On Wed, Apr 26, 2017 at 08:14:09PM -0700, Jacob Hoffman-Andrews wrote:
> I'm trying to understand Unbound's TCP fallback better. Is it expected
> that Unbound will fall back to TCP when UDP queries timeout, or only if
> it receives a truncated ANSWER?

Only when truncated, as you observed.

> Specifically, I'm trying to make CAA queries, and finding that, when
> querying a certain DNS provider (NetRegistry), UDP queries time out but
> TCP queries succeed.

That provider has a misconfigured (often Arbor Networks) firewall in front of their nameservers, and the firewall is dropping queries for all but a set of "standard" RRtypes. Often in my experience (when the firewall is Arbor Networks) IPv6 UDP queries also work, when the nameservers have IPv6 addresses. In other words, the filtering is in place only for UDP+IPv4.

The right thing to do is to not implement work-arounds for the problem on the client end. Instead, let operational errors lead to failure, but notify the operator so they remediate the issue. This will fix lookup issues for CAA, CDS, TLSA, SMIMEA, OPENPGPKEY, whether the resolver is unbound, BIND, ...

If you email me a small list of problem domains (served by the problem nameservers), I can get the ball rolling, open a new entry under:

https://github.com/dns-violations/dns-violations

and notify the errant provider.

-- 
Viktor.
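As an added example (not part of this thread, and not Unbound's or BIND's code), a small Python probe that sends the same query over UDP and over TCP and reports whether a reply arrived, was truncated (the TC bit that is the only thing triggering Unbound's fallback), or got no reply at all; running it for A and CAA against a suspect nameserver over IPv4 and IPv6 separates a firewall that filters UDP+IPv4 by RRtype from an ordinary timeout. The nameserver address and domain are supplied by the caller and are assumptions, not values from the thread.

```python
import socket
import struct

RRTYPES = {"A": 1, "AAAA": 28, "TLSA": 52, "CAA": 257}  # IANA RRtype numbers

def build_query(qname, rrtype, qid=0x1234):
    """Wire-format query: header (RD=1, QDCOUNT=1) + QNAME + QTYPE + QCLASS IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    return header + qname_wire + b"\x00" + struct.pack("!HH", RRTYPES[rrtype], 1)

def parse_header(msg):
    """Return (qid, tc_bit, rcode, ancount) from the 12-byte response header."""
    qid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    return qid, bool(flags & 0x0200), flags & 0x000F, ancount

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed early")
        buf += chunk
    return buf

def probe(server, qname, rrtype, tcp=False, timeout=3.0):
    """One query over UDP or TCP; returns 'answer', 'truncated', 'timeout' or 'rcode=N'."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET  # IPv6 literal => AF_INET6
    query = build_query(qname, rrtype)
    try:
        if tcp:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix
                resp = recv_exact(s, struct.unpack("!H", recv_exact(s, 2))[0])
        else:
            with socket.socket(family, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                resp = s.recv(4096)
    except OSError:  # socket.timeout is an OSError subclass; also covers refused/unreachable
        return "timeout"
    _, tc, rcode, _ = parse_header(resp)
    return "rcode=%d" % rcode if rcode else ("truncated" if tc else "answer")

if __name__ == "__main__":  # usage: probe.py <nameserver-ip> <domain>
    import sys
    for rrtype in ("A", "CAA"):
        for tcp in (False, True):
            print(rrtype, "TCP" if tcp else "UDP", probe(sys.argv[1], sys.argv[2], rrtype, tcp))
```

A healthy server answers A and CAA the same way on both transports; the pattern described in this thread shows up as A answering over UDP while CAA reports "timeout" over UDP but "answer" over TCP (and, where the server has an IPv6 address, "answer" over UDP when given the IPv6 literal).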