Bug#1017899: apt - Considers hard DNS errors as transient, prolongs fallback

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1017899: apt - Considers hard DNS errors as transient, prolongs fallback
From: Bastian Blank <waldi@debian.org>
Date: Mon, 22 Aug 2022 09:47:46 +0200
Message-id: <[🔎] 166115446639.16964.17583592422600966878.reportbug@softhammer.credativ.lan>
Reply-to: Bastian Blank <waldi@debian.org>, 1017899@bugs.debian.org

Package: apt
Version: 2.5.2
Severity: important

Moin

apt considers all hard DNS errors (NXDOMAIN), aka
EAI_NONAME from getaddrinfo, as transient and retries.

Example response from the http method:

| 400 URI Failure
| Transient-Failure: true
| FailReason: ResolveFailure
| Message: Could not resolve 'test.example.com'
| URI: https://test.example.com/debian/dists/experimental/InRelease

Responsible code seems to be methods/connect.cc:ConnectToHostname.

So if you use apt-transport-mirror, specifying a non-resolving name just
forces a retry, four time, before it can go to the backup mirror.  This
means an additional five seconds is added to every download.

It get's a bit complicated, as a SERVFAIL response from DNS seems to
provoke an EAI_NONAME error as well, as can be easily checked with
dnssec-failed.org.  But as SERVFAIL only gets out if the DNS resolver
already hit an unrecoverable error during it's one retries or something
like broken signatures, retrying is also not really useful.

Back story:

For the cloud images we think about specifying something like this via
apt-transport-mirror if the user does not define anything different:
| https://vendor.deb.debian.cloud	priority:1
| https://deb.debian.org

This will force a fallback to deb.debian.org if the other one does not
work.  This is meant to be used only if hell breaks loose, so is a last
resort fallback.  However just killing the DNS records for the first
listed one does produce a lot of retries because of the described
behaviour.

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.19.0-trunk-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt depends on:
ii  adduser                 3.123
ii  debian-archive-keyring  2021.1.1
ii  gpgv                    2.2.35-3
ii  libapt-pkg6.0           2.5.2
ii  libc6                   2.34-3
ii  libgcc-s1               12.1.0-8
ii  libgnutls30             3.7.7-2
ii  libseccomp2             2.5.4-1+b1
ii  libstdc++6              12.1.0-8
ii  libsystemd0             251.3-1

Versions of packages apt recommends:
ii  ca-certificates  20211016

Versions of packages apt suggests:
pn  apt-doc                      <none>
pn  aptitude | synaptic | wajig  <none>
ii  dpkg-dev                     1.21.9
ii  gnupg                        2.2.35-3
pn  powermgmt-base               <none>

-- no debconf information

Reply to:

Follow-Ups:
- Bug#1017899: apt - Considers hard DNS errors as transient, prolongs fallback
  - From: Julian Andres Klode <jak@debian.org>

Prev by Date: Lizy Johnson
Next by Date: Bug#1017899: apt - Considers hard DNS errors as transient, prolongs fallback
Previous by thread: Lizy Johnson
Next by thread: Bug#1017899: apt - Considers hard DNS errors as transient, prolongs fallback
Index(es):
- Date
- Thread