil, err
-	}
-	var output = make(map[string]bool)
-	for _, v := range strings.Split(string(body), "\n") {
-		if len(v) > 0 {
-			output[v] = true
-		}
-	}
-	return output, nil
-}
diff --git a/bdns/dns_test.go b/bdns/dns_test.go
@@ -292,22 +292,9 @@ func TestDNSServFail(t *testing.T) {
 	_, err = obj.LookupHost(context.Background(), bad)
 	test.AssertError(t, err, "LookupHost didn't return an error")
 
-	// CAA lookup ignores validation failures from the resolver for now
-	// and returns an empty list of CAA records.
 	emptyCaa, err := obj.LookupCAA(context.Background(), bad)
 	test.Assert(t, len(emptyCaa) == 0, "Query returned non-empty list of CAA records")
-	test.AssertNotError(t, err, "LookupCAA returned an error")
-
-	// When we turn on enforceCAASERVFAIL, such lookups should fail.
-	obj.caaSERVFAILExceptions = map[string]bool{"servfailexception.example.com": true}
-	emptyCaa, err = obj.LookupCAA(context.Background(), bad)
-	test.Assert(t, len(emptyCaa) == 0, "Query returned non-empty list of CAA records")
 	test.AssertError(t, err, "LookupCAA should have returned an error")
-
-	// Unless they are on the exception list
-	emptyCaa, err = obj.LookupCAA(context.Background(), "servfailexception.example.com")
-	test.Assert(t, len(emptyCaa) == 0, "Query returned non-empty list of CAA records")
-	test.AssertNotError(t, err, "LookupCAA for servfail exception returned an error")
 }
 
 func TestDNSLookupTXT(t *testing.T) {
@@ -666,23 +653,3 @@ type tempError bool
 
 func (t tempError) Temporary() bool { return bool(t) }
 func (t tempError) Error() string   { return fmt.Sprintf("Temporary: %t", t) }
-
-func TestReadHostList(t *testing.T) {
-	res, err := ReadHostList("")
-	if res != nil {
-		t.Errorf("Expected res to be nil")
-	}
-	if err != nil {
-		t.Errorf("Expected err to be nil: %s", err)
-	}
-	res, err = ReadHostList("../test/caa-servfail-exceptions.txt")
-	if err != nil {
-		t.Errorf("Expected err to be nil: %s", err)
-	}
-	if len(res) != 1 {
-		t.Errorf("Wrong size of host list: %d", len(res))
-	}
-	if res["servfailexception.example.com"] != true {
-		t.Errorf("Didn't find servfailexception.example.com in list")
-	}
-}
diff --git a/cmd/boulder-ra/main.go b/cmd/boulder-ra/main.go
@@ -194,7 +194,6 @@ func main() {
 		rai.DNSClient = bdns.NewDNSClientImpl(
 			raDNSTimeout,
 			[]string{c.Common.DNSResolver},
-			nil,
 			scope,
 			cmd.Clock(),
 			dnsTries)
diff --git a/cmd/boulder-va/main.go b/cmd/boulder-va/main.go
@@ -33,9 +33,6 @@ type config struct {
 		// will be turned into 1.
 		DNSTries int
 
-		// Feature flag to enable enforcement of CAA SERVFAILs.
-		CAASERVFAILExceptions string
-
 		RemoteVAs                   []cmd.GRPCClientConfig
 		MaxRemoteValidationFailures int
 
@@ -95,14 +92,11 @@ func main() {
 		dnsTries = 1
 	}
 	clk := cmd.Clock()
-	caaSERVFAILExceptions, err := bdns.ReadHostList(c.VA.CAASERVFAILExceptions)
-	cmd.FailOnError(err, "Couldn't read CAASERVFAILExceptions file")
 	var resolver bdns.DNSClient
 	if !c.Common.DNSAllowLoopbackAddresses {
 		r := bdns.NewDNSClientImpl(
 			dnsTimeout,
 			[]string{c.Common.DNSResolver},
-			caaSERVFAILExceptions,
 			scope,
 			clk,
 			dnsTries)
diff --git a/test/caa-servfail-exceptions.txt b/test/caa-servfail-exceptions.txt
diff --git a/test/config-next/va.json b/test/config-next/va.json
@@ -1,6 +1,5 @@
 {
   "va": {
-    "CAASERVFAILExceptions": "test/caa-servfail-exceptions.txt",
     "userAgent": "boulder",
     "debugAddr": ":8004",
     "portConfig": {
diff --git a/test/config/va.json b/test/config/va.json
@@ -1,6 +1,5 @@
 {
   "va": {
-    "CAASERVFAILExceptions": "test/caa-servfail-exceptions.txt",
     "userAgent": "boulder",
     "debugAddr": ":8004",
     "portConfig": {

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,5 @@`
`1`	`1`	`{`
`2`	`2`	`"va": {`
`3`		`- "CAASERVFAILExceptions": "test/caa-servfail-exceptions.txt",`
`4`	`3`	`"userAgent": "boulder",`
`5`	`4`	`"debugAddr": ":8004",`
`6`	`5`	`"portConfig": {`