From owner-freebsd-net@FreeBSD.ORG Wed Jan 28 17:38:23 2015
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd-net@freebsd.org
Date: Wed, 28 Jan 2015 17:38:08 +0000
Subject: Re: Problems with DNSSEC -- answer in fragmented UDP doesn't work
Message-ID: <54C91E80.7020407@infracaninophile.co.uk>
In-Reply-To: <54C918D2.7090805@FreeBSD.org>
List-Id: Networking and TCP/IP with FreeBSD

On 01/28/15 17:13, Lev Serebryakov wrote:
>
> I could not resolve names with DNSSEC (for example, in the freebsd.org
> domain) on two of my installations, one with FreeBSD 11 and the other with
> FreeBSD 9.3.
>
> The symptoms are the same: the answer is sent as a fragmented IP/UDP packet
> and the second part of the answer never arrives. For example, this doesn't
> work for me ("timeout" and only the first part of the fragmented packet on
> the wire according to tcpdump):
>
> % dig +dnssec www.freebsd.org @72.52.71.1
>
> ; <<>> DiG 9.9.5 <<>> +dnssec www.freebsd.org @72.52.71.1
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> %
>
> The problem is, the latest bind (9.9 from ports) sends such requests over
> UDP, not TCP.
>
> Is it OK? Is it a misconfiguration of my networks (I have this problem
> in two different installations) or something?

What do you get if you run the reply size test at DNS-OARC?

https://www.dns-oarc.net/oarc/services/replysizetest

This should help you eliminate restrictions on the size of DNS responses, rather than it being a DNSSEC-specific problem. Most queries nowadays are expected to run over UDP, even if the response is too big to fit into a single UDP packet, by means of the EDNS mechanism. The old 'try UDP, and failing that, try again using TCP' style should still work though, although TCP is only used routinely for AXFR or IXFR type queries -- meaning that certain people may forget to allow TCP queries via port 53 when setting up firewalls...

If you're on 10.x or above, try enabling local_unbound -- beware that there's a bug that prevents resolution of RFC1918 and other special IP ranges on 10.0, fixed in 10.1. Using a local unbound as a forwarder should give you the ability to tweak exactly how it talks to your upstream DNSes so that the answers get through more reliably.

Cheers,

Matthew
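An added example (my own code, not Matthew's, Lev's or anything from the FreeBSD tree) showing the two mechanisms the reply describes: a query carrying an EDNS0 OPT record that advertises a UDP payload size, with the DO bit that `dig +dnssec` sets, and the stub-resolver rule of accepting the UDP reply unless it is truncated, then retrying over TCP. The reply bytes are constructed, and the policy of re-advertising a buffer that fits one datagram after a timeout is my assumption about a sensible tweak, not something the thread specifies.

```python
import struct

# Added example, not code from the list thread: builds the kind of query
# "dig +dnssec" sends and applies the UDP-then-TCP rule the reply describes.


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus the root."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name, qtype=1, txid=0x1234, udp_size=4096, do=True):
    """DNS query with an EDNS0 OPT record.  The OPT CLASS field carries the
    UDP payload size the client can accept; the DO bit (what +dnssec sets)
    asks for RRSIGs, which is what pushes replies past a single datagram."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHBBHH", 41, udp_size, 0, 0, 0x8000 if do else 0, 0)
    return header + question + opt


def parse_header(data):
    """Pull the fields a stub resolver needs out of the 12-byte DNS header."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "ancount": an}


def max_unfragmented_payload(mtu=1500, ipv6=False):
    """Largest UDP payload that fits one datagram: MTU minus IP and UDP headers."""
    return mtu - (40 if ipv6 else 20) - 8


def next_transport(reply, timed_out):
    """Classic stub rule: keep the UDP reply unless TC=1, then retry over TCP.
    A bare timeout is the thread's symptom (first fragment seen, reassembly
    never completes, nothing delivered).  My assumed tweak: re-advertise a
    buffer that fits one datagram so the server truncates instead of
    fragmenting, which then routes the query onto the TCP path."""
    if timed_out:
        return ("udp", max_unfragmented_payload())
    if parse_header(reply)["tc"]:
        return ("tcp", None)
    return ("done", None)


# Constructed reply: QR=1, TC=1, RD, RA, no answers, question section echoed.
TRUNCATED_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
                   + encode_name("www.freebsd.org") + struct.pack("!HH", 1, 1))
```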