[dnssec-deployment] some observations about .SE's DNSSEC

Mark Andrews Mark_Andrews at isc.org
Tue Sep 25 21:04:12 EDT 2007


> > I remember a sequence something like:
> > Request big bunch of DNSKEYS (udp) ->
> >  X(lost) <- Big udp packet
> > ...timeout
> > Request big bunch of DNSKEYS (udp) ->
> >   <- 512 byte truncated packet (udp)
> > ...truncated..fail
> > Then sometimes...
> > Request big bunch of DNSKEYS (TCP) ->
> >   <- Big TCP packet
> > Request more information to complete validation ->
> > ..works
> 
> this sounds more like a firewall that says
> 
> 	permit from inside to any udp/53
> 	permit from any udp/53 to inside
> 
> (season to taste with as much "keep-state" as you've got)
> 
> but if the firewall doesn't do ip reassembly before running the ruleset,
> 
> and if the firewall doesn't remember the IP <SRC,DST,ID> of firstfrags
> who matched a "permit" so as to give the otherfrags the same treatment,
> 
> then you'll get a timeout.
> 
> turns out all firewalls work this way.  who knew?  wide area UDP can't
> work end to end unless the datagrams are small enough to never need to
> be fragmented.  DNSSEC, being an EDNS form, often has to be fragmented
> in its first hop, which usually has a 1500 byte MTU.

	No.  It can if NAT/firewall vendors actually re-assemble the
	packets before processing them.

	The non-kernel NATs all work as the packet needs to be
	reassembled to make it to user space.

	One of the problems for firewalls is that the layer 3 headers
	are not available except in the first fragment (which may not
	be the first to arrive).

	I've bug reports filed against ipnat for this mis-behaviour
	with FreeBSD as it only handles fragmented responses where
	the first response is the first fragment.

	I suggest that anyone with this problem file a bug report
	with their firewall/NAT vendor.

	I use "edns-udp-size 1460;" on the nameservers behind the NAT.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
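As an added example (not code from this thread, from ISC or from BIND): a small Python probe that sends a DNSKEY query with a chosen EDNS buffer size to a nameserver you operate and classifies the reply, so the "works at 512, times out at larger sizes" pattern described above can be checked from behind a given NAT/firewall. The server address and zone name in the usage line are placeholders, and the packet builder/parser are hypothetical helpers written for this illustration.

```python
import random
import socket
import struct

def build_query(name, qtype=48, bufsize=1460, do_bit=True, qid=None):
    """Wire-format DNS query with an EDNS0 OPT RR advertising `bufsize`.
    qtype 48 = DNSKEY; the DO bit asks for DNSSEC data, which makes replies large."""
    qid = random.randrange(0, 65536) if qid is None else qid
    header = struct.pack('!HHHHHH', qid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    labels = name.rstrip('.').split('.')
    qname = b''.join(bytes([len(l)]) + l.encode() for l in labels) + b'\x00'
    question = qname + struct.pack('!HH', qtype, 1)            # class IN
    ttl = 0x8000 if do_bit else 0   # OPT "TTL": ext-rcode(8) | version(8) | DO(1) | Z(15)
    opt = b'\x00' + struct.pack('!HHIH', 41, bufsize, ttl, 0)  # root name, TYPE OPT, CLASS = UDP size
    return qid, header + question + opt

def parse_response(data, expected_id):
    """Classify a reply: 'ok', 'truncated' (TC bit), 'bad-id', 'short' or 'rcode:<n>'."""
    if len(data) < 12:
        return ('short', 0)
    qid, flags, _qd, an, _ns, _ar = struct.unpack('!HHHHHH', data[:12])
    if qid != expected_id:
        return ('bad-id', 0)
    if flags & 0x0200:
        return ('truncated', an)
    rcode = flags & 0x000F
    return ('rcode:%d' % rcode if rcode else 'ok', an)

def probe(server, name, sizes=(512, 1232, 1460, 4096), timeout=3.0):
    """Send one UDP DNSKEY query per EDNS buffer size and record the outcome.
    'ok' or 'truncated' at small sizes but 'timeout' at sizes above the path MTU is
    the signature of a NAT/firewall dropping non-first fragments."""
    results = {}
    for size in sizes:
        qid, pkt = build_query(name, bufsize=size)
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.settimeout(timeout)
        try:
            s.sendto(pkt, (server, 53))
            data, _ = s.recvfrom(65535)
            results[size] = parse_response(data, qid)[0]
        except socket.timeout:
            results[size] = 'timeout'
        finally:
            s.close()
    return results

if __name__ == '__main__':
    print(probe('192.0.2.1', 'example.net'))  # placeholder server and zone; use your own
```

If every size up to 1460 answers but 4096 times out, lowering edns-udp-size on the servers behind the NAT (as in the message above) avoids the fragment drop until the vendor fixes reassembly.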