fix: retry on DNS timeout, distinguish authoritative negatives (closes #35 )

- Add StatusTimeout constant for timeout responses - querySingleType now retries on timeout and SERVFAIL (3 attempts, exponential backoff starting at 100ms) - NXDOMAIN and NOERROR+empty are treated as authoritative negatives with no retry - classifyResponse sets structured error messages for timeout and SERVFAIL cases - Refactored into smaller functions to satisfy cyclomatic complexity limits
Merge pull request 'fix: look up A/AAAA records for apex domains to enable port/TLS checks (closes #19 )' (#21 ) from fix/domain-port-tls-state-lookup into main
2026-02-28 03:22:57 -08:00 · 2026-02-28 12:09:04 +01:00 · 2026-02-28 12:08:56 +01:00 · 2026-02-28 12:08:46 +01:00 · 2026-02-28 12:08:25 +01:00 · 2026-02-28 12:08:19 +01:00
6 changed files with 381 additions and 39 deletions
--- a/TESTING.md
+++ b/TESTING.md
@@ -0,0 +1,34 @@
+# Testing Policy
+
+## DNS Resolution Tests
+
+All resolver tests **MUST** use live queries against real DNS servers.
+No mocking of the DNS client layer is permitted.
+
+### Rationale
+
+The resolver performs iterative resolution from root nameservers through
+the full delegation chain. Mocked responses cannot faithfully represent
+the variety of real-world DNS behavior (truncation, referrals, glue
+records, DNSSEC, varied response times, EDNS, etc.). Testing against
+real servers ensures the resolver works correctly in production.
+
+### Constraints
+
+- Tests hit real DNS infrastructure and require network access
+- Test duration depends on network conditions; timeout tuning keeps
+  the suite within the 30-second target
+- Query timeout is calibrated to 3× maximum antipodal RTT (~300ms)
+  plus processing margin
+- Root server fan-out is limited to reduce parallel query load
+- Flaky failures from transient network issues are acceptable and
+  should be investigated as potential resolver bugs, not papered over
+  with mocks or skip flags
+
+### What NOT to do
+
+- **Do not mock `DNSClient`** for resolver tests (the mock constructor
+  exists for unit-testing other packages that consume the resolver)
+- **Do not add `-short` flags** to skip slow tests
+- **Do not increase `-timeout`** to hide hanging queries
+- **Do not modify linter configuration** to suppress findings
--- a/internal/resolver/errors.go
+++ b/internal/resolver/errors.go
@@ -24,4 +24,8 @@ var (
 	// ErrContextCanceled wraps context cancellation for the
 	// resolver's iterative queries.
 	ErrContextCanceled = errors.New("context canceled")
+
+	// ErrSERVFAIL is returned when a DNS server responds with
+	// SERVFAIL after all retries are exhausted.
+	ErrSERVFAIL = errors.New("SERVFAIL from server")
 )
--- a/internal/resolver/iterative.go
+++ b/internal/resolver/iterative.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"math/rand"
 	"net"
 	"sort"
 	"strings"
@@ -13,7 +14,7 @@ import (
 )

 const (
-	queryTimeoutDuration = 5 * time.Second
+	queryTimeoutDuration = 2 * time.Second
 	maxRetries           = 2
 	maxDelegation        = 20
 	timeoutMultiplier    = 2
@@ -41,6 +42,22 @@ func rootServerList() []string {
 	}
 }

+const maxRootServers = 3
+
+// randomRootServers returns a shuffled subset of root servers.
+func randomRootServers() []string {
+	all := rootServerList()
+	rand.Shuffle(len(all), func(i, j int) {
+		all[i], all[j] = all[j], all[i]
+	})
+
+	if len(all) > maxRootServers {
+		return all[:maxRootServers]
+	}
+
+	return all
+}
+
 func checkCtx(ctx context.Context) error {
 	err := ctx.Err()
 	if err != nil {
@@ -302,7 +319,7 @@ func (r *Resolver) resolveNSRecursive(
 	msg.SetQuestion(domain, dns.TypeNS)
 	msg.RecursionDesired = true

