From 4aedf7e9dda89bed7b3c6f22ad7078cd3bcbcb8b Mon Sep 17 00:00:00 2001
From: Colin Vidal
Date: Fri, 10 Apr 2026 14:54:49 +0200
Subject: [PATCH] Do not resend after BADCOOKIE answer on TCP

When an upstream server answers BADCOOKIE, no matter the transport used, the resolver eventually resends the query using TCP. However, if the upstream server responds with BADCOOKIE again over TCP, the resolver would keep resending until the maximum query count is reached. This is now fixed by stopping resending once the query has already been sent over TCP.
---
 lib/dns/resolver.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index d7418d494a..742748d2f3 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -9804,7 +9804,9 @@ rctx_badserver(respctx_t *rctx, isc_result_t result) {
 rctx->broken_server = DNS_R_BADVERS;
 rctx->next_server = true;
 #endif /* if DNS_EDNS_VERSION > 0 */
- } else if (rcode == dns_rcode_badcookie && rctx->query->rmessage->cc_ok)
+ } else if (rcode == dns_rcode_badcookie &&
+ rctx->query->rmessage->cc_ok &&
+ (rctx->retryopts & DNS_FETCHOPT_TCP) == 0)
 {
 /*
 * We have recorded the new cookie.
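Review bot: The new guard in the `dns_rcode_badcookie` branch tests `rctx->retryopts`, which describes the next attempt, rather than the transport of the query that was actually answered; if anything earlier in response handling can set `DNS_FETCHOPT_TCP` in `retryopts` for a UDP query (not visible in this hunk), a legitimate UDP BADCOOKIE retry would be skipped. Consider checking the answered query directly, e.g. `(rctx->query->options & DNS_FETCHOPT_TCP) == 0`, or add a comment stating the invariant, such as `/* retryopts still mirrors the answered query's options here, so TCP set means this BADCOOKIE arrived over TCP. */`. When the guard fails, control falls to whatever branch follows this one, and the body of `rctx_badserver` continues outside the hunk, so it is worth confirming that a repeated BADCOOKIE over TCP ends up marking the server bad rather than being treated as a usable answer. The diffstat shows only `lib/dns/resolver.c` changed, so a regression test with an upstream that always answers BADCOOKIE over TCP would pin the bounded-retry behaviour.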