I just synced the public git to my personal git repo, and there are quite a few commits.

Apologies for the dump. Most of the changes are fairly inconsequential or follow naturally from the big enhancement.

The big change is the handling of truncation in the DNS system. In principle, this is simple. If an answer is too big to fit in a UDP packet, the upstream server will mark the answer as truncated, DNS returns this, and the client repeats the query over TCP. Where it gets complicated is with DNSSEC. An answer is not truncated, but an answer to a DNSKEY or DS query needed to do DNSSEC validation is. This requires a move to TCP to get the intermediate answer for validation.

This used to be done by faking a truncated answer to the original query to force the client to retry over TCP. The whole transaction then happened over TCP, including the intermediate queries of DNSKEY and DS records. This is undesirable for several reasons.

The new code allows dnsmasq to move from UDP to TCP and back on-the-fly, so intermediate queries can be done over TCP, without forcing the original client to use TCP. This also works for situations where the answer to the original query needs to come over TCP, but the client can be answered over UDP. For instance the answer includes RRSIG RRs for DNSSEC validation which pushes it over the UDP limit, but these are removed before the answer is returned to the original client.

There's also code which handles the opposite case. If a client has a smaller limit on UDP packet size (for instance if it doesn't support EDNS0 and therefore has a packet size limit of 512, rather than 1232) then dnsmasq can truncate the untruncated answer from upstream to force the client to retry over TCP.


This code has been extensively tested by me, but I'd like to hear how others are getting on with it. It has not been easy to get right. The --log-queries option has a new version, --log-queries=proto, which includes information about which query was used for each transaction.


Cheers,

Simon.
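An added illustration of the "opposite case" described in the post (a client whose UDP limit is smaller than the upstream answer); this is example code written for this page, not dnsmasq's own implementation. It derives the client's UDP limit from its query (512 without EDNS0, otherwise the advertised EDNS0 size capped at 1232) and, when the untruncated upstream answer does not fit, returns a question-only reply with TC set so the client retries over TCP. The sample messages are constructed inline; the 1232 cap and all names are assumptions.

```python
import struct

NO_EDNS_LIMIT = 512    # RFC 1035 maximum for a client without EDNS0 (as in the post)
EDNS_LIMIT = 1232      # cap applied to an EDNS0 client's advertised size (assumed)
TC_BIT = 0x0200        # TC flag in the DNS header flags word

def encode_name(name):
    """Wire-encode a dotted name, e.g. "example.com" -> b"\\x07example\\x03com\\x00"."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def _skip_name(msg, off):
    while True:                       # return the offset just past the name at `off`
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:         # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + ln

def client_udp_limit(query):
    """Largest UDP reply the sender of `query` accepts: 512, or its EDNS0 size capped at 1232."""
    qd, an, ns, ar = struct.unpack("!HHHH", query[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(query, off) + 4            # skip QTYPE + QCLASS
    for i in range(an + ns + ar):
        off = _skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if i >= an + ns and rtype == 41:            # OPT RR: CLASS carries the UDP payload size
            return max(NO_EDNS_LIMIT, min(rclass, EDNS_LIMIT))
        off += 10 + rdlen
    return NO_EDNS_LIMIT

def truncate_for_client(response, limit):
    """Return `response` unchanged if it fits, else a question-only copy with TC set."""
    if len(response) <= limit:
        return response
    qd = struct.unpack("!H", response[4:6])[0]
    off = 12
    for _ in range(qd):
        off = _skip_name(response, off) + 4
    flags = struct.unpack("!H", response[2:4])[0] | TC_BIT
    return response[:2] + struct.pack("!HHHHH", flags, qd, 0, 0, 0) + response[12:off]

# Constructed samples: an A query without EDNS0, one advertising a 4096-byte EDNS0 buffer,
# and an untruncated upstream reply carrying 40 A records (669 bytes: > 512, < 1232).
QUESTION = encode_name("example.com") + struct.pack("!HH", 1, 1)
PLAIN_QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + QUESTION
OPT_RR = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
EDNS_QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1) + QUESTION + OPT_RR
A_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
BIG_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 40, 0, 0) + QUESTION + A_RR * 40
```

Run `truncate_for_client(BIG_RESPONSE, client_udp_limit(q))` for each sample query: the EDNS0 client gets the 669-byte answer over UDP, the non-EDNS0 client gets a 29-byte TC reply and must retry over TCP.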


_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss