Date: Fri, 30 Jan 2015 16:57:28 -0800
From: Kevin Oberman <rkoberman@gmail.com>
To: Lev Serebryakov <lev@freebsd.org>
Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject: Re: Problems with DNSSEC -- answer in fragmented UDP doesn't work
Message-ID: <CAN6yY1v8apAdjNtfzXEG4Gx6tbCsEbZuRii48vOQJ2O%2BCeUNyQ@mail.gmail.com>
In-Reply-To: <54C918D2.7090805@FreeBSD.org>
References: <54C918D2.7090805@FreeBSD.org>
On Wed, Jan 28, 2015 at 9:13 AM, Lev Serebryakov <lev@freebsd.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> I could not resolve names with DNSSEC (for example, in the freebsd.org
> domain) on two of my installations, one with FreeBSD 11 and the other with
> FreeBSD 9.3.
>
> Symptoms are the same: the answer is sent as a fragmented IP/UDP packet and
> the second part of the answer never arrives. For example, this doesn't work
> for me ("timeout" and only the first part of the fragmented packet on the wire
> according to tcpdump):
>
> % dig +dnssec www.freebsd.org @72.52.71.1
>
> ; <<>> DiG 9.9.5 <<>> +dnssec www.freebsd.org @72.52.71.1
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> %
>
> The problem is, the latest bind (9.9 from ports) sends such requests over UDP,
> not TCP.
>
> Is it OK? Is it a misconfiguration of my networks (I have this problem
> in two different installations) or something else?
>
> --
> // Lev Serebryakov

Does the system have a firewall? If so, is it configured to allow fragments?
For ipfw you need something like "allow ip from any to me frag". If you want
to restrict this to DNS, restrict it to dst-port 53.

--
Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman@gmail.com
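The mechanism behind the thread (a DNSSEC query advertises a large EDNS0 UDP buffer, so the server sends a big answer in one UDP datagram that the IP layer fragments, and a firewall that drops fragments turns that into a timeout) is easier to see in wire-format code. The following is an added example, not code from the thread or from BIND: it builds a DNSSEC query with an EDNS0 OPT record, reads the advertised UDP payload size and DO bit back out of a message, predicts whether an answer of a given size fits, fragments, or gets truncated (TC=1, which makes a resolver retry over TCP), and shows the UDP-then-TCP fallback on a socket. The answer length 1700 and the default of 1232 bytes in `resolve()` are constructed values chosen for illustration; the 1472-byte figure is the IPv4/UDP payload that fits one 1500-byte Ethernet frame.

```python
"""Added example (not the thread's or BIND's code): EDNS0 payload size vs. UDP fragmentation."""
import socket
import struct

TYPE_OPT = 41                 # EDNS0 pseudo-RR type (RFC 6891)
DO_BIT = 0x8000               # "DNSSEC OK" bit in the high half of the OPT TTL field
TC_FLAG = 0x0200              # Truncated flag in the DNS header
IPV4_UDP_MAX = 1500 - 20 - 8  # largest UDP payload in one Ethernet frame without IP fragmentation


def encode_name(name):
    """Turn "www.freebsd.org" into DNS wire-format labels."""
    labels = [lab.encode() for lab in name.rstrip('.').split('.') if lab]
    return b''.join(bytes([len(lab)]) + lab for lab in labels) + b'\x00'


def build_query(name, qtype=1, udp_payload=4096, dnssec_ok=True, txid=0x1234):
    """Build a query with RD set and one EDNS0 OPT record advertising udp_payload bytes."""
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 1)   # 1 question, 1 additional (OPT)
    question = encode_name(name) + struct.pack('!HH', qtype, 1)  # class IN
    # OPT: root name, TYPE=41, CLASS=advertised UDP size, TTL=ext-rcode/version/DO/Z, RDLEN=0
    opt = b'\x00' + struct.pack('!HHIH', TYPE_OPT, udp_payload, DO_BIT if dnssec_ok else 0, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header into a dict of the fields we care about."""
    txid, flags, qd, an, ns, ar = struct.unpack('!HHHHHH', msg[:12])
    return {'id': txid, 'qr': bool(flags & 0x8000), 'tc': bool(flags & TC_FLAG),
            'rcode': flags & 0x000F, 'qdcount': qd, 'ancount': an, 'nscount': ns, 'arcount': ar}


def skip_name(msg, off):
    """Advance past a (possibly compressed) name that starts at offset off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def find_opt(msg):
    """Return (udp_payload, dnssec_ok) from the OPT record, or None if the message has none."""
    h = parse_header(msg)
    off = 12
    for _ in range(h['qdcount']):
        off = skip_name(msg, off) + 4   # QTYPE + QCLASS
    for _ in range(h['ancount'] + h['nscount'] + h['arcount']):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        off += 10
        if rtype == TYPE_OPT:
            return rclass, bool(ttl & DO_BIT)   # CLASS carries the advertised size
        off += rdlen
    return None


def predict_udp_outcome(answer_len, udp_payload, max_unfragmented=IPV4_UDP_MAX):
    """How an answer of answer_len bytes is delivered given the client's advertised size.
    'truncated': larger than udp_payload, server sets TC=1 and the client retries over TCP
    'fragmented': fits the advertised size but not one datagram on the path -> IP fragments
    'fits': one unfragmented datagram"""
    if answer_len > udp_payload:
        return 'truncated'
    if answer_len > max_unfragmented:
        return 'fragmented'
    return 'fits'


def resolve(name, server, udp_payload=1232, timeout=3.0):
    """Query over UDP and fall back to TCP when TC=1 (needs network; not exercised offline)."""
    q = build_query(name, udp_payload=udp_payload)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(udp_payload)
    if not parse_header(resp)['tc']:
        return resp
    with socket.create_connection((server, 53), timeout=timeout) as t:
        t.sendall(struct.pack('!H', len(q)) + q)   # DNS over TCP is length-prefixed
        (n,) = struct.unpack('!H', t.recv(2))
        buf = b''
        while len(buf) < n:
            buf += t.recv(n - len(buf))
        return buf


if __name__ == '__main__':
    print(find_opt(build_query('www.freebsd.org')))          # (4096, True)
    for size in (4096, 1232):                                  # constructed 1700-byte answer
        print(size, predict_udp_outcome(1700, size))
```

With the default 4096-byte buffer the constructed 1700-byte answer is 'fragmented', and a firewall that drops non-initial fragments leaves the kernel waiting for a reassembly that never completes, which user space sees as the timeout in the thread. Advertising 1232 bytes instead makes the same answer 'truncated', so the client gets a small TC=1 reply and retries over TCP. Note that only the first fragment carries the UDP header, so a port-based rule cannot match the remaining fragments; that is why an ipfw `frag` rule is needed to let them through.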