policy.TLS_FORWARD emits UDP packets (cleartext DNS) on port 853 after some time
I set up a local kresd instance, version 2.1.0 on debian testing/unstable, with the following policy:
policy.add(policy.all(policy.TLS_FORWARD({{'9.9.9.9', hostname='dns.quad9.net', ca_file='/etc/ssl/certs/ca-certificates.crt'}})))
I did a few queries on it while using wireshark to gather all traffic to/from 9.9.9.9.
As expected, most traffic was TCP port 853, consisting of TLS traffic.
However, I did see occasional bursts of UDP traffic, also on port 853.
That traffic appears to actually be cleartext UDP traffic, described by wireshark (when I decode it as DNS) as:
W.X.Y.Z 9.9.9.9 DNS 70 Standard query 0x1c30 DNSKEY <Root> OPT
Perhaps this is intended to be a priming query?
Note that 9.9.9.9 sends ICMP "Host administratively prohibited" responses to UDP traffic on port 853. They only support TLS (over TCP).
In another case, I saw a query going out for an actual A record:
W.X.Y.Z 9.9.9.9 DNS 83 Standard query 0x08ee A WWW.IetF.org OPT
So in addition to a bug, this appears to be a leak of the private DNS request! I have not tried to debug it further.
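As an added example, not part of this report or of Knot Resolver, the following Python reconstructs the two queries from the Wireshark summaries above and shows a detection check a defender can run over a capture: any UDP datagram to port 853 that parses as a DNS query is a cleartext leak, since that port should only carry TLS over TCP. The packet bytes, `SAMPLE_PACKETS` and the function names are constructed here and are assumptions, not captured data.

```python
import struct

QTYPES = {1: "A", 48: "DNSKEY"}  # standard IANA QTYPE values used in the report

def encode_name(name):
    """Encode a presentation-form name into DNS wire-format labels."""
    if name in ("", "."):
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(qid, qname, qtype):
    """Build a one-question DNS query with an EDNS OPT record (constructed test data)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)  # root name, type OPT, UDP size 4096
    return header + question + opt

def parse_query(payload):
    """Return (id, qname, qtype) if payload looks like a DNS query, else None."""
    if len(payload) < 12:
        return None
    qid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or qd != 1:  # QR bit set means a response; expect exactly one question
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        n = payload[pos]; pos += 1
        if n == 0:
            break
        if n & 0xC0:  # compression pointers never appear in a question name
            return None
        labels.append(payload[pos:pos + n].decode("ascii", "replace")); pos += n
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return (qid, ".".join(labels) or ".", QTYPES.get(qtype, str(qtype))) if qclass == 1 else None

def find_cleartext_leaks(packets):
    """Flag UDP datagrams to port 853 that parse as DNS queries; packets are (proto, dport, payload)."""
    return [q for proto, dport, payload in packets
            if proto == "udp" and dport == 853 and (q := parse_query(payload))]

# Constructed packets modelled on the two Wireshark lines in the report. With 14-byte Ethernet,
# 20-byte IPv4 and 8-byte UDP headers, the 28- and 41-byte payloads give the 70- and 83-byte frames.
SAMPLE_PACKETS = [
    ("tcp", 853, b"\x16\x03\x01\x00\xc8"),               # TLS record header: the expected DoT traffic
    ("udp", 853, build_query(0x1c30, ".", 48)),           # DNSKEY <Root> OPT, 28-byte DNS payload
    ("udp", 853, build_query(0x08ee, "WWW.IetF.org", 1)), # A WWW.IetF.org OPT, 41-byte DNS payload
]
```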