Problems with DNSSEC -- answer in fragmented UDP doesn't work

Kevin Oberman rkoberman at gmail.com
Sat Jan 31 00:57:28 UTC 2015


On Wed, Jan 28, 2015 at 9:13 AM, Lev Serebryakov <lev at freebsd.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
>
>  I could not resolve names with DNSSEC (for example, in freebsd.org
> domain) on two of my installations, one with FreeBSD 11 and other with
> FreeBSD 9.3.
>
>  Symptoms are the same: answer is sent as fragmented IP/UDP packet and
> second part of answer never arrives. For example, this doesn't work
> for me ("timeout" and only first part of fragmented packet on wire
> according to tcpdump):
>
> % dig +dnssec www.freebsd.org @72.52.71.1
>
> ; <<>> DiG 9.9.5 <<>> +dnssec www.freebsd.org @72.52.71.1
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> %
>
>  Problem is, latest bind (9.9 from ports) sends such requests over UDP,
> not TCP.
>
>  Is it Ok? Is it misconfiguration of my networks (I have such problem
> in two different installations) or something?
>
> - --
> // Lev Serebryakov
>

 Does the system have a firewall? If so, is it configured to allow
fragments?

For ipfw you need something like "allow ip from any to me frag". If you
want to restrict this to DNS, restrict it to dst-port 53.
--
Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman at gmail.com
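The quick way to tell "fragments are being dropped" apart from "UDP is blocked" or "the server is unreachable" is to ask the same DNSSEC question three ways: the default (EDNS, large UDP buffer, answer may fragment), with a 512-byte EDNS buffer (the answer comes back truncated and dig retries over TCP, so no IP fragment is ever needed), and over TCP from the start. The script below is an added example, not code from the thread; it assumes BIND's dig is installed, reuses the name and server from the original post as placeholders, and the ipfw rule number it prints is hypothetical. Note that in ipfw a non-first fragment carries no UDP header, so the `frag` rule cannot carry a port match; the port restriction belongs on the rule that admits the first fragment.

```shell
#!/bin/sh
# Added example (not from the original thread). Localise a "fragmented UDP
# DNS answer never arrives" problem with three dig probes and print the
# ipfw rules a fragment-dropping firewall would need.
# Assumptions: dig (BIND 9) is installed; NAME/SERVER are the placeholders
# from the thread; rule number 100 is hypothetical.

NAME=${NAME:-www.freebsd.org}
SERVER=${SERVER:-72.52.71.1}

# classify_dig: read dig output on stdin, print one word:
#   timeout - no response at all (what the original post shows)
#   answer  - a response with an ANSWER section
#   other   - a response arrived but carried no answer (SERVFAIL, NXDOMAIN, ...)
classify_dig() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'connection timed out'; then
        echo timeout
    elif printf '%s\n' "$out" | grep -q '^;; ANSWER SECTION:'; then
        echo answer
    else
        echo other
    fi
}

# probe: run one dig variant (extra flags as arguments) and classify it.
probe() {
    dig +dnssec +time=3 +tries=1 "$@" "$NAME" @"$SERVER" 2>&1 | classify_dig
}

# interpret: combine the three verdicts (default UDP, bufsize=512, TCP)
# into a single diagnosis word.
interpret() {
    udp=$1; small=$2; tcp=$3
    if [ "$udp" = timeout ] && [ "$tcp" = answer ]; then
        if [ "$small" = answer ]; then
            echo fragments-dropped   # only the large, fragmented UDP answer is lost
        else
            echo udp-blocked         # even a small UDP exchange fails, TCP is fine
        fi
    elif [ "$udp" = timeout ] && [ "$tcp" = timeout ]; then
        echo server-unreachable      # nothing gets through on either transport
    elif [ "$udp" = answer ]; then
        echo udp-ok                  # fragmented answer arrived; look elsewhere
    else
        echo inconclusive
    fi
}

# ipfw_rules: the rules a host firewall needs so the second and later
# fragments of a DNS answer are not silently dropped. Non-first fragments
# have no UDP header, so the "frag" rule carries no port match; the port
# restriction goes on the rule admitting the first fragment (the UDP reply).
ipfw_rules() {
    cat <<'EOF'
# hypothetical rule numbers; place before any rule that denies fragments
ipfw add 100 allow udp from any 53 to me in
ipfw add 110 allow ip from any to me in frag
EOF
}

# diagnose: run the three probes against the live server and report.
diagnose() {
    udp_v=$(probe)                  # default: EDNS buffer large, answer may fragment
    small_v=$(probe +bufsize=512)   # TC bit set by server, dig retries over TCP
    tcp_v=$(probe +tcp)             # TCP from the start: no IP fragmentation
    printf 'udp=%s bufsize512=%s tcp=%s -> %s\n' \
        "$udp_v" "$small_v" "$tcp_v" "$(interpret "$udp_v" "$small_v" "$tcp_v")"
}

# Run the live probes only when explicitly asked, so the functions above
# can be sourced and tested offline.
if [ "${RUN_PROBES:-0}" = 1 ]; then
    diagnose
    ipfw_rules
fi
```

Run it as `RUN_PROBES=1 sh dnsfrag.sh` (hypothetical file name) on the affected host; a result of `fragments-dropped` points at fragment handling between the host and the server, which on a FreeBSD box usually means the ipfw or pf rule set, while `udp-blocked` or `server-unreachable` say the problem is not fragmentation at all.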

