From: Ondřej Surý <ondrej@isc.org>
Date: Wed, 24 Jun 2026 10:18:30 +0000 (+0200)
Subject: fix: usr: Truncated reply to a TSIG query no longer stalls the resolver
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=19c202d470c483c8a960f5818b8d535c2b7b654c;p=thirdparty%2Fbind9.git

fix: usr: Truncated reply to a TSIG query no longer stalls the resolver

When an upstream server returned a truncated reply to a query that BIND had
signed with TSIG, the resolver could keep waiting for a follow-up UDP packet
that never arrived, so the query stalled until it hit resolver-query-timeout
and the client received no answer. BIND now treats any reply it cannot
authenticate as an immediate failure and returns SERVFAIL right away as a
defense in depth.

Closes #6028

Merge branch '6028-tsig-truncated-tsig-response' into 'main'

See merge request isc-projects/bind9!12080
---

19c202d470c483c8a960f5818b8d535c2b7b654c