tinydns, like BIND, includes NS records with answers to most queries. This increases DNS packet sizes, but it draws queries away from parent servers, and reduces the frequency of long DNS delays. With the default tinydns-data cache times, a client that uses a normal record at least once every day will always have the corresponding NS records cached and will never have to talk to parent servers.

In other words, ye olde "we made it go faster by not doing the work."

I'm taking a look myself into the compiler warnings for potentially undiscovered portability issues.

Indeed this led me to rediscover a bug affecting 64-bit big-endian systems. Otherwise there was gcc's builtin "puts" to defuse and some signed vs. unsigned int sloppiness that could conceivably be a problem at the 2G boundary, which seems unlikely to be remotely approached given the context but who knows.

These and all other interesting fixes I found are now in the port.

Otherwise...

There's also an acknowledged security bug, albeit for uncommon scenarios, which Bernstein himself patched as late as 2009 and awarded his bounty to the reporter Matthew Dempsky.

Jonathan de Boyne Pollard has published a number of patches; I wasn't too impressed with his descriptions of the supposed problems but it might be good to have on hand at least.

This "PJP" guy who tried very hard to make it look less like a djb program and shoehorn it into fedora/github world has collected some patch refs.

Then there's this nameless patch collection.

I expect the first two patches mentioned will go in, and I'm taking a look myself into the compiler warnings for potentially undiscovered portability issues.

Relatedly, the qmail gport has also received some needed attention; it was in Gales from the start but never used/tested there.