-	for _, ip := range rootServerList()[:3] {
+	for _, ip := range randomRootServers() {
 		if checkCtx(ctx) != nil {
 			return nil, ErrContextCanceled
 		}
@@ -333,7 +350,7 @@ func (r *Resolver) resolveARecord(
 	msg.SetQuestion(hostname, dns.TypeA)
 	msg.RecursionDesired = true

-	for _, ip := range rootServerList()[:3] {
+	for _, ip := range randomRootServers() {
 		if checkCtx(ctx) != nil {
 			return nil, ErrContextCanceled
 		}
@@ -385,7 +402,7 @@ func (r *Resolver) FindAuthoritativeNameservers(
 		candidate := strings.Join(labels[i:], ".") + "."

 		nsNames, err := r.followDelegation(
-			ctx, candidate, rootServerList(),
+			ctx, candidate, randomRootServers(),
 		)
 		if err == nil && len(nsNames) > 0 {
 			sort.Strings(nsNames)
@@ -442,9 +459,15 @@ func (r *Resolver) queryAllTypes(
 	return resp, nil
 }

+const (
+	singleTypeMaxRetries     = 3
+	singleTypeInitialBackoff = 100 * time.Millisecond
+)
+
 type queryState struct {
 	gotNXDomain bool
 	gotSERVFAIL bool
+	gotTimeout  bool
 	hasRecords  bool
 }

@@ -472,6 +495,21 @@ func (r *Resolver) queryEachType(
 	return state
 }

+// isTimeout checks whether an error represents a DNS timeout.
+func isTimeout(err error) bool {
+	if err == nil {
+		return false
+	}
+
+	var netErr net.Error
+	if errors.As(err, &netErr) && netErr.Timeout() {
+		return true
+	}
+
+	// Also catch i/o timeout strings from the dns library.
+	return strings.Contains(err.Error(), "i/o timeout")
+}
+
 func (r *Resolver) querySingleType(
 	ctx context.Context,
 	nsIP string,
@@ -480,19 +518,95 @@ func (r *Resolver) querySingleType(
 	resp *NameserverResponse,
 	state *queryState,
 ) {
-	msg, err := r.queryDNS(ctx, nsIP, hostname, qtype)
-	if err != nil {
+	msg, lastErr := r.querySingleTypeWithRetry(
+		ctx, nsIP, hostname, qtype,
+	)
+	if msg == nil {
+		r.recordRetryFailure(lastErr, state)
+
 		return
 	}

-	if msg.Rcode == dns.RcodeNameError {
-		state.gotNXDomain = true
+	r.handleDNSResponse(msg, resp, state)
+}

-		return
+func (r *Resolver) querySingleTypeWithRetry(
+	ctx context.Context,
+	nsIP string,
+	hostname string,
+	qtype uint16,
+) (*dns.Msg, error) {
+	var lastErr error
+
+	backoff := singleTypeInitialBackoff
+
+	for attempt := range singleTypeMaxRetries {
+		if checkCtx(ctx) != nil {
+			return nil, ErrContextCanceled
+		}
+
+		if attempt > 0 {
+			if !waitBackoff(ctx, backoff) {
+				return nil, ErrContextCanceled
+			}
+
+			backoff *= timeoutMultiplier
+		}
+
+		msg, err := r.queryDNS(ctx, nsIP, hostname, qtype)
+		if err != nil {
+			lastErr = err
+
+			if !isTimeout(err) {
+				return nil, err
+			}
+
+			continue
 		}

 		if msg.Rcode == dns.RcodeServerFailure {
+			lastErr = ErrSERVFAIL
+
+			continue
+		}
+
+		return msg, nil
+	}
+
+	return nil, lastErr
+}
+
+func waitBackoff(ctx context.Context, d time.Duration) bool {
+	select {
+	case <-ctx.Done():
+		return false
+	case <-time.After(d):
+		return true
+	}
+}
+
+func (r *Resolver) recordRetryFailure(
+	lastErr error,
+	state *queryState,
+) {
+	if lastErr == nil {
+		return
+	}
+
+	if isTimeout(lastErr) {
+		state.gotTimeout = true
+	} else if errors.Is(lastErr, ErrSERVFAIL) {
 		state.gotSERVFAIL = true
+	}
+}
+
+func (r *Resolver) handleDNSResponse(
+	msg *dns.Msg,
+	resp *NameserverResponse,
+	state *queryState,
+) {
+	if msg.Rcode == dns.RcodeNameError {
+		state.gotNXDomain = true

