Hello all,
For the last couple days I've been trying to figure out how to get
dnssec implemented within my environment. A simplified description of my
network is as follows: cloud -> Nokia IP330(Check Point) -> BigIP F5 ->
debian -> named.

My problem seems to be that when asking for dnssec-related information over udp, bind generates fragmented UDP packets that are then being blocked somewhere-along-the-way. I am not currently able to determine at what point it's being blocked, however.

Here's what I can do:

(within named's network):
dig @named +dnssec +notcp DNSKEY domain.tld
dig @named +dnssec +tcp DNSKEY domain.tld

(outside of named's network):
dig @named +dnssec +tcp DNSKEY domain.tld
dig @named +notcp A domain.tld

Here's what I can't do:

(outside of named's network):
dig @named +notcp +dnssec A domain.tld
dig @named +notcp +dnssec DNSKEY domain.tld

This is making it so my TLD can't get the DNSKEY via UDP, and therefore fails.

I've tried setting various options in bind (edns-udp-size 512;, max-udp-size 512;), to no avail. As far as I can see from tcpdump, bind gets the request, generates some fragmented udp packets, which then enter TheVoid.

Does anyone have any experience in getting bind to work with dnssec through potentially faulty firewalls and/or *NOT* fragment the UDP packets? It's possible that the firewall does both: denies fragmented udp packets, and denies udp packets which are not 512 bytes.

Any help at all would be greatly appreciated....such as category logging statements that might be of relevance, tools to diagnose udp fragmentation problems, documentation of linux kernel parameters that might affect bind's generation of UDP packets (fragmentation?), etc.

Thank you very much for your time,

--
Nicholas Wheeler
Systems Administrator
Development Infostructure
_______________________________________________ bind-users mailing list [email protected] https://lists.isc.org/mailman/listinfo/bind-users
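The poster asks for tools to diagnose UDP fragmentation problems. The script below is an added example, not something from the thread or from ISC: it hand-builds a DNSKEY query carrying an EDNS0 OPT record, sends it over UDP once per advertised buffer size, and reports for each size whether an answer arrived and whether the TC (truncated) bit was set. If the server answers (even truncated) when the client advertises 512 bytes but nothing comes back when it advertises 4096, the large responses are leaving the server and being dropped on the path, which is exactly the fragment-filtering case described above. The server address `192.0.2.53` and the zone `domain.tld` are placeholders, and the response bytes used in the test are constructed.

```python
"""Probe whether large DNSSEC responses survive the UDP path to a name server.

Added diagnostic example (not from the original bind-users thread). The query is
built by hand so no DNS library is required; only the standard library is used.
"""
import socket
import struct
from typing import Dict, Optional

DNSKEY = 48   # RR type
OPT = 41      # EDNS0 pseudo-RR type
DO_BIT = 0x00008000  # DNSSEC OK flag in the OPT TTL field


def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int, udp_size: int, txid: int = 0x1234) -> bytes:
    """Build a recursion-desired query with an OPT record advertising udp_size."""
    # Header: id, flags (RD), qdcount=1, ancount=0, nscount=0, arcount=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, CLASS = advertised UDP payload size,
    # TTL = ext-RCODE/version/DO flag, RDLENGTH 0 (no options)
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, DO_BIT, 0)
    return header + question + opt


def parse_response(data: bytes) -> Dict[str, object]:
    """Extract the fields a fragmentation diagnosis needs from a raw reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "tc": bool(flags & 0x0200),   # truncated: answer did not fit in udp_size
        "rcode": flags & 0x000F,
        "answers": an,
        "length": len(data),
    }


def probe(server: str, qname: str, udp_size: int, timeout: float = 3.0) -> Optional[dict]:
    """Send one DNSKEY query over UDP; return parsed reply or None on timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(qname, DNSKEY, udp_size), (server, 53))
        data, _ = sock.recvfrom(65535)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_response(data)


def diagnose(results: Dict[int, Optional[dict]]) -> str:
    """Turn {udp_size: reply-or-None} into a one-line verdict."""
    sizes = sorted(results)
    answered = [s for s in sizes if results[s] is not None]
    if not answered:
        return "no UDP answer at any size: UDP/53 blocked or server unreachable"
    if len(answered) == len(sizes):
        truncated = [s for s in sizes if results[s]["tc"]]
        return "all sizes answered; truncated (TC) at sizes %s" % truncated
    dropped = [s for s in sizes if results[s] is None]
    return ("answers at %s but none at %s: large (fragmented) UDP responses "
            "are being dropped on the path" % (answered, dropped))


if __name__ == "__main__":
    # Placeholder server and zone; replace with the authoritative server under test.
    server, zone = "192.0.2.53", "domain.tld"
    results = {size: probe(server, zone, size) for size in (512, 1232, 4096)}
    for size in sorted(results):
        print(size, results[size])
    print(diagnose(results))
```

Run it from outside the server's network (the vantage point where the poster's `+notcp +dnssec` queries fail) and compare with a run from inside; the size at which answers stop arriving is the effective path limit, and a reply with TC set at 512 bytes confirms the server itself is responding normally.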

