HIVE-3134: Use native golang DNS capabilities instead of pulling in a library

go.mod

@@ -27,7 +27,6 @@ require (
 	github.com/heptio/velero v1.0.0
 	github.com/jonboulle/clockwork v0.5.0
 	github.com/json-iterator/go v1.1.12
-	github.com/miekg/dns v1.1.35
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/gomega v1.38.2

go.sum

@@ -769,8 +769,6 @@ github.com/microsoftgraph/msgraph-sdk-go v0.59.0 h1:gS/rWZVpQGT3gaR01MWTaH85cISj
 github.com/microsoftgraph/msgraph-sdk-go v0.59.0/go.mod h1:RBrQLknmiglNeL5QarizkazPxs10ONHY/CUtNK9bzkI=
 github.com/microsoftgraph/msgraph-sdk-go-core v0.34.1 h1:tGDR/Je5mnf4Kn01w8/5HyywPL07JonFfe6Ip0w7a08=
 github.com/microsoftgraph/msgraph-sdk-go-core v0.34.1/go.mod h1:28uAIh5Oa9x4yfiKCrjTbG+1hikkf82jEzSKb7gC+Dg=
-github.com/miekg/dns v1.1.35 h1:oTfOaDH+mZkdcgdIjH6yBajRGtIwcwcaR+rt23ZSrJs=
-github.com/miekg/dns v1.1.35/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
@@ -1191,7 +1189,6 @@ golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
@@ -1238,7 +1235,6 @@ golang.org/x/sys v0.0.0-20190419153524-e8e3143a4f4a/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190531175056-4c3a928424d2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1302,7 +1298,6 @@ golang.org/x/tools v0.0.0-20190416151739-9c9e1878f421/go.mod h1:LCzVGOaR6xXOjkQ3
 golang.org/x/tools v0.0.0-20190420181800-aa740d480789/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190531172133-b3315ee88b7d/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200324003944-a576cf524670/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
 golang.org/x/tools v0.0.0-20200329025819-fd4102a86c65/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=

pkg/controller/dnszone/dnszone_controller.go

@@ -3,12 +3,12 @@ package dnszone
 import (
 	"context"
 	"fmt"
+	"net"
 	"os"
 	"reflect"
 	"strings"
 	"time"
 
-	"github.com/miekg/dns"
 	"github.com/pkg/errors"
 	"github.com/prometheus/client_golang/prometheus"
 	log "github.com/sirupsen/logrus"
@@ -40,7 +40,6 @@ const (
 	zoneResyncDuration              = 2 * time.Hour
 	domainAvailabilityCheckInterval = 30 * time.Second
 	dnsClientTimeout                = 30 * time.Second
-	resolverConfigFile              = "/etc/resolv.conf"
 	zoneCheckDNSServersEnvVar       = "ZONE_CHECK_DNS_SERVERS"
 	accessDeniedReason              = "AccessDenied"
 	accessGrantedReason             = "AccessGranted"
@@ -80,9 +79,9 @@ func Add(mgr manager.Manager) error {
 // newReconciler returns a new reconcile.Reconciler
 func newReconciler(mgr manager.Manager, rateLimiter flowcontrol.RateLimiter) *ReconcileDNSZone {
 	return &ReconcileDNSZone{
-		Client:    controllerutils.NewClientWithMetricsOrDie(mgr, ControllerName, &rateLimiter),
-		logger:    log.WithField("controller", ControllerName),
-		soaLookup: lookupSOARecord,
+		Client:   controllerutils.NewClientWithMetricsOrDie(mgr, ControllerName, &rateLimiter),
+		logger:   log.WithField("controller", ControllerName),
+		nsLookup: lookupNSRecord,
 	}
 }
 
@@ -124,8 +123,8 @@ type ReconcileDNSZone struct {
 
 	logger log.FieldLogger
 
-	// soaLookup is a function that looks up a zone's SOA record
-	soaLookup func(string, log.FieldLogger) (bool, error)
+	// nsLookup is a function that looks up a zone's NS record
+	nsLookup func(string, log.FieldLogger) (bool, error)
 }
 