 		return
 	}
@@ -523,8 +637,12 @@ func classifyResponse(resp *NameserverResponse, state queryState) {
 	switch {
 	case state.gotNXDomain && !state.hasRecords:
 		resp.Status = StatusNXDomain
+	case state.gotTimeout && !state.hasRecords:
+		resp.Status = StatusTimeout
+		resp.Error = "all queries timed out after retries"
 	case state.gotSERVFAIL && !state.hasRecords:
 		resp.Status = StatusError
+		resp.Error = "server failure (SERVFAIL) after retries"
 	case !state.hasRecords && !state.gotNXDomain:
 		resp.Status = StatusNoData
 	}
--- a/internal/resolver/resolver.go
+++ b/internal/resolver/resolver.go
@@ -17,6 +17,7 @@ const (
 	StatusError    = "error"
 	StatusNXDomain = "nxdomain"
 	StatusNoData   = "nodata"
+	StatusTimeout  = "timeout"
 )

 // MaxCNAMEDepth is the maximum CNAME chain depth to follow.
--- a/internal/watcher/watcher.go
+++ b/internal/watcher/watcher.go
@@ -6,6 +6,7 @@ import (
 	"log/slog"
 	"sort"
 	"strings"
+	"sync"
 	"time"

 	"go.uber.org/fx"
@@ -49,6 +50,8 @@ type Watcher struct {
 	notify           Notifier
 	cancel           context.CancelFunc
 	firstRun         bool
+	expiryNotifiedMu sync.Mutex
+	expiryNotified   map[string]time.Time
 }

 // New creates a new Watcher instance wired into the fx lifecycle.
@@ -65,6 +68,7 @@ func New(
 		tlsCheck:       params.TLSCheck,
 		notify:         params.Notify,
 		firstRun:       true,
+		expiryNotified: make(map[string]time.Time),
 	}

 	lifecycle.Append(fx.Hook{
@@ -108,6 +112,7 @@ func NewForTest(
 		tlsCheck:       tc,
 		notify:         n,
 		firstRun:       true,
+		expiryNotified: make(map[string]time.Time),
 	}
 }

@@ -206,6 +211,28 @@ func (w *Watcher) checkDomain(
 		Nameservers: nameservers,
 		LastChecked: now,
 	})
+
+	// Also look up A/AAAA records for the apex domain so that
+	// port and TLS checks (which read HostnameState) can find
+	// the domain's IP addresses.
+	records, err := w.resolver.LookupAllRecords(ctx, domain)
+	if err != nil {
+		w.log.Error(
+			"failed to lookup records for domain",
+			"domain", domain,
+			"error", err,
+		)
+
+		return
+	}
+
+	prevHS, hasPrevHS := w.state.GetHostnameState(domain)
+	if hasPrevHS && !w.firstRun {
+		w.detectHostnameChanges(ctx, domain, prevHS, records)
+	}
+
+	newState := buildHostnameState(records, now)
+	w.state.SetHostnameState(domain, newState)
 }

 func (w *Watcher) detectNSChanges(
@@ -691,6 +718,22 @@ func (w *Watcher) checkTLSExpiry(
 		return
 	}

