[Dnsmasq-discuss] dnssec on android?

Simon Kelley simon at thekelleys.org.uk
Thu Apr 3 08:50:51 UTC 2014


On 03/04/14 02:37, Dave Taht wrote:
> It looks like there will be some issues getting dnssec on
> android by switching to dnsmasq:
> 
> https://code.google.com/p/android/issues/detail?id=65510
> 
> What is dnsmasq's behavior on how/when to switch to tcp?
> 

If the client uses UDP to query dnsmasq, then dnsmasq will use UDP to
query upstream. If the client uses TCP to query dnsmasq, then dnsmasq
uses TCP to query upstream. The same applies to DNSKEY and DS queries,
UDP if the original query came by UDP, TCP if TCP.

The normal situation is: client queries dnsmasq over UDP, dnsmasq
queries upstream over UDP, response is truncated, truncated response
returned to client. Client retries over TCP, dnsmasq queries upstream
over TCP, all is good.


The same situation applies with DNSSEC, with one additional wrinkle:
it's possible that the answer to the actual query comes back
untruncated over UDP, but a subsequent query needed to do validation (i.e.
getting DNSKEYS or DS records) is truncated. In this case, dnsmasq marks
the original answer as truncated itself and returns it, so that the
client will retry using TCP.

Cheers,


Simon.
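
The forwarding rules Simon describes above, worked through on real DNS wire-format messages. This is an added example written for this page; it is not dnsmasq's code and not part of the original mail. Assumptions: `upstream(msg, tcp)` is a hypothetical callable standing in for the upstream server, the validation chain is simplified to a DNSKEY and a DS query for the queried name, and `fake_upstream` together with the messages it returns are constructed test inputs. `resolve()` is the client side (UDP first, TCP on TC=1) and needs network access; everything else runs offline.

```python
"""Added example, not dnsmasq code: TC-bit handling as described in the mail.
  * upstream transport follows the client's transport (UDP -> UDP, TCP -> TCP);
  * a TC=1 upstream reply goes back unchanged so the client retries over TCP;
  * (DNSSEC) if a DNSKEY/DS sub-query needed for validation is truncated over
    UDP, the complete original answer is marked TC=1 before it is returned.
Assumed/constructed: `upstream` callable, simplified DNSKEY+DS chain, fake_upstream.
"""
import socket
import struct

QR_FLAG, TC_FLAG, RD_FLAG, RA_FLAG = 0x8000, 0x0200, 0x0100, 0x0080  # RFC 1035 4.1.1
QTYPE = {"A": 1, "DS": 43, "DNSKEY": 48}

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(qname, qtype, qid=0x1234, do_bit=True):
    """RD=1 query with an EDNS0 OPT record; DO=1 asks for DNSSEC RRs (RFC 6891/4035)."""
    header = struct.pack("!HHHHHH", qid, RD_FLAG, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000 if do_bit else 0, 0)
    return header + question + opt

def question_bytes(msg):
    """Raw question section (name + qtype + qclass) of a one-question message."""
    off = 12
    while msg[off] != 0:
        off += 1 + msg[off]
    return msg[12:off + 5]

def parse_question(msg):
    q, labels, off = question_bytes(msg), [], 0
    while q[off] != 0:
        labels.append(q[off + 1:off + 1 + q[off]].decode("ascii"))
        off += 1 + q[off]
    return ".".join(labels), struct.unpack("!H", q[off + 1:off + 3])[0]

def flags(msg):
    return struct.unpack("!H", msg[2:4])[0]

def is_truncated(msg):
    return bool(flags(msg) & TC_FLAG)

def mark_truncated(msg):
    """Set TC=1 on an otherwise complete answer so a TC-aware client retries over TCP."""
    return msg[:2] + struct.pack("!H", flags(msg) | TC_FLAG) + msg[4:]

def build_answer(query, truncated=False):
    """Constructed upstream reply: echoes id and question, QR=1, no RRs, optional TC=1."""
    qid, f = struct.unpack("!HH", query[:4])
    f |= QR_FLAG | RA_FLAG | (TC_FLAG if truncated else 0)
    return struct.pack("!HHHHHH", qid, f, 1, 0, 0, 0) + question_bytes(query)

def fake_upstream(truncate_qtypes=()):
    """Constructed upstream: answers everything, TC=1 over UDP for the given qtypes."""
    def upstream(msg, tcp):
        _, qtype = parse_question(msg)
        return build_answer(msg, truncated=(not tcp and qtype in truncate_qtypes))
    return upstream

def forward(client_msg, client_tcp, upstream, dnssec=False):
    """Forwarder decision as described in the mail (a model, not dnsmasq's code)."""
    answer = upstream(client_msg, client_tcp)      # same transport the client used
    if client_tcp or is_truncated(answer) or not dnssec:
        return answer                              # TC=1 goes back as-is; client retries TCP
    qname, _ = parse_question(client_msg)
    for qtype in ("DNSKEY", "DS"):                 # records needed to validate (simplified)
        if is_truncated(upstream(build_query(qname, qtype, qid=1), False)):
            return mark_truncated(answer)          # answer was complete, but signal TC anyway
    return answer

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short read")
        buf += chunk
    return buf

def resolve(server, qname, qtype, timeout=3.0):
    """Client side: UDP first, retry over TCP (2-byte length prefix, RFC 1035 4.2.2)
    when the reply has TC=1. Talks to the network; not used by the offline checks."""
    q = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        reply, _ = s.recvfrom(4096)
    if not is_truncated(reply):
        return reply, "udp"
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (n,) = struct.unpack("!H", recv_exact(s, 2))
        return recv_exact(s, n), "tcp"
```

With `fake_upstream(truncate_qtypes=(QTYPE["DNSKEY"],))`, a UDP A query for `example.com` with `dnssec=True` comes back with TC=1 even though the A answer itself fitted in UDP, which is exactly the case the mail describes; the same query over TCP comes back untruncated. A practical check against a live forwarder is `resolve("127.0.0.1", "example.com", "DNSKEY")`, which reports whether the TCP retry was needed.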