Problems with DNSSEC -- answer in fragmented UDP doesn't work

Ian Smith smithi at nimnet.asn.au
Sat Jan 31 03:50:20 UTC 2015


On Fri, 30 Jan 2015 16:57:28 -0800, Kevin Oberman wrote:
 > On Wed, Jan 28, 2015 at 9:13 AM, Lev Serebryakov <lev at freebsd.org> wrote:

 > >  I could not resolve names with DNSSEC (for example, in freebsd.org
 > > domain) on two of my installations, one with FreeBSD 11 and other with
 > > FreeBSD 9.3.
 > >
 > >  Symptoms are the same: the answer is sent as a fragmented IP/UDP packet and
 > > the second part of the answer never arrives. For example, this doesn't work
 > > for me ("timeout" and only the first part of the fragmented packet on the wire
 > > according to tcpdump):
 > >
 > > % dig +dnssec www.freebsd.org @72.52.71.1
 > >
 > > ; <<>> DiG 9.9.5 <<>> +dnssec www.freebsd.org @72.52.71.1
 > > ;; global options: +cmd
 > > ;; connection timed out; no servers could be reached
 > > %
 > >
 > >  Problem is, the latest bind (9.9 from ports) sends such requests over UDP,
 > > not TCP.

That's normal for bind, and nothing new.

 > >  Is it OK? Is it a misconfiguration of my networks (I have this problem
 > > in two different installations) or something?
 > >
 > > - --
 > > // Lev Serebryakov
 > >
 > 
 >  Does the system have a firewall? If so, is it configured to allow
 > fragments?
 > 
 > For ipfw you need something like "allow ip from any to me frag". If you
 > want to restrict this to DNS, restrict it to dst-port 53.

Indeed.  The same has long applied if using (e.g.) zen.spamhaus.org lookups
against spam, whose responses can have up to two fragments.  If also
serving DNSSEC you'd need to allow frags outbound as well.

Another example, perhaps, of damage due to the mistake-ridden IPFW 
handbook example rulesets, all of which gratuitously deny all frags.

cheers, Ian
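The failure mode discussed in this thread (a two-fragment DNSSEC answer whose second fragment is silently dropped by a firewall) is easy to reason about once you model ipfw's first-match evaluation and one property documented in ipfw(8): a non-first fragment carries no UDP/TCP header, so port options cannot match it, and only the "frag" option (or a rule with no port options at all) can pass it. The following is an added teaching example, not code from this thread or from ipfw itself; the rule grammar is a small hand-written subset of ipfw syntax, the "me" address and the DNS answer are constructed, and the offset value is just a plausible second-fragment offset.

```python
"""Toy model of ipfw first-match rule evaluation for fragmented DNS answers.

Added example (not ipfw): models only the subset of ipfw behaviour needed to
show why 'deny ip from any to any frag' breaks DNSSEC, and why a fragment
rule cannot be narrowed with dst-port/src-port. Per ipfw(8), non-first
fragments have no L4 header, so port options never match them.
"""

from dataclasses import dataclass
from typing import List, Optional

ME = "203.0.113.10"  # constructed: this host's address, ipfw's 'me'


@dataclass
class Packet:
    proto: str              # "udp" or "tcp"
    src: str
    dst: str
    sport: Optional[int]    # None on non-first fragments (no UDP header)
    dport: Optional[int]
    frag_offset: int        # 0 for an unfragmented datagram or first fragment


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    frag: bool = False


def parse_rule(text: str) -> Rule:
    """Parse '<action> <proto> from <src> to <dst> [src-port N] [dst-port N] [frag]'."""
    tok = text.split()
    if tok[2] != "from" or tok[4] != "to":
        raise ValueError(f"unsupported rule syntax: {text!r}")
    rule = Rule(tok[0], tok[1], tok[3], tok[5])
    i = 6
    while i < len(tok):
        if tok[i] == "src-port":
            rule.src_port = int(tok[i + 1]); i += 2
        elif tok[i] == "dst-port":
            rule.dst_port = int(tok[i + 1]); i += 2
        elif tok[i] == "frag":
            rule.frag = True; i += 1
        else:
            raise ValueError(f"unsupported option {tok[i]!r}")
    return rule


def addr_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or (pattern == "me" and addr == ME) or pattern == addr


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not (addr_match(rule.src, pkt.src) and addr_match(rule.dst, pkt.dst)):
        return False
    # 'frag' matches only fragments that are not the first fragment.
    if rule.frag and pkt.frag_offset == 0:
        return False
    # Port options need the UDP/TCP header, which only the first fragment has.
    if rule.src_port is not None or rule.dst_port is not None:
        if pkt.frag_offset != 0:
            return False
        if rule.src_port is not None and pkt.sport != rule.src_port:
            return False
        if rule.dst_port is not None and pkt.dport != rule.dst_port:
            return False
    return True


def verdict(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides, as in ipfw; deny if nothing matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed: a two-fragment DNSSEC answer from a remote server (port 53)
# to this resolver's ephemeral port. Only the first fragment carries ports;
# 185 is the offset of a second fragment in 8-byte units (1480 bytes in).
FIRST_FRAG = Packet("udp", "72.52.71.1", ME, 53, 51234, 0)
SECOND_FRAG = Packet("udp", "72.52.71.1", ME, None, None, 185)


def answer_delivered(rules: List[Rule]) -> bool:
    """The kernel can only reassemble the answer if every fragment gets through."""
    return all(verdict(rules, f) == "allow" for f in (FIRST_FRAG, SECOND_FRAG))


# Handbook-style ruleset: an unconditional fragment deny near the top.
HANDBOOK = [parse_rule(r) for r in (
    "deny ip from any to any frag",
    "allow udp from any to me src-port 53",
    "deny ip from any to any",
)]

# Corrected ruleset: admit fragments to me (and from me, if also serving
# DNSSEC) before the fragment deny, as suggested in the thread.
FIXED = [parse_rule(r) for r in (
    "allow ip from any to me frag",
    "allow ip from me to any frag",
    "deny ip from any to any frag",
    "allow udp from any to me src-port 53",
    "deny ip from any to any",
)]

# Tempting but ineffective: a port-qualified fragment rule never matches a
# non-first fragment, because that fragment has no port numbers to compare.
PORT_RESTRICTED = [parse_rule(r) for r in (
    "allow udp from any to me src-port 53 frag",
    "deny ip from any to any frag",
    "allow udp from any to me src-port 53",
    "deny ip from any to any",
)]

if __name__ == "__main__":
    for name, rules in (("handbook", HANDBOOK), ("fixed", FIXED),
                        ("port-restricted", PORT_RESTRICTED)):
        print(f"{name:16s} first={verdict(rules, FIRST_FRAG):5s} "
              f"second={verdict(rules, SECOND_FRAG):5s} "
              f"delivered={answer_delivered(rules)}")
```

Running it shows the handbook ruleset passing the first fragment and dropping the second, which is exactly the tcpdump picture from the original report (first fragment on the wire, then a timeout), while the corrected ruleset delivers the whole answer. The port-restricted variant illustrates the caveat: a fragment rule has to match on addresses alone, because the port information only exists in the first fragment. A quick way to confirm this diagnosis on a real host is to repeat the query with `dig +tcp`; if the TCP query succeeds where the UDP one times out, the server is reachable and fragments are being dropped on the path or by the local firewall.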