+	// Deduplicate expiry warnings: don't re-notify for the same
+	// hostname within the TLS check interval.
+	dedupKey := fmt.Sprintf("expiry:%s:%s", hostname, ip)
+
+	w.expiryNotifiedMu.Lock()
+
+	lastNotified, seen := w.expiryNotified[dedupKey]
+	if seen && time.Since(lastNotified) < w.config.TLSInterval {
+		w.expiryNotifiedMu.Unlock()
+
+		return
+	}
+
+	w.expiryNotified[dedupKey] = time.Now()
+	w.expiryNotifiedMu.Unlock()
+
 	msg := fmt.Sprintf(
 		"Host: %s\nIP: %s\nCN: %s\n"+
 			"Expires: %s (%.0f days)",
--- a/internal/watcher/watcher_test.go
+++ b/internal/watcher/watcher_test.go
@@ -273,6 +273,10 @@ func setupBaselineMocks(deps *testDeps) {
 		"ns1.example.com.",
 		"ns2.example.com.",
 	}
+	deps.resolver.allRecords["example.com"] = map[string]map[string][]string{
+		"ns1.example.com.": {"A": {"93.184.216.34"}},
+		"ns2.example.com.": {"A": {"93.184.216.34"}},
+	}
 	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
 		"ns1.example.com.": {"A": {"93.184.216.34"}},
 		"ns2.example.com.": {"A": {"93.184.216.34"}},
@@ -290,6 +294,14 @@ func setupBaselineMocks(deps *testDeps) {
 			"www.example.com",
 		},
 	}
+	deps.tlsChecker.certs["93.184.216.34:example.com"] = &tlscheck.CertificateInfo{
+		CommonName: "example.com",
+		Issuer:     "DigiCert",
+		NotAfter:   time.Now().Add(90 * 24 * time.Hour),
+		SubjectAlternativeNames: []string{
+			"example.com",
+		},
+	}
 }

 func assertNoNotifications(
@@ -322,14 +334,74 @@ func assertStatePopulated(
 		)
 	}

-	if len(snap.Hostnames) != 1 {
+	// Hostnames includes both explicit hostnames and domains
+	// (domains now also get hostname state for port/TLS checks).
+	if len(snap.Hostnames) < 1 {
 		t.Errorf(
-			"expected 1 hostname in state, got %d",
+			"expected at least 1 hostname in state, got %d",
 			len(snap.Hostnames),
 		)
 	}
 }

+func TestDomainPortAndTLSChecks(t *testing.T) {
+	t.Parallel()
+
+	cfg := defaultTestConfig(t)
+	cfg.Domains = []string{"example.com"}
+
+	w, deps := newTestWatcher(t, cfg)
+
+	deps.resolver.nsRecords["example.com"] = []string{
+		"ns1.example.com.",
+	}
+	deps.resolver.allRecords["example.com"] = map[string]map[string][]string{
+		"ns1.example.com.": {"A": {"93.184.216.34"}},
+	}
+	deps.portChecker.results["93.184.216.34:80"] = true
+	deps.portChecker.results["93.184.216.34:443"] = true
+	deps.tlsChecker.certs["93.184.216.34:example.com"] = &tlscheck.CertificateInfo{
+		CommonName: "example.com",
+		Issuer:     "DigiCert",
+		NotAfter:   time.Now().Add(90 * 24 * time.Hour),
+		SubjectAlternativeNames: []string{
+			"example.com",
+		},
+	}
+
+	w.RunOnce(t.Context())
+
+	snap := deps.state.GetSnapshot()
+
+	// Domain should have port state populated
+	if len(snap.Ports) == 0 {
+		t.Error("expected port state for domain, got none")
+	}
+
+	// Domain should have certificate state populated
+	if len(snap.Certificates) == 0 {
+		t.Error("expected certificate state for domain, got none")
+	}
+
+	// Verify port checker was actually called
+	deps.portChecker.mu.Lock()
+	calls := deps.portChecker.calls
+	deps.portChecker.mu.Unlock()
+
+	if calls == 0 {
+		t.Error("expected port checker to be called for domain")
+	}
+
+	// Verify TLS checker was actually called
+	deps.tlsChecker.mu.Lock()
+	tlsCalls := deps.tlsChecker.calls
+	deps.tlsChecker.mu.Unlock()
+
+	if tlsCalls == 0 {
+		t.Error("expected TLS checker to be called for domain")
+	}
+}
+
 func TestNSChangeDetection(t *testing.T) {
 	t.Parallel()

