Maintained by: NLnet Labs

[Unbound-users] Linux kernel 2.6.18 and ipv6, and, Solaris and libevent

Paul Wouters
Tue May 18 18:11:55 CEST 2010


On Tue, 18 May 2010, W.C.A. Wijngaards wrote:

> On Linux, if you use kernel 2.6.18 (a little older but found in 'stable'
> distros, such as RHEL 5.5), and use ip6tables, then there is trouble
> with unbound (and other IPv6 related troubles).  The issue is that
> UDP fragmentation stops working (also for IPv4), making unbound, if
> it is DNSSEC validating, unable to fetch whole responses for some
> queries.  This would also affect other DNSSEC implementations.  The fix
> is to upgrade to a newer kernel.  You can detect this issue with
> unbound-host -t TXT rs.dns-oarc.net which drops from 4k to 1435 bytes
> after enabling ip6tables.

I wonder if this is related to:

Sat May 05 2007 Don Zickus <dzickus at redhat dot com> [2.6.18-18.el5]
- [net] IPv6 fragments bypass in nf_conntrack netfilter code (Thomas Graf ) [234288] {CVE-2007-1497}

I'll see if I can do a test with the previous kernel and 2.6.18-18

Though you say it also impacts IPv4 fragments when starting ip6tables,
right?

Paul
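The detection described above (a large EDNS0 reply that gets through at a small UDP buffer size but not at 4096 points at fragment loss on the path rather than at the server) can be reproduced without unbound-host. The following is an added example, not code from this thread or from the unbound project: a minimal Python probe that builds an EDNS0 TXT query with a chosen UDP payload size, parses the reply (TC bit, answer count, advertised buffer size), and turns the results for two buffer sizes into a verdict. The sample reply is constructed inline so the parser and the verdict logic run offline; the resolver address, the 1232/4096 buffer sizes and the verdict wording are my assumptions, and the live probe in `main` is the only part that touches the network.

```python
import socket
import struct
import sys

QTYPE_TXT, RRTYPE_OPT = 16, 41


def encode_name(name):
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=QTYPE_TXT, bufsize=4096, txid=0x1234):
    """Standard query with RD set and one OPT RR advertising the UDP payload size."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, CLASS carries the UDP buffer size, TTL = ext-rcode/version/flags, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", RRTYPE_OPT, bufsize, 0, 0)
    return header + question + opt


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, always 2 bytes
            return off + 2
        off += 1 + length


def parse_response(data):
    """Pull out the fields that matter for the fragmentation check."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", data, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4
    records = []
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        records.append((rtype, rclass, data[off:off + rdlen]))
        off += rdlen
    return {
        "id": txid,
        "tc": bool(flags & 0x0200),
        "rcode": flags & 0x000F,
        "answers": an,
        "size": len(data),
        "edns_bufsize": next((rc for rt, rc, _ in records if rt == RRTYPE_OPT), None),
    }


def build_sample_response(query, txt_strings, bufsize=4096, tc=False):
    """Constructed sample reply (not real rs.dns-oarc.net data): echoes the question,
    adds one TXT answer via a compression pointer to the question name, plus an OPT RR."""
    txid = struct.unpack_from("!H", query, 0)[0]
    flags = 0x8180 | (0x0200 if tc else 0)  # QR, RD, RA (+ TC when requested)
    question = query[12:skip_name(query, 12) + 4]
    rdata = b"".join(bytes([len(s)]) + s.encode("ascii") for s in txt_strings)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_TXT, 1, 60, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", RRTYPE_OPT, bufsize, 0, 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1) + question + answer + opt


def probe(server, name, bufsize, timeout=2.0):
    """Live UDP probe (network): parsed reply, or None when it times out."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, bufsize=bufsize), (server, 53))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_response(data)


def diagnose(results):
    """results maps bufsize -> parsed reply or None. Rule of thumb from the thread:
    an answer at a size that fits one unfragmented packet but none at 4096 means
    the fragments of the large reply are being dropped (ip6tables/kernel), not the server."""
    small, large = results.get(1232), results.get(4096)
    if large is not None and not large["tc"]:
        return "ok: %d-byte answer with bufsize 4096" % large["size"]
    if large is None and small is not None:
        return "fragment-loss: answer with bufsize 1232 but none with 4096"
    if large is not None and large["tc"]:
        return "truncated: server set TC, fall back to TCP"
    return "unreachable: no answer at any buffer size"


if __name__ == "__main__":
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed: local unbound
    live = {b: probe(resolver, "rs.dns-oarc.net", b) for b in (1232, 4096)}
    print(diagnose(live))
```

Run it as `python3 probe.py 127.0.0.1` against the resolver under test; `python3 probe.py` before and after loading ip6tables should flip the verdict from `ok` to `fragment-loss` on an affected kernel. The constructed sample exercises the parser and `diagnose` without any network.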