Maintained by: NLnet Labs

TCP fallback on timeout

Jacob Hoffman-Andrews
Thu Apr 27 19:06:19 CEST 2017


On 04/27/2017 07:27 AM, Viktor Dukhovni via Unbound-users wrote:
> On Wed, Apr 26, 2017 at 08:14:09PM -0700, Jacob Hoffman-Andrews wrote:
>
>> I'm trying to understand Unbound's TCP fallback better. Is it expected
>> that Unbound will fall back to TCP when UDP queries timeout, or only if
>> it receives a truncated ANSWER?
> Only when truncated as you observed.
Thanks for the info.

Another question: For CA queries in general (A, AAAA, TXT, CAA), Let's
Encrypt has gotten feedback that using TCP to query authoritative
resolvers is more secure and less likely to be spoofed. Unfortunately,
DNS servers aren't required to support TCP. This is another reason why
we've been considering running to recursive resolvers, one with
tcp-upstream: yes, and one with tcp-upstream: no. The idea would be that
the CA software (Boulder) would first attempt to query the tcp-upstream:
yes instance, and fall back to the tcp-upstream: no instance on errors.
In your opinion, is this a reasonable setup, and does it meaningfully
increase protections against spoofing?