From: Ian Smith
To: Kevin Oberman
Cc: freebsd-net@freebsd.org, Lev Serebryakov
Date: Sat, 31 Jan 2015 14:50:08 +1100 (EST)
Subject: Re: Problems with DNSSEC -- answer in fragmented UDP doesn't work

On Fri, 30 Jan 2015 16:57:28 -0800, Kevin Oberman wrote:
> On Wed, Jan 28, 2015 at 9:13 AM, Lev Serebryakov wrote:
> > I could not resolve names with DNSSEC (for example, in the freebsd.org
> > domain) on two of my installations, one with FreeBSD 11 and the other with
> > FreeBSD 9.3.
> >
> > Symptoms are the same: the answer is sent as a fragmented IP/UDP packet and
> > the second part of the answer never arrives. For example, this doesn't work
> > for me ("timeout" and only the first part of the fragmented packet on the wire
> > according to tcpdump):
> >
> > % dig +dnssec www.freebsd.org @72.52.71.1
> >
> > ; <<>> DiG 9.9.5 <<>> +dnssec www.freebsd.org @72.52.71.1
> > ;; global options: +cmd
> > ;; connection timed out; no servers could be reached
> > %
> >
> > The problem is, the latest bind (9.9 from ports) sends such requests over UDP,
> > not TCP. That's normal for bind, and nothing new.
> > Is it OK? Is it a misconfiguration of my networks (I have this problem
> > in two different installations) or something?
> >
> > --
> > // Lev Serebryakov
>
> Does the system have a firewall? If so, is it configured to allow
> fragments?
>
> For ipfw you need something like "allow ip from any to me frag". If you
> want to restrict this to DNS, restrict it to dst-port 53.

Indeed. The same has long applied if using (e.g.) zen.spamhaus.org lookups against spam, whose responses can have up to two fragments. If also serving DNSSEC you'd need to allow frags outbound as well.

Another example, perhaps, of damage due to the mistake-ridden IPFW handbook example rulesets, all of which gratuitously deny all frags.

cheers, Ian
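Added example, not from the thread: a small sh/awk check that walks an `ipfw list` listing in rule order and reports whether the non-first fragments of an inbound DNS reply would be dropped, which is the failure Lev describes. Both listings are constructed samples; the check assumes the plain `ipfw list` output format and skips interface-qualified rules (via/recv/xmit) because it cannot tell offline which interface the reply arrives on.

```shell
#!/bin/sh
# Walk an `ipfw list` listing in rule order and decide the fate of the
# non-first fragments of an inbound DNS reply. Only the first fragment
# carries the UDP header, so rules with port options (e.g. "from any 53
# to me") never match later fragments; those are decided by the first
# "frag" rule or port-less ip rule they reach (or the default rule).

# Constructed sample listings (not from a real host).
BROKEN_RULES='00100 allow ip from any to any via lo0
00200 deny ip from any to any frag
00300 allow udp from any 53 to me
00400 allow tcp from any 53 to me
65535 deny ip from any to any'

FIXED_RULES='00100 allow ip from any to any via lo0
00200 allow ip from any to me frag
00210 allow ip from me to any frag
00300 allow udp from any 53 to me
00400 allow tcp from any 53 to me
65535 deny ip from any to any'

# fragment_action LISTING -> action of the first rule an inbound non-first
# fragment would match, or "none" if the listing has no default rule.
fragment_action() {
    printf '%s\n' "$1" | awk '
    {
        has_frag  = ($0 ~ / frag( |$)/)
        has_iface = ($0 ~ / (via|recv|xmit) /)   # skipped: direction unknown offline
        is_out    = ($0 ~ / from me /)           # outbound-only rule
        has_port  = 0
        for (i = 4; i <= NF; i++)
            if ($i ~ /^[0-9]+(-[0-9]+)?$/) has_port = 1
        if (!is_out && (has_frag ||
            (!has_iface && !has_port && ($3 == "ip" || $3 == "all")))) {
            print $2; found = 1; exit
        }
    }
    END { if (!found) print "none" }'
}

# frag_verdict LISTING -> "allowed" or "blocked"
frag_verdict() {
    case "$(fragment_action "$1")" in
        allow|accept|pass|permit) echo allowed ;;
        *) echo blocked ;;
    esac
}

echo "handbook-style ruleset: fragments $(frag_verdict "$BROKEN_RULES")"
echo "corrected ruleset:      fragments $(frag_verdict "$FIXED_RULES")"
```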