@@ -342,6 +414,12 @@ func TestNSChangeDetection(t *testing.T) {
 		"ns1.example.com.",
 		"ns2.example.com.",
 	}
+	deps.resolver.allRecords["example.com"] = map[string]map[string][]string{
+		"ns1.example.com.": {"A": {"1.2.3.4"}},
+		"ns2.example.com.": {"A": {"1.2.3.4"}},
+	}
+	deps.portChecker.results["1.2.3.4:80"] = false
+	deps.portChecker.results["1.2.3.4:443"] = false

 	ctx := t.Context()
 	w.RunOnce(ctx)
@@ -351,6 +429,10 @@ func TestNSChangeDetection(t *testing.T) {
 		"ns1.example.com.",
 		"ns3.example.com.",
 	}
+	deps.resolver.allRecords["example.com"] = map[string]map[string][]string{
+		"ns1.example.com.": {"A": {"1.2.3.4"}},
+		"ns3.example.com.": {"A": {"1.2.3.4"}},
+	}
 	deps.resolver.mu.Unlock()

 	w.RunOnce(ctx)
@@ -506,6 +588,61 @@ func TestTLSExpiryWarning(t *testing.T) {
 	}
 }

+func TestTLSExpiryWarningDedup(t *testing.T) {
+	t.Parallel()
+
+	cfg := defaultTestConfig(t)
+	cfg.Hostnames = []string{"www.example.com"}
+	cfg.TLSInterval = 24 * time.Hour
+
+	w, deps := newTestWatcher(t, cfg)
+
+	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
+		"ns1.example.com.": {"A": {"1.2.3.4"}},
+	}
+	deps.resolver.ipAddresses["www.example.com"] = []string{
+		"1.2.3.4",
+	}
+	deps.portChecker.results["1.2.3.4:80"] = true
+	deps.portChecker.results["1.2.3.4:443"] = true
+	deps.tlsChecker.certs["1.2.3.4:www.example.com"] = &tlscheck.CertificateInfo{
+		CommonName: "www.example.com",
+		Issuer:     "DigiCert",
+		NotAfter:   time.Now().Add(3 * 24 * time.Hour),
+		SubjectAlternativeNames: []string{
+			"www.example.com",
+		},
+	}
+
+	ctx := t.Context()
+
+	// First run = baseline, no notifications
+	w.RunOnce(ctx)
+
+	// Second run should fire one expiry warning
+	w.RunOnce(ctx)
+
+	// Third run should NOT fire another warning (dedup)
+	w.RunOnce(ctx)
+
+	notifications := deps.notifier.getNotifications()
+
+	expiryCount := 0
+
+	for _, n := range notifications {
+		if n.Title == "TLS Expiry Warning: www.example.com" {
+			expiryCount++
+		}
+	}
+
+	if expiryCount != 1 {
+		t.Errorf(
+			"expected exactly 1 expiry warning (dedup), got %d",
+			expiryCount,
+		)
+	}
+}
+
 func TestGracefulShutdown(t *testing.T) {
 	t.Parallel()

@@ -519,6 +656,11 @@ func TestGracefulShutdown(t *testing.T) {
 	deps.resolver.nsRecords["example.com"] = []string{
 		"ns1.example.com.",
 	}
+	deps.resolver.allRecords["example.com"] = map[string]map[string][]string{
+		"ns1.example.com.": {"A": {"1.2.3.4"}},
+	}
+	deps.portChecker.results["1.2.3.4:80"] = false
+	deps.portChecker.results["1.2.3.4:443"] = false

