[Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains
bugzilla-noreply at freebsd.org
Mon Feb 6 21:12:25 UTC 2017
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216867
Bug ID: 216867
Summary: IPFW workstation rules block DNSSEC resulting in DNS
failure on freebsd.org domains
Product: Base System
Version: 11.0-RELEASE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: conf
Assignee: freebsd-bugs at FreeBSD.org
Reporter: freebsd-bugs at rsle.net
CC: freebsd-amd64 at FreeBSD.org
The default IPFW "workstation" rules seem to block fragmented packets caused by
DNSSEC, in turn causing DNS to fail for some domains (including freebsd.org
subdomains) when DNS resolution is performed locally (using BIND or Unbound).
Fix:
The addition of the IPFW rule "ipfw add reass udp from any to any in" to
/etc/rc.firewall, under type workstation, fixes the issue.
This issue was discussed at:
https://forums.freebsd.org/threads/48760/
--
You are receiving this mail because:
You are on the CC list for the bug.
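The failure mode the report describes, as an added example that is not part of the original bug report or FreeBSD's own code: a simplified Python model of IPv4 fragmentation showing why a match on UDP ports passes only the first fragment of a large DNSSEC answer, and why reassembling first (what the `reass` rule does) lets the whole datagram match. The 1500-byte MTU default and the `(source port, destination port)` state tuple are assumptions of the model.

```python
# Simplified model (added example, not ipfw code): fragments after the first
# carry no UDP header, so a port-based match can never accept them.
from dataclasses import dataclass
from typing import Optional

IP_HDR, UDP_HDR = 20, 8  # IPv4 header without options, UDP header

@dataclass
class Packet:
    offset: int            # fragment offset in bytes
    more: bool             # IPv4 "more fragments" flag
    length: int            # bytes of IP payload carried
    sport: Optional[int]   # UDP ports exist only where offset == 0
    dport: Optional[int]

def fragment(udp_payload: int, sport: int, dport: int, mtu: int = 1500):
    """Split one UDP datagram into IPv4 fragments for the given MTU."""
    total = UDP_HDR + udp_payload
    step = (mtu - IP_HDR) // 8 * 8   # fragment data is a multiple of 8 bytes
    frags = []
    for off in range(0, total, step):
        size = min(step, total - off)
        ports = (sport, dport) if off == 0 else (None, None)
        frags.append(Packet(off, off + size < total, size, *ports))
    return frags

def matches_state(pkt: Packet, state: tuple) -> bool:
    """Port-based match: a packet without a UDP header cannot match."""
    return (pkt.sport, pkt.dport) == state

def reassemble(frags):
    """Rebuild the datagram once every fragment is present, else None."""
    frags = sorted(frags, key=lambda p: p.offset)
    expected = 0
    for p in frags:
        if p.offset != expected:
            return None              # a hole: keep waiting
        expected += p.length
    if frags[-1].more:
        return None                  # last fragment not seen yet
    return Packet(0, False, expected, frags[0].sport, frags[0].dport)

def deliver(frags, state, reass: bool) -> bool:
    """True if the resolver receives the complete answer."""
    if reass:
        whole = reassemble(frags)
        return whole is not None and matches_state(whole, state)
    return all(matches_state(p, state) for p in frags)
```
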