Maintained by: NLnet Labs

[Unbound-users] fragmentation

shmick at riseup.net
Fri Sep 12 17:01:23 CEST 2014


hi

i am testing 2 boxes on debian jessie with identical unbound configs
(with the exception of 1 using forwarding to a dnscrypt resolver; this
box does not suffer fragmentation)

both on the same wired LAN, they also both access the same gateway and firewall
and essentially have the same iptables rules

i tested them using

$ dig +short rs.dns-oarc.net txt

1st box seems ok (dnscrypt forwarding, do-not-query-localhost: no)

rst.x4091.rs.dns-oarc.net.
rst.x3837.rs.dns-oarc.net.
rst.x3822.rs.dns-oarc.net.

but the other sees fragmentation (direct access; no forwarding)

rst.x1002.rs.dns-oarc.net.
rst.x1432.rs.dns-oarc.net.
rst.x1397.x1432.rs.dns-oarc.net.
rst.x1403.x1432.rs.dns-oarc.net.

what could i inspect for the issue?

what happens if the box suffering fragmentation is doing large DNSSEC
querying/answering - will it revert to truncation and is that extraneous
extra processing and therefore longer duration of time for DNS processing?