https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216867
Bug ID: 216867
Summary: IPFW workstation rules block DNSSEC resulting in DNS
failure on freebsd.org domains
Product: Base System
Version: 11.0-RELEASE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: conf
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected]
CC: [email protected]
The default IPFW "workstation" rules seem to block fragmented packets caused by
DNSSEC, in turn causing DNS to fail for some domains (including freebsd.org
subdomains) when DNS resolution is performed locally (using BIND or Unbound).
Fix:
The addition of the IPFW rule "ipfw add reass udp from any to any in" to
/etc/rc.firewall, under type workstation, fixes the issue.
This issue was discussed at:
https://forums.freebsd.org/threads/48760/
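A simplified model of the failure described in this report, added here as an illustration; it is not ipfw code and not part of the original report. It assumes a filter that admits UDP replies by matching their ports: only the fragment at offset 0 carries the UDP header, so later fragments of a large DNSSEC answer hit the default deny unless the datagram is reassembled before filtering, which is what the proposed `reass` rule does. Ports, payload sizes and function names are constructed.

```python
import struct

MTU, IP_HDR = 1500, 20  # typical Ethernet MTU; IPv4 header without options

def udp_datagram(sport, dport, payload):
    # UDP header: source port, destination port, length, checksum (0 = unused here)
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def fragment(datagram, ip_id=1, mtu=MTU):
    """Split an IP payload into (id, byte_offset, more_fragments, data) tuples."""
    step = (mtu - IP_HDR) // 8 * 8          # fragment data must be a multiple of 8
    return [(ip_id, off, off + step < len(datagram), datagram[off:off + step])
            for off in range(0, len(datagram), step)]

def ports(frag):
    """UDP ports are only readable in the fragment at offset 0."""
    _, off, _, data = frag
    return struct.unpack("!HH", data[:4]) if off == 0 and len(data) >= 8 else None

def reassemble(frags):
    """Return the original datagram, or None if any piece is missing."""
    frags = sorted(frags, key=lambda f: f[1])
    if not frags or frags[-1][2]:           # last piece must have MF clear
        return None
    buf = b""
    for _, off, _, data in frags:
        if off != len(buf):
            return None                     # hole: a fragment was dropped
        buf += data
    return buf

def deliver(frags, expected, reass_first):
    """expected = (sport, dport) of the reply the filter's state entry allows."""
    if reass_first:                         # model of reassembling before filtering
        whole = reassemble(frags)
        frags = [(frags[0][0], 0, False, whole)] if whole else []
    passed = [f for f in frags if ports(f) == expected]   # default deny otherwise
    whole = reassemble(passed)
    return whole[8:] if whole else None     # strip the UDP header

# Constructed sample: resolver asked from port 40000, server answers from 53.
SMALL = fragment(udp_datagram(53, 40000, b"a" * 500))
LARGE = fragment(udp_datagram(53, 40000, b"d" * 1800))   # DNSSEC-sized answer

if __name__ == "__main__":
    for name, frags in (("small", SMALL), ("large", LARGE)):
        for reass in (False, True):
            ok = deliver(frags, (53, 40000), reass) is not None
            print(f"{name}: {len(frags)} fragment(s), reass={reass}, delivered={ok}")
```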