Emit EDE 22 when the resolver runs out of usable addresses
authorOndřej Surý <ondrej@isc.org>
Thu, 14 May 2026 11:58:49 +0000 (13:58 +0200)
committerOndřej Surý <ondrej@isc.org>
Tue, 19 May 2026 09:18:30 +0000 (11:18 +0200)
Two exits from fctx_try() landed at DNS_R_SERVFAIL without attaching
DNS_EDE_NOREACHABLEAUTH: when fctx_getaddresses() returned a non-success,
non-wait status, and when every candidate addrinfo was unusable
(over-quota or filtered) after a restart.

With the new TCP fallback actually firing, those paths are now reached
by serve-stale and similar scenarios in which the auth is unreachable.
Attach the EDE so SERVFAIL responses keep carrying the same operator
signal that the timeout-based exit paths already produce.

Co-authored-by: Evan Hunt <each@isc.org>
Assisted-by: Claude:claude-opus-4-7
lib/dns/resolver.c

index 8d4430ddc0f491f33dc36fa6c854fd6290cd404b..0fc89804b80028af26c422fde275595006b9e4f9 100644 (file)
@@ -4354,6 +4354,8 @@ fctx_try(fetchctx_t *fctx, bool retrying) {
                        FCTX_ATTR_SET(fctx, FCTX_ATTR_ADDRWAIT);
                        return;
                default:
+                       dns_ede_add(&fctx->edectx, DNS_EDE_NOREACHABLEAUTH,
+                                   NULL);
                        goto done;
                }
 
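Review bot: The `default:` arm now attaches DNS_EDE_NOREACHABLEAUTH to every fctx_getaddresses() result that is neither success nor the wait case above, so a failure unrelated to reachability that falls through here would also be reported to clients as EDE 22. The switch begins outside this hunk, so which results can reach `default:` is not visible. If they are all address-exhaustion outcomes, a comment such as `/* Only "no usable addresses" results reach here: report EDE 22. */` would record that; otherwise the call should be limited to those results. The same two-line call is repeated at the `addrinfo == NULL` exit in the next hunk.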
@@ -4371,6 +4373,8 @@ fctx_try(fetchctx_t *fctx, bool retrying) {
                 */
                if (addrinfo == NULL) {
                        result = DNS_R_SERVFAIL;
+                       dns_ede_add(&fctx->edectx, DNS_EDE_NOREACHABLEAUTH,
+                                   NULL);
                        goto done;
                }
        }
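Review bot: At the `addrinfo == NULL` exit the extra-text argument is `NULL`, so a SERVFAIL caused by every candidate being over quota or filtered (the case the commit message names) looks identical to one caused by a genuinely unreachable authority. Quota exhaustion is a local condition and can be an early sign of a flood against the resolver, so operators benefit from telling the two apart. A fixed string, for example `dns_ede_add(&fctx->edectx, DNS_EDE_NOREACHABLEAUTH, "no usable server addresses");`, would do that without exposing addresses or quota values. The comment that closes just above this `if` starts outside the hunk, so it may already explain the condition.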