 	ctx, cancel := context.WithCancel(t.Context())
Author	SHA1	Message	Date
clawbot	f2970143d2	fix: retry on DNS timeout, distinguish authoritative negatives (closes #35 ) Some checks failed Check / check (pull_request) Failing after 6m4s Details - Add StatusTimeout constant for timeout responses - querySingleType now retries on timeout and SERVFAIL (3 attempts, exponential backoff starting at 100ms) - NXDOMAIN and NOERROR+empty are treated as authoritative negatives with no retry - classifyResponse sets structured error messages for timeout and SERVFAIL cases - Refactored into smaller functions to satisfy cyclomatic complexity limits	2026-02-28 03:22:57 -08:00
Jeffrey Paul	0eb57fc15b	Merge pull request 'fix: look up A/AAAA records for apex domains to enable port/TLS checks (closes #19 )' (#21 ) from fix/domain-port-tls-state-lookup into main Some checks are pending Check / check (push) Waiting to run Details Reviewed-on: #21	2026-02-28 12:09:04 +01:00
Jeffrey Paul	5739108dc7	Merge branch 'main' into fix/domain-port-tls-state-lookup Some checks failed Check / check (pull_request) Failing after 5m41s Details	2026-02-28 12:08:56 +01:00
Jeffrey Paul	54272c2be5	Merge pull request 'fix: deduplicate TLS expiry warnings to prevent notification spam (closes #18 )' (#22 ) from fix/tls-expiry-dedup into main Some checks are pending Check / check (push) Waiting to run Details Reviewed-on: #22	2026-02-28 12:08:46 +01:00
Jeffrey Paul	b18d29d586	Merge branch 'main' into fix/domain-port-tls-state-lookup Some checks failed Check / check (pull_request) Failing after 5m40s Details	2026-02-28 12:08:25 +01:00
Jeffrey Paul	e63241cc3c	Merge branch 'main' into fix/tls-expiry-dedup Some checks failed Check / check (pull_request) Failing after 5m40s Details	2026-02-28 12:08:19 +01:00
Jeffrey Paul	5ab217bfd2	Merge pull request 'Reduce DNS query timeout and limit root server fan-out (closes #29 )' (#30 ) from fix/reduce-dns-timeout-and-root-fanout into main Some checks failed Check / check (push) Has been cancelled Details Reviewed-on: #30	2026-02-28 12:07:20 +01:00
Jeffrey Paul	518a2cc42e	Merge pull request 'doc: add TESTING.md — real DNS only, no mocks' (#34 ) from doc/testing-policy into main Some checks failed Check / check (push) Has been cancelled Details Reviewed-on: #34	2026-02-28 12:06:57 +01:00
user	4cb81aac24	doc: add testing policy — real DNS only, no mocks Some checks failed Check / check (pull_request) Failing after 5m24s Details Documents the project testing philosophy: all resolver tests must use live DNS queries. Mocking the DNS client layer is not permitted. Includes rationale and anti-patterns to avoid.	2026-02-22 04:28:47 -08:00
user	203b581704	Reduce DNS query timeout to 2s and limit root server fan-out to 3 Some checks failed Check / check (pull_request) Failing after 5m57s Details - Reduce queryTimeoutDuration from 5s to 2s - Add randomRootServers() that shuffles and picks 3 root servers - Replace all rootServerList() call sites with randomRootServers() - Keep maxRetries = 2 Closes #29	2026-02-22 03:35:16 -08:00
Jeffrey Paul	8cfff5dcc8	Merge pull request 'fix: use full Lock in State.Save() to prevent data race (closes #17 )' (#20 ) from fix/state-save-data-race into main Some checks failed Check / check (push) Failing after 5m43s Details Reviewed-on: #20	2026-02-21 11:22:46 +01:00
clawbot	82fd68a41b	fix: deduplicate TLS expiry warnings to prevent notification spam (closes #18 ) Some checks failed Check / check (pull_request) Failing after 5m31s Details checkTLSExpiry fired every monitoring cycle with no deduplication, causing notification spam for expiring certificates. Added an in-memory map tracking the last notification time per domain/IP pair, suppressing re-notification within the TLS check interval. Added TestTLSExpiryWarningDedup to verify deduplication works.	2026-02-21 00:54:59 -08:00
clawbot	f8d0dc4166	fix: look up A/AAAA records for apex domains to enable port/TLS checks (closes #19 ) Some checks failed Check / check (pull_request) Failing after 5m24s Details collectIPs only reads HostnameState, but checkDomain only stored DomainState (nameservers). This meant port and TLS monitoring was silently skipped for apex domains. Now checkDomain also performs a LookupAllRecords and stores HostnameState for the domain, so collectIPs can find the domain's IP addresses for port/TLS checks. Added TestDomainPortAndTLSChecks to verify the fix.	2026-02-21 00:53:42 -08:00