Date:      Wed, 28 Jan 2015 17:38:08 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        freebsd-net@freebsd.org
Subject:   Re: Problems with DNSSEC -- answer in fragmented UDP doesn't work
Message-ID:  <54C91E80.7020407@infracaninophile.co.uk>
In-Reply-To: <54C918D2.7090805@FreeBSD.org>
References:  <54C918D2.7090805@FreeBSD.org>


On 01/28/15 17:13, Lev Serebryakov wrote:
>
>  I could not resolve names with DNSSEC (for example, in the freebsd.org
> domain) on two of my installations, one with FreeBSD 11 and the other with
> FreeBSD 9.3.
>
>  The symptoms are the same: the answer is sent as a fragmented IP/UDP packet
> and the second part of the answer never arrives. For example, this doesn't
> work for me ("timeout", and only the first part of the fragmented packet on
> the wire according to tcpdump):
>
> % dig +dnssec www.freebsd.org @72.52.71.1
>
> ; <<>> DiG 9.9.5 <<>> +dnssec www.freebsd.org @72.52.71.1
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> %
>
>  The problem is that the latest bind (9.9 from ports) sends such requests
> over UDP, not TCP.
>
>  Is this OK? Is it a misconfiguration of my networks (I have this problem
> in two different installations) or something else?

What do you get if you run the reply size test at DNS-OARC ?

https://www.dns-oarc.net/oarc/services/replysizetest

This should help you eliminate restrictions on the size of DNS
responses, rather than it being a DNSSEC-specific problem.

Most queries nowadays are expected to run over UDP, even if the response
is too big to fit into a single UDP packet, by means of the EDNS
mechanism.  The old 'try UDP, and failing that, try again using TCP'
style should still work, although TCP is only routinely used for
AXFR or IXFR type queries -- meaning that certain people may forget to
allow TCP queries via port 53 when setting up firewalls...

If you're on 10.x or above, try enabling local_unbound -- beware that
there's a bug that prevents resolution of RFC1918 and other special IP
ranges on 10.0, fixed in 10.1.  Using a local unbound as a forwarder
should give you the ability to tweak exactly how it talks to your
upstream DNSes so that the answers get through more reliably.

	Cheers,

	Matthew
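
The EDNS / TCP-fallback behaviour described in Matthew's reply, as an added example that is not part of this thread and not code from BIND or unbound: a Python script that builds a DNSSEC-OK EDNS0 query the way `dig +dnssec` does (OPT pseudo-RR advertising a UDP payload size, DO bit set), parses a reply header, and decides whether to accept the reply, fall back to TCP because the server set TC, or shrink the advertised buffer so the reply fits in one unfragmented packet. The reply packets are constructed inline so nothing goes on the wire; the function names and the `shrink_edns` policy are this example's own, not any resolver's.

```python
"""
Added example (not from the original mail): build an EDNS0/DNSSEC-OK query,
inspect a reply header, and pick the next step (accept / retry over TCP /
shrink the EDNS buffer). Standard library only; sample replies are constructed.
"""
import struct

OPT_TYPE = 41        # EDNS0 OPT pseudo-RR type (RFC 6891)
DO_BIT = 1 << 15     # "DNSSEC OK" flag: top bit of the OPT RR's TTL field
FLAG_QR = 0x8000     # message is a response
FLAG_TC = 0x0200     # truncated: client is expected to retry over TCP
FLAG_RD = 0x0100     # recursion desired
FLAG_RA = 0x0080     # recursion available


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, bufsize=4096, dnssec_ok=True, txid=0x1234):
    """Query carrying an OPT RR that advertises `bufsize` bytes of UDP reply.
    4096 is what dig uses by default; the DO bit asks for RRSIGs (dig +dnssec)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # ARCOUNT=1 for OPT
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR layout: NAME=root, TYPE=41, CLASS=UDP payload size,
    # TTL=ext-rcode/version/flags (DO bit lives here), RDLENGTH=0.
    ttl = DO_BIT if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, ttl, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header into a dict of the fields we act on."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def max_unfragmented_payload(mtu=1500, ipv6=False):
    """Largest UDP payload that fits in a single IP packet at the given MTU
    (IPv4 header 20 bytes or IPv6 header 40 bytes, plus an 8-byte UDP header)."""
    return mtu - (40 if ipv6 else 20) - 8


def next_step(query_bufsize, reply=None, mtu=1500):
    """Policy for one UDP attempt (this example's own, not a resolver's):
      'accept'      - a complete UDP reply arrived
      'retry_tcp'   - server set TC=1, or UDP got no answer at a small bufsize
      'shrink_edns' - no reply at all while advertising more than fits in one
                      packet: fragments are probably being dropped, so retry
                      with a bufsize <= max_unfragmented_payload() (or use TCP)
    """
    if reply is None:
        if query_bufsize > max_unfragmented_payload(mtu):
            return "shrink_edns"
        return "retry_tcp"
    if parse_header(reply)["tc"]:
        return "retry_tcp"
    return "accept"


def make_reply(query, truncated=False, answers=0):
    """Constructed sample reply for offline testing: echoes the question section
    of `query` (minus our 11-byte OPT RR) and sets QR/RA, plus TC when asked."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, answers, 0, 0)
    return header + query[12:-11]


if __name__ == "__main__":
    q = build_query("www.freebsd.org", bufsize=4096)
    print("query:", q.hex())
    print("unfragmented UDP payload on a 1500 MTU:", max_unfragmented_payload())
    for desc, reply in [("no reply at all", None),
                        ("reply with TC set", make_reply(q, truncated=True)),
                        ("complete reply", make_reply(q, answers=2))]:
        print(f"{desc:18} -> {next_step(4096, reply)}")
```

The same experiment from the shell is `dig +dnssec +bufsize=1232 www.freebsd.org @72.52.71.1` (advertise a size that fits in one packet) versus `dig +dnssec +tcp ...` (skip UDP entirely); if the first works and the second times out, TCP/53 is being filtered somewhere. In a local unbound forwarder the equivalent knob is `edns-buffer-size:` in the `server:` section of unbound.conf.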





