mirror of
https://github.com/pi-hole/dnsmasq.git
synced 2025-12-19 02:08:24 +00:00
f5cdb007d8845dde8e5053229f47b46b1b756473
Heretofore, when validating the result of an external query triggers a DNSKEY or DS query and the result of that query is truncated, dnsmasq has forced the whole validation process to move to TCP by returning a truncated reply to the original requestor. This forces the original requestor to retry the query in TCP mode, and the DNSSEC subqueries also get made via TCP and everything works. Note that in general the actual answer being validated is not large enough to trigger truncation, and there's no reason not to return that answer via UDP if we can validate it successfully. It follows that a substandard client which can't do TCP queries will still work if the answer could be returned via UDP, but fails if it gets an artificially truncated answer and cannot move to TCP. This patch teaches dnsmasq to move to TCP for DNSSEC queries when validating UDP answers. That makes the substandard clients mentioned above work, and saves a round trip even for clients that can do TCP.
Languages: C 94.2%, Perl 2.3%, HTML 1.2%, Shell 1.1%, Makefile 0.6%, Other 0.6%