Functional overview
Because of the 512-byte payload limit for DNS over UDP, a UDP response that would be larger than 512 bytes is typically returned truncated, with the TC=1 flag set, to indicate that the resolver should repeat the query over TCP, which is not subject to the same limit.
For this test to succeed for a given resolver, we expect to receive two separate queries when a large DNS record is requested whose response exceeds the 512-byte limit: the initial UDP query and the TCP retry.
Implementation
In order to track unique requests and avoid caching issues, the Client Side Website Toolkit (CSWT) sends HTTP requests to hostnames of the format
UUID.LONG_SUBDOMAIN.DOMAIN_NAME
where UUID is generated uniquely for each request and LONG_SUBDOMAIN is a long subdomain chosen so that the full name is close to the 255-byte limit on DNS names.
The SSCRT configures the DNS zone for the domain name with two wildcard IPv4 A records for *.LONG_SUBDOMAIN.DOMAIN_NAME, and also sets up a wildcard SSL certificate and a matching web server virtual host for *.LONG_SUBDOMAIN.DOMAIN_NAME.
The two A records ensure that a query matching the wildcard generates a response large enough that the TC=1 flag is returned to the calling resolver.
The test is considered to have succeeded if both DNS queries are received for UUID.LONG_SUBDOMAIN.DOMAIN_NAME.
As an additional data point, if an HTTP request for UUID.LONG_SUBDOMAIN.DOMAIN_NAME is observed at the web server it is also logged to provide further information on client requests, but this is not part of the success criteria.
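To make the size arithmetic behind the TC=1 flag concrete, the following Python script (added here as an illustration; it is not SSCRT or CSWT code) builds a minimal authoritative A response for a UUID.LONG_SUBDOMAIN.DOMAIN_NAME query in DNS wire format and shows what a UDP reply looks like when the full message exceeds 512 bytes. The domain, the LONG_SUBDOMAIN labels and the two addresses are constructed values. The script also shows the caveat a practitioner should check on the deployed zone: whether the two wildcard records push the response past 512 bytes depends on whether the authoritative server compresses the owner names in the answer section, so the real response size should be verified (for example with dig) rather than assumed.

```python
import struct
import uuid

UDP_PAYLOAD_LIMIT = 512   # classic DNS-over-UDP message limit (no EDNS0)
MAX_NAME_LENGTH = 255     # maximum wire-format length of a DNS name
TC_FLAG = 0x0200          # TrunCation bit in the DNS header flags

# Constructed names for this example; the real SSCRT values differ.
DOMAIN_NAME = "example.com"
# Three 63-byte labels plus a 12-byte one: with a 36-character UUID label,
# UUID.LONG_SUBDOMAIN.DOMAIN_NAME encodes to exactly 255 bytes.
LONG_SUBDOMAIN = ".".join(["a" * 63, "b" * 63, "c" * 63, "d" * 12])
WILDCARD_ADDRESSES = ["192.0.2.10", "192.0.2.11"]   # the two wildcard A records


def test_name() -> str:
    """UUID.LONG_SUBDOMAIN.DOMAIN_NAME with a fresh UUID, as the CSWT would request."""
    return f"{uuid.uuid4()}.{LONG_SUBDOMAIN}.{DOMAIN_NAME}"


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels (length byte + label, 0 terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"label length out of range: {label!r}")
        out += bytes([len(raw)]) + raw
    out += b"\x00"
    if len(out) > MAX_NAME_LENGTH:
        raise ValueError(f"encoded name exceeds {MAX_NAME_LENGTH} bytes")
    return out


def build_a_response(qname: str, addresses: list[str], compress: bool) -> bytes:
    """Build the full (un-truncated) authoritative answer to an A query for qname.

    With compress=True each answer's owner name is a 2-byte pointer to the
    question name; with compress=False the 255-byte name is repeated per record.
    """
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(addresses), 0, 0)  # QR|AA
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    owner_pointer = struct.pack("!H", 0xC000 | 12)  # question name starts right after the header
    answers = b""
    for addr in addresses:
        owner = owner_pointer if compress else encode_name(qname)
        rdata = bytes(int(octet) for octet in addr.split("."))
        answers += owner + struct.pack("!HHIH", 1, 1, 60, len(rdata)) + rdata
    return header + question + answers


def udp_reply(response: bytes) -> tuple[bytes, bool]:
    """Return (bytes sent over UDP, truncated?).

    If the message fits in 512 bytes it goes out unchanged; otherwise the server
    sends only header + question with TC=1 and ANCOUNT=0, which is what tells the
    resolver to retry over TCP.
    """
    if len(response) <= UDP_PAYLOAD_LIMIT:
        return response, False
    msg_id, flags = struct.unpack("!HH", response[:4])
    offset = 12
    while response[offset] != 0:            # walk the question name's labels
        offset += response[offset] + 1
    offset += 1 + 4                         # terminator + QTYPE + QCLASS
    header = struct.pack("!HHHHHH", msg_id, flags | TC_FLAG, 1, 0, 0, 0)
    return header + response[12:offset], True


if __name__ == "__main__":
    name = test_name()
    for compress in (False, True):
        full = build_a_response(name, WILDCARD_ADDRESSES, compress)
        wire, truncated = udp_reply(full)
        print(f"compress={compress}: full answer {len(full)} bytes, "
              f"UDP reply {len(wire)} bytes, TC={int(truncated)}")
```

Running it shows 809 bytes without compression (truncated to a 271-byte TC=1 reply) but only 303 bytes with compression, which fits in UDP and would never trigger the TCP retry this test looks for.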
Configuring test sessions
TCP Fallback test sessions are configured using the test key tcp-fallback, which should be supplied when creating new sessions on the SSCRT:
resolvertest install tcp-fallback example.com
and when invoking tests using the CSWT, e.g.:
let test = new ResolverCapabilityTest("tcp-fallback", "example.com");
Log format
The log output for TCP Fallback tests contains the following distinct fields:
id - A unique numerical id for the log entry.
date - The date and time of the combined log entry.
status - Either "Success" or "Failed", depending upon whether two separate DNS queries were received for UUID.LONG_SUBDOMAIN.DOMAIN_NAME.
dnsResolutionTime1 - The date and time that the first A record DNS query was received for UUID.LONG_SUBDOMAIN.DOMAIN_NAME.
dnsResolvedHostname1 - Should generally be set to UUID.LONG_SUBDOMAIN.DOMAIN_NAME.
dnsClientIpAddress1 - The IPv4 address of the client resolver, or its /24, depending upon the configured privacy setting in the SSCRT.
dnsResolverQuery1 - The full query string made by the resolver for the first A record DNS query for UUID.LONG_SUBDOMAIN.DOMAIN_NAME.
dnsResolutionTime2 - The date and time that the second A record DNS query was received for UUID.LONG_SUBDOMAIN.DOMAIN_NAME (not set if the test failed).
dnsResolvedHostname2 - Should generally be set to UUID.LONG_SUBDOMAIN.DOMAIN_NAME when present.
dnsClientIpAddress2 - The IPv4 address of the client resolver, or its /24, depending upon the configured privacy setting in the SSCRT.
dnsResolverQuery2 - The full query string made by the resolver for the second A record DNS query for UUID.LONG_SUBDOMAIN.DOMAIN_NAME (not set if the test failed).
webServerRequestTime1 - The date and time that the first HTTP request was made for UUID.LONG_SUBDOMAIN.DOMAIN_NAME, if applicable.
webServerRequestHostname1 - Set to UUID.LONG_SUBDOMAIN.DOMAIN_NAME if an HTTP request was made.
webServerClientIpAddress1 - The IPv4 address of the client machine (web browser), or its /24, depending upon the configured privacy setting in the SSCRT, if this request was made.
webServerResponseCode1 - The HTTP response code returned from the web server; generally 200 if the request was made.