Bind, dnssec, udp fragmentation woes.

Nicholas Wheeler nwheeler at devis.com
Fri Oct 2 00:46:39 UTC 2009


Hello all,

    For the last couple days I've been trying to figure out how to get
dnssec implemented within my environment. A simplified description of my
network is as follows: cloud -> Nokia IP330(Check Point) -> BigIP F5 ->
debian -> named.

My problem seems to be that when asking for dnssec-related information
over udp, bind generates fragmented UDP packets that are then being
blocked somewhere-along-the-way. I am not currently able to determine at
what point it's being blocked, however.

Here's what I can do:

(within named's network):
dig @named +dnssec +notcp DNSKEY domain.tld
dig @named +dnssec +tcp DNSKEY domain.tld

(outside of named's network):
dig @named +dnssec +tcp DNSKEY domain.tld
dig @named +notcp A domain.tld

Here's what I can't do:

(outside of named's network):
dig @named +notcp +dnssec A domain.tld
dig @named +notcp +dnssec DNSKEY domain.tld

This is making it so my TLD can't get the DNSKEY via UDP, and therefore
fails.

I've tried setting various options in bind (edns-udp-size 512;,
max-udp-size 512;), to no avail. As far as I can see from tcpdump, bind
gets the request, generates some fragmented udp packets, which then
enter TheVoid.

Does anyone have any experience in getting bind to work with dnssec
through potentially faulty firewalls and/or *NOT* fragment the UDP
packets? It's possible that the firewall does both: denies fragmented
udp packets, and denies udp packets which are not 512 bytes.

Any help at all would be greatly appreciated... such as category logging
statements that might be of relevance, tools to diagnose udp
fragmentation problems, documentation of linux kernel parameters that
might affect bind's generation of UDP packets (fragmentation?), etc.

Thank you very much for your time,

-- 
Nicholas Wheeler
Systems Administrator
Development Infostructure