On 17.04.25 at 09:58, Yorgos Thessalonikefs via nsd-users wrote:
> Hi Andreas,
>
> On 16/04/2025 23:17, A. Schulze via nsd-users wrote:
>> 4. any chance that https://github.com/NLnetLabs/nsd/pull/437 finds its way into 4.12?
>> a similar change is active in unbound-1.23.0rc2 and works well there.
> This change was heading to 4.12 but we pulled it because it was breaking software that implicitly sends the SOA probe over UDP.
> Maybe a more lenient approach should be used, but the change needs more development time at the moment; not something that could be addressed for this release cycle.

Hello Yorgos,

I added #437 to my build. It works, somehow...

I cannot imagine a scenario for any (resolver?) software to implicitly send a SOA probe over UDP to port 853 / not port 53.
Could you clarify this, please?

There is also a difference to the same solution for that problem in unbound:
While "netstat -lnpu" does not show open UDP sockets for DoT and DoH on unbound, NSD is different:
"netstat -lnpu" shows an open port for Do53 and DoT. Do53/UDP does time out on port 853, though.

It looks like #437 works very differently from the code implemented in unbound.

Andreas
Hi Andreas,

On 18/04/2025 23:28, A. Schulze via nsd-users wrote:
> I added #437 to my build. It works, somehow...
>
> I cannot imagine a scenario for any (resolver?) software to implicitly
> send a SOA probe over UDP to port 853 / not port 53.
> Could you clarify this, please?

Unbound is an example: when configured with auth zones, it will send the SOA probe over UDP before starting a zone transfer.

>
> There is also a difference to the same solution for that problem in
> unbound:
> While "netstat -lnpu" does not show open UDP sockets for DoT and DoH on
> unbound, NSD is different:
> "netstat -lnpu" shows an open port for Do53 and DoT. Do53/UDP does
> time out on port 853, though.

Just to be clear with terminology (Do53 does not help if the port is not 53 :), you want to say that when a #437-patched NSD is configured for TLS over port 853 you expect to see only TCP open on 853 but you also see UDP open on 853?
If that is the case, the PR also needs more work apparently :)

>
> It looks like #437 works very differently from the code implemented in
> unbound.

Unbound and NSD are very different in how they set up listening interfaces.

Best regards,
-- Yorgos
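The check the two messages above circle around (is a DoT listener on 853 TCP-only, or is UDP bound there too) can be scripted over `netstat -lnptu` output. This is an added example, not code from the thread or from NSD/Unbound; the sample output, addresses and PIDs are constructed to mirror what Andreas described, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of "netstat -lnptu" output modelled on the report above:
# TCP and UDP bound on 53, and both TCP and UDP bound on 853. All addresses
# and PIDs are made up for this example.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:53           0.0.0.0:*               LISTEN      1234/nsd
tcp        0      0 192.0.2.10:853          0.0.0.0:*               LISTEN      1234/nsd
udp        0      0 192.0.2.10:53           0.0.0.0:*                           1234/nsd
udp        0      0 192.0.2.10:853          0.0.0.0:*                           1234/nsd'

# Print the local addresses that have a UDP socket bound on the given port.
# Reads netstat -lnpu / -lnptu style output on stdin.
udp_bound_on() {
    awk -v port="$1" '
        $1 ~ /^udp/ {
            # $4 is "Local Address"; the text after the last ":" is the port,
            # which also works for bracketed or "::" IPv6 forms.
            n = split($4, a, ":")
            if (a[n] == port) print $4
        }'
}

# Succeed (exit 0) when no UDP socket is bound on the port, fail otherwise.
check_no_udp() {
    [ -z "$(udp_bound_on "$1")" ]
}

# On a live host you would pipe the real thing:  netstat -lnptu | udp_bound_on 853
# Here the constructed sample is used instead.
printf '%s\n' "$SAMPLE_NETSTAT" | udp_bound_on 853
if printf '%s\n' "$SAMPLE_NETSTAT" | check_no_udp 853; then
    echo "ok: no UDP listener on 853"
else
    echo "unexpected: UDP bound on 853; a DoT-only listener should be TCP-only"
fi
```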