~nickbp/kapiti#36: 
Build separate request for querying upstreams

At the moment the Resolver passes through original external client request as-is. We should probably switch this to instead explicitly construct a new request based on the RequestInfo.

This avoids weird "leakage" from the original client request that could affect the result, or worse poison the cache in some way.

A catch with this route is that it does suddenly imply additional checks for things that the client may be asking for, but this was already sort of the case and was just implicitly being ignored by taking and caching the first response for an as-is query. Some examples where this came up:

  • With DNSSEC where the cache key now has a dnssec_ok bit to avoid cross-pollination between queries that have it enabled and queries that don't.
  • With EDNS/OPT records where we need to explicitly strip out the OPT record in the response to the client if their request didn't ask for it.
Status
REPORTED
Submitter
~nickbp
Assigned to
No-one
Submitted
2 years ago
Updated
2 years ago
Labels
No labels applied.

It's a bit quiet in here.