From: Kevin Oberman
To: Lev Serebryakov
Cc: "freebsd-net@freebsd.org"
Date: Fri, 30 Jan 2015 16:57:28 -0800
Subject: Re: Problems with DNSSEC -- answer in fragmented UDP doesn't work
In-Reply-To: <54C918D2.7090805@FreeBSD.org>
List-Id: Networking and TCP/IP with FreeBSD

On Wed, Jan 28, 2015 at 9:13 AM, Lev Serebryakov wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> I could not resolve names with DNSSEC (for example, in the freebsd.org
> domain) on two of my installations, one with FreeBSD 11 and the other with
> FreeBSD 9.3.
>
> Symptoms are the same: the answer is sent as a fragmented IP/UDP packet and
> the second part of the answer never arrives. For example, this doesn't work
> for me ("timeout" and only the first part of the fragmented packet on the wire
> according to tcpdump):
>
> % dig +dnssec www.freebsd.org @72.52.71.1
>
> ; <<>> DiG 9.9.5 <<>> +dnssec www.freebsd.org @72.52.71.1
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> %
>
> Problem is, the latest bind (9.9 from ports) sends such requests over UDP,
> not TCP.
>
> Is it OK? Is it a misconfiguration of my networks (I have this problem
> in two different installations) or something?
>
> --
> // Lev Serebryakov

Does the system have a firewall? If so, is it configured to allow fragments?
For ipfw you need something like "allow ip from any to me frag". If you want
to restrict this to DNS, restrict it to dst-port 53.

--
Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman@gmail.com
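Added illustration, not part of the thread: a small Python model of why a port-matching firewall rule alone loses the tail of a fragmented DNSSEC reply. Only the first IPv4 fragment carries the UDP header, so a rule that matches on source port 53 can never match the second fragment; without a separate "frag" rule the stack never completes reassembly and the resolver times out. The rule functions, MTU and the 1600-byte answer are constructed simplifications, not ipfw's or BIND's code.

```python
import struct

MTU = 1500      # assumed link MTU
IP_HDR = 20     # IPv4 header without options (assumed)


def fragment_udp(src_port, dst_port, data, mtu=MTU):
    """Split one UDP datagram into IPv4-style fragments.
    Returns a list of (offset_in_8_byte_units, more_fragments, bytes)."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0) + data
    chunk = (mtu - IP_HDR) // 8 * 8  # non-last fragments are multiples of 8 bytes
    frags = []
    for start in range(0, len(udp), chunk):
        piece = udp[start:start + chunk]
        frags.append((start // 8, start + chunk < len(udp), piece))
    return frags


def rule_udp_sport(port):
    """Model of 'allow udp from any <port> to me': it needs the UDP header,
    so it can only match the first fragment (offset 0)."""
    def match(offset, more, piece):
        return offset == 0 and struct.unpack("!H", piece[:2])[0] == port
    return match


def rule_frag(offset, more, piece):
    """Model of 'allow ip from any to me frag': matches non-first fragments."""
    return offset != 0


def deliver(frags, rules):
    """Apply a default-deny ruleset per fragment, then reassemble.
    Returns the DNS payload, or None when any fragment was dropped
    (the resolver then sees the timeout reported in the thread)."""
    passed = [f for f in frags if any(rule(*f) for rule in rules)]
    if len(passed) != len(frags):
        return None
    udp = b"".join(piece for _, _, piece in sorted(passed, key=lambda f: f[0]))
    return udp[8:]  # strip the UDP header


def demo():
    answer = b"\x00" * 1600  # constructed stand-in for a ~1.6 KB DNSSEC answer
    reply = fragment_udp(53, 40000, answer)
    port_only = deliver(reply, [rule_udp_sport(53)])
    with_frag = deliver(reply, [rule_udp_sport(53), rule_frag])
    return len(reply), port_only, with_frag == answer
```

`demo()` returns `(2, None, True)`: two fragments on the wire, a timeout with the port-only rule, and a complete answer once fragments are allowed.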