Date:      Mon, 17 Aug 2015 15:28:22 +0200
From:      Mark Martinec <Mark.Martinec+freebsd@ijs.si>
To:        freebsd-stable@freebsd.org
Subject:   Re: freebsd-update to 10.2-RELEASE broken ?
Message-ID:  <11b6542dbdfdb5ee7eefcba48fb07e16@mailbox.ijs.si>
In-Reply-To: <alpine.BSF.2.20.1508162121180.49345@noc1.cksoft.de>
References:  <alpine.BSF.2.20.1508161911450.49345@noc1.cksoft.de> <2C3CC22D-749A-4B92-885C-D73311997050@gid.co.uk> <20150816180715.GM40589@home.opsec.eu> <alpine.BSF.2.20.1508162103400.49345@noc1.cksoft.de> <CA%2B7WWSdxf-YGn3cnD0H%2BSzj4yhvLS_XtB_qPZVkXabQbf=9u%2Bw@mail.gmail.com> <alpine.BSF.2.20.1508162121180.49345@noc1.cksoft.de>

> On Sun, 16 Aug 2015, Kimmo Paasiala wrote:
>> It could be the classic fall back to TCP on SRV records problem on
>> your upstream DNS forwarder if you're using one:
>> http://lists.freebsd.org/pipermail/freebsd-ports/2012-May/074801.html
>> 
>> The cure would be to use your own caching DNS resolver (configured to
>> query the authoritative name servers directly) such as dns/unbound.


2015-08-16 Christian Kratzer wrote:
> I run my own bind9 resolvers on freebsd 10 at both sites.   I never
> particularly like the concept of an "upstream" resolver.
> 
> All my resolvers are behind firewalls although different kinds.
> ASA at one site and freebsd pf at the other.
> 
> I will investigate though.  Thanks for the tip.

ASA firewall has a nasty setting to *discard* DNS UDP packets
with UDP message size over 512 bytes, i.e. it does not allow EDNS0
option. Check that you have this DNS deep packet inspection
misfeature turned off. Check also the firewall log.

This would affect UDP DNS responses to a SRV query
_http._tcp.update.FreeBSD.org, which comes close to the size limit
(possibly depending on geolocation). Using Google's public DNS server
may avoid the problem by stripping nonessential records from the
DNS reply (like the ADDITIONAL SECTION).

   Mark
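
The size limit described in the message above, as an added example that is not part of the original e-mail: it builds DNS wire-format messages, reads the UDP payload size a resolver advertises through the EDNS0 OPT record, and checks whether a SRV response still fits in the classic 512-byte limit. The target names, record counts and advertised size of 4096 are constructed sample values, not the real contents of the update.FreeBSD.org answer.

```python
import struct

CLASSIC_UDP_LIMIT = 512  # pre-EDNS0 maximum DNS message size over UDP (RFC 1035)
TYPE_SRV, TYPE_OPT = 33, 41

def encode_name(name):
    """Encode a domain name as length-prefixed labels (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_message(qname, answers=0, edns_size=None, msg_id=0x1234):
    """Build a SRV query (answers=0) or a constructed SRV response for qname."""
    flags = 0x8180 if answers else 0x0100
    msg = struct.pack("!6H", msg_id, flags, 1, answers, 0, 1 if edns_size else 0)
    msg += encode_name(qname) + struct.pack("!2H", TYPE_SRV, 1)
    for i in range(answers):  # constructed targets, not real mirrors
        rdata = struct.pack("!3H", 1, 1, 80) + encode_name(f"mirror{i}.example.org")
        msg += b"\xc0\x0c" + struct.pack("!2HIH", TYPE_SRV, 1, 300, len(rdata)) + rdata
    if edns_size:
        # OPT pseudo-RR: root name, TYPE=41, CLASS field carries the UDP payload size
        msg += b"\x00" + struct.pack("!2HIH", TYPE_OPT, edns_size, 0, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past the name that starts at off."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + n

def edns_udp_size(msg):
    """Return the UDP payload size advertised in an OPT RR, or None without EDNS0."""
    _, _, qd, an, ns, ar = struct.unpack_from("!6H", msg)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS follow the name
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!2HIH", msg, off)
        if rtype == TYPE_OPT:
            return rclass
        off += 10 + rdlen
    return None

def survives_512_limit(msg):
    return len(msg) <= CLASSIC_UDP_LIMIT
```

A response for which `survives_512_limit` is false is valid whenever the query advertised a larger size via EDNS0, so a device that discards it causes the resolver to see a timeout rather than an error.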


