From: Colin Vidal Date: Fri, 10 Apr 2026 12:54:49 +0000 (+0200) Subject: Do not resend after BADCOOKIE answer on TCP X-Git-Tag: v9.21.22~10^2~1 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=4aedf7e9dda89bed7b3c6f22ad7078cd3bcbcb8b;p=thirdparty%2Fbind9.git Do not resend after BADCOOKIE answer on TCP When an upstream server answers BADCOOKIE, no matter the transport used, the resolver eventually resends the query using TCP. However, if the upstream server responds with BADCOOKIE again over TCP, the resolver would keep resending until the maximum query count is reached. This is now fixed by stopping resending once the query has already been sent over TCP. --- diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index d7418d494ad..742748d2f3f 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -9804,7 +9804,9 @@ rctx_badserver(respctx_t *rctx, isc_result_t result) { rctx->broken_server = DNS_R_BADVERS; rctx->next_server = true; #endif /* if DNS_EDNS_VERSION > 0 */ - } else if (rcode == dns_rcode_badcookie && rctx->query->rmessage->cc_ok) + } else if (rcode == dns_rcode_badcookie && + rctx->query->rmessage->cc_ok && + (rctx->retryopts & DNS_FETCHOPT_TCP) == 0) { /* * We have recorded the new cookie.
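Review bot: The added `(rctx->retryopts & DNS_FETCHOPT_TCP) == 0` test in the `dns_rcode_badcookie` branch is not explained by the comment that follows, which still reads only "We have recorded the new cookie."; extend that comment to say the resend is skipped once TCP has already been tried, so the reason for the third condition is visible where it is applied. With the condition false, a BADCOOKIE answer over TCP now falls through to whichever branch follows in `rctx_badserver()`, which is outside this hunk, so it is worth confirming that this path marks the server as broken and moves on (as the `DNS_R_BADVERS` branch above does with `rctx->broken_server` and `rctx->next_server = true`) rather than leaving the response to be handled as an ordinary answer. The commit message speaks of the query having "already been sent over TCP", while the check reads `rctx->retryopts`; a short note on why `retryopts` carries the TCP flag at this point would remove the ambiguity. A system test with an upstream that always answers BADCOOKIE over TCP would guard against the resend loop returning.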