Merge pull request PowerDNS#17430 from pieterlexis/rec-doc-nearmiss

pieterlexis · web-flow · commit 0cca2e389a63 · 2026-05-26T10:24:35.000+02:00
docs(rec): describe result of hitting spoof-nearmiss-max in more places
diff --git a/pdns/recursordist/docs/security.rst b/pdns/recursordist/docs/security.rst
@@ -16,6 +16,7 @@ Under some circumstances, 'some time' has been measured at 2 seconds.
 This technique was first used by ``dnscache`` by Dan J. Bernstein and is standardized in :rfc:`5452`
 
 In addition, PowerDNS detects when it is being sent too many unexpected answers, and mistrusts a proper answer if found within a clutch of unexpected ones.
+When this happens, the query to the authoritative server is retried over TCP.
 
 This behaviour can be tuned using the :ref:`setting-yaml-recursor.spoof_nearmiss_max`.
 
diff --git a/pdns/recursordist/rec-rust-lib/table.py b/pdns/recursordist/rec-rust-lib/table.py
@@ -2739,6 +2739,7 @@
         "help": "If non-zero, assume spoofing after this many near misses",
         "doc": """
 If set to non-zero, PowerDNS will assume it is being subjected to a spoofing attack after seeing this many answers with the wrong id.
+When detected, PowerDNS will fall back to using TCP for the query to the authoritative server.
  """,
         "versionchanged": ("4.5.0", "Older versions used 20 as the default value."),
     },
