relayd
DNSSEC packets > MTU are fragmented and lost by relayd
DNSSEC DNS response packets are as large as 4k. Typically, that means three packets in an MTU 1500 net.
The DNS protocol of relayd fails when the packets are fragmented, so the FreeBSD relayd can't be used for modern DNS.
Responses that are less than the MTU are processed normally.
Update: dig and other DNS query engines set the DF ('do not fragment') bit, then go on to issue DNSSEC DNS queries leading to responses larger than one 1500 MTU packet, meaning fragmentation.
Firewalls that drop fragmented packets with the 'do not fragment' bit set are following the protocol correctly, but will fail to reply to broken DNS engines, much as earlier versions of NFS did with the DF bit. So, bug claim withdrawn. Hope this helps someone. I wonder if it's possible for relayd to 'selectively' allow fragmented packets with the DF bit set?
#8 adds an experimental option to set the IP_DONTFRAG flag, triggered by a TCP option. You can try this if you want. Or was your request more that relayd should detect when the flag is set on incoming packets and forward it to the outgoing side?
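Added example, not code from relayd or from anyone in this thread: the resolver-side view of the problem discussed above. It builds a DNSSEC query whose EDNS0 OPT record advertises a UDP buffer size small enough that the reply fits in one packet, computes how many IPv4 fragments a given response size would need on a given MTU (the 4k response on MTU 1500 from the first post comes out at three packets), and retries over TCP when the server answers with TC=1 instead of an oversize UDP datagram. Assumptions: the 1232-byte buffer size is the DNS flag day 2020 recommendation, not something from this thread; the resolver address in the `__main__` stub is a placeholder; the sample truncated header used in testing is constructed by hand.

```python
import socket
import struct

# Constants and sample packets here are constructed for this example.
# 1232 is the EDNS0 UDP payload size recommended by DNS flag day 2020: with
# IPv6 and UDP headers it fits inside the 1280-byte IPv6 minimum MTU, so a
# compliant server never has to emit a response that needs IP fragments.
SAFE_EDNS_BUFSIZE = 1232
QTYPE_DNSKEY = 48
FLAG_TC = 0x0200   # TrunCation bit in the DNS header flags word
EDNS_DO = 0x8000   # DNSSEC OK bit, high bit of the OPT record's flags field


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int,
                bufsize: int = SAFE_EDNS_BUFSIZE) -> bytes:
    """DNSSEC query (DO=1) with an OPT record advertising our UDP buffer size."""
    # ID, flags (RD only), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS = requester's UDP payload size,
    # TTL = extended RCODE(8) | EDNS version(8) | DO + Z(16), RDLENGTH = 0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, EDNS_DO, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header; 'tc' is the truncation flag."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "tc": bool(flags & FLAG_TC),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def ip_fragment_count(dns_len: int, mtu: int = 1500,
                      ip_hdr: int = 20, udp_hdr: int = 8) -> int:
    """IPv4 packets needed for a UDP datagram carrying dns_len bytes on this MTU.
    Fragment payloads are multiples of 8 bytes; the UDP header rides in the first."""
    per_frag = (mtu - ip_hdr) // 8 * 8
    return -(-(dns_len + udp_hdr) // per_frag)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before full DNS message")
        buf += chunk
    return buf


def query_with_fallback(server: str, query: bytes, timeout: float = 3.0) -> bytes:
    """Send over UDP; if the answer is truncated (TC=1), repeat the query over TCP.
    This is what a resolver does instead of depending on IP fragmentation."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        reply, _ = udp.recvfrom(65535)
    hdr = parse_header(reply)
    if hdr["id"] != parse_header(query)["id"]:
        raise ValueError("transaction ID mismatch")
    if not hdr["tc"]:
        return reply
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix
        (length,) = struct.unpack("!H", _recv_exact(tcp, 2))
        return _recv_exact(tcp, length)


if __name__ == "__main__":
    q = build_query("example.org", QTYPE_DNSKEY, 0x1234)
    print("query bytes:", len(q), "advertised bufsize:", SAFE_EDNS_BUFSIZE)
    print("4096-byte response on MTU 1500 ->", ip_fragment_count(4096), "IPv4 packets")
    # Placeholder resolver address; uncomment to query a real server over the network:
    # print(parse_header(query_with_fallback("192.0.2.53", q)))
```

The point of advertising a small buffer is that the server then sets TC on anything it cannot fit, and the client moves to TCP, so neither side ever emits a UDP datagram that a DF-respecting middlebox like the one described above would have to fragment or drop.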