Date: Wed, 28 Jan 2015 20:53:38 +0300
From: Lev Serebryakov <lev@FreeBSD.org>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>, freebsd-net@freebsd.org
Subject: Problems with IP fragments (was: Problems with DNSSEC -- answer in fragmented UDP doesn't work)
Message-ID: <54C92222.6000201@FreeBSD.org>
In-Reply-To: <54C91E80.7020407@infracaninophile.co.uk>
References: <54C918D2.7090805@FreeBSD.org> <54C91E80.7020407@infracaninophile.co.uk>

On 28.01.2015 20:38, Matthew Seaman wrote:

> What do you get if you run the reply size test at DNS-OARC ?
>
> https://www.dns-oarc.net/oarc/services/replysizetest

0 lines (empty answer) at CURRENT, only "rst.x1013.rs.dns-oarc.net." on 9.3.

Looks like "IP Fragments Filtered", but I don't understand — why and where?! I'm using ipfw on both hosts, but I don't have any special rules about IP fragments at all! And as these systems are in completely different networks, with different uplinks and FreeBSD versions!

> This should help you eliminate restrictions on the size of DNS
> responses, rather than it being a DNSSEC specific problem.

Yes, it is an EDNS more-than-one-UDP-datagram problem, not a DNSSEC-specific one.

> If you're on 10.x or above, try enabling local_unbound -- beware
> that there's a bug that prevents resolution of RFC1918 and other
> special IP ranges on 10.0, fixed in 10.1. Using a local unbound as
> a forwarder should give you the ability to tweak exactly how it
> talks to your upstream DNSes so that the answers get through more
> reliably.

Unfortunately, I need a recursive resolver for my network and an authoritative server (with views!) on one host. unbound could not do that, so I'm using bind from ports on CURRENT.

--
// Lev Serebryakov