From Klaus at Ethgen.de Sun Jul 4 21:59:17 2010
From: Klaus at Ethgen.de (Klaus Ethgen)
Date: Sun, 4 Jul 2010 20:59:17 +0100
Subject: fiaif and DNSSEC
Message-ID: <20100704195916.GA16498@ikki.ethgen.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello,

I have been using fiaif for years now. Recently I slipped into a very difficult problem. The main registrar for my country, nic.ch, switched to DNSSEC in September 2009. Since then I have not been able to resolve names in their zone anymore.

After many tests I found two sources of problems. One is bind itself, which seems to have problems with such big packets. The other is fiaif, which forbids fragmented UDP packets. (I finally found a note about that on the Debian web page, but not in the documentation of fiaif.) As the packets of the nic.ch zone are much bigger than those of all other zones which use DNSSEC, they will not fit into the packet size of 1480 bytes (MTU 1500), so I cannot resolve it anymore.

By the way, I searched for where this limitation is done in iptables but didn't succeed. There is no such rule in the iptables; however, I found one rule about fragmentation in sanity_check.sh:

"IPTABLES -t ${TABLE} -A ${QUEUE} -p icmp --fragment -j LOG_DROP"

But that is not relevant for DNS.

Is there any way to allow fragmented UDP packets at all or, better, for DNSSEC only?

Regards
Klaus

PS. Please keep me in Cc as I am not subscribed to the list and cannot find the list on gmane.
-- 
Klaus Ethgen                              http://www.ethgen.de/
pub  2048R/D1A4EDE5 2000-02-26 Klaus Ethgen
Fingerprint: D7 67 71 C4 99 A6 D4 FE  EA 40 30 57 3C 88 26 2B
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEVAwUBTDDoFJ+OKpjRpO3lAQoXVgf+MLh866gtcHCJqGtN0sIGbExi9ITKhmdk
McawrRcOZKOXCRN8/8rDFWljQopWjwqPfWcn+RlZYQFGzI2Rvc9lc6IKp+A4bM5s
7xkpyg12aA4Z5Nnjra6bb57gGSZWbNqBdIE3Cukcwb2Rztn8vBAlfPcfr6NpincQ
+eiPveuoyyn38VItuMLYEo/TaEXh7D6bz5j487/JUWSFOCq+Ko3JNksdmBNeky41
Z0kLeBv/pyLSkY9u1Xvxws46oCgRFmpvNNmJwYgqmzTl1z2dIsvCvBujkDO4D718
pe4ppQ5mjxl2eCen5wqFA9hez95k3EP4t8JXF5T3o4NkjC4Kagyd+g==
=57k4
-----END PGP SIGNATURE-----
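The problem the post describes (DNSSEC responses larger than the path MTU arriving as IP fragments that a firewall silently drops) is driven by the UDP payload size the resolver advertises in its EDNS0 OPT record. The following is an added example, not code from the list, from fiaif or from Klaus: it builds a DNS query with an EDNS0 OPT record, reads the advertised buffer size and DO bit back out of a query on the wire, and checks whether a response of a given length would have to be fragmented for a given MTU. The 1232-byte value used below is the buffer size recommended by the DNS Flag Day 2020 effort; the names and the sample query are constructed for this example.

```python
import struct

DNS_TYPE_OPT = 41      # EDNS0 OPT pseudo-RR type (RFC 6891)
DNS_TYPE_A = 1
DNS_CLASS_IN = 1
DO_FLAG = 0x8000       # "DNSSEC OK" bit in the high half of the OPT TTL field
SAFE_EDNS_BUFSIZE = 1232   # DNS Flag Day 2020 recommendation: avoids fragmentation on any link


def encode_name(name):
    """Encode a dotted hostname in uncompressed DNS label format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=DNS_TYPE_A, udp_payload_size=4096,
                dnssec_ok=True, edns=True, txid=0x1234):
    """Build a recursion-desired DNS query, optionally with an EDNS0 OPT record.

    udp_payload_size is what the resolver tells the server it can receive in one
    UDP datagram; a large value (4096) invites responses that must be fragmented.
    """
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, DNS_CLASS_IN)
    if not edns:
        return header + question
    # OPT RR: root name, type 41, "class" carries the UDP payload size,
    # "TTL" carries extended RCODE/version/flags (DO bit), empty RDATA.
    ttl = DO_FLAG if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_payload_size, ttl, 0)
    return header + question + opt


def _skip_name(packet, offset):
    """Advance past a name, handling compression pointers (0xC0xx)."""
    while True:
        length = packet[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:
            return offset + 2
        offset += 1 + length


def parse_edns(packet):
    """Return (udp_payload_size, dnssec_ok) from the OPT RR, or None if absent."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    for _ in range(qd):
        offset = _skip_name(packet, offset) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        offset = _skip_name(packet, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == DNS_TYPE_OPT:
            return rclass, bool(ttl & DO_FLAG)
        offset += rdlen
    return None


def needs_fragmentation(dns_payload_len, mtu=1500, ipv6=False):
    """True if a UDP/DNS message of this length cannot travel in one IP packet."""
    ip_header = 40 if ipv6 else 20
    udp_header = 8
    return dns_payload_len + ip_header + udp_header > mtu


def max_unfragmented_bufsize(mtu=1500, ipv6=False):
    """Largest EDNS buffer size that never requires fragmentation at this MTU."""
    return mtu - (40 if ipv6 else 20) - 8


if __name__ == "__main__":
    q = build_query("nic.ch", udp_payload_size=4096)
    print("advertised:", parse_edns(q))
    print("4096-byte reply fragmented on 1500 MTU:", needs_fragmentation(4096))
    print("safe bufsize for IPv4/1500:", max_unfragmented_bufsize())
```

A resolver behind a firewall that drops fragments should advertise a buffer size no larger than `max_unfragmented_bufsize()` for its link (1472 for IPv4 at 1500 MTU, 1452 for IPv6), or simply 1232; servers then truncate oversized answers and the client retries over TCP instead of waiting for fragments that never arrive. Checking `parse_edns()` on captured queries tells you which value the local resolver is actually sending.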