From: Ondřej Surý <ondrej@isc.org>
Date: Fri, 15 May 2026 04:57:00 +0000 (+0200)
Subject: chg: usr: Fall back to TCP on a UDP response with a mismatched query id
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ef405bfa6dce617908bb581812dad4cdd2d7f805;p=thirdparty%2Fbind9.git

chg: usr: Fall back to TCP on a UDP response with a mismatched query id

BIND used to wait silently for the correct DNS message id on a UDP fetch
even after receiving a response from the expected server with the wrong
id, leaving room for off-path spoofing attempts to keep guessing within
that window.  The resolver now retries the fetch over TCP on the first
such response, and a new MismatchTCP statistics counter tracks how
often the fallback fires.

Closes #5449

Merge branch '5449-immediate-tcp-fallback-on-id-mismatch' into 'main'

See merge request isc-projects/bind9!12023
---

ef405bfa6dce617908bb581812dad4cdd2d7f805