dnspython 2.6.0: timeout with DNS servers that worked fine with dnspython 2.5.0 #1053

Closed
felixfontein opened this issue Feb 18, 2024 · 7 comments

Comments

@felixfontein

Describe the bug
This happened in the integration tests of the Ansible community.dns collection; I reduced it to the following minimal reproducer:

import dns.name
import dns.rdatatype
import dns.resolver

resolver = dns.resolver.Resolver(configure=False)
resolver.nameservers = ['198.51.44.8']  # IPv4 of dns1.p08.nsone.net., one of the github.com. nameservers
resolver.resolve(dns.name.from_unicode('github.com.'), lifetime=10, rdtype=dns.rdatatype.TXT)

With dnspython 2.5.0 this immediately returned a result. With dnspython 2.6.0, this times out after 10 seconds:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/path/to/python3.11/site-packages/dns/resolver.py", line 1321, in resolve
    timeout = self._compute_timeout(start, lifetime, resolution.errors)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/path/to/python3.11/site-packages/dns/resolver.py", line 1075, in _compute_timeout
    raise LifetimeTimeout(timeout=duration, errors=errors)
dns.resolver.LifetimeTimeout: The resolution lifetime expired after 11.601 seconds: Server Do53:198.51.44.8@53 answered The DNS operation timed out.; Server Do53:198.51.44.8@53 answered The DNS operation timed out.; Server Do53:198.51.44.8@53 answered The DNS operation timed out.; Server Do53:198.51.44.8@53 answered The DNS operation timed out.; Server Do53:198.51.44.8@53 answered The DNS operation timed out.

(lifetime can also be set to a lower value, for example 1 works fine for me with dnspython 2.5.0.)

To Reproduce
See the above reproducer

Context (please complete the following information):

  • dnspython version 2.6.0
  • Python version 3.11 (happens also with other Python versions)
  • OS: Linux (various)
@felixfontein
Author

git bisect points to f66e25b (Address DoS via the Tudoor mechanism (CVE-2023-29483)), which I guess isn't surprising :)

@rthalley rthalley added the Bug label Feb 18, 2024
@rthalley
Owner

The problem here is that the Tudoor compensation code is eating the Truncated exception raised in this case, preventing us from failing over to TCP. I will fix this and do 2.6.1 soon, but I have to figure out how best to fix it first!
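A simplified model of the regression described in the comment above, added here as an illustration; it is not dnspython's code. It assumes the Tudoor protection works by ignoring datagrams that fail validation and listening until the deadline; `receive_udp`, `resolve`, the `propagate_truncation` switch and the sample packets are hypothetical names and constructed data.

```python
import struct

class Truncated(Exception):
    """A response to our query arrived with the TC bit set."""

def parse_header(wire):
    """Return (id, is_response, truncated) from a DNS header."""
    if len(wire) < 12:
        raise ValueError("short DNS header")
    msg_id, flags = struct.unpack("!HH", wire[:4])
    return msg_id, bool(flags & 0x8000), bool(flags & 0x0200)

def receive_udp(datagrams, query_id, propagate_truncation):
    """Model a receive loop; `datagrams` are packets seen before the deadline."""
    for wire in datagrams:
        try:
            msg_id, is_response, truncated = parse_header(wire)
            if msg_id != query_id or not is_response:
                raise ValueError("does not answer our query")
            if truncated:
                raise Truncated()
        except Truncated:
            if propagate_truncation:
                raise      # fixed behaviour: caller must learn about truncation
            continue       # regressed behaviour: dropped like any bad packet
        except ValueError:
            continue       # protection: ignore the bad datagram, keep listening
        return wire
    raise TimeoutError("no acceptable response before the deadline")

def resolve(datagrams, query_id, propagate_truncation):
    """Return the transport that would produce the answer, or 'timeout'."""
    try:
        receive_udp(datagrams, query_id, propagate_truncation)
        return "udp"
    except Truncated:
        return "tcp"       # a real resolver re-sends the query over TCP here
    except TimeoutError:
        return "timeout"

def header(msg_id, flags):
    """Build a constructed 12-byte DNS header with one question."""
    return struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)

# Constructed sample traffic for a query with id 0x1234.
JUNK = b"\x00\x01"                    # too short to be a DNS message
WRONG_ID = header(0x9999, 0x8180)     # response to some other query
TRUNCATED = header(0x1234, 0x8380)    # QR|TC|RD|RA: valid but truncated
COMPLETE = header(0x1234, 0x8180)     # QR|RD|RA: valid, fits in UDP
```

With `propagate_truncation=False` the truncated reply is discarded on every attempt, which is the repeated "The DNS operation timed out" pattern in the traceback; with `True` the bad datagrams are still ignored but the truncated reply triggers the TCP retry.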

@rthalley
Owner

I was able to replicate with your example and the tudoor-trunc branch I just pushed fixes it, but still preserves the desired Tudoor protection. I'll be merging and starting the release process soon.

rthalley added a commit that referenced this issue Feb 18, 2024
* The Tudoor fix should not eat valid Truncated exceptions [#1053]

* Make logic more readable
@rthalley rthalley added the Fixed label Feb 18, 2024
@felixfontein
Author

@rthalley awesome, thank you very much! :)

rthalley added a commit that referenced this issue Feb 18, 2024
* The Tudoor fix should not eat valid Truncated exceptions [#1053]

* Make logic more readable

(cherry picked from commit 2ab3d16)
@felixfontein
Author

I ran my CI with the latest main branch and it works fine.

@felixfontein
Author

Resolved with the 2.6.1 release. Thanks a lot again @rthalley!

@rthalley
Owner

Thank you for the report and good replication example!