 // Reconcile reads that state of the cluster for a DNSZone object and makes changes based on the state read
@@ -328,18 +327,18 @@ func (r *ReconcileDNSZone) reconcileDNSProvider(actuator Actuator, dnsZone *hive
 		return reconcile.Result{}, err
 	}
 
-	isZoneSOAAvailable, err := r.soaLookup(dnsZone.Spec.Zone, logger)
+	isZoneNSAvailable, err := r.nsLookup(dnsZone.Spec.Zone, logger)
 	if err != nil {
-		logger.WithError(err).Error("error looking up SOA record for zone")
+		logger.WithError(err).Error("error looking up NS record for zone")
 	}
 
 	reconcileResult := reconcile.Result{}
-	if !isZoneSOAAvailable {
-		logger.Info("SOA record for DNS zone not available")
+	if !isZoneNSAvailable {
+		logger.Info("NS record for DNS zone not available")
 		reconcileResult.RequeueAfter = domainAvailabilityCheckInterval
 	}
 
-	return reconcileResult, r.updateStatus(nameServers, isZoneSOAAvailable, dnsZone, logger)
+	return reconcileResult, r.updateStatus(nameServers, isZoneNSAvailable, dnsZone, logger)
 }
 
 func (r *ReconcileDNSZone) removeDNSZoneFinalizer(dnsZone *hivev1.DNSZone, logger log.FieldLogger) error {
@@ -439,25 +438,25 @@ func (r *ReconcileDNSZone) getActuator(dnsZone *hivev1.DNSZone, dnsLog log.Field
 	return nil, errors.New("unable to determine which actuator to use")
 }
 
-func (r *ReconcileDNSZone) updateStatus(nameServers []string, isSOAAvailable bool, dnsZone *hivev1.DNSZone, logger log.FieldLogger) error {
+func (r *ReconcileDNSZone) updateStatus(nameServers []string, isNSAvailable bool, dnsZone *hivev1.DNSZone, logger log.FieldLogger) error {
 	orig := dnsZone.DeepCopy()
 
 	dnsZone.Status.NameServers = nameServers
 
 	var availableStatus corev1.ConditionStatus
 	var availableReason, availableMessage string
-	if isSOAAvailable {
+	if isNSAvailable {
 		// We need to keep track of the last time we synced to rate limit our dns provider calls.
 		tmpTime := metav1.Now()
 		dnsZone.Status.LastSyncTimestamp = &tmpTime
 
 		availableStatus = corev1.ConditionTrue
 		availableReason = "ZoneAvailable"
-		availableMessage = "DNS SOA record for zone is reachable"
+		availableMessage = "DNS NS record for zone is reachable"
 	} else {
 		availableStatus = corev1.ConditionFalse
 		availableReason = "ZoneUnavailable"
-		availableMessage = "DNS SOA record for zone is not reachable"
+		availableMessage = "DNS NS record for zone is not reachable"
 	}
 	dnsZone.Status.LastSyncGeneration = dnsZone.ObjectMeta.Generation
 	dnsZone.Status.Conditions = controllerutils.SetDNSZoneCondition(
@@ -479,55 +478,50 @@ func (r *ReconcileDNSZone) updateStatus(nameServers []string, isSOAAvailable boo
 	return nil
 }
 
-func lookupSOARecord(zone string, logger log.FieldLogger) (bool, error) {
-	// TODO: determine if there's a better way to obtain resolver endpoints
-	clientConfig, _ := dns.ClientConfigFromFile(resolverConfigFile)
-	client := dns.Client{Timeout: dnsClientTimeout}
+func lookupNSRecord(zone string, logger log.FieldLogger) (bool, error) {
+	resolver := net.DefaultResolver
 
