When an upstream server returned a truncated reply to a query that BIND had
signed with TSIG, the resolver could keep waiting for a follow-up UDP packet
that never arrived, so the query stalled until it hit resolver-query-timeout
and the client received no answer. BIND now treats any reply it cannot
authenticate as an immediate failure and returns SERVFAIL right away as a
defense in depth.
Closes #6028
Merge branch '6028-tsig-truncated-tsig-response' into 'main'
See merge request isc-projects/bind9!12080
projects / thirdparty / bind9.git / commitdiff
