It seems that Mikrotik doesn't do this. The following snippet refers, where 192.168.42.1 is the Mikrotik in question (RoS 6.49.7) and 192.168.42.21 is the "upstream" cache (it in turn uses two upstream DJBDNS caches, but in this case already has the response cached):
Code: Select all
13:59:23.326953 IP (tos 0x0, ttl 64, id 58536, offset 0, flags [none], proto UDP (17), length 99)
192.168.42.1.51961 > 192.168.42.21.53: 4900+ TXT? selector-1697116436._domainkey.dejonghoptometry.co.za. (71)
Code: Select all
13:59:23.327060 IP (tos 0x0, ttl 64, id 60262, offset 0, flags [DF], proto UDP (17), length 540)
192.168.42.21.53 > 192.168.42.1.51961: 4900| 3/0/0 selector-1697116436._domainkey.dejonghoptometry.co.za. TXT "v=DKIM1; k=rsa; t=s; n=core; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArpFccWmhLDrQZgRgnTbr9Z9WqY0A2w6oxOd/V5QrBFCVADXlZZWQ0797se6raOuo6TMts1rpVpqYloDd/B", selector-1697116436._domainkey.dejonghoptometry.co.za. TXT "9daBIhbFpB98J3uUsE3W4JUykVNxKwsNndRHTI9kmHTUQ7xqQ0MLf8wifpuHMBCEDNvU4LpwjTDZirG92X2d959T73b3BqbfdkwDPz+BOEk0p2ZZlMSaWJpEXVOgFDqfuFg", selector-1697116436._domainkey.dejonghoptometry.co.za. TXT [|domain]
Response bit: 1
Opcode: 0
Auth: 0
Truncated: 1
Recursion desired: 1
Recursion available: 1
Reserved: 0
Answer authenticated: 0
Non-authenticated data: 0
reply-code: 0 (no error)
Please note that for the above I hacked djbdns to truncate to 512 bytes rather than directly after the question section in the response (ie, normally it won't include even a part of the response). This was done in the hopes that it might trigger RouterOS to switch to TCP fallback.
Anyway, at this point RouterOS simply retransmits the request, somehow expecting a different result, instead of switching to TCP.
RouterOS itself will serve queries from TCP and itself truncate packets to configured size (default 4096 bytes, although the standard says to use 512, but then again with DNSSEC it's probably not a bad idea to violate this and ship larger responses in UDP, but that's a different discussion not relevant to this one) on UDP and set the Truncate bit, so it knows about this, but for some reason doesn't seem to act correctly when running as a client.
One thing we could do is to modify our caches to serve up to 4KB via UDP, but that would go against standards, as well as just move the goalpost (what happens when we get sufficient data to overflow the 4KB mark?)
Is there some configuration option I'm missing, or is this a bug in RouterOS that will be fixed some time soon?
