Problems with IP fragments (was: Problems with DNSSEC -- answer in fragmented UDP doesn't work)

Lev Serebryakov lev at FreeBSD.org
Wed Jan 28 17:53:55 UTC 2015



On 28.01.2015 20:38, Matthew Seaman wrote:

> What do you get if you run the reply size test at DNS-OARC ?
> 
> https://www.dns-oarc.net/oarc/services/replysizetest
 0 lines (empty answer) at CURRENT, only "rst.x1013.rs.dns-oarc.net."
on 9.3.

 Looks like "IP Fragments Filtered", but I don't understand — why and
where?!

 I'm using ipfw on both hosts, but I don't have any special rules
about IP fragments at all! And these systems are in completely
different networks, with different uplinks and FreeBSD versions!

> This should help you eliminate restrictions on the size of DNS 
> responses, rather than it being a DNSSEC specific problem.
  Yes, it is an EDNS more-than-one-UDP-datagram problem, not
a DNSSEC-specific one.

> If you're on 10.x or above, try enabling local_unbound -- beware
> that there's a bug that prevents resolution of RFC1918 and other
> special IP ranges on 10.0, fixed in 10.1.  Using a local unbound as
> a forwarder should give you the ability to tweak exactly how it
> talks to your upstream DNSes so that the answers get through more
> reliably.
 Unfortunately, I need a recursive resolver for my network and
an authoritative server (with views!) on one host. unbound could not do
that, so I'm using bind from ports on CURRENT.

-- 
// Lev Serebryakov

