Retry over TCP if TC bit is set for DNS TXT records and set EDNS0

kanashimia · kanashimia · commit 0791210ee047 · 2026-02-17T23:02:42.000+02:00
TXT records can be quite large, with is a problem for DNS challenges, they don't fit in the 512 buffer especially if there are multiple. DNS servers can increase the buffer size through EDNS0 extension, and retry over TCP if that wasn't enough. DNS server should truncate response if it doesn't fit in the buffer, and set TC (Truncate) bit, then DNS client should retry over TCP. 1220 value for UDP buffer size was chosen based on this recommendation: https://www.isc.org/blogs/dns-flag-day-2020-2/ This changes only TXT request, I left other methods untouched. But it would make sense to do the same logic for all requests, by building some small abstraction around miekg/dns for requests. Also see docs for Exchange function: https://pkg.go.dev/github.com/miekg/dns#Client.Exchange Was originally found in #536 (comment)
diff --git a/va/va.go b/va/va.go
@@ -111,6 +111,7 @@ type VAImpl struct {
 	strict             bool
 	customResolverAddr string
 	dnsClient          *dns.Client
+	dnsClientTCP       *dns.Client
 
 	// The VA having a DB client is indeed strange. This is only used to
 	// facilitate va.setOrderError changing the ARI related order replacement
@@ -139,6 +140,8 @@ func New(
 	if customResolverAddr != "" {
 		va.log.Printf("Using custom DNS resolver for ACME challenges: %s", customResolverAddr)
 		va.dnsClient = new(dns.Client)
+		va.dnsClientTCP = new(dns.Client)
+		va.dnsClientTCP.Net = "tcp"
 	} else {
 		va.log.Print("Using system DNS resolver for ACME challenges")
 	}
@@ -832,10 +835,20 @@ func (va VAImpl) getTXTEntry(name string) ([]string, error) {
 		return net.DefaultResolver.LookupTXT(ctx, name)
 	}
 
+	const dnssec = false
+	const udpMaxMsgSize uint16 = 1220 // should be small enough to not cause packet fragmentation
+
 	var txts []string
 	message := new(dns.Msg)
 	message.SetQuestion(dns.Fqdn(name), dns.TypeTXT)
+	message.SetEdns0(udpMaxMsgSize, dnssec)
 	in, _, err := va.dnsClient.ExchangeContext(ctx, message, va.customResolverAddr)
+
+	if in.Truncated {
+		// Response was truncated, retry over TCP instead
+		in, _, err = va.dnsClientTCP.ExchangeContext(ctx, message, va.customResolverAddr)
+	}
+
 	if err != nil {
 		return nil, err
 	}
