Using TFO with forward-addr, tls-upstream Resolvers

Wouter Wijngaards wouter at
Mon Feb 11 09:15:30 UTC 2019

Hi Jeff,

On 2/10/19 1:00 AM, Jeff Hedley via Unbound-users wrote:
> Hello all,
> Is tfo (TCP Fast Open) supposed to work with forward-zone, tls-upstream
> servers? I see that tfo works when unbound attempts recursive (tcp)
> queries itself, but when it uses a forward-addr for the query, tfo is
> not attempted.
> I'm running unbound 1.9.0 configured with --enable-tfo-client and
> -server. I confirmed the same behavior in version 1.8.3 as well.

Unbound performs fastopen for TCP. For TLS it tries to set things up,
and on MacOS this means it performs connectx and you (probably) have TFO.
For Linux, the first write needs MSG_FASTOPEN, but this write is
performed by lib openssl for TLS. For TCP unbound does it. It looks
like openssl does not have a function to make it perform TFO on Linux.

Best regards, Wouter

> Has anyone else successfully used tfo with a forward-addr tls upstream
> server?
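
The Linux first write with MSG_FASTOPEN described in the reply above, as an added example that is not part of the original message and is not Unbound or OpenSSL code. The names `tfo_first_write` and `loopback_demo` are hypothetical, the payload is constructed, and the helper falls back to a plain connect() when the kernel refuses the flag.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifndef MSG_FASTOPEN
#define MSG_FASTOPEN 0x20000000
#endif

/* Added example, not Unbound code. Hypothetical helper: connect to dst and
 * send buf as the first write. Returns the connected socket or -1; *tfo is 1
 * if the kernel took the MSG_FASTOPEN path (the data rides in the SYN only
 * once a cookie for dst is cached). */
int tfo_first_write(const struct sockaddr_in *dst, const void *buf, size_t len, int *tfo) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    /* sendto() with MSG_FASTOPEN replaces connect() plus the first send(). */
    ssize_t n = sendto(fd, buf, len, MSG_FASTOPEN | MSG_NOSIGNAL,
                       (const struct sockaddr *)dst, sizeof(*dst));
    *tfo = (n >= 0);
    if (n < 0) { /* e.g. EOPNOTSUPP with client TFO disabled: plain connect */
        if (connect(fd, (const struct sockaddr *)dst, sizeof(*dst)) < 0) { close(fd); return -1; }
        n = 0;
    }
    while ((size_t)n < len) { /* finish a short or skipped first write */
        ssize_t m = send(fd, (const char *)buf + n, len - (size_t)n, MSG_NOSIGNAL);
        if (m <= 0) { close(fd); return -1; }
        n += m;
    }
    return fd;
}

/* Constructed loopback check: 1 if a local listener receives the payload. */
int loopback_demo(void) {
    const char msg[] = "constructed first write";
    char got[sizeof(msg)] = {0};
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t alen = sizeof(a);
    int tfo = 0, ok = 0, c = -1, s = -1, l = socket(AF_INET, SOCK_STREAM, 0);
    if (l >= 0 && bind(l, (struct sockaddr *)&a, sizeof(a)) == 0 && listen(l, 1) == 0 &&
        getsockname(l, (struct sockaddr *)&a, &alen) == 0 &&
        (c = tfo_first_write(&a, msg, sizeof(msg), &tfo)) >= 0 && (s = accept(l, NULL, NULL)) >= 0)
        ok = recv(s, got, sizeof(got), MSG_WAITALL) == (ssize_t)sizeof(msg) && !memcmp(got, msg, sizeof(msg));
    if (s >= 0) close(s);
    if (c >= 0) close(c);
    if (l >= 0) close(l);
    return ok;
}

int main(void) { return loopback_demo() ? 0 : 1; }
```

When a TLS library issues the first write itself, the application has no call site at which to pass this flag, which is the limitation the reply describes for TLS on Linux.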
