I just synced the public git to my personal git repo, and there are
quite a few commits.
Apologies for the dump. Most of the changes are fairly inconsequential
or follow naturally from the big enhancement.
The big change is the handling of truncation in the DNS system. In
principle, this is simple. If an answer is too big to fit in a UDP
packet, the upstream server will mark the answer as truncated, DNS
returns this, and the client repeats the query over TCP. Where it gets
complicated is with DNSSEC. An answer is not truncated, but an
answer to a DNSKEY or DS query needed to do DNSSEC validation is. This
requires a move to TCP to get the intermediate answer for validation.
This used to be done by faking a truncated answer to the original query
to force the client to retry over TCP. The whole transaction then
happened over TCP, including the intermediate queries of DNSKEY and DS
records. This is undesirable for several reasons.
The new code allows dnsmasq to move from UDP to TCP and back
on-the-fly, so intermediate queries can be done over TCP, without
forcing the original client to use TCP. This also works for situations
where the answer to the original query needs to come over TCP, but the
client can be answered over UDP. For instance, the answer includes RRSIG
RRs for DNSSEC validation which push it over the UDP limit, but these
are removed before the answer is returned to the original client.
There's also code which handles the opposite case. If a client has a
smaller limit on UDP packet size (for instance if it doesn't support
EDNS0 and therefore has a packet size limit of 512, rather than 1232)
then dnsmasq can truncate the untruncated answer from upstream to force
the client to retry over TCP.
This code has been extensively tested by me, but I'd like to hear how
others are getting on with it. It has not been easy to get right. The
--log-queries option has a new version, --log-queries=proto, which
includes information about which query was used for each transaction.
Cheers,
Simon.
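The two truncation rules described in the post, as an added example in Python on raw DNS wire format (this is not dnsmasq code): checking the TC bit on an upstream answer, and re-truncating an answer that fits a 1232-byte EDNS0 buffer but not the 512-byte limit of a client without EDNS0. The sample messages, the 40-record reply and the helper names are constructed for this illustration.

```python
"""Added example, not dnsmasq code: truncation handling on DNS wire format."""
import struct

HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount
TC = 0x0200                        # TrunCation bit in the flags word
UDP_LIMIT_PLAIN = 512              # client without EDNS0
UDP_LIMIT_EDNS0 = 1232             # EDNS0 buffer size mentioned in the post


def is_truncated(msg: bytes) -> bool:
    """True when the upstream server set TC: the query must be repeated over TCP."""
    flags = HEADER.unpack_from(msg)[1]
    return bool(flags & TC)


def question_len(msg: bytes) -> int:
    """Byte length of the single question section that follows the header."""
    i = HEADER.size
    while msg[i] != 0:              # walk the labels; questions are never compressed
        i += 1 + msg[i]
    return i + 1 + 4 - HEADER.size  # root label + QTYPE + QCLASS


def fit_for_client(msg: bytes, client_limit: int) -> bytes:
    """Return msg unchanged if it fits the client's UDP limit; otherwise a reply
    with TC set and only the question kept, forcing the client to retry over TCP
    (the 'opposite case' in the post: upstream answer untruncated, client too small)."""
    if len(msg) <= client_limit:
        return msg
    mid, flags, qd, _an, _ns, _ar = HEADER.unpack_from(msg)
    hdr = HEADER.pack(mid, flags | TC, qd, 0, 0, 0)
    return hdr + msg[HEADER.size:HEADER.size + question_len(msg)]


def build_reply(name: str, record_count: int) -> bytes:
    """Constructed sample: a NOERROR reply with record_count A records (16 bytes each)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    question = qname + struct.pack("!HH", 1, 1)                      # A, IN
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([10, 0, 0, 1])
    return HEADER.pack(0x1234, 0x8180, 1, record_count, 0, 0) + question + rr * record_count
```

A 40-record reply for example.com is 669 bytes: delivered as-is to an EDNS0 client, but returned as a 29-byte TC reply to a client limited to 512 bytes.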
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss