From: Mark Martinec
To: freebsd-stable@freebsd.org
Subject: Re: freebsd-update to 10.2-RELEASE broken ?
Organization: Jozef Stefan Institute
Date: Mon, 17 Aug 2015 15:28:22 +0200

> On Sun, 16 Aug 2015, Kimmo Paasiala wrote:
>> It could be the classic fall back to TCP on SRV records problem on
>> your upstream DNS forwarder if you're using one:
>> http://lists.freebsd.org/pipermail/freebsd-ports/2012-May/074801.html
>>
>> The cure would be to use your own caching DNS resolver (configured to
>> query the authoritative name servers directly) such as dns/unbound.

2015-08-16 Christian Kratzer wrote:
> I run my own bind9 resolvers on freebsd 10 at both sites. I never
> particularly like the concept of an "upstream" resolver.
>
> All my resolvers are behind firewalls although different kinds.
> ASA at one site and freebsd pf at the other.
>
> I will investigate though. Thanks for the tip.

ASA firewall has a nasty setting to *discard* DNS UDP packets
with UDP message size over 512 bytes, i.e. it does not allow
EDNS0 option. Check that you have this DNS deep packet
inspection misfeature turned off. Check also the firewall log.

This would affect UDP DNS responses to a SRV query
_http._tcp.update.FreeBSD.org, which comes close to the
size limit (possibly depending on geolocation).
Using Google's public DNS server may avoid the problem
by stripping nonessential records from the DNS reply
(like the ADDITIONAL SECTION).

  Mark
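An added example, not part of the original message: a Python check for the failure mode described above. It sends the same SRV query without and with an EDNS0 OPT record and compares the replies. The function names, result labels, the 4096-byte advertised size and the IPv4-only probe are assumptions of this example.

```python
import socket
import struct

LEGACY_LIMIT = 512   # largest DNS/UDP message allowed without EDNS0
SRV, OPT = 33, 41    # RR type codes

def build_query(name, edns_size=None, txid=0x1234):
    """SRV query for name; edns_size adds an OPT record advertising that UDP size."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    msg = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1 if edns_size else 0)  # RD=1
    msg += qname + struct.pack("!HH", SRV, 1)                               # class IN
    if edns_size:
        # OPT RR: root owner name, TYPE 41, CLASS carries the UDP payload size
        msg += b"\0" + struct.pack("!HHIH", OPT, edns_size, 0, 0)
    return msg

def probe(server, query, timeout=3.0):
    """Send one UDP query (IPv4); return the raw reply, or None if nothing came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            return s.recvfrom(65535)[0]
        except socket.timeout:
            return None

def is_truncated(reply):
    return bool(struct.unpack("!H", reply[2:4])[0] & 0x0200)  # TC flag

def diagnose(plain_reply, edns_reply):
    """Compare replies to the same query sent without and with EDNS0."""
    if plain_reply is None and edns_reply is None:
        return "no-dns"          # resolver unreachable; not an EDNS0 issue
    if edns_reply is None:
        return "edns-dropped"    # consistent with a >512-byte UDP reply being discarded
    if len(edns_reply) > LEGACY_LIMIT:
        return "large-udp-ok"    # a >512-byte reply got through the path
    if is_truncated(edns_reply):
        return "tcp-fallback"    # resolver truncated; client must retry over TCP
    return "inconclusive"        # reply fits in 512 bytes, limit not exercised

def check(server, name="_http._tcp.update.FreeBSD.org"):
    """Run both probes against a resolver address and classify the result."""
    return diagnose(probe(server, build_query(name)),
                    probe(server, build_query(name, edns_size=4096)))
```

A result of "edns-dropped" from behind the firewall, alongside "large-udp-ok" from a host outside it, points at the path rather than the resolver; a single lost packet gives the same result, so repeat the check before concluding.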