Bug 1729831 - [DoH] In strict fallback mode, allow fallback when not confirmed. r=necko-reviewers,valentin

In strict fallback mode, confirmation should still catch cases when the provider is
unavailable for whatever reason, and after that we should just fall back. This was
missing from bug 1714182.

Differential Revision: https://phabricator.services.mozilla.com/D126168

netwerk/dns/nsHostResolver.cpp

@@ -1341,7 +1341,8 @@ nsHostResolver::LookupStatus nsHostResolver::CompleteLookupLocked(
     bool shouldAttemptNative =
         !StaticPrefs::network_trr_strict_native_fallback() ||
         aReason == TRRSkippedReason::TRR_NXDOMAIN ||
-        aReason == TRRSkippedReason::TRR_DISABLED_FLAG;
+        aReason == TRRSkippedReason::TRR_DISABLED_FLAG ||
+        aReason == TRRSkippedReason::TRR_NOT_CONFIRMED;
 
     if (NS_FAILED(status) &&
         addrRec->mEffectiveTRRMode == nsIRequest::TRR_FIRST_MODE &&

netwerk/test/unit/trr_common.js

@@ -9,6 +9,10 @@
 /* import-globals-from head_trr.js */
 /* import-globals-from head_http3.js */
 
+const { TestUtils } = ChromeUtils.import(
+  "resource://testing-common/TestUtils.jsm"
+);
+
 const dns = Cc["@mozilla.org/network/dns-service;1"].getService(
   Ci.nsIDNSService
 );
@@ -268,9 +272,44 @@ async function test_strict_native_fallback() {
     `${inStatus} should be an error code`
   );
 
+  info("Now with confirmation failed - should fallback");
+  dns.clearCache(true);
+  setModeAndURI(2, "doh?responseIP=2.2.2.2&corruptedAnswer=true");
+  if (runningODoHTests) {
+    Services.prefs.setCharPref(
+      "network.trr.uri",
+      "https://foo.example.com:" + h2Port + "/odohconfig?failConfirmation=true"
+    );
+  }
+  Services.prefs.setCharPref("network.trr.confirmationNS", "example.com");
+  await TestUtils.waitForCondition(
+    // 3 => CONFIRM_FAILED, 4 => CONFIRM_TRYING_FAILED
+    () =>
+      dns.currentTrrConfirmationState == 3 ||
+      dns.currentTrrConfirmationState == 4,
+    `Timed out waiting for confirmation failure. Currently ${dns.currentTrrConfirmationState}`,
+    1,
+    5000
+  );
+  await new TRRDNSListener("bar.example.com", "127.0.0.1"); // Should fallback
+
   info("Now a successful case.");
   dns.clearCache(true);
   setModeAndURI(2, "doh?responseIP=2.2.2.2");
+  if (runningODoHTests) {
+    Services.prefs.setCharPref(
+      "network.trr.uri",
+      "https://foo.example.com:" + h2Port + "/odohconfig"
+    );
+  }
+  Services.prefs.setCharPref("network.trr.confirmationNS", "skip");
+  await TestUtils.waitForCondition(
+    // 5 => CONFIRM_DISABLED
+    () => dns.currentTrrConfirmationState == 5,
+    `Timed out waiting for confirmation disabled. Currently ${dns.currentTrrConfirmationState}`,
+    1,
+    5000
+  );
   await new TRRDNSListener("bar.example.com", "2.2.2.2");
 
   info("Now without strict fallback mode, timeout case");

testing/xpcshell/moz-http2/moz-http2.js

@@ -1037,6 +1037,16 @@ function handleRequest(req, res) {
       } else {
         var b64encoded = Buffer.from(odohconfig).toString("base64");
         let packet = dnsPacket.decode(payload);
+        if (
+          u.query.failConfirmation == "true" &&
+          packet.questions[0].type == "NS" &&
+          packet.questions[0].name == "example.com"
+        ) {
+          res.writeHead(200);
+          res.write("<12bytes");
+          res.end("");
+          return;
+        }
         if (packet.questions[0].type == "HTTPS") {
           answers.push({
             name: packet.questions[0].name,