TCP fallback on timeout

Jacob Hoffman-Andrews jsha at
Thu Apr 27 17:06:19 UTC 2017

On 04/27/2017 07:27 AM, Viktor Dukhovni via Unbound-users wrote:
> On Wed, Apr 26, 2017 at 08:14:09PM -0700, Jacob Hoffman-Andrews wrote:
>> I'm trying to understand Unbound's TCP fallback better. Is it expected
>> that Unbound will fall back to TCP when UDP queries timeout, or only if
>> it receives a truncated ANSWER?
> Only when truncated as you observed.
Thanks for the info.

Another question: For CA queries in general (A, AAAA, TXT, CAA), Let's
Encrypt has gotten feedback that using TCP to query authoritative
resolvers is more secure and less likely to be spoofed. Unfortunately,
DNS servers aren't required to support TCP. This is another reason why
we've been considering running to recursive resolvers, one with
tcp-upstream: yes, and one with tcp-upstream: no. The idea would be that
the CA software (Boulder) would first attempt to query the tcp-upstream:
yes instance, and fall back to the tcp-upstream: no instance on errors.
In your opinion, is this a reasonable setup, and does it meaningfully
increase protections against spoofing?

More information about the Unbound-users mailing list