Date: Wed, 28 Jan 2015 17:38:08 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd-net@freebsd.org
Subject: Re: Problems with DNSSEC -- answer in fragmented UDP doesn't work
Message-ID: <54C91E80.7020407@infracaninophile.co.uk>
In-Reply-To: <54C918D2.7090805@FreeBSD.org>
References: <54C918D2.7090805@FreeBSD.org>
On 01/28/15 17:13, Lev Serebryakov wrote:
>
> I could not resolve names with DNSSEC (for example, in the freebsd.org
> domain) on two of my installations, one with FreeBSD 11 and the other with
> FreeBSD 9.3.
>
> The symptoms are the same: the answer is sent as a fragmented IP/UDP packet and
> the second part of the answer never arrives. For example, this doesn't work
> for me ("timeout", and only the first part of the fragmented packet on the wire
> according to tcpdump):
>
> % dig +dnssec www.freebsd.org @72.52.71.1
>
> ; <<>> DiG 9.9.5 <<>> +dnssec www.freebsd.org @72.52.71.1
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> %
>
> The problem is, the latest bind (9.9 from ports) sends such requests over UDP,
> not TCP.
>
> Is it OK? Is it a misconfiguration of my networks (I have this problem
> in two different installations) or something else?

What do you get if you run the reply size test at DNS-OARC?

https://www.dns-oarc.net/oarc/services/replysizetest

This should help you eliminate restrictions on the size of DNS responses,
rather than it being a DNSSEC-specific problem.

Most queries nowadays are expected to run over UDP, even if the response is
too big to fit into a single UDP packet, by means of the EDNS mechanism. The
old 'try UDP, and failing that, try again using TCP' style should still work
though, although TCP is only used routinely for AXFR or IXFR type queries --
meaning that certain people may forget to allow TCP queries via port 53 when
setting up firewalls...

If you're on 10.x or above, try enabling local_unbound -- beware that there's
a bug that prevents resolution of RFC1918 and other special IP ranges on 10.0,
fixed in 10.1.

Using a local unbound as a forwarder should give you the ability to tweak
exactly how it talks to your upstream DNSes so that the answers get through
more reliably.

Cheers,

Matthew
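As an added illustration (not code from this thread, nor from bind or unbound), here is a pure-stdlib Python sketch of the EDNS0 mechanics Matthew refers to: a query that advertises a UDP buffer size with the DO bit set (what `dig +dnssec` sends), and the fallback decision a resolver makes when the UDP reply comes back truncated or, as in Lev's case, never arrives because a fragment was lost. The buffer sizes in FALLBACK_SIZES, the query id and the hostname are my own choices for the example.

```python
import struct

# Advertised EDNS0 UDP buffer sizes to try, largest first (chosen for this
# example). 1232 is the usual conservative value that avoids IP fragmentation
# on almost every path; 512 is the classic pre-EDNS limit.
FALLBACK_SIZES = (4096, 1232, 512)

def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l for l in labels) + b"\x00"

def build_query(name, edns_udp_size=1232, dnssec_ok=True, qid=0x1234, qtype=1):
    """Build a recursive query for `name` carrying an EDNS0 OPT record.

    The OPT record's CLASS field holds the UDP payload size we can receive,
    and the DO bit (0x8000 in its TTL field) asks for DNSSEC records, which
    is what makes the answer large enough to need fragmentation."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)   # RD=1, QDCOUNT=1, ARCOUNT=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS=IN
    ttl_field = 0x8000 if dnssec_ok else 0                      # ext-rcode / version / DO / Z
    # OPT RR: root name, TYPE=41, CLASS=payload size, TTL=flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, ttl_field, 0)
    return header + question + opt

def is_truncated(reply):
    """True when the server set TC: the answer did not fit, re-ask over TCP."""
    _, flags = struct.unpack("!HH", reply[:4])
    return bool(flags & 0x0200)

def next_action(reply, advertised_size):
    """Decide what a resolver should do after one UDP attempt.

    `reply` is the datagram received, or None on timeout. A timeout is the
    symptom from the thread: the first fragment arrives, the second never
    does, so the kernel never hands the datagram up. Returns (action, size)."""
    if reply is None:
        smaller = [s for s in FALLBACK_SIZES if s < advertised_size]
        # A smaller advertised size makes the server set TC instead of fragmenting.
        return ("retry_udp", smaller[0]) if smaller else ("retry_tcp", None)
    if is_truncated(reply):
        return ("retry_tcp", None)   # this is why TCP/53 must not be firewalled
    return ("done", None)
```

Feeding the timeout branch through the sizes in order reproduces the 'try UDP, then fall back to TCP' behaviour; a resolver that never reaches the TCP step on a path that drops fragments shows exactly the "connection timed out" result above.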