On 04/27/2017 07:27 AM, Viktor Dukhovni via Unbound-users wrote: > On Wed, Apr 26, 2017 at 08:14:09PM -0700, Jacob Hoffman-Andrews wrote: > >> I'm trying to understand Unbound's TCP fallback better. Is it expected >> that Unbound will fall back to TCP when UDP queries timeout, or only if >> it receives a truncated ANSWER? > Only when truncated as you observed. Thanks for the info. Another question: For CA queries in general (A, AAAA, TXT, CAA), Let's Encrypt has gotten feedback that using TCP to query authoritative resolvers is more secure and less likely to be spoofed. Unfortunately, DNS servers aren't required to support TCP. This is another reason why we've been considering running to recursive resolvers, one with tcp-upstream: yes, and one with tcp-upstream: no. The idea would be that the CA software (Boulder) would first attempt to query the tcp-upstream: yes instance, and fall back to the tcp-upstream: no instance on errors. In your opinion, is this a reasonable setup, and does it meaningfully increase protections against spoofing?