dnscrypt doesn't work after upgrade to 1.18

[dukeartem]

Good day!
After upgrade unbound from 1.17.1 -> 1.18 we have trouble with dnscrypt module. Every second query for same fqdn and any type is hang. How it looks like:
first query

dig @127.0.0.1 -p 5353 yandex.com +nodnssec +timeout=10 -t A +notcp
; <<>> DiG 9.18.1-1ubuntu1.3-Ubuntu <<>> @127.0.0.1 -p 5353 yandex.com +nodnssec +timeout=10 -t A +notcp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17889
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;yandex.com.			IN	A

;; ANSWER SECTION:
yandex.com.		1200	IN	A	77.88.55.80
yandex.com.		1200	IN	A	5.255.255.88
yandex.com.		1200	IN	A	5.255.255.80
yandex.com.		1200	IN	A	77.88.55.77

;; Query time: 216 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1) (UDP)
;; WHEN: Thu Sep 21 12:41:27 MSK 2023
;; MSG SIZE  rcvd: 103

second query

dig @127.0.0.1 -p 5353 yandex.com +nodnssec +timeout=10 -t A +notcp
; <<>> DiG 9.18.1-1ubuntu1.3-Ubuntu <<>> @127.0.0.1 -p 5353 yandex.com +nodnssec +timeout=10 -t A +notcp
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

if i flush cache unbound-control -c /etc/unbound/unbound_crypt_my.conf flush yandex.com, the request is working again and only one time. If I set +tcp trouble will not reproduce.
For debug i gathered tcpdump unbound_dnscrypt_pcap.zip
and in unbound 1.17(file dnscrypt_1.17.pcap) both requests have encrypted response,
but in unbound 1.18 on udp (file dnscrypt_1.18_udp.pcap) first request has encrypted response, but second response in plain text. And for comparing i recorded unbound 1.18 on tcp (file dnscrypt_1.18_tcp.pcap) and in this time many requests have many encrypted response.

Our schema and configurations:
dncrypt-proxy(https://github.com/dyne/dnscrypt-proxy) -> unbond
Configs
/etc/dnscrypt-proxy/dnscrypt-proxy.conf

ProviderName    2.dnscrypt-cert.browser.yandex.net
ProviderKey     D384:C071:C9F7:4662:AF2A:CCD5:7B5D:CC97:14D4:07B6:AD36:01E1:AEDC:06D5:6D49:6327
ResolverAddress 127.0.0.1:15354
Daemonize no
LocalAddress 127.0.0.1:5353
LocalCache off
EphemeralKeys off
LogLevel 7
BlockIPv6 no

unbound version

Version 1.18.0
Configure line: --disable-static --prefix=/var/empty/unbound-1.18.0 --bindir=/var/empty/tmp/out/bin --sbindir=/var/empty/tmp/out/sbin --includedir=/var/empty/tmp/out/include --oldincludedir=/var/empty/tmp/out/include --mandir=/var/empty/tmp/out/share/man --infodir=/var/empty/tmp/out/share/info --docdir=/var/empty/tmp/out/share/doc/unbound --libdir=/var/empty/tmp/out/lib --libexecdir=/var/empty/tmp/out/libexec --localedir=/var/empty/tmp/out/share/locale --disable-rpath --disable-dnstap --enable-dnscrypt --enable-subnet --enable-systemd --libdir=/usr/lib --prefix= --with-libevent=/place/sandbox-data/tasks/3/9/1924600693/__FUSE/mount_path_ffc78d12-6077-4afa-8e09-3215fe69b6c3/contrib/libs/libevent --with-pidfile=/run/unbound.pid --with-rootkey-file=/var/lib/unbound/root.key --with-username= --disable-systemd
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.2 15 Mar 2022
Linked modules: dns64 subnetcache respip validator iterator
DNSCrypt feature available

unbound config

server:
        root-hints: "/dnsdata/named.root"
        directory: "/"
        username: ""
        chroot: ""
        interface: 127.0.0.1@10453
        interface: ::1@10453
        interface: 127.0.0.1@15354
        ip-freebind: "yes"
        do-daemonize: "no"
        num-threads: 1
        access-control: 0.0.0.0/0 allow
        access-control: ::0/0 allow
        statistics-interval: 60
        statistics-cumulative: "yes"
        extended-statistics: "yes"
        logfile: /logs/unbound/unbound_crypt.log
        verbosity: 5
        val-log-level: 2
        log-time-ascii: yes
        log-queries: yes
        trust-anchor-file: "/unbound_secrets/root.key"
        val-permissive-mode: "yes"
        module-config: "iterator"
remote-control:
        control-enable: yes
        control-interface: ::1
        control-port: 22204
        server-key-file: "/unbound_secrets/unbound_server.key"
        server-cert-file: "/unbound_secrets/unbound_server.pem"
        control-key-file: "/unbound_secrets/unbound_control.key"
        control-cert-file: "/unbound_secrets/unbound_control.pem"
dnscrypt:
        dnscrypt-enable: yes
        dnscrypt-port: 15354
        dnscrypt-provider: 2.dnscrypt-cert.browser.yandex.net.
        dnscrypt-secret-key: /dnscrypt/2.key
        dnscrypt-provider-cert: /dnscrypt/2.cert
        dnscrypt-provider-cert-rotated: /dnscrypt/1.cert

lsb_release -r
Release:	22.04

uname -rn
5.4.210-39

[dukeartem]

i found this behavior occurred after this commit 2e6ddd6#diff-5ba9d48b3472f0792b0e8126de24df983e00cb43e2603465ac24f26c06470616R3837-R3841
and after this commit 1c8f0e0#diff-5ba9d48b3472f0792b0e8126de24df983e00cb43e2603465ac24f26c06470616L3857-L3861
now is work again.
I think this is because in function comm_point_udp_ancil_callback in this place https://github.com/NLnetLabs/unbound/blob/master/util/netevent.c#L1073C48-L1073C57
need something like this

struct sldns_buffer *buffer;
#ifdef USE_DNSCRYPT
		      buffer = rep.c->dnscrypt_buffer;
#else
		      buffer = rep.c->buffer;
#endif
		if((*rep.c->callback)(rep.c, rep.c->cb_arg, NETEVENT_NOERROR, &rep)) {
			/* send back immediate reply */
			(void)comm_point_send_udp_msg_if(rep.c, buffer,
				(struct sockaddr*)&rep.remote_addr,
				rep.remote_addrlen, &rep);
		}

[gthess]

Thanks for the information! dnscrypt should have already been working on the master branch after the commit you referenced but I also submitted you suggestion so that dnscrypt would continue working when comm_point_udp_ancil_callback is used, for example with interface-automatic: yes.