[Dnsmasq-discuss] Code dump.

Simon Kelley simon at thekelleys.org.uk
Sun Dec 1 23:38:53 UTC 2024


I just synced the public git to my personal git repo, and there are 
quite a few commits.

Apologies for the dump. Most of the changes are fairly inconsequential 
or follow naturally from the big enhancement.

The big change is the handling of truncation in the DNS system. In 
principle, this is simple. If an answer is too big to fit in a UDP 
packet, the upstream server will mark the answer as truncated, DNS 
returns this, and the client repeats the query over TCP. Where it gets 
complicated is with DNSSEC. An answer is not truncated, but an 
answer to a DNSKEY or DS query needed to do DNSSEC validation is. This
requires a move to TCP to get the intermediate answer for validation.

This used to be done by faking a truncated answer to the original query 
to force the client to retry over TCP. The whole transaction then 
happened over TCP, including the intermediate queries of DNSKEY and DS 
records. This is undesirable for several reasons.

The new code allows dnsmasq to move from UDP to TCP and back 
on-the-fly, so intermediate queries can be done over TCP, without 
forcing the original client to use TCP. This also works for situations 
where the answer to the original query needs to come over TCP, but the 
client can be answered over UDP. For instance the answer includes RRSIG 
RRs for DNSSEC validation which pushes it over the UDP limit, but these 
are removed before the answer is returned to the original client.

There's also code which handles the opposite case. If a client has a 
smaller limit on UDP packet size (for instance if it doesn't support 
EDNS0 and therefore has a packet size limit of 512, rather than 1232) 
then dnsmasq can truncate the untruncated answer from upstream to force 
the client to retry over TCP.


This code has been extensively tested by me, but I'd like to hear how 
others are getting on with it. It has not been easy to get right. The 
--log-queries option has a new version, --log-queries=proto, which 
includes information about which query was used for each transaction.


Cheers,

Simon.
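As an added illustration (not dnsmasq's code and not part of the post above), the following Python sketch shows the two sizing decisions the post describes, on hand-built wire-format messages: RRSIGs fetched for validation are dropped before the client sees the answer, and a client that advertised no EDNS0 buffer gets a TC-flagged reply when what remains still exceeds 512 bytes, while a client advertising 1232 gets the full answer. The message IDs, the 192.0.2.x addresses and the 500-byte dummy RRSIG rdata are constructed sample values.

```python
import struct

TYPE_OPT, TYPE_RRSIG, TC = 41, 46, 0x0200  # OPT pseudo-RR type, RRSIG type, TC bit in the header flags

def _skip_name(msg, off):  # advance past a wire-format name; a compression pointer (top two bits set) ends it
    while msg[off] & 0xC0 != 0xC0 and msg[off] != 0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse(msg):  # -> (12-byte header, question section bytes, [(section, rtype, raw RR bytes)])
    off, (qd, an, ns, ar) = 12, struct.unpack("!HHHH", msg[4:12])
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    question, rrs = msg[12:off], []
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            start, off = off, _skip_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            rrs.append((section, rtype, msg[start:off]))
    return msg[:12], question, rrs

def client_udp_limit(query):
    """512 bytes (no EDNS0) unless the query's OPT RR advertises more; OPT keeps the size in its CLASS field."""
    sizes = [struct.unpack("!H", raw[3:5])[0] for _, t, raw in parse(query)[2] if t == TYPE_OPT]
    return max([512] + sizes)

def answer_for_client(upstream, query):
    """Strip RRSIGs (needed only for validation) and size the reply for this client -> (reply, truncated)."""
    header, question, rrs = parse(upstream)
    # Assumes no surviving RR has a compression pointer into a dropped RRSIG (the samples only point at offset 12).
    kept = {s: [raw for sec, t, raw in rrs if sec == s and t != TYPE_RRSIG] for s in ("an", "ns", "ar")}
    flags, qd = struct.unpack("!HH", header[2:6])
    reply = header[:2] + struct.pack("!HHHHH", flags & ~TC, qd, *map(len, kept.values())) + question + b"".join(sum(kept.values(), []))
    if len(reply) <= client_udp_limit(query):
        return reply, False
    # Still too big for this client: return the question alone with TC set so it retries over TCP.
    return header[:2] + struct.pack("!HHHHH", flags | TC, qd, 0, 0, 0) + question, True

def _rr(owner, rtype, rdata, rclass=1, ttl=300):
    return owner + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)  # constructed question: example.com IN A

def sample_query(edns_size=None):  # constructed client query; edns_size adds an OPT RR advertising that UDP size
    opt = b"" if edns_size is None else _rr(b"\x00", TYPE_OPT, b"", rclass=edns_size, ttl=0)
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if opt else 0) + QUESTION + opt

def sample_upstream(n_addresses, with_rrsig):  # constructed untruncated upstream reply; owner names point at offset 12
    rrs = [_rr(b"\xc0\x0c", 1, bytes([192, 0, 2, i])) for i in range(n_addresses)]
    rrs += [_rr(b"\xc0\x0c", TYPE_RRSIG, b"\x00" * 500)] if with_rrsig else []  # placeholder rdata, not a real signature
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(rrs), 0, 0) + QUESTION + b"".join(rrs)
```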
