
TLS: improve framing by assembling DNS message in one buffer

Artem Boldariev requested to merge 4527-improve-tls-framing-for-dot into main

This commit improves TLS message framing by avoiding an extra call to SSL_write_ex(). Before that we would use an extra SSL_write_ex() call to pass the DNS message length to OpenSSL. That could create an extra TLS frame, increasing the number of bytes sent due to the frame header and padding.

This commit fixes that by making the code pass both the DNS message length and the data at once, just like the old TLS code did.

It should improve compatibility with some buggy clients that expect both the DNS message length and the data to be in one TLS frame.

Older TLS DNS code worked like this, too.

Closes #4527
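As an added illustration of the framing point described above (this is example code, not BIND's own code, and it does not link against OpenSSL): the `write_fn` mock stands in for SSL_write_ex(), treating each call as one TLS record, which makes visible why writing the two-octet length prefix and the DNS message separately costs two records while assembling both into one buffer costs one. The names `dot_frame`, `dot_unframe`, `send_split`, `send_assembled` and `mock_tls` are assumptions of this example, and the 12-octet sample message is constructed.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not BIND's code. A DNS-over-TLS frame (RFC 7858 3.3)
 * uses the TCP framing of RFC 1035 4.2.2: a two-octet big-endian length
 * prefix followed by the DNS message. */
#define DNS_MAX_MSG_LEN 65535
#define DOT_MAX_FRAME_LEN (DNS_MAX_MSG_LEN + 2)

/* Stand-in for SSL_write_ex(): every call models one TLS record on the
 * wire (OpenSSL does not coalesce separate writes into one record). */
typedef int (*write_fn)(void *ctx, const uint8_t *buf, size_t len);

/* Assumed mock "connection": appends bytes and counts the write calls. */
typedef struct {
    uint8_t wire[DOT_MAX_FRAME_LEN];
    size_t wire_len;
    unsigned records; /* one per write call */
} mock_tls;

static int mock_write(void *ctx, const uint8_t *buf, size_t len) {
    mock_tls *t = ctx;
    if (t->wire_len + len > sizeof(t->wire))
        return 0;
    memcpy(t->wire + t->wire_len, buf, len);
    t->wire_len += len;
    t->records++;
    return 1;
}

/* The old approach: length prefix and message in two separate writes,
 * which becomes two TLS records (two record headers, two paddings). */
int send_split(write_fn w, void *ctx, const uint8_t *msg, size_t msglen) {
    uint8_t hdr[2];
    if (msglen == 0 || msglen > DNS_MAX_MSG_LEN)
        return 0;
    hdr[0] = (uint8_t)(msglen >> 8);
    hdr[1] = (uint8_t)(msglen & 0xff);
    return w(ctx, hdr, sizeof(hdr)) && w(ctx, msg, msglen);
}

/* The fixed approach: assemble prefix + message in one buffer first.
 * Returns the frame length, or 0 if the message is empty, oversized, or
 * the output buffer is too small. */
size_t dot_frame(const uint8_t *msg, size_t msglen, uint8_t *out, size_t outlen) {
    if (msglen == 0 || msglen > DNS_MAX_MSG_LEN || outlen < msglen + 2)
        return 0;
    out[0] = (uint8_t)(msglen >> 8);
    out[1] = (uint8_t)(msglen & 0xff);
    memcpy(out + 2, msg, msglen);
    return msglen + 2;
}

int send_assembled(write_fn w, void *ctx, const uint8_t *msg, size_t msglen) {
    uint8_t frame[DOT_MAX_FRAME_LEN];
    size_t n = dot_frame(msg, msglen, frame, sizeof(frame));
    return n != 0 && w(ctx, frame, n);
}

/* Receiver side: parse one frame. Returns the DNS message length and sets
 * *msg, or returns 0 if the buffer is truncated. A client that reads only
 * the first TLS record from a split sender sees exactly the truncated case. */
size_t dot_unframe(const uint8_t *buf, size_t buflen, const uint8_t **msg) {
    size_t len;
    if (buflen < 2)
        return 0;
    len = ((size_t)buf[0] << 8) | buf[1];
    if (len == 0 || buflen < 2 + len)
        return 0;
    *msg = buf + 2;
    return len;
}

/* How many records (write calls) each strategy costs for one message. */
unsigned records_split(const uint8_t *msg, size_t msglen) {
    mock_tls t;
    memset(&t, 0, sizeof(t));
    return send_split(mock_write, &t, msg, msglen) ? t.records : 0;
}

unsigned records_assembled(const uint8_t *msg, size_t msglen) {
    mock_tls t;
    memset(&t, 0, sizeof(t));
    return send_assembled(mock_write, &t, msg, msglen) ? t.records : 0;
}

int main(void) {
    /* Constructed sample: a bare 12-octet DNS header, ID 0x1234, QR=1. */
    static const uint8_t msg[12] = {0x12, 0x34, 0x81, 0x80, 0, 0, 0, 0, 0, 0, 0, 0};
    printf("split: %u records, assembled: %u record\n",
           records_split(msg, sizeof(msg)), records_assembled(msg, sizeof(msg)));
    return 0;
}
```

The 65537-octet buffers live on the stack only to keep the example self-contained; real code would size the frame buffer from the message or reuse a per-connection send buffer.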
