From: Ondřej Surý
Date: Fri, 15 May 2026 07:50:52 +0000 (+0200)
Subject: [9.18] chg: usr: Fall back to TCP on a UDP response with a mismatched query id
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f175d8c63bcb605b663bba56148cd2551a5721cf;p=thirdparty%2Fbind9.git

[9.18] chg: usr: Fall back to TCP on a UDP response with a mismatched query id

BIND used to wait silently for the correct DNS message id on a UDP fetch even after receiving a response from the expected server with the wrong id, leaving room for off-path spoofing attempts to keep guessing within that window. The resolver now retries the fetch over TCP on the first such response, and a new MismatchTCP statistics counter tracks how often the fallback fires.

Closes #5449

Backport of MR !12023

Merge branch 'backport-5449-immediate-tcp-fallback-on-id-mismatch-9.18' into 'bind-9.18'

See merge request isc-projects/bind9!12026
---
f175d8c63bcb605b663bba56148cd2551a5721cf
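The decision the commit message describes, sketched as an added example; it is not BIND's code and not part of the original commit. All names (`fetch_t`, `classify_udp_response`, `ids_compared`, the `tcp_fallback` switch) are hypothetical, the addresses and packets are constructed, and dropping short packets and packets from other senders is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical names throughout; this is not BIND's resolver code. */
typedef enum { RESP_ACCEPT, RESP_DROP, RESP_RETRY_TCP } resp_action_t;

typedef struct {
    uint32_t server_addr;  /* address the query was sent to */
    uint16_t server_port;  /* port the query was sent to */
    uint16_t query_id;     /* id of the outstanding query */
    int tcp_fallback;      /* 1 = behaviour after the change, 0 = before */
    unsigned mismatch_tcp; /* models the MismatchTCP counter */
} fetch_t;

resp_action_t classify_udp_response(fetch_t *f, uint32_t src_addr, uint16_t src_port,
                                    const uint8_t *pkt, size_t len) {
    if (src_addr != f->server_addr || src_port != f->server_port)
        return RESP_DROP; /* assumption: other senders are ignored */
    if (len < 12)
        return RESP_DROP; /* assumption: shorter than a DNS header */
    /* The message id is the first two header bytes, big-endian. */
    uint16_t id = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if (id == f->query_id)
        return RESP_ACCEPT;
    if (!f->tcp_fallback)
        return RESP_DROP; /* before: keep waiting on UDP for the right id */
    f->mismatch_tcp++;    /* after: the first mismatch ends the UDP wait */
    return RESP_RETRY_TCP;
}

/* Feed n constructed responses (ids first_id, first_id+1, ...) from the expected
 * server; return how many were compared with the query id before UDP stopped. */
unsigned ids_compared(fetch_t *f, uint16_t first_id, unsigned n) {
    unsigned seen = 0;
    for (unsigned i = 0; i < n; i++) {
        uint16_t id = (uint16_t)(first_id + i);
        uint8_t pkt[12] = { (uint8_t)(id >> 8), (uint8_t)(id & 0xff), 0x80 };
        seen++;
        if (classify_udp_response(f, f->server_addr, f->server_port, pkt, sizeof pkt) != RESP_DROP)
            break; /* accepted, or the fetch moved to TCP */
    }
    return seen;
}

int main(void) {
    fetch_t before = {0xC0000201u, 53, 0x1234, 0, 0}; /* 192.0.2.1, constructed */
    fetch_t after  = {0xC0000201u, 53, 0x1234, 1, 0};
    printf("before: %u ids compared\n", ids_compared(&before, 0, 1000));
    printf("after:  %u ids compared\n", ids_compared(&after, 0, 1000));
    return 0;
}
```

With the fallback off, every mismatched response in the burst is checked against the outstanding id; with it on, the first mismatch closes the UDP window and increments the counter.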