TCP fallback on timeout

Viktor Dukhovni ietf-dane at
Thu Apr 27 14:27:49 UTC 2017

On Wed, Apr 26, 2017 at 08:14:09PM -0700, Jacob Hoffman-Andrews wrote:

> I'm trying to understand Unbound's TCP fallback better. Is it expected
> that Unbound will fall back to TCP when UDP queries timeout, or only if
> it receives a truncated ANSWER?

Only when truncated as you observed.

> Specifically, I'm trying to make CAA queries, and finding that, when
> querying a certain DNS provider (NetRegistry), UDP queries time out but
> TCP queries succeed.

That provider has a misconfigured (often Arbor Networks) firewall
in front of their nameservers, and the firewall is dropping queries
for all but a set of "standard" RRtypes.  Ofen in my experience
(when the firewall is Arbor Networks) IPv6 UDP queries also work,
when the nameservers have IPv6 addresses.  In other words, the
filtering is in place only for UDP+IPv4.

The right thing to do is to not implement work-arounds for the
problem on the client end.  Instead, let operational errors lead
to failure, but notify the operator so they remediate the issue.
This will fix lookup issues for CAA, CDS, TLSA, SMIMEA, OPENPGPKEY,
whether the resolver is unbound, BIND, ...

If you email me a small list of problem domains (served by the
problem nameservers), I can get the ball rolling, open a new
entry under:

and notify the errant provider.


More information about the Unbound-users mailing list