-	dnsServers := []string{}
 	serversFromEnv := os.Getenv(zoneCheckDNSServersEnvVar)
 	if len(serversFromEnv) > 0 {
-		dnsServers = strings.Split(serversFromEnv, ",")
+		dnsServers := strings.Split(serversFromEnv, ",")
 		// Add port to servers with unspecified port
 		for i := range dnsServers {
 			if !strings.Contains(dnsServers[i], ":") {
 				dnsServers[i] = dnsServers[i] + ":53"
 			}
 		}
-	} else {
-		for _, s := range clientConfig.Servers {
-			dnsServers = append(dnsServers, fmt.Sprintf("%s:%s", s, clientConfig.Port))
+		logger.WithField("servers", dnsServers).Info("looking up zone NS records")
+		resolver = &net.Resolver{
+			PreferGo: true,
+			Dial: func(ctx context.Context, network, address string) (net.Conn, error) {
+				d := net.Dialer{}
+				for _, s := range dnsServers {
+					conn, err := d.DialContext(ctx, "udp", s)
+					if err == nil {
+						return conn, nil
+					}
+					logger.WithError(err).WithField("server", s).Info("failed to connect to DNS server")
+				}
+				return nil, fmt.Errorf("failed to connect to any configured DNS server")
+			},
 		}
+	} else {
+		logger.Info("looking up zone NS records using system resolver")
 	}
-	logger.WithField("servers", dnsServers).Info("looking up domain SOA record")
 
-	m := &dns.Msg{}
-	m.SetQuestion(zone+".", dns.TypeSOA)
-	for _, s := range dnsServers {
-		in, rtt, err := client.Exchange(m, s)
-		if err != nil {
-			logger.WithError(err).WithField("server", s).Info("query for SOA record failed")
-			continue
-		}
-		log.WithField("server", s).Infof("SOA query duration: %v", rtt)
-		if len(in.Answer) > 0 {
-			for _, rr := range in.Answer {
-				soa, ok := rr.(*dns.SOA)
-				if !ok {
-					logger.Info("Record returned is not an SOA record: %#v", rr)
-					continue
-				}
-				if soa.Hdr.Name != controllerutils.Dotted(zone) {
-					logger.WithField("zone", soa.Hdr.Name).Info("SOA record returned but it does not match the lookup zone")
-					return false, nil
-				}
-				logger.WithField("zone", soa.Hdr.Name).Info("SOA record returned, zone is reachable")
-				return true, nil
-			}
-		}
-		logger.WithField("server", s).Info("no answer for SOA record returned")
+	ctx, cancel := context.WithTimeout(context.Background(), dnsClientTimeout)
+	defer cancel()
+
+	ns, err := resolver.LookupNS(ctx, zone)
+	if err != nil {
+		logger.WithError(err).Info("query for NS records failed")
 		return false, nil
 	}
+	if len(ns) > 0 {
+		logger.Info("NS records returned, zone is reachable")
+		return true, nil
+	}
+	logger.Info("no NS records returned")
 	return false, nil
 }
 

pkg/controller/dnszone/dnszone_controller_test.go

@@ -36,7 +36,7 @@ func TestReconcileDNSProviderForAWS(t *testing.T) {
 		expectZoneDeleted bool
 		validateZone      func(*testing.T, *hivev1.DNSZone)
 		errorExpected     bool
-		soaLookupResult   bool
+		nsLookupResult    bool
 	}{
 		{
 			name:    "DNSZone without finalizer",
@@ -160,9 +160,9 @@ func TestReconcileDNSProviderForAWS(t *testing.T) {
 			expectZoneDeleted: true,
 		},
 		{
-			name:            "Existing zone, link to parent, reachable SOA",
-			dnsZone:         validDNSZoneWithLinkToParent(),
-			soaLookupResult: true,
+			name:           "Existing zone, link to parent, reachable NS",
+			dnsZone:        validDNSZoneWithLinkToParent(),
+			nsLookupResult: true,
 			setupAWSMock: func(expect *awsmock.MockClientMockRecorder) {
 				mockAWSZoneExists(expect, validDNSZoneWithAdditionalTags())
 				mockExistingAWSTags(expect)
@@ -193,8 +193,8 @@ func TestReconcileDNSProviderForAWS(t *testing.T) {
 				logger: zr.logger,
 			}
 
-			r.soaLookup = func(string, log.FieldLogger) (bool, error) {
-				return tc.soaLookupResult, nil
+			r.nsLookup = func(string, log.FieldLogger) (bool, error) {
+				return tc.nsLookupResult, nil
 			}
 
