Always query DNS records over TCP instead of UDP#540
References letsencrypt/challtestsrv#35
Thanks for the patch! I'd say let's simplify and always query over TCP for all query types rather than have a fallback. We know what the backend will be in the default config and we know it supports TCP. Also RFC 9210:
Yeah you are right, that would be ok here too, and is a much simpler change, updated the PR.
obligatory mention of http://dnsneedsfuckingtcp.info heheh 😄

oh, I committed a binary, sorry
TXT records can be quite large, which is a problem for DNS challenges: they don't fit in the 512-byte buffer, especially if there are multiple. DNS servers can increase the buffer size through the EDNS0 extension, and retry over TCP if that wasn't enough. For pebble's purposes there isn't much reason to try UDP first; it is possible to just always query DNS records over TCP, so we do. Was originally found in letsencrypt#536 (comment)
TXT records can be quite large, which is a problem for DNS challenges: they don't fit in the 512-byte buffer, especially if there are multiple. DNS servers can increase the buffer size through the EDNS0 extension, and retry over TCP if that wasn't enough.
The DNS server should truncate the response if it doesn't fit in the buffer and set the TC (Truncate) bit; the DNS client should then retry over TCP.
The 1220 value for the UDP buffer size was chosen based on this recommendation: https://www.isc.org/blogs/dns-flag-day-2020-2/
This changes only the TXT request; I left the other methods untouched. But it would make sense to apply the same logic to all requests, by building a small abstraction around miekg/dns for requests.
Also see the docs for the Exchange function:
https://pkg.go.dev/github.com/miekg/dns#Client.Exchange
Was originally found in #536 (comment)
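The wire-level pieces behind the fallback the comment describes (an EDNS0 OPT record advertising a 1220-byte UDP buffer, the TC bit a server sets when the answer was truncated, and the 2-byte length framing DNS uses over TCP), written here as an added standard-library example rather than pebble's or miekg/dns's own code. The query name and the constructed response header are illustrative.

```go
package main

import (
	"encoding/binary"
	"errors"
	"strings"
)

const (
	typeTXT    = 16
	typeOPT    = 41
	udpBufSize = 1220   // the DNS flag day 2020 recommendation cited above
	flagTC     = 0x0200 // TC bit in the header flags word (RFC 1035 §4.1.1)
)

func put16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }

// buildQuery encodes a query for name/qtype plus an EDNS0 OPT record that
// advertises udpSize as the payload size this client accepts over UDP.
func buildQuery(id uint16, name string, qtype, udpSize uint16) []byte {
	msg := put16(nil, id)
	msg = put16(msg, 0x0100) // flags: RD
	msg = put16(msg, 1)      // QDCOUNT
	msg = put16(msg, 0)      // ANCOUNT
	msg = put16(msg, 0)      // NSCOUNT
	msg = put16(msg, 1)      // ARCOUNT: the OPT record
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		msg = append(append(msg, byte(len(label))), label...)
	}
	msg = put16(append(msg, 0), qtype)   // root terminator, then QTYPE
	msg = put16(msg, 1)                  // QCLASS IN
	msg = put16(append(msg, 0), typeOPT) // OPT pseudo-RR: root name, TYPE
	msg = put16(msg, udpSize)            // CLASS field carries the UDP payload size
	return append(msg, 0, 0, 0, 0, 0, 0) // TTL=0 (ext RCODE/version/flags), RDLEN=0
}

// truncated reports whether the server set the TC bit, i.e. the answer did
// not fit in the UDP buffer and must be re-fetched over TCP.
func truncated(resp []byte) (bool, error) {
	if len(resp) < 12 {
		return false, errors.New("short DNS header")
	}
	return binary.BigEndian.Uint16(resp[2:4])&flagTC != 0, nil
}

// tcpFrame applies the 2-byte length prefix DNS uses on TCP (RFC 1035 §4.2.2).
func tcpFrame(msg []byte) []byte { return append(put16(nil, uint16(len(msg))), msg...) }
```

Skipping straight to TCP, as this PR does, means tcpFrame is always applied and the TC check never needs to run.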