https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216867

            Bug ID: 216867
           Summary: IPFW workstation rules block DNSSEC resulting in DNS
                    failure on freebsd.org domains
           Product: Base System
           Version: 11.0-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: conf
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: freebsd-b...@rsle.net
                CC: freebsd-am...@freebsd.org

The default IPFW "workstation" rules seem to block fragmented packets caused by
DNSSEC, in turn causing DNS to fail for some domains (including freebsd.org
subdomains) when DNS resolution is performed locally (using BIND or Unbound).

Fix:
The addition of the IPFW rule "ipfw add reass udp from any to any in" to
/etc/rc.firewall, under type workstation, fixes the issue.

This issue was discussed at:
https://forums.freebsd.org/threads/48760/
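
One way to confirm the fix is actually loaded, as an added example (not part of the original report or of FreeBSD's rc.firewall): a shell function that reads `ipfw list` output and reports whether a reass rule covering inbound UDP is present. The function names and sample rulesets are constructed for illustration, and the ordering check assumes the reass rule has to be evaluated before check-state so that the reassembled reply can match dynamic state.

```shell
#!/bin/sh
# Report whether `ipfw list` output on stdin has an inbound UDP reass rule.
#   ok <n>    reass rule <n> found ahead of any check-state rule
#   late <n>  reass rule <n> found, but numbered after check-state (assumed too late)
#   missing   no reass rule that covers inbound UDP
check_reass() {
    awk '
        # Field 1 is the rule number, field 2 the action, field 3 the protocol.
        $2 == "check-state" && !cs { cs = $1 + 0 }
        $2 == "reass" && ($3 == "udp" || $3 == "ip" || $3 == "all") && !r {
            # The rule has to apply to inbound packets: an explicit "in",
            # or no direction keyword at all.
            dir = "any"
            for (i = 4; i <= NF; i++) if ($i == "in" || $i == "out") dir = $i
            if (dir != "out") r = $1 + 0
        }
        END {
            if (!r)                print "missing"
            else if (cs && r > cs) print "late " r
            else                   print "ok " r
        }
    '
}

# Constructed sample rulesets (illustrative, not captured from a real host).
sample_default() { cat <<'EOF'
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
01000 check-state
01100 allow tcp from me to any setup keep-state
01200 allow udp from me to any keep-state
65535 deny ip from any to any
EOF
}

sample_fixed() { cat <<'EOF'
00100 allow ip from any to any via lo0
00350 reass udp from any to any in
01000 check-state
01200 allow udp from me to any keep-state
65535 deny ip from any to any
EOF
}

# On a FreeBSD host the real input would be:  ipfw list | check_reass
echo "default ruleset: $(sample_default | check_reass)"
echo "with reass rule: $(sample_fixed | check_reass)"
```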