 			// This is necessary for the mocks to report failures like methods not being called an expected number of times.
@@ -242,7 +242,7 @@ func TestReconcileDNSProviderForGCP(t *testing.T) {
 		expectZoneDeleted bool
 		validateZone      func(*testing.T, *hivev1.DNSZone)
 		errorExpected     bool
-		soaLookupResult   bool
+		nsLookupResult    bool
 	}{
 		{
 			name:    "DNSZone without finalizer",
@@ -311,9 +311,9 @@ func TestReconcileDNSProviderForGCP(t *testing.T) {
 			expectZoneDeleted: true,
 		},
 		{
-			name:            "Existing zone, link to parent, reachable SOA",
-			dnsZone:         validDNSZoneWithLinkToParent(),
-			soaLookupResult: true,
+			name:           "Existing zone, link to parent, reachable NS",
+			dnsZone:        validDNSZoneWithLinkToParent(),
+			nsLookupResult: true,
 			setupGCPMock: func(expect *gcpmock.MockClientMockRecorder) {
 				mockGCPZoneExists(expect)
 			},
@@ -341,8 +341,8 @@ func TestReconcileDNSProviderForGCP(t *testing.T) {
 				logger: zr.logger,
 			}
 
-			r.soaLookup = func(string, log.FieldLogger) (bool, error) {
-				return tc.soaLookupResult, nil
+			r.nsLookup = func(string, log.FieldLogger) (bool, error) {
+				return tc.nsLookupResult, nil
 			}
 
 			// This is necessary for the mocks to report failures like methods not being called an expected number of times.
@@ -390,7 +390,7 @@ func TestReconcileDNSProviderForAzure(t *testing.T) {
 		expectZoneDeleted bool
 		validateZone      func(*testing.T, *hivev1.DNSZone)
 		errorExpected     bool
-		soaLookupResult   bool
+		nsLookupResult    bool
 	}{
 		{
 			name:    "DNSZone without finalizer",
@@ -441,9 +441,9 @@ func TestReconcileDNSProviderForAzure(t *testing.T) {
 			expectZoneDeleted: true,
 		},
 		{
-			name:            "Existing zone, link to parent, reachable SOA",
-			dnsZone:         validAzureDNSZoneWithLinkToParent(),
-			soaLookupResult: true,
+			name:           "Existing zone, link to parent, reachable NS",
+			dnsZone:        validAzureDNSZoneWithLinkToParent(),
+			nsLookupResult: true,
 			setupAzureMock: func(_ *gomock.Controller, expect *azuremock.MockClientMockRecorder) {
 				mockAzureZoneExists(expect)
 			},
@@ -471,8 +471,8 @@ func TestReconcileDNSProviderForAzure(t *testing.T) {
 				logger: zr.logger,
 			}
 
-			r.soaLookup = func(string, log.FieldLogger) (bool, error) {
-				return tc.soaLookupResult, nil
+			r.nsLookup = func(string, log.FieldLogger) (bool, error) {
+				return tc.nsLookupResult, nil
 			}
 
 			// This is necessary for the mocks to report failures like methods not being called an expected number of times.
@@ -520,7 +520,7 @@ func TestReconcileDNSProviderForAWSWithConditions(t *testing.T) {
 		expectDnsCondition bool
 		dnsCondition       hivev1.DNSZoneCondition
 		actuator           string
-		soaLookupResult    bool
+		nsLookupResult     bool
 	}{
 		{
 			name:    "Fail to create hosted zone, set generic dns error condition",
@@ -585,8 +585,8 @@ func TestReconcileDNSProviderForAWSWithConditions(t *testing.T) {
 
 			// This is necessary for the mocks to report failures like methods not being called an expected number of times.
 
-			r.soaLookup = func(string, log.FieldLogger) (bool, error) {
-				return tc.soaLookupResult, nil
+			r.nsLookup = func(string, log.FieldLogger) (bool, error) {
+				return tc.nsLookupResult, nil
 			}
 
 			if tc.setupAWSMock != nil {