Problems with DNSSEC -- answer in fragmented UDP doesn't work

Matthew Seaman m.seaman at infracaninophile.co.uk
Wed Jan 28 17:38:23 UTC 2015


On 01/28/15 17:13, Lev Serebryakov wrote:
> 
>  I could not resolve names with DNSSEC (for example, in freebsd.org
> domain) on two of my installations, one with FreeBSD 11 and other with
> FreeBSD 9.3.
> 
>  Symptoms are the same: the answer is sent as a fragmented IP/UDP packet and
> the second part of the answer never arrives. For example, this doesn't work
> for me ("timeout" and only the first part of the fragmented packet on the wire
> according to tcpdump):
> 
> % dig +dnssec www.freebsd.org @72.52.71.1
> 
> ; <<>> DiG 9.9.5 <<>> +dnssec www.freebsd.org @72.52.71.1
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> %
> 
>  Problem is, latest bind (9.9 from ports) sends such requests over UDP,
> not TCP.
> 
>  Is it OK? Is it a misconfiguration of my networks (I have this problem
> in two different installations) or something else?

What do you get if you run the reply size test at DNS-OARC ?

https://www.dns-oarc.net/oarc/services/replysizetest

This should help you eliminate restrictions on the size of DNS
responses, rather than it being a DNSSEC-specific problem.

Most queries nowadays are expected to run over UDP, even if the response
is too big to fit into a single UDP packet, by means of the EDNS
mechanism.  The old 'try UDP, and failing that, try again using TCP'
style should still work, although TCP is only used routinely for
AXFR or IXFR type queries -- meaning that certain people may forget to
allow TCP queries via port 53 when setting up firewalls...

If you're on 10.x or above, try enabling local_unbound -- beware that
there's a bug that prevents resolution of RFC1918 and other special IP
ranges on 10.0, fixed in 10.1.  Using a local unbound as a forwarder
should give you the ability to tweak exactly how it talks to your
upstream DNSes so that the answers get through more reliably.

	Cheers,

	Matthew
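An added example, not code from this thread, from BIND or from FreeBSD: the script below does by hand what the DNS-OARC reply size test and a resolver's fallback logic do. It builds a query carrying an EDNS0 OPT record (RFC 6891) with the DO bit set, sends it over UDP advertising a large buffer, shrinks the advertised size when nothing comes back (the "first fragment only" symptom above), and falls back to DNS over TCP (RFC 7766, two-byte length prefix) when the server replies with TC=1 or UDP never works. The name www.freebsd.org and the server 72.52.71.1 are taken from the thread; the size ladder 4096/1232/512 (1232 being the value commonly recommended since DNS Flag Day 2020), the placeholder address 192.0.2.1 and the make_reply() stub used for offline demonstration are assumptions.

```python
"""Probe whether DNSSEC-sized DNS replies get through over UDP, else use TCP.

Added example for illustration; the sizes, names and fake replies are
assumptions, not measurements from the thread.
"""
import random
import socket
import struct
import sys

FLAG_TC = 0x0200   # header flag: answer truncated, too big for the advertised size
OPT_DO = 0x8000    # DNSSEC OK bit, high half of the OPT RR's TTL field


def build_query(name, qtype=1, bufsize=4096, do=True, qid=None):
    """DNS query with one question plus an EDNS0 OPT RR in the additional section."""
    qid = random.randrange(1 << 16) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)   # flags: RD only
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)            # class IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, OPT_DO if do else 0, 0)
    return header + question + opt


def edns_bufsize(packet):
    """Advertised UDP payload size of a packet whose last RR is a bare OPT RR."""
    return struct.unpack("!H", packet[-8:-6])[0]


def parse_header(packet):
    """Decode the 12-byte DNS header into a dict (works for queries and replies)."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": qid, "tc": bool(flags & FLAG_TC), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def make_reply(qid, tc=False):
    """Constructed minimal reply header (QR, RD, RA set), for offline demonstration."""
    flags = 0x8180 | (FLAG_TC if tc else 0)
    return struct.pack("!HHHHHH", qid, flags, 0, 0, 0, 0)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP connection closed mid-message")
        buf += chunk
    return buf


def udp_query(server, payload, timeout):
    """One UDP round trip; None on timeout (e.g. a dropped second fragment)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (server, 53))
        try:
            return s.recvfrom(65535)[0]
        except socket.timeout:
            return None


def tcp_query(server, payload, timeout):
    """DNS over TCP: two-byte big-endian length prefix in both directions."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(payload)) + payload)
        (n,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, n)


def resolve(name, server, qtype=1, sizes=(4096, 1232, 512), timeout=2.0,
            udp=udp_query, tcp=tcp_query):
    """Return (transport, bufsize, reply). udp/tcp are injectable so the logic can be tested offline."""
    for bufsize in sizes:
        q = build_query(name, qtype, bufsize)
        reply = udp(server, q, timeout)
        if reply is None:
            continue                      # timeout: shrink the advertised size and retry
        h = parse_header(reply)
        if h["id"] != parse_header(q)["id"]:
            continue                      # stray packet for another query; treat as no answer
        if h["tc"]:
            break                         # server could not fit the answer: go to TCP
        return ("udp", bufsize, reply)
    reply = tcp(server, build_query(name, qtype, sizes[0]), timeout)
    return ("tcp", None, reply)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "www.freebsd.org"
    ns = sys.argv[2] if len(sys.argv) > 2 else "72.52.71.1"    # server from the thread
    transport, size, reply = resolve(host, ns)
    h = parse_header(reply)
    print(f"{host} via {transport} bufsize={size} rcode={h['rcode']} answers={h['ancount']}")
```

Run it against the server that times out for dig: if the first size fails and 1232 succeeds, fragments are being dropped somewhere on the path and capping the advertised size is the fix; if every UDP size fails and the TCP leg also hangs, port 53/TCP is being filtered, which is the firewall mistake mentioned above. In unbound the equivalent knobs are edns-buffer-size and tcp-upstream.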

