From: Lev Serebryakov
Reply-To: lev@FreeBSD.org
Organization: FreeBSD
Date: Wed, 28 Jan 2015 20:53:38 +0300
To: Matthew Seaman, freebsd-net@freebsd.org
Subject: Problems with IP fragments (was: Problems with DNSSEC -- answer in fragmented UDP doesn't work)
Message-ID: <54C92222.6000201@FreeBSD.org>
In-Reply-To: <54C91E80.7020407@infracaninophile.co.uk>
List-Id: Networking and TCP/IP with FreeBSD

On 28.01.2015 20:38, Matthew Seaman wrote:
> What do you get if you run the reply size test at DNS-OARC ?
>
> https://www.dns-oarc.net/oarc/services/replysizetest

0 lines (empty answer) at CURRENT, only "rst.x1013.rs.dns-oarc.net." on 9.3.
Looks like "IP Fragments Filtered", but I don't understand — why and where?! I'm using ipfw on both hosts, but I don't have any special rules about IP fragments at all! And these systems are in completely different networks, with different uplinks and FreeBSD versions!

> This should help you eliminate restrictions on the size of DNS
> responses, rather than it being a DNSSEC specific problem.

Yes, it is an EDNS more-than-one-UDP-datagram problem, not a DNSSEC-specific one.

> If you're on 10.x or above, try enabling local_unbound -- beware
> that there's a bug that prevents resolution of RFC1918 and other
> special IP ranges on 10.0, fixed in 10.1. Using a local unbound as
> a forwarder should give you the ability to tweak exactly how it
> talks to your upstream DNSes so that the answers get through more
> reliably.

Unfortunately, I need a recursive resolver for my network and an authoritative server (with views!) on one host. unbound could not do that, so I'm using bind from ports on CURRENT.

--
// Lev Serebryakov
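The diagnosis above (answers that need more than one UDP datagram never arrive, smaller ones do) can be reproduced without the web test by sending the same EDNS0 query with different advertised buffer sizes and watching which sizes get no reply. The following is an added example, not code from the thread or from DNS-OARC; the `rst.x1013.rs.dns-oarc.net.` name is taken from the message, and the resolver address, the TXT qtype and the sample reply bytes are assumptions.

```python
import socket
import struct

def build_query(qname, udp_size, qid=0x1234, qtype=16):
    """Wire-format DNS query for qname (TXT by default) carrying an EDNS0 OPT
    pseudo-RR whose CLASS field advertises our UDP payload size (RFC 6891)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    question = name + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS = buffer size, TTL = ext-rcode/version/flags (0), RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return header + question + opt

def parse_header(reply):
    """Summarise a reply: id, TC (truncated) bit, RCODE and answer count."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return {"id": qid, "tc": bool(flags & 0x0200), "rcode": flags & 0xF, "ancount": an}

def probe(server, qname, sizes=(512, 1232, 1472, 4096), timeout=2.0, port=53):
    """Send the same query once per advertised size. A size that gets no reply
    while smaller sizes get a complete (non-TC) answer points at fragments being
    dropped on the path (firewall, NAT, MTU) rather than at DNSSEC itself."""
    results = {}
    for size in sizes:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(qname, size, qid=size), (server, port))  # id = size for matching
            try:
                data, _ = s.recvfrom(65535)
                results[size] = parse_header(data)
            except socket.timeout:
                results[size] = None  # no reply at all: the datagram (or a fragment of it) was lost
    return results

# Constructed sample reply (not captured from a real server): same id, QR+RD+RA+TC set,
# one answer record. This is what a truncated-but-delivered reply looks like; a
# filtered fragment instead shows up as no reply (None) from probe().
SAMPLE_TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 1, 0, 0)

if __name__ == "__main__":
    print(parse_header(SAMPLE_TRUNCATED_REPLY))
    # Live check (assumed resolver address): probe("192.0.2.53", "rst.x1013.rs.dns-oarc.net.")
```

A reply with `tc` set means the server itself truncated and the client should retry over TCP; `None` for larger sizes only, with the small sizes answered, is the fragment-filtering pattern the thread describes.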