This is the straight forward fix but not optimal since we now have to move 16k of data from the resolver to the frontend process for every answer even if it's much smaller which is the usual case.
I'll try to improve this in the comming weeks. On Thu, Nov 05, 2020 at 09:22:59AM -0700, Florian Obser wrote: > CVSROOT: /cvs > Module name: src > Changes by: flor...@cvs.openbsd.org 2020/11/05 09:22:59 > > Modified files: > sbin/unwind : frontend.c resolver.c unwind.c unwind.h > > Log message: > Handle DNS answers that are larger than the maximum imsg size (about > 16k) by splitting them up. > Previously unwind would send meta-data about the finished query from > the resolver process to the frontend process and then silently fail to > send the actual answer because it was too big for imsg. > When receiving the meta-data for the next query the frontend process > would then exit via fatal() because it was still expecting an answer. > This likely fixes rare crashes observed by Leo Unglaub. > Note that even with DNSSEC signatures, answers this big are very rare. > OK tb, benno > -- I'm not entirely sure you are real.
